[tac_plus] Configuring a/v pair expected by Brocade VDX switch
Jathan McCollum
jathan at gmail.com
Fri Sep 30 20:39:32 UTC 2011
Dear everybody-
We just got these shiny new Brocade VDX units in our lab and they're running
Network OS v2.0.1a with a very stripped down CLI. Apparently this platform
used to be a SAN switch.
I have basic authentication working via PAP, but that's only half the
battle:
aaa authentication login tacacs+
tacacs-server host HOST1 protocol pap key KEY timeout 1
tacacs-server host HOST2 protocol pap key KEY timeout 1
And on the server:
group = admin {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}
user = jathan {
    login = des [redacted]
    pap = des [redacted]
    member = 181
}
The system uses a role model similar to that in JUNOS that designates what
users can do. Commands are assigned to roles, and roles are assigned to
users.
I know that if I want to give a user superuser (read-write) access I can assign
them to the "admin" role (one of the 2 built-ins). The other built-in is
"user", which is read-only. If a TACACS user doesn't receive a role from
the server, it defaults to "user":
% telnet myswitch
myswitch login: jathan
Password:
User's role is unavailable, using default.
Welcome to the Brocade Network Operating System Software
jathan connected from 127.0.0.1 using console on myswitch
myswitch#
The documentation indicates the device is expecting the server to send an
a/v pair that specifies the authenticated user's role. I assume the value
would be "admin" in this case. The problem is that nowhere in the
documentation so far have I seen what attribute the device is expecting.
There may also be a unique service type (again similar to JUNOS'
"junos-exec") that is being expected.
So... After all that background, has anyone had experience with this platform
and gotten it working successfully w/ tac_plus?
Thanks in advance!
--
Jathan.