<p dir="ltr">I did notice that document says privlvl and not priv-lvl. Depending on what you changed, you may be able to see the enable attempt on the tacacs server (it may just be expecting the same username/password with admin privs on tacacs).</p>
<div class="gmail_extra"><br><div class="gmail_quote">On Nov 5, 2016 11:06 AM, "Tom Storey" <<a href="mailto:tom@snnap.net">tom@snnap.net</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Eldon,<div><br></div><div>Thanks for pointing me to this document.</div><div><br></div><div>If I understand it correctly, my existing configuration should have been working just fine as it is. Since I wasnt specifying the "foundry-privlvl" attribute, it should look for the last exec attribute with a number in it and treat that number as the priv level. In my case Im using "priv-lvl" with a value of 15 for my Cisco devices, so the Brocade should have translated that to mean level 0 given a lack of "foundry-privlvl" attribute.</div><div><br></div><div>But for what ever reason that doesnt seem to be working. So I also tried specifying it explicitly in my config, including removing the priv-lvl attribute, but still to no avail.</div><div><br></div><div>Ive managed to lock myself out of my test device now (can no longer enable, its asking for a username, doh!), its in the office and Im at home. So I guess I'll resume on Monday if anyone else comes up with anything. :-)</div><div><br></div><div>Thanks</div><div>Tom</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 4 November 2016 at 20:53, Eldon Koyle <span dir="ltr"><<a href="mailto:ekoyle+puck.nether.net@gmail.com" target="_blank">ekoyle+puck.nether.net@gmail.<wbr>com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">We use foundry-privlvl = 0 for admin access.<br>
<br>
See also: <a href="http://www.brocade.com/content/html/en/configuration-guide/FI_08030_SECURITY/GUID-A2449097-2DA4-4CD1-B2DA-C531D7A90587.html" rel="noreferrer" target="_blank">http://www.brocade.com/content<wbr>/html/en/configuration-guide/<wbr>FI_08030_SECURITY/GUID-A244909<wbr>7-2DA4-4CD1-B2DA-C531D7A90587.<wbr>html</a><br>
<br>
--<br>
Eldon<br>
<div><div class="m_-5859492176705583369h5"><br>
On Fri, Nov 4, 2016 at 5:26 AM, Tom Storey <<a href="mailto:tom@snnap.net" target="_blank">tom@snnap.net</a>> wrote:<br>
> Hi everyone,<br>
><br>
> Implementing a TACACS server for a network that I am working on, and I am<br>
> trying to determine how to have certain users (e.g. network admins) enabled<br>
> by default once they have logged in, but certain other users (e.g. support<br>
> group) logged in as read only, and requiring them to enable manually.<br>
><br>
> Ive seen some suggestions of using an optional av pair "brcd-role = admin"<br>
> in the TACACS config, but seems this is for VDX devices, and I am working<br>
> with ICX.<br>
><br>
> The usual "priv-lvl = 15" that works with Cisco doesnt seem to apply, and Im<br>
> finding scant other information about how to do this other than specifying<br>
> "aaa authentication login privilege-mode", but that would have all users<br>
> enabled once they have logged in.<br>
><br>
> My configs look like:<br>
><br>
> aaa authentication enable default enable<br>
> aaa authentication login default tacacs+<br>
> aaa authorization commands 0 default tacacs+<br>
> aaa authorization exec default tacacs+<br>
> aaa accounting commands 0 default start-stop tacacs+<br>
> aaa accounting exec default start-stop tacacs+<br>
> aaa accounting system default start-stop tacacs+<br>
><br>
> and on the TACACS server Ive tried:<br>
><br>
> group = read_write {<br>
> default service = permit<br>
> acl = network_nets<br>
><br>
> service = exec {<br>
> priv-lvl = 15<br>
> optional brcd-role = admin<br>
> }<br>
> }<br>
><br>
> Or maybe the reason I cant find any information is because this just isnt<br>
> possible on a Brocade?<br>
><br>
> Any help appreciated!<br>
><br>
> Thanks<br>
> Tom<br>
><br>
</div></div>> ______________________________<wbr>_________________<br>
> foundry-nsp mailing list<br>
> <a href="mailto:foundry-nsp@puck.nether.net" target="_blank">foundry-nsp@puck.nether.net</a><br>
> <a href="http://puck.nether.net/mailman/listinfo/foundry-nsp" rel="noreferrer" target="_blank">http://puck.nether.net/mailman<wbr>/listinfo/foundry-nsp</a><br>
</blockquote></div><br></div>
</blockquote></div></div>