[tac_plus] Authorization problems
Pontus Zoladz
Pontus.Zoladz at bahnhof.net
Fri Jan 26 10:15:01 UTC 2018
Hi!
I have set up a tac_plus server to authorize certain users to run show commands on a Cisco ASA running 9.9.
My configuration looks like the following:
    group = read-only {
        default service = permit
        service = exec {
            priv-lvl = 15
        }
    }

    user = bob {
        login = des $1$VF$kBGTjygux4xckHjGUSSwd1
        service = shell { priv-lvl=5 }
        cmd = show { permit .* }
        member = read-only
    }
However, in the logs, I can see this:
Fri Jan 26 11:09:08 2018 [31706]: Start authorization request
Fri Jan 26 11:09:08 2018 [31706]: do_author: user='enable_15'
Fri Jan 26 11:09:08 2018 [31706]: user 'enable_15' found
Fri Jan 26 11:09:08 2018 [31706]: authorize_cmd: user=enable_15, cmd=show
Fri Jan 26 11:09:08 2018 [31706]: cmd show does not exist, denied by default
Why is this?
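As an added example, not part of the original post or of tac_plus itself: a small Python check that parses authorization log lines of the kind quoted above and compares the username in each denied "authorize_cmd" request against the user blocks that the posted configuration actually defines a "cmd" entry for. Run on the excerpt above, it reports what the log already makes visible: the request arrives under the name enable_15, while the only user block carrying a "cmd = show" entry is bob. The log and config samples are embedded verbatim from the post; the parsing is deliberately minimal (one user block per "user = X {" line, brace depth tracked to find its end) and is an assumption about the config layout, not a full tac_plus grammar.

```python
import re

# Constructed sample: the authorization log excerpt quoted in the post above.
LOG_LINES = """\
Fri Jan 26 11:09:08 2018 [31706]: Start authorization request
Fri Jan 26 11:09:08 2018 [31706]: do_author: user='enable_15'
Fri Jan 26 11:09:08 2018 [31706]: user 'enable_15' found
Fri Jan 26 11:09:08 2018 [31706]: authorize_cmd: user=enable_15, cmd=show
Fri Jan 26 11:09:08 2018 [31706]: cmd show does not exist, denied by default
"""

# Constructed sample: the tac_plus configuration quoted in the post above.
CONFIG_TEXT = """\
group = read-only {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}
user = bob {
    login = des $1$VF$kBGTjygux4xckHjGUSSwd1
    service = shell { priv-lvl=5 }
    cmd = show { permit .* }
    member = read-only
}
"""

AUTHZ_RE = re.compile(r"authorize_cmd: user=(?P<user>\S+), cmd=(?P<cmd>\S+)")
DENY_RE = re.compile(r"cmd (?P<cmd>\S+) does not exist, denied by default")
USER_RE = re.compile(r"user\s*=\s*(\S+)\s*\{")
CMD_RE = re.compile(r"cmd\s*=\s*(\S+)\s*\{")


def parse_config_cmds(text):
    """Return {user: set(cmd names)} for every top-level 'user = X { ... }' block.

    Brace depth is tracked so that nested 'service = ... { }' and 'cmd = ... { }'
    blocks do not end the enclosing user block early. Group blocks are skipped
    because the log names the user, not the group."""
    cmds = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        m = USER_RE.match(line)
        if m and depth == 0:
            current = m.group(1)
            cmds.setdefault(current, set())
        elif current is not None:
            m = CMD_RE.match(line)
            if m:
                cmds[current].add(m.group(1))
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None
    return cmds


def denied_requests(log_text):
    """Pair each 'authorize_cmd' request with the 'denied by default' line that follows it."""
    denied = []
    pending = None
    for line in log_text.splitlines():
        m = AUTHZ_RE.search(line)
        if m:
            pending = (m.group("user"), m.group("cmd"))
            continue
        m = DENY_RE.search(line)
        if m and pending and pending[1] == m.group("cmd"):
            denied.append(pending)
            pending = None
    return denied


def explain_denials(log_text, config_text):
    """For each denied command, state whether the requesting username has a user
    block at all, and whether that block carries a cmd entry for the command."""
    cmds = parse_config_cmds(config_text)
    findings = []
    for user, cmd in denied_requests(log_text):
        if user not in cmds:
            findings.append((user, cmd, "no user block with that name in config"))
        elif cmd not in cmds[user]:
            findings.append((user, cmd, "user block has no cmd entry for this command"))
        else:
            findings.append((user, cmd, "cmd entry exists; check its permit/deny patterns"))
    return findings


if __name__ == "__main__":
    for user, cmd, reason in explain_denials(LOG_LINES, CONFIG_TEXT):
        print(f"{user}: '{cmd}' denied -> {reason}")
```

The useful output is the mismatch between the username the device sends in the authorization request and the username the policy was written for; whichever way that is resolved on the device or in tac_plus, the check makes the gap visible before any rule is changed.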