[tac_plus] Problem with creating Multiple groups for a single user. (creating composite groups)

Aaron Wasserott aaron.wasserott at viawest.com
Mon Apr 7 14:53:18 UTC 2014


I would definitely give do_auth a try; you should be able to consolidate down to one tacacs daemon. How complex it needs to be depends really on your support user base. I use the tac_plus.conf file to point the different tiers of support users to different do_auth files. From there, I create separate groups in do_auth.ini that use device_permit to specify what commands they can run on the different devices, and pass the proper privilege level if necessary. You can use the DEFAULT user in the do_auth.ini file to assign everyone to the same groups in your do_auth.ini file, if you have already assigned users to a given do_auth.ini file in tac_plus.conf.

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Asif Iqbal
Sent: Sunday, April 06, 2014 1:17 PM
To: Daniel Schmidt
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] Problem with creating Multiple groups for a single user. (creating composite groups)

On Sun, Apr 6, 2014 at 2:53 PM, Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:

>
> On a side note, while thanking Alan for his assisting while I was out, 
> I have to also smile at a bit of irony in that the one person who was 
> wary and wouldn't touch do_auth is now helping people with it.  :-P  
> Thanks Alan!
>

Another off-topic comment, but we manage about 8 different tac_plus instances on different IP/PORT combinations. And command authorizations are different, at least between Cisco and Juniper. We also have Arista, Alcatel and others.

I should give the do_auth a try, not sure how different command authorization syntax can be consolidated?

Sorry about injecting off-topic conversation here.


--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
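
The layout described in the reply at the top of this message, sketched as an added example (not either poster's configuration): one tac_plus daemon, one do_auth file per support tier, and per-vendor groups inside that file selected by device_permit. File paths, group names, address ranges and command patterns are constructed assumptions; privilege-level attributes are not shown.

```ini
; do_auth_tier1.ini (constructed example; every name, range and pattern is an assumption)
;
; tac_plus.conf side, shown as comments because it is a separate file.
; Each support tier is a tac_plus group that hands authorization to its own
; do_auth file; users are made members of the tier group in tac_plus.conf:
;
;   group = tier1 {
;       default service = permit
;       after authorization "/usr/bin/python /usr/local/bin/do_auth.py -i $address -u $user -d $name -l /var/log/do_auth_tier1.log -f /etc/tacacs/do_auth_tier1.ini"
;   }
;
; Because tac_plus.conf has already decided who lands in this file, the
; default user assigns the same groups to every one of them.

[users]
default =
    cisco_tier1
    arista_tier1

; Applies only when the device being managed is in the (assumed) Cisco range.
[cisco_tier1]
host_allow =
    .*
device_permit =
    10\.1\..*
command_permit =
    show .*
    ping .*
    exit

; Applies only when the device being managed is in the (assumed) Arista range,
; so its command patterns can differ from the Cisco group's.
[arista_tier1]
host_allow =
    .*
device_permit =
    10\.2\..*
command_permit =
    show .*
    exit
```

A second tier would get its own tac_plus group and its own do_auth file with the same structure and wider command_permit lists, all served by the same daemon.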