From asaykao at gmail.com Fri May 7 03:14:50 2010 From: asaykao at gmail.com (Andy Saykao) Date: Fri, 7 May 2010 13:14:50 +1000 Subject: [tac_plus] How to stop tacplus logging to /var/log/syslog? Message-ID: Hi All, Does anyone know how to stop tacplus logging to /var/log/syslog?? This is on a Ubuntu 8.04 box. I've just noticed it today when I tailed /var/log/syslog. May 7 13:11:58 tacplus-1 tac_plus[4718]: session.peerip is 203.17.101.x May 7 13:11:58 tacplus-1 tac_plus[25515]: connect from 203.17.101.x [203.17.101.x] May 7 13:11:58 tacplus-1 tac_plus[25515]: authorization query for 'netmon' tty2 from 203.17.101.x accepted May 7 13:11:58 tacplus-1 tac_plus[4718]: session.peerip is 203.17.101.x May 7 13:11:58 tacplus-1 tac_plus[25516]: connect from 203.17.101.x [203.17.101.x] May 7 13:11:58 tacplus-1 tac_plus[4718]: session.peerip is 203.17.101.x May 7 13:11:58 tacplus-1 tac_plus[25517]: connect from 203.17.101.x [203.17.101.x] May 7 13:11:58 tacplus-1 tac_plus[25517]: authorization query for 'netmon' tty2 from 203.17.101.x accepted Not exactly sure what I have to put in /etc/syslog.conf line below to ignore the tacplus entries. *.*;local0.info;auth,authpriv.none -/var/log/syslog Thanks. Andy From heas at shrubbery.net Fri May 7 04:17:52 2010 From: heas at shrubbery.net (john heasley) Date: Thu, 6 May 2010 21:17:52 -0700 Subject: [tac_plus] Re: How to stop tacplus logging to /var/log/syslog? In-Reply-To: References: Message-ID: <20100507041752.GF1029@shrubbery.net> Fri, May 07, 2010 at 01:14:50PM +1000, Andy Saykao: > Hi All, > > Does anyone know how to stop tacplus logging to /var/log/syslog?? > This is on a Ubuntu 8.04 box. > > I've just noticed it today when I tailed /var/log/syslog. 
> > May 7 13:11:58 tacplus-1 tac_plus[4718]: session.peerip is 203.17.101.x > May 7 13:11:58 tacplus-1 tac_plus[25515]: connect from 203.17.101.x > [203.17.101.x] > May 7 13:11:58 tacplus-1 tac_plus[25515]: authorization query for > 'netmon' tty2 from 203.17.101.x accepted > May 7 13:11:58 tacplus-1 tac_plus[4718]: session.peerip is 203.17.101.x > May 7 13:11:58 tacplus-1 tac_plus[25516]: connect from 203.17.101.x > [203.17.101.x] > May 7 13:11:58 tacplus-1 tac_plus[4718]: session.peerip is 203.17.101.x > May 7 13:11:58 tacplus-1 tac_plus[25517]: connect from 203.17.101.x > [203.17.101.x] > May 7 13:11:58 tacplus-1 tac_plus[25517]: authorization query for > 'netmon' tty2 from 203.17.101.x accepted > > > Not exactly sure what I have to put in /etc/syslog.conf line below to > ignore the tacplus entries. > > *.*;local0.info;auth,authpriv.none -/var/log/syslog it logs to daemon by default. change it to something like news in tac_plus.conf and use news.none in the syslog.conf line. but it always logs to syslog. From asaykao at gmail.com Fri May 7 06:19:58 2010 From: asaykao at gmail.com (Andy Saykao) Date: Fri, 7 May 2010 16:19:58 +1000 Subject: [tac_plus] Re: How to stop tacplus logging to /var/log/syslog? In-Reply-To: <20100507041752.GF1029@shrubbery.net> References: <20100507041752.GF1029@shrubbery.net> Message-ID: Sorry John, I don't see where to set this to in the tac_plus.conf file??? > it logs to daemon by default. ?change it to something like news in > tac_plus.conf and use news.none in the syslog.conf line. ?but it always > logs to syslog. > From heas at shrubbery.net Fri May 7 07:35:36 2010 From: heas at shrubbery.net (john heasley) Date: Fri, 7 May 2010 00:35:36 -0700 Subject: [tac_plus] Re: How to stop tacplus logging to /var/log/syslog? 
