Group membership mechanism

mudengkoudai · May 18, 2023, 6:34am

Hi,
We have a user ‘AdminTest’ on Tacacs server , it’s group is operator .Then a same username ‘AdminTest’ also on local db,it’s group is admin.

When we login AdminTest via Tacacs , the expected role is operator,but the result is assigned to groups : admin, operator.
I find that the user is assigned to groups by consulting data under /nacm/groups in confd user guide.

So I want to know if there is a way that will not consult the data under /nacm/groups when login user via tacacs server.

refer ro the topic ’ TACACs and local users with the same user name but different permissions ’

cohult · May 18, 2023, 1:06pm

You are providing the group(s) that the user belongs to from the external tacacs or local authentication. That group assignment is then used by NACM for authorization.
Check your /confdConfig/aaa/authOrder setting in confd.conf, see the confd.conf(5) man page for details, and that the correct groups are returned by the external authentication executable configured in configured in /confdConfig/aaa/externalAuthentication/executable.
See also ConfD UG chapter “External authentication”.