Hi all, there are inquiries every once in a while here about how to enable command authorization for Cisco devices in a Cisco-AVPair. The usual answer is: find out if the NAS has an attribute for it. Now I'm myself trying to get rid of a haunting daemon, the tac_plus daemon, and so I investigated. Cisco claims that there is a complete mapping scheme to translate TACACS+ expressions into Cisco-AVPair Vendor-Specific. This works for example with the priv-lvl attribute: cisco-avpair = "shell:priv-lvl=15" There is a web page for Cisco IOS at http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chap... detailing which TACACS+ commands exist, and it suggests that cisco-avpair = "shell:cmd=show" would do the trick to authorize the "show" command. EXCEPT that there is a tiny note for the commands "cmd" and "cmd-arg" saying that they cannot be used for encapsulation in the Vendor-Specific space. These two are the ONLY ones. Since it's just about parsing the string content of cisco-avpair at the router side, there is absolutely no technical reason why these two wouldn't go through. The only explanation then is that this is a deliberate step by Cisco to make sure that TACACS+ is "superior" to RADIUS by arbitrarily cutting down functionality. Probably the code in IOS is larger with an exception handling to make sure that it doesn't work. I must say: I'm pissed. But I hope I could at least clarify this topic. My next-best approach to circumvent this would be to define an intermediate privilege level that only has the permission to do the commands in question, and only assign the users in question to that lower priv-level. Scales poorly, but enough for us. Maybe that approach serves some others as well. Stefan Winter -- Stefan WINTER Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingenieur Forschung & Entwicklung 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg E-Mail: stefan.winter@restena.lu Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473