[tac_plus] More complex do_auth.py
Brandon Ewing
nicotine at warningg.com
Wed May 4 02:48:50 UTC 2011
Has anyone re-written do_auth.py to support command authorization on a
per-device basis? Currently, device IP is only considered on login. Does
TACACS+ pass the device ID when attempting to authorize commands? It would
be beneficial to permit/deny commands on a per-group basis, considering the
device ID.
This would allow one to group allowed commands on a per-device
basis, allowing a group that can execute "interface" or "router"
configuration commands on all but a subset of devices, such as core network
equipment.
--
Brandon Ewing (nicotine at warningg.com)
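
An added example, not part of the original post and not code from do_auth.py or tac_plus: a minimal per-group, per-device command check of the kind the message describes. It assumes the authorization hook is handed the device address, which the post asks about and this example does not establish; the group name, networks and command patterns are hypothetical.

```python
import ipaddress
import re

# Constructed sample policy: group name, networks and patterns are hypothetical.
POLICY = {
    "netops": {
        # Devices where the restricted patterns apply (e.g. core equipment).
        "restricted_devices": ["10.0.0.0/24"],
        "restricted_commands": [r"^interface\b", r"^router\b"],
        # Commands the group may run on any device not restricted above.
        "allowed_commands": [r"^show\b", r"^interface\b", r"^router\b"],
    },
}


def device_in(device_ip, networks):
    """True if device_ip falls inside any of the listed networks."""
    addr = ipaddress.ip_address(device_ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def matches(command, patterns):
    """True if the command matches any pattern (case-insensitive)."""
    return any(re.search(p, command.strip(), re.IGNORECASE) for p in patterns)


def authorize(group, device_ip, command):
    """Return True to permit, False to deny. Unknown input is denied."""
    rules = POLICY.get(group)
    if rules is None:
        return False  # unknown group: fail closed
    try:
        restricted = device_in(device_ip, rules["restricted_devices"])
    except ValueError:
        return False  # unparsable device address: fail closed
    if restricted and matches(command, rules["restricted_commands"]):
        return False  # per-device deny wins over the group-wide allow
    return matches(command, rules["allowed_commands"])
```

The per-device deny is evaluated before the group-wide allow, so a device address that is missing or malformed results in a deny rather than falling through to the broader rule.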