[tac_plus] Different AV pairs for the same service
Munroe Sollog
mus3 at lehigh.edu
Mon May 15 17:38:14 UTC 2017
I am using tacacs to aaa nexus equipment and now a firepower chassis
manager. My 'admins' group is configured like so:
group = admins {
    default service = permit
    service = exec {
        priv-lvl = 15
        # optional shell:roles = "admin network-admin"
        optional shell:roles = "network-admin"
        optional shell:roles = "admin"
    }
    service = AMP {
        role = "tacacs"
    }
    service = gigamon {
    }
}
The problem is the nexus equipment uses the network-admin role while the
firepower chassis manager uses the admin role. While I can probably create
one role on the other box, I was wondering if there was an easier way to
resolve this issue. As you see, I have tried a space-separated list as well
as individual statements.
For further reference here is the documentation on the firepower tacacs
config:
http://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos201/web-config/b_GUI_ConfigGuide_FXOS_201/user_management.html#concept_2770BFB3259042F5A4420595A0A6946C
--
Munroe Sollog
Senior Network Engineer
munroe at lehigh.edu
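
One way to hand each platform only the role it expects, as an added example that is not part of the original post and not tac_plus's own code: a filter that rewrites the shell:roles AV pairs per device. It assumes the script is wired in as an authorization hook that gets the device name as its first argument, reads the AV pairs one per line on stdin, and signals replaced pairs with exit status 2; the hostname prefixes and the ROLE_BY_DEVICE mapping are constructed.

```python
import re
import sys

# Constructed mapping (assumption): device-name pattern -> the one role it accepts.
ROLE_BY_DEVICE = [
    (re.compile(r"^nx-"), "network-admin"),  # Nexus switches, hypothetical naming
    (re.compile(r"^fxos-"), "admin"),        # Firepower chassis manager
]
ROLE_ATTR = "shell:roles"


def split_av(pair):
    """Split 'attr=value' (mandatory) or 'attr*value' (optional) into its parts."""
    m = re.match(r"^([^=*]+)([=*])(.*)$", pair)
    return m.groups() if m else (pair, "", "")


def rewrite(device, av_pairs):
    """Keep only the shell:roles value meant for this device; pass the rest through."""
    wanted = next((role for pat, role in ROLE_BY_DEVICE if pat.search(device)), None)
    out, emitted = [], False
    for raw in av_pairs:
        pair = raw.strip()
        attr, sep, value = split_av(pair)
        if attr != ROLE_ATTR:
            out.append(pair)
            continue
        # A value may hold one role or a space-separated list of roles.
        roles = value.strip('"').split()
        if wanted in roles and not emitted:
            out.append(f'{ROLE_ATTR}{sep}"{wanted}"')
            emitted = True
    # Unknown device: every shell:roles pair is dropped, so no role is granted here.
    return out


def main(argv, stdin):
    device = argv[1] if len(argv) > 1 else ""
    pairs = [line for line in stdin.read().splitlines() if line.strip()]
    print("\n".join(rewrite(device, pairs)))
    return 2  # assumed hook contract: 2 = permit, use the pairs printed above


if __name__ == "__main__":
    sys.exit(main(sys.argv, sys.stdin))
```

Matching on an explicit device list and dropping the role for anything unrecognised keeps a newly added or misnamed device from inheriting an administrative role by default.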