[tac_plus] Re: Working Command Authorization Script

Tue Jun 9 18:33:58 UTC 2009

Greetings,

I have been playing with after authorization using Barry's script as an
example.  What I have seen is that TACACS never calls the script after
the initial authentication and authorization is done during login.  This
means that the command control feature used in the script or for after
authorization can't work.  Is this expected or am I missing a
configuration?

Tacacs 4.0.18:
group = LimitedAccess {
        default service = permit
        service = exec {
                priv-lvl=15
                idletime=15
                timeout=0
        }
        after authorization "/app/tacacs/etc/auth.pl $user $name
$address /app/tacacs/etc/allow"
}

aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization exec default group tacacs+ if-authenticated

Thanks,
Mike

Fri, Apr 03, 2009 at 05:58:32PM +0100, Barry Stephen (YDD08) Derwent
Shared Services:
> I posted the other day about providing some users different levels of
> access depending on the specific device they logged onto, in my case
> Access versus Distribution & Core switches.
> 
> Having read previous responses from various people I have managed to
> create a working authorization script which checks what NAS a user
> logged onto and if the NAS/Switch is in a specific list the commands
are
> checked against a list and only those commands are permitted. For all
> other NASes (those not in the list) all commands are allowed.
> 
> It took me a while to realise that the script is effectively taking on
> the role of the tacacs+ deamon to some extent, that is to say that it
is
> not returning config/options to the tac_plus deamon in config file
> format but direct to the NAS/switch. In any case, in this example we
> simply say allow or deny rather than passing any AV pairs back to the
> NAS.
> 
> It is important to parse STDIN to see what command the NAS is
requesting
> auth for.
> 
> I am using the after authorization method as the before authorization
> method seemed a little harder to get working.
> 
> This is my tac_plus.conf definition for these group of people:
> 
> # Read/Write Access to non distribution devices - All commands
> authorised
> group = rw-except-distribution {
>         default service = permit
>         service = exec {
>                 priv-lvl=15
>                 idletime=15
>                 timeout=0
>         }
>         after authorization "/usr/bin/perl /etc/tac_plus_auth.pl $user
> $name $address"
> }
> 
> I pass username, nas ip address and client ip address to my script but
> only use nas address ($name) in my script. In my case $name is the NAS
> IP address but possibly may not be in all cases.