<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I have tested using Cisco devices against other TACACS+ software (Cisco ACS and tacacs.net), both of which do send optional a/v pairs, and Cisco devices do exactly what I would expect they should do with optional a/v pairs: ignore them, and authorisation is passed.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Daniel Schmidt [mailto:daniel.schmidt@wyo.gov] <br><b>Sent:</b> 24 January 2012 16:31<br><b>To:</b> Jathan McCollum<br><b>Cc:</b> Mick Day; tac_plus@shrubbery.net<br><b>Subject:</b> RE: [tac_plus] Should optional A/V pair be sent?<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>In do_auth, I simply provide ways to get around the #*(@ stupid things vendors do. I do not think that tac_plus should change to accommodate the whim of every vendor who does something different. If there is a bug in that the optional roles were not sent, Cisco would probably freak out when it received them anyway. Please see if you can get the Cisco to honor its priv-lvl while ignoring the brcd-role. 
</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Jathan McCollum [mailto:<a href="mailto:jathan@gmail.com">jathan@gmail.com</a>] <br><b>Sent:</b> Tuesday, January 24, 2012 9:02 AM<br><b>To:</b> Daniel Schmidt<br><b>Cc:</b> Mick Day; <a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br><b>Subject:</b> Re: [tac_plus] Should optional A/V pair be sent?</span><span lang=EN-US><o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Thanks, Dan. <o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>I tested this and it works replacing the attribute with "brcd-role*admin". I need to test whether I can have this interop with my Cisco gear and lock in a working solution. I should have a confirmation before the end of the day.<o:p></o:p></span></p></div><div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>In the meantime, is the official stance now to rely on do_auth.py now that it's being bundled with the daemon? If not, it seems to me like there is a bug in the daemon preventing it from properly sending optional attributes over the wire, and I feel like addressing it there is the right place. Please correct me if I'm wrong! 
<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>jathan.<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-US>On Tue, Jan 24, 2012 at 7:51 AM, Daniel Schmidt <<a href="mailto:daniel.schmidt@wyo.gov">daniel.schmidt@wyo.gov</a>> wrote:<o:p></o:p></span></p><div><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Cisco sends a “cmd*” as the first thing. Being no expert on the subject, I can only say that unless you strip it, it will not honor your priv-lvl or any other keys you send. I’d like to see a valid example of the actual tac_keys received/sent of a working optional key. </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I might recommend Jathan try the following experiment:</span><span lang=EN-US><o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>group = admin {<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> default service = permit<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> service = exec {<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> priv-lvl = 15<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> }<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>}<o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-US>user = jathan {<o:p></o:p></span></p><div><p class=MsoNormal><span 
lang=EN-US> login = cleartext jathan<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> pap = cleartext jathan<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> member = admin<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>}<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>And in do_auth 1.9:</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>av_pairs =</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> priv-lvl,</span><span lang=EN-US> </span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>brcd-role=admin</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>or perhaps experiment with:</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>av_pairs =</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> priv-lvl,</span><span lang=EN-US> </span><span lang=EN-US 
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>brcd-role*admin</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Mick Day [mailto:<a href="mailto:mick@mickday.com" target="_blank">mick@mickday.com</a>] <br><b>Sent:</b> Tuesday, January 24, 2012 6:50 AM<br><b>To:</b> 'Daniel Schmidt'; 'Jathan McCollum'</span><span lang=EN-US><o:p></o:p></span></p><div><div><p class=MsoNormal><span lang=EN-US><br><b>Cc:</b> <a href="mailto:tac_plus@shrubbery.net" target="_blank">tac_plus@shrubbery.net</a><br><b>Subject:</b> RE: [tac_plus] Should optional A/V pair be sent?<o:p></o:p></span></p></div></div></div></div><div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I thought the whole point of optional a/v pairs was that tac_plus should send these to the NAS with * rather than =, and then the NAS has the option to ignore the attribute, whereas with mandatory attributes the NAS must obey them or deny authorisation, as per the tac_plus FAQ:</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span 
lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&lt;snip&gt;</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>Q). Can someone expand on the use of the "optional" keyword.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>A). Most attributes are mandatory i.e. if the daemon sends them to the</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'> NAS, the NAS must obey them or deny the authorization. This is the</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'> default. It is possible to mark attributes as optional, in which case</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'> a NAS which cannot support the attribute is free to simply ignore it</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'> without causing the authorization to fail.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&lt;/snip&gt;</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>The problem is tac_plus is not sending any optional a/v pairs to the NAS at all and only sends mandatory ones.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span 
lang=EN-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Daniel Schmidt [<a href="mailto:daniel.schmidt@wyo.gov" target="_blank">mailto:daniel.schmidt@wyo.gov</a>] <br><b>Sent:</b> 23 January 2012 19:15<br><b>To:</b> Jathan McCollum; Mick Day<br><b>Cc:</b> <a href="mailto:tac_plus@shrubbery.net" target="_blank">tac_plus@shrubbery.net</a><br><b>Subject:</b> RE: [tac_plus] Should optional A/V pair be sent?</span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal> <span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Do_auth 1.9 can append or remove* av_pairs now; that’s essentially what I’m doing below. I think I added that feature while trying to fix the Nexus. (Thought I told Jathan?) I believe 1.9 is in the tarball, but I haven’t posted anything on <a href="http://tacacs.org" target="_blank">tacacs.org</a> because I’ve been busy and there wasn’t a lot of interest in it or the Nexus fixes. (tac_plus does what most people need without do_auth.) </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>In short: The tac_pairs for the nexus created the same problem people experience with Brocade, but there was an easy way to distinguish the nexus from everything else by noting a subtle difference in the tac_pairs nexus sends. 
(If Brocade didn’t mimic Cisco, I could implement a fix for it as well.) Hence, in do_auth is a trivial, automatic routine: if(found_nexus), send(“shell:roles”), else pass. Thus, it sends shell:roles only to the nexus, and priv-lvl to the Cisco. It’s a kluge, and Cisco may change the pairs, but it works quite well for now. If you wish to establish roles and priv-lvls, it appears impossible to use one tac_plus server for nexus and Cisco unless you use do_auth 1.9 or some other after-authentication fix/kluge. Not to imply this is an issue with tac_plus; it’s a Cisco issue.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Anyway, I would imagine “optional” would have to be triggered somehow by the Brocade sending some sort of tac_key to tac_plus, but I’ve never seen anything like that – please comment if you know more on the subject or have an example of the tac_pairs sent. 
</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:8.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>*Haven’t actually tried to remove pairs, but it should work if you put nothing after the comma. </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Jathan McCollum [mailto:<a href="mailto:jathan@gmail.com" target="_blank">jathan@gmail.com</a>] <br><b>Sent:</b> Monday, January 23, 2012 10:41 AM<br><b>To:</b> Mick Day<br><b>Cc:</b> Daniel Schmidt; <a href="mailto:tac_plus@shrubbery.net" target="_blank">tac_plus@shrubbery.net</a><br><b>Subject:</b> Re: [tac_plus] Should optional A/V pair be sent?</span><span lang=EN-US><o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><div><div><div><div><p class=MsoNormal><span lang=EN-US>I am still having the exact same problem. <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>The tac_plus daemon is NOT sending optional a/v pairs over the wire at all. I had been in communication with Dan back in September about modifying do_auth.py to be able to append or remove a/v pairs. Currently do_auth.py is only able to replace existing pairs. I was going to try to contribute code to make do_auth.py do this, but it got de-prioritized until last week and I had to move onto something else. 
