[tac_plus] Command authorization for IPv6
john heasley
heas at shrubbery.net
Tue Jun 7 23:58:11 UTC 2011
Mon, Jun 06, 2011 at 04:30:36PM -0400, John Payne:
> Trying to authorize users to only configure neighbors and not peer-groups (as an example). This is highly simplified just to demonstrate the problem:
>
> cmd = neighbor {
> permit [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+.*
> permit ":.*"
> deny .*
> }
>
>
> (config-router)#nei 1:2:3:4:5:6:7:9 remote-as 1
> Command authorization failed.
>
>
> Mon Jun 6 20:12:57 2011 [31045]: authorize_cmd: user=XXXX, cmd=neighbor
> Mon Jun 6 20:12:57 2011 [31045]: line 284 compare neighbor permit '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+.*' & 'remote-as 1 <cr>' no match
> Mon Jun 6 20:12:57 2011 [31045]: line 285 compare neighbor permit ':.*' & 'remote-as 1 <cr>' no match
looks like the device is not sending the address. i haven't reviewed the code,
but as i recall, it comes direct from (and is expanded to its canonical form
by) the device.
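
The debug log quoted above can be replayed offline to separate a regex problem from a missing-argument problem. This is an added example, not part of the original thread and not tac_plus code: Python's re module stands in for the daemon's regex matching, and unanchored, first-match-wins evaluation is an assumption, as are the two constructed argument strings.

```python
import re

# Rules from the quoted "cmd = neighbor" stanza, in file order.
NEIGHBOR_RULES = [
    ("permit", r"[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+.*"),
    ("permit", r":.*"),
    ("deny", r".*"),
]

# Argument string exactly as it appears in the quoted debug log.
LOGGED_ARGS = "remote-as 1 <cr>"
# Constructed: what the string would look like if the address were included.
WITH_V6 = "1:2:3:4:5:6:7:9 remote-as 1 <cr>"
WITH_V4 = "192.0.2.1 remote-as 1 <cr>"


def trace(args, rules=NEIGHBOR_RULES):
    """List (action, pattern, matched) for each rule tried, stopping at the first match."""
    tried = []
    for action, pattern in rules:
        matched = re.search(pattern, args) is not None  # assumption: unanchored search
        tried.append((action, pattern, matched))
        if matched:
            break
    return tried


def authorize(args, rules=NEIGHBOR_RULES):
    """Return (action, pattern) of the first matching rule; deny if none matches."""
    tried = trace(args, rules)
    if tried and tried[-1][2]:
        return tried[-1][0], tried[-1][1]
    return "deny", None  # assumption: nothing matched means not authorized


if __name__ == "__main__":
    for sample in (LOGGED_ARGS, WITH_V6, WITH_V4):
        print(repr(sample))
        for action, pattern, matched in trace(sample):
            print(f"  compare neighbor {action} {pattern!r}: "
                  f"{'match' if matched else 'no match'}")
        print("  result:", authorize(sample)[0])
```

The logged string reaches "deny .*" because it has no address for either permit to match; with an address in front, the same rules permit the command.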