<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Georgia;
panose-1:2 4 5 2 5 4 5 2 3 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">It doesn’t look like Mavis would interfere with authorization. Based on your configs authorization should still be handled by tac_plus itself.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<pre><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Linking tac_plus.conf to do_auth is done with the stanza “</span>after authorization<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">“ inside a user or group definition.<o:p></o:p></span></pre>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">John Fraizer did a good write-up of how to use do_auth here:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><a href="http://www.shrubbery.net/pipermail/tac_plus/2015-April/001622.html">http://www.shrubbery.net/pipermail/tac_plus/2015-April/001622.html</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Locate your source for tac_plus and find the do_auth.py file. Inside that are some good instructions for setting it up. The web page for do_auth is here and
has some specific examples:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">http://www.tacacs.org/<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Kevin.Cruse@Instinet.com [mailto:Kevin.Cruse@Instinet.com]
<br>
<b>Sent:</b> Thursday, July 23, 2015 8:59 AM<br>
<b>To:</b> Aaron Wasserott<br>
<b>Cc:</b> tac_plus@shrubbery.net<br>
<b>Subject:</b> RE: [tac_plus] Cisco Nexus Authorization problem<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">I am using the mavis backend and wonder if that is the problem? How do i configure do_auth? I am using tac_plus version 201503121920. I cannot find great example of how to use do_auth with existing
configuration ie how do i tell the config file to use do_auth? </span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> </span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif"">id = tac_plus {</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> debug = AUTHEN ACCT MAVIS PACKET</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> access log = /var/log/tac_plus/access/%Y%m%d.log</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> authentication log = /var/log/tac_plus/auth/%Y%m%d.log</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> accounting log = /var/log/tac_plus/acct/%Y%m%d.log</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> authorization log = /var/log/tac_plus/authorization/%Y%m%d.log</span><br>
<br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> mavis module = external {</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> setenv LDAP_SERVER_TYPE = "microsoft"</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> setenv LDAP_HOSTS = "server:389"</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> setenv LDAP_BASE = "dc=domain,dc=corp,dc=local"</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> setenv LDAP_SCOPE = sub</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> #setenv LDAP_FILTER = "(&(objectclass=user) (sAMAccountName = % s))"</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> setenv LDAP_USER = "svcTacacs"</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> setenv LDAP_PASSWD = "T@c@c$!"</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> setenv AD_GROUP_PREFIX = "prv-AMS_Tacacs"</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> setenv EXPAND_AD_GROUP_MEMBERSHIP = 1</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> setenv FLAG_USE_MEMBEROF = 1</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> #setenv REQUIRE_TACACS_GROUP_PREFIX = 1</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> #setenv FLAG_USE_MEMBEROF = 1</span><br>
<br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> }</span><br>
<br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> login backend = mavis</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> user backend = mavis</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> pap backend = mavis</span><br>
<br>
<br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> host = world {</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> address = ::/0</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> prompt = "This is a protected device. Unauthorized access is prohibited\n"</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> enable 15 = clear secret</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> key = password</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> }</span><br>
<br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> group = admin {</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> message = "[Admin Privileges]"</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> default service = permit</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> service = shell {</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> default command = permit</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> default attribute = permit</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> set priv-lvl = 15</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> cmd = debug{deny .*}</span><br>
<br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> }</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""> }</span><br>
<br>
<br>
<br>
<img border="0" width="16" height="16" id="_x0000_i1025" src="cid:image001.gif@01D0C528.865B52C0" alt="Inactive hide details for Aaron Wasserott ---07/22/2015 03:28:27 PM---Kevin, I just tested this and it works for me. User can r"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#424282">Aaron
Wasserott ---07/22/2015 03:28:27 PM---Kevin, I just tested this and it works for me. User can run show commands, but not enter conf t mode</span><br>
<br>
<span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F">From:
</span><span style="font-size:7.5pt;font-family:"Arial","sans-serif"">Aaron Wasserott <<a href="mailto:aaron.wasserott@viawest.com">aaron.wasserott@viawest.com</a>></span><br>
<span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F">To: </span>
<span style="font-size:7.5pt;font-family:"Arial","sans-serif"">"<a href="mailto:Kevin.Cruse@Instinet.com">Kevin.Cruse@Instinet.com</a>" <<a href="mailto:Kevin.Cruse@Instinet.com">Kevin.Cruse@Instinet.com</a>>,
</span><br>
<span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F">Cc: </span>
<span style="font-size:7.5pt;font-family:"Arial","sans-serif"">"<a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a>" <<a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a>></span><br>
<span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F">Date:
</span><span style="font-size:7.5pt;font-family:"Arial","sans-serif"">07/22/2015 03:28 PM</span><br>
<span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F">Subject:
</span><span style="font-size:7.5pt;font-family:"Arial","sans-serif"">RE: [tac_plus] Cisco Nexus Authorization problem</span><o:p></o:p></p>
<div class="MsoNormal">
<hr size="2" width="100%" noshade="" style="color:#8091A5" align="left">
</div>
<p class="MsoNormal"><br>
<br>
<br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Kevin,</span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I just tested this and it works for me. User can run show commands, but not enter conf t mode.
