[tac_plus] Need your help

83358066 83358066 at qq.com
Sat Mar 17 05:42:05 UTC 2018


Hi Dear Shrubbery,

Thank you very much for your contributions to the excellent TACACS plus tools. Currently we plan to test TACACS plus to manage a Brocade SAN switch. Most of the functions are working well and are very powerful, but on one point we still have an issue. Would you kindly help by providing some advice? Thanks in advance.


The question we have is this: we defined the groups and users and, for example, I want to forbid users in the group usergroup from running the explicit command "reboot". As we know, the Brocade FOS command mode is not the same as Cisco's. We found the setting was not in effect, and the command "reboot" can still be run after the user is authorized by the tac_plus server daemon. So would you kindly let me know how I can configure it so that an explicit command like "reboot" is forbidden from being executed and the setting takes effect? Thanks for your support!


Our settings for the tac_plus config are as follows:

group = usergroup {
        default service = permit
        login = file /etc/passwd
        enable = file /etc/passwd
        # deny the reboot command with any arguments
        cmd = reboot {
                deny .*
        }
}

user = stuser {
        member = usergroup
        login = file /etc/passwd
        # attributes returned to the switch for the exec service
        service = exec {
                brcd-role = Admin
                brcd-AV-Pair1 = "homeLF=128;LFRoleList=1-128"
                brcd-AV-Pair2 = "chassisRole=switchadmin"
        }
}