From pvdovets at optimum.net Wed Jul 15 03:30:15 2009
From: pvdovets at optimum.net (Paul Vdovets)
Date: Tue, 14 Jul 2009 23:30:15 -0400
Subject: [tac_plus] tac_plus with NX-OS
Message-ID: <8f9b69300907142030n8179914oe511972743c34934@mail.gmail.com>

I have a working tac_plus server that provides authentication for all the Cisco IOS switches and routers in our env.

We just added 2 Cisco Nexus 5010 and, unlike their IOS brethren, they do not seem to work with the tac_plus server.

Has anyone seen this? I have been running with debug level 16 and still get only this for a result:

Jul 14 23:18:20 ldap1 tac_plus[30496]: Reading config
Jul 14 23:18:20 ldap1 tac_plus[30496]: Version F4.0.4.18 Initialized 1
Jul 14 23:18:20 ldap1 tac_plus[30496]: session.peerip is 10.88.2.10
Jul 14 23:18:20 ldap1 tac_plus[30496]: pap-login query for 'my-user' 0 from distsw1 rejected
Jul 14 23:18:20 ldap1 tac_plus[30496]: login failure: pvdovets distsw1 (10.88.2.10) 0
Jul 14 23:18:20 ldap1 xinetd[30445]: EXIT: tacacs status=0 pid=30496 duration=0(sec)

On the Nexus, when using the "test aaa server tacacs" command, I get the following:

error authenticating to server
7

thanks,

--
Paul
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20090714/8996cb55/attachment.html

From heas at shrubbery.net Wed Jul 15 07:15:30 2009
From: heas at shrubbery.net (john heasley)
Date: Wed, 15 Jul 2009 07:15:30 +0000
Subject: [tac_plus] Re: tac_plus with NX-OS
In-Reply-To: <8f9b69300907142030n8179914oe511972743c34934@mail.gmail.com>
References: <8f9b69300907142030n8179914oe511972743c34934@mail.gmail.com>
Message-ID: <20090715071530.GD24675@shrubbery.net>

Tue, Jul 14, 2009 at 11:30:15PM -0400, Paul Vdovets:
> I have a working tac_plus server that provides authentication for all the
> Cisco IOS switches and routers in our env.
>
> We just added 2 Cisco Nexus 5010 and, unlike their IOS brethren, they do not
> seem to work with the tac_plus server.
>
> Has anyone seen this? I have been running with debug level 16 and still get
> only this for a result:
>
> Jul 14 23:18:20 ldap1 tac_plus[30496]: Reading config
> Jul 14 23:18:20 ldap1 tac_plus[30496]: Version F4.0.4.18 Initialized 1
> Jul 14 23:18:20 ldap1 tac_plus[30496]: session.peerip is 10.88.2.10
> Jul 14 23:18:20 ldap1 tac_plus[30496]: pap-login query for 'my-user' 0 from
> distsw1 rejected

why is it a 'pap-login'?

> Jul 14 23:18:20 ldap1 tac_plus[30496]: login failure: pvdovets distsw1
> (10.88.2.10) 0
> Jul 14 23:18:20 ldap1 xinetd[30445]: EXIT: tacacs status=0 pid=30496
> duration=0(sec)
>
> On the Nexus, when using the "test aaa server tacacs" command, I get the
> following:
>
> error authenticating to server
> 7
>
> thanks,
>
> --
> Paul
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20090714/8996cb55/attachment.html
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

From john at sackheads.org Wed Jul 15 15:42:57 2009
From: john at sackheads.org (John Payne)
Date: Wed, 15 Jul 2009 11:42:57 -0400
Subject: [tac_plus] Aruba controllers
Message-ID: <54A102BC-D238-4A6D-880B-3FC900C39E3F@sackheads.org>

Anyone aware of any attributes that the Aruba controller will obey to allow auto-privilege CLI access?
I have TACACS+ authentication working for administrative access to both web and CLI interfaces, but the CLI access requires me to enter a (static - not AAA'd) enable password :(

From pvdovets at gmail.com Wed Jul 15 13:48:49 2009
From: pvdovets at gmail.com (Paul Vdovets)
Date: Wed, 15 Jul 2009 09:48:49 -0400
Subject: [tac_plus] Re: tac_plus with NX-OS
In-Reply-To: <8f9b69300907150334r717200e1sabd9d4cb762b1d3f@mail.gmail.com>
References: <8f9b69300907142030n8179914oe511972743c34934@mail.gmail.com>
	<20090715071530.GD24675@shrubbery.net>
	<8f9b69300907150334r717200e1sabd9d4cb762b1d3f@mail.gmail.com>
Message-ID: <8f9b69300907150648taf4e482p20b8ba6b23619f56@mail.gmail.com>

It looks like the Nexus seems to require either PAP or MSCHAP.

MSCHAP is a no go since, based on config.c, cleartext is the only supported config, and I'm not looking forward to having my password lying around that way..

I got it working by adding

    pap = des

Is there any way to get either of the two options above working with PAM / LDAP?

Below is the entire config used to get TACACS enabled:

feature tacacs+
tacacs+ enable

tacacs-server key 7 "*********"
tacacs-server host 10.88.4.52 key 7 "*********" timeout 5
tacacs-server host 10.88.4.52 test username test password test
aaa group server tacacs+ conaaa
    server 10.88.4.52
    use-vrf default            # needed since I am not using the mgmt port on the switch
aaa authentication login default group conaaa local
aaa authentication login console group conaaa local
aaa accounting default group conaaa local
no aaa authentication login error-enable
no aaa authentication login mschap enable
no radius-server directed-request
tacacs-server directed-request
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20090715/15f4ce43/attachment.html

From heas at shrubbery.net Wed Jul 15 18:04:52 2009
From: heas at shrubbery.net (john heasley)
Date: Wed, 15 Jul 2009 11:04:52 -0700
Subject: [tac_plus] Re: Aruba controllers
In-Reply-To: <54A102BC-D238-4A6D-880B-3FC900C39E3F@sackheads.org>
References: <54A102BC-D238-4A6D-880B-3FC900C39E3F@sackheads.org>
Message-ID: <20090715180452.GK10411@shrubbery.net>

Wed, Jul 15, 2009 at 11:42:57AM -0400, John Payne:
> Anyone aware of any attributes that the Aruba controller will obey to
> allow auto-privilege CLI access? I have TACACS+ authentication

ask the mfg, or try strings(1) on its o/s image; it might reveal an AVP name.

> working for administrative access to both web and CLI interfaces, but
> the CLI access requires me to enter a (static - not AAA'd) enable
> password :(

From heas at shrubbery.net Wed Jul 15 21:14:01 2009
From: heas at shrubbery.net (john heasley)
Date: Wed, 15 Jul 2009 14:14:01 -0700
Subject: [tac_plus] Re: tac_plus with NX-OS
In-Reply-To: <8f9b69300907150334r717200e1sabd9d4cb762b1d3f@mail.gmail.com>
References: <8f9b69300907142030n8179914oe511972743c34934@mail.gmail.com>
	<20090715071530.GD24675@shrubbery.net>
	<8f9b69300907150334r717200e1sabd9d4cb762b1d3f@mail.gmail.com>
Message-ID: <20090715211401.GB10411@shrubbery.net>

Wed, Jul 15, 2009 at 06:34:16AM -0400, Paul Vdovets:
> That seems to be what the Nexus requires; I have no extra config specifying
> PAP.

that seems broken. you should file a bug with cisco.
> Below is the entire config used to get TACACS enabled:
>
> feature tacacs+
> tacacs+ enable
>
> tacacs-server key 7 "*********"
> tacacs-server host 10.88.4.52 key 7 "*********" timeout 5
> tacacs-server host 10.88.4.52 test username test password test
> aaa group server tacacs+ conaaa
>     server 10.88.4.52
>     use-vrf default            # needed since I am not using the mgmt port on the switch
> aaa authentication login default group conaaa local
> aaa authentication login console group conaaa local
> aaa accounting default group conaaa local
> no aaa authentication login error-enable
> no aaa authentication login mschap enable
> no radius-server directed-request
> tacacs-server directed-request
>
> On Wed, Jul 15, 2009 at 3:15 AM, john heasley wrote:
>
> > Tue, Jul 14, 2009 at 11:30:15PM -0400, Paul Vdovets:
> > > I have a working tac_plus server that provides authentication for all the
> > > Cisco IOS switches and routers in our env.
> > >
> > > We just added 2 Cisco Nexus 5010 and, unlike their IOS brethren, they do
> > > not seem to work with the tac_plus server.
> > >
> > > Has anyone seen this? I have been running with debug level 16 and still
> > > get only this for a result:
> > >
> > > Jul 14 23:18:20 ldap1 tac_plus[30496]: Reading config
> > > Jul 14 23:18:20 ldap1 tac_plus[30496]: Version F4.0.4.18 Initialized 1
> > > Jul 14 23:18:20 ldap1 tac_plus[30496]: session.peerip is 10.88.2.10
> > > Jul 14 23:18:20 ldap1 tac_plus[30496]: pap-login query for 'my-user' 0
> > > from distsw1 rejected
> >
> > why is it a 'pap-login'?
> >
> > > Jul 14 23:18:20 ldap1 tac_plus[30496]: login failure: pvdovets distsw1
> > > (10.88.2.10) 0
> > > Jul 14 23:18:20 ldap1 xinetd[30445]: EXIT: tacacs status=0 pid=30496
> > > duration=0(sec)
> > >
> > > On the Nexus, when using the "test aaa server tacacs" command, I get the
> > > following:
> > >
> > > error authenticating to server
> > > 7
> > >
> > > thanks,
> > >
> > > --
> > > Paul
> > > -------------- next part --------------
> > > An HTML attachment was scrubbed...
> > > URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20090714/8996cb55/attachment.html
>
> --
> Paul Vdovets

From heas at shrubbery.net Wed Jul 15 22:40:05 2009
From: heas at shrubbery.net (john heasley)
Date: Wed, 15 Jul 2009 15:40:05 -0700
Subject: [tac_plus] Re: tac_plus with NX-OS
In-Reply-To: <8f9b69300907150648taf4e482p20b8ba6b23619f56@mail.gmail.com>
References: <8f9b69300907142030n8179914oe511972743c34934@mail.gmail.com>
	<20090715071530.GD24675@shrubbery.net>
	<8f9b69300907150334r717200e1sabd9d4cb762b1d3f@mail.gmail.com>
	<8f9b69300907150648taf4e482p20b8ba6b23619f56@mail.gmail.com>
Message-ID: <20090715224005.GE19176@shrubbery.net>

Wed, Jul 15, 2009 at 09:48:49AM -0400, Paul Vdovets:
> It looks like the Nexus seems to require either PAP or MSCHAP.
>
> MSCHAP is a no go since, based on config.c, cleartext is the only supported
> config, and I'm not looking forward to having my password lying around that
> way..
>
> I got it working by adding
>
>     pap = des
>
> Is there any way to get either of the two options above working with PAM /
> LDAP?

ldap is only offered via pam. i think pam for pap would be possible, but it'll have to be coded.
>
> Below is the entire config used to get TACACS enabled:
>
> feature tacacs+
> tacacs+ enable
>
> tacacs-server key 7 "*********"
> tacacs-server host 10.88.4.52 key 7 "*********" timeout 5
> tacacs-server host 10.88.4.52 test username test password test
> aaa group server tacacs+ conaaa
>     server 10.88.4.52
>     use-vrf default            # needed since I am not using the mgmt port on the switch
> aaa authentication login default group conaaa local
> aaa authentication login console group conaaa local
> aaa accounting default group conaaa local
> no aaa authentication login error-enable
> no aaa authentication login mschap enable
> no radius-server directed-request
> tacacs-server directed-request

From john at sackheads.org Thu Jul 16 14:04:32 2009
From: john at sackheads.org (John Payne)
Date: Thu, 16 Jul 2009 10:04:32 -0400
Subject: [tac_plus] Re: Aruba controllers
In-Reply-To: <20090715180452.GK10411@shrubbery.net>
References: <54A102BC-D238-4A6D-880B-3FC900C39E3F@sackheads.org>
	<20090715180452.GK10411@shrubbery.net>
Message-ID: <5E7C354A-6E4A-4C97-A1E3-374FAF657E6C@sackheads.org>

On Jul 15, 2009, at 2:04 PM, john heasley wrote:

> Wed, Jul 15, 2009 at 11:42:57AM -0400, John Payne:
>> Anyone aware of any attributes that the Aruba controller will obey to
>> allow auto-privilege CLI access? I have TACACS+ authentication
>
> ask the mfg, or try strings(1) on its o/s image; it might reveal an AVP
> name.

mfg can barely spell TACACS+ (and definitely not consistently) :(

strings I hadn't thought about.... will give that a go

>> working for administrative access to both web and CLI interfaces, but
>> the CLI access requires me to enter a (static - not AAA'd) enable
>> password :(
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20090716/74f4365a/attachment.html

From dan.schmidt at uplinkdata.com Thu Jul 30 16:16:26 2009
From: dan.schmidt at uplinkdata.com (Schmidt, Daniel)
Date: Thu, 30 Jul 2009 10:16:26 -0600
Subject: [tac_plus] parse accounting data
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BC70DA7E@che-exch-003.uplinkdata.com>

Anybody had any luck parsing the accounting log into a searchable database or something similar?
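Editor's note on the "parse accounting data" question above: the following is an added example, written for this archive and not code from the list or from the tac_plus project. It loads tac_plus-style accounting records into SQLite so they can be queried. Assumptions: the record layout is the tab-separated one tac_plus writes (ctime-style timestamp, NAS address, user, port, remote address, start/stop/update flag, then AV pairs, with "=" for mandatory and "*" for optional pairs); the sample lines, hosts and users are constructed for the example; the schema, the table name and the two query functions are the example's own choices.

```python
import json
import re
import sqlite3
from datetime import datetime

# Constructed sample records (not real data). Fields are tab-separated, as in
# the tac_plus accounting file; one bogus line is included to show the skip path,
# and one record uses the space-padded day that ctime() produces.
SAMPLE_LOG = (
    "Wed Jul  1 09:00:00 2009\t10.88.2.11\tjpayne\ttty2\t192.0.2.7\tstart\ttask_id=3\ttimezone=UTC\tservice=shell\n"
    "Thu Jul 30 10:16:26 2009\t10.88.2.10\tpvdovets\ttty1\t10.88.4.52\tstart\ttask_id=17\ttimezone=UTC\tservice=shell\n"
    "Thu Jul 30 10:16:40 2009\t10.88.2.10\tpvdovets\ttty1\t10.88.4.52\tstop\ttask_id=18\ttimezone=UTC\tservice=shell\tpriv-lvl=15\tcmd=show running-config <cr>\n"
    "Thu Jul 30 10:17:02 2009\t10.88.2.10\tpvdovets\ttty1\t10.88.4.52\tstop\ttask_id=19\ttimezone=UTC\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>\n"
    "Thu Jul 30 10:18:11 2009\t10.88.2.11\tjpayne\ttty2\t192.0.2.7\tstop\ttask_id=20\ttimezone=UTC\tservice=shell\tpriv-lvl=15\tcmd=write memory <cr>\n"
    "this line is garbage and must be skipped\n"
    "Thu Jul 30 10:19:00 2009\t10.88.2.10\tpvdovets\ttty1\t10.88.4.52\tstop\ttask_id=17\ttimezone=UTC\tservice=shell\telapsed_time=154\n"
)

FIXED_FIELDS = ("ts", "nas", "user", "port", "rem_addr", "flag")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"          # assumed ctime-style timestamp
AVPAIR_RE = re.compile(r"^([^=*]+)([=*])(.*)$")  # attr=value (mandatory) or attr*value (optional)

SCHEMA = """
CREATE TABLE IF NOT EXISTS acct (
    ts TEXT NOT NULL, nas TEXT NOT NULL, user TEXT NOT NULL, port TEXT, rem_addr TEXT,
    flag TEXT NOT NULL, task_id TEXT, service TEXT, priv_lvl TEXT, cmd TEXT,
    avpairs TEXT NOT NULL
);
CREATE INDEX IF NOT EXISTS acct_user_ts ON acct(user, ts);
CREATE INDEX IF NOT EXISTS acct_nas_ts ON acct(nas, ts);
"""


def parse_record(line):
    """Parse one accounting line into a dict, or return None if it is not a record."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < len(FIXED_FIELDS):
        return None
    rec = dict(zip(FIXED_FIELDS, fields[:len(FIXED_FIELDS)]))
    try:
        # Store ISO 8601 so ORDER BY ts sorts chronologically as plain text.
        rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT).isoformat(sep=" ")
    except ValueError:
        return None
    if rec["flag"] not in ("start", "stop", "update"):
        return None
    av = {}
    for pair in fields[len(FIXED_FIELDS):]:
        m = AVPAIR_RE.match(pair)
        if m:
            av[m.group(1)] = m.group(3)   # a "cmd=" value may itself contain spaces
    rec["avpairs"] = av
    return rec


def load_log(conn, text):
    """Load accounting text into the acct table; returns (rows_loaded, lines_skipped)."""
    conn.executescript(SCHEMA)
    rows, skipped = [], 0
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            skipped += 1
            continue
        av = rec["avpairs"]
        rows.append((rec["ts"], rec["nas"], rec["user"], rec["port"], rec["rem_addr"], rec["flag"],
                     av.get("task_id"), av.get("service"), av.get("priv-lvl"), av.get("cmd"),
                     json.dumps(av, sort_keys=True)))
    # Usernames and commands come from the NAS (and ultimately from whoever typed them),
    # so they are untrusted input: always bind them as parameters, never format them in.
    conn.executemany("INSERT INTO acct VALUES (?,?,?,?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return len(rows), skipped


def commands_by_user(conn, user):
    """Every command a user ran, in order, with the device it ran on."""
    return conn.execute(
        "SELECT ts, nas, cmd FROM acct WHERE user = ? AND cmd IS NOT NULL ORDER BY ts",
        (user,)).fetchall()


def config_changes(conn):
    """Commands that enter configuration mode or save config (pattern chosen for the example)."""
    return conn.execute(
        "SELECT ts, user, nas, cmd FROM acct WHERE cmd LIKE 'configure %' OR cmd LIKE 'write %' ORDER BY ts"
    ).fetchall()


if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    print("loaded/skipped:", load_log(db, SAMPLE_LOG))
    for row in commands_by_user(db, "pvdovets"):
        print(row)
    print("config changes:", config_changes(db))
```

Point the loader at the real accounting file (`load_log(conn, open(path).read())`) with a file-backed database instead of `:memory:`; the full AV-pair set is kept as JSON in `avpairs`, so attributes the fixed columns do not cover are still searchable.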
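Editor's note on the "tac_plus with NX-OS" thread above (the "why is it a 'pap-login'?" question and the `pap = des` fix): the following is an added example, not code from the list or from tac_plus. It builds the TACACS+ authentication START packet both ways a client can send it, ASCII login (IOS style: no password in START, the server asks for it with GETPASS) and PAP (what the Nexus was sending: password in the START data field, protocol minor version 1), decodes it as the server would, and applies a simplified model of the rule behind the log line: an ASCII login is checked with the user's `login =` method, a PAP login with `pap =`, and a user with no entry for the method the client chose is rejected. Assumptions: packet layout and MD5 body obfuscation follow RFC 8907 (the same layout the 2009 draft used); the shared key, session id, user and password are constructed; the `users` table is a toy stand-in for tac_plus.conf, and the model does not verify passwords or consult a default user, it only shows the dispatch.

```python
import hashlib
import struct

# TACACS+ constants (RFC 8907 values)
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body not obfuscated
TAC_PLUS_AUTHEN_LOGIN = 0x01      # START action
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01  # service
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
AUTHEN_TYPE_NAMES = {0x01: "ASCII", 0x02: "PAP", 0x03: "CHAP", 0x05: "MSCHAP", 0x06: "MSCHAPV2"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """Pad stream for body obfuscation: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_n-1), concatenated and truncated."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(session_id, key, version, seq_no, body):
    """XOR the body with the pad; the operation is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id, key, user, port, rem_addr, authen_type, data=b""):
    """Client side: authentication START (seq_no 1). PAP/CHAP/MSCHAP use minor version 1
    and carry the credential in `data`; ASCII login uses minor version 0 and empty data."""
    version = 0xC0 | (0 if authen_type == TAC_PLUS_AUTHEN_TYPE_ASCII else 1)
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, 1, authen_type, TAC_PLUS_AUTHEN_SVC_LOGIN,
                       len(user), len(port), len(rem_addr), len(data)) + user + port + rem_addr + data
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(session_id, key, version, 1, body)


def parse_authen_start(packet, key):
    """Server side: decode a START packet and report which authen_type the client asked for."""
    if len(packet) < 12:
        raise ValueError("short packet")
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TAC_PLUS_AUTHEN or seq_no != 1:
        raise ValueError("not an authentication START packet")
    body = packet[12:12 + length]
    if len(body) != length or length < 8:
        raise ValueError("truncated body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(session_id, key, version, seq_no, body)
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    if 8 + ulen + plen + rlen + dlen != len(body):
        raise ValueError("length fields do not match body (wrong shared key?)")
    off = 8
    user = body[off:off + ulen]; off += ulen
    port = body[off:off + plen]; off += plen
    rem_addr = body[off:off + rlen]; off += rlen
    data = body[off:off + dlen]
    return {
        "minor_version": version & 0x0F,
        "authen_type": AUTHEN_TYPE_NAMES.get(authen_type, hex(authen_type)),
        "priv_lvl": priv_lvl,
        "user": user.decode("ascii", "replace"),
        "port": port.decode("ascii", "replace"),
        "rem_addr": rem_addr.decode("ascii", "replace"),
        "data": data,
    }


def tac_plus_method(start, users):
    """Toy model of the method dispatch (assumption, not tac_plus code): ASCII login uses the
    user's 'login' entry, PAP uses 'pap'. A user lacking the requested entry is rejected,
    which is what the 'pap-login query ... rejected' log line in the thread shows."""
    entry = users.get(start["user"])
    if entry is None:
        return False, "unknown user %r" % start["user"]
    method = "login" if start["authen_type"] == "ASCII" else start["authen_type"].lower()
    if method not in entry:
        return False, "%s-login query for '%s' rejected: no '%s =' entry" % (method, start["user"], method)
    return True, "%s-login for '%s' checked with '%s = %s'" % (method, start["user"], method, entry[method])


if __name__ == "__main__":
    key = b"sharedsecret"                       # constructed, not a real key
    users = {"my-user": {"login": "PAM"}}       # toy stand-in for tac_plus.conf
    nexus = build_authen_start(0x1234ABCD, key, b"my-user", b"tty1", b"10.88.2.10",
                               TAC_PLUS_AUTHEN_TYPE_PAP, b"hunter2")
    print(tac_plus_method(parse_authen_start(nexus, key), users))
    ios = build_authen_start(0x1234ABCE, key, b"my-user", b"tty1", b"10.88.2.10",
                             TAC_PLUS_AUTHEN_TYPE_ASCII)
    print(tac_plus_method(parse_authen_start(ios, key), users))
```

Running it shows the PAP START being rejected for a user who only has a `login =` method and the ASCII START being accepted, which is the difference between the Nexus and the IOS boxes in the thread; adding a `pap` entry to the toy table, as `pap = des` did in the real config, flips the PAP result. The parser's length check is also a quick way to tell a wrong shared key from a malformed packet when debugging a capture.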