[tac_plus] Nexus
Alan McKinnon
alan.mckinnon at gmail.com
Wed Nov 2 21:46:17 UTC 2011
On Wed, 2 Nov 2011 12:55:21 -0600
Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:
> I have updated the do_auth.py authentication script to handle nexus,
> thus it can provide the same multiple group authentication it
> provides on other Cisco devices. (or at least provide an example)
> I have not been able to pass a role tac_pair successfully – please
> post if you have any progress with this.
tac_plus requires it in this form:
shell:roles="\"level1\""
Yes, you see it right. Two levels of double quotes, inner pair escaped.
Many brain cells died in agony to discover that one :-)
>
> I had success with the nexus with the following config: (Note that
> many of the commands you traditionally look for are available)
>
> !Command: show running-config aaa
> !Time: Wed Oct 26 18:28:46 2011
>
> version 5.0(3)N1(1c)
> aaa authentication login default group private
> aaa authorization config-commands default group private
> aaa authorization commands default group private
> aaa accounting default group private
>
> As was discussed previously, the nexus seems to authenticate pap. No
> clue why Cisco did this; putting pap user names in the tac_plus.conf
> fixes login issues. Also, the resulting accounting file is
> different so if you have written cgi scripts to parse your accounting
> log, be prepared to rewrite them.
--
Alan McKinnon
alan.mckinnon at gmail.com
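
Added example, not part of the original post and not code from do_auth.py or tac_plus: a small Python check that scans tac_plus.conf text for shell:roles lines that are not in the doubly quoted form given in the reply above, plus a helper that writes the line correctly. The sample config, the group names, the function names and the handling of several space-separated roles are assumptions made for illustration.

```python
import re

# Form reported in the reply above: shell:roles="\"level1\""
# (outer double quotes, inner pair backslash-escaped).
# Assumption: several roles may be listed space-separated inside the inner pair.
ROLE = r'[A-Za-z0-9_.-]+'
GOOD = re.compile(r'shell:roles\s*=\s*"\\"' + ROLE + r'(?: ' + ROLE + r')*\\""\s*$')

def render_roles(roles):
    """Build the attribute line with both levels of quoting."""
    for r in roles:
        if not re.fullmatch(ROLE, r):
            raise ValueError("unexpected character in role name: %r" % r)
    return 'shell:roles="\\"' + ' '.join(roles) + '\\""'

def check_roles(conf_text):
    """Return [(line_no, line)] for shell:roles lines not in the reported form."""
    bad = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith('#') or 'shell:roles' not in line:
            continue  # full-line comment or unrelated line
        if not GOOD.search(line):
            bad.append((no, line))
    return bad

# Constructed sample config (hypothetical group names), not taken from the post.
SAMPLE = r'''
group = nexus_ops {
    service = exec {
        shell:roles="\"level1\""
    }
}
group = broken_a {
    service = exec {
        shell:roles="level1"
    }
}
group = broken_b {
    service = exec {
        shell:roles=level1
    }
}
'''

if __name__ == "__main__":
    print(render_roles(["level1"]))
    for no, line in check_roles(SAMPLE):
        print("line %d: roles value lacks the escaped inner quotes: %s" % (no, line))
```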