In-Reply-To: References: <20100507041752.GF1029@shrubbery.net> Message-ID: <20100507073536.GG1029@shrubbery.net> Fri, May 07, 2010 at 04:19:58PM +1000, Andy Saykao: > Sorry John, I don't see where to set this to in the tac_plus.conf file??? tac_plus.conf(5) logging Specifies the syslog(3) facility used. By default, logs are posted to the daemon facility. logging = > > it logs to daemon by default. ?change it to something like news in > > tac_plus.conf and use news.none in the syslog.conf line. ?but it always > > logs to syslog. > > From henry.nicolas at tourneur.be Tue May 11 16:54:59 2010 From: henry.nicolas at tourneur.be (Henry-Nicolas Tourneur) Date: Tue, 11 May 2010 18:54:59 +0200 Subject: [tac_plus] Authorization script and before authorization Message-ID: <255a864693b8187d696f8b2dfbfa4441@webmail.tourneur.be> Hi, I would like to build an authorization script and make every command like no interface ... to be checked by that script. So basically, I would like something like : ? cmd = no interface { ??? before authorization "/usr/local/bin/script $ip"; } ? The goal is that if the script return 0, then it's ok, overwise, 1 or 3 for a problem, the command is denied and won't be executed. Basically, I need 2 args, the ip of the device where we are trying to execute the command ($ip I guess) and the command itself. But I don't know how to get the full command as a variable for the script (same for the argument). ? Any idea ? ? Thanks and regards, -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20100511/52b75b04/attachment.html From kissg at ssg.ki.iif.hu Tue May 11 17:42:58 2010 From: kissg at ssg.ki.iif.hu (Kiss Gabor (Bitman)) Date: Tue, 11 May 2010 19:42:58 +0200 (CEST) Subject: [tac_plus] Re: Authorization script and before authorization In-Reply-To: <255a864693b8187d696f8b2dfbfa4441@webmail.tourneur.be> References: <255a864693b8187d696f8b2dfbfa4441@webmail.tourneur.be> Message-ID: > Basically, I need 2 args, the ip of the device where we are trying to > execute the command ($ip I guess) and the command itself. But I don't know > how to get the full command as a variable for the script (same for the > argument). > > > ? > > > Any idea ? I'm afraid it's not fully clear for me what do you want. Could you give an example? Gabor From henry.nicolas at tourneur.be Tue May 11 21:37:41 2010 From: henry.nicolas at tourneur.be (Tourneur Henry-Nicolas) Date: Tue, 11 May 2010 23:37:41 +0200 Subject: [tac_plus] Re: Authorization script and before authorization In-Reply-To: References: <255a864693b8187d696f8b2dfbfa4441@webmail.tourneur.be> Message-ID: <201005112337.41878.henry.nicolas@tourneur.be> On Tuesday 11 May 2010 19:42:58 Kiss Gabor (Bitman) wrote: > > Basically, I need 2 args, the ip of the device where we are trying to > > execute the command ($ip I guess) and the command itself. But I don't > > know how to get the full command as a variable for the script (same for > > the argument). > > > > > > > > > > > > Any idea ? > > I'm afraid it's not fully clear for me what do you want. > Could you give an example? > > Gabor > Yes of course :) Example scenario : 1? I login via telnet with my Tacacs+ credentials on a Cisco router. 2? I go in enable and then configure mode. 3? I enter the command no interface GigabitEthernet0/1.114 (for example) 4? When I enter the previous command, I would like to run an authorization script on the no interface command. 
The script will be on the same host than Tacacs and it should return 0 if the no interface command is allowed (therefore it will succedd) or 3 if the no interface command should be forbidden. In the forbidden case, I expect the IOS to not run the command. In order to do that, I did provide a sample of Tacacs+ config but parts are missing and I would like to get help to complete them. The example was : cmd = no interface { before authorization "/usr/local/bin/script $ip"; } Where $ip should be (I guess) the IP address of the Cisco router. With that sample, I'm still missing the whole command as an argument of my script (/usr/local/bin/script don't know what to check). Do you know how to pass the command as an argument to the script ? Thanks, From kissg at ssg.ki.iif.hu Wed May 12 04:34:24 2010 From: kissg at ssg.ki.iif.hu (Kiss Gabor (Bitman)) Date: Wed, 12 May 2010 06:34:24 +0200 (CEST) Subject: [tac_plus] Re: Authorization script and before authorization In-Reply-To: <201005112337.41878.henry.nicolas@tourneur.be> References: <255a864693b8187d696f8b2dfbfa4441@webmail.tourneur.be> <201005112337.41878.henry.nicolas@tourneur.be> Message-ID: > > > Basically, I need 2 args, the ip of the device where we are trying to > > > execute the command ($ip I guess) and the command itself. But I don't > 2? I go in enable and then configure mode. > 3? I enter the command no interface GigabitEthernet0/1.114 (for example) > 4? When I enter the previous command, I would like to run an authorization > script on the no interface command. The script will be on the same host than Oh I see. :-) "The command to be authorized". I guessed you mean a command to execute on TACACS+ server. > Where $ip should be (I guess) the IP address of the Cisco router. > With that sample, I'm still missing the whole command as an argument of my > script (/usr/local/bin/script don't know what to check). > > Do you know how to pass the command as an argument to the script ? 
