From henry.nicolas at tourneur.be Sat Jan 16 11:32:26 2010
From: henry.nicolas at tourneur.be (Tourneur Henry-Nicolas)
Date: Sat, 16 Jan 2010 12:32:26 +0100
Subject: [tac_plus] User DEFAULT with PAM
Message-ID: <201001161232.26734.henry.nicolas@tourneur.be>

Hello everybody,

Could someone explain to me why, if I use something like:

    user = hnt {
        login = PAM
        service = ppp protocol = ip {}
    }

then PAM auth works, but if I use something like:

    user = DEFAULT {
        login = PAM
        service = ppp protocol = ip {}
    }

then the PAM auth won't work.

Please also note that the map between the hnt logon and DEFAULT works:


From lists at carels.info Mon Jan 18 13:10:10 2010
From: lists at carels.info (Maarten Carels)
Date: Mon, 18 Jan 2010 14:10:10 +0100
Subject: [tac_plus] pap authentication from file
Message-ID: <53F42BBC-94AF-48BB-9231-808363532078@carels.info>

Hi list,

I tried to have PAP authentication with the password data in a file (as I use for login and enable), but the tac_plus daemon didn't like it. That's something I understand for chap stuff, and for outgoing PAP, but for incoming?

I patched the tac_plus source to allow it, and it seems to be running nicely. And it helps to keep my tacacs config file clean of passwords, which gives a cleaner interface (for a password change routine, for example).

Attached is the patch (run against tacacs+-F4.0.4.18)

--maarten

Attachment: pap-file.patch (application/octet-stream, 1214 bytes)
http://www.shrubbery.net/pipermail/tac_plus/attachments/20100118/df73b025/attachment.obj


From jathan at gmail.com Thu Jan 28 01:24:41 2010
From: jathan at gmail.com (jathan.)
Date: Wed, 27 Jan 2010 17:24:41 -0800
Subject: [tac_plus] Please help with implementing "auto-enable" on Cisco Catalyst switches running CatOS
Message-ID: <4e0e47491001271724t733ed4c6u3b152c9d96666e9@mail.gmail.com>

Hello-

I just inherited a handful of crusty Cisco Catalyst 4006 switches running CatOS, and I need to integrate them into my support tools. Part of this requirement is automatically enabling users upon login, as we do not like the enable being known by humans except in the event of maintenance or emergencies (or maintenance emergencies!), so we use privilege escalation on the server side to do this.

I have managed authentication for many thousands of devices of various vendors, shapes, and sizes over the years, but this is the first time I've ever wrangled with CatOS and also the first time I've ever had a problem making auto-enable work with little trouble.

What I have in the server config is this:

    ## Production Engineers ## priv-lvl = 15
    group = engineers {
        default service = permit
        service = exec {
            priv-lvl = 15
        }
    }

So what we normally see with Cisco devices is something like this:

    ...
    User Access Verification

    Username: jathan
    Password: ********
    cisco-router#
    ...

So far I have been unable to get this Catalyst switch to automatically enable me. In perusing the Cisco support forums it seems to be fully supported, but of course all of the "help" therein refers to Cisco's ACS, and so really isn't too helpful.

Here is what is configured on the switch (non-tacacs stuff omitted):

    #tacacs+
    set tacacs server 1.2.3.4 primary
    set tacacs server 2.4.6.8
    set tacacs attempts 3
    set tacacs directedrequest disable
    set tacacs key abc123
    set tacacs timeout 5
    #authentication
    set authentication login tacacs enable console primary
    set authentication login tacacs enable telnet primary
    set authentication enable tacacs disable console
    set authentication enable tacacs disable telnet
    set authentication enable local enable console
    set authentication enable local enable telnet
    #accounting
    set accounting exec enable start-stop tacacs+
    set accounting connect enable start-stop tacacs+
    set accounting system enable start-stop tacacs+
    set accounting commands enable all start-stop tacacs+
    set accounting suppress null-username disable
    #authorization
    set authorization exec enable tacacs+ none console
    set authorization exec enable tacacs+ none telnet
    set authorization enable disable console
    set authorization enable disable telnet
    set authorization commands disable console
    set authorization commands disable telnet

I am curious if anyone else has conquered this challenge and what combination of device commands and tac_plus configuration tweaks are necessary to make it work.

Thanks in advance for any help on this matter!

-- 
Jathan.
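Two of the posts above hinge on how tac_plus resolves a login against its config: the first on the DEFAULT catch-all user versus a named user, the third on a group whose exec service hands back priv-lvl = 15. The following is an added example, written for this archive page and not code from tac_plus or from any of the posters. It is a small, hypothetical parser for just the config idioms quoted in the thread (user/group blocks, login =, member =, default service =, service = ... { }) plus a resolver that walks the lookup order tac_plus documents: the named user if present, otherwise DEFAULT, then the group reached through member =. The sample config is constructed from the snippets in the thread; the cleartext password for jathan is a placeholder and is exactly the kind of in-config secret the second post wanted to move into a file. Nothing here diagnoses why PAM failed for DEFAULT or why CatOS did not auto-enable; it only shows what each configuration would resolve to.

```python
"""Hypothetical, minimal re-implementation of tac_plus config lookup for the
idioms quoted in this thread.  Not tac_plus code; assumes tac_plus' documented
lookup order: named user -> user DEFAULT -> group(s) via 'member ='."""
import re
from typing import Dict, List, Optional

# Tokens: '#' comments (dropped), the punctuation { } =, or bare words.
_TOKEN_RE = re.compile(r"#[^\n]*|[{}=]|[^\s{}=#]+")


class _Parser:
    def __init__(self, text: str) -> None:
        self.toks = [t for t in _TOKEN_RE.findall(text) if not t.startswith("#")]
        self.pos = 0

    def peek(self, ahead: int = 0) -> Optional[str]:
        i = self.pos + ahead
        return self.toks[i] if i < len(self.toks) else None

    def next(self) -> str:
        tok = self.toks[self.pos]
        self.pos += 1
        return tok

    def expect(self, tok: str) -> None:
        got = self.next()
        if got != tok:
            raise ValueError(f"expected {tok!r}, got {got!r}")

    def value(self) -> str:
        # A value runs until a brace or until the next "key =" pair begins,
        # so multi-word values such as "cleartext secret" survive intact.
        words = []
        while self.peek() not in (None, "{", "}") and self.peek(1) != "=":
            words.append(self.next())
        if not words:
            raise ValueError("empty value")
        return " ".join(words)

    def body(self) -> Dict:
        # Statements inside { ... }: plain attributes plus nested service blocks.
        node: Dict = {"attrs": {}, "services": {}}
        while self.peek() != "}":
            key = self.next()
            if key == "default":              # "default service = permit"
                key = f"default {self.next()}"
            self.expect("=")
            val = self.value()
            if key == "service":
                quals = {}
                while self.peek() != "{":     # "service = ppp protocol = ip { }"
                    q = self.next()
                    self.expect("=")
                    quals[q] = self.value()
                self.expect("{")
                svc = self.body()
                svc["qualifiers"] = quals
                node["services"][val] = svc
            else:
                node["attrs"][key] = val
        self.expect("}")
        return node

    def config(self) -> Dict:
        cfg: Dict = {"globals": {}, "users": {}, "groups": {}}
        while self.peek() is not None:
            kind = self.next()                # user / group / key ...
            self.expect("=")
            name = self.value()
            if self.peek() == "{":
                self.expect("{")
                cfg.setdefault(kind + "s", {})[name] = self.body()
            else:
                cfg["globals"][kind] = name   # e.g. the shared "key = ..."
        return cfg


def parse_config(text: str) -> Dict:
    return _Parser(text).config()


def _chain(cfg: Dict, username: str) -> List[Dict]:
    """Entries consulted for a user, most specific first (assumed tac_plus order)."""
    entry = cfg["users"].get(username) or cfg["users"].get("DEFAULT")
    if entry is None:
        return []
    chain, seen = [entry], set()
    while "member" in chain[-1]["attrs"]:
        grp = chain[-1]["attrs"]["member"]
        if grp in seen or grp not in cfg["groups"]:
            break
        seen.add(grp)
        chain.append(cfg["groups"][grp])
    return chain


def login_method(cfg: Dict, username: str) -> Optional[str]:
    """First 'login =' along the chain; None means no way to authenticate."""
    for node in _chain(cfg, username):
        if "login" in node["attrs"]:
            return node["attrs"]["login"]
    return None


def exec_priv_lvl(cfg: Dict, username: str) -> Optional[int]:
    """priv-lvl the exec service would return; 15 is what auto-enable needs."""
    for node in _chain(cfg, username):
        svc = node["services"].get("exec")
        if svc and "priv-lvl" in svc["attrs"]:
            return int(svc["attrs"]["priv-lvl"])
    return None


# Constructed sample stitched from the thread's snippets (placeholder secrets).
SAMPLE_CONFIG = """
key = abc123
## Production Engineers ## priv-lvl = 15
group = engineers {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}
user = hnt {
    login = PAM
    service = ppp protocol = ip {}
}
user = jathan {
    login = cleartext example-only
    member = engineers
}
user = DEFAULT {
    login = PAM
    member = engineers
}
"""

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for who in ("hnt", "jathan", "someone-unlisted"):
        print(who, login_method(cfg, who), exec_priv_lvl(cfg, who))
```

Running it prints the login method and exec priv-lvl for a named PAM user, for a group member with a cleartext password, and for an unlisted user who falls through to DEFAULT and inherits the engineers group's priv-lvl 15. Swapping the DEFAULT block for a per-user block, or removing member =, shows immediately which entry a given lookup is actually hitting.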