'shell:roles' unexpected in parsing config file


nilie

May 24, 2012, 9:44:56 PM
to Event-Driven Servers
Hello everybody,

I'm looking to configure AAA with TACACS+ for Cisco MDS9100 SAN
switches. According to Cisco configuration guides, upon successful
authentication the tac_plus server should return an AV pair that will
be used for command authorization. Cisco describes it as
cisco-av-pair=shell:roles="network-admin" and there is also an example in
tac_plus documentation on how this should be used.
The relevant part of my tac_plus.conf file looks like this:

group = telecom-admin {
    default service = permit
    service = shell {
        default command = permit
        double-quote-values = yes
        shell:roles="network-admin"
    }
}

However, when the tac_plus daemon is parsing the config file, it fails with
the following error message:

'shell:roles' unexpected

I tried to add cisco-av-pair= in front of it, but the parsing still
fails with 'cisco-av-pair' unexpected.

Am I doing something wrong here?

Any idea will be appreciated.

Thanks

Marc Huber

May 25, 2012, 5:53:34 AM
to event-driv...@googlegroups.com
Hi,


On Friday, May 25, 2012 3:44:56 AM UTC+2, nilie wrote:
group = telecom-admin {
    default service = permit
    service = shell {
        default command = permit
        double-quote-values = yes
        shell:roles="network-admin"
    }
}


The "set" keyword is mandatory here. Try

           set shell:roles="network-admin"

Cheers,

Marc



nilie

May 27, 2012, 11:45:42 PM
to Event-Driven Servers
Thank you very much, Marc, this solved my problem.

Also, a note for those who would like to use tac_plus for Cisco MDS SAN
switches: I had to add "pap backend = mavis" in order to make it work,
since MDS is using PAP by default for authentication.

Once again I appreciate your help.

Nicu