I am just now revisiting this issue.<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Using this configuration:<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>group = admin {<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> default service = permit<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> service = exec {<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> optional brcd-role = admin<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> priv-lvl = 15<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> }<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>}<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>user = jathan {<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> login = cleartext jathan<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> pap = cleartext jathan<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> member = admin<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>}<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>And running tac_plus with maximum debug output, you see this when I log in to the device and it sends the authorization request:<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:26:11 2012 [11716]: Start authorization request<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:26:11 2012 [11716]: cfg_get_value: name=jathan isuser=1 attr=acl rec=1<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:26:11 2012 [11716]: 
cfg_get_value: recurse group = admin<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:26:11 2012 [11716]: cfg_get_pvalue: returns NULL<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:26:11 2012 [11716]: do_author: user='jathan'<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:26:11 2012 [11716]: cfg_get_value: name=jathan isuser=1 attr=before rec=1<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:26:11 2012 [11716]: cfg_get_value: recurse group = admin<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:26:11 2012 [11716]: cfg_get_pvalue: returns NULL<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:26:11 2012 [11716]: user 'jathan' found<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:26:11 2012 [11716]: exec authorization request for jathan<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: username=jathan N_svc_exec proto= svcname= rec=1<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: recurse group = admin<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: found N_svc_exec proto= svcname=<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:26:11 2012 [11716]: exec is explicitly permitted by line 6<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: username=jathan N_svc_exec proto= svcname= rec=1<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: recurse group = admin<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:26:11 2012 
[11716]: cfg_get_svc_node: found N_svc_exec proto= svcname=<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:26:11 2012 [11716]: nas:service=shell (passed thru)<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:26:11 2012 [11716]: nas:cmd= (passed thru)<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:26:11 2012 [11716]: nas:absent, server:priv-lvl=15 -> add priv-lvl=15 (k)<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:26:11 2012 [11716]: added 1 args<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:26:11 2012 [11716]: out_args[0] = service=shell input copy discarded<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:26:11 2012 [11716]: out_args[1] = cmd= input copy discarded<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:26:11 2012 [11716]: out_args[2] = priv-lvl=15 compacted to out_args[0]<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:26:11 2012 [11716]: 1 output args<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:26:11 2012 [11716]: cfg_get_value: name=jathan isuser=1 attr=after rec=1<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:26:11 2012 [11716]: cfg_get_value: recurse group = admin<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:26:11 2012 [11716]: cfg_get_pvalue: returns NULL<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:26:11 2012 [11716]: Writing AUTHOR/PASS_ADD size=30<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Which results in this experience on the device:<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> 
<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>vdxhub1-lab-sw0 login: jathan<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Password: <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>User's role is unavailable, using default.<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Welcome to the Brocade Network Operating System Software<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>jathan connected from 10.178.91.108 using console on vdxhub1-lab-sw0<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>vdxhub1-lab-sw0# <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Now, if I change that a/v pair to mandatory (remove the optional prefix):<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:30:29 2012 [11851]: Start authorization request<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:30:29 2012 [11851]: cfg_get_value: name=jathan isuser=1 attr=acl rec=1<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:30:29 2012 [11851]: cfg_get_value: recurse group = admin<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:30:29 2012 [11851]: cfg_get_pvalue: returns NULL<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:30:29 2012 [11851]: do_author: user='jathan'<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:30:29 2012 [11851]: cfg_get_value: name=jathan isuser=1 attr=before rec=1<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:30:29 2012 [11851]: cfg_get_value: recurse group = admin<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:30:29 2012 [11851]: 
