[RADIATOR] TACACS on NX-OS Devices

David Heinz heinzdb at corp.earthlink.com
Tue Aug 13 14:32:18 CDT 2013


Heikki,
Thanks for the help. The cmd= was the trick as I was still attempting to
do the cmd\*. 

On another note.. The shell:roles="blah1 blah2" doesn't work, but if you do
"blah1,blah2" then you get assigned both roles as expected.

Dave Heinz




On 8/1/13 5:07 PM, "Heikki Vatiainen" <hvn at open.com.au> wrote:

>On 08/01/2013 09:06 PM, David Heinz wrote:
>
>> I've been trying to craft an AuthorizeGroup statement to match:
>> Thu Aug  1 18:01:06 2013: DEBUG: TacacsplusConnection Authorization
>> REQUEST 6, 1, 2, 1, heinzdb, 0, 192.168.10.10, 4, service=shell cmd=
>> cisco-av-pair* shell:roles*
>
>How about this:
>
>AuthorizeGroup nxos permit service=shell cmd= cisco-av-pair\*
>shell:roles\* {shell:roles="network-operator vdc-admin"}
>
>> But as of yet haven't been able to get one that works. From my
>> experience I think those are all "check" items aren't they? Not Reply
>>items?
>> Has anyone got this working in production on a Nexus device?
>
>The 4 arguments service=shell cmd= cisco-av-pair* shell:roles* describe
>"the services and options for which authorization is requested" as the
>TACACS+ doc says. So I'd say they are sort of check items. An example of
>reply attributes, or reply items, is inside the braces {}.
>
>For quick testing you could also try goodies/tacacsplustest. Something
>like this should match the above AuthorizeGroup:
>
>perl goodies/tacacsplustest -port 4949 -trace 4 -noacct -user heinzdb
>-author_args service=shell,cmd=,cisco-av-pair'*',shell:roles'*'
>
>Thanks,
>Heikki
>
>-- 
>Heikki Vatiainen <hvn at open.com.au>
>
>Radiator: the most portable, flexible and configurable RADIUS server
>anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>NetWare etc.
>_______________________________________________
>radiator mailing list
>radiator at open.com.au
>http://www.open.com.au/mailman/listinfo/radiator
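The exchange discussed in this thread, as an added example that is not part of the original posts and not Radiator's code: it parses the four request arguments from the DEBUG line (service=shell cmd= cisco-av-pair* shell:roles*), evaluates a "permit" rule written the way the poster first tried (cmd\*) beside the one that worked (cmd=), returns the comma-separated shell:roles value the poster reports NX-OS accepts, and round-trips that decision through a TACACS+ authorization REPLY body laid out per RFC 8907. The rule matching is a simplification assumed for the example (each rule argument is a Perl-style regular expression that must fully match one request argument); it is not Radiator's documented AuthorizeGroup semantics. The request, the rules and the role string are constructed from the thread.

```python
"""Added example, not Radiator's code: a TACACS+ shell-authorization
exchange for the NX-OS request quoted in the thread.

Assumptions made for this example: rule arguments are Perl-style regular
expressions that must each fully match one request argument (a
simplification, not Radiator's documented matching), and the REPLY body
follows the layout given in RFC 8907 for authorization replies.
"""
import re
import struct

AUTHOR_STATUS_PASS_ADD = 0x01   # accept and add the returned arguments
AUTHOR_STATUS_FAIL = 0x10       # reject

# Constructed request: the argument list from the Radiator DEBUG line in
# the thread, as NX-OS sends it for a shell login.
NXOS_REQUEST_ARGS = ["service=shell", "cmd=", "cisco-av-pair*", "shell:roles*"]

# Constructed rules, each (action, patterns, reply args). The first spells
# 'cmd\*' as the poster first tried; the second spells 'cmd=' and returns
# the comma-separated role list the poster found NX-OS accepts.
BROKEN_RULE = ("permit",
               [r"service=shell", r"cmd\*", r"cisco-av-pair\*", r"shell:roles\*"],
               ["shell:roles=network-operator,vdc-admin"])
WORKING_RULE = ("permit",
                [r"service=shell", r"cmd=", r"cisco-av-pair\*", r"shell:roles\*"],
                ["shell:roles=network-operator,vdc-admin"])


def split_arg(arg):
    """Return (name, separator, value) for one TACACS+ argument.

    The first '=' or '*' is the separator: '=' marks a mandatory argument,
    '*' an optional one, and names may contain neither. So 'cmd=' is a
    mandatory 'cmd' with an empty value and 'shell:roles*' an optional
    'shell:roles' with an empty value.
    """
    m = re.match(r"([^=*]+)([=*])(.*)", arg, re.S)
    if m is None:
        raise ValueError("malformed TACACS+ argument: %r" % arg)
    return m.group(1), m.group(2), m.group(3)


def rule_matches(patterns, request_args):
    """True when every rule pattern fully matches at least one request arg.

    Patterns are regular expressions, so a literal '*' in the request has
    to be escaped in the rule, and a rule saying 'cmd\\*' cannot match the
    request's 'cmd='.
    """
    return all(any(re.fullmatch(p, a) for a in request_args) for p in patterns)


def authorize(rules, request_args):
    """First matching rule decides; no match means FAIL with no arguments."""
    for action, patterns, reply_args in rules:
        if rule_matches(patterns, request_args):
            if action == "permit":
                return AUTHOR_STATUS_PASS_ADD, list(reply_args)
            return AUTHOR_STATUS_FAIL, []
    return AUTHOR_STATUS_FAIL, []


def encode_author_reply(status, args, server_msg=b"", data=b""):
    """Build an authorization REPLY body:
    status(1) arg_cnt(1) server_msg_len(2) data_len(2) arg_1_len ... arg_N_len
    server_msg data arg_1 ... arg_N   (all lengths big-endian)."""
    raw = [a.encode("utf-8") for a in args]
    if len(raw) > 255 or any(len(a) > 255 for a in raw):
        raise ValueError("argument count and argument lengths are single bytes")
    body = struct.pack("!BBHH", status, len(raw), len(server_msg), len(data))
    body += bytes(len(a) for a in raw)
    return body + server_msg + data + b"".join(raw)


def decode_author_reply(body):
    """Parse a REPLY body back into (status, args, server_msg, data)."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    lengths = body[6:6 + arg_cnt]
    if len(lengths) != arg_cnt:
        raise ValueError("truncated argument length table")
    pos = 6 + arg_cnt
    server_msg = body[pos:pos + msg_len]
    pos += msg_len
    data = body[pos:pos + data_len]
    pos += data_len
    args = []
    for n in lengths:
        args.append(body[pos:pos + n].decode("utf-8"))
        pos += n
    if pos != len(body):
        raise ValueError("REPLY body length does not match its fields")
    return status, args, server_msg, data


def nxos_shell_exchange(rules=(WORKING_RULE,), request_args=NXOS_REQUEST_ARGS):
    """Run the request through the rules and round-trip the REPLY body."""
    status, reply_args = authorize(list(rules), request_args)
    return decode_author_reply(encode_author_reply(status, reply_args))


if __name__ == "__main__":
    for arg in NXOS_REQUEST_ARGS:
        print("%-16s -> %r" % (arg, split_arg(arg)))
    print("cmd\\* rule matches:", rule_matches(BROKEN_RULE[1], NXOS_REQUEST_ARGS))
    print("cmd=  rule matches:", rule_matches(WORKING_RULE[1], NXOS_REQUEST_ARGS))
    print("reply:", nxos_shell_exchange())
```

Running it shows why cmd= was the trick: the device sends cmd as a mandatory argument with an empty value, so a rule argument has to match that exact string, while the optional arguments arrive with a literal "*" that must be escaped when the rule argument is a regular expression. The decoded reply carries a single mandatory shell:roles argument; whether the device honours a space- or comma-separated value is up to the device, and the example simply uses the comma form reported in the thread.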


