I have only messed around (recently) with a few old Procurves, so I will not promise that the following is valid for all devices. Their TACACS+ implementation appears to be quite poor. If you use exclusively Procurves, do not use do\_auth, as Procurves don't properly support authorization. Some Procurves do not have the “aaa authentication login privilege-mode” command, so do\_auth is never even called. If you have these, you will have to do all your security in tac\_plus.conf. Beware: any security defined in your do\_auth.ini is void on these.
Other (newer?) Procurves did call an after-authentication script, but did not work right. In plain English, you can't modify any pairs, because you have to tell it to kludge the response as 0. Do\_auth will do this for you if you add the following to your Procurve group:
This is the wrong exit value, but it will make everything work with “aaa authentication login privilege-mode”. (Again, this is flat out wrong: do not send it to Cisco/Brocade/anybody else, as it voids keys changed in do\_auth.) You can't modify the privilege level, but you can at least deny a person access to a switch based on user/IP/yada. If you have a mixed environment, I would highly suggest having a separate group exclusively for your Procurves. One last thing: -fix-crs-bug also fixes the Procurves and is mandatory, as the switch doesn't send $address. Yes, I know it's a silly workaround; it's on my "to do" list.