[tac_plus] Re: ACE authentication
jathan.
jathan at gmail.com
Thu Oct 16 20:11:56 UTC 2008
Try adding the keyword 'optional' before the conditional shell:Admin.
Example:
service = exec {
    optional shell:Admin = "Admin default-domain"
}
This tells the NAS to ignore this or override it if it doesn't understand
it. Not sure if that will work in this case, but I've used that in the past
to enable special-case support for Procket hardware.
On Wed, Oct 15, 2008 at 9:02 PM, John Payne <john at sackheads.org> wrote:
>
>
> On Oct 15, 2008, at 7:12 PM, John Payne <john at sackheads.org> wrote:
>
> >
> > On Oct 14, 2008, at 6:25 PM, John Payne wrote:
> >
> >> Has anyone had luck translating:
> >>
> >> 4. Under the TACACS+ Settings section of the page, configure the following settings:
> >> – Click the Shell (exec) check box.
> >> – Click the Custom attributes check box.
> >> – In the text box below Custom attributes, enter the user role and associated domain for a specific context in the following format:
> >> shell:<contextname>=<role> <domain1> <domain2>...<domainN>
> >> For example, to assign the selected user to the C1 context with the role ROLE1 and the domain DOMAIN1, enter shell:C1=ROLE1 DOMAIN1.
> >>
> >>
> >> Into tac_plus format? I'm trying various combinations under
> >> service=shell, but I'm getting stuck with the Network-Monitor role,
> >> not the Admin role.
> >
> > Answering my own question:
> >
> > service = exec {
> > shell:Admin = "Admin default-domain"
> > }
> >
> > (shell:context = "role domain")
>
> Argh... Except that broke authentication for IOS devices....
>
> Help?
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>
--
Jathan.
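
The difference the 'optional' keyword makes, as an added example that is not part of the original message or of tac_plus: in a TACACS+ authorization reply a mandatory pair is sent as name=value and an optional pair as name*value, and a client that does not understand a mandatory pair must treat the authorization as failed. The device attribute sets and the priv-lvl pair below are constructed assumptions, not taken from the thread.

```python
# Added example: models how a TACACS+ client (NAS) treats mandatory vs optional
# authorization AV pairs. The device attribute sets below are constructed.

def parse_av(pair):
    """Split an AV pair into (name, value, mandatory).

    On the wire 'name=value' is mandatory and 'name*value' is optional;
    whichever separator appears first decides.
    """
    positions = [i for i in (pair.find("="), pair.find("*")) if i != -1]
    if not positions:
        raise ValueError(f"malformed AV pair: {pair!r}")
    pos = min(positions)
    return pair[:pos], pair[pos + 1:], pair[pos] == "="

def authorize(reply_pairs, understood):
    """Return (ok, applied, ignored) for a client that knows `understood`."""
    applied, ignored = {}, []
    for pair in reply_pairs:
        name, value, mandatory = parse_av(pair)
        if name in understood:
            applied[name] = value
        elif mandatory:
            # Unknown mandatory attribute: the whole authorization fails.
            return False, {}, [name]
        else:
            # Unknown optional attribute: skip it and carry on.
            ignored.append(name)
    return True, applied, ignored

# Constructed attribute sets (assumption): one client understands the
# context attribute, the other does not.
ACE_LIKE = {"priv-lvl", "shell:Admin"}
IOS_LIKE = {"priv-lvl"}

# What the server would send without and with the 'optional' keyword.
MANDATORY_REPLY = ["priv-lvl=15", "shell:Admin=Admin default-domain"]
OPTIONAL_REPLY = ["priv-lvl=15", "shell:Admin*Admin default-domain"]

if __name__ == "__main__":
    for label, reply in (("mandatory", MANDATORY_REPLY),
                         ("optional", OPTIONAL_REPLY)):
        for dev, known in (("ACE-like", ACE_LIKE), ("IOS-like", IOS_LIKE)):
            print(f"{label:9} {dev:8} -> {authorize(reply, known)}")
```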