<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"><meta name="Generator" content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang="EN-US" link="blue" vlink="purple"><div class="WordSection1"><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">U don’t even need a lab, just add a new user and a new group to your tac_plus.conf. Leave your existing users alone and it’s completely safe. </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Anybody else having issues with Nexus & tac_plus?</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span></p><div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal">
<b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Jathan McCollum [mailto:<a href="mailto:jathan@gmail.com">jathan@gmail.com</a>] <br>
<b>Sent:</b> Monday, October 03, 2011 10:04 AM<br><b>To:</b> Daniel Schmidt<br><b>Cc:</b> Alan McKinnon; <a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br><b>Subject:</b> Re: [tac_plus] Configuring a/v pair expected by Brocade VDX switch</span></p>
</div><p class="MsoNormal"> </p><p class="MsoNormal" style="margin-bottom:12.0pt">Thanks Dan, I will give do_auth a shot in the lab and report back sometime between that time and eterinity. :)</p><div><p class="MsoNormal">
On Mon, Oct 3, 2011 at 8:34 AM, Daniel Schmidt <<a href="mailto:daniel.schmidt@wyo.gov">daniel.schmidt@wyo.gov</a>> wrote:</p><p class="MsoNormal">I've never had this trouble you speak of with Brocade, but then again I<br>
have only used the CER, CES & FCX. The config I posed on <a href="http://tacacs.org" target="_blank">tacacs.org</a><br>seemed to work fine.<br><br>Also, users CAN be members of multiple groups, you just have to write an<br>
authorization script. Or, just use my do_auth.py script from <a href="http://tacacs.org" target="_blank">tacacs.org</a> -<br>several people have told me it works well. Tac_plus, I would argue, is<br>more flexible than Cisco's solution.<br>
<br>I'm working on key replacement with do_auth - what is your issue with<br>Nexus? As for brcd-role, if you are willing to do try do_auth and turn on<br>the debug, I should easily be able to add something for a certain IP range<br>
that strips the pairs you don't want and appends the pairs you do.<br><br>-----Original Message-----<br>From: <a href="mailto:tac_plus-bounces@shrubbery.net">tac_plus-bounces@shrubbery.net</a><br>[mailto:<a href="mailto:tac_plus-bounces@shrubbery.net">tac_plus-bounces@shrubbery.net</a>] On Behalf Of Alan McKinnon<br>
Sent: Friday, September 30, 2011 3:43 PM<br>To: <a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br>Subject: Re: [tac_plus] Configuring a/v pair expected by Brocade VDX<br>switch</p><div><div><p class="MsoNormal">
<br>On Fri, 30 Sep 2011 14:14:03 -0700<br>Jathan McCollum <<a href="mailto:jathan@gmail.com">jathan@gmail.com</a>> wrote:<br><br>> Hey John, thanks for the reply. That's a good suggestion that I'll<br>> tuck away for future reference.<br>
><br>> I actually tracked down access to the Brocade support knowledge base<br>> and found a document someone had posted using Cisco ASA.<br>><br>> And it is:<br>><br>> brcd-role = <role><br>><br>
> So my group config would be:<br>><br>> group = admin {<br>> default service = permit<br>> service = exec {<br>> priv-lvl = 15<br>> brcd-role = admin<br>> }<br>> }<br>
><br>> However, sharing that with Cisco devices causes them to be unhappy<br>> and fail authorization. I tried prepending the "optional" keyword<br>> e.g. "optional brcd-role = admin", which makes Cisco devices happy<br>
> again, but breaks it on the Brocade.<br>><br>> So... almost there, but still missing something.<br><br><br>Hi Jathan,<br><br>I had a very similar issue getting my Cisco and Nexus kit to work<br>together. Short answer is I couldn't get them to work together.<br>
<br>The solution I opted for was to run two instances of tac_plus, the<br>original on port 49 for Cisco and the second on port 50 for Nexus, and<br>keep the configs entirely separate. This works for me and is probably<br>
more intuitive than trying to express the same thing in a single config<br>file.<br><br>One of the shortcomings of tac_plus in it's current form is how<br>inflexible it can be. Users can be a member of only one group, which is<br>
a member of only one group etc. Freeradius has a concept of "vhosts"<br>which would be insanely useful on tac_plus, but there is no comparable<br>feature. You seem to have run into this.<br><br>I'm not complaining (for the asking price of free tac_plus is a great<br>
product) and until I start submitting patches I have very little<br>street-cred. In the meantime I accept that sometimes we have to do<br>things in unusual ways (like run two daemons) to get what we want.<br><br><br><br>><br>
> On Fri, Sep 30, 2011 at 1:59 PM, john heasley <<a href="mailto:heas@shrubbery.net">heas@shrubbery.net</a>><br>> wrote:<br>><br>> > Fri, Sep 30, 2011 at 01:39:32PM -0700, Jathan McCollum:<br>> > > The documentation indicates the device is expecting the server to<br>
> > > send an a/v pair that specifies the authenticated user's role. I<br>> > > assume the value would be "admin" in this case. The problem is<br>> > > that nowhere in the documentation so far have I seen what<br>
> > > attribute the device is expecting. There may also be a unique<br>> > > service type (again similar to JUNOS' "junos-exec") that is being<br>> > > expected.<br>> > ><br>
> > > So... After all that background, anyone had experience with this<br>> > > platform and gotten it working successfully w/ tac_plus?<br>> ><br>> > none, but some devices send the av pairs they have when they perform<br>
> > authen and/or author. if you enable the appropriate debugging<br>> > knobs, it might reveal it to you.<br>> ><br>> > or, take the image that you load on the box, uncompress it, unzip<br>> > it or whatever their packaging method is, then run strings(1) on it<br>
> > and look for strings that might be related to authorization. then<br>> > send a bomb to brocade offices.<br>> ><br>><br>><br>><br><br><br><br>--<br>Alan McKinnnon<br><a href="mailto:alan.mckinnon@gmail.com">alan.mckinnon@gmail.com</a><br>
_______________________________________________<br>tac_plus mailing list<br><a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br><a href="http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus" target="_blank">http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus</a><br>
_______________________________________________<br>tac_plus mailing list<br><a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br><a href="http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus" target="_blank">http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus</a></p>
</div></div></div><p class="MsoNormal"><br><br clear="all"></p><div><p class="MsoNormal"> </p></div><p class="MsoNormal">-- <br>Jathan.<br>--</p></div></body></html>