[tac_plus] Re: firewall 0.0.0.0??

Schmidt, Daniel dan.schmidt at uplinkdata.com
Tue Jun 9 18:13:31 UTC 2009


That is exactly what I want.  So, we see the user coming from 0.0.0.0
instead of a valid IP.  The initial login is successful, so we see that
the PIX does at least that right.  After that, it returns 0.0.0.0.  

Gar... do I really want to open a tac case and argue with those guys?
It would take at least a week to get them to even FIND the problem.
Maybe I'll just put 0.0.0.0 in all my "host_allow" lists.  

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net] 
Sent: Tuesday, June 09, 2009 12:05 PM
To: Schmidt, Daniel
Cc: john heasley; tac_plus at shrubbery.net
Subject: Re: [tac_plus] firewall 0.0.0.0??

Tue, Jun 09, 2009 at 11:40:47AM -0600, Schmidt, Daniel:
> Rather unlikely seeing as how a router/switch never yields a 0.0.0.0.
> In other words, if it was a bug I would see it on other places and I do
> not.  Also, there is no 0.0.0.0 anywhere in my script, and mind that
> variable is just a string!  If the problem was in my script, the
> variable would be empty, or it would just plain crash, it's impossible
> for the script to set 0.0.0.0 as it had to come from somewhere. 
> 
> http://pastie.org/506002

I think that you're passing $address to your script.  $address is rem_addr,
which is:
   An ASCII string that describes the user's remote location. This field
   is optional (since the information may not be available). It is
   intended to hold a network address if the user is connected via a
   network, a caller ID if the user is connected via ISDN or a POTS, or
   any other remote location information that is available. This field
   value is client specified.

i think you really want $ip, the IP of PIX?  if you really want $address,
then you're at the mercy of the PIX to fill that field in the tacacs
request.

> The firewall does not send a cmd-arg=<cr>, which was not expected.  That
> will be fixed. 

that is the PIX's fault.

> -----Original Message-----
> From: john heasley [mailto:heas at shrubbery.net] 
> Sent: Tuesday, June 09, 2009 10:55 AM
> To: Schmidt, Daniel
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] firewall 0.0.0.0??
> 
> Tue, Jun 09, 2009 at 09:58:50AM -0600, Schmidt, Daniel:
> > Hum... Anybody ever noticed that, when you try to enable on a PIX, your
> > source ip is given as 0.0.0.0?  As of yet, I am unsure whether to blame
> > tac_plus or the pix. 
> > 
> > 2009-06-09 09:26:06: User 'homer' not allowed from source '0.0.0.0' in
> > 'BN'->'host_allow'
> > 2009-06-09 09:26:09: User 'homer' not allowed from source '0.0.0.0' in
> > 'BN'->'host_allow'
> 
> i'd lean toward your script.  tacacs gets the ip from the tcp socket.
> 
> > If I allow 0.0.0.0 as a source and look at the tac_pairs I get:  
> > 
> > service=shell
> > cmd*
> > priv-lvl=15
> > idletime=10
> > 2009-06-09 09:36:33: User 'homer' granted access to device
> > '192.168.168.168' in group 'BN' from '172.16.25.17'
> > service=shell
> > cmd=enable
> > 2009-06-09 09:37:00: User 'homer' allowed command 'enable' to device
> > '192.168.168.168' in 'BN'->'command_permit'
> > service=shell
> > cmd=enable
> > 2009-06-09 09:37:00: User 'homer' allowed command 'enable' to device
> > '192.168.168.168' in 'BN'->'command_permit'
> > service=shell
> > cmd*
> > priv-lvl=15
> > idletime=10
> > 2009-06-09 09:37:02: User 'homer' granted access to device
> > '192.168.168.168' in group 'BN' from '172.16.25.17'
> > 
> > (Notice also, firewall doesn't give a cmd-arg=<cr> at the end.  Odd.)
> > _______________________________________________
> > tac_plus mailing list
> > tac_plus at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
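Added example, not code from the thread, from Daniel's script or from tac_plus itself: a pre-authorization check that keeps the two fields the thread is about apart. It assumes, as John describes, that the script is handed $ip (the NAS address tac_plus takes from the TCP socket) and $address (rem_addr, an optional, client-specified string), and that a bare "cmd*" pair with no following cmd-arg is what the PIX sends on enable. The group name, the host_allow networks, the list of devices exempted when rem_addr is unavailable, and the sample requests are constructed for illustration. The design choice it shows is the alternative to putting 0.0.0.0 in every host_allow list: an unavailable rem_addr is accepted only from NAS addresses explicitly known to omit it, so a device that simply leaves the field empty does not bypass the source check.

```python
"""Pre-authorization policy keyed on the right TACACS+ field.

Added example; not tac_plus's own code.  Assumptions (from the thread):
$ip is the NAS address from the TCP socket, $address is rem_addr, which is
optional and filled in by the client, and the PIX sends rem_addr=0.0.0.0
and no cmd-arg on enable.  All policy data below is constructed.
"""
import ipaddress
import re

# Constructed sample policy for the thread's group 'BN': networks the user's
# own address (rem_addr) may come from.
HOST_ALLOW = {"BN": ["172.16.25.0/24"]}

# Constructed: NAS addresses known to send an unusable rem_addr on command /
# enable authorization (the PIX at 192.168.168.168 in the thread).  Scoping
# the exception to these devices avoids a global '0.0.0.0' host_allow entry.
REM_ADDR_UNAVAILABLE_OK = {"192.168.168.168"}

# 'attr=value' is a mandatory pair, 'attr*value' an optional one.
AV_PAIR = re.compile(r"^([^=*]+)([=*])(.*)$")


def parse_av_pairs(lines):
    """Parse attribute-value pairs as tac_plus prints them.  A bare 'cmd*'
    yields an empty value, and cmd-arg may be absent altogether (the PIX
    omits the trailing cmd-arg=<cr>), so callers must not assume it exists."""
    pairs = {}
    for line in lines:
        m = AV_PAIR.match(line.strip())
        if m:
            attr, sep, value = m.groups()
            pairs[attr] = {"value": value, "mandatory": sep == "="}
    return pairs


def classify_rem_addr(rem_addr):
    """'unavailable' for '' or 0.0.0.0, 'ip' for a parseable address,
    'other' for anything else (rem_addr may also carry a caller ID)."""
    if rem_addr == "":
        return "unavailable"
    try:
        addr = ipaddress.ip_address(rem_addr)
    except ValueError:
        return "other"
    return "unavailable" if addr.is_unspecified else "ip"


def check_source(group, nas_ip, rem_addr):
    """Return (allowed, reason) for one request.

    rem_addr present: it must fall inside the group's host_allow networks.
    rem_addr unavailable: allow only when the NAS ($ip) is on the explicit
    exemption list, so 0.0.0.0 never has to appear in host_allow itself."""
    nets = [ipaddress.ip_network(n) for n in HOST_ALLOW.get(group, [])]
    kind = classify_rem_addr(rem_addr)
    if kind == "ip":
        src = ipaddress.ip_address(rem_addr)
        if any(src in n for n in nets):
            return True, f"rem_addr {rem_addr} in {group} host_allow"
        return False, f"rem_addr {rem_addr} not in {group} host_allow"
    if kind == "other":
        return False, f"rem_addr {rem_addr!r} is not an IP address"
    if nas_ip in REM_ADDR_UNAVAILABLE_OK:
        return True, f"rem_addr unavailable; NAS {nas_ip} is exempt"
    return False, f"rem_addr unavailable and NAS {nas_ip} is not exempt"


# Constructed requests modelled on the thread's log: the login carrying a
# real rem_addr, the PIX's enable request with 0.0.0.0, and the same enable
# from a constructed NAS (10.0.0.1) that is not on the exemption list.
SAMPLE_REQUESTS = [
    {"user": "homer", "group": "BN", "ip": "192.168.168.168",
     "address": "172.16.25.17",
     "pairs": ["service=shell", "cmd*", "priv-lvl=15", "idletime=10"]},
    {"user": "homer", "group": "BN", "ip": "192.168.168.168",
     "address": "0.0.0.0", "pairs": ["service=shell", "cmd=enable"]},
    {"user": "homer", "group": "BN", "ip": "10.0.0.1",
     "address": "0.0.0.0", "pairs": ["service=shell", "cmd=enable"]},
]


def evaluate(requests=SAMPLE_REQUESTS):
    """Run the policy over each request; returns (user, nas, cmd, allowed, why)."""
    results = []
    for r in requests:
        cmd = parse_av_pairs(r["pairs"]).get("cmd", {}).get("value", "")
        allowed, why = check_source(r["group"], r["ip"], r["address"])
        results.append((r["user"], r["ip"], cmd, allowed, why))
    return results


if __name__ == "__main__":
    for user, nas, cmd, allowed, why in evaluate():
        print(f"{user}@{nas} cmd={cmd!r}: {'allow' if allowed else 'deny'} ({why})")
```

Run as a script it prints allow, allow, deny for the three constructed requests: the login matches host_allow on rem_addr, the PIX enable is accepted because its NAS address is exempt, and the same enable from an unlisted NAS is refused, which is exactly the case a blanket 0.0.0.0 entry would let through.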