[tac_plus] Re: Default service and authorization script don't work at the same time
john heasley
heas at shrubbery.net
Tue Jan 27 06:11:11 UTC 2009
Thu, Jan 22, 2009 at 12:33:50PM +0700, Kurenyshev Vjacheslav:
> Hi!
>
> I have Tacacs+ on a Debian server.
> The version of tac-plus is F4.0.4.alpha.
>
> There are the following lines in the config file:
>
> user = test2 {
>     member = admins
>     login = nopassword
> }
>
> group = admins {
>     before authorization "/etc/tac-plus/script $user $name $address"
>     default service = permit
>
>     cmd = ip {
>         deny domain-lookup
>         permit .*
>     }
>
>     service = exec {
>         priv-lvl = 15
>         idletime = 30
>     }
> }
>
> When I try to start tacacs server I get:
> # /etc/init.d/tac-plus restart
> Restarting Tacacs+ server: Error: Unrecognised keyword default for user
> on line 49
> tac_plus.
>
> Line 49 is 'default service = permit'.
> Why is it wrong?
>
> But if I change the order of the lines to the following:
> ...
> group = admins {
>     default service = permit
>     before authorization "/etc/tac-plus/script $user $name $address"
> ...
>
> Tacacs server starts correctly.
> But when I log in to the Cisco and type any command I get: Command
> authorization failed.
> But default service = permit is in the config!!
>
> Why does this happen and how do I fix it?

I don't know. Enable authorization debugging/logging.