Section: Maintenance Commands (8)    Updated: February 27, 2010
NAME
do_auth - Program allowing more granular control than tac_plus.
SYNOPSIS
do_auth
-u user [-i IP address] [-d Device address] [-f Config filename] [-l Log file] [-D Debug mode]
DESCRIPTION
do_auth is a Python program written to work as an authorization script for
tacacs, allowing greater flexibility in tacacs authorization. It allows
a user to be a member of many predefined groups, each of which can grant
different access to different devices based on device IP, user, and
source address. Groups are assigned to users in the [users] section. A
user must be assigned to one or more groups, one per line. Groups are
defined in brackets and can have any name. Each group can have up to the
6 options defined below.
host_deny        Deny any user coming from this host. Optional.
host_allow       Allow users from this range. Mandatory with -i.
device_deny      Deny any device with this IP. Optional.
device_permit    Allow this range. Mandatory if -d is specified.
command_deny     Deny these commands. Optional.
command_permit   Allow these commands. Mandatory.
The options are parsed in order until a match is found. Obviously,
for login, the command_ options are not parsed. If a match is not
found, or a deny is found, we move on to the next group. At the
end, there is an implicit deny if no group matches. All tacacs keys
passed on login to do_auth are returned (except cmd*). It is
possible to modify them, but I haven't implemented this yet as
I don't need it. Future versions may have an av_pair and
append_av_pair option.
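The group-walking rules above (options checked in order, a deny or a missing mandatory permit moves on to the next group, host_ and device_ entries skipped when -i or -d is absent, command_ entries skipped for login, implicit deny at the end) as an added illustration, not do_auth's own code. The USERS and GROUPS dictionaries are a constructed policy in the shape the man page describes, not do_auth's real config file format.

```python
import ipaddress
import re

# Constructed sample policy (not a real do_auth config): [users] maps each
# user to groups, one per line; each group carries up to the six options.
USERS = {"alice": ["netops", "readonly"], "bob": ["readonly"]}
GROUPS = {
    "netops": {
        "host_deny": ["10.0.0.0/24"], "host_allow": ["10.0.0.0/8"],
        "device_deny": ["192.168.1.1/32"], "device_permit": ["192.168.0.0/16"],
        "command_deny": [r"^(reload|write erase)"], "command_permit": [r".*"],
    },
    "readonly": {
        "host_allow": ["0.0.0.0/0"], "device_permit": ["0.0.0.0/0"],
        "command_permit": [r"^show .*"],
    },
}


def _in_any(addr, nets):
    """True if addr falls inside any of the CIDR ranges in nets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def _match_any(cmd, patterns):
    """True if any regex in patterns matches the command string."""
    return any(re.search(p, cmd) for p in patterns)


def group_permits(group, host=None, device=None, command=None):
    """Walk one group's options in order; a deny hit or a missing
    mandatory permit means this group does not authorize the request."""
    g = GROUPS[group]
    if host is not None:  # host_ entries are ignored when -i is not given
        if _in_any(host, g.get("host_deny", [])) or not _in_any(host, g.get("host_allow", [])):
            return False
    if device is not None:  # device_ entries are ignored when -d is not given
        if _in_any(device, g.get("device_deny", [])) or not _in_any(device, g.get("device_permit", [])):
            return False
    if command is not None:  # command_ entries are not parsed for plain login
        if _match_any(command, g.get("command_deny", [])) or not _match_any(command, g.get("command_permit", [])):
            return False
    return True


def authorize(user, host=None, device=None, command=None):
    """Try the user's groups in order; return the first group that permits,
    or None for the implicit deny when no group matches."""
    for group in USERS.get(user, []):
        if group_permits(group, host, device, command):
            return group
    return None
```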
OPTIONS
-u
Username. Mandatory. $user
-i
IP address of user. Optional. If not specified, all host_ entries
are ignored and can be omitted. $address
-d
Device address. Optional. If not specified, all device_ entries
are ignored and can be omitted. $name