[tac_plus] Re: Query

Schmidt, Daniel dan.schmidt at uplinkdata.com
Thu Apr 2 21:50:11 UTC 2009


Thanks much, John!  

However, I think we may misunderstand the passed variables because
$address returns the IP of the user, not the device.  

From the tac_plus developers kit guide.

    user    -- user name
    name    -- Nas name
    port    -- Nas port
    address -- Nac address (remote user location)
    priv    -- privilege level (a digit, 0 to 15)
    method  -- (a digit, 1 to 4)
    type    -- (a digit, 1 to 4)
    service -- (a digit, 1 to 7)
    status  -- (pass, fail, error, unknown)

NAS --- A Network Access Server e.g. a Cisco box, or any other
	*client* which makes tacacs+ authentication and authorization
	requests, or generates Tacacs+ accounting packets.

Rather confusing - Nac address would be the Cisco box, but in
parenthesis, it very specifically says "remote user location."  Which
is exactly what I have found it to return.

The keys it returns were:
service=shell
cmdref.pdf
priv-lvl=15

Which were less than helpful. (cmdref.pdf?)  

The user address is useful - we could forbid users from certain IP
ranges.  Some sort of integration with fail2ban comes to mind.  But,
another variable is needed in the code for device address.  

Any takers?   

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net] 
Sent: Thursday, April 02, 2009 12:14 PM
To: Schmidt, Daniel
Cc: john heasley; Lance Vermilion; tac_plus at shrubbery.net
Subject: Re: [tac_plus] Re: Query

Thu, Apr 02, 2009 at 08:56:43AM -0600, Schmidt, Daniel:
> Thank you for your reply and for your time. 
> 
> I found something like this that Ben Kennedy had tried (and failed) in
> 2007.  Attempting to use/modify/change this simple bash script was of
> no use - I could not make it work, I could not so much as login.  The
> exit values look correct and it echoes to stdout.  Can anybody see
> something wrong?

first, you MUST drain stdin, even if you do not want to use the data.
second, the output is AV pairs only.  this script is producing
tacplus.conf like output.

while read -r avp; do
  :
done
echo avp=bar
exit 2

> 
> Here is an example of the config file:
> user = test {
>   after authorization "/etc/tac-plus/authen $user $address"
> }
> 
> Example of script:
> #!/bin/sh
> 
> if [ "$1" = 'test' ]
> then
>   if [ "$2" = 'X.X.X.X' ] #ip of switch
>   then
>      echo default service=permit
>      echo login=cleartext XXX
>      echo service=exec
>      echo {
>        echo priv-lvl=15
>      echo
>      echo cmd=arp
>      echo {
>      echo permit timeout
>      echo }
>      echo cmd=no
>      echo {
>      echo permit arp
>      echo }
>      echo cmd=show
>      echo {
>      echo permit run
>      echo permit start
>      echo }
>      echo cmd=configure
>      echo {
>      echo permit terminal
>      echo permit interface
>      echo deny .*
>      echo }
>    exit 2
>   fi
> fi
> exit 1
> 
> -----Original Message-----
> From: john heasley [mailto:heas at shrubbery.net] 
> Sent: Wednesday, April 01, 2009 4:23 PM
> To: Schmidt, Daniel
> Cc: john heasley; Lance Vermilion; tac_plus at shrubbery.net
> Subject: Re: [tac_plus] Re: Query
> 
> Tue, Mar 31, 2009 at 03:44:01PM -0600, Schmidt, Daniel:
> > I've never been able to make it work... if anybody has a working
> > example they could provide, that would be greatly appreciated.
> 
> you read all the AVPs on stdin
> then write the appropriate AVPs on stdout
> and/or finally exit with the appropriate exit code
> 
> there shouldn't be any voodoo.  it's not something i do or test on a
> regular basis.  i suppose the daemon's handling could be broken, but
> doubt it.
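A hook of the shape heasley describes above, as an added example that is not code from the thread or from tac_plus itself: it drains stdin, prints only AV pairs, and refuses sessions whose remote user location ($address) falls in a blocked range, which is the forbidden-IP-range idea from Daniel's message. The exit statuses copy the thread's usage (2 to permit with the printed pairs, 1 to deny; their meaning is assumed from the thread), and the script path, address range, user names and privilege levels are constructed.

```sh
#!/bin/sh
# Added example, not code from the thread or from tac_plus itself.
# tac_plus.conf would call it as (path assumed):
#   after authorization "/usr/local/sbin/authz.sh $user $address"
# Exit status follows the thread's usage (assumed: 2 = permit with the
# printed AV pairs, 1 = deny). Ranges, users, privileges are constructed.
# Remote user locations ($address) that may not log in: constructed
# policy, TEST-NET-1 as a /24 prefix. Returns 0 on a match.
addr_denied() {
    case "$1" in
        192.0.2.*) return 0 ;;
        *)         return 1 ;;
    esac
}
# Privilege level for a user (constructed role table).
priv_for_user() {
    case "$1" in
        admin) echo 15 ;;
        *)     echo 1  ;;
    esac
}
# Usage: authz_decide USER ADDRESS, with tac_plus's AV pairs on stdin.
authz_decide() {
    user=$1; addr=$2; service=""
    # Drain stdin fully even though most pairs are ignored (heasley's
    # first point); the last line may arrive without a newline.
    while IFS= read -r avp || [ -n "$avp" ]; do
        case "$avp" in
            service=*) service=${avp#service=} ;;
        esac
    done
    # Deny sessions from a blocked location: print nothing, exit 1.
    if addr_denied "$addr"; then
        return 1
    fi
    # Permit: bare AV pairs only, no braces or tac_plus.conf syntax
    # (his second point), then exit 2 so tac_plus applies these pairs.
    if [ -n "$service" ]; then
        echo "service=$service"
    fi
    echo "priv-lvl=$(priv_for_user "$user")"
    return 2
}
# When tac_plus runs the script the user and address are arguments.
if [ "$#" -ge 2 ]; then
    authz_decide "$1" "$2"
    exit $?
fi
```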