Actually I don't know such a possibility. However I think you are able to modify the source code quite easily in order to get a new dollar variable. Regards Gabor -- E-mail = m-mail * c-mail ^ 2 From heas at shrubbery.net Wed May 12 04:57:35 2010 From: heas at shrubbery.net (john heasley) Date: Tue, 11 May 2010 21:57:35 -0700 Subject: [tac_plus] Re: Authorization script and before authorization In-Reply-To: References: <255a864693b8187d696f8b2dfbfa4441@webmail.tourneur.be> <201005112337.41878.henry.nicolas@tourneur.be> Message-ID: <20100512045735.GB26330@shrubbery.net> Wed, May 12, 2010 at 06:34:24AM +0200, Kiss Gabor (Bitman): > > > > Basically, I need 2 args, the ip of the device where we are trying to > > > > execute the command ($ip I guess) and the command itself. But I don't > > > > 2? I go in enable and then configure mode. > > 3? I enter the command no interface GigabitEthernet0/1.114 (for example) > > 4? When I enter the previous command, I would like to run an authorization > > script on the no interface command. The script will be on the same host than > > Oh I see. :-) "The command to be authorized". > I guessed you mean a command to execute on TACACS+ server. > > > Where $ip should be (I guess) the IP address of the Cisco router. > > With that sample, I'm still missing the whole command as an argument of my > > script (/usr/local/bin/script don't know what to check). > > > > Do you know how to pass the command as an argument to the script ? > > Actually I don't know such a possibility. > However I think you are able to modify the source code quite easily > in order to get a new dollar variable. i think theyre passed on stdin as AVPs arg1...argN. 
> Regards > > Gabor > > -- > E-mail = m-mail * c-mail ^ 2 > _______________________________________________ > tac_plus mailing list > tac_plus at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus From henry.nicolas at tourneur.be Wed May 12 17:37:31 2010 From: henry.nicolas at tourneur.be (Tourneur Henry-Nicolas) Date: Wed, 12 May 2010 19:37:31 +0200 Subject: [tac_plus] Re: Authorization script and before authorization In-Reply-To: <20100512045735.GB26330@shrubbery.net> References: <255a864693b8187d696f8b2dfbfa4441@webmail.tourneur.be> <20100512045735.GB26330@shrubbery.net> Message-ID: <201005121937.31984.henry.nicolas@tourneur.be> On Wednesday 12 May 2010 06:57:35 john heasley wrote: > Wed, May 12, 2010 at 06:34:24AM +0200, Kiss Gabor (Bitman): > > > > > Basically, I need 2 args, the ip of the device where we are trying > > > > > to execute the command ($ip I guess) and the command itself. But I > > > > > don't > > > > > > 2? I go in enable and then configure mode. > > > 3? I enter the command no interface GigabitEthernet0/1.114 (for > > > example) 4? When I enter the previous command, I would like to run an > > > authorization script on the no interface command. The script will be on > > > the same host than > > > > Oh I see. :-) "The command to be authorized". > > I guessed you mean a command to execute on TACACS+ server. > > > > > Where $ip should be (I guess) the IP address of the Cisco router. > > > With that sample, I'm still missing the whole command as an argument of > > > my script (/usr/local/bin/script don't know what to check). > > > > > > Do you know how to pass the command as an argument to the script ? > > > > Actually I don't know such a possibility. > > However I think you are able to modify the source code quite easily > > in order to get a new dollar variable. > > i think theyre passed on stdin as AVPs arg1...argN. > > > Regards > > > > Gabor > Is there any available doc/example on how to use those AVPs arg1...argN ? 
Thanks for all your replies :) From heas at shrubbery.net Wed May 12 18:18:28 2010 From: heas at shrubbery.net (john heasley) Date: Wed, 12 May 2010 18:18:28 +0000 Subject: [tac_plus] Re: Authorization script and before authorization In-Reply-To: <201005121937.31984.henry.nicolas@tourneur.be> References: <255a864693b8187d696f8b2dfbfa4441@webmail.tourneur.be> <20100512045735.GB26330@shrubbery.net> <201005121937.31984.henry.nicolas@tourneur.be> Message-ID: <20100512181828.GC8727@shrubbery.net> Wed, May 12, 2010 at 07:37:31PM +0200, Tourneur Henry-Nicolas: > On Wednesday 12 May 2010 06:57:35 john heasley wrote: > > Wed, May 12, 2010 at 06:34:24AM +0200, Kiss Gabor (Bitman): > > > > > > Basically, I need 2 args, the ip of the device where we are trying > > > > > > to execute the command ($ip I guess) and the command itself. But I > > > > > > don't > > > > > > > > 2? I go in enable and then configure mode. > > > > 3? I enter the command no interface GigabitEthernet0/1.114 (for > > > > example) 4? When I enter the previous command, I would like to run an > > > > authorization script on the no interface command. The script will be on > > > > the same host than > > > > > > Oh I see. :-) "The command to be authorized". > > > I guessed you mean a command to execute on TACACS+ server. > > > > > > > Where $ip should be (I guess) the IP address of the Cisco router. > > > > With that sample, I'm still missing the whole command as an argument of > > > > my script (/usr/local/bin/script don't know what to check). > > > > > > > > Do you know how to pass the command as an argument to the script ? > > > > > > Actually I don't know such a possibility. > > > However I think you are able to modify the source code quite easily > > > in order to get a new dollar variable. > > > > i think theyre passed on stdin as AVPs arg1...argN. > > > > > Regards > > > > > > Gabor > > > > Is there any available doc/example on how to use those AVPs arg1...argN ? 
