Stefan Winter wrote:
...
> These two are the ONLY ones. Since it's just about parsing the string content
> of cisco-avpair at the router side, there is absolutely no technical reason
> why these two wouldn't go through. The only explanation then is that this is
> a deliberate step by Cisco to make sure that TACACS+ is "superior" to RADIUS
> by arbitrarily cutting down functionality. Probably the code in IOS is larger,
> with exception handling to make sure that it doesn't work.

  Yes.  It's exactly what Cisco wants.

> I must say: I'm pissed. But I hope I could at least clarify this topic.
>
> My next-best approach to circumvent this would be to define an intermediate
> privilege level that only has the permission to do the commands in question,
> and only assign the users in question to that lower priv-level. Scales
> poorly, but enough for us. Maybe that approach serves some others as well.

  Or, use a TACACS+-to-RADIUS gateway.

  Or, integrate TACACS+ support into FreeRADIUS.  If we had TCP as a
transport layer, adding TACACS+ would be relatively easy. :)

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
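The intermediate-privilege-level workaround Stefan describes, written out as an added configuration example. This is not from the original thread, from Cisco, or from the FreeRADIUS project; the device is an IOS router, the RADIUS server address, shared secret, user name, password, privilege level 5 and the handful of commands moved down to level 5 are all illustrative choices, and the second half is a FreeRADIUS `users` file entry that returns the privilege level as the one `shell:priv-lvl` avpair that IOS does honour over RADIUS.

```text
! --- IOS side (assumed: router runs a classic IOS image) -----------------
aaa new-model
! authenticate logins and the exec level via RADIUS, fall back to local
aaa authentication login default group radius local
aaa authorization exec default group radius local
!
radius server rad1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key radius-shared-secret
!
! Move only the commands the limited users need down to level 5.
! Everything not listed here stays at level 15 and is therefore
! unavailable to a level-5 user, which is the whole point of the
! workaround: the filtering is done by the level, not by per-command
! avpairs. The command list is illustrative.
privilege exec level 5 show running-config
privilege exec level 5 clear counters
privilege exec level 5 configure terminal
privilege configure level 5 interface
privilege interface level 5 shutdown
!
! No "enable secret level 5" is needed: the level is assigned at login
! from the RADIUS reply, so the user never runs "enable".

# --- FreeRADIUS side: entry in raddb/users (assumed user and password) ---
# Service-Type = NAS-Prompt-User gives an exec shell; priv-lvl=5 drops the
# user straight into the restricted level defined above instead of 15.
limited-ops  Cleartext-Password := "example-only"
             Service-Type = NAS-Prompt-User,
             Cisco-AVPair = "shell:priv-lvl=5"
```

Caveats a practitioner should keep in mind: every user who needs a different command set needs a different level, and IOS only has levels 1 through 15, which is why the approach scales poorly; lowering `show running-config` also shows a level-5 user every configuration line that is itself at level 5 or below, so check what it exposes before granting it; and the `privilege` lines live in the device configuration, so a change in policy means touching every router rather than one RADIUS entry.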

