Extreme uses Role-Based Access Control (RBAC) to authorize access to system objects by authenticated users. In AAA environments, users might need to be authorized across platforms supported by this guide and other platforms. You can use TACACS+ to provide centralized AAA services to multiple network access servers or clients. To use TACACS+ services in mixed-vendor environments, you must configure the Attribute-Value Pair (AVP) argument to be optional, as shown in the following example.
brcd-role*admin
The device sends the optional argument brcd-role in the authorization request to the TACACS+ server. Most TACACS+ servers are programmed to return the same argument in response to the authorization request, If "brcd-role" is configured as an optional argument, it is sent in the authorization request, and Extreme users are able to successfully authorize with all TACACS+ servers in a mixed-vendor environment.
The following example is specific to the tac_plus package. The syntax for other packages might differ.
In the example, the mandatory attribute priv-lvl=15 is set to allow the server to authenticate. The optional brcd-role = admin argument is added to the tac_plus.conf file and allows devices to authenticate.
The following example configures a user with the optional AVP, brcd-role = admin. An Extreme user must match both the username and usergroup to authenticate successfully.
user = <username> { default service = permit service = exec { priv-lvl=15 optional brcd-role = admin } }
or
group = <usergroup> { default service = permit service = exec { priv-lvl=15 optional brcd-role = admin } } user = <username> { Member = <usergroup> }