</span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Arista DCS-7050S-52-R running code 4.8.3. In production we run do_auth. It comes bundled with the latest version of tac_plus and makes tweaking authorization a lot easier. It’s
more scalable, syntax is cleaner, and it has its own authorization logs which are easier to read.</span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D"># tac_plus.conf</span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D">group = tier1 {</span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> default service = permit</span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> login = PAM</span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> pap = PAM</span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> default command = deny</span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> cmd = show {permit .*}</span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> service = exec {</span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> priv-lvl = 15</span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> }</span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> service = raccess {</span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> priv-lvl = 0</span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> }</span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D">}</span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D">user = first.last {</span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> member = tier1</span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D">}</span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D"># switch AAA commands</span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D">aaa group server tacacs+ TacGroup</span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D">aaa authentication login default group TacGroup local</span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D">aaa authorization exec default group TacGroup none</span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D">aaa authorization commands 15 default group TacGroup none</span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D">aaa accounting exec default start-stop group TacGroup</span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D">aaa accounting commands 15 default start-stop group TacGroup</span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D">no aaa root</span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D">-Aaron</span><br>
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><br>
<b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> <a href="mailto:Kevin.Cruse@Instinet.com">Kevin.Cruse@Instinet.com</a> [<a href="mailto:Kevin.Cruse@Instinet.com">mailto:Kevin.Cruse@Instinet.com</a>]
<b><br>
Sent:</b> Wednesday, July 22, 2015 12:44 PM<b><br>
To:</b> Aaron Wasserott<b><br>
Cc:</b> <a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><b><br>
Subject:</b> RE: [tac_plus] Cisco Nexus Authorization problem</span><br>
<o:p></o:p></p>
<p><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Aaron</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""><br>
Do you have experience with Arista? It seems I am having similar problem with this device. Authentication works fine, but once i login and send enable password I can run any command i'd like. It's not restricting access to my preconfigured commands:</span><br>
<br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""><br>
Arista1#sh run | i aaa<br>
aaa group server tacacs+ CiscoACS<br>
aaa authentication login default group CiscoACS local<br>
aaa authorization exec default group CiscoACS local<br>
aaa authorization commands all default group CiscoACS local<br>
aaa accounting exec default start-stop group CiscoACS<br>
aaa accounting commands all default start-stop group CiscoACS<br>
no aaa root</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""><br>
----- </span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""><br>
user = testuser {<br>
login = clear "test123"<br>
pap = clear "test123"<br>
member = snm<br>
}</span><br>
<br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""><br>
group = snm {<br>
default service = deny<br>
service = shell {<br>
set shell:roles="\"network-admin\""<br>
default command = deny<br>
default attribute = deny<br>
set priv-lvl = 15<br>
