[tac_plus] Configuring a/v pair expected by Brocade VDX switch
Jathan McCollum
jathan at gmail.com
Fri Sep 30 21:14:03 UTC 2011
Hey John, thanks for the reply. That's a good suggestion that I'll tuck away
for future reference.
I actually tracked down access to the Brocade support knowledge base and
found a document someone had posted using Cisco ASA.
And it is:
brcd-role = <role>
So my group config would be:
group = admin {
    default service = permit
    service = exec {
        priv-lvl = 15
        brcd-role = admin
    }
}
However, sharing that with Cisco devices causes them to be unhappy and fail
authorization. I tried prepending the "optional" keyword e.g. "optional
brcd-role = admin", which makes Cisco devices happy again, but breaks it on
the Brocade.
So... almost there, but still missing something.
On Fri, Sep 30, 2011 at 1:59 PM, john heasley <heas at shrubbery.net> wrote:
> Fri, Sep 30, 2011 at 01:39:32PM -0700, Jathan McCollum:
> > The documentation indicates the device is expecting the server to send an
> > a/v pair that specifies the authenticated user's role. I assume the value
> > would be "admin" in this case. The problem is that nowhere in the
> > documentation so far have I seen what attribute the device is expecting.
> > There may also be a unique service type (again similar to JUNOS'
> > "junos-exec") that is being expected.
> >
> > So... After all that background, anyone had experience with this platform
> > and gotten it working successfully w/ tac_plus?
>
> none, but some devices send the av pairs they have when they perform
> authen and/or author. if you enable the appropriate debugging knobs, it
> might reveal it to you.
>
> or, take the image that you load on the box, uncompress it, unzip it or
> whatever their packaging method is, then run strings(1) on it and look
> for strings that might be related to authorization. then send a bomb to
> brocade offices.
>
--
Jathan.
--
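
Added example, not part of the original thread: a small Python model of why one reply cannot satisfy both device types. In a TACACS+ authorization reply (RFC 8907) a mandatory pair is sent as "attr=value" and an optional one as "attr*value", which is what tac_plus's "optional" keyword selects. The client profiles and their attribute sets are assumptions chosen to reproduce the behaviour reported in the message.

```python
# Added illustration (not from the thread). Per RFC 8907, an authorization
# reply carries AV pairs as "attr=value" (mandatory) or "attr*value" (optional).

def parse_av(pair):
    """Split one AV pair into (name, value, mandatory)."""
    seps = [i for i in (pair.find("="), pair.find("*")) if i > 0]
    if not seps:
        raise ValueError(f"malformed AV pair: {pair!r}")
    i = min(seps)  # the first separator wins; the value may contain = or *
    return pair[:i], pair[i + 1:], pair[i] == "="

def authorize(reply, known, needs_mandatory=()):
    """Model a client's verdict on a reply: returns (accepted, applied).

    known           -- attributes the client understands
    needs_mandatory -- attributes it honours only when sent as mandatory
                       (assumption: models the Brocade result reported above)
    """
    applied = {}
    for pair in reply:
        name, value, mandatory = parse_av(pair)
        if name not in known:
            if mandatory:
                return False, {}  # RFC 8907: unknown mandatory AV fails authorization
            continue              # unknown optional AV is ignored
        if mandatory or name not in needs_mandatory:
            applied[name] = value
    if any(attr not in applied for attr in needs_mandatory):
        return False, {}
    return True, applied

# Constructed replies matching the two group configs in the message.
MANDATORY_REPLY = ["priv-lvl=15", "brcd-role=admin"]
OPTIONAL_REPLY = ["priv-lvl=15", "brcd-role*admin"]

# Hypothetical client profiles; the attribute sets are assumptions.
CISCO = {"known": {"priv-lvl"}}
BROCADE = {"known": {"priv-lvl", "brcd-role"}, "needs_mandatory": ("brcd-role",)}

def matrix():
    """Verdict of each client profile for each reply form."""
    return {(c, r): authorize(reply, **profile)
            for c, profile in (("cisco", CISCO), ("brocade", BROCADE))
            for r, reply in (("mandatory", MANDATORY_REPLY), ("optional", OPTIONAL_REPLY))}

if __name__ == "__main__":
    for key, verdict in matrix().items():
        print(key, verdict)
```

Under these assumptions neither reply form is accepted by both profiles, which matches the "almost there" state described in the message.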