[tac_plus] Re: question about tac_plus
Jesse Zbikowski
embeddedlinuxguy at gmail.com
Tue Oct 28 19:41:04 UTC 2008
On Mon, Oct 27, 2008 at 8:04 PM, Ian Batterbee <ibatterb at gmail.com> wrote:
> What I would like to do is have the tac_plus server pass a group
> policy name back as part of the reply so that the group the user is placed
> into can be centrally managed.
TACACS+ supports passing attribute/value pairs. I am not sure how to
do this in tac_plus. I would be very interested if anyone knows how
to send arbitrary a/v pairs from the server and how the client can use
them.
One way you can accomplish this group assignment is to specify a fake
"protocol" to indicate group membership. For example in my
tac_plus.conf:
# "admin" is authorized for the fake protocol that marks the admin group
user = admin {
    pap = des ...
    service = ppp protocol = my-admin-group {}
}
# "mike" is only authorized for the fake protocol that marks the user group
user = mike {
    pap = des ...
    service = ppp protocol = my-user-group {}
}
When "mike" tries to log in, he will first attempt to authorize
service=ppp protocol=my-admin-group. When this fails, the client
software should fall back to service=ppp protocol=my-user-group.
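The fall-through described in the post, as an added example that is not code from tac_plus or from the poster: a small Python script parses a constructed tac_plus.conf-style fragment (only the `user = name { service = ppp protocol = X {} }` shape the post uses, with the pap lines left out), answers authorization requests from that table, and simulates a client that tries each candidate group "protocol" in priority order and takes the first one the server permits. The group names, the `GROUP_ORDER` list and the extra "guest" user are assumptions for illustration; a real deployment exchanges TACACS+ authorization packets, which this dictionary lookup stands in for.

```python
"""Simulate group assignment via a fake TACACS+ "protocol".

Added example, not tac_plus code. The server side is a dict built from a
constructed config fragment; the client side walks GROUP_ORDER and keeps the
first protocol that is authorized, exactly the fallback the post describes.
"""
import re

# Constructed configuration fragment in the shape of the post's example
# (authentication lines omitted; "guest" is added to show the no-match case).
SAMPLE_CONF = """
user = admin {
    service = ppp protocol = my-admin-group {}
}
user = mike {
    service = ppp protocol = my-user-group {}
}
user = guest {
    service = ppp protocol = some-other-thing {}
}
"""

# Candidate groups in priority order: the client must try the most
# privileged group first, or every admin silently lands in the user group.
GROUP_ORDER = ["my-admin-group", "my-user-group"]

_USER_RE = re.compile(r"user\s*=\s*(\S+)\s*\{(.*?)\n\}", re.S)
_PROTO_RE = re.compile(r"service\s*=\s*ppp\s+protocol\s*=\s*(\S+)\s*\{")


def parse_conf(text):
    """Return {user: set of protocol names authorized under service=ppp}."""
    table = {}
    for m in _USER_RE.finditer(text):
        user, body = m.group(1), m.group(2)
        table[user] = set(_PROTO_RE.findall(body))
    return table


def authorize(table, user, service, protocol):
    """Server side: permit only if the user's block lists this service/protocol."""
    if service != "ppp":
        return False
    return protocol in table.get(user, set())


def resolve_group(table, user, group_order=GROUP_ORDER):
    """Client side: try each group protocol in order; first permit wins.

    Returns None when no candidate is authorized, which the client should
    treat as "no group" rather than falling back to some default.
    """
    for group in group_order:
        if authorize(table, user, "ppp", group):
            return group
    return None


if __name__ == "__main__":
    table = parse_conf(SAMPLE_CONF)
    for name in ("admin", "mike", "guest", "nobody"):
        print(f"{name}: {resolve_group(table, name)}")
```

Note that the result depends entirely on the order in which the client tries the fake protocols and on each user being authorized for exactly one of them; a user listed under two group protocols is placed in whichever one the client happens to try first.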