[tac_plus] Nexus
Daniel Schmidt
daniel.schmidt at wyo.gov
Wed Nov 2 22:17:15 UTC 2011
Excellent, thanks! I will research find/replace on these pairs & report
back.
-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net]
On Behalf Of Alan McKinnon
Sent: Wednesday, November 02, 2011 3:46 PM
To: tac_plus at shrubbery.net
Subject: Re: [tac_plus] Nexus
On Wed, 2 Nov 2011 12:55:21 -0600
Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:
> I have updated the do_auth.py authentication script to handle nexus,
> thus it can provide the same multiple group authentication it
> provides on other Cisco devices. (or at least provide an example)
> I have not been able to pass a role tac_pair successfully – please
> post if you have any progress with this.
tac_plus requires it in this form:
shell:roles="\"level1\""
Yes, you see it right. Two levels of double quotes, inner pair escaped.
Many brain cells died in agony to discover that one :-)
>
> I had success with the nexus with the following config: (Note that
> many of the commands you traditionally look for are available)
>
> !Command: show running-config aaa
> !Time: Wed Oct 26 18:28:46 2011
>
> version 5.0(3)N1(1c)
> aaa authentication login default group private
> aaa authorization config-commands default group private
> aaa authorization commands default group private
> aaa accounting default group private
>
> As was discussed previously, the nexus seems to authenticate pap. No
> clue why Cisco did this; putting pap user names in the tac_plus.conf
> fixes login issues. Also, the resulting accounting file is
> different so if you have written cgi scripts to parse your accounting
> log, be prepared to rewrite them.
--
Alan McKinnnon
alan.mckinnon at gmail.com
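
The quoting rule from Alan's reply, written as a lint for tac_plus.conf. This is an added example, not part of the thread or of do_auth.py. It assumes tac_plus strips the outer quotes and unescapes \" when it reads the value; the group and role names in the sample are constructed, and space-separated multiple roles are an assumption.

```python
import re

# A shell:roles assignment inside a tac_plus.conf service block.
ROLES_LINE = re.compile(r'^\s*shell:roles\s*=\s*(.*?)\s*$')
ROLE_NAME = re.compile(r'[A-Za-z0-9_-]+')
QUOTED = re.compile(r'".+"')  # value still wrapped in literal double quotes


def render_roles(roles):
    """Build the config line: outer quotes for tac_plus, escaped inner pair for the Nexus."""
    for role in roles:
        if not ROLE_NAME.fullmatch(role):
            raise ValueError("unsafe role name: %r" % role)
    # Joining several roles with spaces is an assumption, not from the thread.
    return 'shell:roles="\\"' + " ".join(roles) + '\\""'


def wire_value(conf_value):
    """Value left once the outer quotes are stripped and escaped quotes unescaped (assumed)."""
    if len(conf_value) >= 2 and conf_value[0] == conf_value[-1] == '"':
        conf_value = conf_value[1:-1]
    return conf_value.replace('\\"', '"')


def find_bad_roles(conf_text):
    """Return (line_no, sent_value) for shell:roles lines that would be sent unquoted."""
    bad = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = ROLES_LINE.match(line)
        if m and not QUOTED.fullmatch(wire_value(m.group(1))):
            bad.append((no, wire_value(m.group(1))))
    return bad


# Constructed sample config; group and role names are made up.
SAMPLE = r'''
group = nexus_admins {
    service = exec {
        shell:roles="\"network-admin\""
    }
}
group = nexus_ops {
    service = exec {
        shell:roles="network-operator"
    }
}
'''
```

Running `find_bad_roles` over a config before reloading tac_plus flags the single-quoted form, which is easy to miss by eye.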