Heikki, Thanks for the help. The cmd= was the trick as I was still attempting to do the cmd\*.

On another note.. The shell:roles="blah1 blah2" doesn't work, but if you do "blah1,blah2" then you get assigned both roles as expected.

Dave Heinz

On 8/1/13 5:07 PM, "Heikki Vatiainen" <h...@open.com.au> wrote:

>On 08/01/2013 09:06 PM, David Heinz wrote:
>
>> I've been trying to craft an AuthorizeGroup statement to match:
>> Thu Aug 1 18:01:06 2013: DEBUG: TacacsplusConnection Authorization
>> REQUEST 6, 1, 2, 1, heinzdb, 0, 192.168.10.10, 4, service=shell cmd=
>> cisco-av-pair* shell:roles*
>
>How about this:
>
>AuthorizeGroup nxos permit service=shell cmd= cisco-av-pair\* shell:roles\* {shell:roles="network-operator vdc-admin"}
>
>> But as of yet haven't been able to get one that works. From my
>> experience I think those are all "check" items aren't they? Not Reply
>> items?
>> Has anyone got this working in production on a Nexus device?
>
>The 4 arguments service=shell cmd= cisco-av-pair* shell:roles* describe
>"the services and options for which authorization is requested" as the
>TACACS+ doc says. So I'd say they are sort of check items. An example of
>reply attributes, or reply items, is inside the braces {}.
>
>For quick testing you could also try goodies/tacacsplustest. Something
>like this should match the above AuthorizeGroup:
>
>perl goodies/tacacsplustest -port 4949 -trace 4 -noacct -user heinzdb -author_args service=shell,cmd=,cisco-av-pair'*',shell:roles'*'
>
>Thanks,
>Heikki
>
>--
>Heikki Vatiainen <h...@open.com.au>
>
>Radiator: the most portable, flexible and configurable RADIUS server
>anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>NetWare etc.
>_______________________________________________
>radiator mailing list
>radiator@open.com.au
>http://www.open.com.au/mailman/listinfo/radiator
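The thread turns on one detail of the request the Nexus sends: `cmd=` (mandatory, empty value) is a different argument from `cmd*` (optional), so a check written for one does not match the other. The following is an added example, not code from the thread and not Radiator's own AuthorizeGroup matching: it parses the space-separated argument list as it appears in the quoted DEBUG line, using the separator rule from RFC 8907 section 8.2 (the first `=` or `*` splits attribute from value; `=` means mandatory, `*` means optional), and tells the exec-shell start apart from a per-command request. The sample lines and the `classify_request` policy are constructed for illustration.

```python
"""Parse TACACS+ authorization arguments and classify the request.

Added example: the separator semantics follow RFC 8907 section 8.2; the
classification logic is illustrative and is not how Radiator matches an
AuthorizeGroup. Sample lines are constructed from the DEBUG output quoted
in the thread.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AuthzArg:
    attr: str
    value: str
    mandatory: bool  # True for 'attr=value', False for 'attr*value'

    def wire(self) -> str:
        """Re-encode as the single argument string seen in the debug line."""
        sep = "=" if self.mandatory else "*"
        return f"{self.attr}{sep}{self.value}"


def parse_arg(raw: str) -> AuthzArg:
    """Split one argument at its first '=' or '*'; the value may contain either."""
    for i, ch in enumerate(raw):
        if ch in "=*":
            return AuthzArg(raw[:i], raw[i + 1:], ch == "=")
    raise ValueError(f"no '=' or '*' separator in argument: {raw!r}")


def parse_args(text: str) -> List[AuthzArg]:
    """Parse a space-separated argument list as printed in a debug line."""
    return [parse_arg(tok) for tok in text.split()]


def find(args: List[AuthzArg], attr: str) -> Optional[AuthzArg]:
    """Return the first argument with the given attribute name, if any."""
    return next((a for a in args if a.attr == attr), None)


def classify_request(args: List[AuthzArg]) -> Optional[str]:
    """Distinguish the exec-shell start from a per-command authorization.

    'cmd=' with an empty value is what the device sends while the user's
    shell is being set up (the request in the thread); 'cmd=<word>' is a
    later request for an individual command. Anything else is not a shell
    authorization this policy understands, so the caller should deny it.
    """
    service = find(args, "service")
    cmd = find(args, "cmd")
    if service is None or service.value != "shell" or cmd is None:
        return None
    if not cmd.mandatory:
        # 'cmd*' is a different argument from 'cmd=': a check written for the
        # optional form never matches the mandatory, empty 'cmd=' of a shell start.
        return None
    return "shell-start" if cmd.value == "" else "command"


def optional_attrs(args: List[AuthzArg]) -> List[str]:
    """Names of the optional ('*') arguments, which RFC 8907 lets either side
    disregard (cisco-av-pair and shell:roles in the thread's request)."""
    return [a.attr for a in args if not a.mandatory]


# Constructed samples modelled on the DEBUG line quoted in the thread.
SHELL_START = "service=shell cmd= cisco-av-pair* shell:roles*"
SHOW_VERSION = "service=shell cmd=show cmd-arg=version cmd-arg=<cr>"

if __name__ == "__main__":
    for line in (SHELL_START, SHOW_VERSION):
        args = parse_args(line)
        print(f"{line!r}: {classify_request(args)}, optional={optional_attrs(args)}")
```

Running the block prints `shell-start` for the thread's request and `command` for the constructed `show version` line; a request carrying `cmd*` instead of `cmd=` is classified as neither, which is the mismatch the original `cmd\*` check ran into.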