[tac_plus] Should optional A/V pair be sent?

Mick Day mick at mickday.com
Mon Jan 23 11:30:47 UTC 2012


Hi Everyone,

I am having a problem with sending an optional a/v pair from tac_plus. This is
related to the post
http://www.shrubbery.net/pipermail/tac_plus/2011-September/000978.html, as it
now appears that the latest Brocade VDX code supports optional a/v pairs
for 'brcd-role'. The only problem is that when the NAS authenticates with the
server, only the mandatory a/v pairs are being sent.

My configuration is as follows:

group = admin {
    default service = permit
    service = exec {
        priv-lvl = 15
        optional brcd-role = admin
    }
}

The NAS only ever receives the a/v pair 'priv-lvl = 15'. Is this expected
behaviour? If I reconfigure 'brcd-role' as mandatory, it then sends
both 'priv-lvl' and 'brcd-role', but this creates the same problem as
described in the previous post
http://www.shrubbery.net/pipermail/tac_plus/2011-September/000978.html, where
Cisco devices fail authorisation.

I have also tried the same with Cisco ACS and this sends both the mandatory
and optional a/v pairs allowing both devices to be able to login.

I am unclear as to whether it is expected behaviour for the server to send
optional a/v pairs by default.
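For readers following the thread, the mandatory/optional distinction being discussed lives in the TACACS+ authorization argument encoding itself: the protocol separates attribute and value with '=' for a mandatory pair and '*' for an optional one, and a NAS must fail authorization on an unsupported mandatory pair but may ignore an unsupported optional one. The following is an added illustration (not code from the poster or from tac_plus) that parses such arguments and models the NAS-side decision; the reply argument lists it uses are constructed.

```python
# Added example: TACACS+ authorization arguments, mandatory ("attr=value")
# versus optional ("attr*value"), and how a NAS is expected to treat each
# kind. Separator rules follow the TACACS+ protocol (RFC 8907 section 6.1).
# The sample argument lists are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AVPair:
    attr: str
    value: str
    mandatory: bool


def parse_arg(arg: str) -> AVPair:
    """Split one argument on its first '=' or '*'; names contain neither."""
    for i, ch in enumerate(arg):
        if ch == "=":
            return AVPair(arg[:i], arg[i + 1:], True)
        if ch == "*":
            return AVPair(arg[:i], arg[i + 1:], False)
    raise ValueError(f"argument lacks a separator: {arg!r}")


def encode_arg(p: AVPair) -> str:
    """Inverse of parse_arg: emit the wire form the server would send."""
    return f"{p.attr}{'=' if p.mandatory else '*'}{p.value}"


def nas_apply(args: List[str], supported: Set[str]) -> Tuple[bool, Dict[str, str]]:
    """Model the NAS side of an authorization REPLY.

    An unsupported *mandatory* attribute must fail the whole authorization
    (the Cisco behaviour the thread describes when brcd-role is sent as
    mandatory); an unsupported *optional* attribute is simply dropped.
    Returns (authorized, attributes actually applied).
    """
    applied: Dict[str, str] = {}
    for p in map(parse_arg, args):
        if p.attr in supported:
            applied[p.attr] = p.value
        elif p.mandatory:
            return False, {}          # nothing is applied on a failed authorization
    return True, applied


# Constructed REPLY for the poster's config, with brcd-role sent as optional:
REPLY_ARGS = ["priv-lvl=15", "brcd-role*admin"]
```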


