[tac_plus] DCNM tacacs roles

heasley heas at shrubbery.net
Tue Jun 22 19:23:27 UTC 2021


Tue, Jun 22, 2021 at 01:01:37PM -0400, Munroe Sollog:
> According to the Cisco documentation, DCNM expects the role of
> 'network-admin' to be supplied to grant a user administrator privileges.  I
> was able to provide that role using this config:
> 
>         service = exec {
>             priv-lvl = 15
>             cisco-av-pair:shell:roles= "network-admin"
>             #optional shell:roles = "network-admin"
>         }
> 
> However, this causes my switches to balk.  I'm trying to convert that to an
> "optional" parameter as you can see in the commented line.  However I am
> not having any success.  I have been trying to confirm that DCNM is
> actually requesting the role attribute, but none of my debug commands or
> packet captures seem to make that clear.  Here is some debug output of both
> the authentication and authorization phase.  Any help would be
> appreciated.  Thanks.

There is no "request" of the attribute.  The attribute is passed with
an authorization reply.

I suspect that you have some other configuration error.

> root at rover:/etc/tacacs+# /usr/sbin/tac_plus -C /etc/tacacs+/tac_plus.conf -g -d24
> Reading config
> Version F4.0.4.27a Initialized 1
> tac_plus server F4.0.4.27a starting
> socket FD 4 AF 2
> uid=0 euid=0 gid=0 egid=0 s=-178230864
> connect from 192.168.1.248 [192.168.1.248]
> 192.168.1.248 : fd 5 eof (connection closed)
> Read -1 bytes from 192.168.1.248 , expecting 12
> connect from 192.168.1.248 [192.168.1.248]
> login query for 'mus3' port 49 from 192.168.1.248 accepted
> connect from 192.168.1.248 [192.168.1.248]
> Start authorization request
> do_author: user='mus3'
> user 'mus3' found
> mus3 may run an unlimited number of sessions
> exec authorization request for mus3
> exec is explicitly permitted by line 226
> nas:service=shell (passed thru)
> nas:protocol=ip (passed thru)
> nas:cmd= (passed thru)
> nas:cisco-av-pair*  svr:absent/deny -> delete cisco-av-pair*  (i)
> nas:shell:roles*  svr:shell:roles*network-admin -> replace with shell:roles*network-admin (h)
> nas:absent, server:priv-lvl=15 -> add priv-lvl=15 (k)
> replaced 2 args
> authorization query for 'mus3' 49 from 192.168.1.248 accepted
> 
> 
> 
> -- 
> Munroe Sollog (He/Him/His)
> Senior Network Engineer
> munroe at lehigh.edu

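Added example, not from the thread or from tac_plus itself: a small Python parser over the `do_author` debug lines quoted above that reconstructs the attribute set the server actually returns in its authorization reply (the confirmation the question asks for) and flags each attribute as mandatory (`=`) or optional (`*`). It assumes the debug line layout of the tac_plus build shown above; the sample input is constructed from those lines.

```python
import re

# Constructed sample: the do_author lines quoted above, with the one line
# the mail client wrapped joined back together.
DEBUG_LINES = """\
nas:service=shell (passed thru)
nas:protocol=ip (passed thru)
nas:cmd= (passed thru)
nas:cisco-av-pair*  svr:absent/deny -> delete cisco-av-pair*  (i)
nas:shell:roles*  svr:shell:roles*network-admin -> replace with shell:roles*network-admin (h)
nas:absent, server:priv-lvl=15 -> add priv-lvl=15 (k)
replaced 2 args
"""

# TACACS+ AV pair: '=' separator means mandatory, '*' means optional.
AV_RE = re.compile(r'^([^=*]+)([=*])(.*)$')


def split_av(av):
    """Split 'attr=value' / 'attr*value' into (attr, mandatory, value)."""
    m = AV_RE.match(av.strip())
    if not m:
        raise ValueError(f"not an AV pair: {av!r}")
    attr, sep, value = m.groups()
    return attr, sep == '=', value


def reply_attributes(debug_text):
    """Reconstruct the AV pairs the server returns in its authorization reply.
    '(passed thru)' lines are NAS attributes echoed unchanged; '->' lines show
    the server's decision: 'replace with' and 'add' contribute an attribute,
    'delete' drops the NAS attribute so nothing is returned for it.
    """
    reply = []
    for line in debug_text.splitlines():
        line = line.strip()
        if line.endswith('(passed thru)'):
            reply.append(split_av(line[len('nas:'):-len('(passed thru)')]))
        elif ' -> ' in line:
            # drop the trailing case tag such as ' (h)' before reading the verb
            action = line.split(' -> ', 1)[1].rsplit('(', 1)[0].strip()
            for verb in ('replace with ', 'add '):
                if action.startswith(verb):
                    reply.append(split_av(action[len(verb):]))
    return reply


def format_reply(debug_text):
    """Render the reply as the NAS will see it, '*' marking optional attributes."""
    return [f"{a}{'=' if m else '*'}{v}" for a, m, v in reply_attributes(debug_text)]
```

Feed it the `-d24` output after rejoining any lines the mailer wrapped; on the sample above it shows that `shell:roles*network-admin` goes back as an optional attribute while `priv-lvl=15` is mandatory and `cisco-av-pair` is not returned at all.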