> only was is in the tac_plus.conf manapge. i dont use it; so i'd first test to see all of the AVPs passed from the device to scripts or even the daemon (-d debug knobs) for authorization. From asaykao at gmail.com Fri May 14 02:22:18 2010 From: asaykao at gmail.com (Andy Saykao) Date: Fri, 14 May 2010 12:22:18 +1000 Subject: [tac_plus] Re: How to stop tacplus logging to /var/log/syslog? In-Reply-To: <20100507073536.GG1029@shrubbery.net> References: <20100507041752.GF1029@shrubbery.net> <20100507073536.GG1029@shrubbery.net> Message-ID: Thanks for the man page John. I have a slight dilemma now. I did what you suggested and got tacplus to log to news (logging=news), but after having re-read your email and finding that no matter what I do, it will always continue to log to syslog, I removed the lines from tac_plus.conf and syslog.conf and reverted things back to the way it was originally. Now I am not getting any auth logs being sent to the tac_plus.log file??? I've restarted both the tac_plus and sysklogd daemon. All I see is in the tac_plus.log file is the daemon starting up... Fri May 14 12:10:29 2010 [4744]: Reading config Fri May 14 12:10:29 2010 [4744]: Version F4.0.4.19 Initialized 1 Fri May 14 12:10:29 2010 [4744]: tac_plus server F4.0.4.19 starting Fri May 14 12:10:29 2010 [4745]: Backgrounded root at tacplus-1# ps aux | grep tac tacplus 4746 0.2 0.0 2388 612 ? S 12:10 0:00 /tac_plus/bin/tac_plus -C /tac_plus/etc/tac_plus.conf -d 16 Any ideas why this is happening now and how to fix it? Thanks. Andy On Fri, May 7, 2010 at 5:35 PM, john heasley wrote: > Fri, May 07, 2010 at 04:19:58PM +1000, Andy Saykao: >> Sorry John, I don't see where to set this to in the tac_plus.conf file??? > > tac_plus.conf(5) > ? ? ? logging > ? ? ? ? ? ? ?Specifies the syslog(3) facility used. ? By ?default, ?logs ?are > ? ? ? ? ? ? ?posted to the daemon facility. > > ? ? ? ? ? ? ? ? ?logging = > >> > it logs to daemon by default. 
?change it to something like news in >> > tac_plus.conf and use news.none in the syslog.conf line. ?but it always >> > logs to syslog. >> > > From heas at shrubbery.net Tue May 18 14:34:39 2010 From: heas at shrubbery.net (john heasley) Date: Tue, 18 May 2010 07:34:39 -0700 Subject: [tac_plus] Re: How to stop tacplus logging to /var/log/syslog? In-Reply-To: References: <20100507041752.GF1029@shrubbery.net> <20100507073536.GG1029@shrubbery.net> Message-ID: <20100518143439.GD28480@shrubbery.net> Fri, May 14, 2010 at 12:22:18PM +1000, Andy Saykao: > Thanks for the man page John. > > I have a slight dilemma now. I did what you suggested and got tacplus > to log to news (logging=news), but after having re-read your email and > finding that no matter what I do, it will always continue to log to > syslog, I removed the lines from tac_plus.conf and syslog.conf and > reverted things back to the way it was originally. Now I am not > getting any auth logs being sent to the tac_plus.log file??? I've > restarted both the tac_plus and sysklogd daemon. > > All I see is in the tac_plus.log file is the daemon starting up... > > Fri May 14 12:10:29 2010 [4744]: Reading config > Fri May 14 12:10:29 2010 [4744]: Version F4.0.4.19 Initialized 1 > Fri May 14 12:10:29 2010 [4744]: tac_plus server F4.0.4.19 starting > Fri May 14 12:10:29 2010 [4745]: Backgrounded > > root at tacplus-1# ps aux | grep tac > tacplus 4746 0.2 0.0 2388 612 ? S 12:10 0:00 > /tac_plus/bin/tac_plus -C /tac_plus/etc/tac_plus.conf -d 16 > > Any ideas why this is happening now and how to fix it? My guess would be permissions or file location. see config.log for the value of TACPLUS_LOGFILE or tac_plus.conf(5). its normally in /var/log. > Thanks. > > Andy > > On Fri, May 7, 2010 at 5:35 PM, john heasley wrote: > > Fri, May 07, 2010 at 04:19:58PM +1000, Andy Saykao: > >> Sorry John, I don't see where to set this to in the tac_plus.conf file??? > > > > tac_plus.conf(5) > > ? ? ? logging > > ? ? ? ? ? ? 
?Specifies the syslog(3) facility used. ? By ?default, ?logs ?are > > ? ? ? ? ? ? ?posted to the daemon facility. > > > > ? ? ? ? ? ? ? ? ?logging = > > > >> > it logs to daemon by default. ?change it to something like news in > >> > tac_plus.conf and use news.none in the syslog.conf line. ?but it always > >> > logs to syslog. > >> > > > From asaykao at gmail.com Wed May 19 23:12:12 2010 From: asaykao at gmail.com (Andy Saykao) Date: Thu, 20 May 2010 09:12:12 +1000 Subject: [tac_plus] Re: How to stop tacplus logging to /var/log/syslog? In-Reply-To: <20100518143439.GD28480@shrubbery.net> References: <20100507041752.GF1029@shrubbery.net> <20100507073536.GG1029@shrubbery.net> <20100518143439.GD28480@shrubbery.net> Message-ID: Hi John, Looks like syslog changed the owner of tac_plus.log when I was playing around with it hence why logs stop going to tac_plus.log. root at tacplus-1:/var/log/tac_plus# ls -la tac_plus.log -rw-r--r-- 1 syslog adm 924 2010-05-20 09:04 tac_plus.log root at tacplus-1:/var/log/tac_plus# chown tacplus tac_plus.log root at tacplus-1:/var/log/tac_plus# ls -la tac_plus.log -rw-r--r-- 1 tacplus adm 2944 2010-05-20 09:08 tac_plus.log All good now... Thanks again. Andy On Wed, May 19, 2010 at 12:34 AM, john heasley wrote: > Fri, May 14, 2010 at 12:22:18PM +1000, Andy Saykao: >> Thanks for the man page John. >> >> I have a slight dilemma now. I did what you suggested and got tacplus >> to log to news (logging=news), but after having re-read your email and >> finding that no matter what I do, it will always continue to log to >> syslog, I removed the lines from tac_plus.conf and syslog.conf and >> reverted things back to the way it was originally. ?Now I am not >> getting any auth logs being sent to the tac_plus.log file??? I've >> restarted both the tac_plus and sysklogd daemon. >> >> All I see is in the tac_plus.log file is the daemon starting up... 
>> >> Fri May 14 12:10:29 2010 [4744]: Reading config >> Fri May 14 12:10:29 2010 [4744]: Version F4.0.4.19 Initialized 1 >> Fri May 14 12:10:29 2010 [4744]: tac_plus server F4.0.4.19 starting >> Fri May 14 12:10:29 2010 [4745]: Backgrounded >> >> root at tacplus-1# ps aux | grep tac >> tacplus ? 4746 ?0.2 ?0.0 ? 2388 ? 612 ? ? ? ? ?S ? ?12:10 ? 0:00 >> /tac_plus/bin/tac_plus -C /tac_plus/etc/tac_plus.conf -d 16 >> >> Any ideas why this is happening now and how to fix it? > > My guess would be permissions or file location. ?see config.log for the > value of TACPLUS_LOGFILE or tac_plus.conf(5). ?its normally in /var/log. > >> Thanks. >> >> Andy >> >> On Fri, May 7, 2010 at 5:35 PM, john heasley wrote: >> > Fri, May 07, 2010 at 04:19:58PM +1000, Andy Saykao: >> >> Sorry John, I don't see where to set this to in the tac_plus.conf file??? >> > >> > tac_plus.conf(5) >> > ? ? ? logging >> > ? ? ? ? ? ? ?Specifies the syslog(3) facility used. ? By ?default, ?logs ?are >> > ? ? ? ? ? ? ?posted to the daemon facility. >> > >> > ? ? ? ? ? ? ? ? ?logging = >> > >> >> > it logs to daemon by default. ?change it to something like news in >> >> > tac_plus.conf and use news.none in the syslog.conf line. ?but it always >> >> > logs to syslog. >> >> > >> > > From henry.nicolas at tourneur.be Thu May 20 19:17:05 2010 From: henry.nicolas at tourneur.be (Tourneur Henry-Nicolas) Date: Thu, 20 May 2010 21:17:05 +0200 Subject: [tac_plus] How to report bugs ? Message-ID: <201005202117.06063.henry.nicolas@tourneur.be> Hi, As I'm maintaining Tacacs+ for Debian, I would like to know how can I forward bugs to your team ? I didn't find any bug trackers or things like that. So, should I forward bugs to this ML ? 