cmd = configure {deny .*}<br>
cmd = clear {<br>
permit "counters"<br>
permit "qos stat"<br>
permit "mls qos int"<br>
}<br>
cmd = disable {permit .*}<br>
cmd = enable {permit .*}<br>
cmd = end {permit .*}<br>
cmd = exit {permit .*}<br>
cmd = logout {permit .*}<br>
cmd = ping {permit .*}<br>
cmd = set {<br>
permit "length 0"<br>
}<br>
cmd = show {<br>
deny "controllers vip"<br>
permit .*<br>
}<br>
cmd = skip-page-display {permit .*}<br>
cmd = terminal {<br>
permit "length 0"<br>
}<br>
cmd = write {<br>
permit "network"<br>
permit "terminal"<br>
permit "memory"<br>
}<br>
}<br>
}</span><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""><br>
----</span><br>
<br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""><br>
Arista1 login: testuser<br>
Password:<br>
Last login: Wed Jul 22 18:49:42 on ttyS0<br>
Arista1>en<br>
Password:<br>
Arista1#conf t <--- This command should be restricted<br>
Arista1(config)#interface eth 10 <--- This command should be restricted<br>
Arista1(config-if-Et10)#shut <--- This command should be restricted<br>
Arista1(config-if-Et10)#end<br>
Arista1#exit</span><br>
<br>
<br>
<br>
<img border="0" width="16" height="16" id="_x0000_i1027" src="cid:image001.gif@01D0C528.865B52C0" alt="Inactive hide details for Aaron Wasserott ---07/16/2015 09:26:32 PM---Try changing "service = shell" to "service = exec" and se"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#424282">Aaron
Wasserott ---07/16/2015 09:26:32 PM---Try changing "service = shell" to "service = exec" and see if that works. I have NX-OS working fine</span><br>
<span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F"><br>
From: </span><span style="font-size:7.5pt;font-family:"Arial","sans-serif"">Aaron Wasserott <</span><a href="mailto:aaron.wasserott@viawest.com"><span style="font-size:7.5pt;font-family:"Arial","sans-serif"">aaron.wasserott@viawest.com</span></a><span style="font-size:7.5pt;font-family:"Arial","sans-serif"">><span style="color:#5F5F5F"><br>
To: </span>"</span><a href="mailto:Kevin.Cruse@Instinet.com"><span style="font-size:7.5pt;font-family:"Arial","sans-serif"">Kevin.Cruse@Instinet.com</span></a><span style="font-size:7.5pt;font-family:"Arial","sans-serif"">" <</span><a href="mailto:Kevin.Cruse@Instinet.com"><span style="font-size:7.5pt;font-family:"Arial","sans-serif"">Kevin.Cruse@Instinet.com</span></a><span style="font-size:7.5pt;font-family:"Arial","sans-serif"">>,
"</span><a href="mailto:tac_plus@shrubbery.net"><span style="font-size:7.5pt;font-family:"Arial","sans-serif"">tac_plus@shrubbery.net</span></a><span style="font-size:7.5pt;font-family:"Arial","sans-serif"">" <</span><a href="mailto:tac_plus@shrubbery.net"><span style="font-size:7.5pt;font-family:"Arial","sans-serif"">tac_plus@shrubbery.net</span></a><span style="font-size:7.5pt;font-family:"Arial","sans-serif"">>,
<span style="color:#5F5F5F"><br>
Date: </span>07/16/2015 09:26 PM<span style="color:#5F5F5F"><br>
Subject: </span>RE: [tac_plus] Cisco Nexus Authorization problem</span><o:p></o:p></p>
<div class="MsoNormal">
<hr size="2" width="100%" noshade="" style="color:#A0A0A0" align="left">
</div>
<p class="MsoNormal"><br>
<br>
<br>
<span style="font-size:10.0pt;font-family:"Courier New""><br>
Try changing "service = shell" to "service = exec" and see if that works. I have NX-OS working fine using that. Also, I have never seen the shell service used in real-world examples for network devices. But reading the manpage it appears it should work to prevent
them from entering configuration mode, as long as your AAA commands are set right.<br>
<br>
service=shell<br>
for exec startup, and also for command authorizations. Requires: aaa authorization exec tacacs+<br>
<br>
Whether authorization happens, and at which prompt level, depends on the aaa authorization settings. It's possible to only restrict exec level commands, and prevent them from entering the 'conf t' command. But if you want them in conf t mode but restrict their
commands at that level, you need to enable something like this:<br>
<br>
aaa authorization config-commands default group myTacacsGroup local<br>
<br>
If changing the service doesn't work, include the AAA commands on your NX-OS switches.<br>
<br>
-----Original Message-----<br>
