Thanks Dan, I will give do_auth a shot in the lab and report back sometime between that time and eternity. :)<br><br><div class="gmail_quote">On Mon, Oct 3, 2011 at 8:34 AM, Daniel Schmidt <span dir="ltr"><<a href="mailto:daniel.schmidt@wyo.gov">daniel.schmidt@wyo.gov</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">I've never had this trouble you speak of with Brocade, but then again I<br>
have only used the CER, CES & FCX. The config I posted on <a href="http://tacacs.org" target="_blank">tacacs.org</a><br>
seemed to work fine.<br>
<br>
Also, users CAN be members of multiple groups, you just have to write an<br>
authorization script. Or, just use my do_auth.py script from <a href="http://tacacs.org" target="_blank">tacacs.org</a> -<br>
several people have told me it works well. Tac_plus, I would argue, is<br>
more flexible than Cisco's solution.<br>
<br>
I'm working on key replacement with do_auth - what is your issue with<br>
Nexus? As for brcd-role, if you are willing to try do_auth and turn on<br>
the debug, I should easily be able to add something for a certain IP range<br>
that strips the pairs you don't want and appends the pairs you do.<br>
<br>
-----Original Message-----<br>
From: <a href="mailto:tac_plus-bounces@shrubbery.net">tac_plus-bounces@shrubbery.net</a><br>
[mailto:<a href="mailto:tac_plus-bounces@shrubbery.net">tac_plus-bounces@shrubbery.net</a>] On Behalf Of Alan McKinnon<br>
Sent: Friday, September 30, 2011 3:43 PM<br>
To: <a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br>
Subject: Re: [tac_plus] Configuring a/v pair expected by Brocade VDX<br>
switch<br>
<div><div></div><div class="h5"><br>
On Fri, 30 Sep 2011 14:14:03 -0700<br>
Jathan McCollum <<a href="mailto:jathan@gmail.com">jathan@gmail.com</a>> wrote:<br>
<br>
> Hey John, thanks for the reply. That's a good suggestion that I'll<br>
> tuck away for future reference.<br>
><br>
> I actually tracked down access to the Brocade support knowledge base<br>
> and found a document someone had posted using Cisco ASA.<br>
><br>
> And it is:<br>
><br>
> brcd-role = <role><br>
><br>
> So my group config would be:<br>
><br>
> group = admin {<br>
> default service = permit<br>
> service = exec {<br>
> priv-lvl = 15<br>
> brcd-role = admin<br>
> }<br>
> }<br>
><br>
> However, sharing that with Cisco devices causes them to be unhappy<br>
> and fail authorization. I tried prepending the "optional" keyword<br>
> e.g. "optional brcd-role = admin", which makes Cisco devices happy<br>
> again, but breaks it on the Brocade.<br>
><br>
> So... almost there, but still missing something.<br>
<br>
<br>
Hi Jathan,<br>
<br>
I had a very similar issue getting my Cisco and Nexus kit to work<br>
together. Short answer is I couldn't get them to work together.<br>
<br>
The solution I opted for was to run two instances of tac_plus, the<br>
original on port 49 for Cisco and the second on port 50 for Nexus, and<br>
keep the configs entirely separate. This works for me and is probably<br>
more intuitive than trying to express the same thing in a single config<br>
file.<br>
<br>
One of the shortcomings of tac_plus in its current form is how<br>
inflexible it can be. Users can be a member of only one group, which is<br>
a member of only one group etc. Freeradius has a concept of "vhosts"<br>
which would be insanely useful on tac_plus, but there is no comparable<br>
feature. You seem to have run into this.<br>
<br>
I'm not complaining (for the asking price of free tac_plus is a great<br>
product) and until I start submitting patches I have very little<br>
street-cred. In the meantime I accept that sometimes we have to do<br>
things in unusual ways (like run two daemons) to get what we want.<br>
<br>
<br>
<br>
><br>
> On Fri, Sep 30, 2011 at 1:59 PM, john heasley <<a href="mailto:heas@shrubbery.net">heas@shrubbery.net</a>><br>
> wrote:<br>
><br>
> > Fri, Sep 30, 2011 at 01:39:32PM -0700, Jathan McCollum:<br>
> > > The documentation indicates the device is expecting the server to<br>
> > > send an a/v pair that specifies the authenticated user's role. I<br>
> > > assume the value would be "admin" in this case. The problem is<br>
> > > that nowhere in the documentation so far have I seen what<br>
> > > attribute the device is expecting. There may also be a unique<br>
> > > service type (again similar to JUNOS' "junos-exec") that is being<br>
> > > expected.<br>
> > ><br>
> > > So... After all that background, anyone had experience with this<br>
> > > platform and gotten it working successfully w/ tac_plus?<br>
> ><br>
> > none, but some devices send the av pairs they have when they perform<br>
> > authen and/or author. if you enable the appropriate debugging<br>
> > knobs, it might reveal it to you.<br>
> ><br>
> > or, take the image that you load on the box, uncompress it, unzip<br>
> > it or whatever their packaging method is, then run strings(1) on it<br>
> > and look for strings that might be related to authorization. then<br>
> > send a bomb to brocade offices.<br>
> ><br>
><br>
><br>
><br>
<br>
<br>
<br>
--<br>
Alan McKinnon<br>
<a href="mailto:alan.mckinnon@gmail.com">alan.mckinnon@gmail.com</a><br>
_______________________________________________<br>
tac_plus mailing list<br>
<a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br>
<a href="http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus" target="_blank">http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>Jathan.<br>--<br>
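The thread's core problem is that a mandatory `brcd-role` pair makes IOS fail authorization while the `optional` form is ignored by the Brocade, and Daniel's proposed fix is an authorization hook that strips or appends pairs by device address range. The script below is an added example of that idea, written here for illustration; it is not do_auth.py, not code from tacacs.org, and not part of tac_plus. The address ranges are constructed, and two things are assumptions to check against the tac_plus.conf man page for your version: that the NAS address arrives as the first argument (via `$address` in the `after authorization` line) and that exit status 2 means "permit, replace the pairs with what the script printed".

```python
#!/usr/bin/env python3
"""Per-device a/v pair filter for a tac_plus 'after authorization' hook.

Added example, not do_auth.py and not code from tac_plus. It reads the
authorization pairs tac_plus hands the script (one per line on stdin),
strips the Brocade-only pair for devices outside the Brocade address
ranges, and appends it for devices inside them.
"""
import ipaddress
import sys

# Constructed example ranges: the management subnets of the Brocade VDX
# switches. Any other NAS address is treated as Cisco-style gear.
BROCADE_RANGES = [
    ipaddress.ip_network("10.10.0.0/24"),
    ipaddress.ip_network("10.20.0.0/24"),
]
# Attributes only the Brocade side understands; Cisco IOS fails
# authorization when a mandatory pair it does not know is returned.
BROCADE_ONLY_ATTRS = {"brcd-role"}


def split_pair(pair):
    """Split 'attr=value' (mandatory) or 'attr*value' (optional) into
    (attr, separator, value), using whichever separator comes first."""
    idx = [i for i in (pair.find("="), pair.find("*")) if i != -1]
    if not idx:
        return pair, "", ""
    i = min(idx)
    return pair[:i], pair[i], pair[i + 1:]


def is_brocade(nas_ip):
    """True when the requesting device's address falls in a Brocade range."""
    ip = ipaddress.ip_address(nas_ip)
    return any(ip in net for net in BROCADE_RANGES)


def filter_pairs(nas_ip, pairs, role="admin"):
    """Return the pairs this device should receive.

    Cisco-type devices get the list with brcd-role removed; Brocade
    devices keep it and get 'brcd-role=<role>' appended if absent.
    """
    brocade = is_brocade(nas_ip)
    out = []
    seen = set()
    for pair in pairs:
        attr, _, _ = split_pair(pair)
        if attr in BROCADE_ONLY_ATTRS and not brocade:
            continue  # strip: this device would reject the pair
        out.append(pair)
        seen.add(attr)
    if brocade and "brcd-role" not in seen:
        out.append(f"brcd-role={role}")
    return out


def main(argv):
    # Assumed invocation: the NAS address is passed as the first argument
    # (e.g. "... $address" in the after-authorization line of tac_plus.conf).
    if len(argv) < 2:
        sys.stderr.write("usage: filter_avpairs.py <nas-ip>\n")
        return 1  # assumed tac_plus convention: 1 = deny
    pairs = [line.strip() for line in sys.stdin if line.strip()]
    for pair in filter_pairs(argv[1], pairs):
        print(pair)
    # Assumed tac_plus convention: exit 2 = permit, replace the pairs with
    # the ones printed above. Verify against the tac_plus.conf man page.
    return 2


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With a single `group = admin` carrying `priv-lvl = 15` in the config, the Brocade range receives `brcd-role=admin` appended and the Cisco devices never see it, which avoids both the mandatory-pair failure on IOS and the ignored `optional` pair on the VDX without running a second daemon. Keep the hook's debug output on while testing, since a wrong exit status or a stray line on stdout becomes an authorization failure rather than a visible error.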