Thanks and regards, From jnprbill at gmail.com Thu May 20 21:02:41 2010 From: jnprbill at gmail.com (jnprbill at gmail.com) Date: Thu, 20 May 2010 17:02:41 -0400 Subject: [tac_plus] Group Recursion with service=junos-exec Message-ID: Hello, I have put up a tac_plus server in the lab to duplicate something we're seeing in production. We have a Junos router using the service=junos-exec. Everything works fine except group recursion or inheritance. Once the first group is processed for service=junos-exec, I never see where the second group is processed. Does anyone know if inheritance is NAS dependent for authorization? Thanks in advance, Bill host = 192.168.100.5 { key = tacacs } user = billtest { login = cleartext "Juniper1" member = test } group = test { member=inherit-me service = junos-exec { local-user-name= remote user-permissions3 = "configure" allow-commands1 = "show .*" } } group = inherit-me { service = junos-exec { local-user-name = remote user-permissions99 = "all" } } group = another { service = junos-exec { user-permissions199 = "all" } } root at dmz:/var/tac/bin# ./tac_plus -C tacacs.conf -g -d8 -d128 -d256 -d16 Reading config Version F4.0.4.19 Initialized 1 tac_plus server F4.0.4.19 starting uid=0 euid=0 gid=0 egid=0 s=4 session.peerip is 192.168.100.5 session request from 192.168.100.5 sock=5 connect from 192.168.100.5 [192.168.100.5] Waiting for packet cfg_get_hvalue: name=192.168.100.5 attr=key cfg_get_phvalue: returns tacacs Read AUTHEN/START size=47 validation request from 192.168.100.5 PACKET: key= version 192 (0xc0), type 1, seq no 1, flags 0x1 session_id 1930530477 (0x73118ead), Data length 35 (0x23) End header type=AUTHEN/START, priv_lvl = 1 action=login authen_type=ascii service=login user_len=8 port_len=5 (0x5), rem_addr_len=14 (0xe) data_len=0 User: billtest port: ttyp0 rem_addr: 192.168.100.22 data: End packet Authen Start request cfg_get_value: name=billtest isuser=1 attr=login rec=1 cfg_get_pvalue: returns cleartext Juniper1 
choose_authen chose default_fn Calling authentication function cfg_get_value: name=billtest isuser=1 attr=nopassword rec=1 cfg_get_value: recurse group = test cfg_get_value: recurse group = inherit-me cfg_get_intvalue: returns 0 cfg_get_value: name=billtest isuser=1 attr=login rec=1 cfg_get_pvalue: returns cleartext Juniper1 Writing AUTHEN/GETPASS size=28 PACKET: key= version 192 (0xc0), type 1, seq no 2, flags 0x1 session_id 1930530477 (0x73118ead), Data length 16 (0x10) End header type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1 msg_len=10, data_len=0 msg: Password: data: End packet cfg_get_hvalue: name=192.168.100.5 attr=key cfg_get_phvalue: returns tacacs Waiting for packet cfg_get_hvalue: name=192.168.100.5 attr=key cfg_get_phvalue: returns tacacs Read AUTHEN/CONT size=25 PACKET: key= version 192 (0xc0), type 1, seq no 3, flags 0x1 session_id 1930530477 (0x73118ead), Data length 13 (0xd) End header type=AUTHEN/CONT user_msg_len 8 (0x8), user_data_len 0 (0x0) flags=0x0 User msg: Juniper1 User data: End packet cfg_get_value: name=billtest isuser=1 attr=login rec=1 cfg_get_pvalue: returns cleartext Juniper1 cfg_get_value: name=billtest isuser=1 attr=expires rec=1 cfg_get_value: recurse group = test cfg_get_value: recurse group = inherit-me cfg_get_pvalue: returns NULL cfg_get_value: name=billtest isuser=1 attr=acl rec=1 cfg_get_value: recurse group = test cfg_get_value: recurse group = inherit-me cfg_get_pvalue: returns NULL login query for 'billtest' ttyp0 from 192.168.100.5 accepted Writing AUTHEN/SUCCEED size=18 PACKET: key= version 192 (0xc0), type 1, seq no 4, flags 0x1 session_id 1930530477 (0x73118ead), Data length 6 (0x6) End header type=AUTHEN status=1 (AUTHEN/SUCCEED) flags=0x0 msg_len=0, data_len=0 msg: data: End packet cfg_get_hvalue: name=192.168.100.5 attr=key cfg_get_phvalue: returns tacacs 192.168.100.5: disconnect session.peerip is 192.168.100.5 session request from 192.168.100.5 sock=5 connect from 192.168.100.5 [192.168.100.5] Waiting for packet 
cfg_get_hvalue: name=192.168.100.5 attr=key cfg_get_phvalue: returns tacacs Read AUTHOR size=66 validation request from 192.168.100.5 PACKET: key= version 192 (0xc0), type 2, seq no 1, flags 0x1 session_id 3809865981 (0xe315f0fd), Data length 54 (0x36) End header type=AUTHOR, priv_lvl=1, authen=1 method=none svc=0 user_len=8 port_len=5 rem_addr_len=14 arg_cnt=1 User: billtest port: ttyp0 rem_addr: 192.168.100.22 arg[0]: size=18 service=junos-exec End packet Start authorization request cfg_get_value: name=billtest isuser=1 attr=acl rec=1 cfg_get_value: recurse group = test cfg_get_value: recurse group = inherit-me cfg_get_pvalue: returns NULL do_author: user='billtest' cfg_get_value: name=billtest isuser=1 attr=before rec=1 cfg_get_value: recurse group = test cfg_get_value: recurse group = inherit-me cfg_get_pvalue: returns NULL user 'billtest' found cfg_get_svc_node: username=billtest N_svc proto= svcname=junos-exec rec=1 cfg_get_svc_node: recurse group = test cfg_get_svc_node: found N_svc proto= svcname=junos-exec nas:service=junos-exec (passed thru) nas:absent, server:local-user-name=remote -> add local-user-name=remote (k) nas:absent, server:user-permissions3=configure -> add user-permissions3=configure (k) nas:absent, server:allow-commands1=show .