From carelsm at xs4all.net Tue Oct 6 12:33:01 2009
From: carelsm at xs4all.net (Maarten Carels)
Date: Tue, 6 Oct 2009 14:33:01 +0200
Subject: [tac_plus] Patch for tac_pwd

tac_pwd echoes the password by default; this can be prevented by the -e flag.

Here is a patch that
* changes the default so the password is not echoed
* adds a -E flag to tac_pwd to force echo

Manual page is also patched.

--maarten

-------------- next part --------------
A non-text attachment was scrubbed...
Name: %tac_pwd.patch
Type: application/applefile
Size: 123 bytes
Desc: not available
Url : http://www.shrubbery.net/pipermail/tac_plus/attachments/20091006/9e7c3678/attachment.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tac_pwd.patch
Type: application/octet-stream
Size: 1837 bytes
Desc: not available
Url : http://www.shrubbery.net/pipermail/tac_plus/attachments/20091006/9e7c3678/attachment.obj


From heas at shrubbery.net Tue Oct 6 17:03:21 2009
From: heas at shrubbery.net (john heasley)
Date: Tue, 6 Oct 2009 17:03:21 +0000
Subject: [tac_plus] Re: Patch for tac_pwd
Message-ID: <20091006170321.GL15866@shrubbery.net>

Tue, Oct 06, 2009 at 02:33:01PM +0200, Maarten Carels:
> tac_pwd echoes the password by default; this can be prevented by the -e flag.
>
> Here is a patch that
> * changes the default so the password is not echoed
> * adds a -E flag to tac_pwd to force echo

Thanks, but why change the default? The ability to turn off echoing is already there in -e.

> Manual page is also patched.
>
> --maarten


From dan.schmidt at uplinkdata.com Tue Oct 6 17:52:35 2009
From: dan.schmidt at uplinkdata.com (Schmidt, Daniel)
Date: Tue, 6 Oct 2009 11:52:35 -0600
Subject: [tac_plus] Re: Patch for tac_pwd
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BC70DEE0@che-exch-003.uplinkdata.com>

Better yet, why not just replace tac_pwd with a little shell script or python program that runs mkpasswd --hash=md5? tac_pwd only works for the first 8 characters anyway.

> Thanks, but why change the default? The ability to turn off echoing is
> already there in -e.


From kissg at ssg.ki.iif.hu Tue Oct 6 18:35:56 2009
From: kissg at ssg.ki.iif.hu (Kiss Gabor (Bitman))
Date: Tue, 6 Oct 2009 20:35:56 +0200 (CEST)
Subject: [tac_plus] Re: Patch for tac_pwd

> Better yet, why not just replace tac_pwd with a little shell script or
> python program that runs mkpasswd --hash=md5? tac_pwd only works for
> the first 8 characters anyway.

I'm afraid you are wrong. On Linux (e.g.), where libcrypt supports it, md5 passwords are handled transparently.

Gabor


From heas at shrubbery.net Tue Oct 6 18:42:56 2009
From: heas at shrubbery.net (john heasley)
Date: Tue, 6 Oct 2009 18:42:56 +0000
Subject: [tac_plus] Re: Patch for tac_pwd
Message-ID: <20091006184256.GT15866@shrubbery.net>

Tue, Oct 06, 2009 at 11:52:35AM -0600, Schmidt, Daniel:
> Better yet, why not just replace tac_pwd with a little shell script or
> python program that runs mkpasswd --hash=md5? tac_pwd only works for
> the first 8 characters anyway.

I agree that md5 support needs to be added to tac_pwd, but it cannot rely upon mkpasswd existing.
From chris at spence.org.uk Wed Oct 7 12:46:12 2009
From: chris at spence.org.uk (chris at spence.org.uk)
Date: Wed, 7 Oct 2009 14:46:12 +0200 (CEST)
Subject: [tac_plus] tac_plus MD5 passwords
Message-ID: <403095666.284798.1254919572558.JavaMail.open-xchange@oxltgw04.schlund.de>

Hi

We've been running tac_plus on the network on Solaris 10 and identified a need for stronger password hashing - we have some code changes to enable md5 password hashes in tac_plus (haven't bothered with tac_pwd). Would you be interested in them?

Cheers

Chris

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091007/02084f58/attachment.html


From heas at shrubbery.net Wed Oct 7 14:29:17 2009
From: heas at shrubbery.net (john heasley)
Date: Wed, 7 Oct 2009 14:29:17 +0000
Subject: [tac_plus] Re: tac_plus MD5 passwords
Message-ID: <20091007142916.GC22134@shrubbery.net>

Wed, Oct 07, 2009 at 02:46:12PM +0200, chris at spence.org.uk:
> We've been running tac_plus on the network on Solaris 10 and identified a need
> for stronger password hashing - we have some code changes to enable md5 password
> hashes in tac_plus (haven't bothered with tac_pwd). Would you be interested in
> them?

Yes, please.


From alan.mckinnon at gmail.com Wed Oct 7 14:24:33 2009
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Wed, 7 Oct 2009 16:24:33 +0200
Subject: [tac_plus] Re: tac_plus MD5 passwords
Message-ID: <200910071624.33585.alan.mckinnon@gmail.com>

On Wednesday 07 October 2009 14:46:12 chris at spence.org.uk wrote:
> We've been running tac_plus on the network on Solaris 10 and identified a
> need for stronger password hashing - we have some code changes to enable
> md5 password hashes in tac_plus (haven't bothered with tac_pwd). Would
> you be interested in them?

That's odd.

One of my tac_plus systems has been running on nothing but md5 hashes for two years now :-)

--
alan dot mckinnon at gmail dot com


From steve.Langridge at caa.qld.gov.au Thu Oct 8 23:55:31 2009
From: steve.Langridge at caa.qld.gov.au (steve Langridge)
Date: Fri, 9 Oct 2009 09:55:31 +1000
Subject: [tac_plus] tacacs+ install
Message-ID: <200910090955.31418.steve.Langridge@caa.qld.gov.au>

Hi

During the make install on suse 11.0 I receive the following:

configure: creating ./config.status
cd && /bin/sh ./config.status Makefile depfiles
/bin/sh: ./config.status: No such file or directory
make: *** [Makefile] Error 127

I have found config.status in the following directory, /usr/src/tacacs+-F4.0.4.10, but as a newbie with Linux I do not know how to fix this.

Any ideas would be appreciated.

Regards

Steve


From heas at shrubbery.net Fri Oct 9 00:38:15 2009
From: heas at shrubbery.net (john heasley)
Date: Thu, 8 Oct 2009 17:38:15 -0700
Subject: [tac_plus] Re: tacacs+ install
Message-ID: <20091009003815.GB27088@shrubbery.net>

Fri, Oct 09, 2009 at 09:55:31AM +1000, steve Langridge:
> During the make install on suse 11.0 I receive the following:
>
> configure: creating ./config.status
> cd && /bin/sh ./config.status Makefile depfiles
    ^^ missing argument there.

I don't know what's wrong with your dist. Just pick up a more recent one from the ftp site.
From dterry at dollartree.com Tue Oct 20 14:35:11 2009
From: dterry at dollartree.com (dterry at dollartree.com)
Date: Tue, 20 Oct 2009 10:35:11 -0400
Subject: [tac_plus] Restricting Cisco 'interface' command

Hello,

I am trying to restrict the usage of the 'interface' command within Cisco gear. I would like the users to have access to issue "interface Gi.*" or "interface Fa.*". I do not want them to have the ability to issue "interface Te.*". The configuration that I have in place now for this is:

cmd = interface {
    permit ".*Gi.*"
    permit ".*Fa.*"
    deny .*
}

Should this work? If not, where's my error?

************************************
Darren Terry
Security Analyst
Dollar Tree, Inc.
Desk: 757.321.5538
************************************


From heas at shrubbery.net Tue Oct 20 16:09:31 2009
From: heas at shrubbery.net (john heasley)
Date: Tue, 20 Oct 2009 09:09:31 -0700
Subject: [tac_plus] Re: Restricting Cisco 'interface' command
Message-ID: <20091020160931.GA16284@shrubbery.net>

Tue, Oct 20, 2009 at 10:35:11AM -0400, dterry at dollartree.com:
> I am trying to restrict the usage of the 'interface' command within
> Cisco gear. I would like the users to have access to issue "interface Gi.*"
> or "interface Fa.*". I do not want them to have the ability to issue
> "interface Te.*". The configuration that I have in place now for this is:
>
> cmd = interface {
>     permit ".*Gi.*"
>     permit ".*Fa.*"
>     deny .*
> }
>
> Should this work? If not, where's my error?

Make sure authorization is configured on the device; else enable tacacs authorization debugging to find out why it's not matching.


From dan.schmidt at uplinkdata.com Tue Oct 20 16:25:45 2009
From: dan.schmidt at uplinkdata.com (Schmidt, Daniel)
Date: Tue, 20 Oct 2009 10:25:45 -0600
Subject: [tac_plus] Re: Restricting Cisco 'interface' command
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BCC7485C@che-exch-003.uplinkdata.com>

default service = deny
cmd = interface {
    permit [fFgG].*
}

If you're looking for a simpler configuration, look at my authentication script on tacacs.org. However, the above should work for your purposes.
From dterry at dollartree.com Tue Oct 20 16:53:31 2009
From: dterry at dollartree.com (dterry at dollartree.com)
Date: Tue, 20 Oct 2009 12:53:31 -0400
Subject: [tac_plus] Re: Restricting Cisco 'interface' command

I have everything set up correctly on the Cisco side. I have tried your suggestion below and was unable to prevent a user from configuring interfaces other than Gi and Fa ports. Debugging tacacs authorization produced no helpful information. Further suggestions would be appreciated.

"Schmidt, Daniel" wrote on 10/20/2009 12:26 PM:
> default service = deny
> cmd = interface {
>     permit [faFAgiGI].*
> }
>
> If you're looking for a simpler configuration, look at my authentication
> script on tacacs.org. However, the above should work for your purposes.


From dan.schmidt at uplinkdata.com Tue Oct 20 16:56:40 2009
From: dan.schmidt at uplinkdata.com (Schmidt, Daniel)
Date: Tue, 20 Oct 2009 10:56:40 -0600
Subject: [tac_plus] Re: Restricting Cisco 'interface' command
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BCC7485F@che-exch-003.uplinkdata.com>

post: sh run | inc tacacs|aaa

> I have everything set up correctly on the Cisco side. I have tried your
> suggestion below and was unable to prevent a user from configuring
> interfaces other than Gi and Fa ports. Debugging tacacs authorization
> produced no helpful information. Further suggestions would be appreciated.


From dterry at dollartree.com Tue Oct 20 17:04:11 2009
From: dterry at dollartree.com (dterry at dollartree.com)
Date: Tue, 20 Oct 2009 13:04:11 -0400
Subject: [tac_plus] Re: Restricting Cisco 'interface' command

aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authentication enable default group tacacs+ enable none
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group tacacs+ local none
aaa authorization commands 0 default group tacacs+ local none
aaa authorization commands 1 default group tacacs+ local none
aaa authorization commands 15 default group tacacs+ local none
aaa authorization network default group tacacs+ local none
aaa accounting delay-start
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
ip tacacs source-interface Loopback0
tacacs-server host
no tacacs-server directed-request
tacacs-server key 7

"Schmidt, Daniel" wrote on 10/20/2009 01:01 PM:
> post: sh run | inc tacacs|aaa
From heas at shrubbery.net Tue Oct 20 17:13:38 2009
From: heas at shrubbery.net (john heasley)
Date: Tue, 20 Oct 2009 10:13:38 -0700
Subject: [tac_plus] Re: Restricting Cisco 'interface' command
Message-ID: <20091020171337.GE16284@shrubbery.net>

Tue, Oct 20, 2009 at 01:04:11PM -0400, dterry at dollartree.com:
> aaa new-model
> aaa authentication login default group tacacs+ local enable
> aaa authentication enable default group tacacs+ enable none
> aaa authentication ppp default if-needed group radius local
> aaa authorization exec default group tacacs+ local none
> aaa authorization commands 0 default group tacacs+ local none
> aaa authorization commands 1 default group tacacs+ local none
> aaa authorization commands 15 default group tacacs+ local none
> aaa authorization network default group tacacs+ local none

Looks right. If it is connecting to the tacacs daemon for authorization, then you need to look closer at the debug output. The answer is in there.


From dan.schmidt at uplinkdata.com Tue Oct 20 17:13:10 2009
From: dan.schmidt at uplinkdata.com (Schmidt, Daniel)
Date: Tue, 20 Oct 2009 11:13:10 -0600
Subject: [tac_plus] Re: Restricting Cisco 'interface' command
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BCC74861@che-exch-003.uplinkdata.com>

Well, you modified the regular expression I gave you; what interfaces are you trying to forbid?

> "Schmidt, Daniel" wrote on 10/20/2009 12:26 PM:
> > default service = deny
> > cmd = interface {
> >     permit [faFAgiGI].*
> > }

_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
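The 'interface' thread above never reaches a diagnosis. The following is an added example, not code from tac_plus or from anyone on the list, that models how a cmd block is evaluated so the posted rule sets can be checked offline. It assumes two things about the real system: that IOS sends the expanded interface name as the command argument (so "int te1/1" arrives as "TenGigabitEthernet1/1"), and that tac_plus walks the permit/deny lines top to bottom with an unanchored POSIX regexec-style search, first match deciding and no match meaning deny. The sample arguments and the function names (authorize, decisions) are constructed for the example. Under those assumptions both posted patterns let a TenGigabitEthernet port through, because the substring "Gi" (and the letter "G") occurs inside "TenGigabitEthernet"; an anchored pattern naming the full interface types does not.

```python
import re

# Constructed sample of cmd-arg strings for "interface ..." authorization
# requests; assumes IOS expands abbreviated names before sending them.
SAMPLE_ARGS = [
    "GigabitEthernet0/1",
    "FastEthernet0/2",
    "TenGigabitEthernet1/1",
    "Loopback0",
]

# Rule set as posted by the original questioner (first match wins).
POSTED_RULES = [
    ("permit", r".*Gi.*"),
    ("permit", r".*Fa.*"),
    ("deny", r".*"),
]

# Rule set as suggested in the reply; only one line, so anything it does
# not match falls through to the implicit deny.
SUGGESTED_RULES = [
    ("permit", r"[fFgG].*"),
]

# Added alternative: anchor at the start of the argument and spell out the
# interface types, so a substring elsewhere in the name cannot match.
ANCHORED_RULES = [
    ("permit", r"^(GigabitEthernet|FastEthernet)[0-9]"),
    ("deny", r".*"),
]


def authorize(arg, rules):
    """Return 'permit' or 'deny' for one argument string.

    Assumption: tac_plus tries each line in order with an unanchored
    regex search; the first matching line decides, and an argument that
    matches no line is denied.
    """
    for action, pattern in rules:
        if re.search(pattern, arg):
            return action
    return "deny"


def decisions(rules, args=SAMPLE_ARGS):
    """Map every sample argument to the verdict a rule set gives it."""
    return {arg: authorize(arg, rules) for arg in args}


if __name__ == "__main__":
    for name, rules in (("posted", POSTED_RULES),
                        ("suggested", SUGGESTED_RULES),
                        ("anchored", ANCHORED_RULES)):
        print(name)
        for arg, verdict in decisions(rules).items():
            print(f"  {verdict:6} {arg}")
```

The practical check this suggests for the thread: turn on tac_plus authorization debugging, read the exact cmd-arg string the device sent, and test the pattern against that string rather than against the abbreviation typed at the CLI.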
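The two tac_pwd threads earlier on this page raise three points: the cleartext should not be echoed while it is typed, tac_pwd's traditional crypt output only covers the first 8 characters, and an MD5 replacement cannot assume mkpasswd is installed. The following is an added example, not the project's tac_pwd and not code from anyone on the list: a small pure-Python implementation of the "$1$" MD5-crypt scheme (the format mkpasswd --hash=md5 and libcrypt produce and that a libcrypt-based tac_plus verifies transparently), so it needs neither mkpasswd nor the interpreter's crypt module. The prompt uses getpass so nothing is echoed. Function names (md5crypt, verify, new_salt) and the sample passwords are constructed for the example. MD5-crypt is shown because it is what the thread discusses; current libcrypt also offers sha512crypt ("$6$"), which should be preferred on systems that support it.

```python
import getpass
import hashlib
import hmac
import secrets

# Alphabet used by crypt-style hashes for salt and encoded output.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$1$"


def _to64(value, count):
    """Encode the low 6*count bits of value, least significant group first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt):
    """Return the "$1$<salt>$<hash>" string for password and a salt of up to
    8 ITOA64 characters. Follows the original FreeBSD/GNU algorithm; every
    character of the password takes part, unlike 8-character DES crypt."""
    pw = password.encode()
    salt_b = salt[:8].encode()
    ctx = hashlib.md5(pw + MAGIC.encode() + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for rnd in range(1000):  # fixed stretching loop of the scheme
        c = hashlib.md5()
        c.update(pw if rnd & 1 else final)
        if rnd % 3:
            c.update(salt_b)
        if rnd % 7:
            c.update(pw)
        c.update(final if rnd & 1 else pw)
        final = c.digest()
    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return MAGIC + salt_b.decode() + "$" + encoded


def new_salt(length=8):
    """Random salt from the crypt alphabet using the OS CSPRNG."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def verify(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    if not stored.startswith(MAGIC):
        return False
    salt = stored[len(MAGIC):].split("$", 1)[0]
    return hmac.compare_digest(md5crypt(password, salt), stored)


if __name__ == "__main__":
    # Read the cleartext without echoing it, which is what the tac_pwd patch
    # in the thread set out to make the default.
    cleartext = getpass.getpass("Password: ")
    print(md5crypt(cleartext, new_salt()))
```

The hash string this prints can be used directly in a tac_plus "login = des ..." entry on platforms whose libcrypt understands the "$1$" prefix, as Gabor notes in the thread; check the daemon's own documentation for your platform before relying on it.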