From: tac_plus [</span><a href="mailto:tac_plus-bounces@shrubbery.net"><span style="font-size:10.0pt;font-family:"Courier New"">mailto:tac_plus-bounces@shrubbery.net</span></a><span style="font-size:10.0pt;font-family:"Courier New"">] On Behalf Of
</span><a href="mailto:Kevin.Cruse@Instinet.com"><span style="font-size:10.0pt;font-family:"Courier New"">Kevin.Cruse@Instinet.com</span></a><span style="font-size:10.0pt;font-family:"Courier New""><br>
Sent: Thursday, July 16, 2015 3:40 PM<br>
To: </span><a href="mailto:tac_plus@shrubbery.net"><span style="font-size:10.0pt;font-family:"Courier New"">tac_plus@shrubbery.net</span></a><span style="font-size:10.0pt;font-family:"Courier New""><br>
Subject: [tac_plus] Cisco Nexus Authorization problem<br>
<br>
<br>
<br>
Hello<br>
<br>
I have configured TACPLUS to work with cisco nexus device. I am able to successfully authenticate, however, I am able to run all commands on router. It seems the router is not restricted to the commands specified in my group config. Has anyone gotten Cisco
nexus to work properly with tacplus? I need to limit certain users and cannot get this working properly. Any help is greatly appreciated!!! Thanks.<br>
<br>
Group Config:<br>
<br>
group = snm {<br>
default service = deny<br>
service = shell {<br>
set shell:roles="\"network-admin\""<br>
default command = deny<br>
default attribute = deny<br>
set priv-lvl = 15<br>
cmd = configure {deny .*}<br>
cmd = clear {<br>
permit "counters"<br>
permit "qos stat"<br>
permit "mls qos int"<br>
}<br>
cmd = disable {permit .*}<br>
cmd = enable {permit .*}<br>
cmd = end {permit .*}<br>
cmd = exit {permit .*}<br>
cmd = logout {permit .*}<br>
cmd = ping {permit .*}<br>
cmd = set {<br>
permit "length 0"<br>
}<br>
cmd = show {<br>
deny "controllers vip"<br>
permit .*<br>
}<br>
cmd = skip-page-display {permit .*}<br>
cmd = terminal {<br>
permit "length 0"<br>
}<br>
cmd = write {<br>
permit "network"<br>
permit "terminal"<br>
permit "memory"<br>
}<br>
}<br>
}<br>
<br>
<br>
user = testuser {<br>
<br>
member = snm<br>
}<br>
<br>
<br>
Session output from router:<br>
<br>
telnet labrouter<br>
Trying labrouter...<br>
Connected to labrouter.<br>
Escape character is '^]'.<br>
User Access Verification<br>
login: testuser<br>
Password:<br>
Cisco Nexus Operating System (NX-OS) Software TAC support: </span><a href="http://www.cisco.com/tac"><span style="font-size:10.0pt;font-family:"Courier New"">http://www.cisco.com/tac</span></a><span style="font-size:10.0pt;font-family:"Courier New""> Copyright
(c) 2002-2014, Cisco Systems, Inc. All rights reserved.<br>
The copyrights to certain works contained in this software are owned by other third parties and used and distributed under license. Certain components of this software are licensed under the GNU General Public License (GPL) version 2.0 or the GNU Lesser General
Public License (LGPL) Version 2.1. A copy of each such license is available at </span>
<a href="http://www.opensource.org/licenses/gpl-2.0.php"><span style="font-size:10.0pt;font-family:"Courier New"">http://www.opensource.org/licenses/gpl-2.0.php</span></a><span style="font-size:10.0pt;font-family:"Courier New""> and
</span><a href="http://www.opensource.org/licenses/lgpl-2.1.php"><span style="font-size:10.0pt;font-family:"Courier New"">http://www.opensource.org/licenses/lgpl-2.1.php</span></a><span style="font-size:10.0pt;font-family:"Courier New""><br>
LABROUTER# configure<br>
<------------------------------------------------------------ This should be denied Enter configuration commands, one per line. End with CNTL/Z.<br>
LABROUTER(config)# interface ethernet 1/1 configure<br>
<------------------------------------------------------------ This should be denied LABROUTER(config-if)# shut<br>
<------------------------------------------------------------ This should be denied LABROUTER(config-if)# no shut<br>
<------------------------------------------------------------ This should be denied LABROUTER(config-if)# end LABROUTER#<br>
<br>
========================================================================================================= <<<< Disclaimer >>>> This message is intended solely for use by the named addressee(s). If you receive this transmission in error, please immediately
notify the sender and destroy this message in its entirety, whether in electronic or hard copy format. Any unauthorized use (and reliance thereon), copying, disclosure, retention, or distribution of this transmission or the material in this transmission is
