[tac_plus] Re: question about tac_plus

john heasley heas at shrubbery.net
Wed Oct 29 00:16:30 UTC 2008


Tue, Oct 28, 2008 at 12:41:04PM -0700, Jesse Zbikowski:
> On Mon, Oct 27, 2008 at 8:04 PM, Ian Batterbee <ibatterb at gmail.com> wrote:
> > What I would like to do is have the tac_plus server pass a group
> > policy name back as part of the reply so that the group the user is placed
> > into can be centrally managed.
> 
> TACACS+ supports passing attribute/value pairs.  I am not sure how to
> do this in tac_plus.  I would be very interested if anyone knows how
> to send arbitrary a/v pairs from the server and how the client can use
> them.
> 
> One way you can accomplish group assignment is to specify a fake
> "protocol" to indicate group membership.  For example in my
> tac_plus.conf:
> 
> user = admin {
>   pap = des ...
>   service = ppp protocol = my-admin-group {}
> }
> 
> user = mike {
>   pap = des ...
>   service = ppp protocol = my-user-group {}
> }
> 
> When "mike" tries to log in, he will first attempt to authorize
> service=ppp protocol=my-admin-group.  When this fails, the client
> software should fall back to service=ppp protocol=my-user-group.
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

Without searching through the code, I know for certain that any AV pair
can be sent with authorization scripts.
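To make concrete what "passing attribute/value pairs" looks like on the wire, here is an added example (not tac_plus code and not from either poster): it encodes a TACACS+ authorization REQUEST body carrying service=ppp protocol=my-admin-group and decodes a RESPONSE body whose AV pairs a client would act on, following the body layouts in RFC 8907 section 6. The 12-byte header and body obfuscation are left out, and the group-policy attribute in the sample reply is a constructed, hypothetical name.

```python
import struct

# Authorization REQUEST/RESPONSE body layouts from RFC 8907 section 6.
# Added illustration only: the 12-byte TACACS+ header and the body
# obfuscation that wraps these bodies are not shown.
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                 0x11: "ERROR", 0x21: "FOLLOW"}
STATUS_CODE = {v: k for k, v in AUTHOR_STATUS.items()}


def encode_author_request(user, port, rem_addr, args, priv_lvl=1):
    """Build a REQUEST body carrying the AV pairs in args (e.g. 'service=ppp')."""
    enc = [a.encode() for a in args]
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    if max(map(len, enc + [u, p, r]), default=0) > 255 or len(enc) > 255:
        raise ValueError("field lengths are single bytes in TACACS+")
    # authen_method=TACACSPLUS(0x06), authen_type=ASCII(0x01), authen_service=LOGIN(0x01)
    body = struct.pack("!8B", 0x06, priv_lvl, 0x01, 0x01, len(u), len(p), len(r), len(enc))
    return body + bytes(len(a) for a in enc) + u + p + r + b"".join(enc)


def encode_author_response(status, args, server_msg=""):
    """Build a RESPONSE body; used here only to construct a sample server reply."""
    enc = [a.encode() for a in args]
    msg = server_msg.encode()
    body = struct.pack("!BBHH", STATUS_CODE[status], len(enc), len(msg), 0)
    return body + bytes(len(a) for a in enc) + msg + b"".join(enc)


def decode_author_response(body):
    """Parse a RESPONSE body into (status, server_msg, [(attr, value, mandatory)])."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = list(body[6:6 + arg_cnt])
    off = 6 + arg_cnt
    server_msg = body[off:off + msg_len].decode()
    off += msg_len + data_len          # the 'data' field carries no AV pairs
    if off + sum(arg_lens) != len(body):
        raise ValueError("declared lengths do not match body size")
    pairs = []
    for n in arg_lens:
        raw = body[off:off + n].decode()
        off += n
        # '=' marks a mandatory attribute, '*' an optional one (RFC 8907 section 8.2)
        seps = [i for i in (raw.find("="), raw.find("*")) if i >= 0]
        if not seps:
            raise ValueError("AV pair without separator: %r" % raw)
        sep = min(seps)
        pairs.append((raw[:sep], raw[sep + 1:], raw[sep] == "="))
    return AUTHOR_STATUS.get(status, "UNKNOWN"), server_msg, pairs


# Constructed sample: the client asks for service=ppp protocol=my-admin-group
# (the fake-protocol trick from the thread); the server answers PASS_ADD with a
# mandatory priv-lvl and a hypothetical optional 'group-policy' attribute.
REQUEST = encode_author_request("mike", "tty1", "192.0.2.10",
                                ["service=ppp", "protocol=my-admin-group"])
RESPONSE = encode_author_response("PASS_ADD", ["priv-lvl=15", "group-policy*admins"])
```

A client that follows the fall-back described above would send a second REQUEST with protocol=my-user-group when the first comes back with status FAIL.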

