[tac_plus] Re: firewall 0.0.0.0??

john heasley heas at shrubbery.net
Tue Jun 9 18:04:51 UTC 2009


Tue, Jun 09, 2009 at 11:40:47AM -0600, Schmidt, Daniel:
> Rather unlikely seeing as how a router/switch never yields a 0.0.0.0.
> In other words, if it was a bug I would see it on other places and I do
> not.  Also, there is no 0.0.0.0 anywhere in my script, and mind that
> variable is just a string!  If the problem was in my script, the
> variable would be empty, or it would just plain crash, it's impossible
> for the script to set 0.0.0.0 as it had to come from somewhere. 
> 
> http://pastie.org/506002

I think that you're passing $address to your script.  $address is rem_addr,
which is:
   An ASCII string that describes the user's remote location. This field
   is optional (since the information may not be available). It is
   intended to hold a network address if the user is connected via a
   network, a caller ID is the user is connected via ISDN or a POTS, or
   any other remote location information that is available. This field
   value is client specified.

i think you really want $ip, the IP of PIX?  if you really want $address,
then you're at the mercy of the PIX to fill that field in the tacacs
request.

> The firewall does not send a cmd-arg=<cr>, which was not expected.  That
> will be fixed. 

that is the PIX's fault.

> -----Original Message-----
> From: john heasley [mailto:heas at shrubbery.net] 
> Sent: Tuesday, June 09, 2009 10:55 AM
> To: Schmidt, Daniel
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] firewall 0.0.0.0??
> 
> Tue, Jun 09, 2009 at 09:58:50AM -0600, Schmidt, Daniel:
> > Hum... Anybody ever noticed that, when you try to enable on a PIX,
> your
> > source ip is given as 0.0.0.0?  As of yet, I am unsure whether to
> blame
> > tac_plus or the pix. 
> > 
> > 2009-06-09 09:26:06: User 'homer' not allowed from source '0.0.0.0' in
> > 'BN'->'host_allow'
> > 2009-06-09 09:26:09: User 'homer' not allowed from source '0.0.0.0' in
> > 'BN'->'host_allow'
> 
> i'd lean toward your script.  tacacs gets the ip from the tcp socket.
> 
> > If I allow 0.0.0.0 as a source and look at the tac_pairs I get:  
> > 
> > service=shell
> > cmd*
> > priv-lvl=15
> > idletime=10
> > 2009-06-09 09:36:33: User 'homer' granted access to device
> > '192.168.168.168' in group 'BN' from '172.16.25.17'
> > service=shell
> > cmd=enable
> > 2009-06-09 09:37:00: User 'homer' allowed command 'enable' to device
> > '192.168.168.168' in 'BN'->'command_permit'
> > service=shell
> > cmd=enable
> > 2009-06-09 09:37:00: User 'homer' allowed command 'enable' to device
> > '192.168.168.168' in 'BN'->'command_permit'
> > service=shell
> > cmd*
> > priv-lvl=15
> > idletime=10
> > 2009-06-09 09:37:02: User 'homer' granted access to device
> > '192.168.168.168' in group 'BN' from '172.16.25.17'
> > 
> > (Notice also, firewall doesn't give a cmd-arg=<cr> at the end.  Odd.)
> > _______________________________________________
> > tac_plus mailing list
> > tac_plus at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus


More information about the tac_plus mailing list