forbidden. We reserve the right to monitor and archive electronic communications. This material does not constitute an offer or solicitation with respect to the purchase or sale of any security. It should not be construed to contain any recommendation regarding
any security or strategy. Any views expressed are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. This communication is provided on an “as is” basis. It
contains material that is owned by Instinet Incorporated, its subsidiaries or its or their licensors, and may not, in whole or in part, be (i) copied, photocopied or duplicated in any form, by any means, or (ii) redistributed, posted, published, excerpted,
or quoted without Instinet Incorporated's prior written consent. Please access the following link for important information and instructions: </span><a href="http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt"><span style="font-size:10.0pt;font-family:"Courier New"">http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt</span></a><span style="font-size:10.0pt;font-family:"Courier New"">
Securities products and services are provided by locally registered brokerage subsidiaries of Instinet Incorporated: Instinet Australia Pty Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the Australian Securities & Investments Commission; Instinet
Canada Limited, member IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by the Securities and Futures Commission of Hong Kong; Instinet Singapore Services Private Limited, regulated by the Monetary Authority of Singapore, trading member of The
Singapore Exchange Securities Trading Private Limited and clearing member of The Central Depository (Pte) Limited; and Instinet, LLC, member SIPC.<br>
<br>
=========================================================================================================<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <</span><a href="http://www.shrubbery.net/pipermail/tac_plus/attachments/20150716/5c309608/attachment.html"><span style="font-size:10.0pt;font-family:"Courier New"">http://www.shrubbery.net/pipermail/tac_plus/attachments/20150716/5c309608/attachment.html</span></a><span style="font-size:10.0pt;font-family:"Courier New"">><br>
_______________________________________________<br>
tac_plus mailing list<u><span style="color:blue"><br>
</span></u></span><a href="mailto:tac_plus@shrubbery.net"><span style="font-size:10.0pt;font-family:"Courier New"">tac_plus@shrubbery.net</span></a><u><span style="font-size:10.0pt;font-family:"Courier New";color:blue"><br>
</span></u><a href="http://www.shrubbery.net/mailman/listinfo/tac_plus"><span style="font-size:10.0pt;font-family:"Courier New"">http://www.shrubbery.net/mailman/listinfo/tac_plus</span></a><span style="font-size:10.0pt;font-family:"Courier New""><br>
This message contains information that may be confidential, privileged or otherwise protected by law from disclosure. It is intended for the exclusive use of the addressee(s). Unless you are the addressee or authorized agent of the addressee, you may not review,
copy, distribute or disclose to anyone the message or any information contained within. If you have received this message in error, please contact the sender by electronic reply and immediately delete all copies of the message.</span><br>
<i><span style="font-size:7.5pt;font-family:"Georgia","serif""><br>
<br>
=========================================================================================================
</span></i><o:p></o:p></p>
<p><b><i><span style="font-size:7.5pt;font-family:"Georgia","serif""><<<< Disclaimer >>>></span></i></b><i><span style="font-size:7.5pt;font-family:"Georgia","serif""> </span></i><o:p></o:p></p>
<p><i><span style="font-size:7.5pt;font-family:"Georgia","serif"">This message is intended solely for use by the named addressee(s). If you receive this transmission in error, please immediately notify the sender and destroy this message in its entirety, whether
in electronic or hard copy format. Any unauthorized use (and reliance thereon), copying, disclosure, retention, or distribution of this transmission or the material in this transmission is forbidden. We reserve the right to monitor and archive electronic communications.
