<div dir="ltr">Here is an example:<div><br></div><div>tac_plus.conf:</div><div><br></div><div><div><font face="monospace, monospace">key = "blah-blah-blah"</font></div><div><font face="monospace, monospace">accounting file = /some/location/tacplus.acct</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">default authentication = file /etc/passwd</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">#</font></div><div><font face="monospace, monospace"># Default group to run all command authentication through do_auth.</font></div><div><font face="monospace, monospace">#</font></div><div><font face="monospace, monospace">group = doauthaccess {</font></div><div><font face="monospace, monospace"> default service = permit</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"> service = exec {</font></div><div><font face="monospace, monospace"> priv-lvl = 1</font></div><div><font face="monospace, monospace"> optional idletime = 30</font></div><div><font face="monospace, monospace"> optional acl = 2</font></div><div><font face="monospace, monospace"> shell:roles="\"network-operator vdc-operator\""</font></div><div><font face="monospace, monospace"> }</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"> service = junos-exec {</font></div><div><font face="monospace, monospace"> bug-fix = "first pair is lost"</font></div><div><font face="monospace, monospace"> local-user-name = "remote"</font></div><div><font face="monospace, monospace"> allow-commands = "(.*exit)|(show cli auth.*)"</font></div><div><font face="monospace, monospace"> deny-commands = ".*"</font></div><div><font face="monospace, monospace"> allow-configuration = "" </font></div><div><font face="monospace, monospace"> deny-configuration = ".*"</font></div><div><font face="monospace, monospace"> }</font></div><div><font face="monospace, monospace"> after authorization "/usr/bin/python /some-location/do_auth.py -i $address -u $user -d $name -l /some-location/do_auth.log -f /some-location/do_auth.ini"<br></font></div><div><font face="monospace, monospace">}</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">#<br></font></div><div><font face="monospace, monospace"># Default user - Used when no user specific stanza exists in tac_plus.conf.</font></div><div><font face="monospace, monospace">#</font></div><div><font face="monospace, monospace">user = DEFAULT {</font></div><div><font face="monospace, monospace"> member = doauthaccess</font></div><div><font face="monospace, monospace"> login = PAM</font></div><div><font face="monospace, monospace">}</font></div></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><br></font></div><div><font face="arial, helvetica, sans-serif">And then, in do_auth.ini:</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">[users]</font></div><div><font face="monospace, monospace">default =</font></div><div><font face="monospace, monospace"> no_authority</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">ren =</font></div><div><font face="monospace, monospace"> lab</font></div><div><font face="monospace, monospace"> no_authority</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">stimpy =</font></div><div><font face="monospace, monospace"> lab</font></div><div><font face="monospace, monospace"> production_readonly</font></div><div><font face="monospace, monospace"> no_authority</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"># Groups start here</font></div><div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"># Default group. Can only log out and check</font></div><div><font face="monospace, monospace"># privilege level (JUNOS)</font></div><div><font face="monospace, monospace">[no_authority]</font></div><div><font face="monospace, monospace">host_deny =</font></div><div><font face="monospace, monospace">host_allow =<br></font></div><div><font face="monospace, monospace"> .*</font></div><div><font face="monospace, monospace">device_deny =</font></div><div><font face="monospace, monospace">device_permit =<br></font></div><div><font face="monospace, monospace"> .*</font></div><div><font face="monospace, monospace">command_deny =</font></div><div><font face="monospace, monospace"> .*</font></div><div><font face="monospace, monospace">command_permit =</font></div><div><font face="monospace, monospace"> exit.*</font></div><div><font face="monospace, monospace">av_pairs =<br></font></div><div><font face="monospace, monospace"> priv-lvl=0</font></div><div><font face="monospace, monospace"> shell:roles="network-operator vdc-operator"</font></div><div><font face="monospace, monospace"> local-user-name = test</font></div><div><font face="monospace, monospace"> allow-commands = (.*exit)|(show cli auth.*)</font></div><div><font face="monospace, monospace"> deny-commands = .*</font></div><div><font face="monospace, monospace"> allow-configuration =</font></div><div><font face="monospace, monospace"> deny-configuration =</font></div></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"># LAB group can do anything - as long as the device</font></div><div><font face="monospace, monospace"># they're logging into is in <a href="http://192.168.56.0/24">192.168.56.0/24</a> which is</font></div><div><font face="monospace, monospace"># the IP address space used for management in the LAB.