[tac_plus] Re: Different auth per device per user
Schmidt, Daniel
dan.schmidt at uplinkdata.com
Wed Nov 4 16:57:56 UTC 2009
do_auth - see www.tacacs.org
-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Alan McKinnon
Sent: Wednesday, November 04, 2009 6:07 AM
To: tac_plus at shrubbery.net
Subject: [tac_plus] Different auth per device per user
Hi,
Using 4.0.4.18 on FreeBSD.
Short description:
I have a need to give a select bunch of users one level of access on some devices and a much more restrictive access everywhere else. How can I do this?
Longer version:
My users are divided into 4 roles (1-4) in increasing level of access, the access they get applies to any device they can reach. The network is broken up into core routers, non-core routers and customer hosting switches. There's a team which configures and installs the customer switches, I want them to be able to configure anything on those devices (role 4 in my setup) but to have role 2 on every other device.

I can't quite seem to find a clean way to configure this. The closest I can get is an acl and group just for switches and exclude them from everywhere else.
In an ideal world, this would suit me fine (I know it doesn't work):
acl = hosting_acl { <list> }
group = hosting_group {
    acl = hosting_acl
    <rules>
}
group = role_2 { <rules> }
user = hosting_engineer {
    group = hosting_group
    group = role_2
}
With the first group having precedence and the second being a de-facto default. I'm OK with setting up the various rules so that conflicts don't happen (or fixing them when they do). I've seen patches around that allow multiple groups, but was wondering if there's a clean alternative in the shipped code.

Another alternative is enableacl which is somewhat limiting, but I can live with that (aka I can force the user's manager to live with that).
--
alan dot mckinnon at gmail dot com
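The precedence the original post asks for (a device-ACL-restricted group taking priority, a second group acting as the default) as an added Python example of the decision logic an external authorization helper has to supply when the shipped config cannot express it; this is not do_auth's or tac_plus's own code, and the ACL addresses, group names and privilege levels are constructed.

```python
import ipaddress

# Constructed sample policy: a device ACL for the customer hosting switches,
# two groups, and a user who belongs to both (first listed group wins).
DEVICE_ACLS = {
    "hosting_acl": ["192.0.2.0/24", "198.51.100.7"],  # constructed addresses
}

GROUPS = {
    # Role 4 on the hosting switches only: restricted by a device ACL.
    "hosting_group": {"acl": "hosting_acl", "priv-lvl": 15},
    # Role 2 everywhere: no ACL, so it matches any device.
    "role_2": {"acl": None, "priv-lvl": 2},
}

# Ordered group membership; earlier groups take precedence over later ones.
USERS = {
    "hosting_engineer": ["hosting_group", "role_2"],
    "core_engineer": ["role_2"],
}


def acl_matches(acl_name, device_ip):
    """True if the device address falls in the named ACL (no ACL = any device)."""
    if acl_name is None:
        return True
    addr = ipaddress.ip_address(device_ip)
    return any(addr in ipaddress.ip_network(net, strict=False)
               for net in DEVICE_ACLS[acl_name])


def resolve(user, device_ip):
    """Walk the user's groups in order and return the first one whose ACL
    matches the device, as group name plus privilege level; None means deny."""
    for group_name in USERS.get(user, []):
        group = GROUPS[group_name]
        if acl_matches(group["acl"], device_ip):
            return {"group": group_name, "priv-lvl": group["priv-lvl"]}
    return None  # no group applies to this device: deny


if __name__ == "__main__":
    for user, dev in [("hosting_engineer", "192.0.2.10"),
                      ("hosting_engineer", "203.0.113.1"),
                      ("core_engineer", "192.0.2.10")]:
        print(user, dev, resolve(user, dev))
```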
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus