Hi Marc,
Debug output is also attached.
I used the profile example from one of your posts.
I tried other config examples, but had no luck.
Trimmed tac config:
profile usertest {
    script {
        if (service == shell) {
            if (cmd == "") { set priv-lvl = 15 permit }
            if (cmd =~ /^show /) permit
            deny
        }
    }
}
group usertest
user = swbackup {
    password login = clear "test123"
    member = usertest
}
ruleset {
    rule localaccounts {
        enabled = yes
        script {
            if (user == swbackup) { profile = usertest permit }
            if (member == admins) { profile = admins permit }
        }
    }
    rule scs {
        enabled = yes
        script {
            if (memberof =~ /^CN=Switchaccess_Radius,/) { profile = admins permit }
        }
    }
    rule localit {
        enabled = yes
        script {
            ########################EU2##
            if (nas == TM) { if (memberof =~ /^CN=NetworkSupport,/) { profile = admins permit } }
        }
    }
}
}
Switch config example:
aaa:
aaa authentication login default group tacGroup local
aaa authentication login tacAuthen group tacGroup local
aaa authentication login console local
aaa authentication dot1x default group Wired-NAC
aaa authorization config-commands
aaa authorization exec default group tacGroup local if-authenticated
aaa authorization exec tacAuthor group tacGroup local if-authenticated
aaa authorization network default group Wired-NAC
aaa accounting update newinfo periodic 2880
aaa accounting identity default start-stop group Wired-NAC
aaa accounting exec default start-stop group tacGroup
aaa accounting commands 15 default start-stop group tacGroup
aaa accounting connection default start-stop group tacGroup
aaa accounting system default start-stop group tacGroup
vty:
line vty 0 4
 session-timeout 3
 exec-timeout 3 0
 privilege level 15
 authorization exec tacAuthor
 logging synchronous
 login authentication tacAuthen
 transport preferred none
 transport input ssh
line vty 5 15
 session-timeout 3
 exec-timeout 3 0
 privilege level 15
 authorization exec tacAuthor
 logging synchronous
 login authentication tacAuthen
 transport preferred none
 transport input ssh
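An added example, not part of the message above and not from Marc's posts: the switch config requests exec authorization and command accounting from tacGroup, but never command authorization (`aaa accounting commands 15` only records what was run). IOS therefore sends a single authorization request at exec start, with an empty cmd, and applies the priv-lvl 15 the profile returns, but every command typed afterwards is executed locally without asking the server, so the `cmd =~ /^show /` and `deny` lines in the profile are never evaluated. The fragment below adds command authorization for privilege levels 1 and 15 and binds it to the vty lines; the server group `tacGroup` and the list names `tacAuthor` and `tacAuthen` are taken from the post, and reusing `tacAuthor` as the name of the command-authorization lists is an assumption (any list name works as long as the line references it).

```text
! Added example, not from the original post. Assumes server group tacGroup
! and the list names tacAuthor / tacAuthen from the post; the two
! "aaa authorization commands" lists are new.
aaa authorization config-commands
aaa authorization commands 1 tacAuthor group tacGroup if-authenticated
aaa authorization commands 15 tacAuthor group tacGroup if-authenticated
!
! vty 0 15 covers both ranges from the post, which were configured identically.
line vty 0 15
 authorization exec tacAuthor
 authorization commands 1 tacAuthor
 authorization commands 15 tacAuthor
 login authentication tacAuthen
!
! Requests the server now sees for one SSH session (service=shell in all of them):
!   exec start, cmd=""                 -> profile sets priv-lvl=15, permit
!   "show version", cmd="show ..."     -> matches /^show /, permit
!   "configure terminal", cmd="conf.." -> no match, falls through to deny
```

Two things to check with this in place: `aaa authorization config-commands` has no effect until command authorization itself is enabled, which is why it is kept next to the new lists; and `if-authenticated` only applies when the TACACS+ servers cannot be reached, not when they answer deny, so with the servers down every authenticated user runs commands unrestricted at whatever privilege level they already hold. If that fallback is unwanted, drop `if-authenticated` and accept that vty command execution depends on server reachability (console access via `aaa authentication login console local` is unaffected).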