[tac_plus] More on Nexus/do_auth
Daniel Schmidt
daniel.schmidt at wyo.gov
Tue Nov 22 21:28:03 UTC 2011
I’ve modified do_auth to discriminate between the nexus and Cisco (or
Brocade which acts a lot like Cisco). A basic configuration would be:
user = tester {
    default service = permit
    login = cleartext "test_me"
    enable = cleartext "test_me"
    pap = cleartext "test_me"
    service = exec {
        priv-lvl = 1
        shell:roles="network-operator"
        idletime = 3
        timeout = 15
    }
    after authorization "/usr/bin/python /root/do_auth_beta.py -i $address -fix_crs_bug -u $user -d $name -l /root/log2.txt -f /root/do_auth.ini"
}
Do_auth will send shell:roles to the nexus, but filter it from the
Ciscos/Brocades. (Sending both seems to confuse other Cisco devices.) You
can also replace those pairs in do_auth by group, giving network-operator
based on device to some and network-admin to others. It works quite well.
If anybody is interested in testing it, drop me a line, else I’ll get to
posting it when I get to posting it.
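The per-device filtering described above, as an added example that is not the do_auth code from the post: a small post-authorization hook that strips shell:roles for classic Cisco/Brocade devices, keeps it for Nexus switches, and optionally rewrites the role by user group. The Nexus address range, the group-to-role table, the stdin format and the exit status meaning are all assumptions made for this example.

```python
#!/usr/bin/env python3
"""Added example (not do_auth itself): a post-authorization filter in the
style of a tac_plus "after authorization" hook.

Assumptions (not taken from the post): tac_plus hands the av-pairs to the
hook one per line on stdin, and an exit status of 2 means "permit, replace
the av-pairs with what the hook printed". Device ranges and group roles
below are constructed sample data."""
import ipaddress
import sys

# Constructed sample data: which address ranges are Nexus switches, and which
# role each user group should receive on a Nexus.
NEXUS_NETS = [ipaddress.ip_network("10.1.0.0/24")]
GROUP_ROLES = {"netops": "network-operator", "netadmin": "network-admin"}


def is_nexus(address):
    """True if the requesting device address falls in a Nexus range."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in NEXUS_NETS)


def filter_av_pairs(pairs, address, group=None):
    """Return the av-pairs the device should see.

    Nexus devices get shell:roles (rewritten per group when a mapping
    exists); Cisco/Brocade devices get it stripped so only priv-lvl and the
    other exec attributes remain."""
    out = []
    for pair in pairs:
        pair = pair.strip()
        if not pair:
            continue
        if pair.startswith("shell:roles="):
            if not is_nexus(address):
                continue  # strip the role pair for Cisco/Brocade
            if group in GROUP_ROLES:
                pair = 'shell:roles="%s"' % GROUP_ROLES[group]
        out.append(pair)
    return out


def main(argv):
    address = argv[1]
    group = argv[2] if len(argv) > 2 else None
    for pair in filter_av_pairs(sys.stdin.read().splitlines(), address, group):
        print(pair)
    return 2  # assumed meaning: permit, use the printed av-pairs


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Invoked as `do_auth`-style hook with the device address (and optionally the group) as arguments, it prints the filtered pairs back to tac_plus.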