[tac_plus] Privilege level on hp,3com,h3c switches

'john heasley' heas at shrubbery.net
Wed Nov 3 15:37:29 UTC 2010


Wed, Nov 03, 2010 at 08:50:43AM +0100, Antonio Ojea:
> 
> Thanks for your help, I have a problem with authorization.
> 
> If I configure the switch to do authorization with the tacacs server, I can
> log in with admin privileges. However, if the switch can't reach the tacacs
> server I can't log in because it doesn't have an option to do local authorization.

think you want something like the following to have a local login with
privs.  hp has never made management of their devices particularly easy.

password manager <removed>
password operator <removed>

> If I configure the switch to do only authentication with the tacacs server I
> log in with the lowest privileges because I don't do authorization.
> 
> 
> 
> 
> -----Original Message-----
> From: john heasley [mailto:heas at shrubbery.net]
> Sent: Wednesday, November 03, 2010 3:19
> To: Antonio Ojea
> CC: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] Privilege level on hp,3com,h3c switches
> 
> Tue, Nov 02, 2010 at 10:32:44PM +0100, Antonio Ojea:
> > Hi,
> > 
> > I have several (HP, 3com, h3) switches h3600 and routers MSR-20.
> > 
> > I can configure the routers and the switches to authenticate against the
> > tac_plus server, but the problem is with the user privilege level. I have
> > configured the next statements, and when I log in a router I have all
> > privileges, but in the switches I have the lowest privileges.
> > 
> > default service = permit
> > service = exec {
> > priv-lvl = 15
> > }
> > 
> > I think that this is an H3C issue, but can I configure the tac_plus server
> > to get all privileges when I log in the switch?
> > Is it possible to run a script to change the level automatically?
> > 
> if i understand what you want, try clogin from rancid;
> www.shrubbery.net/rancid/
> 
> else, the switches might use a different AVP for setting the priv level
> or might not be configured to perform authorization.

