[tac_plus] Cisco DCNM tacacs roles

Munroe Sollog mus3 at lehigh.edu
Tue Jun 22 17:59:55 UTC 2021


According to the Cisco documentation, DCNM expects the role of
'network-admin' to be supplied to grant a user administrator privileges.  I
was able to provide that role using this config:

        service = exec {
            priv-lvl = 15
            cisco-av-pair:shell:roles = "network-admin"
            #optional shell:roles = "network-admin"
        }

However, this causes my switches to balk.  I'm trying to convert that to an
"optional" parameter, as you can see in the commented line.  However, I am
not having any success.  I have been trying to confirm that DCNM is
actually requesting the role attribute, but none of my debug commands or
packet captures seem to make that clear.  Here is some debug output of both
the authentication and authorization phases.  Any help would be
appreciated.  Thanks.

root at rover:/etc/tacacs+# /usr/sbin/tac_plus -C /etc/tacacs+/tac_plus.conf -g -d24
Reading config
Version F4.0.4.27a Initialized 1
tac_plus server F4.0.4.27a starting
socket FD 4 AF 2
uid=0 euid=0 gid=0 egid=0 s=-178230864
connect from 192.168.1.248 [192.168.1.248]
192.168.1.248 : fd 5 eof (connection closed)
Read -1 bytes from 192.168.1.248 , expecting 12
connect from 192.168.1.248 [192.168.1.248]
login query for 'mus3' port 49 from 192.168.1.248 accepted
connect from 192.168.1.248 [192.168.1.248]
Start authorization request
do_author: user='mus3'
user 'mus3' found
mus3 may run an unlimited number of sessions
exec authorization request for mus3
exec is explicitly permitted by line 226
nas:service=shell (passed thru)
nas:protocol=ip (passed thru)
nas:cmd= (passed thru)
nas:cisco-av-pair*  svr:absent/deny -> delete cisco-av-pair*  (i)
nas:shell:roles*  svr:shell:roles*network-admin -> replace with shell:roles*network-admin (h)
nas:absent, server:priv-lvl=15 -> add priv-lvl=15 (k)
replaced 2 args
authorization query for 'mus3' 49 from 192.168.1.248 accepted


-- 
Munroe Sollog (He/Him/His)
Senior Network Engineer
munroe at lehigh.edu
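As an added illustration that is not part of the message above, this models the client-side rule in RFC 8907 section 6.1 that the debug output's `=` and `*` separators encode: a mandatory argument (`name=value`) the device does not understand must fail the authorization, while an unknown optional argument (`name*value`) may be ignored. The reply lists and the sets of understood argument names are constructed for the example, not taken from any device's actual behaviour.

```python
"""Evaluate a TACACS+ authorization reply the way RFC 8907 section 6.1
requires the client (the network device) to: each argument is
"name=value" (mandatory) or "name*value" (optional), and the first
'=' or '*' is the separator because names may contain neither."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Arg:
    name: str
    value: str
    mandatory: bool


def parse_arg(raw: str) -> Arg:
    """Split one argument at its first '=' or '*' separator."""
    cut = min((i for i, ch in enumerate(raw) if ch in "=*"), default=None)
    if cut is None:
        raise ValueError(f"no separator in argument {raw!r}")
    return Arg(raw[:cut], raw[cut + 1:], mandatory=(raw[cut] == "="))


def apply_reply(reply: list[str], understood: set[str]) -> tuple[bool, dict]:
    """Return (authorized, effective attributes) for a client that only
    knows the argument names listed in `understood`."""
    effective = {}
    for a in map(parse_arg, reply):
        if a.name in understood:
            effective[a.name] = a.value
        elif a.mandatory:
            return False, {}  # unknown mandatory argument: authorization MUST fail
        # unknown optional argument: silently dropped
    return True, effective


# Constructed inputs modelled on the attribute names in the debug output.
REPLY_MANDATORY = ["priv-lvl=15", "shell:roles=network-admin"]
REPLY_OPTIONAL = ["priv-lvl=15", "shell:roles*network-admin"]
ROLE_AWARE = {"priv-lvl", "shell:roles"}  # hypothetical device that consumes roles
PRIV_ONLY = {"priv-lvl"}                  # hypothetical device that knows only priv-lvl

if __name__ == "__main__":
    for label, reply in (("mandatory", REPLY_MANDATORY), ("optional", REPLY_OPTIONAL)):
        for dev, known in (("role-aware", ROLE_AWARE), ("priv-only", PRIV_ONLY)):
            print(label, dev, apply_reply(reply, known))
```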