New Member

attribute definition syntax

Hi!

I planned to migrate our MDS switches to TACACS+ for AAA services. In the documentation I find some different ways of defining attributes:

http://www.cisco.com/en/US/docs/storage/san_switches/mds9000/sw/rel_2_x/fm/configuration/guide/radius.html#wp1224864

shell:roles="network-admin"

shell:roles*"network-admin"

cisco-av-pair*shell:roles="network-admin"

cisco-av-pair*shell:roles*"network-admin"

cisco-av-pair=shell:roles*"network-admin"

What is the difference between those syntaxes?

1 REPLY
Cisco Employee

Re: attribute definition syntax

Whether you put shell: or cisco-av-pair: depends on the RADIUS server.

The * instead of the = makes the attribute optional rather than mandatory. This is relevant if those attributes will be sent to all devices that the user logs in to; in that case you will want to make the attributes optional, or the device might fail authorization if it doesn't know what to do with a mandatory attribute (IOS, for example, will fail authorization if it receives a role assignment as mandatory).
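
The mandatory/optional distinction described in the reply above, as an added example that is not part of the original thread: a small model of how a device treats `=` and `*` pairs. The sets of attribute names each device understands are constructed for illustration, and the `cisco-av-pair` prefixed forms are left out because, as the reply says, they depend on the RADIUS server.

```python
import re

# attribute name, then "=" (mandatory) or "*" (optional), then the value
AV_PAIR = re.compile(r'^(?P<name>[^=*]+)(?P<sep>[=*])(?P<value>.*)$')


def parse_av_pair(text):
    """Split one AV pair into (name, mandatory, value)."""
    m = AV_PAIR.match(text.strip())
    if m is None:
        raise ValueError(f"not an AV pair: {text!r}")
    return m["name"], m["sep"] == "=", m["value"].strip('"')


def authorize(av_pairs, understood):
    """Model of the device-side decision described in the reply.

    Returns (accepted, applied, unknown). An attribute the device does not
    understand rejects the whole authorization when it is mandatory and is
    skipped when it is optional.
    """
    applied, unknown = {}, []
    for text in av_pairs:
        name, mandatory, value = parse_av_pair(text)
        if name in understood:
            applied[name] = value
        elif mandatory:
            return False, {}, [name]
        else:
            unknown.append(name)
    return True, applied, unknown


# Constructed device models: the attribute names each one understands.
MDS_LIKE = {"shell:roles"}
IOS_LIKE = {"shell:priv-lvl"}  # hypothetical set that lacks shell:roles

if __name__ == "__main__":
    profiles = (['shell:roles="network-admin"'], ['shell:roles*"network-admin"'])
    for profile in profiles:
        for label, known in (("MDS-like", MDS_LIKE), ("IOS-like", IOS_LIKE)):
            print(profile[0], "->", label, authorize(profile, known))
```

Running the same check over every profile a shared AAA server hands out shows which mandatory attributes would lock users out of devices that do not recognise them.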
