[tac_plus] Different privs for different devices?
Paul Floyd
shadrack at rocketmail.com
Wed Jun 30 21:27:12 UTC 2010
Hi all -
New to the list and tac_plus. I'm trying to figure out if there's a way to
grant a set of users one privilege level on one set of devices and a different
privilege level on another set of devices. My best guess at a config to do this
was something like this:
=====
group = helpdesk_full {
    acl = routers_full_access
    service = exec {
        priv-lvl = 15
    }
}
group = helpdesk_limited {
    acl = routers_limited_access
    service = exec {
        priv-lvl = 7
    }
    member = helpdesk_full
}
group = helpdesk {
    login = file /etc/tacacs/users
    member = helpdesk_limited
}
=====
However, when I tried this, it seemed a member of the helpdesk group was able to
log in to a router in the "routers_limited_access" ACL, but not one in the
"routers_full_access" group. If I'm interpreting the debug correctly, it
appears tac_plus processes the routers_limited_access ACL and immediately returns
a login rejected message. It never tries to match against the
routers_full_access ACL.
Is what I'm trying to accomplish possible with tac_plus, and if so, how do I go
about it?
Thanks,
- PF