[tac_plus] Different AV pairs for the same service

Munroe Sollog mus3 at lehigh.edu
Mon May 15 20:41:08 UTC 2017


I know about do_auth.py and I have been avoiding re-implementing my config
using it until I understand how to do everything.  I haven't found an
example of a do_auth config that allows me to specify different AV pairs
for different devices within the same group though.

On Mon, May 15, 2017 at 4:11 PM, Daniel Schmidt <daniel.schmidt at wyo.gov>
wrote:

> Have you considered using the after authentication "do_auth.py?"
>
> On Mon, May 15, 2017 at 11:38 AM, Munroe Sollog <mus3 at lehigh.edu> wrote:
>
>> I am using tacacs to aaa nexus equipment and now a firepower chassis
>> manager.  My 'admins' group is configured like so:
>>
>> group = admins {
>>         default service = permit
>>         service = exec {
>>              priv-lvl = 15
>> #           optional shell:roles = "admin network-admin"
>>              optional shell:roles = "network-admin"
>>              optional shell:roles = "admin"
>>              }
>>         service = AMP {
>>             role = "tacacs"
>>         }
>>         service = gigamon {
>>         }
>>
>> }
>>
>> The problem is the nexus equipment uses the network-admin role while the
>> firepower chassis manager uses the admin role.  While I can probably
>> create one role on the other box, I was wondering if there was an easier
>> way to resolve this issue.  As you see I have tried a space separated list
>> as well as individual statements.
>>
>> For further reference here is the documentation on the firepower tacacs
>> config:
>>
>> http://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos201/web-config/b_GUI_ConfigGuide_FXOS_201/user_management.html#concept_2770BFB3259042F5A4420595A0A6946C
>>
>>
>>
>>
>> --
>> Munroe Sollog
>> Senior Network Engineer
>> munroe at lehigh.edu
>>
>
>
>
> E-Mail to and from me, in connection with the transaction
> of public business, is subject to the Wyoming Public Records
> Act and may be disclosed to third parties.
>



-- 
Munroe Sollog
Senior Network Engineer
munroe at lehigh.edu
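An added example, written for this page and not taken from the thread or from do_auth's own documentation, of how the per-device split asked about above can be expressed with do_auth.py. It assumes do_auth's documented ini keys (`host_allow`, `device_permit`, `command_permit`, `av_pairs`) and its tac_plus `after authorization` hook; the user name `jdoe` and the 10.10.1.0/24 (Nexus) and 10.10.2.0/24 (Firepower) address ranges are constructed placeholders. Verify the option names and the `$address`/`$name` mapping against the do_auth version you run.

```ini
; do_auth.ini (added example; address ranges and user are constructed)
;
; Hook it from tac_plus.conf, keeping the admins group minimal so that
; do_auth supplies the device-specific AV pairs:
;
;   group = admins {
;       default service = permit
;       service = exec {
;           priv-lvl = 15
;       }
;       after authorization "/usr/bin/python /usr/local/bin/do_auth.py -i $address -u $user -d $name -l /var/log/do_auth.log -f /etc/tac_plus/do_auth.ini"
;   }
;
; As I read do_auth: -i ($address) is the operator's source IP, matched
; against host_allow/host_deny; -d ($name) is the network device, matched
; against device_permit/device_deny. On a match do_auth exits 2 and prints
; the group's av_pairs, which tac_plus uses in place of its own.

[users]
; One TACACS+ user, two do_auth groups: one per device class. The
; device_permit patterns are disjoint, so only one group can match a
; given device and group ordering does not matter.
jdoe =
    admins_nexus
    admins_firepower

[admins_nexus]
host_allow =
    .*
; Nexus switches (constructed range)
device_permit =
    10\.10\.1\..*
command_permit =
    .*
av_pairs =
    priv-lvl=15
    shell:roles="network-admin"

[admins_firepower]
host_allow =
    .*
; Firepower chassis managers (constructed range)
device_permit =
    10\.10\.2\..*
command_permit =
    .*
av_pairs =
    priv-lvl=15
    shell:roles="admin"
```

Because do_auth denies the request when no group's `device_permit` matches (again, as I understand its behaviour), a device outside both ranges gets no role at all rather than an accidental `admin`, which is the safer failure mode; add a third group with its own range rather than widening `device_permit` to `.*` when a new device class appears.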