[tac_plus] DCNM tacacs roles
heasley
heas at shrubbery.net
Tue Jun 22 19:23:27 UTC 2021
Tue, Jun 22, 2021 at 01:01:37PM -0400, Munroe Sollog:
> According to the Cisco documentation, DCNM expects the role of
> 'network-admin' to be supplied to grant a user administrator privileges. I
> was able to provide that role using this config:
>
> service = exec {
>     priv-lvl = 15
>     cisco-av-pair:shell:roles= "network-admin"
>     #optional shell:roles = "network-admin"
> }
>
> However, this causes my switches to balk. I'm trying to convert that to an
> "optional" parameter as you can see in the commented line. However I am
> not having any success. I have been trying to confirm that DCNM is
> actually requesting the role attribute, but none of my debug commands or
> packet captures seem to make that clear. Here is some debug output of both
> the authentication and authorization phase. Any help would be
> appreciated. Thanks.
There is no "request" of the attribute. The attribute is passed with
an authorization reply.
I suspect that you have some other configuration error.
> root at rover:/etc/tacacs+# /usr/sbin/tac_plus -C /etc/tacacs+/tac_plus.conf -g -d24
> Reading config
> Version F4.0.4.27a Initialized 1
> tac_plus server F4.0.4.27a starting
> socket FD 4 AF 2
> uid=0 euid=0 gid=0 egid=0 s=-178230864
> connect from 192.168.1.248 [192.168.1.248]
> 192.168.1.248 : fd 5 eof (connection closed)
> Read -1 bytes from 192.168.1.248 , expecting 12
> connect from 192.168.1.248 [192.168.1.248]
> login query for 'mus3' port 49 from 192.168.1.248 accepted
> connect from 192.168.1.248 [192.168.1.248]
> Start authorization request
> do_author: user='mus3'
> user 'mus3' found
> mus3 may run an unlimited number of sessions
> exec authorization request for mus3
> exec is explicitly permitted by line 226
> nas:service=shell (passed thru)
> nas:protocol=ip (passed thru)
> nas:cmd= (passed thru)
> nas:cisco-av-pair* svr:absent/deny -> delete cisco-av-pair* (i)
> nas:shell:roles* svr:shell:roles*network-admin -> replace with shell:roles*network-admin (h)
> nas:absent, server:priv-lvl=15 -> add priv-lvl=15 (k)
> replaced 2 args
> authorization query for 'mus3' 49 from 192.168.1.248 accepted
>
> --
> Munroe Sollog (He/Him/His)
> Senior Network Engineer
> munroe at lehigh.edu
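The "(passed thru)", "delete (i)", "replace with ... (h)" and "add (k)" lines in the debug output above are tac_plus merging the argument list the NAS sent with the arguments configured on the server for that service; the reply carries the merged list, which is why no separate "request" of shell:roles ever shows up in a capture. The following is an added Python example (not tac_plus code, not from anyone in this thread) that reproduces that merge on the exact NAS and server argument lists visible in the debug output. The three cases the log shows are taken from the log; the remaining cases (mandatory NAS argument conflicting with a mandatory server argument is denied, an optional server argument replaces a mandatory NAS argument) follow my reading of RFC 8907 section 6 and are assumptions, so check them against tac_plus's do_author.c before relying on them. The letters in the log strings are tac_plus's own case labels, copied only for the three cases the debug output shows.

```python
# Added example: TACACS+ authorization argument merge as seen in the
# tac_plus debug output in this thread. Not tac_plus's own code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Arg:
    name: str
    value: str
    mandatory: bool  # "=" separator means mandatory, "*" means optional

    @classmethod
    def parse(cls, text: str) -> "Arg":
        # The first "=" or "*" separates attribute from value (RFC 8907 s.3.7),
        # so "shell:roles*network-admin" parses as name "shell:roles".
        for i, ch in enumerate(text):
            if ch in "=*":
                return cls(text[:i], text[i + 1:], ch == "=")
        raise ValueError(f"not an attribute-value pair: {text!r}")

    def __str__(self) -> str:
        return f"{self.name}{'=' if self.mandatory else '*'}{self.value}"


class AuthorizationDenied(Exception):
    """Raised for the mandatory/mandatory value conflict (assumed rule)."""


def merge_authorization(nas_args, server_args):
    """Return (reply_args, log_lines) for one exec authorization.

    nas_args: strings exactly as the NAS sent them, e.g. "shell:roles*".
    server_args: strings as configured for the service, e.g. "priv-lvl=15".
    """
    nas = [Arg.parse(a) for a in nas_args]
    server = {}
    for text in server_args:
        arg = Arg.parse(text)
        server[arg.name] = arg

    reply, log, seen = [], [], set()
    for n in nas:
        seen.add(n.name)
        s = server.get(n.name)
        if n.mandatory:
            if s is None or s == n:
                # Shown in the log: "nas:service=shell (passed thru)"
                reply.append(n)
                log.append(f"nas:{n} (passed thru)")
            elif s.mandatory:
                # Assumed rule: two mandatory values that disagree -> deny.
                raise AuthorizationDenied(f"nas:{n} svr:{s} -> deny")
            else:
                # Assumed rule: server's optional value wins over NAS mandatory.
                reply.append(s)
                log.append(f"nas:{n} svr:{s} -> replace with {s}")
        else:
            if s is None:
                # Shown in the log as case (i): optional on NAS, absent on server.
                log.append(f"nas:{n} svr:absent -> delete {n} (i)")
            else:
                # Shown in the log as case (h): server's value replaces NAS's.
                reply.append(s)
                log.append(f"nas:{n} svr:{s} -> replace with {s} (h)")
    for name, s in server.items():
        if name not in seen:
            # Shown in the log as case (k): configured on server, not sent by NAS.
            reply.append(s)
            log.append(f"nas:absent, server:{s} -> add {s} (k)")
    return [str(a) for a in reply], log


# Constructed from the debug lines in this thread: what the NAS sent and what
# the server had configured for service = exec at that moment.
NAS_ARGS = ["service=shell", "protocol=ip", "cmd=", "cisco-av-pair*", "shell:roles*"]
SERVER_ARGS = ["shell:roles*network-admin", "priv-lvl=15"]

if __name__ == "__main__":
    reply, log = merge_authorization(NAS_ARGS, SERVER_ARGS)
    for line in log:
        print(line)
    print("reply:", " ".join(reply))
```

Running it prints the same four merge decisions as the debug output and a reply of service=shell protocol=ip cmd= shell:roles*network-admin priv-lvl=15. Swapping the server list for the mandatory form from the question ("shell:roles=network-admin") produces a reply in which shell:roles comes back as a mandatory argument instead of an optional one, which is the difference the two config variants make on the wire.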