<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"><meta name="Generator" content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style></head><body lang="EN-US" link="blue" vlink="purple"><div class="WordSection1"><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> 7600 is required to support it, tacacs isn’t required to have it though. How would tac_plus answer if nobody defined priv-lvl? </span></p>
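<p class="MsoNormal">The separator rule this thread turns on, as an added example (not code from the thread, from tac_plus, or from any vendor): a Python model of how a NAS is expected to apply a TACACS+ authorization reply, with "=" marking a mandatory attribute and "*" an optional one. The set of attributes the device "knows" is an assumption; the internal priv-lvl default of 1 is taken from the messages below.</p>

```python
# Added example, not code from the tac_plus thread or from any vendor: a model
# of how a TACACS+ client (NAS) applies the server's authorization reply.
# In an AV pair the separator carries the semantics: '=' means mandatory,
# '*' means optional. A NAS must fail on an unknown mandatory attribute and
# must silently ignore an unknown optional one (that is the 'bogus=fail' test).

PASS_ADD, PASS_REPL, FAIL = "PASS_ADD", "PASS_REPL", "FAIL"


def parse_av(pair):
    """Split 'name=value' / 'name*value' into (name, value, mandatory)."""
    # The first '=' or '*' is the separator; the value may be empty ('cmd*').
    for i, ch in enumerate(pair):
        if ch in "=*":
            return pair[:i], pair[i + 1:], ch == "="
    raise ValueError(f"not an AV pair: {pair!r}")


def apply_authorization(request_avs, status, reply_avs, known, defaults):
    """Return (result, effective attributes) as a compliant NAS would."""
    if status == FAIL:
        return FAIL, {}
    effective = dict(defaults)          # device-internal defaults
    base = [] if status == PASS_REPL else list(request_avs)  # REPL drops request
    for pair in base + list(reply_avs):
        name, value, mandatory = parse_av(pair)
        if name not in known:
            if mandatory:
                return FAIL, {}         # unknown mandatory AV: authorization fails
            continue                    # unknown optional AV: ignored
        effective[name] = value         # later pairs override earlier ones
    return "PASS", effective


# Constructed scenario matching the thread: the 7600 requests only the shell
# service (plus an empty optional 'cmd*'). The 'known' set is an assumption;
# the priv-lvl default of 1 is the internal default the thread describes.
CISCO_KNOWN = {"service", "cmd", "priv-lvl"}
CISCO_DEFAULTS = {"priv-lvl": "1"}
REQUEST = ["service=shell", "cmd*"]


def cisco_outcome(reply_avs, status=PASS_ADD):
    return apply_authorization(REQUEST, status, reply_avs, CISCO_KNOWN, CISCO_DEFAULTS)


if __name__ == "__main__":
    print(cisco_outcome(["priv-lvl*15", "bogus=fail"]))  # ('FAIL', {})
    print(cisco_outcome(["priv-lvl*15"]))                # PASS, priv-lvl '15'
    print(cisco_outcome([]))                             # PASS, priv-lvl stays '1'
```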
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p><div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal">
<b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Jathan McCollum [mailto:<a href="mailto:jathan@gmail.com">jathan@gmail.com</a>] <br>
<b>Sent:</b> Wednesday, January 25, 2012 12:51 PM<br><b>To:</b> heasley<br><b>Cc:</b> Daniel Schmidt; <a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br><b>Subject:</b> Re: [tac_plus] Should optional A/V pair be sent?</span></p>
</div><p class="MsoNormal"> </p><p class="MsoNormal">This is an interesting case, because what I have discovered in this debugging is that the Cisco hardware, in fact, does not send along any attributes it requires other than "service=shell". For testing I am using a Cisco 7600.</p>
<div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">I configured tac_plus like so:</p></div><div><p class="MsoNormal"> </p></div><div><pre>group = admin {
    default service = permit
    service = exec {
        optional priv-lvl = 15
        bogus = fail
    }
}</pre><div><p class="MsoNormal">So that's "priv-lvl*15" and "bogus=fail" on the wire... </p>
</div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">On the 7600 I turned on "debug aaa authorization", and upon trying to login, this was the debug output:</p></div><div><p class="MsoNormal"> </p>
</div><div><div><p class="MsoNormal">31w1d: AAA: parse name=tty1 idb type=-1 tty=-1</p></div><div><p class="MsoNormal">31w1d: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0</p></div><div><p class="MsoNormal">
31w1d: AAA/MEMORY: create_user (0x5105D0E8) user='NULL' ruser='NULL' ds0=0 port='tty1' rem_addr='10.178.91.108' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)</p>
</div><div><p class="MsoNormal">31w1d: tty1 AAA/AUTHOR/EXEC (431951709): Port='tty1' list='' service=EXEC</p></div><div><p class="MsoNormal">31w1d: AAA/AUTHOR/EXEC: tty1 (431951709) user='jathan'</p>
</div><div><p class="MsoNormal">31w1d: tty1 AAA/AUTHOR/EXEC (431951709): send AV service=shell</p></div><div><p class="MsoNormal">31w1d: tty1 AAA/AUTHOR/EXEC (431951709): send AV cmd*</p></div><div><p class="MsoNormal">31w1d: tty1 AAA/AUTHOR/EXEC (431951709): found list "default"</p>
</div><div><p class="MsoNormal">31w1d: tty1 AAA/AUTHOR/EXEC (431951709): Method=tacacs+ (tacacs+)</p></div><div><p class="MsoNormal">31w1d: AAA/AUTHOR/TAC+: (431951709): user=jathan</p></div><div><p class="MsoNormal">31w1d: AAA/AUTHOR/TAC+: (431951709): send AV service=shell</p>
</div><div><p class="MsoNormal">31w1d: AAA/AUTHOR/TAC+: (431951709): send AV cmd*</p></div><div><p class="MsoNormal">31w1d: AAA/AUTHOR (431951709): Post authorization status = PASS_ADD</p></div><div><p class="MsoNormal">31w1d: AAA/AUTHOR/EXEC: Processing AV service=shell</p>
</div><div><p class="MsoNormal">31w1d: AAA/AUTHOR/EXEC: Processing AV cmd*</p></div><div><p class="MsoNormal">31w1d: AAA/AUTHOR/EXEC: Processing AV bogus=fail</p></div><div><p class="MsoNormal">31w1d: AAA/AUTHOR/EXEC: received unknown mandatory AV: bogus=fail</p>
</div><div><p class="MsoNormal">31w1d: AAA/AUTHOR/EXEC: Authorization FAILED</p></div><div><p class="MsoNormal">31w1d: AAA/MEMORY: free_user (0x5105D0E8) user='jathan' ruser='NULL' port='tty1' rem_addr='10.178.91.108' authen_type=ASCII service=LOGIN priv=1</p>
</div></div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">Per the RFC, the Cisco 7600 received a mandatory attribute it could not process, and it failed authorization. Bravo! Observe, however, that the Cisco device never sent "priv-lvl" in its authorization request to the server.</p>
</div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">That means we also learned that the Cisco is never propositioning the server to say "I require priv-lvl" to be set, because it really doesn't. This attribute defaults internally to 1. One may successfully obtain a shell without that attribute set, and upon login you are dropped to a non-enabled ">" prompt. By sending along priv-lvl, you are telling the device to escalate your privileges to the number specified (where 15 is super-user), thereby auto-enabling you and presenting you with the "#" prompt.</p>
</div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">With that in mind, it's now clear that the Brocade VDX is in fact NOT behaving correctly when it receives unknown attributes. If I attempt to connect to the VDX again using those same attributes including "bogus=fail", it still allows me to connect as a read-only user. The VDX requires the "brcd-role=admin" attribute set in order to escalate your shell to super-user, but it is not by definition a mandatory attribute.</p>
</div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">So... I still think there is value in having a way within the tac_plus server configuration to always send optional attributes to devices. We need a way to tell the server to send optional attributes that weren't necessarily requested by the NAS. I think the ability to utilize a utility like do_auth.py is invaluable, but I believe it would be wise for us to consider whether that is the best place to maintain that functionality in the long term. </p>
</div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">jathan.</p></div><p class="MsoNormal"> </p><div><p class="MsoNormal">On Wed, Jan 25, 2012 at 2:10 PM, heasley <<a href="mailto:heas@shrubbery.net">heas@shrubbery.net</a>> wrote:</p>
<p class="MsoNormal">Wed, Jan 25, 2012 at 08:20:50AM -0700, Daniel Schmidt:</p><div><p class="MsoNormal" style="margin-bottom:12.0pt">> This is why I added the "av_pair kluging" to do_auth. Users with Nexus,<br>
> Brocade, Cisco, XR & whatever can all play nice together on one tac_plus<br>> server. And, network operators can all have appropriate read-only<br>> accounts, despite vendor differences. It's not to fix the limitations of<br>
> tac_plus, it's to fix the limitations (bugs) of the vendors. Well, that<br>> and multiple groups per user.</p></div><p class="MsoNormal">I'll leave the code as is for now. Perhaps a host {} knob to enable it<br>
is appropriate, or disable it.</p></div><p class="MsoNormal"><br><br clear="all"></p><div><p class="MsoNormal"> </p></div><p class="MsoNormal">-- <br>Jathan.<br>--</p></div></div></body></html>