From jnijhof at nijhofnet.nl Tue Oct 14 13:28:58 2008
From: jnijhof at nijhofnet.nl (Jeroen Nijhof)
Date: Tue, 14 Oct 2008 15:28:58 +0200
Subject: [tac_plus] TACACS+ improved pam patch incl. pap

Hi,

I've written a patch to include PAM support for pap in tacacs+ F4.0.4.15. It also includes some minor fixes.

With kind regards,
Jeroen Nijhof

-------------- next part --------------
A non-text attachment was scrubbed...
Name: tacacs+-F4.0.4.15.pam.patch
Type: text/x-patch
Size: 3826 bytes
Desc: not available
Url : http://www.shrubbery.net/pipermail/tac_plus/attachments/20081014/ae07961a/attachment.bin

From john at sackheads.org Tue Oct 14 22:25:39 2008
From: john at sackheads.org (John Payne)
Date: Tue, 14 Oct 2008 18:25:39 -0400
Subject: [tac_plus] ACE authentication

Has anyone had luck translating:

    4. Under the TACACS+ Settings section of the page, configure the following settings:
       - Click the Shell (exec) check box.
       - Click the Custom attributes check box.
       - In the text box below Custom attributes, enter the user role and associated domain for a specific context in the following format:
         shell:= ...
         For example, to assign the selected user to the C1 context with the role ROLE1 and the domain DOMAIN1, enter shell:C1=ROLE1 DOMAIN1.

into tac_plus format? I'm trying various combinations under service=shell, but I'm getting stuck with the Network-Monitor role, not the Admin role.

From john at sackheads.org Tue Oct 14 22:26:30 2008
From: john at sackheads.org (John Payne)
Date: Tue, 14 Oct 2008 18:26:30 -0400
Subject: [tac_plus] ScreenOS hints
Message-ID: <71EE407C-A9E6-498D-892D-25683A09015A@sackheads.org>

This took a while to find, so sending here to document. ScreenOS 6+ will authenticate via TACACS+.
Necessary tac_plus.cfg snippet:

    service = netscreen {
        vsys = root
        privilege = read-write
    }

From mark.thomas at corp.aol.com Tue Oct 14 22:35:32 2008
From: mark.thomas at corp.aol.com (Mark Ellzey Thomas)
Date: Tue, 14 Oct 2008 18:35:32 -0400
Subject: [tac_plus] Re: ScreenOS hints
In-Reply-To: <71EE407C-A9E6-498D-892D-25683A09015A@sackheads.org>
References: <71EE407C-A9E6-498D-892D-25683A09015A@sackheads.org>
Message-ID: <20081014223532.GS5528@corp.aol.com>

On Tue, Oct 14, 2008 at 06:26:30PM -0400, John Payne wrote:
> This took a while to find, so sending here to document. ScreenOS 6+
> will authenticate via TACACS+.
>
> Necessary tac_plus.cfg snippet:
>
>     service = netscreen {
>         vsys = root
>         privilege = read-write
>     }

Greetings John,

Thank you very much for posting this. Do you know whether authorization is supported with 6.0 (or will be)? I remember seeing that it is only read or read/write.

From john at sackheads.org Tue Oct 14 23:22:20 2008
From: john at sackheads.org (John Payne)
Date: Tue, 14 Oct 2008 19:22:20 -0400
Subject: [tac_plus] Re: ScreenOS hints
In-Reply-To: <20081014223532.GS5528@corp.aol.com>
References: <71EE407C-A9E6-498D-892D-25683A09015A@sackheads.org> <20081014223532.GS5528@corp.aol.com>
Message-ID: <16EBA388-6543-41BC-A1E9-84E692AC1B93@sackheads.org>

On Oct 14, 2008, at 6:35 PM, Mark Ellzey Thomas wrote:
> On Tue, Oct 14, 2008 at 06:26:30PM -0400, John Payne wrote:
>> This took a while to find, so sending here to document. ScreenOS 6+
>> will authenticate via TACACS+.
>>
>> Necessary tac_plus.cfg snippet:
>>
>>     service = netscreen {
>>         vsys = root
>>         privilege = read-write
>>     }
>
> Greetings John,
>
> Thank you very much for posting this. Do you know whether authorization
> is supported with 6.0 (or will be)? I remember seeing that it is only
> read or read/write.

I'm only looking at 6.1 at this point. Authorization is not yet available, but there is read-only, read-write and something else...
I think admin or superuser (basically read-write but a few extra privs like setting up nsrp and local user maintenance).

I will say that tacacs+ support is not complete yet. The biggest issue for me right now is that failover isn't working between primary and backup servers. I did get a patch for remote address in about 2 weeks though, so engineering is invested.

From john at sackheads.org Wed Oct 15 23:12:20 2008
From: john at sackheads.org (John Payne)
Date: Wed, 15 Oct 2008 19:12:20 -0400
Subject: [tac_plus] Re: ACE authentication
Message-ID: <12B0E932-B37B-499E-8BA5-453E204F2339@sackheads.org>

On Oct 14, 2008, at 6:25 PM, John Payne wrote:
> Has anyone had luck translating:
>
>     4. Under the TACACS+ Settings section of the page, configure the following settings:
>        - Click the Shell (exec) check box.
>        - Click the Custom attributes check box.
>        - In the text box below Custom attributes, enter the user role and associated domain for a specific context in the following format:
>          shell:= ...
>          For example, to assign the selected user to the C1 context with the role ROLE1 and the domain DOMAIN1, enter shell:C1=ROLE1 DOMAIN1.
>
> into tac_plus format? I'm trying various combinations under
> service=shell, but I'm getting stuck with the Network-Monitor role,
> not the Admin role.

Answering my own question:

    service = exec {
        shell:Admin = "Admin default-domain"
    }

(shell:context = "role domain")

From john at sackheads.org Thu Oct 16 04:02:50 2008
From: john at sackheads.org (John Payne)
Date: Thu, 16 Oct 2008 00:02:50 -0400
Subject: [tac_plus] Re: ACE authentication
In-Reply-To: <12B0E932-B37B-499E-8BA5-453E204F2339@sackheads.org>
References: <12B0E932-B37B-499E-8BA5-453E204F2339@sackheads.org>
Message-ID: <675D4344-A000-4B5A-A743-2085A2FE1CE1@sackheads.org>

On Oct 15, 2008, at 7:12 PM, John Payne wrote:
> On Oct 14, 2008, at 6:25 PM, John Payne wrote:
>> Has anyone had luck translating:
>>
>>     4. Under the TACACS+ Settings section of the page, configure the following settings:
>>        - Click the Shell (exec) check box.
>>        - Click the Custom attributes check box.
>>        - In the text box below Custom attributes, enter the user role and associated domain for a specific context in the following format:
>>          shell:= ...
>>          For example, to assign the selected user to the C1 context with the role ROLE1 and the domain DOMAIN1, enter shell:C1=ROLE1 DOMAIN1.
>>
>> into tac_plus format? I'm trying various combinations under
>> service=shell, but I'm getting stuck with the Network-Monitor role,
>> not the Admin role.
>
> Answering my own question:
>
>     service = exec {
>         shell:Admin = "Admin default-domain"
>     }
>
> (shell:context = "role domain")

Argh... Except that broke authentication for IOS devices....

Help?

From john at sackheads.org Thu Oct 16 20:54:42 2008
From: john at sackheads.org (John Payne)
Date: Thu, 16 Oct 2008 16:54:42 -0400
Subject: [tac_plus] Re: ACE authentication
In-Reply-To: <4e0e47490810161311t5667612cv4f54c6adfda25cb1@mail.gmail.com>
References: <12B0E932-B37B-499E-8BA5-453E204F2339@sackheads.org> <675D4344-A000-4B5A-A743-2085A2FE1CE1@sackheads.org> <4e0e47490810161311t5667612cv4f54c6adfda25cb1@mail.gmail.com>
Message-ID: <28998FF3-D70D-44C0-BCF0-461194BECDFE@sackheads.org>

On Oct 16, 2008, at 4:11 PM, jathan. wrote:
> Try adding the keyword 'optional' before the conditional
> shell:Admin. Example:
>
>     service = exec {
>         optional shell:Admin = "Admin default-domain"
>     }

Yep... Mr Heasley mentioned this last night, I didn't realise it didn't go to the list :)

Thanks!

> This tells the NAS to ignore this or override it if it doesn't
> understand it. Not sure if that will work in this case, but I've
> used that in the past to enable special-case support for Procket
> hardware.
>
> On Wed, Oct 15, 2008 at 9:02 PM, John Payne wrote:
>> On Oct 15, 2008, at 7:12 PM, John Payne wrote:
>>> On Oct 14, 2008, at 6:25 PM, John Payne wrote:
>>>> Has anyone had luck translating:
>>>>
>>>>     4. Under the TACACS+ Settings section of the page, configure the following settings:
>>>>        - Click the Shell (exec) check box.
>>>>        - Click the Custom attributes check box.
>>>>        - In the text box below Custom attributes, enter the user role and associated domain for a specific context in the following format:
>>>>          shell:= ...
>>>>          For example, to assign the selected user to the C1 context with the role ROLE1 and the domain DOMAIN1, enter shell:C1=ROLE1 DOMAIN1.
>>>>
>>>> into tac_plus format? I'm trying various combinations under
>>>> service=shell, but I'm getting stuck with the Network-Monitor role,
>>>> not the Admin role.
>>>
>>> Answering my own question:
>>>
>>>     service = exec {
>>>         shell:Admin = "Admin default-domain"
>>>     }
>>>
>>> (shell:context = "role domain")
>>
>> Argh... Except that broke authentication for IOS devices....
>>
>> Help?
>> _______________________________________________
>> tac_plus mailing list
>> tac_plus at shrubbery.net
>> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>
> --
> Jathan.

From jathan at gmail.com Thu Oct 16 20:11:56 2008
From: jathan at gmail.com (jathan.)
Date: Thu, 16 Oct 2008 13:11:56 -0700
Subject: [tac_plus] Re: ACE authentication
In-Reply-To: <675D4344-A000-4B5A-A743-2085A2FE1CE1@sackheads.org>
References: <12B0E932-B37B-499E-8BA5-453E204F2339@sackheads.org> <675D4344-A000-4B5A-A743-2085A2FE1CE1@sackheads.org>
Message-ID: <4e0e47490810161311t5667612cv4f54c6adfda25cb1@mail.gmail.com>

Try adding the keyword 'optional' before the conditional shell:Admin. Example:

    service = exec {
        optional shell:Admin = "Admin default-domain"
    }

This tells the NAS to ignore this or override it if it doesn't understand it. Not sure if that will work in this case, but I've used that in the past to enable special-case support for Procket hardware.

On Wed, Oct 15, 2008 at 9:02 PM, John Payne wrote:
> On Oct 15, 2008, at 7:12 PM, John Payne wrote:
>> On Oct 14, 2008, at 6:25 PM, John Payne wrote:
>>> Has anyone had luck translating:
>>>
>>>     4. Under the TACACS+ Settings section of the page, configure the following settings:
>>>        - Click the Shell (exec) check box.
>>>        - Click the Custom attributes check box.
>>>        - In the text box below Custom attributes, enter the user role and associated domain for a specific context in the following format:
>>>          shell:= ...
>>>          For example, to assign the selected user to the C1 context with the role ROLE1 and the domain DOMAIN1, enter shell:C1=ROLE1 DOMAIN1.
>>>
>>> into tac_plus format? I'm trying various combinations under
>>> service=shell, but I'm getting stuck with the Network-Monitor role,
>>> not the Admin role.
>>
>> Answering my own question:
>>
>>     service = exec {
>>         shell:Admin = "Admin default-domain"
>>     }
>>
>> (shell:context = "role domain")
>
> Argh... Except that broke authentication for IOS devices....
>
> Help?

--
Jathan.
From ibatterb at gmail.com Tue Oct 28 03:04:09 2008
From: ibatterb at gmail.com (Ian Batterbee)
Date: Tue, 28 Oct 2008 16:04:09 +1300
Subject: [tac_plus] question about tac_plus
Message-ID: <489d9f1e0810272004k51d223f6h254961c76cd59778@mail.gmail.com>

Hi,

We currently use your tac_plus daemon to authenticate logins to numerous cisco devices. It is also being used to authenticate VPN users on a PIX firewall. What I would like to do is have the tac_plus server pass a group policy name back as part of the reply so that the group the user is placed into can be centrally managed.

I'm pretty sure radius can do this, and it appears the tacacs protocol is similarly capable, but it's unclear whether tac_plus provides any way to do it.

The main thing stopping me from figuring this out myself is that I can't find any documentation for the syntax of the tacacs.conf file - I can find numerous examples showing how to set up users and command authentication, but nothing to describe what else is available. The man page for the daemon notes that the syntax is complex, but doesn't elaborate further.

Is there a URL with the syntax for the config file, or can what I want to do even be done with tac_plus ?

From embeddedlinuxguy at gmail.com Tue Oct 28 19:41:04 2008
From: embeddedlinuxguy at gmail.com (Jesse Zbikowski)
Date: Tue, 28 Oct 2008 12:41:04 -0700
Subject: [tac_plus] Re: question about tac_plus
In-Reply-To: <489d9f1e0810272004k51d223f6h254961c76cd59778@mail.gmail.com>
References: <489d9f1e0810272004k51d223f6h254961c76cd59778@mail.gmail.com>
Message-ID: <683785120810281241p22fa8585x5930e53a32633de4@mail.gmail.com>

On Mon, Oct 27, 2008 at 8:04 PM, Ian Batterbee wrote:
> What I would like to do is have the tac_plus server pass a group
> policy name back as part of the reply so that the group the user is placed
> into can be centrally managed.

TACACS+ supports passing attribute/value pairs. I am not sure how to do this in tac_plus. I would be very interested if anyone knows how to send arbitrary a/v pairs from the server and how the client can use them.

One way you can accomplish group assignment is to specify a fake "protocol" to indicate group membership. For example in my tac_plus.conf:

    user = admin {
        pap = des ...
        service = ppp protocol = my-admin-group {}
    }

    user = mike {
        pap = des ...
        service = ppp protocol = my-user-group {}
    }

When "mike" tries to log in, he will first attempt to authorize service=ppp protocol=my-admin-group. When this fails, the client software should fall back to service=ppp protocol=my-user-group.
From heas at shrubbery.net Wed Oct 29 00:16:30 2008
From: heas at shrubbery.net (john heasley)
Date: Tue, 28 Oct 2008 17:16:30 -0700
Subject: [tac_plus] Re: question about tac_plus
In-Reply-To: <683785120810281241p22fa8585x5930e53a32633de4@mail.gmail.com>
References: <489d9f1e0810272004k51d223f6h254961c76cd59778@mail.gmail.com> <683785120810281241p22fa8585x5930e53a32633de4@mail.gmail.com>
Message-ID: <20081029001630.GL20387@shrubbery.net>

Tue, Oct 28, 2008 at 12:41:04PM -0700, Jesse Zbikowski:
> On Mon, Oct 27, 2008 at 8:04 PM, Ian Batterbee wrote:
>> What I would like to do is have the tac_plus server pass a group
>> policy name back as part of the reply so that the group the user is placed
>> into can be centrally managed.
>
> TACACS+ supports passing attribute/value pairs. I am not sure how to
> do this in tac_plus. I would be very interested if anyone knows how
> to send arbitrary a/v pairs from the server and how the client can use
> them.
>
> One way you can accomplish group assignment is to specify a fake
> "protocol" to indicate group membership. For example in my
> tac_plus.conf:
>
>     user = admin {
>         pap = des ...
>         service = ppp protocol = my-admin-group {}
>     }
>
>     user = mike {
>         pap = des ...
>         service = ppp protocol = my-user-group {}
>     }
>
> When "mike" tries to log in, he will first attempt to authorize
> service=ppp protocol=my-admin-group. When this fails, the client
> software should fall back to service=ppp protocol=my-user-group.

without searching through the code; i know for certain that any AV pair can be sent with authorization scripts.
From ibatterb at gmail.com Wed Oct 29 03:18:30 2008
From: ibatterb at gmail.com (Ian Batterbee)
Date: Wed, 29 Oct 2008 16:18:30 +1300
Subject: [tac_plus] Re: question about tac_plus
In-Reply-To: <20081029001630.GL20387@shrubbery.net>
References: <489d9f1e0810272004k51d223f6h254961c76cd59778@mail.gmail.com> <683785120810281241p22fa8585x5930e53a32633de4@mail.gmail.com> <20081029001630.GL20387@shrubbery.net>
Message-ID: <489d9f1e0810282018w7a7f2b9ex53116c48e32cbb08@mail.gmail.com>

That's good to know, but I'm still a bit confused about the configuration file syntax. Is there a reference for it somewhere I can read ?

On Wed, Oct 29, 2008 at 1:16 PM, john heasley wrote:
> Tue, Oct 28, 2008 at 12:41:04PM -0700, Jesse Zbikowski:
>> On Mon, Oct 27, 2008 at 8:04 PM, Ian Batterbee wrote:
>>> What I would like to do is have the tac_plus server pass a group
>>> policy name back as part of the reply so that the group the user is placed
>>> into can be centrally managed.
>>
>> TACACS+ supports passing attribute/value pairs. I am not sure how to
>> do this in tac_plus. I would be very interested if anyone knows how
>> to send arbitrary a/v pairs from the server and how the client can use
>> them.
>>
>> One way you can accomplish group assignment is to specify a fake
>> "protocol" to indicate group membership. For example in my
>> tac_plus.conf:
>>
>>     user = admin {
>>         pap = des ...
>>         service = ppp protocol = my-admin-group {}
>>     }
>>
>>     user = mike {
>>         pap = des ...
>>         service = ppp protocol = my-user-group {}
>>     }
>>
>> When "mike" tries to log in, he will first attempt to authorize
>> service=ppp protocol=my-admin-group. When this fails, the client
>> software should fall back to service=ppp protocol=my-user-group.
>
> without searching through the code; i know for certain that any AV pair
> can be sent with authorization scripts.

From jon.hartman at verizon.com Wed Oct 29 17:50:56 2008
From: jon.hartman at verizon.com (Hartman, Jonathan M. (Jon))
Date: Wed, 29 Oct 2008 13:50:56 -0400
Subject: [tac_plus] Re: Forcing privilege level
Message-ID: <4CE6E5A2519F9D45B891F624231F488D6F34BF@FHDP1LUMXCV15.us.one.verizon.com>

Team-

I've been attempting without success to get a TACACS login to pass my ID off as an auth level of 6. I've got some load-balancers that require that to determine your access level. There's no opportunity to enter an enable password, so whatever level you're granted by the daemon is what you'll get.

Every time I try, I get something similar to the following:

    Starting tacacs+: Error: Unrecognised keyword priv_lvl for user on line 82

Here's the config I'm using. I've also tried priv-lvl. I've tried this on the alpha code and the .15 rev with no success. When I tell the daemon to parse the config with the -p option, it doesn't complain but when I restart it, I get the error.

    user = testuser {
        default service = permit
        member = groupname
        login = des passwordhash
        name = "Jon Hartman"
        priv_lvl = 6
    }

I'd really appreciate any assistance you can provide.

Thanks in advance,

________________________________
Jon Hartman, CCNP
Network Engineering
Verizon Internet Operations
Phone: 214-513-6792
Cell: 940-453-1111
From john at sackheads.org Wed Oct 29 18:03:48 2008
From: john at sackheads.org (John Payne)
Date: Wed, 29 Oct 2008 14:03:48 -0400
Subject: [tac_plus] Re: Forcing privilege level
In-Reply-To: <4CE6E5A2519F9D45B891F624231F488D6F34BF@FHDP1LUMXCV15.us.one.verizon.com>
References: <4CE6E5A2519F9D45B891F624231F488D6F34BF@FHDP1LUMXCV15.us.one.verizon.com>
Message-ID: <5FC40641-19CE-4D7F-B5ED-9F1DF7F6E919@sackheads.org>

On Oct 29, 2008, at 1:50 PM, Hartman, Jonathan M. (Jon) wrote:
> Team-
>
> I've been attempting without success to get a TACACS login to pass my ID
> off as an auth level of 6. I've got some load-balancers that require
> that to determine your access level. There's no opportunity to enter an
> enable password, so whatever level you're granted by the daemon is what
> you'll get.
>
> Every time I try, I get something similar to the following:
>
>     Starting tacacs+: Error: Unrecognised keyword priv_lvl for user on line 82
>
> Here's the config I'm using. I've also tried priv-lvl. I've tried this
> on the alpha code and the .15 rev with no success. When I tell the
> daemon to parse the config with the -p option, it doesn't complain but
> when I restart it, I get the error.
>
>     user = testuser {
>         default service = permit
>         member = groupname
>         login = des passwordhash
>         name = "Jon Hartman"
>         priv_lvl = 6
>     }
>
> I'd really appreciate any assistance you can provide.
It's inside a service:

    service = exec {
        priv-lvl = 6
    }

Assuming that your load balancers use service = exec

From embeddedlinuxguy at gmail.com Thu Oct 30 00:39:58 2008
From: embeddedlinuxguy at gmail.com (Jesse Zbikowski)
Date: Wed, 29 Oct 2008 17:39:58 -0700
Subject: [tac_plus] Re: question about tac_plus
In-Reply-To: <489d9f1e0810282018w7a7f2b9ex53116c48e32cbb08@mail.gmail.com>
References: <489d9f1e0810272004k51d223f6h254961c76cd59778@mail.gmail.com> <683785120810281241p22fa8585x5930e53a32633de4@mail.gmail.com> <20081029001630.GL20387@shrubbery.net> <489d9f1e0810282018w7a7f2b9ex53116c48e32cbb08@mail.gmail.com>
Message-ID: <683785120810291739l12452547t31a381cd277d7b9b@mail.gmail.com>

On Tue, Oct 28, 2008 at 8:18 PM, Ian Batterbee wrote:
> I'm still a bit confused about the configuration
> file syntax. Is there a reference for it somewhere I can read ?

Please see "man 5 tac_plus.conf". Here is some example server side configuration. You will have to process the A/V pairs on the client to make use of the custom "usergroup" attribute.

    # tac_plus.conf
    user = tryme {
        pap = cleartext tryme
        service=ppp protocol=users {}
        after authorization "/usr/local/tac/postauth $user"
    }

    # /usr/local/tac/postauth
    #!/usr/bin/perl
    my $user = shift @ARGV;
    while (<STDIN>) {
        print;                              # pass A/V pairs from tac_plus
    }
    if ($user eq 'tryme') {
        print "usergroup=administrator\n";  # new A/V pair
        exit 2;                             # send A/V pairs to client
    } else {
        exit 1;                             # fail
    }

From ibatterb at gmail.com Thu Oct 30 01:16:57 2008
From: ibatterb at gmail.com (Ian Batterbee)
Date: Thu, 30 Oct 2008 14:16:57 +1300
Subject: [tac_plus] Re: question about tac_plus
In-Reply-To: <489d9f1e0810291758j539dadb9l1c64de496949ad4b@mail.gmail.com>
References: <489d9f1e0810272004k51d223f6h254961c76cd59778@mail.gmail.com> <683785120810281241p22fa8585x5930e53a32633de4@mail.gmail.com> <20081029001630.GL20387@shrubbery.net> <489d9f1e0810282018w7a7f2b9ex53116c48e32cbb08@mail.gmail.com> <683785120810291739l12452547t31a381cd277d7b9b@mail.gmail.com> <489d9f1e0810291758j539dadb9l1c64de496949ad4b@mail.gmail.com>
Message-ID: <489d9f1e0810291816h56d58333l139bd6f18c1eaba3@mail.gmail.com>

Further to my last, I've now downloaded the latest version and found the man page in there. I should probably have thought of that earlier. Thanks for letting me know it existed.
From ibatterb at gmail.com Thu Oct 30 00:58:07 2008
From: ibatterb at gmail.com (Ian Batterbee)
Date: Thu, 30 Oct 2008 13:58:07 +1300
Subject: [tac_plus] Re: question about tac_plus
In-Reply-To: <683785120810291739l12452547t31a381cd277d7b9b@mail.gmail.com>
References: <489d9f1e0810272004k51d223f6h254961c76cd59778@mail.gmail.com> <683785120810281241p22fa8585x5930e53a32633de4@mail.gmail.com> <20081029001630.GL20387@shrubbery.net> <489d9f1e0810282018w7a7f2b9ex53116c48e32cbb08@mail.gmail.com> <683785120810291739l12452547t31a381cd277d7b9b@mail.gmail.com>
Message-ID: <489d9f1e0810291758j539dadb9l1c64de496949ad4b@mail.gmail.com>

Ahhh, thanks, I seem to be missing that man page, although the one for tac_plus itself exists. The Makefile only installs tac_plus.1. The version we have running is F4.0.4.alpha - perhaps that's my problem.. although I believe we have to use this version as it was modified some time ago to kludge an issue the company had with some device back then.

Thanks also for the 'after authorization' suggestion - I take it that if the script returns 1 to tac_plus, tac_plus will fail the authorization request ?

On Thu, Oct 30, 2008 at 1:39 PM, Jesse Zbikowski wrote:
> On Tue, Oct 28, 2008 at 8:18 PM, Ian Batterbee wrote:
>> I'm still a bit confused about the configuration
>> file syntax. Is there a reference for it somewhere I can read ?
>
> Please see "man 5 tac_plus.conf". Here is some example server side
> configuration. You will have to process the A/V pairs on the client
> to make use of the custom "usergroup" attribute.
>
>     # tac_plus.conf
>     user = tryme {
>         pap = cleartext tryme
>         service=ppp protocol=users {}
>         after authorization "/usr/local/tac/postauth $user"
>     }
>
>     # /usr/local/tac/postauth
>     #!/usr/bin/perl
>     my $user = shift @ARGV;
>     while (<STDIN>) {
>         print;                              # pass A/V pairs from tac_plus
>     }
>     if ($user eq 'tryme') {
>         print "usergroup=administrator\n";  # new A/V pair
>         exit 2;                             # send A/V pairs to client
>     } else {
>         exit 1;                             # fail
>     }

From ibatterb at gmail.com Fri Oct 31 01:55:43 2008
From: ibatterb at gmail.com (Ian Batterbee)
Date: Fri, 31 Oct 2008 14:55:43 +1300
Subject: [tac_plus] after authorization
Message-ID: <489d9f1e0810301855o538cdc4cod0504b61c28780b1@mail.gmail.com>

Hi,

I'm now trying (as suggested by previous posters) to use 'after authorization "external-process"' in order to provide arbitrary AV values back to the client.

The trouble is that while the config file parses okay, the external script never gets executed. I've tried "before authorization" as well, with the same results.

    user=test {
        before authorization "/usr/local/tac/postauth $user"
    }

Currently, the script writes to a log file in /tmp/, so that I can see if it runs, and the file is never touched.

I've tried the latest version of tacacs+ from shrubbery.net, with the same results.

Am I doing something fundamentally wrong here, or does it not work as the documentation suggests it should ?
From heas at shrubbery.net Fri Oct 31 06:45:28 2008
From: heas at shrubbery.net (john heasley)
Date: Fri, 31 Oct 2008 06:45:28 +0000
Subject: [tac_plus] Re: after authorization
In-Reply-To: <489d9f1e0810301855o538cdc4cod0504b61c28780b1@mail.gmail.com>
References: <489d9f1e0810301855o538cdc4cod0504b61c28780b1@mail.gmail.com>
Message-ID: <20081031064528.GA9209@shrubbery.net>

Fri, Oct 31, 2008 at 02:55:43PM +1300, Ian Batterbee:
> Hi,
>
> I'm now trying (as suggested by previous posters) to use 'after
> authorization "external-process"' in order to provide arbitrary AV values
> back to the client.
>
> The trouble is that while the config file parses okay, the external script
> never gets executed. I've tried "before authorization" as well, with the
> same results.
>
>     user=test {
>         before authorization "/usr/local/tac/postauth $user"
>     }
>
> Currently, the script writes to a log file in /tmp/, so that I can see if it
> runs, and the file is never touched.
>
> I've tried the latest version of tacacs+ from shrubbery.net, with the same
> results.
>
> Am I doing something fundamentally wrong here, or does it not work as the
> documentation suggests it should ?

the client has to use authorization. also see the -d/debug options.

From ibatterb at gmail.com Fri Oct 31 06:48:33 2008
From: ibatterb at gmail.com (Ian Batterbee)
Date: Fri, 31 Oct 2008 19:48:33 +1300
Subject: [tac_plus] Re: after authorization
In-Reply-To: <20081031064528.GA9209@shrubbery.net>
References: <489d9f1e0810301855o538cdc4cod0504b61c28780b1@mail.gmail.com> <20081031064528.GA9209@shrubbery.net>
Message-ID: <490AAA41.5030009@gmail.com>

> the client has to use authorization. also see the -d/debug options.

You mean as opposed to authentication ? The client in this case is a PIX that's using tacacs to verify the user's credentials.
From tacplus at gheek.net Fri Oct 31 16:21:56 2008
From: tacplus at gheek.net (Lance Vermilion)
Date: Fri, 31 Oct 2008 09:21:56 -0700
Subject: [tac_plus] Re: after authorization
In-Reply-To: <8423e7bb0810310752o3b115a14ub53a3aaac23369f6@mail.gmail.com>
References: <489d9f1e0810301855o538cdc4cod0504b61c28780b1@mail.gmail.com> <20081031064528.GA9209@shrubbery.net> <490AAA41.5030009@gmail.com> <8423e7bb0810310752o3b115a14ub53a3aaac23369f6@mail.gmail.com>
Message-ID: <8423e7bb0810310921u16121ca2wd57bfe5035c74742@mail.gmail.com>

Ian,

What do you have set for your AAA statements on your PIX? What commands are you executing on your PIX that you think require authorization?

On Fri, Oct 31, 2008 at 7:52 AM, Lance Vermilion wrote:
> Ian,
> What do you have set for your AAA statements on your PIX? What commands are
> you executing on your PIX that you think require authorization?
>
> On Thu, Oct 30, 2008 at 11:48 PM, Ian Batterbee wrote:
>>> the client has to use authorization. also see the -d/debug options.
>>
>> You mean as opposed to authentication ? The client in this case is a
>> PIX that's using tacacs to verify the user's credentials.
From ibatterb at gmail.com Fri Oct 31 19:34:00 2008
From: ibatterb at gmail.com (Ian Batterbee)
Date: Sat, 01 Nov 2008 08:34:00 +1300
Subject: [tac_plus] Re: after authorization
In-Reply-To: <8423e7bb0810310752o3b115a14ub53a3aaac23369f6@mail.gmail.com>
References: <489d9f1e0810301855o538cdc4cod0504b61c28780b1@mail.gmail.com> <20081031064528.GA9209@shrubbery.net> <490AAA41.5030009@gmail.com> <8423e7bb0810310752o3b115a14ub53a3aaac23369f6@mail.gmail.com>
Message-ID: <490B5DA8.3030108@gmail.com>

Sorry, I seem to have missed out a few words there - to clarify, the PIX is using tacacs to verify users who are terminating a VPN on it.. in other words, this is not for authorizing CLI commands, but rather to validate VPN user credentials. As a side issue, it also validates exec users trying to connect, but that's not what I'm trying to deal with at the moment.

In addition to validating the user's name and password, I need tac_plus to pass back an AV pair that tells the PIX which group policy to apply to the connecting VPN user. I believe this can be done with radius or cisco ACS by returning a value for "IETF-Radius-Class" - and from what I can see of the tacacs+ protocol, it should be able to do the same thing. The issue is how do I tell tac_plus to return that AV pair.

Lance Vermilion wrote, On Sat 01/11/2008 03:52:
> Ian,
>
> What do you have set for your AAA statements on your PIX? What
> commands are you executing on your PIX that you think require
> authorization?
>
> On Thu, Oct 30, 2008 at 11:48 PM, Ian Batterbee wrote:
>>> the client has to use authorization. also see the -d/debug options.
>>
>> You mean as opposed to authentication ? The client in this case is a
>> PIX that's using tacacs to verify the user's credentials.
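An added example (not part of this thread and not the tac_plus project's own code) of the post-authorization program mechanism Jesse Zbikowski sketched in Perl earlier in the thread, which is the route to returning a group-policy attribute like the one Ian is after. It is a Python rewrite of that script, generalized from a single hard-coded user to a user-to-group table, with a fail-closed default for unknown users and for input it cannot parse. The install path /usr/local/tac/postauth and the `after authorization "/usr/local/tac/postauth $user"` configuration line come from the thread; the USER_GROUPS table, the group names and the "usergroup" attribute name are constructed for the example, and the exit-status meanings (2 = send the printed A/V pairs to the client, 1 = fail the authorization) are taken from the Perl script on this page rather than verified against the tac_plus source. As john heasley points out above, the program only runs when the client actually issues an authorization request, so a PIX configured for authentication only will never call it.

```python
#!/usr/bin/env python3
"""Post-authorization filter for tac_plus (added example, not the project's
own code).

Referenced from tac_plus.conf as:
    after authorization "/usr/local/tac/postauth $user"

tac_plus passes the user name as argv[1] and the A/V pairs it has already
decided on, one per line, on stdin.  The program echoes those pairs, appends
a usergroup=... pair for users it knows, and signals the outcome through its
exit status (contract as described in the Perl version on this page):
    2  send the printed A/V pairs to the client
    1  fail the authorization

Manual check from a shell (constructed input):
    printf 'service=ppp\\nprotocol=users\\n' | ./postauth tryme; echo $?
"""
import sys

# Constructed for the example: who belongs to which group.  In production
# this would be loaded from a file or a directory rather than hard-coded.
USER_GROUPS = {
    "tryme": "administrator",
    "mike": "vpn-users",
}

# Attribute name the client is expected to interpret; an assumption here.
GROUP_ATTR = "usergroup"

SEND_AV_PAIRS = 2   # exit status: send the A/V pairs we printed (per the thread)
FAIL = 1            # exit status: deny the authorization (per the thread)


def parse_av_pairs(lines):
    """Split 'attr=value' / 'attr*value' lines into (attr, sep, value) tuples.

    TACACS+ uses '=' for a mandatory attribute and '*' for an optional one;
    the first occurrence of either character is the separator.  A line with
    neither is malformed and raises ValueError so the caller can fail closed.
    """
    pairs = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        for i, ch in enumerate(line):
            if ch in "=*":
                pairs.append((line[:i], ch, line[i + 1:]))
                break
        else:
            raise ValueError("malformed A/V pair: %r" % line)
    return pairs


def decide(user, incoming_lines):
    """Return (output_lines, exit_status) for this user and the A/V pairs
    tac_plus handed us.  Unknown users are denied; known users get every
    incoming pair echoed back plus an authoritative usergroup pair."""
    pairs = parse_av_pairs(incoming_lines)
    group = USER_GROUPS.get(user)
    if group is None:
        return [], FAIL
    # Drop any usergroup pair that arrived from elsewhere so the server-side
    # table is the only source of group membership, then append ours.
    out = ["%s%s%s" % (attr, sep, value)
           for attr, sep, value in pairs if attr != GROUP_ATTR]
    out.append("%s=%s" % (GROUP_ATTR, group))
    return out, SEND_AV_PAIRS


def main(argv):
    if len(argv) != 2:
        sys.stderr.write("usage: postauth <user>\n")
        return FAIL
    try:
        lines, status = decide(argv[1], sys.stdin.readlines())
    except ValueError as exc:
        # Unparseable input from the daemon: deny rather than guess.
        sys.stderr.write("postauth: %s\n" % exc)
        return FAIL
    for line in lines:
        sys.stdout.write(line + "\n")
    sys.stdout.flush()
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The client still has to understand the attribute it receives; as Jesse noted, a custom pair such as usergroup is only useful if the device consuming it knows what to do with it, and the -d debug options mentioned by john heasley are the way to confirm the daemon actually invoked the program and what it sent back.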