<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Jun 16, 2014 at 4:20 PM, Aaron Wasserott <span dir="ltr"><<a href="mailto:aaron.wasserott@viawest.com" target="_blank">aaron.wasserott@viawest.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">If you use DEFAULT in both tac_plus.conf and do_auth.ini then, no, you could not restrict who can login to what. The only restriction there would be locking that user account in LDAP/AD to prevent any access for that user.<br>
<br>
But you could use DEFAULT in tac_plus.conf and then define users/groups in do_auth.ini; you can restrict who can login to what that way.<br></blockquote><div><br></div><div>device_deny is not being honored.</div><div><br>
</div><pre>
[users]
DEFAULT =
 noprivs
iqbala =
 noprivs
[noprivs]
host_deny =
 .*
host_allow =
device_deny =
 .*
device_allow =
command_deny =
 .*
command_permit =
</pre><div><br></div><div>user ``iqbala'' still can login to a router. command_deny works fine.</div><div>
<br>
</div><div>I do not see any log</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
I remember reading your emails before, and it sounds like you have a pretty complicated user base setup. The best way is to model user access around the tried-and-true tier groups, like tier1, tier2, tier3. Then you could have those three groups defined in tac_plus.conf pointing to different do_auth.ini files that control access to certain devices. The big issue for you will be something you mentioned a few weeks back, where you said you want users in different groups. You might want to think about letting more trusted/privileged users have access to things they don't necessarily need, so you can just stick them in one group like tier2.<br>
<div><div class="h5"><br>
-----Original Message-----<br>
From: tac_plus [mailto:<a href="mailto:tac_plus-bounces@shrubbery.net">tac_plus-bounces@shrubbery.net</a>] On Behalf Of Asif Iqbal<br>
Sent: Monday, June 16, 2014 1:17 PM<br>
To: <a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br>
Subject: [tac_plus] user DEFAULT - anyone can login?<br>
<br>
So if I understand correctly with the following stanza in tac_plus.conf anyone with valid LDAP credentials (PAM is pointing to LDAP in my case) can login to a router?<br>
<br>
<pre>user = DEFAULT {
    login = PAM
    member = doauthaccess
}</pre>
<br>
I am guessing I cannot really use this should I want to limit who can login?<br>
<br>
I guess I cannot take advantage of do_auth to prevent login since it gets called after authorization?<br>
<br>
Maybe I can use do_auth with before authorization as well and define the allowed users under the [users] stanza and limit that way if I want to shrink my tac_plus conf user blocks to just DEFAULT?<br>
<br>
Please advise.<br>
<br>
--<br>
Asif Iqbal<br>
PGP Key: 0xE62693C5 KeyServer: <a href="http://pgp.mit.edu" target="_blank">pgp.mit.edu</a><br>
A: Because it messes up the order in which people normally read text.<br>
Q: Why is top-posting such a bad thing?<br>
</div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Asif Iqbal<br>PGP Key: 0xE62693C5 KeyServer: <a href="http://pgp.mit.edu">pgp.mit.edu</a><br>A: Because it messes up the order in which people normally read text.<br>
Q: Why is top-posting such a bad thing?<br><br>
</div></div>
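As an added example (not from this thread and not do_auth's own code), the following Python script evaluates a do_auth.ini policy offline, so a stanza like the posted [noprivs] one can be checked on its own before the daemon and the NAS are involved. It assumes do_auth's deny-before-allow order per group (host, then device, then command), that host_* patterns match the user's source address and device_* patterns the NAS address, and the [tier1] group and operator user are constructed to show one allow path.

```python
import configparser
import re
# Constructed ini: the posted [users]/[noprivs] stanzas plus an assumed [tier1] group
DO_AUTH_INI = """\
[users]
DEFAULT =
 noprivs
iqbala =
 noprivs
operator =
 tier1
[noprivs]
host_deny =
 .*
host_allow =
device_deny =
 .*
device_allow =
command_deny =
 .*
command_permit =
[tier1]
host_allow =
 10\\.1\\..*
device_allow =
 .*
command_permit =
 ^show .*
"""

def patterns(cp, section, key):
    # do_auth lists are one regex per indented line; a blank or missing key means no entries
    raw = cp.get(section, key, fallback="")
    return [p.strip() for p in raw.splitlines() if p.strip()]

def evaluate(ini_text, user, user_ip, device_ip, command):
    # Assumed order per group: any deny match fails the group, then allow/permit must match
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    groups = patterns(cp, "users", user) or patterns(cp, "users", "DEFAULT")
    stages = (("host_deny", "host_allow", user_ip),
              ("device_deny", "device_allow", device_ip),
              ("command_deny", "command_permit", command))
    for g in groups:  # first group that passes every stage grants access
        if all(not any(re.match(p, v) for p in patterns(cp, g, deny))
               and any(re.match(p, v) for p in patterns(cp, g, allow))
               for deny, allow, v in stages):
            return True, "permitted by group " + g
    return False, "denied: no group in %s passes every check" % groups
```

With the posted stanza every request for iqbala (or any DEFAULT user) comes back denied at the host_deny stage, which is the result the poster expects from device_deny; a policy that denies offline but still lets the user in points at how and when tac_plus invokes the script rather than at the ini itself.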