[tac_plus] Different AV pairs for the same service
Daniel Schmidt
daniel.schmidt at wyo.gov
Mon May 15 20:11:08 UTC 2017
Have you considered using the after authentication "do_auth.py?"
On Mon, May 15, 2017 at 11:38 AM, Munroe Sollog <mus3 at lehigh.edu> wrote:
> I am using tacacs to aaa nexus equipment and now a firepower chassis
> manager. My 'admins' group is configured like so:
>
> group = admins {
> default service = permit
> service = exec {
> priv-lvl = 15
> # optional shell:roles = "admin network-admin"
> optional shell:roles = "network-admin"
> optional shell:roles = "admin"
> }
> service = AMP {
> role = "tacacs"
> }
> service = gigamon {
> }
>
> }
>
> The problem is the nexus equipment uses the network-admin role while the
> firepower chassis manager uses the admin role. While I can probably create
> one role on the other box, I was wondering if there was an easier way to
> resolve this issue. As you see I have tried a space separated list as well
> as individual statements.
>
> For further reference here is the documentation on the firepower tacacs
> config:
>
> http://www.cisco.com/c/en/us/td/docs/security/firepower/
> fxos/fxos201/web-config/b_GUI_ConfigGuide_FXOS_201/user_
> management.html#concept_2770BFB3259042F5A4420595A0A6946C
>
>
>
>
> --
> Munroe Sollog
> Senior Network Engineer
> munroe at lehigh.edu
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://www.shrubbery.net/pipermail/tac_plus/
> attachments/20170515/6acdab2b/attachment.html>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus
>
--
E-Mail to and from me, in connection with the transaction
of public business, is subject to the Wyoming Public Records
Act and may be disclosed to third parties.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20170515/d3ad4235/attachment.html>
More information about the tac_plus
mailing list