<div dir="ltr">tac_plus can be run -d 8 to debug authorization</div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Mar 19, 2018 at 5:35 PM, Bruce Ferrell <span dir="ltr"><<a href="mailto:bferrell@baywinds.org" target="_blank">bferrell@baywinds.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Daniel,<br>
<br>
What I do to trouble shoot this type of issue is to use tcpdump and capture the tacacs connection data to a file.<br>
<br>
Yes, I know, the transaction is encrypted. Since you control both ends and posses the shared secret info, you can feed that into wireshark. Under perferences/protocols, locate tacacs+. One of the options allows you to store the shared secret... Now you can see the transaction in wireshark)<br>
<br>
regards<div class="HOEnZb"><div class="h5"><br>
<br>
<br>
On 03/19/2018 07:49 AM, Daniel Schmidt wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Are Brocade FOS switches capable of authorization?<br>
<br>
On Fri, Mar 16, 2018 at 11:42 PM, 83358066 <<a href="mailto:83358066@qq.com" target="_blank">83358066@qq.com</a>> wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Dear Shrubbery<br>
<br>
Thank you very much for your contributes for the excellent TACACS<br>
plus tools ,Currently we plan to test the tacacs plus to manage Brocade<br>
SAN switch ,most of the functions are working well and very powerful, But<br>
only one point we still have some issue ,Would you kindly help to provide<br>
some advice ,Thanks in advance.<br>
<br>
<br>
The question we meet is that we defined the groups and users, for example<br>
,I want to forbid the user in the group usergroup can not run the<br>
the explicit command "reboot" , as we know the brocade FOS command mode is<br>
not same as CISCO, We found the setting was not in effect and the command<br>
"reboot"still can be run after the user got authorized by Tacac_plus server<br>
daemon, So would you kindly let me know how can i configure that can forbid<br>
the explicit command like "reboot" be executed and took effect. Thanks for<br>
your support !<br>
<br>
<br>
our setting for the tac_plus config as follows :<br>
<br>
group = usergroup {<br>
default service = permit<br>
login = file /etc/passwd<br>
enable = file /etc/passwd<br>
cmd = reboot {<br>
deny .*<br>
}<br>
<br>
<br>
user = stuser {<br>
member = usergroup<br>
login = file /etc/passwd service = exec {<br>
brcd-role = Admin<br>
brcd-AV-Pair1 = "homeLF=128;LFRoleList=1-128"<br>
brcd-AV-Pair2 = "chassisRole=switchadmin"<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://www.shrubbery.net/pipermail/tac_plus/" rel="noreferrer" target="_blank">http://www.shrubbery.net/pipe<wbr>rmail/tac_plus/</a><br>
attachments/20180317/58bea644/<wbr>attachment.html><br>
______________________________<wbr>_________________<br>
tac_plus mailing list<br>
<a href="mailto:tac_plus@shrubbery.net" target="_blank">tac_plus@shrubbery.net</a><br>
<a href="http://www.shrubbery.net/mailman/listinfo/tac_plus" rel="noreferrer" target="_blank">http://www.shrubbery.net/mailm<wbr>an/listinfo/tac_plus</a><br>
<br>
</blockquote></blockquote>
<br>
______________________________<wbr>_________________<br>
tac_plus mailing list<br>
<a href="mailto:tac_plus@shrubbery.net" target="_blank">tac_plus@shrubbery.net</a><br>
<a href="http://www.shrubbery.net/mailman/listinfo/tac_plus" rel="noreferrer" target="_blank">http://www.shrubbery.net/mailm<wbr>an/listinfo/tac_plus</a><br>
</div></div></blockquote></div><br></div>
<br>
<br>E-Mail to and from me, in connection with the transaction <br>of public business, is subject to the Wyoming Public Records <br>Act and may be disclosed to third parties.<br>