[RADIATOR] TACACS on NX-OS Devices

Heikki Vatiainen hvn at open.com.au
Thu Aug 1 16:07:07 CDT 2013


On 08/01/2013 09:06 PM, David Heinz wrote:

> I've been trying to craft an AuthorizeGroup statement to match:
> Thu Aug  1 18:01:06 2013: DEBUG: TacacsplusConnection Authorization
> REQUEST 6, 1, 2, 1, heinzdb, 0, 192.168.10.10, 4, service=shell cmd=
> cisco-av-pair* shell:roles*

How about this:

AuthorizeGroup nxos permit service=shell cmd= cisco-av-pair\* shell:roles\* {shell:roles="network-operator vdc-admin"}

> But as of yet haven't been able to get one that works. From my
> experience I think those are all "check" items, aren't they? Not reply items?
> Has anyone got this working in production on a Nexus device?

The 4 arguments service=shell cmd= cisco-av-pair* shell:roles* describe
"the services and options for which authorization is requested" as the
TACACS+ doc says. So I'd say they are sort of check items. An example of
reply attributes, or reply items, is inside the braces {}.

For quick testing you could also try goodies/tacacsplustest. Something
like this should match the above AuthorizeGroup:

perl goodies/tacacsplustest -port 4949 -trace 4 -noacct -user heinzdb -author_args service=shell,cmd=,cisco-av-pair'*',shell:roles'*'

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
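The exchange discussed in this message, as an added worked example that is not part of the original post and not Radiator's own code: it builds the TACACS+ authorization REQUEST body that the quoted debug line describes (authen_method 6, priv_lvl 1, authen_type 2, authen_service 1, user heinzdb, port "0", rem_addr 192.168.10.10, four args) using the field layout from RFC 8907, decodes it back with length checks, and then models the "check items versus reply items" distinction of an AuthorizeGroup line. The matching semantics (every check item must appear in the request, compared literally) and the treatment of the quoted reply value (quotes taken as Radiator config syntax for a value containing a space, so the NAS receives shell:roles=network-operator vdc-admin) are simplifying assumptions made for the example, not a statement of how Radiator is implemented. The body shown is the cleartext body; on the wire it is additionally XOR-obfuscated with the MD5 pad derived from the shared secret, which is left out here.

```python
"""Added example: TACACS+ authorization REQUEST/REPLY bodies (RFC 8907 6.1, 6.2)
plus a simplified model of an AuthorizeGroup permit rule. Not Radiator code."""
import struct
from dataclasses import dataclass, field

# Constants from RFC 8907.
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10


def split_arg(arg):
    """Split 'attr=value' (mandatory) or 'attr*value' (optional), RFC 8907 8.2.
    The first '=' or '*' is the separator; the value may be empty ('cmd=')."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], ch, arg[i + 1:]
    raise ValueError(f"no separator in arg {arg!r}")


@dataclass
class AuthorRequest:
    authen_method: int
    priv_lvl: int
    authen_type: int
    authen_service: int
    user: str
    port: str
    rem_addr: str
    args: list  # e.g. ["service=shell", "cmd=", "cisco-av-pair*", "shell:roles*"]

    def encode(self):
        """Cleartext authorization REQUEST body (obfuscation step omitted)."""
        ub, pb, rb = (s.encode() for s in (self.user, self.port, self.rem_addr))
        ab = [a.encode() for a in self.args]
        if len(ab) > 255 or any(len(x) > 255 for x in (ub, pb, rb, *ab)):
            raise ValueError("field too long for a one-octet length")
        hdr = struct.pack("!8B", self.authen_method, self.priv_lvl,
                          self.authen_type, self.authen_service,
                          len(ub), len(pb), len(rb), len(ab))
        return hdr + bytes(len(x) for x in ab) + ub + pb + rb + b"".join(ab)

    @classmethod
    def decode(cls, body):
        """Parse a REQUEST body, refusing bodies whose declared lengths
        do not add up to the bytes actually present."""
        if len(body) < 8:
            raise ValueError("short authorization body")
        meth, priv, atype, svc, ulen, plen, rlen, argc = struct.unpack("!8B", body[:8])
        off = 8
        arg_lens = list(body[off:off + argc])
        if len(arg_lens) != argc:
            raise ValueError("truncated arg length table")
        off += argc
        if len(body) - off != ulen + plen + rlen + sum(arg_lens):
            raise ValueError("body length does not match declared lengths")
        user = body[off:off + ulen].decode(); off += ulen
        port = body[off:off + plen].decode(); off += plen
        rem = body[off:off + rlen].decode(); off += rlen
        args = []
        for n in arg_lens:
            args.append(body[off:off + n].decode()); off += n
        return cls(meth, priv, atype, svc, user, port, rem, args)


@dataclass
class AuthorizeRule:
    """Assumed, simplified model of 'AuthorizeGroup <group> permit|deny
    <check items> {reply items}': check items are args that must be present
    in the request (attr, separator and value compared literally); reply items
    are the args returned to the NAS when the rule matches."""
    action: str
    check: list
    reply: list = field(default_factory=list)

    def matches(self, req_args):
        have = {split_arg(a) for a in req_args}
        return all(split_arg(c) in have for c in self.check)


def authorize(req, rules):
    """First matching rule wins; no match means FAIL. Returns (status, reply args)."""
    for rule in rules:
        if rule.matches(req.args):
            if rule.action == "permit":
                return TAC_PLUS_AUTHOR_STATUS_PASS_ADD, list(rule.reply)
            return TAC_PLUS_AUTHOR_STATUS_FAIL, []
    return TAC_PLUS_AUTHOR_STATUS_FAIL, []


def encode_reply(status, args, server_msg=b"", data=b""):
    """Cleartext authorization REPLY body: status, arg_cnt, server_msg_len,
    data_len, arg lengths, server_msg, data, args."""
    ab = [a.encode() for a in args]
    hdr = struct.pack("!BBHH", status, len(ab), len(server_msg), len(data))
    return hdr + bytes(len(x) for x in ab) + server_msg + data + b"".join(ab)


# Constructed from the debug line quoted in the thread.
NXOS_REQUEST = AuthorRequest(TAC_PLUS_AUTHEN_METH_TACACSPLUS, 1, TAC_PLUS_AUTHEN_TYPE_PAP,
                             TAC_PLUS_AUTHEN_SVC_LOGIN, "heinzdb", "0", "192.168.10.10",
                             ["service=shell", "cmd=", "cisco-av-pair*", "shell:roles*"])

# Model of the suggested AuthorizeGroup line; the reply value's quotes are
# assumed to be config quoting, so the NAS gets the unquoted value.
NXOS_RULE = AuthorizeRule("permit",
                          ["service=shell", "cmd=", "cisco-av-pair*", "shell:roles*"],
                          ["shell:roles=network-operator vdc-admin"])


def run_exchange(req, rules):
    """Encode, decode, evaluate, and build the reply; returns all four."""
    parsed = AuthorRequest.decode(req.encode())
    status, reply_args = authorize(parsed, rules)
    return parsed, status, reply_args, encode_reply(status, reply_args)


if __name__ == "__main__":
    parsed, status, reply_args, reply = run_exchange(NXOS_REQUEST, [NXOS_RULE])
    print(parsed.user, parsed.rem_addr, parsed.args)
    print(hex(status), reply_args, reply.hex())
```

Running it shows the four request args coming back out of the decoder unchanged, status 0x01 (PASS_ADD) and the single reply arg. Dropping one check item from the request, or putting a deny rule in front, yields 0x10 (FAIL) and an empty reply list, which is the behaviour the check-versus-reply distinction in the message is about.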

