[tac_plus] DCNM tacacs roles

Munroe Sollog mus3 at lehigh.edu
Tue Jun 22 19:26:20 UTC 2021


I thought optional pairs are only sent to the device if they are requested.

On Tue, Jun 22, 2021 at 3:23 PM heasley <heas at shrubbery.net> wrote:

> Tue, Jun 22, 2021 at 01:01:37PM -0400, Munroe Sollog:
> > According to the Cisco documentation, DCNM expects the role of
> > 'network-admin' to be supplied to grant a user administrator
> > privileges.  I was able to provide that role using this config:
> >
> >     service = exec {
> >         priv-lvl = 15
> >         cisco-av-pair:shell:roles= "network-admin"
> >         #optional shell:roles = "network-admin"
> >     }
> >
> > However, this causes my switches to balk.  I'm trying to convert that to
> > an "optional" parameter as you can see in the commented line.  However, I am
> > not having any success.  I have been trying to confirm that DCNM is
> > actually requesting the role attribute, but none of my debug commands or
> > packet captures seem to make that clear.  Here is some debug output of
> > both the authentication and authorization phases.  Any help would be
> > appreciated.  Thanks.
>
> There is no "request" of the attribute.  The attribute is passed with
> an authorization reply.
>
> I suspect that you have some other configuration error.
>
> > root at rover:/etc/tacacs+# /usr/sbin/tac_plus -C /etc/tacacs+/tac_plus.conf -g -d24
> > Reading config
> > Version F4.0.4.27a Initialized 1
> > tac_plus server F4.0.4.27a starting
> > socket FD 4 AF 2
> > uid=0 euid=0 gid=0 egid=0 s=-178230864
> > connect from 192.168.1.248 [192.168.1.248]
> > 192.168.1.248 : fd 5 eof (connection closed)
> > Read -1 bytes from 192.168.1.248 , expecting 12
> > connect from 192.168.1.248 [192.168.1.248]
> > login query for 'mus3' port 49 from 192.168.1.248 accepted
> > connect from 192.168.1.248 [192.168.1.248]
> > Start authorization request
> > do_author: user='mus3'
> > user 'mus3' found
> > mus3 may run an unlimited number of sessions
> > exec authorization request for mus3
> > exec is explicitly permitted by line 226
> > nas:service=shell (passed thru)
> > nas:protocol=ip (passed thru)
> > nas:cmd= (passed thru)
> > nas:cisco-av-pair*  svr:absent/deny -> delete cisco-av-pair*  (i)
> > nas:shell:roles*  svr:shell:roles*network-admin -> replace with shell:roles*network-admin (h)
> > nas:absent, server:priv-lvl=15 -> add priv-lvl=15 (k)
> > replaced 2 args
> > authorization query for 'mus3' 49 from 192.168.1.248 accepted
> >
> >
> >
> > --
> > Munroe Sollog (He/Him/His)
> > Senior Network Engineer
> > munroe at lehigh.edu
> > -------------- next part --------------
> > An HTML attachment was scrubbed...
> > URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20210622/4be317c5/attachment.htm>
> > _______________________________________________
> > tac_plus mailing list
> > tac_plus at www.shrubbery.net
> > https://www.shrubbery.net/mailman/listinfo/tac_plus
>
-- 
Munroe Sollog (He/Him/His)
Senior Network Engineer
munroe at lehigh.edu
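The exchange the thread is arguing about, as an added example that is not part of the original posts and not code from tac_plus, Cisco or DCNM: how an authorization argument is marked mandatory ('=') or optional ('*'), how the server's REPLY body carries those arguments back (RFC 8907 section 6.2), and a server-side merge of the pairs the switch sent with the pairs the server has configured. The merge, the `default_permit` flag and the names `Arg`, `merge`, `encode_reply`, `decode_reply` and `demo` are assumptions made for this example; the `(h)`, `(i)` and `(k)` tags are only kept so the trace can be compared with the tac_plus debug output quoted above, and the complete rule table is the one in tac_plus's do_author.c, which this does not reproduce.

```python
"""
TACACS+ authorization arguments: '=' (mandatory) vs '*' (optional), the
authorization REPLY body from RFC 8907 section 6.2, and a server-side merge
of what the switch sent with what the server has configured.

Added example for this page; not code from tac_plus, Cisco or DCNM. The
merge is a simplification: the (h)/(i)/(k) tags are the ones tac_plus prints
in the debug output above and are kept only so the trace can be compared
with it. The full rule table lives in tac_plus's do_author.c.
"""
import struct
from dataclasses import dataclass

# Authorization REPLY status codes, RFC 8907 section 6.2.
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01   # NAS args honoured; reply args are added
TAC_PLUS_AUTHOR_STATUS_PASS_REPL = 0x02  # NAS args replaced by the reply args
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10


@dataclass(frozen=True)
class Arg:
    name: str
    value: str
    mandatory: bool  # True for 'name=value', False for 'name*value'

    @classmethod
    def parse(cls, text: str) -> "Arg":
        # The first '=' or '*' is the separator; the value may be empty
        # ("cmd=", "cisco-av-pair*" above) and may itself contain '=' or '*'.
        for i, ch in enumerate(text):
            if ch in "=*":
                return cls(text[:i], text[i + 1:], ch == "=")
        raise ValueError(f"no separator in argument {text!r}")

    def __str__(self) -> str:
        return f"{self.name}{'=' if self.mandatory else '*'}{self.value}"


def merge(nas_args, server_args, default_permit=True):
    """Merge NAS args with configured args; return (status, args, trace).

    default_permit (an assumption of this example) models a server that passes
    through a mandatory NAS argument it has no entry for, which is what the log
    above shows for service=, protocol= and cmd=; with False such an argument
    denies the request.  If nothing was altered the reply is PASS_ADD with no
    arguments, otherwise PASS_REPL with the full merged list.
    """
    configured = {a.name: a for a in server_args}
    out, trace, changed = [], [], 0
    for n in nas_args:
        s = configured.get(n.name)
        if n.mandatory:
            if s is None and not default_permit:
                return TAC_PLUS_AUTHOR_STATUS_FAIL, [], trace + [f"nas:{n} svr:absent -> deny"]
            if s is not None and s.mandatory and s.value != n.value:
                return TAC_PLUS_AUTHOR_STATUS_FAIL, [], trace + [f"nas:{n} svr:{s} -> deny"]
            out.append(n)                      # absent here, same value, or optional here
            trace.append(f"nas:{n} (passed thru)")
        elif s is None:
            changed += 1                       # optional and unknown here: dropped
            trace.append(f"nas:{n}  svr:absent/deny -> delete {n}  (i)")
        else:
            out.append(s)                      # optional: the configured pair wins
            changed += 1
            trace.append(f"nas:{n}  svr:{s} -> replace with {s} (h)")
    sent = {a.name for a in nas_args}
    for s in server_args:
        if s.mandatory and s.name not in sent:
            out.append(s)                      # mandatory on the server side: added
            changed += 1
            trace.append(f"nas:absent, server:{s} -> add {s} (k)")
    if not changed:
        return TAC_PLUS_AUTHOR_STATUS_PASS_ADD, [], trace
    return TAC_PLUS_AUTHOR_STATUS_PASS_REPL, out, trace


def encode_reply(status, args, server_msg=b"", data=b""):
    """Authorization REPLY body, RFC 8907 section 6.2 (packet header not included)."""
    encoded = [str(a).encode() for a in args]
    if any(len(e) > 255 for e in encoded):
        raise ValueError("argument longer than the one-byte arg_N_len allows")
    head = struct.pack("!BBHH", status, len(encoded), len(server_msg), len(data))
    return head + bytes(len(e) for e in encoded) + server_msg + data + b"".join(encoded)


def decode_reply(body):
    """Inverse of encode_reply; returns (status, args, server_msg, data)."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    arg_lens, off = list(body[off:off + arg_cnt]), off + arg_cnt
    server_msg, off = body[off:off + msg_len], off + msg_len
    data, off = body[off:off + data_len], off + data_len
    args = []
    for ln in arg_lens:
        args.append(Arg.parse(body[off:off + ln].decode()))
        off += ln
    if off != len(body):
        raise ValueError("trailing bytes in authorization REPLY body")
    return status, args, server_msg, data


def demo():
    # Constructed from the debug output above: the pairs the switch sent and
    # the two the server had (priv-lvl mandatory, shell:roles optional).
    nas = [Arg.parse(s) for s in ("service=shell", "protocol=ip", "cmd=", "cisco-av-pair*", "shell:roles*")]
    srv = [Arg.parse(s) for s in ("priv-lvl=15", "shell:roles*network-admin")]
    status, args, trace = merge(nas, srv)
    body = encode_reply(status, args)
    assert decode_reply(body) == (status, args, b"", b"")  # wire round trip
    return status, [str(a) for a in args], trace


if __name__ == "__main__":
    status, args, trace = demo()
    print("\n".join(trace))
    print(hex(status), args)
```

Running `demo()` reproduces the three tagged lines of the quoted log: the empty `cisco-av-pair*` is deleted, `shell:roles*` is replaced by `shell:roles*network-admin`, and `priv-lvl=15` is added. The same merge with `shell:roles=network-admin` configured sends the pair back mandatory, which under RFC 8907 section 8.2 a device that does not understand it has to treat as a failed authorization; that is the difference between the two config lines in the first message.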