[tac_plus] per-host user attribute

Asif Iqbal vadud3 at gmail.com
Tue Jan 6 21:12:37 UTC 2015


On Tue, Jan 6, 2015 at 12:40 PM, Daniel Schmidt <daniel.schmidt at wyo.gov>
wrote:

> Thanks Alan - quick clarification, if you want to use do_auth, it MUST be
> able to accept exit value of 2.  For instance, HP (at least the old junk
> I've played with) and Cisco WLC won't, and that completely breaks do_auth's
> ability to modify the return pairs.  It can still deny or accept based on
> IP addr', but it can't modify any roles set in tac_plus.  Nexus works
> though.
>
> It looks like tacacs.org is completely gone, along with all the examples I
> had put up there back when I had time to do that sort of thing.  That
> certainly sucks.
>

I guess you can collect them back through wayback?

 https://web.archive.org/web/20110506210622/http://tacacs.org/



> On Tue, Jan 6, 2015 at 10:14 AM, Alan McKinnon <alan.mckinnon at gmail.com>
> wrote:
>
> > On 06/01/2015 17:56, Munroe Sollog wrote:
> > > I have a server that supports tacacs+ but requires me to send a user
> > > attribute of 'role' that needs to be either 'admin' or 'read-only'
> > > along with the authentication.  I'm looking for documentation for how
> > > to do this but I can't seem to find anything useful.
> >
> >
> > Hi Munroe
> >
> > What you want is this inside a group definition:
> >
> > service = exec {
> >   role = admin
> > }
> >
> > or
> >
> > service = exec {
> >   role = read-only
> > }
> >
> > I assume this is for login authorization, and the device uses a service
> > called "exec".
> >
> > Keep in mind that this runs out of steam very quickly, mostly because
> > tac_plus.conf is designed to do whatever it does globally. You can't
> > easily specify this per-host without breaking other things for example.
> >
> > If you run into this yourself, switch to using Dan Schmidt's do_auth
> > script shipped with recent versions of tac_plus. It gives you vastly
> > more control.
> >
> > --
> > Alan McKinnon
> > alan.mckinnon at gmail.com
> > _______________________________________________
> > tac_plus mailing list
> > tac_plus at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo/tac_plus
> >
>
>
> E-Mail to and from me, in connection with the transaction
> of public business, is subject to the Wyoming Public Records
> Act and may be disclosed to third parties.
>



-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
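The per-host role selection that Alan says plain tac_plus.conf cannot express, and that Daniel says do_auth handles via exit value 2, as an added example that is not code from this thread, from do_auth or from tac_plus: a hypothetical Python "after authorization" hook. It reads the authorization AV pairs on stdin, picks a role for the requesting device from a per-network table, and exits 0 (permit unchanged), 1 (deny) or 2 (permit with the rewritten pairs printed on stdout), which is the exit-code convention the thread describes for do_auth. The network table, the script name, and the assumption that tac_plus passes the device address as the first argument (via `$address`) are all constructed for the example.

```python
#!/usr/bin/env python3
"""Hypothetical tac_plus after-authorization hook (not do_auth, not tac_plus code).

Usage (assumed tac_plus.conf wiring, constructed for this example):
    after authorization "/usr/local/bin/role_hook.py $address"

Exit codes follow the convention described in the thread for do_auth:
    0 = permit with the AV pairs unchanged
    1 = deny
    2 = permit with the AV pairs printed on stdout replacing the originals
"""
import ipaddress
import sys

PERMIT, DENY, PERMIT_MODIFIED = 0, 1, 2

# Constructed sample policy: which role a login gets from which device networks.
# A real deployment would load this from a file; these prefixes are made up.
ROLE_BY_NETWORK = {
    "mgmt-lab": (ipaddress.ip_network("10.10.0.0/24"), "admin"),
    "branch":   (ipaddress.ip_network("10.20.0.0/16"), "read-only"),
}


def parse_av_pairs(lines):
    """Split 'attr=value' / 'attr*value' lines into (attr, sep, value) tuples.

    '=' marks a mandatory attribute, '*' an optional one (TACACS+ AV pair syntax).
    The first separator wins, so a '*' inside a value after '=' is kept as data.
    """
    pairs = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        idx = min((i for i in (line.find("="), line.find("*")) if i >= 0), default=-1)
        if idx < 0:
            raise ValueError(f"malformed av pair: {line!r}")
        pairs.append((line[:idx], line[idx], line[idx + 1:]))
    return pairs


def role_for_device(device_ip, table=ROLE_BY_NETWORK):
    """Return the role configured for the network the device belongs to, or None."""
    addr = ipaddress.ip_address(device_ip)
    for _name, (net, role) in table.items():
        if addr in net:
            return role
    return None


def decide(pairs, device_ip, service="exec", table=ROLE_BY_NETWORK):
    """Return (exit_code, pairs_to_return); only the 'role' attribute is touched.

    Devices not listed in the table are denied (fail closed). Requests for a
    service other than the login service are permitted untouched.
    """
    role = role_for_device(device_ip, table)
    if role is None:
        return DENY, []
    if not any(a == "service" and v == service for a, _s, v in pairs):
        return PERMIT, pairs
    existing = [v for a, _s, v in pairs if a == "role"]
    if existing == [role]:
        return PERMIT, pairs  # nothing to rewrite: avoid exit 2 where exit 0 will do
    new_pairs = [(a, s, v) for a, s, v in pairs if a != "role"] + [("role", "=", role)]
    return PERMIT_MODIFIED, new_pairs


def format_av_pairs(pairs):
    """Serialize pairs back to the one-per-line form tac_plus reads from stdout."""
    return "".join(f"{a}{s}{v}\n" for a, s, v in pairs)


def main(argv=None, stdin=sys.stdin, stdout=sys.stdout):
    argv = sys.argv[1:] if argv is None else argv
    if len(argv) != 1:  # no device address: refuse rather than guess a role
        return DENY
    code, pairs = decide(parse_av_pairs(stdin), argv[0])
    if code == PERMIT_MODIFIED:
        stdout.write(format_av_pairs(pairs))
    return code


if __name__ == "__main__":
    sys.exit(main())
```

Daniel's caveat still applies to this hook: a client that cannot accept exit value 2 will only ever see permit or deny from it, so a device that needs its role changed per host would have to be handled by a static group definition instead.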