Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
960
Views
0
Helpful
1
Replies

attribute definition syntax

xine xine
Level 1
Level 1

‎11-29-2010 10:33 AM - edited ‎03-10-2019 05:37 PM

Hi !

I planned to migrate our MDS switches to TACACS+ for AAA services.  I the documentation I find some different way to defining attributes :

http://www.cisco.com/en/US/docs/storage/san_switches/mds9000/sw/rel_2_x/fm/configuration/guide/radius.html#wp1224864

shell:roles="network-admin"


shell:roles*"network-admin"


cisco-av-pair*shell:roles="network-admin"


cisco-av-pair*shell:roles*"network-admin"


cisco-av-pair=shell:roles*"network-admin"

what is difference between those syntaxe ?

Labels:
0 Helpful
1 Reply 1

Javier Henderson
Level 4
Level 4

‎11-29-2010 12:18 PM

Whether you put shell: or cisco-av-pair: depends on the RADIUS server.

The * instead of the = makes the attribute optional rather than mandatory. This will have relevance if those attributes will be sent to all devices in which the user logs in, in that case you will want to make the attributes optional or the device might fail authorization if it doesn't know what to do with a mandatory attribute (IOS, for example, will fail authorization if it receives a role assignment as mandatory).

0 Helpful
Customers Also Viewed These Support Documents