do_auth – av_pairs
7 09 2011

One of the long promised features has finally been added: the ability to modify av pairs. Let’s say you have a group whose users you only want to have disable (non-enable) access. Simply add this to the group:
av_pairs =
priv-lvl=1
This assumes you have priv-lvl in your tac_plus.conf (like the examples in other posts). Note, of course, that you’ll also need to add a command_deny for enable, or they’ll just type ‘en’ if they have an enable password. Better yet, just don’t give them an enable password!
In addition, we can replace one pair with something completely different, for example for a Brocade device: priv-lvl,brocade-privlvl=5 will replace any priv-lvl pair with that brocade-privlvl pair. Think of it as a find/replace function.
Some devices do not like to have their tac_pairs messed with. They don’t accept AUTHOR_STATUS_PASS_REPL, and I’ll spare the rest of the details for lack of time. These include the ProCurves and the Cisco WLC. Attempts to make these devices work have resulted in much “code sprawl” in do_auth and are the reason that any service other than shell returns 0 unless you explicitly modify a tac_pair. For these devices, you will have to do all your config in tac_plus.conf.
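To make the two behaviours above concrete (the find/replace semantics of an av_pairs setting, and the rule that an unmodified pair list is answered with exit status 0 rather than a replacement), here is a small model of them. This is an added example written for this post, not do_auth’s own code: the function names (parse_av_rules, apply_av_rules, authorize) are mine, and the exit codes are assumed from the tac_plus post-authorization script convention as I understand it (0 = accept the configured pairs, 1 = deny, 2 = accept but replace the pairs with the script’s output, the AUTHOR_STATUS_PASS_REPL case). The sample pair lists are constructed.

```python
import re

# Exit codes for a tac_plus "after authorization" script (assumed from
# tac_plus's convention, not taken from do_auth itself):
#   0 = accept with the pairs tac_plus.conf already configured
#   1 = deny
#   2 = accept, but replace the pairs with what the script printed
#       (this is the AUTHOR_STATUS_PASS_REPL reply some devices reject)
EXIT_PASS_ADD = 0
EXIT_DENY = 1
EXIT_PASS_REPL = 2

# A TACACS+ av pair is "attr=value" (mandatory) or "attr*value" (optional).
_PAIR_RE = re.compile(r'^([^=*]+)([=*])(.*)$')


def parse_av_rules(block):
    """Turn the text of a group's av_pairs setting into (old, new, value) rules.

    'priv-lvl=1'                 -> ('priv-lvl', 'priv-lvl', '1')
    'priv-lvl,brocade-privlvl=5' -> ('priv-lvl', 'brocade-privlvl', '5')
    """
    rules = []
    for raw in block.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        key, sep, value = line.partition('=')
        if not sep:
            raise ValueError(f"av_pairs line without '=': {line!r}")
        if ',' in key:
            # find/replace form: replace attribute `old` with `new=value`
            old, new = (k.strip() for k in key.split(',', 1))
        else:
            old = new = key.strip()
        rules.append((old, new, value.strip()))
    return rules


def apply_av_rules(pairs, rules):
    """Return (new_pairs, changed).

    Each rule rewrites every pair whose attribute is `old` into 'new=value'.
    A pair that is not present is left alone, which models the post's note
    that priv-lvl must already be in tac_plus.conf for 'priv-lvl=1' to bite.
    """
    result = list(pairs)
    changed = False
    for old, new, value in rules:
        replacement = f"{new}={value}"
        for i, pair in enumerate(result):
            m = _PAIR_RE.match(pair)
            if m and m.group(1) == old and result[i] != replacement:
                result[i] = replacement
                changed = True
    return result, changed


def authorize(pairs, av_pairs_block):
    """Model the post's rule: only an explicit av_pairs change produces a
    replacement reply (exit 2); otherwise the configured pairs stand (exit 0).
    Command checks such as command_deny are out of scope here."""
    new_pairs, changed = apply_av_rules(pairs, parse_av_rules(av_pairs_block))
    if changed:
        return EXIT_PASS_REPL, new_pairs
    return EXIT_PASS_ADD, list(pairs)


if __name__ == "__main__":
    # Constructed sample: the pairs tac_plus.conf would hand the script.
    configured = ["priv-lvl=15", "idletime=10"]
    print(authorize(configured, "priv-lvl=1"))
    print(authorize(configured, "priv-lvl,brocade-privlvl=5"))
    print(authorize(["idletime=10"], "priv-lvl=1"))  # nothing to replace
```

The third call shows the caveat from the post in miniature: with no priv-lvl pair to rewrite, the script has nothing to replace and answers with status 0, so the device sees exactly what tac_plus.conf configured.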
One last thing: don’t use v1.6 – it had a bug. Also, sorry if your comments don’t get approved; apparently I don’t have rights to do that.