<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jun 17, 2014 at 12:44 PM, Asif Iqbal <span dir="ltr"><<a href="mailto:vadud3@gmail.com" target="_blank">vadud3@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">
<div><div class="h5">On Tue, Jun 17, 2014 at 11:08 AM, Asif Iqbal <span dir="ltr"><<a href="mailto:vadud3@gmail.com" target="_blank">vadud3@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">
<div>On Mon, Jun 16, 2014 at 5:52 PM, Aaron Wasserott <span dir="ltr"><<a href="mailto:aaron.wasserott@viawest.com" target="_blank">aaron.wasserott@viawest.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">I think the issue you were seeing with still having access for that user is because you have DEFAULT user listed first. do_auth will act on the first match
it finds. In my do_auth.ini files I put the DEFAULT user after all the specific users as a catch-all.</span></p></div></div></blockquote><div><br></div></div><div>I am failing to connect to any router with this config and I am not seeing any log.</div>
<div><br></div><div>do_auth.ini</div><div>========</div>
<pre>[users]
DEFAULT =
 opseng
[opseng]
host_allow =
 .*
device_permit =
 .*
command_deny =
 clear "^route-map counters"
 show "^list"
 debug "^all"
 mpls "traffic-eng attribute-flags"
 no "^ip routing"
 no "^router .*"
 write ^terminal
command_permit =
 clear .*
 show .*
 debug .*
 ## prevent setting admin-group < 2^16... must be 6 decimal digits
 mpls "traffic-eng attribute-flags [0-9][0-9][0-9][0-9][0-9][0-9]"
 mpls .*
 no .*
 write .*
</pre>
<div><br></div><div>tac_plus.conf</div><div>===========</div>
<pre>group = doauthaccess {
 default service = permit
 service = exec {
 priv-lvl = 15
 idletime = 10
 }
 after authorization "/usr/bin/python /root/do_auth/do_auth_orig.py -i $address -u $user -d $name -l /root/do_auth/do_auth.log -f /root/do_auth/do_auth.ini"
}

user = DEFAULT {
 pap = PAM
 login = PAM
 member = doauthaccess
}
</pre>
<div><br></div><div>enabled DEBUG on do_auth.py</div><div><br></div><div>DEBUG = os.getenv('DEBUG', True)<br>
</div><div><br></div><div>I am not seeing any log in do_auth.log.</div></div></div></div></blockquote><div><br></div></div></div><div>I guess there is no log because the user = DEFAULT {..} block is never consulted.</div><div>
<br></div>
<div>man page says:</div><div><br></div><div>"</div><div> default authentication</div><div> By default, authentication fails for users that do not appear in the configuration file. This</div>
<div> overrides that behavior, thus permitting all authentication requests for such users.</div><div><br></div><div> default authentication = file <filename></div><div><br></div><div> Such users will be authenticated via the <user> "DEFAULT".</div>
<div>"</div><div><br></div><div>So that explains why I do not see any log, since I am not using default authentication = file <filename>.</div><div>I am using login = PAM for users.<br></div><div><br></div><div>
So to comply with that I added default authentication = file /etc/tacacs-passwd and added my account</div><div>in there. </div><div><br></div><div>Now I can login with user = DEFAULT {..} and I do see logs and DEBUG logs in do_auth.log file.</div>
<div><br></div><div>Is there a way I can make default authentication = PAM?</div></div></div></div></blockquote><div><br></div><div><br></div><div><br></div><div>This does not work today. It errors out:</div><div><br></div>
<div>Tue Jun 17 17:15:51 2014 [11884]: Error expecting 'file' but found 'PAM' on line 7</div><div><br></div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div><br></div><div>Our LDAP password changes frequently as corporate policy. Syncing that password to /etc/tacacs-passwd would be a pain. We have no admin access to corporate LDAP to force sync that to /etc/tacacs-passwd.</div>
<div><div class="h5">
<div><br></div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">
<div class="gmail_extra"><div class="gmail_quote"><div><br></div><div>What am I doing wrong?</div><div><div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple"><div>
<p class="MsoNormal"><b><span style="font-size:10pt;font-family:Tahoma,sans-serif">From:</span></b><span style="font-size:10pt;font-family:Tahoma,sans-serif"> Asif Iqbal [mailto:<a href="mailto:vadud3@gmail.com" target="_blank">vadud3@gmail.com</a>]
<br>
<b>Sent:</b> Monday, June 16, 2014 3:20 PM<br>
<b>To:</b> Aaron Wasserott<br>
<b>Cc:</b> <a href="mailto:tac_plus@shrubbery.net" target="_blank">tac_plus@shrubbery.net</a><br>
<b>Subject:</b> Re: [tac_plus] user DEFAULT - anyone can login?<u></u><u></u></span></p><div><div>
<div>
<div>
<div>
<p class="MsoNormal">On Mon, Jun 16, 2014 at 5:02 PM, Asif Iqbal <<a href="mailto:vadud3@gmail.com" target="_blank">vadud3@gmail.com</a>> wrote:<u></u><u></u></p>
<div>
<div>
<div>
<div>
<p class="MsoNormal">On Mon, Jun 16, 2014 at 4:20 PM, Aaron Wasserott <<a href="mailto:aaron.wasserott@viawest.com" target="_blank">aaron.wasserott@viawest.com</a>> wrote:<u></u><u></u></p>
<p class="MsoNormal">If you use DEFAULT in both tac_plus.conf and do_auth.ini then, no, you could not restrict who can login to what. The only restriction there would be locking that user account in LDAP/AD to prevent any access for that user.<br>
<br>
But you could use DEFAULT in tac_plus.conf and then define users/groups in do_auth.ini; that way you can restrict who can login to what.</p>
</div>
<div>
<p class="MsoNormal">device_deny is not being honored.<u></u><u></u></p>
</div>
<div>
<pre>[users]
DEFAULT =
 noprivs
iqbala =
 noprivs
[noprivs]
host_deny =
 .*
host_allow =
device_deny =
 .*
device_allow =
command_deny =
 .*
command_permit =
</pre>
</div>
<div>
<p class="MsoNormal">user "iqbala" can still login to a router. command_deny works fine.</p>
</div>
<div>
<p class="MsoNormal">I do not see any log<u></u><u></u></p>
</div>
</div>
</div>
</div>
<div>
<p class="MsoNormal">Oh yeah, DEFAULT on both tac_plus.conf and do_auth.ini and then device_deny works.<u></u><u></u></p>
</div>
<blockquote style="border-style:none none none solid;border-left-color:rgb(204,204,204);border-left-width:1pt;padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<div>
<div>
<div>
<blockquote style="border-style:none none none solid;border-left-color:rgb(204,204,204);border-left-width:1pt;padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in">
<p class="MsoNormal"><br>
I remember reading your emails before, and it sounds like you have a pretty complicated user base setup. The best way is to model user access around the tried-and-true tier groups, like tier1, tier2, tier3. Then you could have those three groups defined in
tac_plus.conf pointing to different do_auth.ini files that control access to certain devices. The big issue for you will be something you mentioned a few weeks back, where you said you want users in different groups. You might want to think about letting more
trusted/privileged users have access to things they don't necessarily need, so you can just stick them in one group like tier2.</p>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal">So I have over 1500 network devices. Each vendor type gets its own instance of tac_plus, which can point to a separate do_auth.ini file like you suggested.</p>
</div>
<div>
<p class="MsoNormal">Otherwise I have to consolidate all the devices in permit or deny blocks for different groups. That would be a nightmare if I want to consolidate to one do_auth.ini file. Plus it will be slow to read through the list of devices for each authorization
request for 1000s of employees. Maybe there should be a database option to read the device lists from, to make it perform well.</p>
</div>
<blockquote style="border-style:none none none solid;border-left-color:rgb(204,204,204);border-left-width:1pt;padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<div>
<div>
<div>
<blockquote style="border-style:none none none solid;border-left-color:rgb(204,204,204);border-left-width:1pt;padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal">-----Original Message-----<br>
From: tac_plus [mailto:<a href="mailto:tac_plus-bounces@shrubbery.net" target="_blank">tac_plus-bounces@shrubbery.net</a>] On Behalf Of Asif Iqbal<br>
Sent: Monday, June 16, 2014 1:17 PM<br>
To: <a href="mailto:tac_plus@shrubbery.net" target="_blank">tac_plus@shrubbery.net</a><br>
Subject: [tac_plus] user DEFAULT - anyone can login?<br>
<br>
So if I understand correctly with the following stanza in tac_plus.conf anyone with valid LDAP credentials (PAM is pointing to LDAP in my case) can login to a router?<br>
<br>
user = DEFAULT {<br>
login = PAM<br>
member = doauthaccess<br>
}<br>
<br>
I am guessing I cannot really use this should I want to limit who can login?<br>
<br>
I guess I cannot take advantage of do_auth to prevent login since it gets called after authorization?<br>
<br>
Maybe I can use do_auth with before authorization as well and define the allowed users under the [users] stanza and limit it that way, if I want to shrink my tac_plus conf user blocks to just DEFAULT?<br>
<br>
Please advise.<br>
<br>
--<br>
Asif Iqbal<br>
PGP Key: 0xE62693C5 KeyServer: <a href="http://pgp.mit.edu" target="_blank">pgp.mit.edu</a><br>
A: Because it messes up the order in which people normally read text.<br>
Q: Why is top-posting such a bad thing?<u></u><u></u></p>
</div>
</div>
<p class="MsoNormal">_______________________________________________<br>
tac_plus mailing list<br>
<a href="mailto:tac_plus@shrubbery.net" target="_blank">tac_plus@shrubbery.net</a><br>
<a href="http://www.shrubbery.net/mailman/listinfo/tac_plus" target="_blank">http://www.shrubbery.net/mailman/listinfo/tac_plus</a></p>
</blockquote>
</div>
</div>
</div>
<div>
<div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div></div></div>
</div>
</blockquote></div></div></div><div><div><br><br clear="all"><div><br></div>
</div></div></div></div>
</blockquote></div></div></div><div><div class="h5"><br><br clear="all"><div><br></div>
</div></div></div></div>
</blockquote></div><br><br clear="all"><div><br></div>
</div></div>
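As an added example (not code from the thread, from tac_plus or from do_auth), a small Python audit of the two points the thread settles on: a user = DEFAULT stanza in tac_plus.conf is only reached when default authentication = file is set, and once it is, any account that authenticates gets that stanza, so login restriction has to come from the backend or from do_auth; and in do_auth.ini the DEFAULT entry of [users] should come after the specific users. The tac_plus.conf parsing is a simplified model (one attribute per line, no nested blocks inside user stanzas) and the sample configs are constructed from the ones posted above.

```python
# Constructed audit for the catch-all DEFAULT pattern in this thread; it is not
# tac_plus or do_auth code. The tac_plus.conf parsing is a simplified model:
# one attribute per line and no nested blocks inside user stanzas.
import configparser
import re

USER_BLOCK = re.compile(r'^\s*user\s*=\s*(\S+)\s*\{(.*?)^\s*\}', re.M | re.S)
DEFAULT_AUTH_FILE = re.compile(r'^\s*default\s+authentication\s*=\s*file\b', re.M)

def parse_tac_plus_users(conf_text):
    """Return {name: {attr: value}} for every `user = NAME { ... }` stanza."""
    users = {}
    for m in USER_BLOCK.finditer(conf_text):
        pairs = (ln.split('=', 1) for ln in m.group(2).splitlines() if '=' in ln)
        users[m.group(1)] = {k.strip(): v.strip() for k, v in pairs}
    return users

def do_auth_user_keys(ini_text):
    """[users] option names in file order; optionxform keeps DEFAULT upper-case."""
    cp = configparser.ConfigParser()
    cp.optionxform = str
    cp.read_string(ini_text)
    return list(cp['users'].keys()) if cp.has_section('users') else []

def audit(conf_text, ini_text):
    """Return finding codes for the pair of configs; an empty list means clean."""
    findings = []
    if 'DEFAULT' in parse_tac_plus_users(conf_text):
        if DEFAULT_AUTH_FILE.search(conf_text):
            # Catch-all is live: any account that passes authentication gets the
            # DEFAULT stanza, so who may log in is up to the backend or do_auth.
            findings.append('DEFAULT_USER_IS_CATCH_ALL')
        else:
            # Per the quoted man page, unknown users fail authentication without
            # `default authentication = file`, so DEFAULT (and do_auth) never run.
            findings.append('DEFAULT_USER_NEVER_CONSULTED')
    keys = do_auth_user_keys(ini_text)
    if 'DEFAULT' in keys and keys[-1] != 'DEFAULT':
        findings.append('DO_AUTH_DEFAULT_NOT_LAST')  # catch-all should be last
    return findings

# Sample inputs constructed from the configs posted in the thread.
TAC_PLUS_CONF = ("group = doauthaccess {\n default service = permit\n}\n"
                 "user = DEFAULT {\n login = PAM\n member = doauthaccess\n}\n")
DO_AUTH_INI = "[users]\nDEFAULT =\n noprivs\niqbala =\n noprivs\n[noprivs]\ndevice_deny =\n .*\n"
```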