[tac_plus] Need your help

Daniel Schmidt daniel.schmidt at wyo.gov
Mon Mar 19 21:15:07 UTC 2018


But not authorization.  Look under "Role-Based Access Control"

On Mon, Mar 19, 2018 at 9:33 AM, 83358066 <83358066 at qq.com> wrote:

> Hi Daniel
>
>    Thanks for the quick update. Please excuse me for taking the
> liberty of writing to you. I checked the Brocade FOS administrator guide and
> can confirm that from FOS 7.1.x Brocade FOS began to support
> TACACS+. Through the result of testing in the lab I found it works well.
>
> During the test, I configured the file "tac_plus.conf" and tried to
> forbid some commands ("reboot" for example) to run for users in
> an explicit group, but it has no effect. So I'm taking the liberty of
> writing to you and intend to know if you have some experience on this hand,
> or would you kindly help to provide some advice.
>
>
>
> Best regards
>
> ----------------- Original ------------------
> *From: * "Daniel Schmidt";<daniel.schmidt at wyo.gov>;
> *Send time:* Monday, Mar 19, 2018 10:49 PM
> *To:* "83358066"<83358066 at qq.com>;
> *Cc:* "tac_plus"<tac_plus at shrubbery.net>;
> *Subject: * Re: [tac_plus] Need your help
>
> Are Brocade FOS switches capable of authorization?
>
> On Fri, Mar 16, 2018 at 11:42 PM, 83358066 <83358066 at qq.com> wrote:
>
>> Hi Dear Shrubbery
>>
>>       Thank you very much for your contributions to the excellent TACACS
>> plus tools. Currently we plan to test TACACS plus to manage Brocade
>> SAN switches. Most of the functions are working well and are very powerful, but
>> on one point we still have an issue. Would you kindly help to provide
>> some advice? Thanks in advance.
>>
>>
>>  The question we have is that we defined the groups and users; for
>> example, I want to forbid the users in the group usergroup from running
>> the explicit command "reboot". As we know, the Brocade FOS command mode
>> is not the same as Cisco's. We found the setting was not in effect and the
>> command "reboot" can still be run after the user is authorized by the
>> tac_plus server daemon. So would you kindly let me know how I can
>> configure it so that an explicit command like "reboot" is forbidden from
>> being executed and the setting takes effect? Thanks for your support!
>>
>>
>>  Our setting for the tac_plus config is as follows:
>>
>> group = usergroup {
>>          default service = permit
>>          login = file /etc/passwd
>>          enable = file /etc/passwd
>>          cmd = reboot {
>>                  deny .*
>>          }
>> }
>>
>>
>>  user = stuser {
>>          member = usergroup
>>          login = file /etc/passwd
>>          service = exec {
>>                  brcd-role = Admin
>>                  brcd-AV-Pair1 = "homeLF=128;LFRoleList=1-128"
>>                  brcd-AV-Pair2 = "chassisRole=switchadmin"
>>          }
>>  }
>
>
>
> E-Mail to and from me, in connection with the transaction
> of public business, is subject to the Wyoming Public Records
> Act and may be disclosed to third parties.
>

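An added example, not part of the original thread or of the tac_plus project: following the reply's point that FOS does TACACS+ authentication but not authorization, this Python check reads a tac_plus.conf and lists users who are handed a `brcd-role` attribute while the only restriction on them is a `cmd` rule, which such a device never asks the daemon to evaluate. The sample configuration, the user `netop` and the function names are constructed for illustration, and the parser assumes one statement per line.

```python
import re

# Constructed sample modelled on the configuration quoted in the thread.
SAMPLE_CONF = """
group = usergroup {
    cmd = reboot {
        deny .*
    }
}
user = stuser {
    member = usergroup
    service = exec {
        brcd-role = Admin
    }
}
user = netop {   # hypothetical user without a Brocade role attribute
    member = usergroup
}
"""

def parse_blocks(text):
    """Map (kind, name) -> {'cmds': [...], 'member': ..., 'brcd-role': ...}."""
    blocks, depth, cur = {}, 0, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        if not line:
            continue
        top = re.match(r"(user|group)\s*=\s*(\S+)\s*\{$", line)
        cmd = re.match(r"cmd\s*=\s*(\S+)\s*\{$", line)
        attr = re.match(r"(member|brcd-role)\s*=\s*(\S+)$", line)
        if depth == 0 and top:
            cur = blocks.setdefault(top.groups(), {"cmds": []})
        elif depth == 1 and cmd:                     # cmd rule directly in a user/group
            cur["cmds"].append(cmd.group(1))
        elif attr and cur is not None:
            cur[attr.group(1)] = attr.group(2)
        depth += line.count("{") - line.count("}")   # track brace nesting
    return blocks

def unenforced_cmd_rules(text):
    """Users who carry a brcd-role and are restricted only by cmd rules."""
    blocks, findings = parse_blocks(text), []
    for (kind, name), blk in blocks.items():
        if kind != "user" or "brcd-role" not in blk:
            continue
        group = blocks.get(("group", blk.get("member")), {"cmds": []})
        cmds = sorted(set(blk["cmds"]) | set(group["cmds"]))
        if cmds:                                     # role decides access, not these rules
            findings.append((name, blk["brcd-role"], cmds))
    return findings
```

Each finding is a tuple of user, assigned role and the commands whose `cmd` rules will not be consulted; for those users the restriction has to come from the role assigned on the switch side.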