[tac_plus] per-host user attribute
Alan McKinnon
alan.mckinnon at gmail.com
Tue Jan 6 17:14:37 UTC 2015
On 06/01/2015 17:56, Munroe Sollog wrote:
> I have a server that supports tacacs+ but requires me to send a user attribute of 'role' that
> needs to be either 'admin' or 'read-only' along with the authentication. I'm looking for
> documentation for how to do this but I can't seem to find anything useful.
Hi Munroe
What you want is this inside a group definition:

    service = exec {
        role = admin
    }

or

    service = exec {
        role = read-only
    }

I assume this is for login authorization, and the device uses a service
called "exec".
Keep in mind that this runs out of steam very quickly, mostly because
tac_plus.conf is designed to do whatever it does globally. You can't
easily specify this per-host without breaking other things, for example.
If you run into this yourself, switch to using Dan Schmidt's do_auth
script shipped with recent versions of tac_plus. It gives you vastly
more control.
--
Alan McKinnon
alan.mckinnon at gmail.com
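
How the fragment from the reply above could sit in a tac_plus.conf group and user layout, as an added example that is not part of the original post. The group names and usernames are hypothetical, and the server key and login (authentication) settings are left out.

```conf
# Added example; group and user names are hypothetical.
# Server key and per-user login/authentication settings are omitted.

group = admins {
    # Attribute returned when a device requests exec (login shell) authorization
    service = exec {
        role = admin
    }
}

group = readonly {
    service = exec {
        role = read-only
    }
}

user = alice {
    member = admins
}

user = bob {
    member = readonly
}

# The role follows the user's group, not the device being logged into:
# every device that requests exec authorization for alice receives
# role = admin. This is the global behaviour the reply describes.
```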