[tac_plus] tac_plus configuration based on source IP

Daniel Schmidt daniel.schmidt at wyo.gov
Tue Aug 30 17:55:51 UTC 2011 

Example doesn't currently do what you want.  That said, I have often
thought about adding something exactly like this to append or modify the
pairs.  (Even listed in "TO DO" section)  I messed around with a wireless
controller but, even when returning the pairs unaltered, it seemed to be
unhappy on a exit code 2 so I got frustrated and gave up.  It shouldn't be
too hard to add if you uncomment the "print tac pairs" section and send me
the log file results for each.

-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of john heasley
Sent: Tuesday, August 30, 2011 11:19 AM
To: Morty Abzug
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] tac_plus configuration based on source IP

Tue, Aug 30, 2011 at 12:42:35PM -0400, Morty Abzug:
> I have a variety of Cisco devices that require mutually incompatible
> values in a certain TACACS+ attribute, Cisco-AVPair.  The way I have
> dealt with this in the RADIUS world is with huntgroups -- I assign our
> engineer group on huntgroup1 to have Cisco-AVPair set to
> shell:roles=network-admin, while by default, the engineer group gets
> shell:priv-lvl=15.  Unfortunately, my usual RADIUS solution isn't
> working.  We also have tac_plus, so I fired that up, and realized that
> I had a similar problem -- we already have one Cisco device type that
> requires a conflicting attribute.  With tac_plus, I have no idea at
> all of how to workaround this, i.e. what the tac_plus equivalent of a
> huntgroup is.  I tried this:

I think that you ought to be able to do this with a before authorization
script.  See Daniel's example python script.

> group = engineer {
>         pap = PAM
>         service = exec {
>                 shell:roles="network-admin"
>                 acl = 1010_application
>         }
>         service = exec {
>                 shell:roles="admin"
>                 acl = fabric_interconnect
>         }
> }
>
> No joy.  Each of those stanzas works individually, but the two
> together cause unhappiness.  Is there a solution?
>
> Thanks.
>
> - Morty
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

More information about the tac_plus mailing list