[tac_plus] tac_plus configuration based on source IP
john heasley
heas at shrubbery.net
Tue Aug 30 17:18:53 UTC 2011
Tue, Aug 30, 2011 at 12:42:35PM -0400, Morty Abzug:
> I have a variety of Cisco devices that require mutually incompatible
> values in a certain TACACS+ attribute, Cisco-AVPair. The way I have
> dealt with this in the RADIUS world is with huntgroups -- I assign our
> engineer group on huntgroup1 to have Cisco-AVPair set to
> shell:roles=network-admin, while by default, the engineer group gets
> shell:priv-lvl=15. Unfortunately, my usual RADIUS solution isn't
> working. We also have tac_plus, so I fired that up, and realized that
> I had a similar problem -- we already have one Cisco device type that
> requires a conflicting attribute. With tac_plus, I have no idea at
> all of how to work around this, i.e. what the tac_plus equivalent of a
> huntgroup is. I tried this:
I think that you ought to be able to do this with a before authorization
script. See Daniel's example python script.
> group = engineer {
>     pap = PAM
>     service = exec {
>         shell:roles="network-admin"
>         acl = 1010_application
>     }
>     service = exec {
>         shell:roles="admin"
>         acl = fabric_interconnect
>     }
> }
>
> No joy. Each of those stanzas works individually, but the two
> together cause unhappiness. Is there a solution?
>
> Thanks.
>
> - Morty
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
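A huntgroup-style before-authorization script of the kind heasley suggests, written as an added example for this thread (it is not Daniel's script and not part of tac_plus): it keys the shell:roles value on the NAS address that tac_plus hands the script, so one engineer group can get network-admin on one device class and admin on another. The hook directive, its argument order, the exit-code meanings and the subnet-to-role mapping are all assumptions; check them against tac_plus.conf(5) for your version before deploying.

```python
#!/usr/bin/env python3
"""Huntgroup-style role selection for tac_plus, keyed on the NAS address.

Constructed example, not Daniel's script and not tac_plus code.  Assumed hook
(verify the argument order and exit-code meanings in tac_plus.conf(5) first):
    before authorization = "/usr/local/sbin/pre_author.py $user $address"
tac_plus feeds the request's AV pairs to stdin, one "attr=value" per line.
"""
import ipaddress
import sys

# Constructed mapping: NAS subnet -> shell:roles value (placeholders).
ROLE_BY_NAS = [
    (ipaddress.ip_network("192.0.2.0/24"), "network-admin"),   # e.g. Nexus switches
    (ipaddress.ip_network("198.51.100.0/24"), "admin"),        # e.g. fabric interconnects
]
DEFAULT_AVS = ["priv-lvl=15"]   # devices in no mapped subnet get the IOS default
EXIT_REPLACE = 2   # assumed: stdout replaces the AV pairs; confirm in tac_plus.conf(5)
EXIT_ERROR = 3     # assumed: error status

def role_for(nas):
    """Return the shell:roles value for a NAS address, or None if unmapped."""
    addr = ipaddress.ip_address(nas)
    for net, role in ROLE_BY_NAS:
        if addr in net:
            return role
    return None

def rewrite_avpairs(nas, avpairs):
    """Strip any role/priv-lvl pair and append the single one this NAS should get."""
    kept = [av for av in avpairs if not av.startswith(("shell:roles=", "priv-lvl="))]
    role = role_for(nas)
    if role is None:
        return kept + DEFAULT_AVS
    return kept + ["shell:roles=" + role]

def main():
    if len(sys.argv) < 3:
        sys.stderr.write("usage: pre_author.py user nas_address\n")
        return EXIT_ERROR
    incoming = [ln.strip() for ln in sys.stdin if ln.strip()]
    for av in rewrite_avpairs(sys.argv[2], incoming):
        print(av)
    return EXIT_REPLACE

if __name__ == "__main__":
    sys.exit(main())
```

Because the two conflicting stanzas from the quoted config collapse into one mapping, the group itself no longer needs more than one `service = exec` block.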