[tac_plus] Re: DEFAULT user option not working?
Robert Lister
robl at linx.net
Mon Jan 8 03:34:03 UTC 2007
I wonder if I could ask another question.
I have a cisco router with console lines on, and tac_plus config that calls
a pre_authorize script to look in a group file to decide which users are
allowed to access what devices (by IP).
When I telnet to the router to port 23, tac_plus calls the script and I get
allowed or denied as expected.
When I telnet to a console line, tac_plus runs but does not seem to call my
script, and allows every user in.
I'm not sure what's different from the telnet request to the console access
request about the tacacs request? Clearly the aaa config is set up on the
router, and the debug output from tac_plus shows the requests, but the only
difference I can see between them is that my script does not get called for
console requests? Is it because "exec" auth is not getting called for
console lines?
Is there a way to make it call my script for all login requests?
Cisco conf:
aaa new-model
!
!
aaa authentication login default group tacacs+ enable
aaa authorization exec default group tacacs+ none
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
* Correct for telnet:
spitfire:~>telnet ar1
Connected to ar1.
Escape character is '^]'.
User Access Verification
Username: tac
Password:
% Authorization Failed - denied by TACACS+ cisco_group_acl:101
Connection closed by foreign host.
* Incorrect for console lines:
spitfire:~>telnet ar1 2052
Connected to ar1.
Escape character is '^]'.
User Access Verification
Username: tac
Password:
AlterPath ACS
acs.tfm7 login:
tac_plus conf:
#
# tac_plus configuration
#
accounting file = /var/log/tac_plus_cisco_acct.log
# logging = <syslog_fac>
key = "<key>"
default authentication = file /etc/tacacs/passwd.remote
group = tac_auth {
    default service = permit
    # this script looks up the group for the user in passwd.remote and
    # then checks the ACL for that group in cisco_group_acl.
    # It returns a permit or deny accordingly:
    before authorization "/etc/tacacs/pre_authorize $user $name $address"
    service = exec {
        priv-lvl = 1
    }
}
user = DEFAULT {
    member = tac_auth
}
Thanks,
Rob
--
Robert Lister - London Internet Exchange - http://www.linx.net/
robl at linx.net - tel: +44 (0)20 7645 3510 - RL786-RIPE
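As an added illustration of the kind of hook the post describes (this is not Rob's script; it is written fresh here), a pre_authorize-style check in POSIX sh that resolves the user's group from a passwd.remote-style list and applies a first-match-wins, implicit-deny ACL per group against the device address tac_plus passes in. The file formats, the sample entries and the exit-status convention (0 permits, 1 denies) are assumptions, not taken from the post or from tac_plus documentation.

```shell
#!/bin/sh
# Added example (not the poster's script): a pre_authorize-style hook for tac_plus.
# tac_plus calls it as:  pre_authorize $user $name $address
# Assumed exit convention: 0 = permit the request, 1 = deny it.

# Constructed sample of /etc/tacacs/passwd.remote: "user:group"
PASSWD_REMOTE='tac:ops
alice:noc'

# Constructed sample of cisco_group_acl: "group:acl-id:permit|deny:device-ip-glob"
# Entries are evaluated top-down; the first match wins; no match means deny.
GROUP_ACL='ops:101:deny:10.0.0.5
ops:101:permit:10.0.*
noc:102:permit:10.0.0.5'

# Print the group for a user, or nothing if the user is unknown.
lookup_group() {
    printf '%s\n' "$PASSWD_REMOTE" | awk -F: -v u="$1" '$1 == u { print $2; exit }'
}

# check_access USER PORT ADDRESS -> exit status 0 (permit) or 1 (deny)
check_access() {
    user=$1 addr=$3
    group=$(lookup_group "$user")
    if [ -z "$group" ]; then
        echo "denied by TACACS+ cisco_group_acl: unknown user $user"
        return 1
    fi
    # Walk the ACL lines for this group; $pattern is a shell glob matched against the device IP.
    verdict=$(printf '%s\n' "$GROUP_ACL" | while IFS=: read -r g id action pattern; do
        [ "$g" = "$group" ] || continue
        case "$addr" in
            $pattern) echo "$action $id"; break ;;
        esac
    done)
    set -- $verdict
    if [ "$1" = permit ]; then
        return 0
    fi
    echo "denied by TACACS+ cisco_group_acl:${2:-implicit}"
    return 1
}

# When tac_plus invokes the script with its three arguments, run the check.
if [ $# -eq 3 ]; then
    check_access "$@"
    exit $?
fi
```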