[f-nsp] AAA, TACACS, some users enabled on login, others not

Eldon Koyle ekoyle+puck.nether.net at gmail.com
Sat Nov 5 15:32:26 EDT 2016


I did notice that document says privlvl and not priv-lvl.  Depending on
what you changed, you may be able to see the enable attempt on the tacacs
server (it may just be expecting the same username/password with admin
privs on tacacs).

On Nov 5, 2016 11:06 AM, "Tom Storey" <tom at snnap.net> wrote:

> Hi Eldon,
>
> Thanks for pointing me to this document.
>
> If I understand it correctly, my existing configuration should have been
> working just fine as it is. Since I wasn't specifying the "foundry-privlvl"
> attribute, it should look for the last exec attribute with a number in it
> and treat that number as the priv level. In my case I'm using "priv-lvl"
> with a value of 15 for my Cisco devices, so the Brocade should have
> translated that to mean level 0 given a lack of "foundry-privlvl" attribute.
>
> But for whatever reason that doesn't seem to be working. So I also tried
> specifying it explicitly in my config, including removing the priv-lvl
> attribute, but still to no avail.
>
> I've managed to lock myself out of my test device now (can no longer
> enable, it's asking for a username, doh!), it's in the office and I'm at home.
> So I guess I'll resume on Monday if anyone else comes up with anything. :-)
>
> Thanks
> Tom
>
> On 4 November 2016 at 20:53, Eldon Koyle <ekoyle+puck.nether.net at gmail.com
> > wrote:
>
>> We use foundry-privlvl = 0 for admin access.
>>
>> See also: http://www.brocade.com/content/html/en/configuration-guide/
>> FI_08030_SECURITY/GUID-A2449097-2DA4-4CD1-B2DA-C531D7A90587.html
>>
>> --
>> Eldon
>>
>> On Fri, Nov 4, 2016 at 5:26 AM, Tom Storey <tom at snnap.net> wrote:
>> > Hi everyone,
>> >
>> > Implementing a TACACS server for a network that I am working on, and I am
>> > trying to determine how to have certain users (e.g. network admins) enabled
>> > by default once they have logged in, but certain other users (e.g. support
>> > group) logged in as read only, and requiring them to enable manually.
>> >
>> > I've seen some suggestions of using an optional av pair "brcd-role =
>> > admin" in the TACACS config, but it seems this is for VDX devices, and I am
>> > working with ICX.
>> >
>> > The usual "priv-lvl = 15" that works with Cisco doesn't seem to apply, and I'm
>> > finding scant other information about how to do this other than specifying
>> > "aaa authentication login privilege-mode", but that would have all users
>> > enabled once they have logged in.
>> >
>> > My configs look like:
>> >
>> > aaa authentication enable default enable
>> > aaa authentication login default tacacs+
>> > aaa authorization commands 0 default tacacs+
>> > aaa authorization exec default tacacs+
>> > aaa accounting commands 0 default start-stop tacacs+
>> > aaa accounting exec default start-stop tacacs+
>> > aaa accounting system default start-stop tacacs+
>> >
>> > and on the TACACS server Ive tried:
>> >
>> > group = read_write {
>> >     default service = permit
>> >     acl = network_nets
>> >
>> >     service = exec {
>> >         priv-lvl = 15
>> >         optional brcd-role = admin
>> >     }
>> > }
>> >
>> > Or maybe the reason I can't find any information is because this just isn't
>> > possible on a Brocade?
>> >
>> > Any help appreciated!
>> >
>> > Thanks
>> > Tom
>> >
>> > _______________________________________________
>> > foundry-nsp mailing list
>> > foundry-nsp at puck.nether.net
>> > http://puck.nether.net/mailman/listinfo/foundry-nsp
>>
>
>
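One way to express the split the original post asks for (admins landing with full rights, support users read-only), written as an added example and not configuration from anyone in the thread: a tac_plus-style server config with two groups, one carrying foundry-privlvl = 0 and the other foundry-privlvl = 5, with priv-lvl kept alongside so the same groups still serve the Cisco devices. The attribute values (0 = super-user, 4 = port-config, 5 = read-only) are taken from the Brocade FastIron security guide Eldon linked; the group names, ACL name, command entries and user record are assumed for illustration. The thread itself reports that the device did not behave as the document suggests and that the test box ended up locked out, so this is the shape to test against a device you still have console or local-user access to, not a configuration known to work.

```text
# Added example in tac_plus syntax; not the configuration posted in the thread.
# Attribute meanings assumed from the Brocade FastIron security guide:
#   foundry-privlvl = 0  super-user (full read/write)
#   foundry-privlvl = 4  port-config
#   foundry-privlvl = 5  read-only
# Group, ACL and user names below are placeholders.

group = net_admins {
    default service = permit
    acl = network_nets              # assumed ACL restricting which NAS may ask

    service = exec {
        priv-lvl = 15               # Cisco: land directly in privileged EXEC
        foundry-privlvl = 0         # Brocade ICX: super-user level
    }
}

group = net_support {
    default service = permit
    acl = network_nets

    service = exec {
        priv-lvl = 1                # Cisco: user EXEC, must enable by hand
        foundry-privlvl = 5         # Brocade ICX: read-only level
    }

    # The device config in the thread also sends command authorization
    # ("aaa authorization commands 0 default tacacs+"), so the read-only
    # intent should not rest on the privilege level alone: deny config
    # mode explicitly for this group as well.
    cmd = configure {
        deny .*
    }
}

user = alice {                      # assumed user record
    member = net_admins
    login = cleartext "CHANGEME"    # placeholder; use a hashed form in practice
}

user = bob {                        # assumed user record
    member = net_support
    login = cleartext "CHANGEME"
}
```

Because the authorization reply carries both attributes, the same server answers a Cisco box (which reads priv-lvl) and an ICX (which, per the linked guide, prefers foundry-privlvl when present). Eldon's suggestion applies here too: watch the server's authorization and accounting log for the ICX's exec request and any enable attempt, which shows exactly which attributes the device received and what it asked for when the user tried to enable.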