Sorry, I meant VDX, not MDX. Anyway...<br><br><div class="gmail_quote">On Tue, Feb 21, 2012 at 2:15 PM, Jathan McCollum <span dir="ltr"><<a href="mailto:jathan@gmail.com">jathan@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Very briefly on this topic:<div><br></div><div>Brocade has admitted that on the MDX platform choosing to accept any AV pairs whether the device could process them or not was a design decision. This breaks TACACS+ and I've since asked them to fix this.</div>
<div><br></div><div>In any case, the correct behavior according to the TACACS+ protocol when a device receives a mandatory attribute it cannot process is to FAIL authorization, thereby booting you from the device.</div><div>
<br></div><div>At least you know that in some cases, the devices are behaving correctly by flat out denying you. <div><div class="h5"><br><br><div class="gmail_quote">On Tue, Feb 21, 2012 at 2:00 PM, Daniel Schmidt <span dir="ltr"><<a href="mailto:daniel.schmidt@wyo.gov" target="_blank">daniel.schmidt@wyo.gov</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I previously reported that a Cisco, given the mandatory brocade-privlvl<br>
(which it doesn’t understand), will simply default to disable. This<br>
assertion appears to be incorrect. On some devices/versions it puts you<br>
in disable, in some it puts you in enable, and on some it flat out denies<br>
access telling you authorization failed. Serves me right, expecting<br>
consistency when Heasley flat out warned me not to! Brocade's new method of<br>
using optional av pairs will serve them better - one has to wonder if Cisco<br>
makes it work incorrectly on purpose.<br>
<br>
<br>
<br>
Feb 21 21:30:32.346: AAA/AUTHOR (0x12B): Pick method list 'default' - FAIL<br>
<br>
Feb 21 21:30:32.390: AAA/AUTHOR/EXEC(0000012B): Authorization FAILED<br>
<br>
E-Mail to and from me, in connection with the transaction<br>
of public business, is subject to the Wyoming Public Records<br>
Act and may be disclosed to third parties.<br>
<br>
_______________________________________________<br>
tac_plus mailing list<br>
<a href="mailto:tac_plus@shrubbery.net" target="_blank">tac_plus@shrubbery.net</a><br>
<a href="http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus" target="_blank">http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus</a><br>
</blockquote></div><br><br clear="all"><div><br></div></div></div><span class="HOEnZb"><font color="#888888">-- <br>Jathan.<br>--<br>
</font></span></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Jathan.<br>--<br>
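The rule stated above (a mandatory AV pair the device cannot process must fail authorization, an optional one may be ignored), as an added Python example that is not code from this thread or from any vendor: the client model, the set of "known" attributes, and the attribute values are constructed for illustration; brocade-privlvl is the attribute named in Daniel's message.

```python
# Added example: models how a TACACS+ client is expected to treat the AV pairs
# in an authorization REPLY. "attr=value" is mandatory, "attr*value" is
# optional; the separator is the first '=' or '*' in the string. An unknown
# mandatory attribute fails authorization, an unknown optional one is ignored.
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class AVPair:
    attr: str
    value: str
    mandatory: bool


def parse_av_pair(raw: str) -> AVPair:
    """Split one AV pair on its first '=' or '*' (the value may contain either)."""
    for i, ch in enumerate(raw):
        if ch in "=*":
            return AVPair(raw[:i], raw[i + 1:], mandatory=(ch == "="))
    raise ValueError(f"no separator in AV pair: {raw!r}")


# Constructed set of attributes this hypothetical Cisco-like client can apply.
KNOWN_ATTRS = {"service", "priv-lvl", "idletime", "timeout"}


def authorize(reply_pairs: list[str], known=KNOWN_ATTRS) -> tuple[bool, dict]:
    """Return (authorized, applied). Any unknown mandatory attribute -> FAIL."""
    applied: dict = {}
    for raw in reply_pairs:
        p = parse_av_pair(raw)
        if p.attr in known:
            applied[p.attr] = p.value
        elif p.mandatory:
            # Cannot oblige a mandatory attribute: authorization has failed.
            return False, {}
        # Unknown optional attribute: ignored, processing continues.
    return True, applied


if __name__ == "__main__":
    # Constructed replies: the vendor attribute sent as mandatory, then as optional.
    print(authorize(["service=shell", "brocade-privlvl=0", "priv-lvl=15"]))  # (False, {})
    print(authorize(["service=shell", "brocade-privlvl*0", "priv-lvl=15"]))  # authorized
```

Run against the two constructed replies, the first fails outright (the "authorization failed" outcome in the Cisco log above) while the second applies only the attributes the client understands.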