* -> add allow-commands1=show .* (k) added 3 args out_args[0] = service=junos-exec input copy discarded out_args[1] = local-user-name=remote compacted to out_args[0] out_args[2] = user-permissions3=configure compacted to out_args[1] out_args[3] = allow-commands1=show .* compacted to out_args[2] 3 output args cfg_get_value: name=billtest isuser=1 attr=after rec=1 cfg_get_value: recurse group = test cfg_get_value: recurse group = inherit-me cfg_get_pvalue: returns NULL Writing AUTHOR/PASS_ADD size=93 PACKET: key= version 192 (0xc0), type 2, seq no 2, flags 0x1 session_id 3809865981 (0xe315f0fd), Data length 81 (0x51) End header type=AUTHOR/REPLY status=1 (AUTHOR/PASS_ADD) msg_len=0, data_len=0 arg_cnt=3 msg: data: arg[0] 
size=22 local-user-name=remote arg[1] size=27 user-permissions3=configure arg[2] size=23 allow-commands1=show .* End packet cfg_get_hvalue: name=192.168.100.5 attr=key cfg_get_phvalue: returns tacacs authorization query for 'billtest' ttyp0 from 192.168.100.5 accepted 192.168.100.5: disconnect From ccoyette at Devanlay.fr Fri May 28 15:06:41 2010 From: ccoyette at Devanlay.fr (Charly COYETTE) Date: Fri, 28 May 2010 17:06:41 +0200 Subject: [tac_plus] Tac_plus authentication and Active Directory group Message-ID: Hello, I'm currently installing a TACACS+ Server with Tac_plus that authenticate users with an active directory. I need to give different rights to users regarding the different groups in the active directory. I don't know how to indicate this in the configuration file. Another question: Is there a way to do "default authentication = PAM"? I always have an error: "Error: expecting 'file' but found 'pam' on line 16" Here is the configuration file I currently use: key = ... accounting file = /var/log/tacacs/accounting group = admin { default service = permit login = PAM enable = des "..." } group = user { default service = deny login = PAM enable = des "..." cmd = enable { permit ".*" } cmd = show { permit "ip .*" deny ".*" } cmd = disable { permit ".*" } cmd = exit { permit ".*" } } user administrator { member = admin } user toto { member = user } Regards, Charly COYETTE | Network and System department Mail : ccoyette at devanlay.fr DEVANLAY SA : 19bis, rue des Gayettes - BP 503 - 10083 TROYES - FRANCE -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20100528/c349a8f2/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: image/gif Size: 1175 bytes Desc: image001.gif Url : http://www.shrubbery.net/pipermail/tac_plus/attachments/20100528/c349a8f2/attachment.gif -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/gif Size: 2657 bytes Desc: image002.gif Url : http://www.shrubbery.net/pipermail/tac_plus/attachments/20100528/c349a8f2/attachment-0001.gif -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/gif Size: 2645 bytes Desc: image003.gif Url : http://www.shrubbery.net/pipermail/tac_plus/attachments/20100528/c349a8f2/attachment-0002.gif From rui-f-meireles at telecom.pt Fri May 28 17:46:07 2010 From: rui-f-meireles at telecom.pt (Rui Vitor Figueiras Meireles) Date: Fri, 28 May 2010 18:46:07 +0100 Subject: [tac_plus] TACACS+ Proxy Redirect Message-ID: <39228668B1473247A5AC45D871ADDF743078D8@PTPTVDEX01.PTPortugal.corpPT.com> Hi. I have a question I would like to ask you. I'm using your TACAS+ Server on my network. I want to have some machines that authenticate some users Tacacs Server #1, and other users on Tacacs Server #2. Is this possible? Does this Tacacs Server Software support this - Proxy Redirect based on user, or realm... Thanks a lot. Regards, Rui Meireles -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20100528/5a301fc9/attachment.html From heas at shrubbery.net Fri May 28 21:36:56 2010 From: heas at shrubbery.net (john heasley) Date: Fri, 28 May 2010 14:36:56 -0700 Subject: [tac_plus] Re: TACACS+ Proxy Redirect In-Reply-To: <39228668B1473247A5AC45D871ADDF743078D8@PTPTVDEX01.PTPortugal.corpPT.com> References: <39228668B1473247A5AC45D871ADDF743078D8@PTPTVDEX01.PTPortugal.corpPT.com> Message-ID: <20100528213656.GD7486@shrubbery.net> Fri, May 28, 2010 at 06:46:07PM +0100, Rui Vitor Figueiras Meireles: > Hi. I have a question I would like to ask you. 
