<div dir="ltr"><div>That is why do_auth allows the use of multiple groups, it can't know the OS of the device which is talking to it. A notable exception is nexus, do_auth is kluged to know when it is talking to a nexus and will strip the shell:roles when talking to other devices. (nexus sends a "cmd=\n" which nobody else seems to) I don't know about FXOS, you would have to send set debug in do_auth and send me the returned tac pairs. i suspect is is the same as NXOS, in which case you would be required to make two different groups by IP and assign both of them to the user with av_pairs statement to send different roles. <br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, May 15, 2017 at 2:41 PM, Munroe Sollog <span dir="ltr"><<a href="mailto:mus3@lehigh.edu" target="_blank">mus3@lehigh.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I know about do_auth.py and I have been avoiding re-implementing my config using it until I understand how to do everything. I haven't found an example of a do_auth config that allows me to specify different AV pairs for different devices within the same group though.</div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">On Mon, May 15, 2017 at 4:11 PM, Daniel Schmidt <span dir="ltr"><<a href="mailto:daniel.schmidt@wyo.gov" target="_blank">daniel.schmidt@wyo.gov</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr">Have you considered using the after authentication "do_auth.py?"</div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="m_7615601372792875186h5">On Mon, May 15, 2017 at 11:38 AM, Munroe Sollog <span dir="ltr"><<a href="mailto:mus3@lehigh.edu" target="_blank">mus3@lehigh.edu</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="m_7615601372792875186h5">I am using tacacs to aaa nexus equipment and now a firepower chassis<br>
manager. My 'admins' group is configured like so:<br>
<br>
group = admins {<br>
default service = permit<br>
service = exec {<br>
priv-lvl = 15<br>
# optional shell:roles = "admin network-admin"<br>
optional shell:roles = "network-admin"<br>
optional shell:roles = "admin"<br>
}<br>
service = AMP {<br>
role = "tacacs"<br>
}<br>
service = gigamon {<br>
}<br>
<br>
}<br>
<br>
The problem is the nexus equipment uses the network-admin role while the<br>
firepower chassis manager uses the admin role. While I can probably create<br>
one role on the other box, I was wondering if there was an easier way to<br>
resolve this issue. As you see I have tried a space separated list as well<br>
as individual statements.<br>
<br>
For further reference here is the documentation on the firepower tacacs<br>
config:<br>
<br>
<a href="http://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos201/web-config/b_GUI_ConfigGuide_FXOS_201/user_management.html#concept_2770BFB3259042F5A4420595A0A6946C" rel="noreferrer" target="_blank">http://www.cisco.com/c/en/us/t<wbr>d/docs/security/firepower/fxos<wbr>/fxos201/web-config/b_GUI_Conf<wbr>igGuide_FXOS_201/user_manageme<wbr>nt.html#concept_2770BFB3259042<wbr>F5A4420595A0A6946C</a><br>
</div></div><span class="m_7615601372792875186m_4114236830703015216HOEnZb"><font color="#888888"><div><div class="m_7615601372792875186h5"><br>
<br>
<br>
<br>
--<br>
Munroe Sollog<br>
Senior Network Engineer<br>
<a href="mailto:munroe@lehigh.edu" target="_blank">munroe@lehigh.edu</a><br></div></div>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://www.shrubbery.net/pipermail/tac_plus/attachments/20170515/6acdab2b/attachment.html" rel="noreferrer" target="_blank">http://www.shrubbery.net/pipe<wbr>rmail/tac_plus/attachments/201<wbr>70515/6acdab2b/attachment.html</a><wbr>><br>
______________________________<wbr>_________________<br>
tac_plus mailing list<br>
<a href="mailto:tac_plus@shrubbery.net" target="_blank">tac_plus@shrubbery.net</a><br>
<a href="http://www.shrubbery.net/mailman/listinfo/tac_plus" rel="noreferrer" target="_blank">http://www.shrubbery.net/mailm<wbr>an/listinfo/tac_plus</a><br>
</font></span></blockquote></div><br></div>
<br>
<br></div></div>E-Mail to and from me, in connection with the transaction <br>of public business, is subject to the Wyoming Public Records <br>Act and may be disclosed to third parties.<br></blockquote></div><span class=""><br><br clear="all"><div><br></div>-- <br><div class="m_7615601372792875186gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Munroe Sollog<div>Senior Network Engineer</div><div><a href="mailto:munroe@lehigh.edu" target="_blank">munroe@lehigh.edu</a></div></div></div>
</span></div>
</blockquote></div><br></div>
<br>
<br>E-Mail to and from me, in connection with the transaction <br>of public business, is subject to the Wyoming Public Records <br>Act and may be disclosed to third parties.<br>