[tac_plus] Command authorization for IPv6

John Payne john at sackheads.org
Thu Jun 9 17:02:56 UTC 2011


On Jun 7, 2011, at 7:58 PM, john heasley wrote:

> Mon, Jun 06, 2011 at 04:30:36PM -0400, John Payne:
>> Trying to authorize users to only configure neighbors and not peer-groups (as an example). This is highly simplified just to demonstrate the problem:
>> 
>>        cmd = neighbor {
>>                permit [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+.*
>>                permit ":.*"
>>                deny .*
>>        }
>> 
>> 
>> (config-router)#nei 1:2:3:4:5:6:7:9 remote-as 1
>> Command authorization failed.
>> 
>> 
>> Mon Jun  6 20:12:57 2011 [31045]: authorize_cmd: user=XXXX, cmd=neighbor
>> Mon Jun  6 20:12:57 2011 [31045]: line 284 compare neighbor permit '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+.*' & 'remote-as 1 <cr>' no match
>> Mon Jun  6 20:12:57 2011 [31045]: line 285 compare neighbor permit ':.*' & 'remote-as 1 <cr>' no match
> 
> looks like the device is not sending the address.  I haven't reviewed the code,
> but as I recall, it comes direct from (and is expanded to its canonical form
> by) the device.

That's what I thought :(  Yay, more IPv6-related bugs...
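
Added example, not part of the original thread and not tac_plus code: a small Python model of the rule evaluation shown in the debug log, run over the logged argument string and two constructed ones. It assumes rules are tried in order with the first match deciding, that a pattern may match anywhere in the string, and that Python's `re` is close enough to the daemon's regex engine for these three patterns; `authorize` and `explain` are hypothetical names.

```python
import re

# Rules from the posted "cmd = neighbor" block, in order (quotes stripped,
# as the daemon's debug log shows them).
NEIGHBOR_RULES = [
    ("permit", r"[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+.*"),
    ("permit", r":.*"),
    ("deny", r".*"),
]


def authorize(args, rules=NEIGHBOR_RULES):
    """Return (action, pattern) of the first rule whose regex matches args.

    Assumption: rules are tried top to bottom, the first match decides, and
    the regex may match anywhere in the string (re.search).
    """
    for action, pattern in rules:
        if re.search(pattern, args):
            return action, pattern
    return "deny", None  # nothing matched: treated as deny here (assumption)


def explain(args):
    """One-line summary of which rule decided the outcome for args."""
    action, pattern = authorize(args)
    return f"{args!r}: {action} via {pattern!r}"


# The first string is the argument text from the debug log in the thread; the
# other two are constructed to show what the rules do when an address is present.
SAMPLES = [
    "remote-as 1 <cr>",
    "192.0.2.1 remote-as 1 <cr>",
    "1:2:3:4:5:6:7:9 remote-as 1 <cr>",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(explain(sample))
```

With the address missing from the argument string, neither permit pattern has anything to match and the request reaches `deny .*`; the same rules permit the constructed string that includes the IPv6 address.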


