TACACS role/DAP assignment

  • July 23, 2021
  • 3 replies
  • 59 views

Hello,

I’m searching for a way to overcome the “Map user role from TACACS+ to NetBrain” restriction:

I’d expect a function like:

“If the TACACS server is sending attributes Role=X;Y;Z and DAP=A;B;C, assign the user to roles X, Y and Z and to DAPs A, B and C”.

But there seems to be only one attribute/value pair accepted by NetBrain.

So when I need a user to be assigned to multiple roles or device access policies, I need to create a new TACACS AV pair and a new entry in the NetBrain map.

And I need a separate AV pair and map entry for each role/DAP combination.

Which is annoying.

Has anybody found a better way?

Thanks,

Milan

3 replies

  • Community Manager
  • 85 replies
  • July 23, 2021

Hi Milan,

Thanks for your post. Unfortunately, we don’t support multiple attribute/value pairs. I have submitted a case to our PM team for research. Sorry for the inconvenience.

  • Author
  • New Participant
  • 4 replies
  • July 23, 2021

Hi Gerry,

Thanks for your quick reply.

Another question:

I can see a warning on the bottom of DAP configuration screen:

“After modifying the privileges of an external user account, contact your system administrator to lock the account's privileges to prevent them from being restored to authentication settings.”

I don’t understand this warning.

I want NetBrain to check the user’s TACACS attributes EVERY time the user logs in.

And if the TACACS attributes were changed (like the user is assigned to a different role by TACACS), the user privileges should also be changed in NetBrain!

That’s the basic function of TACACS authorization, isn’t it?

So the user accounts should NOT be locked, with the exception of system admins, I guess?

Thanks,

Milan
  • Community Manager
  • 85 replies
  • July 26, 2021

Milan,

When an authenticated TACACS+ user logs in, the NetBrain system checks the attribute name and value of their roles on the TACACS+ server and assigns the corresponding roles and privileges in the IE system to them again. It will overwrite the Device Access Policy privileges if the account is not locked.
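
The following is an added illustration, not NetBrain code or anything the vendor confirmed, modelling the two behaviours this thread discusses: the single attribute/value-pair mapping Milan describes (and the multi-valued `Role=X;Y;Z` / `DAP=A;B;C` mapping he would like instead), and the re-authorization at every login that overwrites roles and Device Access Policies unless the account’s privileges are locked, as the community manager explains. The attribute names `Role` and `DAP`, the `;` separator, the `NetBrain-Group` attribute and the `locked` flag are assumptions made for the example; the AV-pair parsing follows the `=` (mandatory) / `*` (optional) separator convention of TACACS+ (RFC 8907).

```python
"""Added illustration (not NetBrain code) of TACACS+ AV-pair -> role/DAP
mapping and of re-applying that mapping at login unless the account is
locked. Attribute names "Role" and "DAP", the ';' separator and the lock
flag are assumptions for the example."""
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    roles: set = field(default_factory=set)
    daps: set = field(default_factory=set)
    locked: bool = False  # assumption: "lock privileges" freezes local edits


def parse_av_pairs(pairs):
    """Parse TACACS+ authorization AV pairs (RFC 8907): the first '=' marks a
    mandatory attribute, the first '*' an optional one.
    Returns {attribute: (value, mandatory)}."""
    out = {}
    for pair in pairs:
        for i, ch in enumerate(pair):
            if ch in "=*":
                out[pair[:i]] = (pair[i + 1:], ch == "=")
                break
        else:
            raise ValueError(f"malformed AV pair: {pair!r}")
    return out


def map_single_pair(av, mapping):
    """Behaviour the thread describes: each map entry is one exact
    attribute/value pair -> (roles, daps). The value is not split, so a
    separate AV pair and map entry is needed per role/DAP combination."""
    for (attr, value), (roles, daps) in mapping.items():
        if attr in av and av[attr][0] == value:
            return set(roles), set(daps)
    return set(), set()


def map_multi_value(av, role_attr="Role", dap_attr="DAP", sep=";"):
    """Behaviour the original post asks for: Role=X;Y;Z and DAP=A;B;C are
    split on the separator into a role set and a DAP set."""
    def split(attr):
        if attr not in av:
            return set()
        return {v.strip() for v in av[attr][0].split(sep) if v.strip()}
    return split(role_attr), split(dap_attr)


def apply_login(account, roles, daps):
    """Re-authorize at login: overwrite the account's roles and DAPs with the
    TACACS+ result unless the account's privileges are locked."""
    if not account.locked:
        account.roles = set(roles)
        account.daps = set(daps)
    return account


if __name__ == "__main__":
    # Constructed AV pairs, as a TACACS+ server might return them.
    av = parse_av_pairs(["Role=X;Y;Z", "DAP=A;B;C"])
    print(map_multi_value(av))
    # Workaround from the post: one AV pair and one map entry per combination.
    av2 = parse_av_pairs(["NetBrain-Group=netops-rw"])
    mapping = {("NetBrain-Group", "netops-rw"): ({"X", "Y"}, {"A", "B"})}
    print(map_single_pair(av2, mapping))
    # Locked account keeps its local privileges across logins.
    admin = Account("admin", roles={"admin"}, daps={"all"}, locked=True)
    print(apply_login(admin, {"X"}, {"A"}))
```

Running the script shows why the lock matters: an unlocked account has whatever was set by hand in the DAP screen replaced by the TACACS+ result on the next login, while a locked account keeps its local privileges. The trade-off Milan raises is real: locking is what preserves a manual edit, but it also means a role change made on the TACACS+ server no longer reaches that account.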