cfg_get_pvalue: returns NULL<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:30:29 2012 [11851]: user 'jathan' found<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:30:29 2012 [11851]: exec authorization request for jathan<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:30:29 2012 [11851]: cfg_get_svc_node: username=jathan N_svc_exec proto= svcname= rec=1<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:30:29 2012 [11851]: cfg_get_svc_node: recurse group = admin<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:30:29 2012 [11851]: cfg_get_svc_node: found N_svc_exec proto= svcname=<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:30:29 2012 [11851]: exec is explicitly permitted by line 6<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:30:29 2012 [11851]: cfg_get_svc_node: username=jathan N_svc_exec proto= svcname= rec=1<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:30:29 2012 [11851]: cfg_get_svc_node: recurse group = admin<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:30:29 2012 [11851]: cfg_get_svc_node: found N_svc_exec proto= svcname=<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:30:29 2012 [11851]: nas:service=shell (passed thru)<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:30:29 2012 [11851]: nas:cmd= (passed thru)<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:30:29 2012 [11851]: nas:absent, server:brcd-role=admin -> add brcd-role=admin (k)<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:30:29 2012 [11851]: nas:absent, server:priv-lvl=15 -> add priv-lvl=15 (k)<o:p></o:p></span></p></div><div><p class=MsoNormal><span 
lang=EN-US>Mon Jan 23 09:30:29 2012 [11851]: added 2 args<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:30:29 2012 [11851]: out_args[0] = service=shell input copy discarded<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:30:29 2012 [11851]: out_args[1] = cmd= input copy discarded<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:30:29 2012 [11851]: out_args[2] = brcd-role=admin compacted to out_args[0]<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:30:29 2012 [11851]: out_args[3] = priv-lvl=15 compacted to out_args[1]<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:30:29 2012 [11851]: 2 output args<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:30:29 2012 [11851]: cfg_get_value: name=jathan isuser=1 attr=after rec=1<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:30:29 2012 [11851]: cfg_get_value: recurse group = admin<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:30:29 2012 [11851]: cfg_get_pvalue: returns NULL<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Mon Jan 23 09:30:29 2012 [11851]: Writing AUTHOR/PASS_ADD size=46<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Note that it accurately picked up the attribute from the config and sent it back to the device. 
When I log in to the device, I get the admin privileges I am expecting:<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>vdxhub1-lab-sw0 login: jathan<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Password: <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Welcome to the Brocade Network Operating System Software<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>jathan connected from 10.178.91.108 using console on vdxhub1-lab-sw0<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>vdxhub1-lab-sw0# <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>This does seem like a bug in tac_plus in which it is not sending optional A/V pairs at all. So I have two asks of this list:<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>1. Would it be possible for someone familiar with the C code to confirm whether this is actually a bug or not? If so, would it be possible to get it addressed for an upcoming release? <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>2. Dan, if you have the resources/time, would you be willing to add the support for the av_pairs_append thing you and I had talked about in email? 
(I had gotten it working in my lab before, but you have since updated do_auth.py to version 1.8).<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Thanks,<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>jathan.<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>On Mon, Jan 23, 2012 at 8:07 AM, Mick Day <<a href="mailto:mick@mickday.com" target="_blank">mick@mickday.com</a>> wrote:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Hi,<br><br>Thanks for the information but my specific question was regarding how<br>tac_plus deals with optional a/v pairs , in the following configuration<br>should the a/v pair " brcd-role*admin" be sent to NAS?<o:p></o:p></span></p><div><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US><br>group = admin {<br> default service = permit<br> service = exec {<br> priv-lvl = 15<br> optional brcd-role = admin<br> }<br>}<o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-US>I have now tested this with Cisco ACS and TACACS.net both of which send the<br>optional a/v pair but tac_plus does not?<o:p></o:p></span></p><div><div><p class=MsoNormal><span lang=EN-US><br>-----Original Message-----<br>From: Daniel Schmidt [mailto:<a href="mailto:daniel.schmidt@wyo.gov" target="_blank">daniel.schmidt@wyo.gov</a>]<br>Sent: 23 January 2012 15:34<br>To: Mick Day; <a href="mailto:tac_plus@shrubbery.net" target="_blank">tac_plus@shrubbery.net</a><br>Subject: RE: [tac_plus] Should optional A/V pair be sent?<br><br>I also have noted that if you send a Cisco switch/router anything other than<br>"priv-lvl", they do not work. One workaround is to use do_auth. 
