On 08/01/2013 09:06 PM, David Heinz wrote:

> I've been trying to craft an AuthorizeGroup statement to match:
> Thu Aug  1 18:01:06 2013: DEBUG: TacacsplusConnection Authorization
> REQUEST 6, 1, 2, 1, heinzdb, 0, 192.168.10.10, 4, service=shell cmd=
> cisco-av-pair* shell:roles*

How about this:

AuthorizeGroup nxos permit service=shell cmd= cisco-av-pair\*
shell:roles\* {shell:roles="network-operator vdc-admin"}

> But as of yet haven't been able to get one that works. From my
> experience I think those are all "check" items, aren't they? Not Reply items?
> Has anyone got this working in production on a Nexus device?

The 4 arguments service=shell cmd= cisco-av-pair* shell:roles* describe
"the services and options for which authorization is requested" as the
TACACS+ doc says. So I'd say they are sort of check items. An example of
reply attributes, or reply items, is inside the braces {}.

For quick testing you could also try goodies/tacacsplustest. Something
like this should match the above AuthorizeGroup:

perl goodies/tacacsplustest -port 4949 -trace 4 -noacct -user heinzdb
-author_args service=shell,cmd=,cisco-av-pair'*',shell:roles'*'

Thanks,
Heikki

-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
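As an added illustration (not Radiator's own code and not part of this thread): a small Python check that pulls the four authorization arguments out of the quoted debug line, classifies each as mandatory (`=`) or optional (`*`) per the TACACS+ attribute-value syntax, and evaluates the AuthorizeGroup rule above. The matching rule is an assumption that approximates Radiator's behaviour (each pattern is read as a regex and must match its argument in full, which is why the trailing `*` is escaped), and the field layout assumed for the REQUEST line is labelled in the code.

```python
import re

# Constructed sample: the Radiator debug line quoted in the thread.
LOG_LINE = ("Thu Aug  1 18:01:06 2013: DEBUG: TacacsplusConnection Authorization "
            "REQUEST 6, 1, 2, 1, heinzdb, 0, 192.168.10.10, 4, "
            "service=shell cmd= cisco-av-pair* shell:roles*")

# The AuthorizeGroup line from the reply, as regex patterns plus reply attributes.
NXOS_RULE = [r"service=shell", r"cmd=", r"cisco-av-pair\*", r"shell:roles\*"]
NXOS_REPLY = {"shell:roles": "network-operator vdc-admin"}


def parse_authz_request(line):
    """Return (user, rem_addr, args) from an Authorization REQUEST debug line.
    Assumed field layout after REQUEST: authen_method, priv_lvl, authen_type,
    authen_service, user, port, rem_addr, arg_cnt, then the space-separated args."""
    m = re.search(r"Authorization REQUEST (.*)$", line)
    if not m:
        raise ValueError("not an Authorization REQUEST line")
    fields = m.group(1).split(", ", 8)
    if len(fields) != 9:
        raise ValueError("unexpected field count")
    user, rem_addr, arg_cnt = fields[4], fields[6], int(fields[7])
    args = fields[8].split()
    if len(args) != arg_cnt:
        raise ValueError(f"expected {arg_cnt} args, found {len(args)}")
    return user, rem_addr, args


def split_av(arg):
    """Split a TACACS+ attribute-value pair into (attr, mandatory, value).
    '=' separates a mandatory attribute, '*' an optional one."""
    m = re.match(r"^([^=*]+)([=*])(.*)$", arg)
    if not m:
        raise ValueError(f"malformed AV pair: {arg!r}")
    attr, sep, value = m.groups()
    return attr, sep == "=", value


def authorize(args, rule_patterns, reply):
    """Evaluate an AuthorizeGroup-style permit rule (assumed semantics: every
    pattern must fully match the argument at the same position).
    Returns the reply attributes on a match, None otherwise."""
    if len(rule_patterns) != len(args):
        return None
    for pat, arg in zip(rule_patterns, args):
        if not re.fullmatch(pat, arg):
            return None
    return dict(reply)
```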