[tac_plus] Re: Authorization script and before authorization
Tourneur Henry-Nicolas
henry.nicolas at tourneur.be
Tue May 11 21:37:41 UTC 2010
On Tuesday 11 May 2010 19:42:58 Kiss Gabor (Bitman) wrote:
> > Basically, I need 2 args, the ip of the device where we are trying to
> > execute the command ($ip I guess) and the command itself. But I don't
> > know how to get the full command as a variable for the script (same for
> > the argument).
> >
> > Any idea ?
>
> I'm afraid it's not fully clear to me what you want.
> Could you give an example?
>
> Gabor
>
Yes of course :)

Example scenario:
1. I log in via telnet with my Tacacs+ credentials on a Cisco router.
2. I go into enable and then configure mode.
3. I enter the command no interface GigabitEthernet0/1.114 (for example).
4. When I enter the previous command, I would like to run an authorization
   script on the no interface command. The script will be on the same host as
   Tacacs and it should return 0 if the no interface command is allowed
   (therefore it will succeed) or 3 if the no interface command should be
   forbidden. In the forbidden case, I expect the IOS to not run the command.

In order to do that, I provided a sample of Tacacs+ config but parts are
missing and I would like to get help to complete them.

The example was:

    cmd = no interface {
        before authorization "/usr/local/bin/script $ip";
    }

Where $ip should be (I guess) the IP address of the Cisco router.
With that sample, I'm still missing the whole command as an argument of my
script (/usr/local/bin/script doesn't know what to check).

Do you know how to pass the command as an argument to the script?
Thanks,
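
Added example, not part of the original message and not tac_plus code: a sketch of what /usr/local/bin/script could look like, returning the 0 and 3 exit codes described above. It assumes that tac_plus hands the request's AV pairs to the script on standard input, one per line, with the IOS command split into cmd= and cmd-arg= pairs; the policy table, the device IP and the sample input are constructed for illustration.

```python
#!/usr/bin/env python3
"""Authorization helper: exit 0 to allow the command, 3 to forbid it."""
import re
import sys

ALLOW, DENY = 0, 3  # exit codes named in the message above

# Constructed policy: interfaces that must not be removed, keyed by device IP.
PROTECTED = {"192.0.2.1": {"gigabitethernet0/1.114"}}

# Constructed sample of the AV pairs assumed to arrive on stdin.
SAMPLE = ["service=shell", "cmd=no", "cmd-arg=interface",
          "cmd-arg=GigabitEthernet0/1.114", "cmd-arg=<cr>"]

def parse_av_pairs(lines):
    """Rebuild (cmd, args) from 'name=value' / 'name*value' lines (assumed format)."""
    cmd, args = None, []
    for line in lines:
        m = re.match(r"^([^=*]+)[=*](.*)$", line.strip())
        if not m:
            continue  # ignore anything that is not an AV pair
        name, value = m.groups()
        if name == "cmd":
            cmd = value
        elif name == "cmd-arg" and value != "<cr>":
            args.append(value)
    return cmd, args

def decide(device_ip, lines):
    """Return ALLOW or DENY for one request; fail closed on unusable input."""
    cmd, args = parse_av_pairs(lines)
    if not cmd:
        return DENY  # no command on stdin: refuse rather than guess
    words = [cmd.lower()] + [a.lower() for a in args]
    if words[:2] == ["no", "interface"]:
        target = "".join(words[2:])  # also covers "GigabitEthernet 0/1.114"
        if not target or target in PROTECTED.get(device_ip, set()):
            return DENY
    return ALLOW

if __name__ == "__main__":
    # Invoked as "/usr/local/bin/script $ip" with the AV pairs on stdin.
    if len(sys.argv) != 2:
        sys.exit(DENY)
    sys.exit(decide(sys.argv[1], sys.stdin))
```
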