</font></div><div><div><font face="monospace, monospace">[lab]</font></div><div><font face="monospace, monospace">host_deny =<br></font></div><div><font face="monospace, monospace">host_allow =<br></font></div><div><font face="monospace, monospace"> .*</font></div><div><font face="monospace, monospace">device_deny =</font></div><div><font face="monospace, monospace">device_permit =<br></font></div><div><font face="monospace, monospace"> 192.168.56.*</font></div><div><font face="monospace, monospace">command_deny =<br></font></div><div><font face="monospace, monospace">command_permit =<br></font></div><div><font face="monospace, monospace"> .*</font></div><div><font face="monospace, monospace">av_pairs =<br></font></div><div><font face="monospace, monospace"> priv-lvl=15</font></div><div><font face="monospace, monospace"> shell:roles="network-admin vdc-admin"</font></div><div><font face="monospace, monospace"> local-user-name = remote</font></div><div><font face="monospace, monospace"> allow-commands = .*</font></div><div><font face="monospace, monospace"> deny-commands = </font></div><div><font face="monospace, monospace"> allow-configuration = .*</font></div><div><font face="monospace, monospace"> deny-configuration =</font></div></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"># This group provides read-only access to ANY device.</font></div><div><div><font face="monospace, monospace">[production_readonly]</font></div><div><font face="monospace, monospace">host_deny =</font></div><div><font face="monospace, monospace">host_allow =</font></div><div><font face="monospace, monospace"> .*</font></div><div><font face="monospace, monospace">device_deny =</font></div><div><font face="monospace, monospace">device_permit =</font></div><div><font face="monospace, monospace"> .*</font></div><div><font face="monospace, monospace">command_deny =</font></div><div><font face="monospace, monospace">command_permit =</font></div><div><font face="monospace, monospace"> ping.*</font></div><div><font face="monospace, monospace"> traceroute.*</font></div><div><font face="monospace, monospace"> terminal.*</font></div><div><font face="monospace, monospace"> write terminal.*</font></div><div><font face="monospace, monospace"> copy running-config terminal.*</font></div><div><font face="monospace, monospace"> copy running-config tftp.*</font></div><div><font face="monospace, monospace"> copy startup-config terminal.*</font></div><div><font face="monospace, monospace"> copy startup-config tftp.*</font></div><div><font face="monospace, monospace"> show.*</font></div><div><font face="monospace, monospace">av_pairs =<br></font></div><div><font face="monospace, monospace"> priv-lvl=15</font></div><div><font face="monospace, monospace"> shell:roles="network-admin vdc-admin"</font></div><div><font face="monospace, monospace"> local-user-name = remote</font></div><div><font face="monospace, monospace"> allow-commands = </font></div><div><font face="monospace, monospace"> deny-commands = (.*edit)|(.*configure)</font></div><div><font face="monospace, monospace"> allow-configuration = </font></div><div><font face="monospace, monospace"> deny-configuration =</font></div></div><div><font face="monospace, monospace"><br></font></div><div><br></div><div><br></div><div><br></div><div>With the above configuration, user "joe" does not have a user stanza in do_auth.ini so, he will fall through to the "default" group (no_authority) no matter which device he logs into. He will only be able to log out. ;-)</div><div>User ren is a member of "lab" and "no_authority" so, if he logs into any devices in <a href="http://192.168.56.0/24">192.168.56.0/24</a>, he can do anything. For anything else, he will fall through to the "no_authority" group and only be able to log out.</div><div>User stimpy is a member of all three groups: lab, production_readonly and no_authority. If he logs into a device in <a href="http://192.168.56.0/24">192.168.56.0/24</a>, he can do anything. If he logs in ANYWHERE else, he will receive the "production_readonly" privileges since it matches on .* for "device_permit". </div><div><br></div><div>If you look in group "production_readonly", I'm setting priv-lvl=15 or giving "network-admin vdc-admin" or "local-user-name = remote" (depending on which AV pair(s) the device sent to tac_plus. On my Junipers, user "remote" is "super-user" which is basically the same as priv-lvl=15.</div><div><br></div><div>On anything that does command authorization, I'm only permitting:</div><div><div><font face="monospace, monospace"> ping.*</font></div><div><font face="monospace, monospace"> traceroute.*</font></div><div><font face="monospace, monospace"> terminal.*</font></div><div><font face="monospace, monospace"> write terminal.*</font></div><div><font face="monospace, monospace"> copy running-config terminal.*</font></div><div><font face="monospace, monospace"> copy running-config tftp.