[tac_plus] Different AV pairs for the same service

Daniel Schmidt daniel.schmidt at wyo.gov
Mon May 15 22:32:36 UTC 2017


That is why do_auth allows the use of multiple groups; it can't know the OS
of the device which is talking to it.  A notable exception is Nexus:
do_auth is kluged to know when it is talking to a Nexus and will strip the
shell:roles when talking to other devices.  (Nexus sends a "cmd=\n" which
nobody else seems to.)  I don't know about FXOS; you would have to set
debug in do_auth and send me the returned tac pairs.  I suspect it is the
same as NXOS, in which case you would be required to make two different
groups by IP and assign both of them to the user with av_pairs statements to
send different roles.

On Mon, May 15, 2017 at 2:41 PM, Munroe Sollog <mus3 at lehigh.edu> wrote:

> I know about do_auth.py and I have been avoiding re-implementing my config
> using it until I understand how to do everything.  I haven't found an
> example of a do_auth config that allows me to specify different AV pairs
> for different devices within the same group though.
>
> On Mon, May 15, 2017 at 4:11 PM, Daniel Schmidt <daniel.schmidt at wyo.gov>
> wrote:
>
>> Have you considered using the after authentication "do_auth.py?"
>>
>> On Mon, May 15, 2017 at 11:38 AM, Munroe Sollog <mus3 at lehigh.edu> wrote:
>>
>>> I am using tacacs to aaa nexus equipment and now a firepower chassis
>>> manager.  My 'admins' group is configured like so:
>>>
>>> group = admins {
>>>         default service = permit
>>>         service = exec {
>>>              priv-lvl = 15
>>> #           optional shell:roles = "admin network-admin"
>>>              optional shell:roles = "network-admin"
>>>              optional shell:roles = "admin"
>>>              }
>>>         service = AMP {
>>>             role = "tacacs"
>>>         }
>>>         service = gigamon {
>>>         }
>>>
>>> }
>>>
>>> The problem is the Nexus equipment uses the network-admin role while the
>>> Firepower chassis manager uses the admin role.  While I can probably create
>>> one role on the other box, I was wondering if there was an easier way to
>>> resolve this issue.  As you see, I have tried a space-separated list as well
>>> as individual statements.
>>>
>>> For further reference here is the documentation on the firepower tacacs
>>> config:
>>>
>>> http://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos201/web-config/b_GUI_ConfigGuide_FXOS_201/user_management.html#concept_2770BFB3259042F5A4420595A0A6946C
>>>
>>>
>>>
>>>
>>> --
>>> Munroe Sollog
>>> Senior Network Engineer
>>> munroe at lehigh.edu
>>> -------------- next part --------------
>>> An HTML attachment was scrubbed...
>>> URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20170515/6acdab2b/attachment.html>
>>> _______________________________________________
>>> tac_plus mailing list
>>> tac_plus at shrubbery.net
>>> http://www.shrubbery.net/mailman/listinfo/tac_plus
>>>
>>
>>
>>
>> E-Mail to and from me, in connection with the transaction
>> of public business, is subject to the Wyoming Public Records
>> Act and may be disclosed to third parties.
>>
>
>
>
> --
> Munroe Sollog
> Senior Network Engineer
> munroe at lehigh.edu
>

-- 

E-Mail to and from me, in connection with the transaction 
of public business, is subject to the Wyoming Public Records 
Act and may be disclosed to third parties.
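A worked illustration of the arrangement Daniel describes above (two groups selected by device IP, each carrying its own av_pairs, both assigned to the one user), added here as an example; it is not code from this thread and it is not do_auth.py itself. The INI keys `device_permit` and `av_pairs`, the `[users]` section, the user name and the 10.1.0.x / 10.2.0.x addresses are constructed assumptions modelled on do_auth's style, and the exit-code mapping in `main()` (1 = deny, 2 = replace the AV pairs with what is printed on stdout) is my reading of the tac_plus after-authorization convention and should be checked against the tac_plus user guide before use.

```python
"""Per-device AV pairs chosen by device IP, in the spirit of do_auth.py.

Constructed illustration for this thread; not do_auth.py. The INI keys
(device_permit, av_pairs) and the [users] section are assumptions modelled
on do_auth's style, and the sample user and addresses are made up.
"""
import configparser
import re
import sys
from typing import List, Optional

# Constructed sample policy: one user who is a member of two groups. Which
# group's av_pairs are sent is decided by the device address, because the
# script cannot tell a Nexus from an FXOS chassis by operating system.
SAMPLE_POLICY = """\
[users]
msollog = nexus_admins fxos_admins

[nexus_admins]
device_permit = ^10\\.1\\.0\\.
av_pairs = priv-lvl=15, shell:roles=network-admin

[fxos_admins]
device_permit = ^10\\.2\\.0\\.
av_pairs = priv-lvl=15, shell:roles=admin
"""


def load_policy(text: str) -> configparser.ConfigParser:
    """Parse the INI text. Interpolation is off so a '%' in a value is literal."""
    policy = configparser.ConfigParser(interpolation=None)
    policy.optionxform = str  # keep user names case-sensitive
    policy.read_string(text)
    return policy


def select_av_pairs(policy: configparser.ConfigParser, user: str,
                    device_ip: str) -> Optional[List[str]]:
    """Return the AV pairs to send for user on device_ip, or None to deny.

    The user's groups are tried in the listed order; the first group whose
    device_permit regex matches the device address wins. A device that matches
    no group is denied rather than falling through to a default role.
    """
    if not policy.has_option("users", user):
        return None
    for group in policy.get("users", user).split():
        if not policy.has_section(group):
            continue
        pattern = policy.get(group, "device_permit", fallback="")
        if pattern and re.search(pattern, device_ip):
            raw = policy.get(group, "av_pairs", fallback="")
            return [pair.strip() for pair in raw.split(",") if pair.strip()]
    return None


def main(argv: List[str]) -> int:
    """CLI shape: script.py <user> <device_ip> <policy.ini>.

    Exit codes follow the tac_plus after-authorization convention as I
    understand it (assumption; check the tac_plus user guide): 1 denies,
    2 tells tac_plus to replace the config's AV pairs with the lines printed
    on stdout. The original pairs arrive on stdin and are ignored here.
    """
    if len(argv) != 4:
        sys.stderr.write("usage: %s user device_ip policy.ini\n" % argv[0])
        return 1
    _, user, device_ip, path = argv
    sys.stdin.read()  # consume the AV pairs tac_plus hands us
    with open(path) as fh:
        policy = load_policy(fh.read())
    pairs = select_av_pairs(policy, user, device_ip)
    if pairs is None:
        return 1
    sys.stdout.write("\n".join(pairs) + "\n")
    return 2


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The point of the structure is the one made in the thread: the filter keys on the device address, not on what the device claims to be, so the Nexus group and the FXOS group can each send the single `shell:roles` value its platform expects, and a device address that matches neither group is denied instead of inheriting a role meant for another platform.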