[tac_plus] command authorization

Antonio Ojea aojea at retegal.es
Tue Feb 22 07:20:40 UTC 2011


Hello,

I want to use tac_plus to deny some commands in our routers. I have tried with the do_auth script, but I can't receive any AV pairs to filter them.

I paste the output from running tac_plus with debugging (-d 16):


Tue Feb 22 08:13:58 2011 [30270]: login query for 'XXXX' tty1 from 172.31.5.50 accepted
Tue Feb 22 08:13:58 2011 [30277]: connect from 172.31.5.50 [172.31.5.50]
Tue Feb 22 08:13:58 2011 [30277]: Start authorization request
Tue Feb 22 08:13:58 2011 [30277]: do_author: user='XXXX'
Tue Feb 22 08:13:58 2011 [30277]: user 'XXXX' found
Tue Feb 22 08:13:58 2011 [30277]: exec authorization request for XXXX
Tue Feb 22 08:13:58 2011 [30277]: exec is explicitly permitted by line 45
Tue Feb 22 08:13:58 2011 [30277]: nas:service=shell (passed thru)
Tue Feb 22 08:13:58 2011 [30277]: nas:cmd* (passed thru)
Tue Feb 22 08:13:58 2011 [30277]: nas:absent, server:priv-lvl=15 -> add priv-lvl=15 (k)
Tue Feb 22 08:13:58 2011 [30277]: nas:absent, server:idletime=30 -> add idletime=30 (k)
Tue Feb 22 08:13:58 2011 [30277]: added 2 args
Tue Feb 22 08:13:58 2011 [30277]: out_args[0] = service=shell input copy discarded
Tue Feb 22 08:13:58 2011 [30277]: out_args[1] = cmd* input copy discarded
Tue Feb 22 08:13:58 2011 [30277]: out_args[2] = priv-lvl=15 compacted to out_args[0]
Tue Feb 22 08:13:58 2011 [30277]: out_args[3] = idletime=30 compacted to out_args[1]
Tue Feb 22 08:13:58 2011 [30277]: 2 output args
Tue Feb 22 08:13:58 2011 [30277]: authorization query for 'XXXX' tty1 from 172.31.5.50 accepted
Tue Feb 22 08:13:58 2011 [30278]: connect from 172.31.5.50 [172.31.5.50]
Tue Feb 22 08:14:04 2011 [30297]: connect from 172.31.5.50 [172.31.5.50]

The last 2 statements happen when I type some commands in the router, but I think those are related to accounting.

Thanks in advance

