[tac_plus] multiple groups per user

Tom Murch tmurch at tommurch.com
Tue May 14 20:21:57 UTC 2013


Does anyone have an example of av_pairs?

I have Arista, Juniper and HP gear I want to auth with. I would really like
to just have it pull from /etc/passwd and use multiple groups per user so I
don't need to have a huge config for only the 5 people I work with. Any help
or example configs would be amazing. Thanks to everyone for the help.



On Mon, May 13, 2013 at 4:57 PM, Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:

> Yeah, Cisco does NOT like to get pairs it doesn't understand.  If your
> Juniper and Cisco networks are on different IP spaces, then it should be
> possible by creating a group to match them by IP (device_permit/deny). If
> not, well....
>
> I don't use a lot of Juniper - I think the tac pairs they send are the same -
> you can un-comment the part that says "for item in av_pairs:" and take a
> look at the initial pairs they send.  If they are, in fact, different than
> Juniper, I can kluge something to tell the difference like I did with Nexus.
>
> On a side note, I added '/' notation via netaddr to do_auth if anybody
> wants to try it out.  Makes a lot more sense than the regular expressions,
> but requires an egg.
>
>
> On Mon, May 13, 2013 at 11:45 AM, Tom Murch <tmurch at tommurch.com> wrote:
>
>> Hi Daniel,
>>
>> This worked very well, thank you. Is it possible to have multiple service
>> entries? I am not sure how to get around that; as I use both Juniper and
>> Cisco gear, I have an issue with auth using both.
>>
>> Tom
>>
>>
>> On Thu, Mar 14, 2013 at 4:29 PM, Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:
>>
>>> Check out do_auth.py.  Several people have reported it to be very useful.
>>> I've been meaning to do some more work on it and Jathan had some
>>> excellent ideas.
>>>
>>> tacacs.org
>>>
>>> -----Original Message-----
>>> From: tac_plus-bounces at shrubbery.net
>>> [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Tom Murch
>>> Sent: Thursday, March 14, 2013 12:43 PM
>>> To: tac_plus at shrubbery.net
>>> Subject: [tac_plus] multiple groups per user
>>>
>>> Hello, I am trying to get this working. Reading the mailing list I was
>>> under the impression this was fixed. I am trying to have the same users
>>> admin both Juniper and HP gear.
>>>
>>> #
>>> # tacacs configuration file
>>> # xxxxx -
>>> # /etc/tac_plus.conf
>>>
>>> # set the key
>>> key = xxxxx
>>>
>>> accounting file = /var/log/tac_plus.acct
>>>
>>> #group accounts
>>>
>>> group = admins {
>>>         ## cli service for junipers
>>>         service = junos-exec {
>>>                 local-user-name = admins
>>>                 allow-commands = "all"
>>>                 allow-configuration = "all"
>>>                 deny-commands = ""
>>>                 deny-configuration = ""
>>>         }
>>> }
>>>
>>> group = admins2 {
>>>         default service = permit
>>>         service = exec {
>>>                 priv-lvl = 15
>>>         }
>>> }
>>>
>>> # users accounts
>>> user = tom {
>>>         member = admins
>>>         login = des "xxxxx"
>>>         enable = cleartext "xxxxx"
>>>         name = "Thomas Murch"
>>> }
>>>
>>> user = tomhp {
>>>         member = admins2
>>>         login = des "xxxxxx"
>>>         enable = cleartext "xxxx"
>>>         name = "Thomas Murch"
>>> }
>>> _______________________________________________
>>> tac_plus mailing list
>>> tac_plus at shrubbery.net
>>> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>>>
>>> E-Mail to and from me, in connection with the transaction
>>> of public business, is subject to the Wyoming Public Records
>>> Act and may be disclosed to third parties.
>>>
>>>
>>
>
>
>
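As an added example (not from this thread or the tac_plus project), one way to give the same user both the Juniper and the HP/Cisco-style service blocks from a single tac_plus.conf: tac_plus allows only one `member =` per user, but groups can themselves be members of groups, so nesting the Juniper group inside the shell group merges both service definitions onto the user, and `login = file /etc/passwd` pulls the password from the system file instead of a per-user hash. The `file` form for `enable` is assumed to accept the same password spec as `login`; the key, paths and names are placeholders.

```conf
# /etc/tac_plus.conf  (added example, placeholder values)

key = REPLACE_WITH_SHARED_SECRET
accounting file = /var/log/tac_plus.acct

# Juniper: attributes returned when the device asks for service=junos-exec.
# Only this block is sent to a Juniper box, so Cisco/HP never see these pairs.
group = juniper_admins {
        service = junos-exec {
                local-user-name = admins
                allow-commands = "all"
                allow-configuration = "all"
                deny-commands = ""
                deny-configuration = ""
        }
}

# HP / Cisco-style shell: drop into priv 15.  The group is also a member of
# juniper_admins, so a user in net_admins inherits the junos-exec block above.
# "default service = permit" authorizes any service/command not listed here,
# so keep it scoped to this group rather than setting it globally.
group = net_admins {
        member = juniper_admins
        default service = permit
        service = exec {
                priv-lvl = 15
        }
}

# One account per person; one "member =" line now covers both device families.
# Passwords come from /etc/passwd, so there is no hash to maintain in this file.
user = tom {
        member = net_admins
        login = file /etc/passwd
        enable = file /etc/passwd
        name = "Thomas Murch"
}
```

Because the device names the service it wants in the authorization request, only the matching service block is returned, which avoids the "unknown pair" problem Daniel describes for Cisco without needing per-device-type users.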