The<br>following example is brocade's traditional privlvl, but the same concept<br>should work with the brcd-role you describe. (Note, this is more to fix a<br>Cisco bug than a Brocade) Simply put: If you match a brocade device and<br>find something that says "priv-lvl" replace it with "brocade-privlvl=5"<br><br>[brocade_disable]<br>host_allow =<br> .*<br>device_permit =<br> &lt;list of brocade devices&gt;<br>command_permit =<br> .*<br>av_pairs =<br> priv-lvl,brocade-privlvl=5<br><br>-----Original Message-----<br>From: <a href="mailto:tac_plus-bounces@shrubbery.net" target="_blank">tac_plus-bounces@shrubbery.net</a><br>[mailto:<a href="mailto:tac_plus-bounces@shrubbery.net" target="_blank">tac_plus-bounces@shrubbery.net</a>] On Behalf Of Mick Day<br>Sent: Monday, January 23, 2012 4:31 AM<br>To: <a href="mailto:tac_plus@shrubbery.net" target="_blank">tac_plus@shrubbery.net</a><br>Subject: [tac_plus] Should optional A/V pair be sent?<br><br>Hi Everyone,<br><br>I am having a problem with sending optional a/v pair from tac_plus, this is<br>related to post<br><a href="http://www.shrubbery.net/pipermail/tac_plus/2011-September/000978.html" target="_blank">http://www.shrubbery.net/pipermail/tac_plus/2011-September/000978.html</a> as it<br>now appears that the latest Brocade VDX code now supports optional a/v pairs<br>for 'brcd-role' the only problem is that when the NAS authenticates with the<br>server only the mandatory a/v pairs are being sent<br><br>My configuration is as follows:<br><br>group = admin {<br> default service = permit<br> service = exec {<br> priv-lvl = 15<br> optional brcd-role = admin<br> }<br>}<br><br>The NAS only ever receives the a/v pair ' priv-lvl = 15' is this expected<br>behaviour? 
If I reconfigure the 'brcd-role' to a mandatory it then sends<br>both 'priv-lvl' and 'brcd-role' but then this creates the same problem as<br>described in previous post<br><a href="http://www.shrubbery.net/pipermail/tac_plus/2011-September/000978.html" target="_blank">http://www.shrubbery.net/pipermail/tac_plus/2011-September/000978.html</a><br>where Cisco devices fail authorisation.<br><br>I have also tried the same with Cisco ACS and this sends both the mandatory<br>and optional a/v pairs allowing both devices to be able to log in.<br><br>I am unclear as to whether it is expected behaviour for server to send<br>optional a/v pairs by default?<br><br>_______________________________________________<br>tac_plus mailing list<br><a href="mailto:tac_plus@shrubbery.net" target="_blank">tac_plus@shrubbery.net</a><br><a href="http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus" target="_blank">http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus</a><br>E-Mail to and from me, in connection with the transaction of public<br>business, is subject to the Wyoming Public Records Act, and may be disclosed<br>to third parties.<br><br>_______________________________________________<br>tac_plus mailing list<br><a href="mailto:tac_plus@shrubbery.net" target="_blank">tac_plus@shrubbery.net</a><br><a href="http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus" target="_blank">http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus</a><o:p></o:p></span></p></div></div></div><p class=MsoNormal><span lang=EN-US><br><br clear=all><o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-US>-- <br>Jathan.<br>--<o:p></o:p></span></p></div></div></div><pre>E-Mail to and from me, in connection with the transaction <span lang=EN-US><o:p></o:p></span></pre><pre>of public business, is subject to the Wyoming Public Records <span lang=EN-US><o:p></o:p></span></pre><pre>Act, and may be disclosed to third parties.<span 
lang=EN-US><o:p></o:p></span></pre><pre> <span lang=EN-US><o:p></o:p></span></pre></div></div></div></div></div></div></div></div></body></html>