[tac_plus] Privilege level on hp,3com,h3c switches

Antonio Ojea antonio.ojea at retegal.es
Wed Nov 3 07:50:43 UTC 2010


Thanks for your help, I have a problem with authorization.

If I configure the switch to do authorization with the tacacs server, I can
log in with admin privileges. However, if the switch can't reach the tacacs
server I can't log in because it doesn't have an option to do local authorization.

If I configure the switch to do only authentication with the tacacs server I
log in with the lowest privileges because I don't do authorization.




-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Wednesday, November 03, 2010 3:19
To: Antonio Ojea
CC: tac_plus at shrubbery.net
Subject: Re: [tac_plus] Privilege level on hp,3com,h3c switches

Tue, Nov 02, 2010 at 10:32:44PM +0100, Antonio Ojea:
> Hi,
> 
> I have several (HP, 3com, h3) switches h3600 and routers MSR-20.
> 
> I can configure the routers and the switches to authenticate against the
> tac_plus server, but the problem is with the user privilege level. I have
> configured the next statements, and when I log in to a router I have all
> privileges, but on the switches I have the lowest privileges.
> 
> default service = permit
> service = exec {
> priv-lvl = 15
> }
> 
> I think that this is an H3C issue, but can I configure the tac_plus server
> to get all privileges when I log in to the switch?
> Is it possible to run a script to change the level automatically?
> 
if i understand what you want, try clogin from rancid;
www.shrubbery.net/rancid/

else, the switches might use a different AVP for setting the priv level
or might not be configured to perform authorization.


