[f-nsp] AAA command authorization
Patrick Ohearn
pat at ge3k.net
Wed Mar 13 20:50:43 EDT 2019
Hi List,
Has anyone got AAA command authorization working correctly on modern
NetIron code, on the MLX/CER's?
With a working TACACS+ server, with the below aaa configuration, I don't
receive Command Authorization commands (confirmed with logs / pcap) for
commands prefaced with 'no', but do for other configuration level commands.
This presents a problem when I can block commands like 'router mpls', but
other commands such as 'no router mpls' still work.
Testing is done with a logged in user with priv level 0 (super user).
Testing has been done with a few variants of 5.8, 6.0 and 6.2 code all with
the same results.
Has anyone else run into this issue? Or has working command authorization
with a different (e.g. RADIUS) setup?
AAA config:
tacacs-server host 192.0.2.200
tacacs-server key tacacskeyhere
aaa authentication enable default tacacs+
aaa authentication login default tacacs+
aaa authentication login privilege-mode
aaa authorization commands 0 default tacacs+
aaa authorization exec default tacacs+
aaa accounting commands 0 default start-stop tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting system default start-stop tacacs+
--
Email: pat at ge3k.net
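
Added example, not part of the original post: one way to measure the gap described above from the server side is to correlate command-accounting records with authorization requests and flag commands that were accounted without ever being authorized. The log line format is constructed for illustration, and it is an assumption (not stated in the post) that the device still sends accounting records for 'no' commands.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records, not real TACACS+ server output.
# Assumed format: <ISO timestamp> <authz|acct> <user> <command...>
SAMPLE_LOG = """\
2019-03-13T20:41:02 authz pat router mpls
2019-03-13T20:41:09 acct pat no router mpls
2019-03-13T20:41:15 authz pat interface ethernet 1/1
2019-03-13T20:41:15 acct pat interface ethernet 1/1
2019-03-13T20:41:20 acct pat no ip address 192.0.2.1/24
"""

def parse(log_text):
    """Yield (time, kind, user, command) with whitespace in the command normalised."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, cmd = line.split(None, 3)
        yield datetime.fromisoformat(ts), kind, user, " ".join(cmd.split())

def find_unauthorized(log_text, window=timedelta(seconds=5)):
    """Return accounting records with no authorization request for the same
    user and command in the preceding `window`."""
    authz, acct = {}, []
    for ts, kind, user, cmd in parse(log_text):
        if kind == "authz":
            authz.setdefault((user, cmd), []).append(ts)
        elif kind == "acct":
            acct.append((ts, user, cmd))
    gaps = []
    for ts, user, cmd in acct:
        times = authz.get((user, cmd), [])
        # Consume the matched request so it cannot cover a second execution.
        match = next((t for t in times if timedelta(0) <= ts - t <= window), None)
        if match is None:
            gaps.append((ts, user, cmd))
        else:
            times.remove(match)
    return gaps

def summarize(gaps):
    """Count gaps by leading keyword to show which command forms skip authorization."""
    return dict(Counter(cmd.split()[0] for _, _, cmd in gaps))

if __name__ == "__main__":
    for ts, user, cmd in find_unauthorized(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}: accounted but never authorized: {cmd}")
```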