[tac_plus] Re: DEFAULT user option not working?

john heasley heas at shrubbery.net
Tue Jan 9 06:29:55 UTC 2007


> .. I wonder if I could ask another question.
> 
> I have a cisco router with console lines on, and tac_plus config that calls 
> a pre_authorize script to look in a group file to decide which users are 
> allowed to access what devices (by IP)
> 
> When I telnet to the router to port 23, tac_plus calls the script and I get 
> allowed or denied as expected.
> 
> When I telnet to a console line, tac_plus runs but does not seem to call my 
> script, and allows every user in.
> 
> I'm not sure what's different from the telnet request to the console access 
> request about the tacacs request? Clearly the aaa config is set up on the 
> router, and the debug output from tac_plus shows the requests, but the only 
> difference I can see between them is that my script does not get called for
> console requests? Is it because "exec" auth is not getting called for 
> console lines?
> 
> Is there a way to make it call my script for all login requests?

IIRC, the console/aux of the cisco simply does not perform the same
authorization as a vty.  If you enable authorization logging you can
see the difference.

Maybe there is some configuration knob that will make it act normally,
but it's unknown to me.

> 
> Cisco conf:
> 
> aaa new-model
> !
> !
> aaa authentication login default group tacacs+ enable
> aaa authorization exec default group tacacs+ none
> aaa accounting send stop-record authentication failure
> aaa accounting exec default start-stop group tacacs+
> aaa accounting commands 0 default start-stop group tacacs+
> aaa accounting commands 15 default start-stop group tacacs+
> aaa session-id common
> 
> 
> * Correct for telnet:
> 
> spitfire:~>telnet ar1
> Connected to ar1.
> Escape character is '^]'.
> 
> User Access Verification
> 
> Username: tac
> Password:
> % Authorization Failed - denied by TACACS+ cisco_group_acl:101
> 
> Connection closed by foreign host.
> 
> * Incorrect for console lines:
> 
> spitfire:~>telnet ar1 2052
> Connected to ar1.
> Escape character is '^]'.
> 
> User Access Verification
> 
> Username: tac
> Password:
> 
> AlterPath ACS
> 
> acs.tfm7 login:
> 
> 
> tac_plus conf:
> 
> #
> # tac_plus configuration
> #
> 
> accounting file = /var/log/tac_plus_cisco_acct.log
> 
> # logging = <syslog_fac>
> 
> key = "<key>"
> 
> default authentication = file /etc/tacacs/passwd.remote
> 
> group = tac_auth {
>         default service = permit
>         # this script looks up the group for the user in passwd.remote and
>         # then checks the ACL for that group in cisco_group_acl.
>         # It returns a permit or deny accordingly:
>         before authorization "/etc/tacacs/pre_authorize $user $name $address"
> 
>         service = exec {
>          priv-lvl = 1
>         }
> }
> 
> user = DEFAULT {
>          member = tac_auth
> }
> 
> 
> Thanks,
> 
> 
> Rob
> 
> 
> -- 
> Robert Lister   -   London Internet Exchange    -  http://www.linx.net/
> robl at linx.net   -   tel: +44 (0)20 7645 3510    -  RL786-RIPE
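
The quoted config hands the decision to a `before authorization` hook that receives the user, the NAS name and the NAS address and returns permit or deny. The following is an added illustration of such a hook, written for this page; it is not Rob's `pre_authorize` script and not part of tac_plus. The `user:group` layout of the passwd file and the `group prefix` layout of the ACL file are constructed sample formats, and the exit-status convention (0 = permit, 1 = deny) is an assumption to be checked against the tac_plus.conf(5) man page of the version in use.

```python
#!/usr/bin/env python3
"""Pre-authorization hook in the spirit of the quoted tac_plus line
    before authorization "/etc/tacacs/pre_authorize $user $name $address"
Added example, not the original poster's script.
Assumed invocation:  pre_authorize <user> <nas-name> <nas-address>
Assumed result convention: exit 0 = permit, exit 1 = deny (verify against
tac_plus.conf(5) for your release)."""
import ipaddress
import sys

# Constructed sample in place of /etc/tacacs/passwd.remote: one "user:group" per line.
SAMPLE_PASSWD = """\
# user:group
tac:netops
alice:noc
bob:readonly
"""

# Constructed sample in place of cisco_group_acl: "group prefix", one prefix per line.
SAMPLE_ACL = """\
# group   device prefix
netops    10.0.0.0/8
noc       192.0.2.0/24
noc       198.51.100.7/32
"""


def parse_passwd(text):
    """Map user -> group, skipping blank lines and comments."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, group = line.partition(":")
        groups[user.strip()] = group.strip()
    return groups


def parse_acl(text):
    """Map group -> list of permitted device networks."""
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, prefix = line.split()
        acl.setdefault(group, []).append(ipaddress.ip_network(prefix, strict=False))
    return acl


def authorize(user, nas_address, groups, acl):
    """Return (permitted, reason). Unknown users, groups without an ACL entry
    and unparsable addresses all fail closed."""
    group = groups.get(user)
    if group is None:
        return False, f"user {user!r} has no group"
    try:
        addr = ipaddress.ip_address(nas_address)
    except ValueError:
        return False, f"bad NAS address {nas_address!r}"
    for net in acl.get(group, []):
        if addr in net:
            return True, f"{user} ({group}) permitted on {nas_address} via {net}"
    return False, f"{user} ({group}) denied on {nas_address}"


def main(argv):
    if len(argv) != 4:
        print("usage: pre_authorize <user> <nas-name> <nas-address>", file=sys.stderr)
        return 2
    user, _nas_name, nas_address = argv[1:]
    # A deployed script would read the real files here; the samples keep this runnable offline.
    groups = parse_passwd(SAMPLE_PASSWD)
    acl = parse_acl(SAMPLE_ACL)
    permitted, reason = authorize(user, nas_address, groups, acl)
    print(reason, file=sys.stderr)  # ends up in the tac_plus log when run as a hook
    return 0 if permitted else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two design points matter for the situation in the thread. First, the hook denies by default: a user missing from the passwd file, a group with no ACL line, or a malformed address all produce a deny rather than a permit, so a lookup failure cannot widen access. Second, the script can only enforce anything when the NAS actually sends an exec authorization request; as the reply notes, a console or aux line that skips that step never reaches the hook, so the check needs to be confirmed per line type with authorization debugging rather than assumed from the telnet result.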