*</font></div><div><font face="monospace, monospace"> copy startup-config terminal.*</font></div><div><font face="monospace, monospace"> copy startup-config tftp.*</font></div><div><font face="monospace, monospace"> show.*</font></div></div><div><br></div><div>Anything else will be denied.</div><div><br></div><div>On the Junipers, since they do RBAC and don't ask to authorize individual commands, I'm simply denying "edit" and "configure" in the "deny-commands" regular expression so, they can't make config changes.</div><div><br></div><div>Note that ALL users are members of "no_authority" as their "last resort" group. This is because, without that group membership, Cisco's and Arista would get a "denied" authorization for the shell. Junipers flat-out IGNORE that though and the user would get uninhibited "super-user". Silly JUNOS! Placing everyone in "no_authority" makes sure that even if no other groups match, they will at least match on the no_authority group and be granted just enough access to log out of the device (and look at their authority on Junipers):<br></div><div><br></div><div><div><font face="monospace, monospace">command_deny =</font></div><div><font face="monospace, monospace"> .*</font></div><div><font face="monospace, monospace">command_permit =</font></div><div><font face="monospace, monospace"> exit.*</font></div><div><font face="monospace, monospace">av_pairs =<br></font></div><div><font face="monospace, monospace"> priv-lvl=0</font></div><div><font face="monospace, monospace"> shell:roles="network-operator vdc-operator"</font></div><div><font face="monospace, monospace"> local-user-name = test</font></div><div><font face="monospace, monospace"> allow-commands = (.*exit)|(show cli auth.*)</font></div><div><font face="monospace, monospace"> deny-commands = .*</font></div><div><font face="monospace, monospace"> allow-configuration =</font></div><div><font face="monospace, monospace"> deny-configuration =</font></div></div><div><br></div><div>There you go... a quick tutorial on using do_auth.py via the "after authorization" function in tac_plus. You'll never believe you lived without it once you set it up. Just be sure to TEST the configurations. You might find a corner-case like I did with silly JUNOS doing the opposite of what you would expect.</div><div><br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div>--</div>John Fraizer<div>LinkedIn profile: <a href="http://www.linkedin.com/in/johnfraizer/" target="_blank">http://www.linkedin.com/in/johnfraizer/</a></div><div><br><div><span style="color:rgb(53,53,53);font-family:Arial,sans-serif;font-size:12px;line-height:12px;background-color:rgb(244,244,244)"><br></span></div></div></div></div></div>
<br><div class="gmail_quote">On Thu, Apr 16, 2015 at 9:09 AM, Aaron Wasserott <span dir="ltr"><<a href="mailto:aaron.wasserott@viawest.com" target="_blank">aaron.wasserott@viawest.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Look into the do_auth.pyc script to control command authorization.<br>
<br>
<a href="http://www.tacacs.org/" target="_blank">http://www.tacacs.org/</a><br>
<div><div class="h5"><br>
-----Original Message-----<br>
From: tac_plus [mailto:<a href="mailto:tac_plus-bounces@shrubbery.net">tac_plus-bounces@shrubbery.net</a>] On Behalf Of Martin T<br>
Sent: Thursday, April 16, 2015 9:55 AM<br>
To: <a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br>
Subject: [tac_plus] enable additional commands centrally for IOS privilege levels other than 15<br>
<br>
Hi,<br>
<br>
privilege level 15 in IOS has all the possible commands for particular IOS release enabled. However, for example privilege level 1 has only few dozens of commands available. Now if I want to allow some of the privilege level 15 commands also for privilege level 1, then I could use the "privilege exec level 1 <command>" command. For example "privilege exec level 1 traceroute". However, is there a way to do this centrally in TACACS+ server?<br>
<br>
<br>
thanks,<br>
Martin<br>
_______________________________________________<br>
tac_plus mailing list<br>
<a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br>
<a href="http://www.shrubbery.net/mailman/listinfo/tac_plus" target="_blank">http://www.shrubbery.net/mailman/listinfo/tac_plus</a><br>
</div></div>This message contains information that may be confidential, privileged or otherwise protected by law from disclosure. It is intended for the exclusive use of the addressee(s). Unless you are the addressee or authorized agent of the addressee, you may not review, copy, distribute or disclose to anyone the message or any information contained within. If you have received this message in error, please contact the sender by electronic reply and immediately delete all copies of the message.<br>
<div class="HOEnZb"><div class="h5">_______________________________________________<br>
tac_plus mailing list<br>
<a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br>
<a href="http://www.shrubbery.net/mailman/listinfo/tac_plus" target="_blank">http://www.shrubbery.net/mailman/listinfo/tac_plus</a><br>
</div></div></blockquote></div><br></div>