[RADIATOR] TACACS on NX-OS Devices

David Heinz heinzdb at corp.earthlink.com
Thu Aug 1 13:06:04 CDT 2013


I'm attempting to get TACACS working on Cisco's NX-OS platform with Radiator. According to the documentation you need to send back a cisco-avpair of shell:roles* followed by the role types for the user to obtain the proper "privilege". The priv-lvl is no longer valid it would seem.

After my Access-Accept I'm seeing the following:

Thu Aug  1 18:01:06 2013: DEBUG: TacacsplusConnection result Access-Accept
Thu Aug  1 18:01:06 2013: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
Thu Aug  1 18:01:06 2013: DEBUG: TacacsplusConnection disconnected from 10.7.249.27:41097
Thu Aug  1 18:01:06 2013: DEBUG: New TacacsplusConnection created for 10.7.249.27:41214
Thu Aug  1 18:01:06 2013: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 683790301, 76
Thu Aug  1 18:01:06 2013: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 2, 1, heinzdb, 0, 192.168.10.10, 4, service=shell cmd= cisco-av-pair* shell:roles*
Thu Aug  1 18:01:06 2013: DEBUG: AuthorizeGroup rule match found: permit .* {  }
Thu Aug  1 18:01:06 2013: INFO: permitted USER=heinzdb NAS_IP=10.7.249.27 GROUP=TEST COMMANDS=service=shell cmd= cisco-av-pair* shell:roles*
Thu Aug  1 18:01:06 2013: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,
Thu Aug  1 18:01:06 2013: DEBUG: TacacsplusConnection disconnected from 10.7.249.27:41214


I've been trying to craft an AuthorizeGroup statement to match:
Thu Aug  1 18:01:06 2013: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 2, 1, heinzdb, 0, 192.168.10.10, 4, service=shell cmd= cisco-av-pair* shell:roles*

But as of yet I haven't been able to get one that works. From my experience I think those are all "check" items, aren't they? Not reply items?
Has anyone got this working in production on a Nexus device?

Thanks!

Dave Heinz
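An added example, not part of the post or of Radiator, that shows how the argument list in the Authorization REQUEST line above is read under TACACS+ (RFC 8907): "attr=value" is a mandatory argument, "attr*value" an optional one, so cisco-av-pair* and shell:roles* are hints the device wants filled in on the reply rather than values to check. It then builds the reply arguments and status for the exec-session case; the role name network-operator and the `shell:roles*` separator are assumptions (the exact quoting NX-OS expects is not covered here).

```python
import re

# TACACS+ authorization arguments: "attr=value" is mandatory,
# "attr*value" is optional.  The NX-OS hints in the log above
# (cisco-av-pair*, shell:roles*) use "*", so they are optional hints
# the device wants answered, not values the server must check.
ARG_RE = re.compile(r'^([^=*]+)([=*])(.*)$')
PASS_ADD = 0x01   # TAC_PLUS_AUTHOR_STATUS_PASS_ADD: client adds reply args
FAIL = 0x10       # TAC_PLUS_AUTHOR_STATUS_FAIL

def parse_args(args):
    """Split each argument into (attribute, value, is_mandatory)."""
    parsed = []
    for arg in args:
        m = ARG_RE.match(arg)
        if not m:
            raise ValueError(f'malformed TACACS+ argument: {arg!r}')
        attr, sep, value = m.groups()
        parsed.append((attr, value, sep == '='))
    return parsed

def authorize_shell(request_args, user_roles):
    """Return (status, reply_args) for an NX-OS shell authorization request.

    user_roles is the list of NX-OS role names the server has already
    decided the user may hold; an empty list refuses the session.
    """
    parsed = parse_args(request_args)
    values = {attr: value for attr, value, _ in parsed}
    # Only the exec-session request (service=shell with empty cmd) is
    # handled here; anything else fails closed.
    if values.get('service') != 'shell' or values.get('cmd', '') != '':
        return FAIL, []
    if not user_roles:
        return FAIL, []
    reply = []
    if 'shell:roles' in values:   # device asked for roles: answer the hint
        reply.append('shell:roles*' + ' '.join(user_roles))
    return PASS_ADD, reply

# Constructed request mirroring the Authorization REQUEST line in the log.
REQUEST = ['service=shell', 'cmd=', 'cisco-av-pair*', 'shell:roles*']

if __name__ == '__main__':
    print(parse_args(REQUEST))
    # 'network-operator' is an assumed role name; substitute your own.
    print(authorize_shell(REQUEST, ['network-operator']))
```

Note that the log's "Authorization RESPONSE 1, , ," is status 1 (PASS_ADD) with no arguments, which is why the device never receives any roles.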
