On 08/01/2013 09:06 PM, David Heinz wrote:
> I've been trying to craft an AuthorizeGroup statement to match:
> Thu Aug 1 18:01:06 2013: DEBUG: TacacsplusConnection Authorization
> REQUEST 6, 1, 2, 1, heinzdb, 0, 192.168.10.10, 4, service=shell cmd=
> cisco-av-pair* shell:roles*

How about this:

AuthorizeGroup nxos permit service=shell cmd= cisco-av-pair\* shell:roles\* {shell:roles="network-operator vdc-admin"}

> But as of yet haven't been able to get one that works. From my
> experience I think those are all "check" items aren't they? Not Reply items?
> Has anyone got this working in production on a Nexus device?

The 4 arguments service=shell cmd= cisco-av-pair* shell:roles* describe "the services and options for which authorization is requested" as the TACACS+ doc says. So I'd say they are sort of check items. An example of reply attributes, or reply items, is inside the braces {}.

For quick testing you could also try goodies/tacacsplustest. Something like this should match the above AuthorizeGroup:

perl goodies/tacacsplustest -port 4949 -trace 4 -noacct -user heinzdb -author_args service=shell,cmd=,cisco-av-pair'*',shell:roles'*'

Thanks,
Heikki

-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
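The exchange above turns on the difference between the four check items in the authorization REQUEST (the attribute/value pairs the Nexus sends) and the reply items Radiator returns from inside the braces. The following is an added model of that matching, not Radiator's own code or its parser: it parses the argument strings from the quoted DEBUG line (TACACS+ uses '=' for a mandatory argument and '*' for an optional one), reads an AuthorizeGroup-style rule such as the one proposed in the reply, and returns the decision plus reply items. The matching semantics (one regex per argument, matched positionally with re.fullmatch, first matching rule wins, no match means deny) are assumptions made for the illustration, and the sample request and rule are constructed from the thread.

```python
"""Model of TACACS+ shell-authorization check/reply matching against
AuthorizeGroup-style rules. Added illustration for this thread; not
Radiator's code. Matching semantics here are assumptions (see lead-in)."""
import re
import shlex
from dataclasses import dataclass, field


@dataclass
class AuthzArg:
    attr: str
    value: str
    mandatory: bool   # '=' separator => mandatory, '*' => optional (TACACS+)


def parse_arg(raw: str) -> AuthzArg:
    """Split one TACACS+ authorization argument at its first '=' or '*'."""
    for i, ch in enumerate(raw):
        if ch in "=*":
            return AuthzArg(raw[:i], raw[i + 1:], ch == "=")
    raise ValueError(f"not an attribute/value pair: {raw!r}")


@dataclass
class Rule:
    group: str
    action: str                                  # "permit" or "deny"
    patterns: list                               # check items: one regex per argument
    reply: list = field(default_factory=list)    # reply items: attr=value strings


def parse_rule(line: str) -> Rule:
    """Parse 'AuthorizeGroup <group> permit|deny <regex>... [{attr=val ...}]'.
    Assumed format, modelled on the rule quoted in the thread."""
    head, brace, tail = line.partition("{")
    # shlex keeps a quoted value such as "network-operator vdc-admin" together
    reply = shlex.split(tail.rsplit("}", 1)[0]) if brace else []
    parts = head.split()
    if (len(parts) < 3 or parts[0] != "AuthorizeGroup"
            or parts[2] not in ("permit", "deny")):
        raise ValueError(f"malformed rule: {line!r}")
    return Rule(group=parts[1], action=parts[2], patterns=parts[3:], reply=reply)


def rule_matches(rule: Rule, args: list) -> bool:
    """Check items: the argument counts must agree and every pattern must
    fully match the request argument in the same position."""
    if len(rule.patterns) != len(args):
        return False
    return all(re.fullmatch(p, a) for p, a in zip(rule.patterns, args))


def authorize(group: str, args: list, rules: list):
    """Return (decision, reply_items) from the first matching rule of `group`.
    No matching rule means deny with no reply items (assumed default)."""
    for a in args:
        parse_arg(a)           # reject malformed argument strings up front
    for rule in rules:
        if rule.group == group and rule_matches(rule, args):
            return rule.action, list(rule.reply)
    return "deny", []


# Constructed sample: the argument list from the DEBUG line quoted in the
# thread, and the AuthorizeGroup rule proposed in the reply.
REQUEST_ARGS = ["service=shell", "cmd=", "cisco-av-pair*", "shell:roles*"]
RULES = [parse_rule(r'AuthorizeGroup nxos permit service=shell cmd= '
                    r'cisco-av-pair\* shell:roles\* '
                    r'{shell:roles="network-operator vdc-admin"}')]

if __name__ == "__main__":
    print(authorize("nxos", REQUEST_ARGS, RULES))
    # A request whose arguments do not match the check items gets no reply
    # items, which is what a rule that "doesn't work" looks like in practice.
    print(authorize("nxos", ["service=shell", "cmd=show", "cmdarg=version"], RULES))
```

The backslash before each asterisk in the rule matters in this model for the same reason it does in the reply's AuthorizeGroup line: an unescaped `*` is a regex quantifier, so `shell:roles*` would match `shell:role` rather than the literal `shell:roles*` argument the device sends.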