This material does not constitute an offer or solicitation with respect to the purchase or sale of any security. It should not be construed to contain any recommendation regarding any security or strategy. Any views expressed are those of the individual sender,
except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. This communication is provided on an “as is” basis. It contains material that is owned by Instinet Incorporated, its subsidiaries or its
or their licensors, and may not, in whole or in part, be (i) copied, photocopied or duplicated in any form, by any means, or (ii) redistributed, posted, published, excerpted, or quoted without Instinet Incorporated's prior written consent. Please access the
following link for important information and instructions: </span></i><a href="%20http:/instinet.com/includes/index.jsp?thePage=/html/le_index.txt"><i><span style="font-size:7.5pt;font-family:"Georgia","serif"">http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt</span></i></a><i><span style="font-size:7.5pt;font-family:"Georgia","serif""> </span></i><o:p></o:p></p>
<p><i><span style="font-size:7.5pt;font-family:"Georgia","serif"">Securities products and services are provided by locally registered brokerage subsidiaries of Instinet Incorporated: Instinet Australia Pty Limited (ACN: 131 253 686 AFSL No: 327834), regulated
by the Australian Securities & Investments Commission; Instinet Canada Limited, member IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by the Securities and Futures Commission of Hong Kong; Instinet Singapore Services Private Limited, regulated
by the Monetary Authority of Singapore, trading member of The Singapore Exchange Securities Trading Private Limited and clearing member of The Central Depository (Pte) Limited; and Instinet, LLC, member SIPC.
</span></i><o:p></o:p></p>
<p><i><span style="font-size:7.5pt;font-family:"Georgia","serif""><br>
<br>
=========================================================================================================
</span></i><o:p></o:p></p>
<p>This message contains information that may be confidential, privileged or otherwise protected by law from disclosure. It is intended for the exclusive use of the addressee(s). Unless you are the addressee or authorized agent of the addressee, you may not
review, copy, distribute or disclose to anyone the message or any information contained within. If you have received this message in error, please contact the sender by electronic reply and immediately delete all copies of the message.
<o:p></o:p></p>
<div>
<p class="MsoNormal"><i><span style="font-size:9.0pt;font-family:"Georgia","serif""><br>
<br>
=========================================================================================================
<o:p></o:p></span></i></p>
<div>
<p><b><i><span style="font-size:9.0pt;font-family:"Georgia","serif""><<<< Disclaimer >>>></span></i></b><i><span style="font-size:9.0pt;font-family:"Georgia","serif"">
<o:p></o:p></span></i></p>
<p><i><span style="font-size:9.0pt;font-family:"Georgia","serif"">This message is intended solely for use by the named addressee(s). If you receive this transmission in error, please immediately notify the sender and destroy this message in its entirety, whether
in electronic or hard copy format. Any unauthorized use (and reliance thereon), copying, disclosure, retention, or distribution of this transmission or the material in this transmission is forbidden. We reserve the right to monitor and archive electronic communications.
This material does not constitute an offer or solicitation with respect to the purchase or sale of any security. It should not be construed to contain any recommendation regarding any security or strategy. Any views expressed are those of the individual sender,
except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. This communication is provided on an “as is” basis. It contains material that is owned by Instinet Incorporated, its subsidiaries or its
or their licensors, and may not, in whole or in part, be (i) copied, photocopied or duplicated in any form, by any means, or (ii) redistributed, posted, published, excerpted, or quoted without Instinet Incorporated's prior written consent. Please access the
following link for important information and instructions: <a href="%20http:/instinet.com/includes/index.jsp?thePage=/html/le_index.txt">
http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt</a> <o:p></o:p></span></i></p>
<p><i><span style="font-size:9.0pt;font-family:"Georgia","serif"">Securities products and services are provided by locally registered brokerage subsidiaries of Instinet Incorporated: Instinet Australia Pty Limited (ACN: 131 253 686 AFSL No: 327834), regulated
by the Australian Securities & Investments Commission; Instinet Canada Limited, member IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by the Securities and Futures Commission of Hong Kong; Instinet Singapore Services Private Limited, regulated
by the Monetary Authority of Singapore, trading member of The Singapore Exchange Securities Trading Private Limited and clearing member of The Central Depository (Pte) Limited; and Instinet, LLC, member SIPC.
<o:p></o:p></span></i></p>
<p><i><span style="font-size:9.0pt;font-family:"Georgia","serif""><br>
<br>
=========================================================================================================
<o:p></o:p></span></i></p>
</div>
</div>
</div>
This message contains information that may be confidential, privileged or otherwise protected by law from disclosure. It is intended for the exclusive use of the addressee(s). Unless you are the addressee or authorized agent of the addressee, you may not review,
copy, distribute or disclose to anyone the message or any information contained within. If you have received this message in error, please contact the sender by electronic reply and immediately delete all copies of the message.
</body>
</html>