> > I'm using your TACAS+ Server on my network. > I want to have some machines that authenticate some users Tacacs Server #1, and other users on Tacacs Server #2. > Is this possible? Does this Tacacs Server Software support this - Proxy Redirect based on user, or realm... no. you probably want to use ldap via pam to do that sort of thing. > Thanks a lot. > > Regards, > Rui Meireles > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20100528/5a301fc9/attachment.html > _______________________________________________ > tac_plus mailing list > tac_plus at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus From heas at shrubbery.net Fri May 28 22:21:06 2010 From: heas at shrubbery.net (john heasley) Date: Fri, 28 May 2010 15:21:06 -0700 Subject: [tac_plus] Re: Tac_plus authentication and Active Directory group In-Reply-To: References: Message-ID: <20100528222106.GH7486@shrubbery.net> Fri, May 28, 2010 at 05:06:41PM +0200, Charly COYETTE: > Hello, > > > > I'm currently installing a TACACS+ Server with Tac_plus that > authenticate users with an active directory. > > > > I need to give different rights to users regarding the different groups > in the active directory. > > I don't know how to indicate this in the configuration file. sorry, i dont understand the question. > Another question: Is there a way to do "default authentication = PAM"? 
> I always have an error: "Error: expecting 'file' but found 'pam' on line
> 16"

user = DEFAULT { login = PAM }

From kissg at ssg.ki.iif.hu Sat May 29 05:15:07 2010
From: kissg at ssg.ki.iif.hu (Kiss Gabor (Bitman))
Date: Sat, 29 May 2010 07:15:07 +0200 (CEST)
Subject: [tac_plus] Re: TACACS+ Proxy Redirect
In-Reply-To: <20100528213656.GD7486@shrubbery.net>
References: <39228668B1473247A5AC45D871ADDF743078D8@PTPTVDEX01.PTPortugal.corpPT.com> <20100528213656.GD7486@shrubbery.net>

> I'm using your TACACS+ Server on my network.
> I want to have some machines that authenticate some users on Tacacs Server #1, and other users on Tacacs Server #2.
> Is this possible? Does this Tacacs Server Software support this - Proxy Redirect based on user, or realm...

In the mid '90s I patched xtacacs to do this. Two groups of users shared a modem pool. They were administered on two TACACS servers. I don't remember the details, but I used some redirection that is allowed in the TACACS+ protocol.

A fast solution for you: the user may enter the login name in the form
username at tac-server1.exemple.com
In this case the router knows which TACACS server to use. (Of course you have to configure multiple tacacs+ servers.)

Gabor

From rui-f-meireles at telecom.pt Mon May 31 11:10:06 2010
From: rui-f-meireles at telecom.pt (Rui Vitor Figueiras Meireles)
Date: Mon, 31 May 2010 12:10:06 +0100
Subject: [tac_plus] Re: TACACS+ Proxy Redirect
In-Reply-To:
References: <39228668B1473247A5AC45D871ADDF743078D8@PTPTVDEX01.PTPortugal.corpPT.com> <20100528213656.GD7486@shrubbery.net>
Message-ID: <39228668B1473247A5AC45D871ADDF74351494@PTPTVDEX01.PTPortugal.corpPT.com>

I'll try that fast solution. With a proper DNS working I may be able to do what I want.

Thanks a lot!
Regards,
Rui

-----Original Message-----
From: Kiss Gabor (Bitman) [mailto:kissg at ssg.ki.iif.hu]
Sent: Saturday, 29 May 2010 6:15
To: Rui Vitor Figueiras Meireles
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] Re: TACACS+ Proxy Redirect

> I'm using your TACACS+ Server on my network.
> I want to have some machines that authenticate some users on Tacacs Server #1, and other users on Tacacs Server #2.
> Is this possible? Does this Tacacs Server Software support this - Proxy Redirect based on user, or realm...

In the mid '90s I patched xtacacs to do this. Two groups of users shared a modem pool. They were administered on two TACACS servers. I don't remember the details, but I used some redirection that is allowed in the TACACS+ protocol.

A fast solution for you: the user may enter the login name in the form
username at tac-server1.exemple.com
In this case the router knows which TACACS server to use. (Of course you have to configure multiple tacacs+ servers.)

Gabor
