(RADIATOR) CommandAuth with TACACS+

Nick Slager nicks at OntheNet.com.au
Fri Mar 19 00:36:11 CST 2004

I have a TACACS+ server set up using Radiator 3.9, and am having a small
problem configuring CommandAuth to work correctly.

In my configuration file, I have the following:

        # support group
        GroupAuthAttr support priv-lvl=1
        CommandAuth support permit debug:ppp:.*
        CommandAuth support deny .*  Access Denied

i.e., I want to permit members of the support group to enter 'debug ppp'
commands, but deny all other exec-level commands, including other debug

However, users in this group are able to enter any debug command at all,
not just 'debug ppp' commands. It seems that only the first part of the
CommandAuth string is checked (i.e., the 'debug' part). In this example,
I would expect the second debug command to fail:

        router#deb ppp auth
        PPP authentication debugging is on
        router#deb bgp ev
        BGP events debugging is on

However, it clearly works. It appears that only the first "word" of the
command string is checked. Is anyone able to shed light on why this is


