Arista Tac_plus-ng config

[PacifiedParrot]

I may be missing something, but I'm trying to get tac-plus-ng working with arista gear in a migration from an older tac_plus config on now unsupported OS. Some searching has revealed that at least for tac_plus the configuration needs to include:

default command = permit
default attribute = permit
set cvp-roles = "network-admin"

or some combination of them. All 3 are present in my old tac_plus config, however adding "default command = permit" and/or "default attribute = permit" to the profile section causes the service to fail to start.

`

profile tacacs-NetAdmin {

  enable = login

  script {

    if (service == shell && cmd == "") {

      set priv-lvl = 15

      set cvp-roles = "network-admin"

      set local-user-name = "tac-netadmin"

      #default attribute = permit

      optional brcd-role = admin

      #permit

    }

    permit

  }

}

`

What am I missing? Removing those two lines allows the service to start, and I can successfully authenticate to the arista devices, but after it immediately errors and reports "Authorization denied" and disconnects me. Looking up that error is where I found that it seems I need "default attribute = permit", but then I run back into my original problem.

[MarcJHuber]

Hi,

thanks for reporting ... "attribute default = yes" should indeed work, but there's a slight error in the parsing code, I'll fixe that in 7742324.

I haven't noticed the "local-user-name" attribute in Arista documentation, so setting this to "optional" might help, too.

Cheers,

Marc

[PacifiedParrot]

Marc,

Thanks for the quick reply. setting local-user-name to optional seems to have resolved the issue, at least as far as I can tell, am able to log in successfully now, even without the default attribute. "yes" didn't work for me either, but I didn't re-make off the code change either. Thanks again.