That's good to know, but I'm still a bit confused about the configuration file syntax. Is there a reference for it somewhere I can read?<br><br><div class="gmail_quote">On Wed, Oct 29, 2008 at 1:16 PM, john heasley <span dir="ltr"><<a href="mailto:heas@shrubbery.net">heas@shrubbery.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Tue, Oct 28, 2008 at 12:41:04PM -0700, Jesse Zbikowski:<br>
<div><div></div><div class="Wj3C7c">> On Mon, Oct 27, 2008 at 8:04 PM, Ian Batterbee <<a href="mailto:ibatterb@gmail.com">ibatterb@gmail.com</a>> wrote:<br>
> > What I would like to do is have the tac_plus server pass a group<br>
> > policy name back as part of the reply so that the group the user is placed<br>
> > into can be centrally managed.<br>
><br>
> TACACS+ supports passing attribute/value pairs. I am not sure how to<br>
> do this in tac_plus. I would be very interested if anyone knows how<br>
> to send arbitrary a/v pairs from the server and how the client can use<br>
> them.<br>
><br>
> One way you can accomplish this group assignment is to specify a fake<br>
> "protocol" to indicate group membership. For example in my<br>
> tac_plus.conf:<br>
><br>
> user = admin {<br>
> pap = des ...<br>
> service = ppp protocol = my-admin-group {}<br>
> }<br>
><br>
> user = mike {<br>
> pap = des ...<br>
> service = ppp protocol = my-user-group {}<br>
> }<br>
><br>
> When "mike" tries to log in, he will first attempt to authorize<br>
> service=ppp protocol=my-admin-group. When this fails, the client<br>
> software should fall back to service=ppp protocol=my-user-group.<br>
</div></div>
<br>
Without searching through the code, I know for certain that any AV pair<br>
can be sent with authorization scripts.<br>
</blockquote></div><br>
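The authorization-script route mentioned in the last reply could look like the sketch below. It is an added example, not part of the thread and not code from the tac_plus project. It assumes the helper is run as an "after authorization" program with the username as its first argument, receives the AV pairs on stdin one per line, and signals "permit, use the pairs I printed" with exit status 2 (check this against the user guide shipped with your tac_plus). The attribute name `group-policy` and the user table are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): helper that appends a server-chosen
# group AV pair. Assumed interface: AV pairs on stdin, replacement pairs on
# stdout, exit status 2 = permit with the printed pairs, 1 = deny.

GROUP_ATTR="group-policy"   # hypothetical attribute name

# Hypothetical user-to-group table, kept on the server so that group
# membership is managed centrally.
group_for_user() {
    case "$1" in
        admin) echo "my-admin-group" ;;
        mike)  echo "my-user-group" ;;
        *)     return 1 ;;
    esac
}

add_group_av() {
    group=$(group_for_user "$1") || return 1      # unknown user: deny
    case "$group" in
        *[!A-Za-z0-9_-]*) return 1 ;;             # refuse odd characters
    esac
    # Pass the client's pairs through, but drop any group pair it supplied
    # ("=" marks a mandatory pair, "*" an optional one) so that only the
    # server's choice is returned.
    while IFS= read -r pair || [ -n "$pair" ]; do
        case "$pair" in
            "$GROUP_ATTR"=*|"$GROUP_ATTR"\**) ;;
            *) printf '%s\n' "$pair" ;;
        esac
    done
    printf '%s=%s\n' "$GROUP_ATTR" "$group"
    return 2
}

# Run only when called with a username, e.g. from tac_plus.conf.
if [ "$#" -gt 0 ]; then
    add_group_av "$1"
    exit $?
fi
```
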