Authorization
Page 30 7450 ESS System Mangement Guide
• The operator can configure local profiles and map tacplus priv-lvl based
authorization to those profiles (the use-priv-lvl option)
To use a single common default profile to control command authorization for TACACS+
users, the operator must configure the tacplus use-default-template option and configure the
parameters in the tacplus_default user-template to point to a valid local profile.
If the default template is not being used for TACACAS+ authorization and the use-priv-lvl
option is not configured, then each CLI command issued by an operator is sent to the
TACACS+ server for authorization. The authorization request sent by SR OS contains the first
word of the CLI command as the value for the TACACS+ cmd and all following words
become a cmd-arg. Quoted values are expanded so that the quotation marks are stripped off
and the enclosed value are seen as one cmd or cmd-arg.
Examples
Here is a set of examples, where the following commands are typed in the CLI:
- “show”
- “show router”
- “show port 1/1/1”
- “configure port 1/1/1 description “my port”
This results in the following AVPairs:
cmd=show
cmd=show
cmd-arg=router
cmd=show
cmd-arg=port
cmd-arg=1/1/1
cmd=configure
cmd-arg=port
cmd-arg=1/1/1
cmd-arg=description
cmd-arg=my port
To Next Page
Loading...
