I'm attempting to get TACACS working on Cisco's NX-OS platform with Radiator. According to the documentation you need to send back a cisco-avpair of shell:roles* followed by the role types for the user to obtain the proper "privilege". The priv-lvl is no longer valid it would seem.
After my Access-Accept I'm seeing the following:

Thu Aug 1 18:01:06 2013: DEBUG: TacacsplusConnection result Access-Accept
Thu Aug 1 18:01:06 2013: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
Thu Aug 1 18:01:06 2013: DEBUG: TacacsplusConnection disconnected from 10.7.249.27:41097
Thu Aug 1 18:01:06 2013: DEBUG: New TacacsplusConnection created for 10.7.249.27:41214
Thu Aug 1 18:01:06 2013: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 683790301, 76
Thu Aug 1 18:01:06 2013: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 2, 1, heinzdb, 0, 192.168.10.10, 4, service=shell cmd= cisco-av-pair* shell:roles*
Thu Aug 1 18:01:06 2013: DEBUG: AuthorizeGroup rule match found: permit .* { }
Thu Aug 1 18:01:06 2013: INFO: permitted USER=heinzdb NAS_IP=10.7.249.27 GROUP=TEST COMMANDS=service=shell cmd= cisco-av-pair* shell:roles*
Thu Aug 1 18:01:06 2013: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , ,
Thu Aug 1 18:01:06 2013: DEBUG: TacacsplusConnection disconnected from 10.7.249.27:41214

I've been trying to craft an AuthorizeGroup statement to match:

Thu Aug 1 18:01:06 2013: DEBUG: TacacsplusConnection Authorization REQUEST 6, 1, 2, 1, heinzdb, 0, 192.168.10.10, 4, service=shell cmd= cisco-av-pair* shell:roles*

But as of yet I haven't been able to get one that works. From my experience I think those are all "check" items, aren't they? Not reply items? Has anyone got this working in production on a Nexus device?

Thanks!
Dave Heinz
_______________________________________________ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
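The exchange in the debug output above is a TACACS+ authorization round trip: the Nexus sends an AUTHOR REQUEST whose arguments are service=shell and cmd= (mandatory, "=") plus cisco-av-pair* and shell:roles* (optional, "*"), and the server answered status 1 (PASS_ADD) with no arguments, so no role was ever handed back. The following is an added example, not Radiator code and not the poster's configuration: it encodes and decodes the request and reply bodies as laid out in RFC 8907 section 6, reconstructs the request from the post's debug line (constructed sample data; the port value "0" and the role name "network-admin" are assumptions), and builds the PASS_ADD reply carrying shell:roles="..." that NX-OS expects. The TACACS+ 12-byte header and body obfuscation are left out; only the bodies are shown.

```python
"""Added example: TACACS+ authorization bodies (RFC 8907 section 6) and the
shell:roles reply NX-OS asks for. Not Radiator's code; header/obfuscation omitted."""
import struct

# Authorization status values, RFC 8907 section 6.2
AUTHOR_STATUS_PASS_ADD = 0x01   # the "1" in the post's RESPONSE line
AUTHOR_STATUS_PASS_REPL = 0x02
AUTHOR_STATUS_FAIL = 0x10

# Values from the post's REQUEST line: authen_method 6 = TACACSPLUS,
# priv_lvl 1, authen_type 2 = PAP, authen_service 1 = LOGIN
AUTHEN_METH_TACACSPLUS = 0x06
AUTHEN_TYPE_PAP = 0x02
AUTHEN_SVC_LOGIN = 0x01


def split_arg(arg):
    """Split a TACACS+ argument at its first separator: 'attr=value' is
    mandatory, 'attr*value' is optional (RFC 8907 section 6.1).
    Returns (attr, mandatory, value); 'shell:roles*' -> ('shell:roles', False, '')."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], ch == "=", arg[i + 1:]
    raise ValueError("argument lacks '=' or '*' separator: %r" % arg)


def encode_author_request(authen_method, priv_lvl, authen_type, authen_service,
                          user, port, rem_addr, args):
    """AUTHOR REQUEST body: 8 one-byte fields, arg lengths, then the strings."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    args_b = [a.encode() for a in args]
    body = struct.pack("!8B", authen_method, priv_lvl, authen_type, authen_service,
                       len(user_b), len(port_b), len(rem_b), len(args_b))
    body += bytes(len(a) for a in args_b)
    return body + user_b + port_b + rem_b + b"".join(args_b)


def decode_author_request(body):
    (authen_method, priv_lvl, authen_type, authen_service,
     user_len, port_len, rem_len, arg_cnt) = struct.unpack("!8B", body[:8])
    off = 8
    arg_lens = list(body[off:off + arg_cnt]); off += arg_cnt
    user = body[off:off + user_len].decode(); off += user_len
    port = body[off:off + port_len].decode(); off += port_len
    rem_addr = body[off:off + rem_len].decode(); off += rem_len
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode()); off += n
    return {"authen_method": authen_method, "priv_lvl": priv_lvl,
            "authen_type": authen_type, "authen_service": authen_service,
            "user": user, "port": port, "rem_addr": rem_addr, "args": args}


def encode_author_reply(status, server_msg, data, args):
    """AUTHOR REPLY body: status, arg_cnt, server_msg_len(2), data_len(2),
    arg lengths, then server_msg, data and the arguments."""
    msg_b, data_b = server_msg.encode(), data.encode()
    args_b = [a.encode() for a in args]
    body = struct.pack("!BBHH", status, len(args_b), len(msg_b), len(data_b))
    body += bytes(len(a) for a in args_b)
    return body + msg_b + data_b + b"".join(args_b)


def decode_author_reply(body):
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    arg_lens = list(body[off:off + arg_cnt]); off += arg_cnt
    server_msg = body[off:off + msg_len].decode(); off += msg_len
    data = body[off:off + data_len].decode(); off += data_len
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode()); off += n
    return {"status": status, "server_msg": server_msg, "data": data, "args": args}


def nxos_roles_reply(request_body, roles):
    """Server-side decision for an NX-OS shell login: only when the request is a
    shell login (service=shell, empty cmd=) that asks for shell:roles do we answer
    PASS_ADD with shell:roles="role ...". Command authorization (cmd=<command>)
    and users with no roles get FAIL rather than a silent default."""
    req = decode_author_request(request_body)
    attrs = {}
    for a in req["args"]:
        attr, mandatory, value = split_arg(a)
        attrs[attr] = (mandatory, value)
    is_shell_login = (attrs.get("service", (None, None))[1] == "shell"
                      and attrs.get("cmd", (None, None))[1] == "")
    if not is_shell_login or "shell:roles" not in attrs or not roles:
        return encode_author_reply(AUTHOR_STATUS_FAIL, "", "", [])
    # Mandatory '=' so the switch must honour it; quoted list is Cisco's documented form.
    reply_args = ['shell:roles="%s"' % " ".join(roles)]
    return encode_author_reply(AUTHOR_STATUS_PASS_ADD, "", "", reply_args)


# Constructed from the post's debug line (port "0" is an assumption).
SAMPLE_REQUEST = encode_author_request(
    AUTHEN_METH_TACACSPLUS, 1, AUTHEN_TYPE_PAP, AUTHEN_SVC_LOGIN,
    "heinzdb", "0", "192.168.10.10",
    ["service=shell", "cmd=", "cisco-av-pair*", "shell:roles*"])

if __name__ == "__main__":
    print(decode_author_request(SAMPLE_REQUEST))
    print(decode_author_reply(nxos_roles_reply(SAMPLE_REQUEST, ["network-admin"])))
```

The point to take from it: the arguments the Nexus sends are the check side, and the server still has to put shell:roles="..." into the reply's argument list, which the logged RESPONSE 1, , , never did. A server that answers a command-authorization request (cmd=show) with roles is refused here on purpose.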