[f-nsp] AAA, TACACS, some users enabled on login, others not

Tom Storey tom at snnap.net
Sat Nov 5 13:06:13 EDT 2016


Hi Eldon,

Thanks for pointing me to this document.

If I understand it correctly, my existing configuration should have been
working just fine as it is. Since I wasn't specifying the "foundry-privlvl"
attribute, it should look for the last exec attribute with a number in it
and treat that number as the priv level. In my case I'm using "priv-lvl"
with a value of 15 for my Cisco devices, so the Brocade should have
translated that to mean level 0 given a lack of "foundry-privlvl" attribute.

But for whatever reason that doesn't seem to be working. So I also tried
specifying it explicitly in my config, including removing the priv-lvl
attribute, but still to no avail.

I've managed to lock myself out of my test device now (can no longer enable,
it's asking for a username, doh!), it's in the office and I'm at home. So I
guess I'll resume on Monday if anyone else comes up with anything. :-)

Thanks
Tom

On 4 November 2016 at 20:53, Eldon Koyle <ekoyle+puck.nether.net at gmail.com>
wrote:

> We use foundry-privlvl = 0 for admin access.
>
> See also: http://www.brocade.com/content/html/en/configuration-
> guide/FI_08030_SECURITY/GUID-A2449097-2DA4-4CD1-B2DA-C531D7A90587.html
>
> --
> Eldon
>
> On Fri, Nov 4, 2016 at 5:26 AM, Tom Storey <tom at snnap.net> wrote:
> > Hi everyone,
> >
> > Implementing a TACACS server for a network that I am working on, and I am
> > trying to determine how to have certain users (e.g. network admins) enabled
> > by default once they have logged in, but certain other users (e.g. support
> > group) logged in as read only, and requiring them to enable manually.
> >
> > I've seen some suggestions of using an optional av pair "brcd-role = admin"
> > in the TACACS config, but it seems this is for VDX devices, and I am working
> > with ICX.
> >
> > The usual "priv-lvl = 15" that works with Cisco doesn't seem to apply, and I'm
> > finding scant other information about how to do this other than specifying
> > "aaa authentication login privilege-mode", but that would have all users
> > enabled once they have logged in.
> >
> > My configs look like:
> >
> > aaa authentication enable default enable
> > aaa authentication login default tacacs+
> > aaa authorization commands 0 default tacacs+
> > aaa authorization exec default tacacs+
> > aaa accounting commands 0 default start-stop tacacs+
> > aaa accounting exec default start-stop tacacs+
> > aaa accounting system default start-stop tacacs+
> >
> > and on the TACACS server I've tried:
> >
> > group = read_write {
> >     default service = permit
> >     acl = network_nets
> >
> >     service = exec {
> >         priv-lvl = 15
> >         optional brcd-role = admin
> >     }
> > }
> >
> > Or maybe the reason I can't find any information is because this just isn't
> > possible on a Brocade?
> >
> > Any help appreciated!
> >
> > Thanks
> > Tom
> >
> > _______________________________________________
> > foundry-nsp mailing list
> > foundry-nsp at puck.nether.net
> > http://puck.nether.net/mailman/listinfo/foundry-nsp
>
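The resolution rule Tom summarises from the Brocade document (an explicit `foundry-privlvl` attribute wins; otherwise the device falls back to the last exec attribute carrying a numeric value) is easy to get wrong when a server reply is written for Cisco gear, and the result is exactly the lock-out described above. The script below is an added example, not code from this thread or from Brocade: it parses the AV pairs of a TACACS+ exec authorization reply, applies that rule, and flags replies that only reach a level through the fallback or reach no level at all. The level meanings (0 super-user, 4 port-config, 5 read-only) are my reading of the FastIron privilege levels and are an assumption; the page only confirms that 0 is used for admin access. The sample replies are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# FastIron privilege levels as I understand them (assumed; the thread only
# confirms that foundry-privlvl = 0 gives admin access).
FOUNDRY_LEVELS = {0: "super-user", 4: "port-config", 5: "read-only"}

# TACACS+ AV pair syntax: "attr=value" is mandatory, "attr*value" is optional.
_AV_RE = re.compile(r"^([A-Za-z0-9_-]+)([=*])(.*)$")


def parse_av_pairs(reply_lines: List[str]) -> List[Tuple[str, str, bool]]:
    """Parse one AV pair per line into (attribute, value, is_optional)."""
    pairs = []
    for raw in reply_lines:
        line = raw.strip()
        if not line:
            continue
        m = _AV_RE.match(line)
        if not m:
            raise ValueError(f"not a TACACS+ AV pair: {line!r}")
        attr, sep, value = m.groups()
        pairs.append((attr, value.strip(), sep == "*"))
    return pairs


def resolve_privilege(pairs: List[Tuple[str, str, bool]]) -> Tuple[Optional[int], str]:
    """Apply the rule quoted in the thread: explicit foundry-privlvl first,
    otherwise the last attribute whose value is a plain number."""
    explicit = [v for a, v, _ in pairs if a == "foundry-privlvl"]
    if explicit:
        if not explicit[-1].isdigit():
            raise ValueError(f"foundry-privlvl must be numeric, got {explicit[-1]!r}")
        return int(explicit[-1]), "explicit"
    numeric = [int(v) for _, v, _ in pairs if v.isdigit()]
    if numeric:
        return numeric[-1], "fallback"
    return None, "none"


def audit_reply(reply_lines: List[str]) -> Dict[str, object]:
    """Resolve the level a FastIron-style device would derive and collect
    warnings about replies that rely on the fallback or carry no level."""
    level, source = resolve_privilege(parse_av_pairs(reply_lines))
    warnings = []
    if source == "fallback":
        warnings.append("no foundry-privlvl attribute: level taken from the last numeric attribute")
    if level is None:
        warnings.append("no privilege level at all: this reply will not enable the user")
    elif level not in FOUNDRY_LEVELS:
        warnings.append(f"level {level} is not one of the assumed FastIron levels {sorted(FOUNDRY_LEVELS)}")
    return {"level": level, "source": source,
            "meaning": FOUNDRY_LEVELS.get(level), "warnings": warnings}


# Constructed sample replies (not captured from a real server).
ADMIN_REPLY = ["priv-lvl=15", "foundry-privlvl=0"]      # admins: enabled on login
SUPPORT_REPLY = ["foundry-privlvl=5"]                    # support group: read-only
CISCO_STYLE_REPLY = ["priv-lvl=15", "brcd-role*admin"]   # the original config in the thread
ROLE_ONLY_REPLY = ["brcd-role*admin"]                    # no numeric attribute at all

if __name__ == "__main__":
    for name, reply in [("admin", ADMIN_REPLY), ("support", SUPPORT_REPLY),
                        ("cisco-style", CISCO_STYLE_REPLY), ("role-only", ROLE_ONLY_REPLY)]:
        print(name, audit_reply(reply))
```

Running it shows why the two-group layout Tom asked about works once `foundry-privlvl` is set per group, while the Cisco-style reply resolves only through the fallback and is worth checking against a console session before rolling it out to a device you cannot walk up to.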