[tac_plus] Re: Configuring tac_plus for Foundry BI-RX-16

jathan. jathan at gmail.com
Thu Sep 3 18:47:44 UTC 2009


Indeed super-user priv on Foundry devices is 0 instead of 15 but that is
only as far as the CLI input goes.  On the server, it is still considered to
be priv-lvl 15.  Yes, it's counter-intuitive.  For all other intents and
purposes, they fully emulate Cisco devices.  One thing you'll have to add to
the device is this:

aaa authentication login privilege-mode

This tells the Foundry device to honor the enable-request for privilege
escalation sent from the TACACS+ server.

Example of setting priv-lvl in service block:

group = admin {
  default service = permit
  service = exec {
    priv-lvl = 15
  }
}
user = joe {
  login = cleartext joe
  member = admin
}

Full example Foundry AAA template:

aaa authentication login default tacacs+ enable none
aaa authentication login privilege-mode
aaa authorization commands 0 default  tacacs+ none
aaa authorization exec default  tacacs+ none
aaa accounting commands 0 default start-stop  tacacs+
aaa accounting exec default start-stop  tacacs+
aaa accounting system default start-stop  tacacs+
tacacs-server host 1.2.3.4
tacacs-server host 2.4.6.8
tacacs-server key abc123
tacacs-server timeout 1
enable telnet authentication

Good luck!


On Wed, Sep 2, 2009 at 11:25 AM, Jeff Wieland <wieland at purdue.edu> wrote:

> Our engineer reports that these switches use the privilege level
> backwards from Cisco -- 0 is for enable/superuser, 15 is the
> default for user logins.  So, I'm thinking that I need a way to
> specify the priv-lvl on a per-device basis, or on an "service"
> basis assuming that I can figure out what service to use.  Has
> anybody got one of these working?
> --
>           Jeff Wieland            |         Purdue University
>    Network Systems Administrator  |        ITN&S Data Networks
>        Voice: (765)496-8234       |        501 Harrison Street
>         FAX: (765)494-6620        |   West Lafayette, IN 47907-2025



-- 
Jathan.
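
An added example, not part of the original message and not tac_plus code: a small Python check that every `service = exec` block in a tac_plus config actually sets `priv-lvl` (flagging near-miss attribute names) and that the device config carries the `aaa authentication login privilege-mode` line described above. The sample configs, `exec_attrs` and `audit` are constructed for illustration.

```python
import difflib
import re

# Constructed sample inputs, modelled on the configs in the message above.
TAC_PLUS_CONF = """\
group = admin {
  service = exec {
    privl-lvl = 15
  }
}
"""
DEVICE_CONF = """\
aaa authentication login default tacacs+ enable none
aaa authorization exec default  tacacs+ none
"""
REQUIRED_DEVICE_LINE = "aaa authentication login privilege-mode"

def exec_attrs(conf):
    """Map each group/user to the attributes in its 'service = exec' block."""
    found, owner, depth, exec_depth = {}, None, 0, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.endswith("{"):
            depth += 1
            head = re.match(r"(group|user)\s*=\s*(\S+)", line)
            if depth == 1 and head:
                owner = head.group(2)
            elif re.match(r"service\s*=\s*exec\b", line):
                exec_depth, found[owner] = depth, {}
        elif line == "}":
            exec_depth = None if depth == exec_depth else exec_depth
            depth -= 1
        elif depth == exec_depth and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            found[owner][key] = value
    return found

def audit(tac_conf, device_conf):
    """Return a list of findings; an empty list means both checks passed."""
    issues = []
    for owner, attrs in exec_attrs(tac_conf).items():
        if "priv-lvl" not in attrs:
            near = difflib.get_close_matches("priv-lvl", list(attrs), n=1, cutoff=0.8)
            hint = f" (found '{near[0]}', likely a typo)" if near else ""
            issues.append(f"{owner}: exec block does not set priv-lvl{hint}")
    device_lines = {" ".join(l.split()) for l in device_conf.splitlines()}
    if REQUIRED_DEVICE_LINE not in device_lines:
        issues.append(f"device: missing '{REQUIRED_DEVICE_LINE}'")
    return issues
```

Calling `audit(TAC_PLUS_CONF, DEVICE_CONF)` on the constructed inputs reports both problems; groups or users that have no exec block at all are not reported.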