[tac_plus] per-host user attribute

Daniel Schmidt daniel.schmidt at wyo.gov
Tue Jan 6 17:40:22 UTC 2015


Thanks Alan - quick clarification, if you want to use do_auth, it MUST be
able to accept exit value of 2.  For instance, HP (at least the old junk
I've played with) and Cisco WLC won't, and that completely breaks do_auth's
ability to modify the return pairs.  It can still deny or accept based on
IP addr', but it can't modify any roles set in tac_plus.  Nexus works
though.

It looks like tacacs.org is completely gone, along with all the examples I
had put up there back when I had time to do that sort of thing.  That
certainly sucks.

On Tue, Jan 6, 2015 at 10:14 AM, Alan McKinnon <alan.mckinnon at gmail.com>
wrote:

> On 06/01/2015 17:56, Munroe Sollog wrote:
> > I have a server that supports tacacs+ but requires me to send a user
> attribute of 'role' that
> > needs to be either 'admin' or 'read-only' along with the
> authentication.  I'm looking for
> > documentation for how to do this but I can't seem to find anything useful.
>
>
> Hi Munroe
>
> What you want is this inside a group definition:
>
> service = exec {
>   role = admin
> }
>
> or
>
> service = exec {
>   role = read-only
> }
>
> I assume this is for login authorization, and the device uses a service
> called "exec".
>
> Keep in mind that this runs out of steam very quickly, mostly because
> tac_plus.conf is designed to do whatever it does globally. You can't
> easily specify this per-host without breaking other things for example.
>
> If you run into this yourself, switch to using Dan Schmidt's do_auth
> script shipped with recent versions of tac_plus. It gives you vastly
> more control.
>
> --
> Alan McKinnon
> alan.mckinnon at gmail.com
>
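The thread above turns on two points: Alan's static `service = exec { role = ... }` group stanza cannot vary by device, and Daniel's note that a post-authorization hook such as do_auth can only rewrite the returned attribute-value pairs when the device accepts a reply carrying exit value 2 (otherwise the hook is limited to permit or deny). The following Python script is an added illustration of that decision logic, written for this page; it is not do_auth.py and not code from the tac_plus project. The exit-status meanings (0 permit unchanged, 1 deny, 2 permit and replace pairs with what the script prints) are taken from the thread's description, and the command-line interface, the device networks, the user-to-role mapping and the list of "cannot accept replacement" networks are all constructed for the example.

```python
#!/usr/bin/env python3
"""Toy per-device role hook in the style of a tac_plus post-authorization
script. Added example for this thread; not do_auth.py and not tac_plus code."""
import ipaddress
import sys

# Exit statuses as described in the thread (assumption, not verified against
# the tac_plus source): 0 = permit with the NAS's own pairs, 1 = deny,
# 2 = permit and replace the pairs with the ones printed on stdout.
PERMIT_UNCHANGED = 0
DENY = 1
PERMIT_REPLACE = 2

# Constructed policy: which device network grants which role to which user.
# This is the per-host control that a flat tac_plus.conf group cannot express.
POLICY = [
    {"net": "10.1.0.0/24", "users": {"munroe": "admin", "ops": "read-only"}},
    {"net": "10.2.0.0/24", "users": {"munroe": "read-only"}},
    {"net": "10.3.0.0/24", "users": {"munroe": "admin"}},
]

# Constructed list of device networks whose NAS cannot accept a replacement
# reply (the HP / Cisco WLC behaviour Daniel describes). For these the hook
# may only permit or deny; the role has to come from the static group config.
NO_REPLACE_NETS = ["10.3.0.0/24"]


def parse_pairs(lines):
    """Parse 'attr=value' lines (as a NAS sends them, one per line) into a
    dict. Blank or malformed lines are ignored rather than treated as pairs."""
    pairs = {}
    for line in lines:
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pairs[key] = value
    return pairs


def decide(client_ip, user, requested):
    """Return (exit_status, pairs_to_print) for one authorization request.

    client_ip is the address of the device that sent the request, user the
    authenticated user, requested the pairs the device asked for."""
    ip = ipaddress.ip_address(client_ip)

    # Look up the role this user holds on the requesting device's network.
    role = None
    for rule in POLICY:
        if ip in ipaddress.ip_network(rule["net"]):
            role = rule["users"].get(user)
            break
    if role is None:
        # No role on this device: deny. Deny works regardless of whether the
        # device can accept a replacement reply.
        return DENY, {}

    # A device that cannot take a replacement reply gets a plain permit; the
    # role it actually receives is whatever the static group stanza says.
    if any(ip in ipaddress.ip_network(net) for net in NO_REPLACE_NETS):
        return PERMIT_UNCHANGED, {}

    # Otherwise hand back the device's pairs with the per-host role applied.
    new_pairs = dict(requested)
    new_pairs["role"] = role
    return PERMIT_REPLACE, new_pairs


def main():
    # Constructed interface: script.py <device_ip> <user>, pairs on stdin.
    if len(sys.argv) != 3:
        sys.exit(DENY)
    status, pairs = decide(sys.argv[1], sys.argv[2], parse_pairs(sys.stdin))
    for key, value in pairs.items():
        print(f"{key}={value}")
    sys.exit(status)


if __name__ == "__main__":
    main()
```

Run as `echo service=exec | ./script.py 10.1.0.5 munroe`: it prints `service=exec` and `role=admin` and exits 2, while the same user from 10.3.0.5 exits 0 with no output because that network is marked as unable to accept a replacement reply. Keeping the "cannot replace" devices on the permit-only path is the practical consequence of Daniel's caveat: for those devices the role must still be set in the tac_plus.conf group, and the hook only adds an extra accept/deny gate.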
