[tac_plus] Re: question about tac_plus
Ian Batterbee
ibatterb at gmail.com
Wed Oct 29 03:18:30 UTC 2008
That's good to know, but I'm still a bit confused about the configuration
file syntax. Is there a reference for it somewhere I can read ?
On Wed, Oct 29, 2008 at 1:16 PM, john heasley <heas at shrubbery.net> wrote:
> Tue, Oct 28, 2008 at 12:41:04PM -0700, Jesse Zbikowski:
> > On Mon, Oct 27, 2008 at 8:04 PM, Ian Batterbee <ibatterb at gmail.com>
> wrote:
> > > What I would like to do is have the tac_plus server pass a group
> > > policy name back as part of the reply so that the group the user is
> placed
> > > into can be centrally managed.
> >
> > TACACS+ supports passing attribute/value pairs. I am not sure how to
> > do this in tac_plus. I would be very interested if anyone knows how
> > to send arbitrary a/v pairs from the server and how the client can use
> > them.
> >
> > One way you can accomplish group assignment this is to specify a fake
> > "protocol" to indicate group membership. For example in my
> > tac_plus.conf:
> >
> > user = admin {
> > pap = des ...
> > service = ppp protocol = my-admin-group {}
> > }
> >
> > user = mike {
> > pap = des ...
> > service = ppp protocol = my-user-group {}
> > }
> >
> > When "mike" tries to log in, he will first attempt to authorize
> > service=ppp protocol=my-admin-group. When this fails, the client
> > software should fall back to service=ppp protocol=my-user-group.
> > _______________________________________________
> > tac_plus mailing list
> > tac_plus at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>
> without searching through the code; i know for certain that any AV pair
> can be sent with authorization scripts.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20081029/0d417a25/attachment.html
More information about the tac_plus
mailing list