From asaykao at gmail.com Tue Dec 1 22:53:27 2009
From: asaykao at gmail.com (Andy Saykao)
Date: Wed, 2 Dec 2009 09:53:27 +1100
Subject: [tac_plus] Re: Installing tac_plus as a different user other than root??
In-Reply-To: <4B134098.5090501@gmail.com>
References: <964ee8e00911241845s62354b87w462c4ae0314ed646@mail.gmail.com>
	<200911250843.30183.alan.mckinnon@gmail.com>
	<964ee8e00911261734j19c698bfx5096da6e9a0ec787@mail.gmail.com>
	<200911271037.30123.alan.mckinnon@gmail.com>
	<964ee8e00911291335w645afeaw38a6cee6faaa1b5d@mail.gmail.com>
	<4B12EE4C.1070102@gmail.com>
	<964ee8e00911291414w4cc31bcdxe313cad193f57f8f@mail.gmail.com>
	<4B134098.5090501@gmail.com>
Message-ID: <964ee8e00912011453q2dc222a4t9ee3e234d89002e8@mail.gmail.com>

Hi Adam,

I've read your post on getting PAM working under RHEL but have a few more
questions about it.

http://www.shrubbery.net/pipermail/tac_plus/2009-May/000435.html

For those on Ubuntu I had to install libpam0g-dev first and ./configure
again so PAM was detected.

# apt-get install libpam0g-dev

1/ How does the tac_plus daemon know to look for the PAM authentication
in /etc/pam.d/tac_plus? I created the tac_plus file but I notice that
when I deleted it and restarted the tac_plus daemon, PAM auth still
works with or without it. Not sure if the PAM auth just defaults to
using the common-* files in /etc/pam.d/ if it doesn't find the tac_plus
file in there.

2/ The tac_plus user guide says that PAM doesn't work if the tac_plus
daemon is started as a non-root user (which is how I am running the
daemon). So once again to get around this I had to configure the daemon
to use the shadow GID.

"Be aware that when the tac_plus daemon runs as a non-root user (as is the
default in FreeBSD /usr/ports), it will not be able to authenticate using
the pam_unix.so module. This is because the system function getpwnam()
called by pam_unix.so requires root privileges to retrieve the password to
validate from the /etc/master.passwd or /etc/shadow file. The symptom will
be that for each authentication that is attempted, the password will appear
to be wrong whether it was typed correctly or not."

Cheers.

Andy

On Mon, Nov 30, 2009 at 2:48 PM, adam wrote:
> Andy Saykao wrote:
>
>> Hi Adam,
>>
>> I came across that post but it was for RHEL so I just skimmed through it
>> bc I'm working on a Ubuntu box. I really just want to use the users in
>> /etc/passwd for now (maybe LDAP further down the track) - nevertheless thank
>> you for your suggestion.
>>
>> So my question is that if I just want to authenticate against /etc/passwd,
>> is it worth me reading up more about PAM and try to get this going or do I
>> just compile it using the GID of the shadow group as per this guide.
>>
>> http://www.billyguthrie.com:8081/billyguthrie.com/projects/test/various-cisco-howtos-documents-and-notes/cisco-and-tacacs
>>
>> Thanks.
>>
>> Andy
>>
>> For Number 2, these instructions use pam_ldap for tac_plus as an
>> example, but you can configure the pam stack for tac_plus to be
>> whatever suits you.
>>
>> Instructions for RHEL5:
>>
>> 1. install the pam-devel package from your repository
>>
>> 2. compile the source for tacacs+, making sure that -lpam was
>> discovered in the configure script
>>
>> 3. define users in the conf file as such:
>>
>> user = {
>>     login = PAM
>> }
>>
>> 4. Place a pam stack configuration in /etc/pam.d/tac_plus that has
>> whatever mechanisms you require for authentication (see below)
>>
>> 5. celebrate
>>
>> The pam stack I use looks like this:
>>
>> #cat /etc/pam.d/tac_plus:
>>
>> #%PAM-1.0
>> auth       include      system-auth
>> account    required     pam_nologin.so
>> account    include      system-auth
>> password   include      system-auth
>> session    optional     pam_keyinit.so force revoke
>> session    include      system-auth
>> session    required     pam_loginuid.so
>>
>> It's not very obvious in that file, but I include system-auth, which
>> looks like this:
>>
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth        required      pam_env.so
>> auth        sufficient    pam_unix.so nullok try_first_pass
>> auth        requisite     pam_succeed_if.so uid >= 500 quiet
>> auth        sufficient    pam_ldap.so use_first_pass
>> auth        required      pam_deny.so
>>
>> account     required      pam_unix.so broken_shadow
>> account     sufficient    pam_localuser.so
>> account     sufficient    pam_succeed_if.so uid < 500 quiet
>> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
>> account     required      pam_permit.so
>>
>> password    requisite     pam_cracklib.so try_first_pass retry=3
>> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
>> password    sufficient    pam_ldap.so use_authtok
>> password    required      pam_deny.so
>>
>> session     optional      pam_keyinit.so revoke
>> session     required      pam_limits.so
>> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>> session     required      pam_unix.so
>> session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0077
>> session     optional      pam_ldap.so
>>
>> So, in this manner, tacacs+, talking to PAM, and using pam_ldap, can
>> authenticate a user with ldap-based credentials. Of course, you can
>> use whatever you like in terms of pam modules.
>>
>> Thanks,
>>
>> Adam
>>
> These instructions for RHEL should work 95% for ubuntu. Note that the
> pam_unix module in use in the system-auth file is /etc/passwd and
> /etc/shadow...so using pam_unix in your tac_plus pam conf should be
> sufficient. As I recall, while RHEL uses a single system-auth, debian and
> ubuntu use system auth broken out into common-auth common-password
> common-account, and common-session in the pam.d directory. You'll need to
> translate the pam conf files for ubuntu, but the compilation and
> configuration of tac_plus should remain the same.
>
> Adam
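The two questions in the message above (how tac_plus ends up reading /etc/pam.d/tac_plus, and why pam_unix.so fails for a daemon that cannot read /etc/shadow) can be made concrete with a small model of Linux-PAM's service lookup and control-flag evaluation. This is an added example, not code from tac_plus, Linux-PAM or any poster in this thread. It replaces /etc/pam.d with a dict of constructed file contents (a pam_deny stack for tac_plus, a Debian/Ubuntu-style `other` that @includes common-auth) and stands in for real modules with a constructed `module_result()` function; the treatment of an empty auth stack as a denial is an assumption.

```python
"""Model of how a PAM-aware daemon such as tac_plus selects and runs its stack.

Added example, not code from tac_plus or Linux-PAM. /etc/pam.d is replaced by
a dict of constructed files and module behaviour by a constructed function.
"""

# Constructed stand-ins for /etc/pam.d/* (modelled on the files in the thread).
PAM_D = {
    "tac_plus": (
        "#%PAM-1.0\n"
        "auth     required pam_deny.so\n"
        "auth     required pam_warn.so\n"
    ),
    "other": (
        "# fallback used for any service without its own file\n"
        "@include common-auth\n"
    ),
    "common-auth": (
        "auth [success=1 default=ignore] pam_unix.so nullok_secure\n"
        "auth requisite pam_deny.so\n"
        "auth required  pam_permit.so\n"
    ),
}

# The classic control keywords, written as the [result=action] maps Linux-PAM uses.
KEYWORDS = {
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}


def resolve_service(files, service):
    """pam_start(service, ...) reads /etc/pam.d/<service>, or /etc/pam.d/other if absent."""
    return service if service in files else "other"


def parse_control(tokens):
    """Return (action map, remaining tokens) for a keyword or a [k=v ...] control."""
    if not tokens[0].startswith("["):
        return dict(KEYWORDS[tokens[0]]), tokens[1:]
    end = next(i for i, t in enumerate(tokens) if t.endswith("]"))
    body = " ".join(tokens[:end + 1]).strip("[]")
    return dict(p.split("=", 1) for p in body.split()), tokens[end + 1:]


def load_stack(files, name, group, depth=0):
    """Flatten one management group (auth, account, ...) of a file, following @include."""
    if depth > 8:
        raise ValueError("@include nesting too deep in " + name)
    stack = []
    for raw in files[name].splitlines():
        line = raw.split("#", 1)[0].strip()      # '#%PAM-1.0' and comments drop out here
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "@include":
            stack.extend(load_stack(files, tokens[1], group, depth + 1))
        elif tokens[0] == group:
            actions, rest = parse_control(tokens[1:])
            stack.append((actions, rest[0], rest[1:]))
    return stack


def run_stack(stack, outcome):
    """Apply control semantics; outcome(module, args) -> 'success' | 'auth_err' | 'ignore'."""
    failed, i = False, 0
    while i < len(stack):
        actions, module, args = stack[i]
        retval = outcome(module, args)
        action = actions.get(retval, actions.get("default", "bad"))
        i += 1
        if action == "bad":          # remember the failure but keep calling modules
            failed = True
        elif action == "die":        # stop immediately with a failure
            return False
        elif action == "done":       # stop immediately; an earlier 'bad' still wins
            return not failed
        elif action != "ignore":     # 'ok', or a jump N that also skips the next N modules
            if action.isdigit():
                i += int(action)
            failed = failed or retval != "success"
    return not failed


def module_result(module, args, password_ok=True, shadow_readable=True):
    """Constructed behaviour for the few modules the sample files reference."""
    if module == "pam_deny.so":
        return "auth_err"
    if module == "pam_permit.so":
        return "success"
    if module == "pam_unix.so":
        # Without read access to /etc/shadow the hash cannot be compared, so a
        # correct password fails exactly like a wrong one (the symptom in the thread).
        return "success" if shadow_readable and password_ok else "auth_err"
    return "ignore"                  # pam_warn.so only logs and returns PAM_IGNORE


def authenticate(files, service, outcome):
    """True when the auth stack PAM would run for `service` accepts the login."""
    stack = load_stack(files, resolve_service(files, service), "auth")
    if not stack:
        return False                 # assumption: an empty auth stack is a denial
    return run_stack(stack, outcome)


if __name__ == "__main__":
    no_service_file = {k: v for k, v in PAM_D.items() if k != "tac_plus"}
    print(authenticate(PAM_D, "tac_plus", module_result))            # deny stack -> False
    print(authenticate(no_service_file, "tac_plus", module_result))  # via 'other' -> True
    print(authenticate(no_service_file, "tac_plus",
                       lambda m, a: module_result(m, a, shadow_readable=False)))
```

Deleting the `tac_plus` entry from `PAM_D` reproduces what was observed on Ubuntu: the lookup falls through to `other`, whose `@include common-auth` brings in pam_unix.so, so logins keep working. Running the same stack with `shadow_readable=False` reproduces the user-guide warning: every password is rejected, which is why the daemon needs the shadow group's GID (or root) for pam_unix.so to be usable.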
From prozaconstilts at gmail.com Wed Dec 2 00:22:24 2009
From: prozaconstilts at gmail.com (adam)
Date: Tue, 01 Dec 2009 19:22:24 -0500
Subject: [tac_plus] Re: Installing tac_plus as a different user other than root??
In-Reply-To: <964ee8e00912011453q2dc222a4t9ee3e234d89002e8@mail.gmail.com>
References: <964ee8e00911241845s62354b87w462c4ae0314ed646@mail.gmail.com>
	<200911250843.30183.alan.mckinnon@gmail.com>
	<964ee8e00911261734j19c698bfx5096da6e9a0ec787@mail.gmail.com>
	<200911271037.30123.alan.mckinnon@gmail.com>
	<964ee8e00911291335w645afeaw38a6cee6faaa1b5d@mail.gmail.com>
	<4B12EE4C.1070102@gmail.com>
	<964ee8e00911291414w4cc31bcdxe313cad193f57f8f@mail.gmail.com>
	<4B134098.5090501@gmail.com>
	<964ee8e00912011453q2dc222a4t9ee3e234d89002e8@mail.gmail.com>
Message-ID: <4B15B340.8070906@gmail.com>

Andy Saykao wrote:
> Hi Adam,
>
> I've read your post on getting PAM working under RHEL but have a few
> more questions about it.
>
> http://www.shrubbery.net/pipermail/tac_plus/2009-May/000435.html
>
> For those on Ubuntu I had to install libpam0g-dev first and ./configure
> again so PAM was detected.
>
> # apt-get install libpam0g-dev
>
> 1/ How does the tac_plus daemon know to look for the PAM authentication
> in /etc/pam.d/tac_plus. I created the tac_plus file but I notice that
> when I deleted it and restarted the tac_plus daemon, PAM auth still
> works with or without it. Not sure if the PAM auth just defaults to
> using the common-* files in /etc/pam.d/ if it doesn't find the tac_plus
> file in there.

tac_plus just makes a C library call to pam_authenticate. For RHEL, this
required a tac_plus file in pam.d. This may not be the case for ubuntu.

> 2/ The tac_plus user guide says that PAM doesn't work if the tac_plus
> daemon is started as a non-root user (which is how I am running the
> daemon). So once again to get around this I had to configure the daemon
> to use the shadow GID.

poop. I should have read and known about that. You could make the jump and
go straight to your LDAP solution. Sorry if that caused you to waste your
time :(

> "Be aware that when the tac_plus daemon runs as a non-root user (as is the
> default in FreeBSD /usr/ports), it will not be able to authenticate using
> the pam_unix.so module. This is because the system function getpwnam()
> called by pam_unix.so requires root privileges to retrieve the password to
> validate from the /etc/master.passwd or /etc/shadow file. The symptom will
> be that for each authentication that is attempted, the password will appear
> to be wrong whether it was typed correctly or not."
>
> Cheers.
>
> Andy

From asaykao at gmail.com Wed Dec 2 00:45:46 2009
From: asaykao at gmail.com (Andy Saykao)
Date: Wed, 2 Dec 2009 11:45:46 +1100
Subject: [tac_plus] Re: Installing tac_plus as a different user other than root??
In-Reply-To: <4B15B340.8070906@gmail.com>
References: <964ee8e00911241845s62354b87w462c4ae0314ed646@mail.gmail.com>
	<200911250843.30183.alan.mckinnon@gmail.com>
	<964ee8e00911261734j19c698bfx5096da6e9a0ec787@mail.gmail.com>
	<200911271037.30123.alan.mckinnon@gmail.com>
	<964ee8e00911291335w645afeaw38a6cee6faaa1b5d@mail.gmail.com>
	<4B12EE4C.1070102@gmail.com>
	<964ee8e00911291414w4cc31bcdxe313cad193f57f8f@mail.gmail.com>
	<4B134098.5090501@gmail.com>
	<964ee8e00912011453q2dc222a4t9ee3e234d89002e8@mail.gmail.com>
	<4B15B340.8070906@gmail.com>
Message-ID: <964ee8e00912011645n274cddag8f673009f8055685@mail.gmail.com>

Hi Adam,

On Ubuntu, PAM auth looks for /etc/pam.d/tac_plus. To test this I used the
below code in the tac_plus file and was unable to logon as per the pam_deny
modules.
-------------------------------------------------------------------------------------------------------
#%PAM-1.0
#(The above "magic" header is optional)
# The modules for defaulting services as defined
# in "/etc/pam.d/other" this configuration is
# accepted by Linux-PAM-0.56 and higher.
#
auth     required pam_deny.so
auth     required pam_warn.so
account  required pam_deny.so
session  required pam_deny.so
password required pam_warn.so
password required pam_deny.so
# end of file.
-------------------------------------------------------------------------------------------------------

On the cisco device, I'm not even prompted for the password:

User Access Verification

Username: user1
% Authentication failed

Logs showing me being denied access:

pam_verify user1 Password is incorrect
login query for 'user1' tty2 from 203.17.101.x rejected
login failure: user1 203.17.101.x (203.17.101.x) tty2

-------------------------------------------------------------------------------------------------------

I found out that there's a fallback for PAM auth which uses /etc/pam.d/other
- so without any /etc/pam.d/tac_plus present, it just defaults to using
/etc/pam.d/other.

-------------------------------------------------------------------------------------------------------
# /etc/pam.d/other - specify the PAM fallback behaviour
#
# Note that this file is used for any unspecified service; for example
#if /etc/pam.d/cron specifies no session modules but cron calls
#pam_open_session, the session module out of /etc/pam.d/other is
#used. If you really want nothing to happen then use pam_permit.so or
#pam_deny.so as appropriate.

# We fall back to the system default in /etc/pam.d/common-*
#

@include common-auth
@include common-account
@include common-password
@include common-session
-------------------------------------------------------------------------------------------------------

I'm not an expert on PAM so hope that helps some other people trying to get
PAM working with tac_plus.

A good read on PAM is here:

http://www.linuxjournal.com/article/2120

Cheers.

Andy

On Wed, Dec 2, 2009 at 11:22 AM, adam wrote:
> Andy Saykao wrote:
>
>> Hi Adam,
>>
>> I've read your post on getting PAM working under RHEL but have a few more
>> questions about it.
>>
>> http://www.shrubbery.net/pipermail/tac_plus/2009-May/000435.html
>>
>> For those on Ubuntu I had to install libpam0g-dev first and ./configure
>> again so PAM was detected.
>>
>> # apt-get install libpam0g-dev
>>
>> 1/ How does the tac_plus daemon know to look for the PAM authentication in
>> /etc/pam.d/tac_plus. I created the tac_plus file but I notice that when I
>> deleted it and restarted the tac_plus daemon, PAM auth still works with or
>> without it. Not sure if the PAM auth just defaults to using the common-*
>> files in /etc/pam.d/ if it doesn't find the tac_plus file in there.
>>
>
> tac_plus just makes a C library call to pam_authenticate. For RHEL, this
> required a tac_plus file in pam.d. This may not be the case for ubuntu.
>
>> 2/ The tac_plus user guide says that PAM doesn't work if the tac_plus
>> daemon is started as a non-root user (which is how I am running the daemon).
>> So once again to get around this I had to configure the daemon to use the
>> shadow GID.
>>
>
> poop. I should have read and known about that. You could make the jump and
> go straight to your LDAP solution. Sorry if that caused you to waste your
> time :(
>
>> "Be aware that when the tac_plus daemon runs as a non-root user (as is the
>> default in FreeBSD /usr/ports), it will not be able to authenticate using
>> the pam_unix.so module. This is because the system function getpwnam()
>> called by pam_unix.so requires root privileges to retrieve the password to
>> validate from the /etc/master.passwd or /etc/shadow file. The symptom will
>> be that for each authentication that is attempted, the password will appear
>> to be wrong whether it was typed correctly or not."
>>
>> Cheers.
>>
>> Andy
>>

From asaykao at gmail.com Wed Dec 2 03:12:40 2009
From: asaykao at gmail.com (Andy Saykao)
Date: Wed, 2 Dec 2009 14:12:40 +1100
Subject: [tac_plus] Re: Can you log ping and traceroute commands?
In-Reply-To: <20091127061909.GK22013@shrubbery.net>
References: <964ee8e00911251645x3befbfb7ie798f93ff7138d2f@mail.gmail.com>
	<20091127061909.GK22013@shrubbery.net>
Message-ID: <964ee8e00912011912u5e1ff3c2mea73cc463c831737@mail.gmail.com>

Hi All,

Turns out IOS wasn't broken after all. It appears that IOS sees a ping
command as a priv-lvl 3 command and I didn't have priv-lvl 3 configured for
accounting.

aaa accounting commands 3 default start-stop group tacacs+

A 'debug aaa accounting' helped me figure out that ping command is a
priv-lvl 3 command.

Dec 2 13:56:29 AEDT: AAA/MEMORY: create_user (0x66146308) user='user1' ruser='myrouter' ds0=0 port='tty2' rem_addr='210.15.210.x' authen_type=ASCII service=NONE priv=3 initial_task_id='0', vrf= (id=0)

Once I added priv-lvl 3 commands to aaa accounting, it showed up in the logs
now.

Wed Dec 2 13:55:58 2009 203.17.101.y user1 tty2 210.15.210.x stop task_id=42 timezone=AEDT service=shell start_time=1259722589 priv-lvl=3 cmd=ping 210.15.254.x

Just a caveat with this, ping is priv-lvl3 on the two IOS I tested, but
traceroute showed up as priv-lvl3 using 122-31.SB13 and priv-lvl15 using
124-24.T1. That's Cisco for you with their priv-lvl's...

Glad to finally get to the bottom of this.

Cheers.

Andy

On Fri, Nov 27, 2009 at 5:19 PM, john heasley wrote:
> Thu, Nov 26, 2009 at 11:45:07AM +1100, Andy Saykao:
> > Hi All,
> >
> > I've set up a hdtest user that can run privilege commands by using
> > privilege-level 3 and going into "enable 3". Whilst the user can run the
> > privilege commands like ping and traceroute, I am not seeing these
> > commands appear in the accounting logs for this user.
> >
> > It looks like the command 'ping' does not appear anywhere in the log even
> > when I use a privilege-level 15 user, so I can only assume that this is
> > the desired behaviour. But with traceroute, I see it appearing in the logs
> > for a privilege-level 15 user but not for a privilege-level 3 user? Any
> > ideas why this is so or how to see it in the log for a privilege-level 3
> > user?
>
> that'd seem a clear indication that your ios is broken.

From mddeath at gwu.edu Wed Dec 2 15:22:11 2009
From: mddeath at gwu.edu (Matthew Deatherage)
Date: Wed, 02 Dec 2009 10:22:11 -0500
Subject: [tac_plus] feature request
Message-ID: <4B168623.1070502@gwu.edu>

It would be very helpful if your TACACS+ daemon also included Devrim
Seral's time limiting feature.

http://www.gazi.edu.tr/tacacs/docs/tac_plus.v8.txt

Thank you

--
Matthew Deatherage
Sr. Info Sys Engineer
The George Washington University
202.994.6421
mddeath at gwu.edu

From dan.schmidt at uplinkdata.com Wed Dec 2 15:48:31 2009
From: dan.schmidt at uplinkdata.com (Schmidt, Daniel)
Date: Wed, 2 Dec 2009 08:48:31 -0700
Subject: [tac_plus] Re: Can you log ping and traceroute commands?
In-Reply-To: <964ee8e00912011912u5e1ff3c2mea73cc463c831737@mail.gmail.com>
References: <964ee8e00911251645x3befbfb7ie798f93ff7138d2f@mail.gmail.com>
	<20091127061909.GK22013@shrubbery.net>
	<964ee8e00912011912u5e1ff3c2mea73cc463c831737@mail.gmail.com>
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BCC74AD3@che-exch-003.uplinkdata.com>

That should not be, Cisco only uses 0,1 and 15 by default. You have not
done any privilege exec level commands?
-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Andy Saykao
Sent: Tuesday, December 01, 2009 8:13 PM
To: john heasley
Cc: tac_plus at shrubbery.net
Subject: [tac_plus] Re: Can you log ping and traceroute commands?

Hi All,

Turns out IOS wasn't broken after all. It appears that IOS sees a ping
command as a priv-lvl 3 command and I didn't have priv-lvl 3 configured for
accounting.

aaa accounting commands 3 default start-stop group tacacs+

A 'debug aaa accounting' helped me figure out that ping command is a
priv-lvl 3 command.

Dec 2 13:56:29 AEDT: AAA/MEMORY: create_user (0x66146308) user='user1' ruser='myrouter' ds0=0 port='tty2' rem_addr='210.15.210.x' authen_type=ASCII service=NONE priv=3 initial_task_id='0', vrf= (id=0)

Once I added priv-lvl 3 commands to aaa accounting, it showed up in the logs
now.

Wed Dec 2 13:55:58 2009 203.17.101.y user1 tty2 210.15.210.x stop task_id=42 timezone=AEDT service=shell start_time=1259722589 priv-lvl=3 cmd=ping 210.15.254.x

Just a caveat with this, ping is priv-lvl3 on the two IOS I tested, but
traceroute showed up as priv-lvl3 using 122-31.SB13 and priv-lvl15 using
124-24.T1. That's Cisco for you with their priv-lvl's...

Glad to finally get to the bottom of this.

Cheers.

Andy

On Fri, Nov 27, 2009 at 5:19 PM, john heasley wrote:
> Thu, Nov 26, 2009 at 11:45:07AM +1100, Andy Saykao:
> > Hi All,
> >
> > I've set up a hdtest user that can run privilege commands by using
> > privilege-level 3 and going into "enable 3". Whilst the user can run the
> > privilege commands like ping and traceroute, I am not seeing these
> > commands appear in the accounting logs for this user.
> >
> > It looks like the command 'ping' does not appear anywhere in the log even
> > when I use a privilege-level 15 user, so I can only assume that this is
> > the desired behaviour. But with traceroute, I see it appearing in the logs
> > for a privilege-level 15 user but not for a privilege-level 3 user? Any
> > ideas why this is so or how to see it in the log for a privilege-level 3
> > user?
>
> that'd seem a clear indication that your ios is broken.

_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

From heas at shrubbery.net Wed Dec 2 18:55:42 2009
From: heas at shrubbery.net (john heasley)
Date: Wed, 2 Dec 2009 10:55:42 -0800
Subject: [tac_plus] Re: Can you log ping and traceroute commands?
In-Reply-To: <05CC562AFB5A9446A1BC3F66AD04A3BCC74AD3@che-exch-003.uplinkdata.com>
References: <964ee8e00911251645x3befbfb7ie798f93ff7138d2f@mail.gmail.com>
	<20091127061909.GK22013@shrubbery.net>
	<964ee8e00912011912u5e1ff3c2mea73cc463c831737@mail.gmail.com>
	<05CC562AFB5A9446A1BC3F66AD04A3BCC74AD3@che-exch-003.uplinkdata.com>
Message-ID: <20091202185542.GG18370@shrubbery.net>

Wed, Dec 02, 2009 at 08:48:31AM -0700, Schmidt, Daniel:
> That should not be, Cisco only uses 0,1 and 15 by default. You have not
> done any privilege exec level commands?

expecting consistency here is foolish, and we know you're not foolish.

From asaykao at gmail.com Wed Dec 2 22:17:33 2009
From: asaykao at gmail.com (Andy Saykao)
Date: Thu, 3 Dec 2009 09:17:33 +1100
Subject: [tac_plus] Re: Can you log ping and traceroute commands?
In-Reply-To: <05CC562AFB5A9446A1BC3F66AD04A3BCC74AD3@che-exch-003.uplinkdata.com>
References: <964ee8e00911251645x3befbfb7ie798f93ff7138d2f@mail.gmail.com>
	<20091127061909.GK22013@shrubbery.net>
	<964ee8e00912011912u5e1ff3c2mea73cc463c831737@mail.gmail.com>
	<05CC562AFB5A9446A1BC3F66AD04A3BCC74AD3@che-exch-003.uplinkdata.com>
Message-ID: <964ee8e00912021417p126a539bx80e3ab5806565daf@mail.gmail.com>

Thanks to John and Daniel...

Daniel - you're right on the money. I did have ping defined as a priv-lvl 3
command on the router.

privilege exec level 3 ping ip
privilege exec level 3 ping

Note that if I do not configure "privilege exec level 3 ping ip" it appears
as a priv-lvl1 command.

Thu Dec 3 09:12:08 2009 203.17.101.x hdtest tty3 210.15.210.y stop task_id=108 timezone=AEDT service=shell start_time=1259791962 priv-lvl=1 cmd=ping 210.15.254.x

Same deal with traceroute. If you want to see the traceroute appear as
something other than a priv-lvl1 command, you need both traceroute and
traceroute ip configured.

Therefore, I will withdraw everything said about the caveats in my earlier
post; however, be aware that Cisco does place their ping command in
different privilege levels depending on the IOS and/or hardware platform
you're running. For example on 124-24.T1 and 122-31.SB14, ping defaults to
a priv-lvl 1 command but on the newer ASR which we're running 122-33.XNB3,
I have to enable into a higher privilege level to run the ping command (it
does not default to a priv-lvl1 command).

Cheers.

Andy

On Thu, Dec 3, 2009 at 2:48 AM, Schmidt, Daniel wrote:
> That should not be, Cisco only uses 0,1 and 15 by default. You have not
> done any privilege exec level commands?
>
> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net
> [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Andy Saykao
> Sent: Tuesday, December 01, 2009 8:13 PM
> To: john heasley
> Cc: tac_plus at shrubbery.net
> Subject: [tac_plus] Re: Can you log ping and traceroute commands?
>
> Hi All,
>
> Turns out IOS wasn't broken after all. It appears that IOS sees a ping
> command as a priv-lvl 3 command and I didn't have priv-lvl 3 configured
> for accounting.
>
> aa accounting commands 3 default start-stop group tacacs+
>
> A 'debug aaa accounting' helped me figure out that ping command is a
> priv-lvl 3 command.
>
> Dec 2 13:56:29 AEDT: AAA/MEMORY: create_user (0x66146308) user='user1'
> ruser='myrouter' ds0=0 port='tty2' rem_addr='210.15.210.x'
> authen_type=ASCII service=NONE priv=3 initial_task_id='0', vrf= (id=0)
>
> Once I added priv-lvl 3 commands to aaa accounting, it showed up in the
> logs now.
>
> Wed Dec 2 13:55:58 2009 203.17.101.y user1 tty2 210.15.210.x
> stop task_id=42 timezone=AEDT service=shell
> start_time=1259722589 priv-lvl=3 cmd=ping 210.15.254.x
>
> Just a caveat with this, ping is priv-lvl3 on the two IOS I tested, but
> traceroute showed up as priv-lvl3 using 122-31.SB13 and priv-lvl15
> using 124-24.T1. That's Cisco for you with their priv-lvl's...
>
> Glad to finally get to the bottom of this.
>
> Cheers.
>
> Andy
>
> On Fri, Nov 27, 2009 at 5:19 PM, john heasley wrote:
>
> > Thu, Nov 26, 2009 at 11:45:07AM +1100, Andy Saykao:
> > > Hi All,
> > >
> > > I've set up a hdtest user that can run privilege commands by using
> > > privilege-level 3 and going into "enable 3". Whilst the user can run
> > > the privilege commands like ping and traceroute, I am not seeing these
> > > commands appear in the accounting logs for this user.
> > >
> > > It looks like the command 'ping' does not appear anywhere in the log
> > > even when I use a privilege-level 15 user, so I can only assume that
> > > this is the desired behaviour. But with traceroute, I see it appearing
> > > in the logs for a privilege-level 15 user but not for a privilege-level
> > > 3 user? Any ideas why this is so or how to see it in the log for a
> > > privilege-level 3 user?
> >
> > that'd seem a clear indication that your ios is broken.

From dan.schmidt at uplinkdata.com Wed Dec 2 21:07:19 2009
From: dan.schmidt at uplinkdata.com (Schmidt, Daniel)
Date: Wed, 2 Dec 2009 14:07:19 -0700
Subject: [tac_plus] Re: Can you log ping and traceroute commands?
In-Reply-To: <20091202185542.GG18370@shrubbery.net>
References: <964ee8e00911251645x3befbfb7ie798f93ff7138d2f@mail.gmail.com>
	<20091127061909.GK22013@shrubbery.net>
	<964ee8e00912011912u5e1ff3c2mea73cc463c831737@mail.gmail.com>
	<05CC562AFB5A9446A1BC3F66AD04A3BCC74AD3@che-exch-003.uplinkdata.com>
	<20091202185542.GG18370@shrubbery.net>
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BCC74AE5@che-exch-003.uplinkdata.com>

Indeed. One would think I would have learned my lesson from IOSXR, Pix, or
perhaps from expecting tac_plus to give the same output to an
authentication script that it would supply to the log. ;-)

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Wednesday, December 02, 2009 11:56 AM
To: Schmidt, Daniel
Cc: Andy Saykao; tac_plus at shrubbery.net
Subject: Re: [tac_plus] Re: Can you log ping and traceroute commands?

Wed, Dec 02, 2009 at 08:48:31AM -0700, Schmidt, Daniel:
> That should not be, Cisco only uses 0,1 and 15 by default. You have not
> done any privilege exec level commands?

expecting consistency here is foolish, and we know you're not foolish.
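The accounting thread above turns on two facts: IOS only sends a command accounting record when an `aaa accounting commands <level>` statement exists for the privilege level it assigns to that command, and `privilege exec level N ...` moves commands between levels, so a command can silently drop out of the log. The following added example (not code from tac_plus, Cisco or any poster) parses constructed accounting records shaped like the ones quoted in the thread and a constructed IOS configuration fragment, and reports privilege levels that have commands assigned but no accounting statement. The field layout (ctime timestamp, NAS, user, port, remote address, start/stop flag, then attribute=value pairs with cmd= last) and all sample values are assumptions modelled on the quoted lines.

```python
"""Audit tac_plus accounting coverage against IOS privilege-level configuration.

Added example, not tac_plus project code. Record layout follows the accounting
lines quoted in this thread; sample log and config below are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed records modelled on the log lines in the thread (addresses masked).
SAMPLE_LOG = """\
Wed Dec  2 13:55:58 2009 203.17.101.y user1 tty2 210.15.210.x stop task_id=42 timezone=AEDT service=shell start_time=1259722589 priv-lvl=3 cmd=ping 210.15.254.x
Thu Dec  3 09:12:08 2009 203.17.101.x hdtest tty3 210.15.210.y stop task_id=108 timezone=AEDT service=shell start_time=1259791962 priv-lvl=1 cmd=ping 210.15.254.x
Thu Dec  3 09:14:21 2009 203.17.101.x hdtest tty3 210.15.210.y stop task_id=109 timezone=AEDT service=shell start_time=1259792051 priv-lvl=15 cmd=traceroute 210.15.254.x
"""

# Constructed IOS fragment: accounting for levels 1 and 15 only, while ping and
# traceroute have been moved to levels 3 and 7 with 'privilege exec level'.
SAMPLE_CONFIG = """\
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
privilege exec level 3 ping ip
privilege exec level 3 ping
privilege exec level 7 traceroute ip
privilege exec level 7 traceroute
"""

STAMP_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\s+(.*)$")
# key=value pairs; a value runs until the next " key=", so "cmd=ping 1.2.3.4" stays whole.
ATTR_RE = re.compile(r"([\w-]+)=(.*?)(?=\s+[\w-]+=|$)")
ACCT_RE = re.compile(r"^aaa accounting commands (\d+)\b")
PRIV_RE = re.compile(r"^privilege exec level (\d+) (.+)$")


def parse_record(line):
    """Split one accounting line into its fixed fields plus an attrs dict."""
    m = STAMP_RE.match(line.strip())
    if not m:
        raise ValueError("not an accounting record: %r" % line)
    stamp, rest = m.groups()
    tokens = rest.split()
    nas, user, port, rem_addr, flag = tokens[:5]
    attrs = dict(ATTR_RE.findall(" ".join(tokens[5:])))
    return {"time": stamp, "nas": nas, "user": user, "port": port,
            "rem_addr": rem_addr, "flag": flag, "attrs": attrs}


def commands_by_level(log_text):
    """{priv-lvl: Counter(command keyword)} over the stop records in a log."""
    seen = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec["flag"] != "stop" or "cmd" not in rec["attrs"]:
            continue
        level = int(rec["attrs"].get("priv-lvl", 0))
        seen[level][rec["attrs"]["cmd"].split()[0]] += 1
    return dict(seen)


def audit_config(config_text):
    """Return (levels that have accounting, {level: [commands moved there]})."""
    accounted, assigned = set(), defaultdict(list)
    for line in config_text.splitlines():
        line = line.strip()
        acct = ACCT_RE.match(line)
        priv = PRIV_RE.match(line)
        if acct:
            accounted.add(int(acct.group(1)))
        elif priv:
            assigned[int(priv.group(1))].append(priv.group(2))
    return accounted, dict(assigned)


def unaccounted_levels(config_text):
    """Levels holding commands but lacking an 'aaa accounting commands' line:
    commands run at these levels never reach the TACACS+ accounting log."""
    accounted, assigned = audit_config(config_text)
    return sorted(level for level in assigned if level not in accounted)


if __name__ == "__main__":
    for level, cmds in sorted(commands_by_level(SAMPLE_LOG).items()):
        print("priv-lvl %2d: %s" % (level, dict(cmds)))
    print("levels without accounting:", unaccounted_levels(SAMPLE_CONFIG))
```

Against the constructed fragment the audit reports levels 3 and 7; adding the `aaa accounting commands 3 ...` line from the thread clears level 3 and leaves 7, which is the gap that would have hidden traceroute in the same way. Running the log summary after a change is the cheap check that the expected levels are now actually producing records.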
From heas at shrubbery.net Wed Dec 2 23:41:56 2009
From: heas at shrubbery.net (john heasley)
Date: Wed, 2 Dec 2009 15:41:56 -0800
Subject: [tac_plus] Re: Can you log ping and traceroute commands?
In-Reply-To: <05CC562AFB5A9446A1BC3F66AD04A3BCC74AE5@che-exch-003.uplinkdata.com>
References: <964ee8e00911251645x3befbfb7ie798f93ff7138d2f@mail.gmail.com>
	<20091127061909.GK22013@shrubbery.net>
	<964ee8e00912011912u5e1ff3c2mea73cc463c831737@mail.gmail.com>
	<05CC562AFB5A9446A1BC3F66AD04A3BCC74AD3@che-exch-003.uplinkdata.com>
	<20091202185542.GG18370@shrubbery.net>
	<05CC562AFB5A9446A1BC3F66AD04A3BCC74AE5@che-exch-003.uplinkdata.com>
Message-ID: <20091202234156.GG18370@shrubbery.net>

Wed, Dec 02, 2009 at 02:07:19PM -0700, Schmidt, Daniel:
> Indeed. One would think I would have learned my lesson from IOSXR, Pix,
> or perhaps from expecting tac_plus to give the same output to an
> authentication script that it would supply to the log. ;-)

ooh, you bitch. sorry that we disagree on that.

> -----Original Message-----
> From: john heasley [mailto:heas at shrubbery.net]
> Sent: Wednesday, December 02, 2009 11:56 AM
> To: Schmidt, Daniel
> Cc: Andy Saykao; tac_plus at shrubbery.net
> Subject: Re: [tac_plus] Re: Can you log ping and traceroute commands?
>
> Wed, Dec 02, 2009 at 08:48:31AM -0700, Schmidt, Daniel:
> > That should not be, Cisco only uses 0,1 and 15 by default. You have
> > not done any privilege exec level commands?
>
> expecting consistency here is foolish, and we know you're not foolish.

From psy.chaotic1 at gmail.com Thu Dec 3 18:15:42 2009
From: psy.chaotic1 at gmail.com (psy chaotic)
Date: Thu, 3 Dec 2009 19:15:42 +0100
Subject: [tac_plus] problem with conversion of configuration file for old version of TACACS+ to configuration file for current version of TACACS+
Message-ID: <8a1577bf0912031015l3cdbc202xdee1f3d1c8a2b4da@mail.gmail.com>

Hi,

I have this problem. I have a configuration file from an old version of
TACACS+,

"tac_plus-F4.0.3.alpha.8.gts4",

and if I try to use this configuration file in the version "tacacs+-F4.0.4.19"

=> "tac_plus -C my_old_conf_file"

it ends with errors. While testing I found problems in the grammar of the
old configuration file. These are the problematic tokens and keywords (and
their usage in the conf. file):

1) Unrecognised token "authorization" on line ...

authorization = recursive

- in head of configuration file

2) Unrecognised keyword "when" for user on line ...

user = user_name {
    login = des des_string
    when = group group_name {
        member = group1
    }
}

3) Unrecognised keyword "enlist" for user on line ...

group = group_name {
    enlist = host IP1
    enlist = host IP2
}

4) Duplicated value for group1 and group2 on line ... => keyword "member"

user = user_name {
    login = des des_string
    pap = des des_string
    member = group1
    member = group2
}

I didn't create this configuration file; my task is to convert this old
configuration file into a functional configuration file for the current
version "tacacs+-F4.0.4.19". I don't know the functionality of these
(deprecated) keywords/tokens and therefore I don't know how to replace these
tokens for the current version of TACACS+ with the same functionality. I need
any suggestion or at least a link to documentation with a detailed
description of the keywords and tokens in the configuration file for the old
and current versions of TACACS+.
Thanks for any suggestion

Paul

From heas at shrubbery.net Thu Dec 3 20:46:30 2009
From: heas at shrubbery.net (john heasley)
Date: Thu, 3 Dec 2009 12:46:30 -0800
Subject: [tac_plus] Re: problem with conversion of configuration file for old version of TACACS+ to configuration file for current version of TACACS+
In-Reply-To: <8a1577bf0912031015l3cdbc202xdee1f3d1c8a2b4da@mail.gmail.com>
References: <8a1577bf0912031015l3cdbc202xdee1f3d1c8a2b4da@mail.gmail.com>
Message-ID: <20091203204630.GP16944@shrubbery.net>

Thu, Dec 03, 2009 at 07:15:42PM +0100, psy chaotic:
> Hi,
> I have this problem. I have configuration file from old version TACACS+
>
> "tac_plus-F4.0.3.alpha.8.gts4",
>
> if I tried this configuration file use in the version - "tacacs+-F4.0.4.19"
>
> => "tac_plus -C my_old_conf_file"
>
> it ended with the errors. I found at the testing problems in the
> grammar of the old configuration file. These are
> problematic tokens and keywords (and their usage in conf. file):
>
> 1) Unrecognised token "authorization" on line ...
>
> authorization = recursive
>
> - in head of configuration file
>
> 2) Unrecognised keyword "when" for user on line ...
>
> user = user_name {
>     login = des des_string
>     when = group group_name {
>         member = group1
>     }
> }
>
> 3) Unrecognised keyword "enlist" for user on line ...
>
> group = group_name {
>     enlist = host IP1
>     enlist = host IP2
> }
>
> 4) Duplicated value for group1 and group2 on line ... =>
> keyword "member"
>
> user = user_name {
>     login = des des_string
>     pap = des des_string
>     member = group1
>     member = group2
> }

it currently allows only one group membership, but group2 could be a member
of group1. that may be the authorization=recursive bit above. otherwise, i
don't know what those keywords do. you will have to look at the manpage for
the old tacacs to know what the equivalent is in the new.

> I didn't create this configuration file, my task is this old
> configuration file convert
> to functional configuration file for current version
> "tacacs+-F4.0.4.19". I don't
> know functionality of these (deprecated) keywords/tokens and therefore
> I don't know how
> replace these tokens for current version TACACS+ with the same
> functionality. I need any
> suggestion or at least link onto the documentation with detailed
> description keywords and
> tokens from configuration file for old and current version of TACACS+.
> Thanks for any
> suggestion

the tac_plus.conf(5) manpage has a fairly thorough description of the
configuration. let us know if anything is missing.

From heas at shrubbery.net Thu Dec 3 22:08:33 2009
From: heas at shrubbery.net (john heasley)
Date: Thu, 3 Dec 2009 14:08:33 -0800
Subject: [tac_plus] Re: feature request
In-Reply-To: <4B168623.1070502@gwu.edu>
References: <4B168623.1070502@gwu.edu>
Message-ID: <20091203220833.GE16944@shrubbery.net>

Wed, Dec 02, 2009 at 10:22:11AM -0500, Matthew Deatherage:
> It would be very helpful if your TACACS+ daemon also included Devrim
> Seral's time limiting feature.
> http://www.gazi.edu.tr/tacacs/docs/tac_plus.v8.txt

possibly; maybe with slight adjustment to make it like the uucp syntax.
anyway, not until i'm done rewriting the config parsing code.

> Thank you
>
> --
> Matthew Deatherage
> Sr. Info Sys Engineer
> The George Washington University
> 202.994.6421
> mddeath at gwu.edu

From asaykao at gmail.com Fri Dec 4 00:55:16 2009
From: asaykao at gmail.com (Andy Saykao)
Date: Fri, 4 Dec 2009 11:55:16 +1100
Subject: [tac_plus] aaa authorization if-authenticated
Message-ID: <964ee8e00912031655v1bb0992fq2b5156ae4d795749@mail.gmail.com>

Hi All,

I'm trying to get my head around when you would want to use
"if-authenticated" for "aaa authorization" and what the best practice might
be. At what other times might you want to use "local" or "none"?

aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated

My understanding is that "if-authenticated" allows you to continue to run in
an exec shell and execute commands when the tacacs+ server becomes
unreachable/dies. This is provided that you have successfully authenticated
to the tacacs+ server before it became unreachable or died.

When would you use if-authenticated, local and none???

Thanks.

Andy

From asaykao at gmail.com Fri Dec 4 01:02:26 2009
From: asaykao at gmail.com (Andy Saykao)
Date: Fri, 4 Dec 2009 12:02:26 +1100
Subject: [tac_plus] tac_plus log file
Message-ID: <964ee8e00912031702wf3067d5v5519441b68e5a26a@mail.gmail.com>

Sorry if this question has been answered before...

The tac_plus log file (eg: /var/log/tac_plus.log) - does this just log
debugging information?
I notice that when I start the tac_plus daemon and stop it, there's no trace of this in the tac_plus log file, that's all - not sure if this is how it is?

Thanks.

Andy

From asaykao at gmail.com Fri Dec 4 02:28:24 2009
From: asaykao at gmail.com (Andy Saykao)
Date: Fri, 4 Dec 2009 13:28:24 +1100
Subject: [tac_plus] Global prompt for all hosts
Message-ID: <964ee8e00912031828p21e59b58haf35fedabe3c0a96@mail.gmail.com>

Hi All,

Has anyone been able to create a global prompt for all hosts? I've read the man pages and it doesn't appear this is possible. I've tried using regex as the IP address, but no go...

host = {
    key =
    prompt =
    enable =
}

Would be nice to have a global prompt for all devices so we don't have to list each host individually in the conf file.

Thanks.

Andy

From alan.mckinnon at gmail.com Fri Dec 4 09:56:38 2009
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Fri, 4 Dec 2009 11:56:38 +0200
Subject: [tac_plus] Re: tac_plus log file
In-Reply-To: <964ee8e00912031702wf3067d5v5519441b68e5a26a@mail.gmail.com>
References: <964ee8e00912031702wf3067d5v5519441b68e5a26a@mail.gmail.com>
Message-ID: <200912041156.38462.alan.mckinnon@gmail.com>

On Friday 04 December 2009 03:02:26 Andy Saykao wrote:
> Sorry if this question has been answered before...
>
> The tac_plus log file (eg: /var/log/tac_plus.log) - does this just log
> debugging information? I notice that when I start the tac_plus daemon and
> stop it, there's no trace of this in the tac_plus log file that's all - not
> sure if this is how it is?

It's a regular log file logging what the daemon is doing - login queries, successful logins, debug info and more. Log level is enabled with the -d switch; the levels are detailed in the man page.
--
alan dot mckinnon at gmail dot com

From heas at shrubbery.net Fri Dec 4 20:21:02 2009
From: heas at shrubbery.net (john heasley)
Date: Fri, 4 Dec 2009 12:21:02 -0800
Subject: [tac_plus] Re: aaa authorization if-authenticated
In-Reply-To: <964ee8e00912031655v1bb0992fq2b5156ae4d795749@mail.gmail.com>
References: <964ee8e00912031655v1bb0992fq2b5156ae4d795749@mail.gmail.com>
Message-ID: <20091204202102.GB22387@shrubbery.net>

Fri, Dec 04, 2009 at 11:55:16AM +1100, Andy Saykao:
> Hi All,
>
> I'm trying to get my head around when you would want to use
> "if-authenticated" for "aaa authorization" and what the best practice might
> be. At what other times might you want to use "local" or "none"?
>
> aaa authorization exec default group tacacs+ if-authenticated
> aaa authorization commands 0 default group tacacs+ if-authenticated
> aaa authorization commands 1 default group tacacs+ if-authenticated
> aaa authorization commands 15 default group tacacs+ if-authenticated
>
> My understanding is that "if-authenticated" allows you to continue to run in
> an exec shell and execute commands when the tacacs+ server becomes
> unreachable/dies. This is provided that you have successfully authenticated
> to the tacacs+ server before it became unreachable or died.
>
> When would you use if-authenticated, local and none???

we use 'local', which afaik, basically means that 'enable' works as
expected and so should 'user foo priv N'.  experiment with it.

From heas at shrubbery.net Fri Dec 4 22:42:37 2009
From: heas at shrubbery.net (john heasley)
Date: Fri, 4 Dec 2009 14:42:37 -0800
Subject: [tac_plus] Re: Global prompt for all hosts
In-Reply-To: <964ee8e00912031828p21e59b58haf35fedabe3c0a96@mail.gmail.com>
References: <964ee8e00912031828p21e59b58haf35fedabe3c0a96@mail.gmail.com>
Message-ID: <20091204224237.GL22387@shrubbery.net>

Fri, Dec 04, 2009 at 01:28:24PM +1100, Andy Saykao:
> Hi All,
>
> Has anyone been able to create a global prompt for all hosts?
> I've read the man pages and it doesn't appear this is possible. I've
> tried using regex as the IP address, but no go...
>
> host = {
>     key =
>     prompt =
>     enable =
> }
>
> Would be nice to have a global prompt for all devices so we don't have
> to list each host individually in the conf file.

there isn't a config knob for this, afaik.

From asaykao at gmail.com Mon Dec 14 03:29:15 2009
From: asaykao at gmail.com (Andy Saykao)
Date: Mon, 14 Dec 2009 14:29:15 +1100
Subject: [tac_plus] Console login issue???
Message-ID: <964ee8e00912131929k4b131512kb286f1cab8e1f2a3@mail.gmail.com>

Hi All,

I've noticed that with all the AAA commands applied, when I log into a router/switch via the console, I get two username prompts before I successfully authenticate. It seems that on the first try, it detects an "abort reason=Carrier dropped" when waiting for the username (see debugs below). On the second try, it's able to receive the username. All of our devices are plugged into a term server (cisco 2511).

Example:

> telnet ts1-cr 2001
Trying 203.10.110.x...
Connected to ts1-cr.
Escape character is '^]'.
User Access Verification

Username: testuser
Password:

User Access Verification

Username: testuser
Password:
myrouter>

Debug - first try:

Dec 14 14:22:20.303 AEDT: AAA: parse name=tty2 idb type=-1 tty=-1
Dec 14 14:22:20.303 AEDT: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
Dec 14 14:22:20.303 AEDT: AAA/MEMORY: create_user (0x315B210) user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr='210.15.210.x' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Dec 14 14:22:20.303 AEDT: AAA/AUTHEN/START (1220359403): port='tty2' list='' action=LOGIN service=LOGIN
Dec 14 14:22:20.303 AEDT: AAA/AUTHEN/START (1220359403): using "default" list
Dec 14 14:22:20.303 AEDT: AAA/AUTHEN/START (1220359403): Method=tacacs+ (tacacs+)
Dec 14 14:22:20.303 AEDT: TAC+: send AUTHEN/START packet ver=192 id=1220359403
Dec 14 14:22:20.504 AEDT: TAC+: ver=192 id=1220359403 received AUTHEN status = GETUSER
Dec 14 14:22:20.504 AEDT: AAA/AUTHEN (1220359403): status = GETUSER
Dec 14 14:22:20.504 AEDT: AAA/AUTHEN/ABORT: (1220359403) because Carrier dropped.
Dec 14 14:22:20.504 AEDT: TAC+: send abort reason=Carrier dropped
Dec 14 14:22:20.605 AEDT: AAA/AUTHEN/ABORT: (1220359403) because Carrier dropped.
Dec 14 14:22:20.605 AEDT: TAC+: send abort reason=Carrier dropped
Dec 14 14:22:20.706 AEDT: AAA/MEMORY: free_user (0x315B210) user='NULL' ruser='NULL' port='tty2' rem_addr='210.15.210.x' authen_type=ASCII service=LOGIN priv=1

Debug continued - second try:

Dec 14 14:22:43.380 AEDT: AAA: parse name=tty0 idb type=-1 tty=-1
Dec 14 14:22:43.380 AEDT: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
Dec 14 14:22:43.380 AEDT: AAA/MEMORY: create_user (0x43C6B80) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Dec 14 14:22:43.380 AEDT: AAA/AUTHEN/START (1183523905): port='tty0' list='' action=LOGIN service=LOGIN
Dec 14 14:22:43.380 AEDT: AAA/AUTHEN/START (1183523905): using "default" list
Dec 14 14:22:43.380 AEDT: AAA/AUTHEN/START (1183523905): Method=tacacs+ (tacacs+)
Dec 14 14:22:43.380 AEDT: TAC+: send AUTHEN/START packet ver=192 id=1183523905
Dec 14 14:22:43.581 AEDT: TAC+: ver=192 id=1183523905 received AUTHEN status = GETUSER
Dec 14 14:22:43.581 AEDT: AAA/AUTHEN (1183523905): status = GETUSER
Dec 14 14:22:52.515 AEDT: AAA/AUTHEN/CONT (1183523905): continue_login (user='(undef)')
Dec 14 14:22:52.515 AEDT: AAA/AUTHEN (1183523905): status = GETUSER
Dec 14 14:22:52.515 AEDT: AAA/AUTHEN (1183523905): Method=tacacs+ (tacacs+)
Dec 14 14:22:52.515 AEDT: TAC+: send AUTHEN/CONT packet id=1183523905
Dec 14 14:22:52.717 AEDT: TAC+: ver=192 id=1183523905 received AUTHEN status = GETPASS
Dec 14 14:22:52.717 AEDT: AAA/AUTHEN (1183523905): status = GETPASS
Dec 14 14:22:58.874 AEDT: AAA/AUTHEN/CONT (1183523905): continue_login (user='asaykao')
Dec 14 14:22:58.874 AEDT: AAA/AUTHEN (1183523905): status = GETPASS
Dec 14 14:22:58.874 AEDT: AAA/AUTHEN (1183523905): Method=tacacs+ (tacacs+)
Dec 14 14:22:58.874 AEDT: TAC+: send AUTHEN/CONT packet id=1183523905
Dec 14 14:22:59.075 AEDT: TAC+: ver=192 id=1183523905 received AUTHEN status = PASS
Dec 14 14:22:59.075 AEDT: AAA/AUTHEN (1183523905): status = PASS

AAA config:

aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 3 default group tacacs+ if-authenticated
aaa authorization commands 4 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 3 default start-stop group tacacs+
aaa accounting commands 4 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common

Why is this happening that it is unable to receive the username on the first try? Is there a way to fix this?

Thanks.

Andy

From heas at shrubbery.net Mon Dec 14 15:33:42 2009
From: heas at shrubbery.net (john heasley)
Date: Mon, 14 Dec 2009 07:33:42 -0800
Subject: [tac_plus] Re: Console login issue???
In-Reply-To: <964ee8e00912131929k4b131512kb286f1cab8e1f2a3@mail.gmail.com>
References: <964ee8e00912131929k4b131512kb286f1cab8e1f2a3@mail.gmail.com>
Message-ID: <20091214153342.GB5495@shrubbery.net>

Mon, Dec 14, 2009 at 02:29:15PM +1100, Andy Saykao:
> Hi All,
>
> I've noticed that with all the AAA commands applied, when I log into a
> router/switch via the console, I get two username prompts before I
> successfully authenticate. It seems that on the first try, it detects
> a "abort reason=Carrier dropped" when waiting for the username (See
> debugs below).
> On the second try, it's able to receive the username.
> All of our devices are plugged into a term server (cisco 2511).

fix the term server.  most likely it cycles dtr.

From dan.schmidt at uplinkdata.com Mon Dec 14 16:21:51 2009
From: dan.schmidt at uplinkdata.com (Schmidt, Daniel)
Date: Mon, 14 Dec 2009 09:21:51 -0700
Subject: [tac_plus] Re: Console login issue???
In-Reply-To: <964ee8e00912131929k4b131512kb286f1cab8e1f2a3@mail.gmail.com>
References: <964ee8e00912131929k4b131512kb286f1cab8e1f2a3@mail.gmail.com>
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BCC74B6C@che-exch-003.uplinkdata.com>

You aren't, perchance, using single-connection are you? You omitted the one line I wanted to see.

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Andy Saykao
Sent: Sunday, December 13, 2009 8:29 PM
To: tac_plus at shrubbery.net
Subject: [tac_plus] Console login issue???

Hi All,

I've noticed that with all the AAA commands applied, when I log into a router/switch via the console, I get two username prompts before I successfully authenticate. It seems that on the first try, it detects a "abort reason=Carrier dropped" when waiting for the username (See debugs below). On the second try, it's able to receive the username. All of our devices are plugged into a term server (cisco 2511).

[...]

From asaykao at gmail.com Tue Dec 15 00:05:13 2009
From: asaykao at gmail.com (Andy Saykao)
Date: Tue, 15 Dec 2009 11:05:13 +1100
Subject: [tac_plus] tacacs-server timeout
Message-ID: <964ee8e00912141605x310341c0sd6a0ce301f0fbbd@mail.gmail.com>

Hi All,

On another issue, the default timeout for the tac_plus server to reply is 5 seconds. I purposely brought down my tac_plus server and it seems like a lifetime to wait for a response from the cisco device. Does anyone have an optimum value that they use?
I've set mine to 3 seconds which is a little more bearable, but not sure if setting it too low will mean more frequent timeouts when the tac_plus server is under load.

Thanks.

Andy

From asaykao at gmail.com Tue Dec 15 04:01:23 2009
From: asaykao at gmail.com (Andy Saykao)
Date: Tue, 15 Dec 2009 15:01:23 +1100
Subject: [tac_plus] tacacs+ redundancy
Message-ID: <964ee8e00912142001g72ccf0b0l8e75dcf5bbc149fc@mail.gmail.com>

I understand you can configure an aaa group so that if the first tac_plus server fails to respond, it moves onto the second server.

aaa group server tacacs+ TacPlusServers
 server 1.2.3.4
 server 1.2.3.5
!
tacacs-server host 1.2.3.4
tacacs-server host 1.2.3.5

Is there any mechanism/configuration possible where the cisco device marks the first server as being dead/unresponsive and uses the second server instead until such time as the first server is online again? It seems that when the first server dies, you have to wait for the timeout period to expire before trying the second server. Would certainly be more speedy if there was a way that the IOS could mark the first server as being dead and re-try it at a later time while in the meantime logging/auth-ing everything to the second server.

Thanks.

Andy

From dan.schmidt at uplinkdata.com Tue Dec 15 15:41:31 2009
From: dan.schmidt at uplinkdata.com (Schmidt, Daniel)
Date: Tue, 15 Dec 2009 08:41:31 -0700
Subject: [tac_plus] Re: tacacs+ redundancy
In-Reply-To: <964ee8e00912142001g72ccf0b0l8e75dcf5bbc149fc@mail.gmail.com>
References: <964ee8e00912142001g72ccf0b0l8e75dcf5bbc149fc@mail.gmail.com>
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BCC74B7F@che-exch-003.uplinkdata.com>

tacacs-server timeout

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Andy Saykao
Sent: Monday, December 14, 2009 9:01 PM
To: tac_plus at shrubbery.net
Subject: [tac_plus] tacacs+ redundancy

[...]

From Brett.Osiewicz at irs.gov Wed Dec 16 23:18:45 2009
From: Brett.Osiewicz at irs.gov (Osiewicz Brett R)
Date: Wed, 16 Dec 2009 18:18:45 -0500
Subject: [tac_plus] Tacacs server key password config
Message-ID: <8AA3B42717B3604EA360534BB77F23360675F412@NCT0010CP3MB04.ds.irsnet.gov>

When setting up a TACACS+ server to authenticate a Cisco router/switch session, the tacacs-server key password entry provides the shared-secret key that authenticates the router on the TACACS+ server. This password permits AAA communications between the router and the TACACS+ server.

The question: is this tacacs-server key entry now the new password used to access the router? In other words, instead of entering the enable secret username/password combination and having the router/IOS authenticate the session, you now enter the password you supplied for the tacacs-server key password config and the TACACS server authenticates you. If this is true, what username do you use?

v/r

Brett Osiewicz
Washington, DC
(202) 874-0329
From john at sackheads.org Thu Dec 17 14:26:02 2009
From: john at sackheads.org (John Payne)
Date: Thu, 17 Dec 2009 09:26:02 -0500
Subject: [tac_plus] Re: Tacacs server key password config
In-Reply-To: <8AA3B42717B3604EA360534BB77F23360675F412@NCT0010CP3MB04.ds.irsnet.gov>
References: <8AA3B42717B3604EA360534BB77F23360675F412@NCT0010CP3MB04.ds.irsnet.gov>
Message-ID: <6E8740BC-F111-4869-87A6-0379C788070B@sackheads.org>

On Dec 16, 2009, at 6:18 PM, Osiewicz Brett R wrote:
> When setting up a TACACS+ server to authenticate a Cisco router/switch
> session, the tacacs-server key password entry provides the shared-secret
> key that authenticates the router on the TACACS+ server. This password
> permits AAA communications between the router and the TACACS+ server.

The shared secret encrypts the communication between the TACACS+ server and the router. It's a mutual authentication in as much as both the router and the TACACS+ need to have the same key.

> The question: is this tacacs-server key entry now the new password used
> to access the router? In other words, instead of entering the enable
> secret username/password combination and having the router/IOS
> authenticate the session, you now enter the password you supplied for
> the tacacs-server key password config and the TACACS server
> authenticates you. If this is true, what username do you use?

This is not true unless you've copied-n-pasted the password to a user stanza. The user id and password are configured into the tac_plus.cfg. See tac_plus.conf (5):

    user
        Define a user whose username is .

            user = {
                [ ]
            }

        Note: seventeen special usernames exist: "DEFAULT", "$enable$", and
        "$enabN$" (where N is a privilege level number, normally in the range
        0-15 on a Cisco). The "$enable$" user is for backward compatibility
        with previous versions of tacacs that is queried for privilege level
        15 in addition to "$enab15$".

    ...
    user_attr XXX:

        user = bart {
            arap = cleartext "arap password"
            chap = cleartext "chap password"
            enable =
            pap = cleartext "inbound pap password"
            opap = cleartext "outbound pap password"
            login =
            global = cleartext "outbound pap password"
        }

        global specifies the authentication method for all services. login
        applies to normal logins (exec). arap, chap, pap, and opap (outbound
        PAP) service passwords may be defined separately.

From asaykao at gmail.com Thu Dec 17 21:40:52 2009
From: asaykao at gmail.com (Andy Saykao)
Date: Fri, 18 Dec 2009 08:40:52 +1100
Subject: [tac_plus] Re: tacacs+ redundancy
In-Reply-To: <05CC562AFB5A9446A1BC3F66AD04A3BCC74B7F@che-exch-003.uplinkdata.com>
References: <964ee8e00912142001g72ccf0b0l8e75dcf5bbc149fc@mail.gmail.com> <05CC562AFB5A9446A1BC3F66AD04A3BCC74B7F@che-exch-003.uplinkdata.com>
Message-ID: <964ee8e00912171340p64f5205bq5a17141168a6ad2@mail.gmail.com>

Hi Daniel,

I understand the use of the "tacacs-server timeout" but this still involves the router having to contact the first server, wait for the timeout and then try the second server.

I know IOS has some mechanism to mark a radius server dead and use the other radius servers configured, but not sure if there's such a mechanism to mark the first tacacs+ server as being dead and to deal directly with the second tacacs+ server so you don't have to wait for the timeout of the first tacacs+ server.

Cheers.

Andy

On Wed, Dec 16, 2009 at 2:41 AM, Schmidt, Daniel wrote:
> tacacs-server timeout
>
> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net
> [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Andy Saykao
> Sent: Monday, December 14, 2009 9:01 PM
> To: tac_plus at shrubbery.net
> Subject: [tac_plus] tacacs+ redundancy
>
> [...]
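Going back to the "Console login issue???" thread earlier in this digest (two username prompts, with an "abort reason=Carrier dropped" on the first attempt): the Python below is an added example written for this page, not code from the tac_plus project or from any of the posters. It groups IOS "debug aaa authentication" / "debug tacacs" lines by AAA session id, records how each attempt ended, and flags sessions that were aborted while the server was still at GETUSER, i.e. before any username was received. That pattern, repeating on the same tty, points at the console path (john heasley's DTR-cycling diagnosis) rather than at the TACACS+ server, which is the distinction you want before touching server-side config. SAMPLE_DEBUG is a constructed, trimmed copy of the debug output quoted in that thread; the regexes are written against exactly those line shapes.

```python
"""Group Cisco IOS AAA/TACACS+ debug lines by session id and report the
outcome of each login attempt.

Added example for this page; not code from the tac_plus project or from
any poster. SAMPLE_DEBUG is a constructed, trimmed copy of the debug
output quoted in the console-login thread above.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: two attempts, the first aborted at GETUSER, the second passing.
SAMPLE_DEBUG = """\
Dec 14 14:22:20.303 AEDT: AAA/AUTHEN/START (1220359403): port='tty2' list='' action=LOGIN service=LOGIN
Dec 14 14:22:20.504 AEDT: TAC+: ver=192 id=1220359403 received AUTHEN status = GETUSER
Dec 14 14:22:20.504 AEDT: AAA/AUTHEN/ABORT: (1220359403) because Carrier dropped.
Dec 14 14:22:20.504 AEDT: TAC+: send abort reason=Carrier dropped
Dec 14 14:22:43.380 AEDT: AAA/AUTHEN/START (1183523905): port='tty0' list='' action=LOGIN service=LOGIN
Dec 14 14:22:43.581 AEDT: TAC+: ver=192 id=1183523905 received AUTHEN status = GETUSER
Dec 14 14:22:52.515 AEDT: AAA/AUTHEN/CONT (1183523905): continue_login (user='(undef)')
Dec 14 14:22:52.717 AEDT: TAC+: ver=192 id=1183523905 received AUTHEN status = GETPASS
Dec 14 14:22:58.874 AEDT: AAA/AUTHEN/CONT (1183523905): continue_login (user='asaykao')
Dec 14 14:22:59.075 AEDT: TAC+: ver=192 id=1183523905 received AUTHEN status = PASS
"""

START_RE = re.compile(r"AAA/AUTHEN/START \((\d+)\): port='([^']*)'")
STATUS_RE = re.compile(r"TAC\+: ver=\d+ id=(\d+) received AUTHEN status = (\w+)")
CONT_RE = re.compile(r"AAA/AUTHEN/CONT \((\d+)\): continue_login \(user='([^']*)'\)")
ABORT_RE = re.compile(r"AAA/AUTHEN/ABORT: \((\d+)\) because (.*?)\.?$")


@dataclass
class Session:
    port: str
    user: Optional[str] = None
    statuses: List[str] = field(default_factory=list)
    abort_reason: Optional[str] = None

    @property
    def outcome(self) -> str:
        """ABORT if the NAS aborted, otherwise the last status the server returned."""
        if self.abort_reason is not None:
            return "ABORT"
        return self.statuses[-1] if self.statuses else "UNKNOWN"


def parse_sessions(text: str) -> Dict[str, Session]:
    """One Session per AAA session id, in order of first appearance."""
    sessions: Dict[str, Session] = {}
    for line in text.splitlines():
        m = START_RE.search(line)
        if m:
            sessions[m.group(1)] = Session(port=m.group(2))
            continue
        m = STATUS_RE.search(line)
        if m and m.group(1) in sessions:
            sessions[m.group(1)].statuses.append(m.group(2))
            continue
        m = CONT_RE.search(line)
        if m and m.group(1) in sessions:
            if m.group(2) != "(undef)":  # IOS logs '(undef)' until a name has been typed
                sessions[m.group(1)].user = m.group(2)
            continue
        m = ABORT_RE.search(line)
        if m and m.group(1) in sessions:
            sessions[m.group(1)].abort_reason = m.group(2)
    return sessions


def aborted_before_username(sessions: Dict[str, Session]) -> List[str]:
    """Session ids aborted before any username arrived: the line dropped while
    the server was still waiting at GETUSER. Repeated hits on the same port are
    a console-path problem (here: the terminal server cycling DTR), not a
    TACACS+ server problem."""
    return sorted(sid for sid, s in sessions.items()
                  if s.outcome == "ABORT" and s.user is None)


def summarize(sessions: Dict[str, Session]) -> List[str]:
    """One human-readable line per session."""
    return [f"{sid} port={s.port} user={s.user or '-'} outcome={s.outcome}"
            + (f" ({s.abort_reason})" if s.abort_reason else "")
            for sid, s in sessions.items()]


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_DEBUG)
    print("\n".join(summarize(found)))
    print("aborted before username:", aborted_before_username(found))
```

Run against a full "debug aaa authentication" capture, a steady stream of ABORT-before-username sessions from one tty, while sessions on other ports pass, isolates the fault to that port's wiring or terminal server; a wrong or unreachable server shows up instead as FAIL or ERROR statuses, or as START lines with no status reply at all.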
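For the "Tacacs server key password config" thread above (Brett Osiewicz's question and John Payne's answer): an added example, not tac_plus code and not from any poster, showing what the tacacs-server key is actually used for on the wire. The TACACS+ packet body is XORed with an MD5-derived pad computed from the session id, the shared key, the version byte and the sequence number; the 12-byte header is sent in the clear. The key never travels as a login credential and no username goes with it, which is the on-wire form of Payne's answer; and RFC 8907, which documents the same scheme the earlier draft used, calls this obfuscation rather than encryption, so the router-to-server path still needs its own protection (a management network or IPsec). The version byte 0xC0 is the "ver=192" in the IOS debug output quoted earlier, and the single-connect flag is the "single-connection" option Daniel Schmidt asks about. All keys, session ids and bodies in the block are constructed values.

```python
"""TACACS+ packet body obfuscation with the shared secret (RFC 8907, section 4.5).

Added example for this page; not tac_plus code. All keys, session ids and
bodies below are constructed sample values.
"""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC           # always 0xC for TACACS+
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
# Major version in the high nibble, minor in the low nibble: 0xC0 == 192,
# the "ver=192" printed in the IOS debug lines quoted on this page.
VERSION_BYTE = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT

TAC_PLUS_AUTHEN = 0x01               # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01     # body sent in the clear (no key configured)
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04  # the "single-connection" option asked about above

HEADER_FMT = "!BBBBII"  # version, type, seq_no, flags, session_id, body length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 pseudo-random pad:
       MD5_1 = MD5(session_id || key || version || seq_no)
       MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1})
       pad   = MD5_1 || MD5_2 || ... truncated to `length` bytes."""
    prefix = struct.pack("!I", session_id) + key + bytes([version & 0xFF, seq_no & 0xFF])
    pad = b""
    prev = b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int,
              version: int = VERSION_BYTE) -> bytes:
    """XOR the body with the pad. Applying it again with the same parameters
    restores the plaintext, so one function serves both directions."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int,
                 packet_type: int = TAC_PLUS_AUTHEN, single_connect: bool = False) -> bytes:
    """Clear-text header followed by the obfuscated body."""
    flags = TAC_PLUS_SINGLE_CONNECT_FLAG if single_connect else 0
    header = struct.pack(HEADER_FMT, VERSION_BYTE, packet_type, seq_no, flags,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)


def parse_packet(packet: bytes, key: bytes) -> dict:
    """Split a packet into header fields and the de-obfuscated body. With the
    wrong key the body decodes to garbage, which is why a key mismatch between
    router and server fails every login rather than producing a clear error."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, seq_no, version)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


if __name__ == "__main__":
    sid, secret = 0x0ABCDEF1, b"constructed-shared-secret"
    pkt = build_packet(b"constructed authen start body", sid, secret, seq_no=1)
    print(parse_packet(pkt, secret)["body"])      # plaintext back
    print(parse_packet(pkt, b"wrong-key")["body"])  # garbage
```

The pad depends only on values an observer of the connection can already read from the header plus the key, so the key is the whole secret: anyone who can capture the TCP session and knows the key recovers every username and password exchanged, and a short or shared-across-sites key makes that easier. Treat it as a per-device credential and keep the TACACS+ path off untrusted networks.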