tacacs on IOSXR
898 views
Skip to first unread message
Adam
Jul 2, 2011, 5:17:14 PM7/2/11
to Event-Driven Servers
I seem to be having an issue trying to get tacacs working properly on
IOS XR. When I try the following it doesn't work.
group = readwrite {
default service = permit
service = shell {
default command = permit
set tasks = "#root-system,#cisco-support"
}
}
The system just shows no tasks on the system. When I use the
following in tasks I get the proper tasks on the router.
set tasks = "rwx:bgp,#operator"
show user tasks
Thu Jun 30 05:16:21.868 CDT
Task: basic-services : READ WRITE EXECUTE DEBUG
Task: bgp : READ WRITE EXECUTE
Task: cdp : READ
Task: diag : READ
Task: ext-access : READ EXECUTE
Task: logging : READ
So I'm wondering what is going on here. If I use the FreeBSD port of
tacplus4 with the following config it works.
group = admin {
default service = permit
service = exec {
priv-lvl = 15
optional task = "#root-system,#cisco-support"
}
}
Does anyone have a sample config for IOS XR here.
Thanks,
Adam
IOS XR. When I try the following it doesn't work.
group = readwrite {
default service = permit
service = shell {
default command = permit
set tasks = "#root-system,#cisco-support"
}
}
The system just shows no tasks on the system. When I use the
following in tasks I get the proper tasks on the router.
set tasks = "rwx:bgp,#operator"
show user tasks
Thu Jun 30 05:16:21.868 CDT
Task: basic-services : READ WRITE EXECUTE DEBUG
Task: bgp : READ WRITE EXECUTE
Task: cdp : READ
Task: diag : READ
Task: ext-access : READ EXECUTE
Task: logging : READ
So I'm wondering what is going on here. If I use the FreeBSD port of
tacplus4 with the following config it works.
group = admin {
default service = permit
service = exec {
priv-lvl = 15
optional task = "#root-system,#cisco-support"
}
}
Does anyone have a sample config for IOS XR here.
Thanks,
Adam
Marc Huber
Jul 3, 2011, 2:43:36 AM7/3/11
to Event-Driven Servers
Hi Adam,
On 2 Jul., 23:17, Adam <afur...@gmail.com> wrote:
> I seem to be having an issue trying to get tacacs working properly on
> IOS XR. When I try the following it doesn't work.
>
> group = readwrite {
> default service = permit
> service = shell {
> default command = permit
> set tasks = "#root-system,#cisco-support"
try "task" instead of "tasks" and all should be fine.
> So I'm wondering what is going on here. If I use the FreeBSD port of
> tacplus4 with the following config it works.
>
> group = admin {
> default service = permit
> service = exec {
> priv-lvl = 15
> optional task = "#root-system,#cisco-support"
> }
>
> }
The corresponding group declaration would look only slightly different
in this version:
group = admin {
default service = permit
service = shell {
set priv-lvl = 15
optional task = "#root-system,#cisco-support"
}
}
Cheers,
Marc
On 2 Jul., 23:17, Adam <afur...@gmail.com> wrote:
> I seem to be having an issue trying to get tacacs working properly on
> IOS XR. When I try the following it doesn't work.
>
> group = readwrite {
> default service = permit
> service = shell {
> default command = permit
> set tasks = "#root-system,#cisco-support"
> So I'm wondering what is going on here. If I use the FreeBSD port of
> tacplus4 with the following config it works.
>
> group = admin {
> default service = permit
> service = exec {
> priv-lvl = 15
> optional task = "#root-system,#cisco-support"
> }
>
> }
in this version:
group = admin {
default service = permit
set priv-lvl = 15
optional task = "#root-system,#cisco-support"
}
}
Cheers,
Marc
Lionel Jacquet
May 6, 2022, 3:29:42 AM5/6/22
to Event-Driven Servers
Hi,
optional task = "#admin-reseau"
}
}
default service = permit
service = exec {
I am currently experiencing the same issue.
I try these configuration :
Config1:
group = reseau
{
default service = permit
service = shell {
default command = permit
set task = "#admin-reseau"
}
Config 2 :
group = reseau {
default service = permit
service = shell {default service = permit
optional task = "#admin-reseau"
}
}
With my other tacacs (tac_plus version F4.0.4.27a) this configuration is ok :
group = reseau {
default service = permit
service = exec {
# pour prise en compte de IOS XR
optional task="#admin-reseau"
}
}
optional task="#admin-reseau"
}
}
Regards,
Lionel
Le dimanche 3 juillet 2011 à 08:43:36 UTC+2, Marc Huber a écrit :
Hi Adam,
On 2 Jul., 23:17, Adam wrote:
Marc Huber
May 6, 2022, 12:08:29 PM5/6/22
to event-driv...@googlegroups.com
Hi,
I think NXOS expects quoted values.
Copy-paste from the manual:
|
service = shell {
set shell:roles="\"network-admin\""
}
and service = shell {
double-quote-values = yes
set shell:roles="network-admin"
}
are equivalent, but the latter is more readable. |
Cheers,
Marc
--
You received this message because you are subscribed to the Google Groups "Event-Driven Servers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to event-driven-ser...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/event-driven-servers/265d3552-3d27-4f4f-bc0a-647d2b88218fn%40googlegroups.com.
Lionel Jacquet
May 9, 2022, 4:43:37 AM5/9/22
to Event-Driven Servers
Hi,
Thanks for your reply.
It's doesn't work.
I tested :
service = shell {
set shell:roles="\"#
admin-reseau\""
}
and
service = shell {
double-quote-values = yes
set shell:roles="#
admin-reseau"
}
I use router in IOS-XR.
With this config :
Task group 'admin-reseau'
Inherits from task group 'root-lr'
Inherits from task group 'cisco-support'
Inherits from task group 'root-lr'
Inherits from task group 'cisco-support'
When i 'm log, i have no group or taskgroup
RP/0/RP0/CPU0:Test-RC#sh user tasks
Mon May 9 08:34:25.481 UTC
No task ids available
RP/0/RP0/CPU0:Test-RC#sh user group
Mon May 9 08:34:30.535 UTC
Mon May 9 08:34:25.481 UTC
No task ids available
RP/0/RP0/CPU0:Test-RC#sh user group
Mon May 9 08:34:30.535 UTC
Lionel Jacquet
May 9, 2022, 9:17:07 AM5/9/22
to event-driv...@googlegroups.com
Hi,
I find my mistake, set task is not ok when is it's set on group just ok with user config
this is ok :
user = ljacquet {
default service = permit
service = shell {
default command = permit
set task = "#admin-reseau"
}
}
this not ok :
group = reseau {
default service = permit
default service = permit
service = shell {
set task = "#admin-reseau"
}
}
user = ljacquet {
default service = permit
member = reseau
}
}
set task = "#admin-reseau"
}
}
user = ljacquet {
default service = permit
member = reseau
}
}
Cordialement,
Lionel Jacquet
You received this message because you are subscribed to a topic in the Google Groups "Event-Driven Servers" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/event-driven-servers/Hr1rzGEvj28/unsubscribe.
To unsubscribe from this group and all its topics, send an email to event-driven-ser...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/event-driven-servers/887c9657-8632-4441-a6cf-214aa1046d26n%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages