[tac_plus] Should optional A/V pair be sent?
Mick Day
mick at mickday.com
Mon Jan 23 11:30:47 UTC 2012
Hi Everyone,
I am having a problem with sending optional a/v pair from tac_plus, this is
related to post
http://www.shrubbery.net/pipermail/tac_plus/2011-September/000978.html as it
now appears that the latest Brocade VDX code now supports optional a/v pairs
for 'brcd-role' the only problem is that when the NAS authenticates with the
server only the mandatory a/v pairs are being sent
My configuration is as follows:
group = admin {
default service = permit
service = exec {
priv-lvl = 15
optional brcd-role = admin
}
}
The NAS only ever receives the a/v pair ' priv-lvl = 15' is this expected
behaviour? If I reconfigure the 'brcd-role' to a mandatory it then sends
both 'priv-lvl' and 'brcd-role' but then this creates the same problem as
described in previous post
http://www.shrubbery.net/pipermail/tac_plus/2011-September/000978.html where
Cisco devices fail authorisation.
I have also tried the same with Cisco ACS and this sends both the mandatory
and optional a/v pairs allowing both devices to be able to login.
I am unclear as to whether it is expected behaviour for server to send
optional a/v pairs by default?
More information about the tac_plus
mailing list