From x0sin0x at gmail.com Tue Nov 13 00:15:47 2007
From: x0sin0x at gmail.com (SiN)
Date: Mon, 12 Nov 2007 17:15:47 -0700
Subject: [tac_plus] Possible to get tac_plus to authenticate using pam_radius?
Message-ID: <8e885d590711121615p25ffad11lb2d137c334f59acf@mail.gmail.com>

I saw that PAM can be used to authenticate users, but I'm not sure where to start. I tried to just set "login = PAM" to see if any errors would help determine where to get started (looking for missing config or something of that nature). But I get nothing. Is it possible to use PAM to authenticate users to my current radius implementation?

The only reason I even need authentication set up on tac_plus is due to some of our devices not supporting radius at all; for those I will need to authenticate using tac_plus. Other than that everything is radius and I'd like to keep it that way if possible.

Mon Nov 12 17:05:56 2007 [3912]: pam_verify testing
Mon Nov 12 17:05:56 2007 [3912]: pam_tacacs received 1 pam_messages
Mon Nov 12 17:05:56 2007 [3912]: Error 10.248.18.17 tty2: PAM_PROMPT_ECHO_OFF
Mon Nov 12 17:05:58 2007 [3912]: Password is incorrect

is all I see in the logs, and nothing shows up in the radius logs, so I know it's not being sent off to radius.

How can I get this set up to use the current PAM implementation on the system already? Do I need to install something extra?
this is on solaris 10 using tac_plus version F4.0.4.14

From JCharlton at DataPointInc.com Tue Nov 13 16:23:01 2007
From: JCharlton at DataPointInc.com (JCharlton at DataPointInc.com)
Date: Tue, 13 Nov 2007 11:23:01 -0500
Subject: [tac_plus] Re: Privilege Level / Configuration Changes
In-Reply-To: <20071022201156.GE24944@shrubbery.net>
References: <267399925EED774693895C2FF51A6117598E4E@dpttpexch01.DataPointinc.local> <20071022192322.GD24944@shrubbery.net> <267399925EED774693895C2FF51A6117598E68@dpttpexch01.DataPointinc.local> <20071022201156.GE24944@shrubbery.net>
Message-ID: <267399925EED774693895C2FF51A6117599549@dpttpexch01.DataPointinc.local>

John,

We had spoken a few weeks back; the suggestion you made to my question in the email below did not seem to work.

I may be using the wrong command on my Cisco gear. Can you verify if this is the command I need to work in conjunction with the TACACS+ server commands you provided?

aaa authorization exec default group tacacs+

I am trying to be able to use TACACS+, but not have to type in the enable password when logging in, for some users, not all.

Thanks.

Jason Charlton, CCNA
DataPoint Inc.
410-209-6770
noc at datapointinc.com

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Monday, October 22, 2007 4:12 PM
To: Jason Charlton
Cc: heas at shrubbery.net; tac_plus at shrubbery.net
Subject: Re: [tac_plus] Privilege Level / Configuration Changes

the device must also be configured for authorization.

Mon, Oct 22, 2007 at 03:49:17PM -0400, JCharlton at DataPointInc.com:
> Thank you. The restarting command works great, but I still can't log in and have a user be in enable mode without having to type the enable password.
>
> The statement for this user looks like:
>
> user = jcharlton {
>         login = des *****
>         member = staff
> }
>
> With the commands you provided me, my file looks like this, but not acting as I thought it would.
>
> user = jcharlton {
>         login = des sK7fnk8/W5Cvc
>         member = staff
>         service = exec {
>                 priv-lvl=15
>         }
> }
>
> Thanks for any further help.
>
> Jason Charlton, CCNA
> DataPoint Inc.
> 410-209-6770
> noc at datapointinc.com
>
> -----Original Message-----
> From: john heasley [mailto:heas at shrubbery.net]
> Sent: Monday, October 22, 2007 3:23 PM
> To: Jason Charlton
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] Privilege Level / Configuration Changes
>
> Mon, Oct 22, 2007 at 03:15:29PM -0400, JCharlton at DataPointInc.com:
> > Hello,
> >
> > I have 2 questions. First one is, I am using tacacs+-F4.0.4.10, on CentOS 5. I am trying to make it so on a per user basis, when they authenticate to our Cisco gear, they go into enable mode instead of starting in user mode, like you are able to do when you configure usernames with privilege 15 on a Cisco router or switch.
>
> user = name {
>         service = exec {
>                 priv-lvl=15
>         }
> }
>
> > Another thing is that I am trying to make a script or make it so that if you change the configuration file, that you do not have to restart the box to make the change go through, because unfortunately that is the only way I have found to make it apply the configuration changes in the conf file, and I still have to do tac_plus -C /(file) after restart.
>
> kill -1 `cat /var/run/tac_plus.pid`

From heas at shrubbery.net Wed Nov 14 00:03:15 2007
From: heas at shrubbery.net (john heasley)
Date: Tue, 13 Nov 2007 16:03:15 -0800
Subject: [tac_plus] Re: Possible to get tac_plus to authenticate using pam_radius?
In-Reply-To: <8e885d590711121615p25ffad11lb2d137c334f59acf@mail.gmail.com>
References: <8e885d590711121615p25ffad11lb2d137c334f59acf@mail.gmail.com>
Message-ID: <20071114000315.GG20650@shrubbery.net>

Mon, Nov 12, 2007 at 05:15:47PM -0700, [SiN]:
> I saw that PAM can be used to authenticate users, but I'm not sure where to start.
> I tried to just set "login = PAM" to see if any errors would help determine where to get started (looking for missing config or something of that nature). But I get nothing. Is it possible to use PAM to authenticate users to my current radius implementation?

I have not tried it, but it should be. PAM (the library, not tacacs) often refers to defaults when there is no specific setup for "tac_plus"; so you are unlikely to see errors.

> The only reason I even need authentication set up on tac_plus is due to some of our devices not supporting radius at all; for those I will need to authenticate using tac_plus. Other than that everything is radius and I'd like to keep it that way if possible.
>
> Mon Nov 12 17:05:56 2007 [3912]: pam_verify testing
> Mon Nov 12 17:05:56 2007 [3912]: pam_tacacs received 1 pam_messages
> Mon Nov 12 17:05:56 2007 [3912]: Error 10.248.18.17 tty2: PAM_PROMPT_ECHO_OFF
> Mon Nov 12 17:05:58 2007 [3912]: Password is incorrect
>
> is all I see in the logs, and nothing shows up in the radius logs, so I know it's not being sent off to radius.
>
> How can I get this set up to use the current PAM implementation on the system already? Do I need to install something extra?

I'm no PAM expert, but you will need a PAM module that will make the radius query when tac_plus calls PAM to authenticate the user, and configure PAM to use it when called/used by tac_plus.
> this is on solaris 10 using tac_plus version F4.0.4.14
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

From heas at shrubbery.net Wed Nov 14 00:18:55 2007
From: heas at shrubbery.net (john heasley)
Date: Tue, 13 Nov 2007 16:18:55 -0800
Subject: [tac_plus] Re: Privilege Level / Configuration Changes
In-Reply-To: <267399925EED774693895C2FF51A6117599549@dpttpexch01.DataPointinc.local>
References: <267399925EED774693895C2FF51A6117598E4E@dpttpexch01.DataPointinc.local> <20071022192322.GD24944@shrubbery.net> <267399925EED774693895C2FF51A6117598E68@dpttpexch01.DataPointinc.local> <20071022201156.GE24944@shrubbery.net> <267399925EED774693895C2FF51A6117599549@dpttpexch01.DataPointinc.local>
Message-ID: <20071114001855.GI20650@shrubbery.net>

Tue, Nov 13, 2007 at 11:23:01AM -0500, JCharlton at DataPointInc.com:
> John,
>
> We had spoken a few weeks back; the suggestion you made to my question in the email below did not seem to work.
>
> I may be using the wrong command on my Cisco gear. Can you verify if this is the command I need to work in conjunction with the TACACS+ server commands you provided?
>
> aaa authorization exec default group tacacs+

yes, but may want:

aaa authorization exec default group tacacs+ none

> I am trying to be able to use TACACS+, but not have to type in the enable password when logging in, for some users, not all.

this does not work on the console. only vtys. ask cisco TAC why.

> Thanks.
>
> Jason Charlton, CCNA
> DataPoint Inc.
> 410-209-6770
> noc at datapointinc.com
>
> -----Original Message-----
> From: john heasley [mailto:heas at shrubbery.net]
> Sent: Monday, October 22, 2007 4:12 PM
> To: Jason Charlton
> Cc: heas at shrubbery.net; tac_plus at shrubbery.net
> Subject: Re: [tac_plus] Privilege Level / Configuration Changes
>
> the device must also be configured for authorization.
From JCharlton at DataPointInc.com Wed Nov 14 18:29:22 2007
From: JCharlton at DataPointInc.com (JCharlton at DataPointInc.com)
Date: Wed, 14 Nov 2007 13:29:22 -0500
Subject: [tac_plus] Re: Privilege Level / Configuration Changes
In-Reply-To: <20071114001855.GI20650@shrubbery.net>
References: <267399925EED774693895C2FF51A6117598E4E@dpttpexch01.DataPointinc.local> <20071022192322.GD24944@shrubbery.net> <267399925EED774693895C2FF51A6117598E68@dpttpexch01.DataPointinc.local> <20071022201156.GE24944@shrubbery.net> <267399925EED774693895C2FF51A6117599549@dpttpexch01.DataPointinc.local> <20071114001855.GI20650@shrubbery.net>
Message-ID: <267399925EED774693895C2FF51A61175995F6@dpttpexch01.DataPointinc.local>

Thanks a lot for the help, that worked how I thought it would.

Jason Charlton, CCNA
DataPoint Inc.
410-209-6770
noc at datapointinc.com

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Tuesday, November 13, 2007 7:19 PM
To: Jason Charlton
Cc: heas at shrubbery.net; tac_plus at shrubbery.net
Subject: Re: [tac_plus] Privilege Level / Configuration Changes

Tue, Nov 13, 2007 at 11:23:01AM -0500, JCharlton at DataPointInc.com:
> John,
>
> We had spoken a few weeks back; the suggestion you made to my question in the email below did not seem to work.
>
> I may be using the wrong command on my Cisco gear. Can you verify if this is the command I need to work in conjunction with the TACACS+ server commands you provided?
>
> aaa authorization exec default group tacacs+

yes, but may want:

aaa authorization exec default group tacacs+ none

> I am trying to be able to use TACACS+, but not have to type in the enable password when logging in, for some users, not all.

this does not work on the console. only vtys. ask cisco TAC why.

> Thanks.
> > > > user = name { > > service = exec { > > priv-lvl=15 > > } > > } > > > > > Another thing is that I am trying to make a script or make it so > that > > if > > > you change the configuration file, that you do not have to restart > the > > > box to make the change go though, because unfortunately that is the > > only > > > way I have found to make it apply the configuration changes in the > > conf > > > file, and I still have to do tac_plus -C /(file) after restart. > > > > kill -1 `cat /var/run/tac_plus.pid` From heas at shrubbery.net Wed Nov 14 19:32:24 2007 From: heas at shrubbery.net (john heasley) Date: Wed, 14 Nov 2007 11:32:24 -0800 Subject: [tac_plus] Re: Possible to get tac_plus to authenticate using pam_radius? In-Reply-To: <8e885d590711131636p3ea2d4aco3a803ab00b5c391d@mail.gmail.com> References: <8e885d590711121615p25ffad11lb2d137c334f59acf@mail.gmail.com> <20071114000315.GG20650@shrubbery.net> <8e885d590711131636p3ea2d4aco3a803ab00b5c391d@mail.gmail.com> Message-ID: <20071114193224.GC15755@shrubbery.net> Tue, Nov 13, 2007 at 05:36:49PM -0700, [SiN]: > Looks like my problem was how pam.conf was set up. I thought it would > go to the "other", as in not defined but I actually needed to define > tac_plus > > ex > tac_plus auth required /path/to/radius.so > > seems fine now, though working out how to get either "default > authentication" or the DEFAULT user to use PAM for authentication. > Ive made a few quick hacks at it, for the most part its working just > need to work out some issues. > > come to think of it, I wonder why "default authentcation" only > supports a password file, would be nice to support at least PAM as a > default. never considered that; good point. another for the to-do list, i think. > On Nov 13, 2007 5:03 PM, john heasley wrote: > > Mon, Nov 12, 2007 at 05:15:47PM -0700, [SiN]: > > > I seen that PAM can be used to authenticate users, but not sure where > > > to start. 
From kissg at ssg.ki.iif.hu Thu Nov 22 12:37:57 2007
From: kissg at ssg.ki.iif.hu (Kiss Gabor (Bitman))
Date: Thu, 22 Nov 2007 13:37:57 +0100 (CET)
Subject: [tac_plus] Logging facility bugfix
Message-ID:

Hi folks,

If you specify the 'logging' facility in the config file it won't be in effect after startup till the next config reload. This is because main() calls open_logfile() again after reading the config and forking the daemon process.

The patch http://bakacsin.ki.iif.hu/~kissg/pd/tac_plus/tacacs+-F4.0.4.14-k6.diff fixes this bug too. Other interesting features and bugfixes are listed in http://bakacsin.ki.iif.hu/~kissg/pd/tac_plus/README

Gabor
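The `user = name { service = exec { priv-lvl=15 } }` block syntax and `member = group` inheritance discussed in the privilege-level thread above, as an added example that is neither part of the list archive nor the tac_plus project's own code: a small parser for that syntax that lists which users end up at exec privilege 15, so a config edit can be audited before it is reloaded with `kill -1`. The sample config, the `staff`/`netops` groups and the DES hash placeholder are constructed for the example.

```python
import re
TOKEN = re.compile(r'\{|\}|=|"[^"]*"|[^\s{}=]+')   # braces, '=', quoted strings, bare words

def parse(text):
    """Parse tac_plus block syntax into a list of (key, values, children) tuples."""
    toks = TOKEN.findall(re.sub(r'#.*', '', text))   # strip comments, then tokenize
    def block(pos):
        stmts = []
        while pos < len(toks) and toks[pos] != '}':
            key, pos = toks[pos], pos + 1
            if toks[pos:pos + 1] != ['=']:
                raise ValueError(f"expected '=' after {key!r}")
            start = pos = pos + 1
            # values run until a brace or a token that is itself a key (next token is '=')
            while pos < len(toks) and toks[pos] not in ('{', '}', '=') and toks[pos + 1:pos + 2] != ['=']:
                pos += 1
            vals, kids = toks[start:pos], []
            if toks[pos:pos + 1] == ['{']:
                kids, pos = block(pos + 1)
                if toks[pos:pos + 1] != ['}']:
                    raise ValueError("unbalanced braces")
                pos += 1
            stmts.append((key, vals, kids))
        return stmts, pos
    stmts, pos = block(0)
    if pos != len(toks):
        raise ValueError("unexpected '}'")
    return stmts

def priv_lvl(stmts, groups, seen=()):
    """exec priv-lvl set in this block, else the one inherited via 'member = group' (groups may nest)."""
    for key, vals, kids in stmts:
        if key == 'service' and vals == ['exec']:
            for k, v, _ in kids:
                if k == 'priv-lvl' and v:
                    return int(v[0])
    for key, vals, _ in stmts:
        if key == 'member' and vals and vals[0] in groups and vals[0] not in seen:
            lvl = priv_lvl(groups[vals[0]], groups, seen + (vals[0],))
            if lvl is not None:
                return lvl
    return None

def privileged_users(text, level=15):
    """Usernames that land at exec privilege >= level, directly or through group membership."""
    stmts = parse(text)
    groups = {vals[0]: kids for key, vals, kids in stmts if key == 'group' and vals}
    return sorted(vals[0] for key, vals, kids in stmts
                  if key == 'user' and vals and (priv_lvl(kids, groups) or 0) >= level)

# Constructed sample in the syntax quoted in the thread; the DES hash is a placeholder.
SAMPLE = """group = staff { service = exec { priv-lvl = 1 } }
group = netops { member = staff  service = exec { priv-lvl=15 } }
user = jcharlton { login = des XXXXXXXXXXXXX  member = netops }
user = viewer { login = PAM  member = staff }
user = admin { login = PAM  service = exec { priv-lvl=15 } }"""
```

`privileged_users(SAMPLE)` returns `['admin', 'jcharlton']`: jcharlton inherits level 15 through `netops`, while `viewer` only inherits level 1 from `staff`.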