<div dir="ltr">Modified the config with the right user name and still the same error<br><div class="gmail_extra"><br><br><div class="gmail_quote">On Sun, Jun 15, 2014 at 7:09 PM, Asif Iqbal <span dir="ltr">&lt;<a href="mailto:vadud3@gmail.com" target="_blank">vadud3@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div>Let me know if there is a separate mailing list for do_auth related questions.</div>
<div><br></div><div>So I am trying to follow the do_auth.ini syntax and need some help.</div><div><br></div>I have set up the config file like below and am failing to authorize.<div>
<br><div><div>Here is the do_auth.ini file</div><div><br></div><div>[users]<div>default =</div><div> noprivs</div><div>foo =</div><div> newgroup</div></div></div></div></div></blockquote><div> iqbala =</div><div>
newgroup </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div><div><div><div>
<br>
</div><div>[newgroup]</div><div>host_allow =</div><div> .*</div>
<div>command_permit =</div><div> show configuration.*</div><div>device_permit =</div><div> .*</div><div><br></div><div>[noprivs]</div><div>host_deny =</div><div> .*</div><div>device_deny =</div><div> .*</div>
<div>
command_deny =</div><div> .*</div><div><br></div><div>Here is the error message</div><div><br></div><div><div>Username: iqbala</div><div>Password: </div><div>% Authorization failed.</div><div>Connection closed by foreign host.</div>
</div><div><br></div><div><br></div><div>Here is the relevant part in tacacs.conf</div><div><br></div><div><div>group = doauthaccess {</div><div> after authorization "/usr/bin/python /root/do_auth/do_auth.pyc -i $address -fix_crs_bug -u $user -d $name -l /root/do_auth/do_auth.log -f /root/do_auth/do_auth.ini"</div>
<div>}</div></div><div><br></div><div><div>user = foo {</div><div> login = PAM</div><div> member = doauthaccess</div></div></div></div></div></div></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr"><div><div><div><div><div>}</div></div><div><br></div></div></div></div></div></blockquote><div> user = iqbala {</div><div> login = PAM</div><div> member = doauthaccess</div><div> }</div>
<div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div><div><div><div></div><div>
If I change the member to another group which is a regular group</div>
<div>and not using after authorization, user ``foo'' can log in fine.</div><div><br></div><div>I must not be doing something right. </div><div><br></div><div>Please advise.</div><span class="HOEnZb"><font color="#888888"><div>
<br></div><div><br></div><div><br>
</div><div><br></div>-- <br>Asif Iqbal<br>PGP Key: 0xE62693C5 KeyServer: <a href="http://pgp.mit.edu" target="_blank">pgp.mit.edu</a><br>A: Because it messes up the order in which people normally read text.<br>Q: Why is top-posting such a bad thing?<br>
<br>
</font></span></div></div></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Asif Iqbal<br>PGP Key: 0xE62693C5 KeyServer: <a href="http://pgp.mit.edu">pgp.mit.edu</a><br>A: Because it messes up the order in which people normally read text.<br>
Q: Why is top-posting such a bad thing?<br><br>
</div></div>