[tac_plus] per-host user attribute

Daniel Schmidt daniel.schmidt at wyo.gov
Tue Jan 6 22:16:55 UTC 2015


Thanks, I didn't think wayback would have it.

On Tue, Jan 6, 2015 at 2:12 PM, Asif Iqbal <vadud3 at gmail.com> wrote:

>
>
> On Tue, Jan 6, 2015 at 12:40 PM, Daniel Schmidt <daniel.schmidt at wyo.gov>
> wrote:
>
>> Thanks, Alan. Quick clarification: if you want to use do_auth, it MUST be
>> able to accept an exit value of 2.  For instance, HP (at least the old junk
>> I've played with) and Cisco WLC won't, and that completely breaks do_auth's
>> ability to modify the return pairs.  It can still deny or accept based on
>> IP address, but it can't modify any roles set in tac_plus.  Nexus works
>> though.
>>
>> It looks like tacacs.org is completely gone, along with all the examples I
>> had put up there back when I had time to do that sort of thing.  That
>> certainly sucks.
>>
>
> I guess you can collect them back through wayback?
>
>  https://web.archive.org/web/20110506210622/http://tacacs.org/
>
>
>
>> On Tue, Jan 6, 2015 at 10:14 AM, Alan McKinnon <alan.mckinnon at gmail.com>
>> wrote:
>>
>> > On 06/01/2015 17:56, Munroe Sollog wrote:
>> > > I have a server that supports tacacs+ but requires me to send a user
>> > > attribute of 'role' that needs to be either 'admin' or 'read-only'
>> > > along with the authentication.  I'm looking for documentation for how
>> > > to do this but I can't seem to find anything useful.
>> >
>> >
>> > Hi Munroe
>> >
>> > What you want is this inside a group definition:
>> >
>> > service = exec {
>> >   role = admin
>> > }
>> >
>> > or
>> >
>> > service = exec {
>> >   role = read-only
>> > }
>> >
>> > I assume this is for login authorization, and the device uses a service
>> > called "exec".
>> >
>> > Keep in mind that this runs out of steam very quickly, mostly because
>> > tac_plus.conf is designed to do whatever it does globally. You can't
>> > easily specify this per-host without breaking other things for example.
>> >
>> > If you run into this yourself, switch to using Dan Schmidt's do_auth
>> > script shipped with recent versions of tac_plus. It gives you vastly
>> > more control.
>> >
>> > --
>> > Alan McKinnon
>> > alan.mckinnon at gmail.com
>> > _______________________________________________
>> > tac_plus mailing list
>> > tac_plus at shrubbery.net
>> > http://www.shrubbery.net/mailman/listinfo/tac_plus
>> >
>>
>>
>> E-Mail to and from me, in connection with the transaction
>> of public business, is subject to the Wyoming Public Records
>> Act and may be disclosed to third parties.
>>
>
>
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
>
>


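The exit-code behaviour Daniel describes above, worked through as an added example. This is my own illustration, not do_auth and not code shipped with tac_plus. tac_plus runs the program named in an "after authorization" line, hands it the AV pairs it was about to return on stdin, one per line, and turns the exit status into the reply the device sees: 0 permits the configured pairs unchanged, 1 denies, and 2 permits with whatever the program printed on stdout in place of the configured pairs (TACACS+ AUTHOR_STATUS_PASS_REPL, the "exit value of 2" the device must be able to accept). The rule table, user names and device addresses are constructed for illustration; the "-u $user -d $name" invocation follows do_auth's documented calling convention and is an assumption here, not something the thread states. The --no-replace switch goes beyond the thread: it models a device that cannot consume PASS_REPL, where the hook may still permit or deny on address but never rewrite the role, so it fails closed whenever the role statically configured in tac_plus.conf is not the one policy wants.

```python
#!/usr/bin/env python3
"""Minimal tac_plus "after authorization" hook in the spirit of do_auth.

Added example, not do_auth itself. Exit status mapping as tac_plus uses it:
  0  permit, device gets the pairs configured in tac_plus.conf unchanged
  1  deny
  2  permit, the pairs this program prints on stdout REPLACE the configured
     ones (AUTHOR_STATUS_PASS_REPL); some devices cannot handle this reply
"""
import argparse
import ipaddress
import sys

PERMIT, DENY, PERMIT_REPLACE = 0, 1, 2

# Constructed sample policy, first matching rule wins. In tac_plus.conf the
# same users would sit in one group with a static
#     service = exec { role = read-only }
# and this hook raises the role per device.
POLICY = [
    {"users": {"alice"}, "devices": "10.0.0.0/24", "role": "admin"},
    {"users": {"alice"}, "devices": "0.0.0.0/0",   "role": "read-only"},
    {"users": {"bob"},   "devices": "10.0.0.0/24", "role": "read-only"},
]


def parse_av_pairs(text):
    """Split 'attr=value' / 'attr*value' lines as tac_plus writes them.
    '=' marks a mandatory pair, '*' an optional one; keep the separator."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        for i, ch in enumerate(line):
            if ch in "=*":
                pairs.append((line[:i], ch, line[i + 1:]))
                break
        else:
            raise ValueError("malformed AV pair: %r" % line)
    return pairs


def format_av_pairs(pairs):
    """Inverse of parse_av_pairs: one pair per line for tac_plus to read."""
    return "".join("%s%s%s\n" % p for p in pairs)


def lookup_role(user, device_ip):
    """Role the policy wants for this user on this device, or None."""
    addr = ipaddress.ip_address(device_ip)
    for rule in POLICY:
        if user in rule["users"] and addr in ipaddress.ip_network(rule["devices"]):
            return rule["role"]
    return None


def authorize(user, device_ip, pairs, allow_replace=True):
    """Decide the reply. Returns (exit_code, pairs_to_print)."""
    wanted = lookup_role(user, device_ip)
    if wanted is None:
        return DENY, []                       # no rule: fail closed
    current = [v for k, _, v in pairs if k == "role"]
    if current == [wanted]:
        return PERMIT, pairs                  # static config already right
    if not allow_replace:
        # Device cannot consume PASS_REPL (HP, WLC in the thread): we may
        # permit or deny but never rewrite, so refuse rather than hand out
        # the statically configured, wrong role.
        return DENY, []
    new_pairs = [p for p in pairs if p[0] != "role"] + [("role", "=", wanted)]
    return PERMIT_REPLACE, new_pairs


def main(argv=None):
    ap = argparse.ArgumentParser(description="tac_plus post-authorization hook")
    ap.add_argument("-u", "--user", required=True, help="tac_plus $user")
    ap.add_argument("-d", "--device", required=True,
                    help="device IP; do_auth passes $name here (assumed)")
    ap.add_argument("--no-replace", action="store_true",
                    help="device does not accept AUTHOR_STATUS_PASS_REPL")
    args = ap.parse_args(argv)
    pairs = parse_av_pairs(sys.stdin.read())
    code, out = authorize(args.user, args.device, pairs, not args.no_replace)
    if code == PERMIT_REPLACE:
        sys.stdout.write(format_av_pairs(out))  # replacement pairs for tac_plus
    return code


if __name__ == "__main__":
    sys.exit(main())
```

Wired in with a line such as after authorization "/usr/local/bin/role_hook.py -u $user -d $name" (the $name substitution is do_auth's convention and an assumption here), the static group in tac_plus.conf carries the safe default role and the hook upgrades it only for the devices that match; on a device that chokes on the replacement reply, run it with --no-replace and accept that it can then only gate access, which is exactly the limitation Daniel reports.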