[f-nsp] AAA, TACACS, some users enabled on login, others not

Tom Storey tom at snnap.net
Fri Nov 4 07:26:28 EDT 2016


Hi everyone,

Implementing a TACACS server for a network that I am working on, and I am
trying to determine how to have certain users (e.g. network admins) enabled
by default once they have logged in, but certain other users (e.g. support
group) logged in as read only, and requiring them to enable manually.

I've seen some suggestions of using an optional av pair "brcd-role = admin"
in the TACACS config, but it seems this is for VDX devices, and I am working
with ICX.

The usual "priv-lvl = 15" that works with Cisco doesn't seem to apply, and
I'm finding scant other information about how to do this other than
specifying "aaa authentication login privilege-mode", but that would have
all users enabled once they have logged in.

My configs look like:

aaa authentication enable default enable
aaa authentication login default tacacs+
aaa authorization commands 0 default tacacs+
aaa authorization exec default tacacs+
aaa accounting commands 0 default start-stop tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting system default start-stop tacacs+

and on the TACACS server I've tried:

group = read_write {
    default service = permit
    acl = network_nets

    service = exec {
        priv-lvl = 15
        optional brcd-role = admin
    }
}

Or maybe the reason I can't find any information is because this just isn't
possible on a Brocade?

Any help appreciated!

Thanks
Tom
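As an added example (not from Tom's post or from any TACACS+ server project), a small Python audit that parses the "group = { service = exec { ... } }" syntax shown above and reports which groups are handed priv-lvl 15 by their exec authorization, so the two populations the post describes (admins enabled on login, support read-only until they enable) can be checked against the server config. The read_only group, its attribute values and the exec_priv_levels / groups_with_full_privilege helper names are constructed for the sample.

```python
import re

# Constructed sample in the group/service syntax from the post; the read_only group is made up.
SAMPLE_CONFIG = """
group = read_write {
    default service = permit
    acl = network_nets
    service = exec {
        priv-lvl = 15
        optional brcd-role = admin
    }
}
group = read_only {
    default service = deny
    service = exec {
        priv-lvl = 1
    }
}
"""

def parse_groups(text):
    """Return {group: {"attrs": {k: (v, optional)}, "services": {svc: {k: (v, optional)}}}}."""
    groups, stack, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"group\s*=\s*(\S+)\s*\{$", line):
            cur = groups.setdefault(m.group(1), {"attrs": {}, "services": {}})
            stack = ["group"]
        elif m := re.match(r"service\s*=\s*(\S+)\s*\{$", line):
            cur["services"][m.group(1)] = {}
            stack.append(m.group(1))
        elif line == "}":
            stack.pop()
            cur = cur if stack else None
        elif m := re.match(r"(optional\s+)?(\w[\w \-]*?)\s*=\s*(\S+)$", line):
            # Attributes inside "service = ..." belong to that service, otherwise to the group.
            target = cur["attrs"] if len(stack) == 1 else cur["services"][stack[-1]]
            target[m.group(2)] = (m.group(3), bool(m.group(1)))
    return groups

def exec_priv_levels(groups):
    """priv-lvl each group's exec authorization returns (None if the group sets none)."""
    levels = {}
    for name, g in groups.items():
        lvl = g["services"].get("exec", {}).get("priv-lvl")
        levels[name] = int(lvl[0]) if lvl else None
    return levels

def groups_with_full_privilege(groups, full=15):
    return sorted(n for n, lvl in exec_priv_levels(groups).items() if lvl == full)
```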