[f-nsp] AAA, TACACS, some users enabled on login, others not
Eldon Koyle
ekoyle+puck.nether.net at gmail.com
Fri Nov 4 16:53:27 EDT 2016
We use foundry-privlvl = 0 for admin access.
See also: http://www.brocade.com/content/html/en/configuration-guide/FI_08030_SECURITY/GUID-A2449097-2DA4-4CD1-B2DA-C531D7A90587.html
--
Eldon
On Fri, Nov 4, 2016 at 5:26 AM, Tom Storey <tom at snnap.net> wrote:
> Hi everyone,
>
> Implementing a TACACS server for a network that I am working on, and I am
> trying to determine how to have certain users (e.g. network admins) enabled
> by default once they have logged in, but certain other users (e.g. support
> group) logged in as read only, and requiring them to enable manually.
>
> I've seen some suggestions of using an optional av pair "brcd-role = admin"
> in the TACACS config, but seems this is for VDX devices, and I am working
> with ICX.
>
> The usual "priv-lvl = 15" that works with Cisco doesn't seem to apply, and I'm
> finding scant other information about how to do this other than specifying
> "aaa authentication login privilege-mode", but that would have all users
> enabled once they have logged in.
>
> My configs look like:
>
> aaa authentication enable default enable
> aaa authentication login default tacacs+
> aaa authorization commands 0 default tacacs+
> aaa authorization exec default tacacs+
> aaa accounting commands 0 default start-stop tacacs+
> aaa accounting exec default start-stop tacacs+
> aaa accounting system default start-stop tacacs+
>
> and on the TACACS server I've tried:
>
> group = read_write {
>     default service = permit
>     acl = network_nets
>
>     service = exec {
>         priv-lvl = 15
>         optional brcd-role = admin
>     }
> }
>
> Or maybe the reason I can't find any information is because this just isn't
> possible on a Brocade?
>
> Any help appreciated!
>
> Thanks
> Tom
>
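A tac_plus-style server configuration showing the split Tom asked for, built around the foundry-privlvl attribute from Eldon's reply (an added example, not taken from either post or from Brocade's documentation). It assumes the switch keeps Tom's `aaa authorization exec default tacacs+` line, so the attribute is returned in the exec authorization reply, and that the read-only level is 5 as described in the linked Brocade guide (that value is an assumption; only 0 for admin access appears on this page).

```conf
# Constructed tac_plus configuration (example only).
# Brocade/Foundry ICX reads "foundry-privlvl" from the exec authorization
# reply instead of the Cisco-style "priv-lvl".

# Network admins: foundry-privlvl = 0 is the super-user level, so the
# session starts in privileged (enabled) mode straight after login.
group = netadmins {
    default service = permit
    service = exec {
        foundry-privlvl = 0
    }
}

# Support group: read-only level (assumed to be 5 per the Brocade guide);
# these users land in user EXEC and must run "enable" themselves, which
# the switch checks against its local enable password because of
# "aaa authentication enable default enable" in Tom's config.
group = support {
    default service = permit
    service = exec {
        foundry-privlvl = 5
    }
}

# Placeholder users; "login = PAM" hands password checking to the host.
user = alice {
    member = netadmins
    login = PAM
}

user = bob {
    member = support
    login = PAM
}
```

After reloading tac_plus, an exec authorization for alice should show foundry-privlvl=0 in the server's accounting/debug output, while bob's shows 5.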