Note: When using remote groups with LDAP remote authorization, you need to have corresponding local groups on the console server.
However, whereas LDAP group names can contain upper case and space characters, the local group name on the console server must be
all lower case with the spaces replaced by underscores. For example, a remote group on the LDAP server called 'My Ldap Access Group'
needs a corresponding local group on the console server called 'my_ldap_access_group' (both without the single quotes). The local group
on the console server must specify what the group member is granted access to for any group membership to be effective.
9.1.9 Remote Groups with TACACS+ Authentication
When using TACACS+ authentication, there are two ways to grant a remotely authenticated user privileges. The first is to set
the priv-lvl and port attributes of the raccess service to 12 (refer to 9.2 PAM for more information). The second is to provide
group names to the console server using the groupname custom attribute of the raccess service.
An example Linux tac-plus config snippet might look like:
user = myuser {
    service = raccess {
        groupname="users"
        groupname1="routers"
        groupname2="dracs"
    }
}
You may also specify multiple groups in one comma-delimited attribute value (e.g., groupname="users,routers,dracs"), but be aware
that the maximum length of the attribute value string is 255 characters.
To use an attribute name other than groupname, set Authentication -> TACACS+ -> TACACS Group Membership
Attribute.
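The following check is an added example, not part of the product documentation or the console server's own code. It covers both the LDAP note above (mapping a remote group name to the required local group name) and the TACACS+ group attributes (collecting groups from groupname, groupname1, ... and flagging values over the 255-character limit). The function names, the sample stanza and the treatment of empty or space-padded list entries as problems are assumptions made for illustration.

```python
import re

MAX_ATTR_LEN = 255  # maximum attribute value length stated in this section

# Constructed sample: the stanza from this section with one comma-delimited value.
SAMPLE_CONFIG = '''
user = myuser {
    service = raccess {
        groupname="users"
        groupname1="routers,dracs"
    }
}
'''

ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"([^"]*)"\s*$')


def local_group_name(ldap_group):
    """Local group name required for an LDAP remote group (lower case, underscores)."""
    return ldap_group.lower().replace(" ", "_")


def raccess_groups(config, attr="groupname"):
    """Return (groups, problems) for attr, attr1, attr2, ... in a tac-plus snippet."""
    name_re = re.compile(re.escape(attr) + r"\d*$")
    groups, problems = [], []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = ATTR_RE.match(line)
        if not m or not name_re.match(m.group(1)):
            continue
        name, value = m.groups()
        if len(value) > MAX_ATTR_LEN:
            problems.append(f"line {lineno}: {name} is {len(value)} chars (max {MAX_ATTR_LEN})")
        for g in value.split(","):
            if not g or g != g.strip():  # assumption: treat these as config mistakes
                problems.append(f"line {lineno}: empty or padded group name in {name}")
            elif g not in groups:
                groups.append(g)
    return groups, problems


if __name__ == "__main__":
    print(local_group_name("My Ldap Access Group"))
    print(raccess_groups(SAMPLE_CONFIG))
```

Pass the configured attribute name as attr if TACACS Group Membership Attribute has been changed from groupname.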
9. Authentication