do_auth - av_pairs

One of the long promised features has finally been added, the ability to modify av pairs. Let's say you have a group which you simply want a user to have disable access to. Simply add this to the group: av_pairs =

This assumes you have priv-lvl in your tac\_plus.conf. (Like examples in other posts) Note, of course, you’ll also need to add a command\_deny for enable or they’ll just type ‘en’ if they have an enable password. Better yet, just don’t give them an enable password!

In addition, we can replace one pair with something completely different, like for a brocade device. priv-lvl,brocade-privlvl=5 will replace any priv-lvl with that brocade-privlv. Think of it as a find/replace function.
Some devices do not like to have their tac\_pairs messed with. They don’t accept AUTHOR\_STATUS\_PASS\_REPL and I’ll spare the rest of the details for lack of time. These include the procurves and the Cisco WLC. Attempts to make these devices work have resulted in much “code sprawl” in do\_auth and are the reason that any service other than shell return 0 unless you explicitly modify a tac\_pair. For these devices, you will have to do all your config in tac\_plus.conf.

One last thing, don’t use v1.6 – it had a bug. Also sorry if you’re comments don’t get approved, apparently I don’t have rights to do that.