https://community.cisco.com/t5/network-access-control/attribute-definition-syntax/m-p/1536565#M253924 <HTML><HEAD></HEAD><BODY><P>Whether you put shell: or cisco-av-pair: depends on the RADIUS server.</P><P></P><P>The * instead of the = makes the attribute optional rather than mandatory. This will have relevance if those attributes will be sent to all devices in which the user logs in, in that case you will want to make the attributes optional or the device might fail authorization if it doesn't know what to do with a mandatory attribute (IOS, for example, will fail authorization if it receives a role assignment as mandatory).</P></BODY></HTML> Mon, 29 Nov 2010 20:18:07 GMT Javier Henderson 2010-11-29T20:18:07Z https://community.cisco.com/t5/network-access-control/attribute-definition-syntax/m-p/1536564#M253895 <P>Hi !</P><P></P><P>I planned to migrate our MDS switches to TACACS+ for AAA services.&nbsp; I the documentation I find some different way to defining attributes :</P><P></P><P><A href="http://www.cisco.com/en/US/docs/storage/san_switches/mds9000/sw/rel_2_x/fm/configuration/guide/radius.html#wp1224864" target="_blank">http://www.cisco.com/en/US/docs/storage/san_switches/mds9000/sw/rel_2_x/fm/configuration/guide/radius.html#wp1224864</A></P><P></P><DIV class="pEx2_Example2"><PRE>shell:roles="network-admin" </PRE></DIV><P><A name="wp1224871" target="_blank"></A></P><DIV class="pEx2_Example2"><PRE>shell:roles*"network-admin" </PRE></DIV><P><A name="wp1224872" target="_blank"></A></P><DIV class="pEx2_Example2"><PRE>cisco-av-pair*shell:roles="network-admin" </PRE></DIV><P><A name="wp1224873" target="_blank"></A></P><DIV class="pEx2_Example2"><PRE>cisco-av-pair*shell:roles*"network-admin" </PRE></DIV><P><A name="wp1224874" target="_blank"></A></P><DIV class="pEx2_Example2"><PRE>cisco-av-pair=shell:roles*"network-admin" </PRE></DIV><P></P><P>what is difference between those syntaxe ?</P> Mon, 11 Mar 2019 00:37:14 GMT https://community.cisco.com/t5/network-access-control/attribute-definition-syntax/m-p/1536564#M253895 xine xine 2019-03-11T00:37:14Z https://community.cisco.com/t5/network-access-control/attribute-definition-syntax/m-p/1536565#M253924 <HTML><HEAD></HEAD><BODY><P>Whether you put shell: or cisco-av-pair: depends on the RADIUS server.</P><P></P><P>The * instead of the = makes the attribute optional rather than mandatory. This will have relevance if those attributes will be sent to all devices in which the user logs in, in that case you will want to make the attributes optional or the device might fail authorization if it doesn't know what to do with a mandatory attribute (IOS, for example, will fail authorization if it receives a role assignment as mandatory).</P></BODY></HTML> Mon, 29 Nov 2010 20:18:07 GMT https://community.cisco.com/t5/network-access-control/attribute-definition-syntax/m-p/1536565#M253924 Javier Henderson 2010-11-29T20:18:07Z