<div dir="ltr">I know about do_auth.py and I have been avoiding re-implementing my config using it until I understand how to do everything. I haven't found an example of a do_auth config that allows me to specify different AV pairs for different devices within the same group though.</div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, May 15, 2017 at 4:11 PM, Daniel Schmidt <span dir="ltr"><<a href="mailto:daniel.schmidt@wyo.gov" target="_blank">daniel.schmidt@wyo.gov</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Have you considered using the after authentication "do_auth.py?"</div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">On Mon, May 15, 2017 at 11:38 AM, Munroe Sollog <span dir="ltr"><<a href="mailto:mus3@lehigh.edu" target="_blank">mus3@lehigh.edu</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5">I am using tacacs to aaa nexus equipment and now a firepower chassis<br>
manager. My 'admins' group is configured like so:<br>
<br>
group = admins {<br>
default service = permit<br>
service = exec {<br>
priv-lvl = 15<br>
# optional shell:roles = "admin network-admin"<br>
optional shell:roles = "network-admin"<br>
optional shell:roles = "admin"<br>
}<br>
service = AMP {<br>
role = "tacacs"<br>
}<br>
service = gigamon {<br>
}<br>
<br>
}<br>
<br>
The problem is the nexus equipment uses the network-admin role while the<br>
firepower chassis manager uses the admin role. While I can probably create<br>
one role on the other box, I was wondering if there was an easier way to<br>
resolve this issue. As you see I have tried a space separated list as well<br>
as individual statements.<br>
<br>
For further reference here is the documentation on the firepower tacacs<br>
config:<br>
<br>
<a href="http://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos201/web-config/b_GUI_ConfigGuide_FXOS_201/user_management.html#concept_2770BFB3259042F5A4420595A0A6946C" rel="noreferrer" target="_blank">http://www.cisco.com/c/en/us/t<wbr>d/docs/security/firepower/fxos<wbr>/fxos201/web-config/b_GUI_Conf<wbr>igGuide_FXOS_201/user_manageme<wbr>nt.html#concept_2770BFB3259042<wbr>F5A4420595A0A6946C</a><br>
</div></div><span class="m_4114236830703015216HOEnZb"><font color="#888888"><div><div class="h5"><br>
<br>
<br>
<br>
--<br>
Munroe Sollog<br>
Senior Network Engineer<br>
<a href="mailto:munroe@lehigh.edu" target="_blank">munroe@lehigh.edu</a><br></div></div>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://www.shrubbery.net/pipermail/tac_plus/attachments/20170515/6acdab2b/attachment.html" rel="noreferrer" target="_blank">http://www.shrubbery.net/pipe<wbr>rmail/tac_plus/attachments/<wbr>20170515/6acdab2b/attachment.<wbr>html</a>><br>
______________________________<wbr>_________________<br>
tac_plus mailing list<br>
<a href="mailto:tac_plus@shrubbery.net" target="_blank">tac_plus@shrubbery.net</a><br>
<a href="http://www.shrubbery.net/mailman/listinfo/tac_plus" rel="noreferrer" target="_blank">http://www.shrubbery.net/mailm<wbr>an/listinfo/tac_plus</a><br>
</font></span></blockquote></div><br></div>
<br>
<br>E-Mail to and from me, in connection with the transaction <br>of public business, is subject to the Wyoming Public Records <br>Act and may be disclosed to third parties.<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Munroe Sollog<div>Senior Network Engineer</div><div><a href="mailto:munroe@lehigh.edu">munroe@lehigh.edu</a></div></div></div>
</div>