Hi List,

Has anyone got AAA command authorization working correctly on modern NetIron code, on the MLX/CERs?

With a working TACACS+ server, with the below aaa configuration, I don't receive Command Authorization commands (confirmed with logs / pcap) for commands prefaced with 'no', but do for other configuration level commands. This presents a problem when I can block commands like 'router mpls', but other commands such as 'no router mpls' still work.

Testing is done with a logged-in user with priv level 0 (super user). Testing has been done with a few variants of 5.8, 6.0 and 6.2 code, all with the same results.

Has anyone else run into this issue? Or has anyone got working command authorization with a different (e.g. RADIUS) setup?

AAA config:

tacacs-server host 192.0.2.200
tacacs-server key tacacskeyhere
aaa authentication enable default tacacs+
aaa authentication login default tacacs+
aaa authentication login privilege-mode
aaa authorization commands 0 default tacacs+
aaa authorization exec default tacacs+
aaa accounting commands 0 default start-stop tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting system default start-stop tacacs+

--
Email: [email protected]
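An added example, not part of the original post: one way to check TACACS+ server logs for the gap described above, by flagging accounting records that have no matching permitted authorization request. The log format, field names and sample lines are constructed, and it assumes the device still sends accounting records for 'no' commands, which the post does not state.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical key=value log layout.
# A real TACACS+ daemon logs differently; adapt RECORD to its format.
SAMPLE_LOG = """\
2024-01-01T10:00:01 type=author user=alice nas=192.0.2.1 cmd="router mpls" result=deny
2024-01-01T10:00:09 type=author user=alice nas=192.0.2.1 cmd="show version" result=permit
2024-01-01T10:00:09 type=acct user=alice nas=192.0.2.1 cmd="show version"
2024-01-01T10:00:15 type=acct user=alice nas=192.0.2.1 cmd="no router mpls"
2024-01-01T10:00:20 type=acct user=bob nas=192.0.2.1 cmd="no router mpls"
"""

RECORD = re.compile(
    r'^(?P<ts>\S+) type=(?P<type>author|acct) user=(?P<user>\S+) '
    r'nas=(?P<nas>\S+) cmd="(?P<cmd>[^"]*)"(?: result=(?P<result>\w+))?$'
)

def parse(log_text):
    for line in log_text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            yield rec

def unauthorized_commands(log_text, window=timedelta(seconds=5)):
    """Accounting records with no permitted authorization in the prior window."""
    permits = {}   # (nas, user, cmd) -> timestamps of unconsumed permits
    findings = []
    for rec in sorted(parse(log_text), key=lambda r: r["ts"]):
        key = (rec["nas"], rec["user"], rec["cmd"])
        if rec["type"] == "author":
            if rec["result"] == "permit":
                permits.setdefault(key, []).append(rec["ts"])
            continue
        pending = permits.get(key, [])
        hit = next((t for t in pending if timedelta(0) <= rec["ts"] - t <= window), None)
        if hit is not None:
            pending.remove(hit)      # each permit covers one executed command
        else:
            findings.append(rec)     # executed without an authorization request
    return findings

def summarize(findings):
    # Group unmatched commands by first keyword, so a 'no' bias stands out.
    return Counter((f["cmd"].split() or [""])[0] for f in findings)
```
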
