Tacacs and PAM : Map users to groups


Bjorn Reckner

Dec 17, 2021, 12:09:11 PM
to Event-Driven Servers
Hello,

I set up a TACACS server with a MAVIS backend that forwards the authentication requests to PAM. PAM uses the SSSD and Google Authenticator modules to provide MFA using the AD password and an OTP.

That works great, but now I would like to map the users who log in through PAM to the groups defined in my tac_plus.cfg. Does anyone know how I can do that?

Here is one group, for example:

group = Network_Admins {
    default service = permit
    enable = login
    acl = permit a
    acl = permit b
    acl = permit c
    acl = permit d
    acl = permit f
    acl = permit g
    acl = permit h

    service = shell {
        default command = permit
        default attribute = permit
        set priv-lvl = 15
    }

    service = pap {
        default attribute = permit
        set priv-lvl = 15
    }

    service = PaloAlto {
        set protocol = firewall
        set role1 = ALL?
    }

    service = ciscowlc {
        set protocol = common
        set role1 = ALL?
    }
}

I would like a user who is a member of the corresponding Network_Admins group to be automatically added to the TACACS group and get the multiple ACLs and service rules that are defined within the group.

How is that possible? Thanks in advance.
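As an added example (not code from the original post, and not part of tac_plus or its MAVIS backends), the following Python script parses the brace-delimited `key = value { ... }` layout of the group block quoted above and summarizes what each group grants: its ACL lines, its services, and the shell `priv-lvl`. It also flags any group whose shell service combines `set priv-lvl = 15` with `default command = permit`, since that is the combination a reviewer wants to see deliberately before a whole directory group is mapped onto it. The sample config is constructed from the posted `Network_Admins` group plus a hypothetical `Helpdesk` group for contrast; the parser handles only the subset of tac_plus.cfg syntax shown in the thread and does not implement the PAM-to-group mapping the question asks about.

```python
"""Parse a tac_plus.cfg-style group block and summarize what each group grants.

Added example, not code from the original post or from tac_plus itself.
The parser understands only the 'key = value' and 'key = value { ... }'
lines used in the posted group; anything else raises ValueError.
"""
from __future__ import annotations

# Constructed sample: the posted Network_Admins group (shortened ACL list)
# plus a hypothetical low-privilege Helpdesk group for comparison.
SAMPLE_CFG = """\
group = Network_Admins {
    default service = permit
    enable = login
    acl = permit a
    acl = permit b
    service = shell {
        default command = permit
        default attribute = permit
        set priv-lvl = 15
    }
    service = pap {
        default attribute = permit
        set priv-lvl = 15
    }
    service = PaloAlto {
        set protocol = firewall
        set role1 = ALL?
    }
}
group = Helpdesk {
    default service = deny
    enable = login
    service = shell {
        default command = deny
        set priv-lvl = 1
    }
}
"""


def parse_blocks(text: str) -> list[dict]:
    """Return the top-level blocks of a config text.

    Each block is {'name': 'group = Network_Admins', 'attrs': [(key, value), ...],
    'children': [block, ...]}.  Repeated keys such as 'acl' are kept in order.
    """
    root = {"name": "<root>", "attrs": [], "children": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif line.endswith("{"):
            block = {"name": line[:-1].strip(), "attrs": [], "children": []}
            stack[-1]["children"].append(block)
            stack.append(block)
        else:
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"cannot parse line: {raw!r}")
            stack[-1]["attrs"].append((key.strip(), value.strip()))
    if len(stack) != 1:
        raise ValueError("unbalanced '{'")
    return root["children"]


def summarize_groups(text: str) -> dict[str, dict]:
    """Map group name -> {'acls': [...], 'services': {svc: {key: value}}, 'priv_lvl': int | None}."""
    out: dict[str, dict] = {}
    for block in parse_blocks(text):
        kind, _, name = block["name"].partition("=")
        if kind.strip() != "group":
            continue
        acls = [v for k, v in block["attrs"] if k == "acl"]
        services: dict[str, dict] = {}
        for child in block["children"]:
            ckind, _, svc = child["name"].partition("=")
            if ckind.strip() == "service":
                services[svc.strip()] = dict(child["attrs"])
        lvl = services.get("shell", {}).get("set priv-lvl")
        out[name.strip()] = {
            "acls": acls,
            "services": services,
            "priv_lvl": int(lvl) if lvl is not None else None,
        }
    return out


def review_findings(text: str) -> list[str]:
    """Flag groups whose shell service is priv-lvl 15 with every command permitted by default."""
    findings = []
    for name, info in summarize_groups(text).items():
        shell = info["services"].get("shell", {})
        if info["priv_lvl"] == 15 and shell.get("default command") == "permit":
            findings.append(
                f"{name}: priv-lvl 15 with 'default command = permit' (full unrestricted shell)"
            )
    return findings


if __name__ == "__main__":
    for name, info in summarize_groups(SAMPLE_CFG).items():
        print(name, info["priv_lvl"], info["acls"], sorted(info["services"]))
    for finding in review_findings(SAMPLE_CFG):
        print("FINDING:", finding)
```

Run it against a real tac_plus.cfg by replacing `SAMPLE_CFG` with the file contents; the summary makes it easy to see exactly which privileges a directory group inherits once it is mapped onto a TACACS group, and the finding for `Network_Admins` is expected for an admin group but worth confirming for any other group that ends up with the same shell settings.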