[tac_plus] multiple groups per user

Daniel Schmidt daniel.schmidt at wyo.gov
Mon May 13 20:57:12 UTC 2013


Yeah, Cisco does NOT like to get pairs it doesn't understand.  If your
Juniper and Cisco networks are on different IP spaces, then it should be
possible by creating a group to match them by IP (device_permit/deny). If
not, well....

I don't use a lot of Juniper - I think the tac pairs they send are the same -
you can un-comment the part that says "for item in av_pairs:" and take a
look at the initial pairs they send.  If they are, in fact, different from
Juniper, I can kluge something to tell the difference like I did with Nexus.

On a side note, I added '/' notation via netaddr to do_auth if anybody
wants to try it out.  Makes a lot more sense than the regular expressions,
but requires an egg.


On Mon, May 13, 2013 at 11:45 AM, Tom Murch <tmurch at tommurch.com> wrote:

> Hi Daniel,
>
> This worked very well, thank you. Is it possible to have multiple service
> entries? I am not sure how to get around that: as I use both Juniper and
> Cisco gear, I have an issue with auth using both.
>
> Tom
>
>
> On Thu, Mar 14, 2013 at 4:29 PM, Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:
>
>> Checkout do_auth.py.  Several people have reported it to be very useful.
>> I've been meaning to do some more work on it and Jathan had some excellent
>> ideas.
>>
>> tacacs.org
>>
>> -----Original Message-----
>> From: tac_plus-bounces at shrubbery.net
>> [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Tom Murch
>> Sent: Thursday, March 14, 2013 12:43 PM
>> To: tac_plus at shrubbery.net
>> Subject: [tac_plus] multiple groups per user
>>
>> Hello, I am trying to get this working. Reading the mailing list I was
>> under the impression this was fixed. I am trying to have the same users
>> admin both Juniper and HP gear.
>>
>> #
>> # tacacs configuration file
>> # xxxxx -
>> # /etc/tac_plus.conf
>>
>> # set the key
>> key = xxxxx
>>
>> accounting file = /var/log/tac_plus.acct
>>
>> # group accounts
>>
>> group = admins {
>>         # cli service for junipers
>>         service = junos-exec {
>>                 local-user-name = admins
>>                 allow-commands = "all"
>>                 allow-configuration = "all"
>>                 deny-commands = ""
>>                 deny-configuration = ""
>>         }
>> }
>>
>> group = admins2 {
>>         default service = permit
>>         service = exec {
>>                 priv-lvl = 15
>>         }
>> }
>>
>> # user accounts
>> user = tom {
>>         member = admins
>>         login = des "xxxxx"
>>         enable = cleartext "xxxxx"
>>         name = "Thomas Murch"
>> }
>>
>> user = tomhp {
>>         member = admins2
>>         login = des "xxxxxx"
>>         enable = cleartext "xxxx"
>>         name = "Thomas Murch"
>> }
>>
>


E-Mail to and from me, in connection with the transaction 
of public business, is subject to the Wyoming Public Records 
Act and may be disclosed to third parties.
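Daniel's suggestion above, grouping devices by IP range so that each device family only receives the attribute-value pairs it understands, as an added example that is not do_auth.py, not tac_plus code and not part of the original thread. The policy table, group name, network ranges, sample device addresses and function names are all assumptions made for the illustration; the stdlib ipaddress module stands in for the netaddr package mentioned in the message so the example runs with no extra egg.

```python
import ipaddress

# Constructed policy table (an assumption for this example).  Each entry of a
# group names the device networks it applies to, in '/' CIDR notation, and the
# AV pairs a device inside those networks should get.  Juniper boxes get the
# junos-exec pairs, Cisco/HP boxes only get priv-lvl, so a Cisco NAS never sees
# a pair it does not understand.
POLICY = {
    "admins": [
        {
            "name": "juniper",
            "device_permit": ["10.10.0.0/16"],
            "device_deny": ["10.10.99.0/24"],  # hypothetical lab subnet, excluded
            "av_pairs": {
                "local-user-name": "admins",
                "allow-commands": "all",
                "allow-configuration": "all",
            },
        },
        {
            "name": "cisco",
            "device_permit": ["10.20.0.0/16", "10.21.5.0/24"],
            "device_deny": [],
            "av_pairs": {"priv-lvl": "15"},
        },
    ],
}


def ip_in_any(ip, networks):
    """True when ip falls inside at least one of the CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def entry_matches(entry, device_ip):
    """A device matches an entry when it is in a permitted network and not in
    a denied one; deny always wins over permit."""
    if ip_in_any(device_ip, entry["device_deny"]):
        return False
    return ip_in_any(device_ip, entry["device_permit"])


def select_av_pairs(group, device_ip, policy=POLICY):
    """Return the AV pairs to hand to device_ip for users in group, or None
    when no entry covers the device (the caller should then deny rather than
    fall back to a mixed pair set).  A device address that does not parse is
    treated as no match instead of raising.  First matching entry wins, so
    order entries from most to least specific if their networks overlap."""
    try:
        ipaddress.ip_address(device_ip)
    except ValueError:
        return None
    for entry in policy.get(group, []):
        if entry_matches(entry, device_ip):
            return dict(entry["av_pairs"])
    return None


def format_av_pairs(pairs):
    """Render pairs as attr=value lines, one per line, sorted for stable
    output, the shape a post-authorization script writes back to tac_plus."""
    return "\n".join(f"{k}={v}" for k, v in sorted(pairs.items()))


if __name__ == "__main__":
    # Constructed sample requests: (group, device IP as seen by the server).
    for grp, dev in [("admins", "10.10.1.5"), ("admins", "10.10.99.7"),
                     ("admins", "10.20.3.4"), ("admins", "192.0.2.1")]:
        pairs = select_av_pairs(grp, dev)
        print(f"--- {grp} from {dev}")
        print("DENY" if pairs is None else format_av_pairs(pairs))
```

The point of returning None rather than an empty or merged set is the one raised in the message: a NAS that rejects unknown pairs will fail the whole authorization, so a device that matches no network should be denied explicitly and show up in the log, not silently receive the other family's attributes.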