[tac_plus] Group Recursion with service=junos-exec

jnprbill at gmail.com jnprbill at gmail.com
Thu May 20 21:02:41 UTC 2010


Hello,

I have put up a tac_plus server in the lab to duplicate something
we're seeing in production.  We have a Junos router using the
service=junos-exec.  Everything works fine except group recursion or
inheritance.  Once the first group is processed for
service=junos-exec, I never see where the second group is processed.
Does anyone know if inheritance is NAS dependent for authorization?

Thanks in advance,

Bill

host = 192.168.100.5 {
	key = tacacs
}
user = billtest {
	login = cleartext "Juniper1"
	member = test
}
group = test {
	# test is itself a member of inherit-me
	member = inherit-me
	service = junos-exec {
		local-user-name = remote
		user-permissions3 = "configure"
		allow-commands1 = "show .*"
	}
}
group = inherit-me {
	service = junos-exec {
		local-user-name = remote
		user-permissions99 = "all"
	}
}
group = another {
	service = junos-exec {
		user-permissions199 = "all"
	}
}


root@dmz:/var/tac/bin# ./tac_plus -C tacacs.conf -g -d8 -d128 -d256 -d16
Reading config
Version F4.0.4.19 Initialized 1
tac_plus server F4.0.4.19 starting
uid=0 euid=0 gid=0 egid=0 s=4
session.peerip is 192.168.100.5
session request from 192.168.100.5 sock=5
connect from 192.168.100.5 [192.168.100.5]
Waiting for packet
cfg_get_hvalue: name=192.168.100.5 attr=key
cfg_get_phvalue: returns tacacs
Read AUTHEN/START size=47
validation request from 192.168.100.5
PACKET: key=<NULL>
version 192 (0xc0), type 1, seq no 1, flags 0x1
session_id 1930530477 (0x73118ead), Data length 35 (0x23)
End header
type=AUTHEN/START, priv_lvl = 1
action=login
authen_type=ascii
service=login
user_len=8 port_len=5 (0x5), rem_addr_len=14 (0xe)
data_len=0
User:
billtest
port:
ttyp0
rem_addr:
192.168.100.22
data:
End packet
Authen Start request
cfg_get_value: name=billtest isuser=1 attr=login rec=1
cfg_get_pvalue: returns cleartext Juniper1
choose_authen chose default_fn
Calling authentication function
cfg_get_value: name=billtest isuser=1 attr=nopassword rec=1
cfg_get_value: recurse group = test
cfg_get_value: recurse group = inherit-me
cfg_get_intvalue: returns 0
cfg_get_value: name=billtest isuser=1 attr=login rec=1
cfg_get_pvalue: returns cleartext Juniper1
Writing AUTHEN/GETPASS size=28
PACKET: key=<NULL>
version 192 (0xc0), type 1, seq no 2, flags 0x1
session_id 1930530477 (0x73118ead), Data length 16 (0x10)
End header
type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
msg_len=10, data_len=0
msg:
Password:
data:
End packet
cfg_get_hvalue: name=192.168.100.5 attr=key
cfg_get_phvalue: returns tacacs
Waiting for packet
cfg_get_hvalue: name=192.168.100.5 attr=key
cfg_get_phvalue: returns tacacs
Read AUTHEN/CONT size=25
PACKET: key=<NULL>
version 192 (0xc0), type 1, seq no 3, flags 0x1
session_id 1930530477 (0x73118ead), Data length 13 (0xd)
End header
type=AUTHEN/CONT
user_msg_len 8 (0x8), user_data_len 0 (0x0)
flags=0x0
User msg:
Juniper1
User data:
End packet
cfg_get_value: name=billtest isuser=1 attr=login rec=1
cfg_get_pvalue: returns cleartext Juniper1
cfg_get_value: name=billtest isuser=1 attr=expires rec=1
cfg_get_value: recurse group = test
cfg_get_value: recurse group = inherit-me
cfg_get_pvalue: returns NULL
cfg_get_value: name=billtest isuser=1 attr=acl rec=1
cfg_get_value: recurse group = test
cfg_get_value: recurse group = inherit-me
cfg_get_pvalue: returns NULL
login query for 'billtest' ttyp0 from 192.168.100.5 accepted
Writing AUTHEN/SUCCEED size=18
PACKET: key=<NULL>
version 192 (0xc0), type 1, seq no 4, flags 0x1
session_id 1930530477 (0x73118ead), Data length 6 (0x6)
End header
type=AUTHEN status=1 (AUTHEN/SUCCEED) flags=0x0
msg_len=0, data_len=0
msg:
data:
End packet
cfg_get_hvalue: name=192.168.100.5 attr=key
cfg_get_phvalue: returns tacacs
192.168.100.5: disconnect
session.peerip is 192.168.100.5
session request from 192.168.100.5 sock=5
connect from 192.168.100.5 [192.168.100.5]
Waiting for packet
cfg_get_hvalue: name=192.168.100.5 attr=key
cfg_get_phvalue: returns tacacs
Read AUTHOR size=66
validation request from 192.168.100.5
PACKET: key=<NULL>
version 192 (0xc0), type 2, seq no 1, flags 0x1
session_id 3809865981 (0xe315f0fd), Data length 54 (0x36)
End header
type=AUTHOR, priv_lvl=1, authen=1
method=none
svc=0 user_len=8 port_len=5 rem_addr_len=14
arg_cnt=1
User:
billtest
port:
ttyp0
rem_addr:
192.168.100.22
arg[0]: size=18
service=junos-exec
End packet
Start authorization request
cfg_get_value: name=billtest isuser=1 attr=acl rec=1
cfg_get_value: recurse group = test
cfg_get_value: recurse group = inherit-me
cfg_get_pvalue: returns NULL
do_author: user='billtest'
cfg_get_value: name=billtest isuser=1 attr=before rec=1
cfg_get_value: recurse group = test
cfg_get_value: recurse group = inherit-me
cfg_get_pvalue: returns NULL
user 'billtest' found
cfg_get_svc_node: username=billtest N_svc proto= svcname=junos-exec rec=1
cfg_get_svc_node: recurse group = test
cfg_get_svc_node: found N_svc proto= svcname=junos-exec
nas:service=junos-exec (passed thru)
nas:absent, server:local-user-name=remote -> add local-user-name=remote (k)
nas:absent, server:user-permissions3=configure -> add user-permissions3=configure (k)
nas:absent, server:allow-commands1=show .* -> add allow-commands1=show .* (k)
added 3 args
out_args[0] = service=junos-exec input copy discarded
out_args[1] = local-user-name=remote compacted to out_args[0]
out_args[2] = user-permissions3=configure compacted to out_args[1]
out_args[3] = allow-commands1=show .* compacted to out_args[2]
3 output args
cfg_get_value: name=billtest isuser=1 attr=after rec=1
cfg_get_value: recurse group = test
cfg_get_value: recurse group = inherit-me
cfg_get_pvalue: returns NULL
Writing AUTHOR/PASS_ADD size=93
PACKET: key=<NULL>
version 192 (0xc0), type 2, seq no 2, flags 0x1
session_id 3809865981 (0xe315f0fd), Data length 81 (0x51)
End header
type=AUTHOR/REPLY status=1 (AUTHOR/PASS_ADD)
msg_len=0, data_len=0 arg_cnt=3
msg:
data:
arg[0] size=22
local-user-name=remote
arg[1] size=27
user-permissions3=configure
arg[2] size=23
allow-commands1=show .*
End packet
cfg_get_hvalue: name=192.168.100.5 attr=key
cfg_get_phvalue: returns tacacs
authorization query for 'billtest' ttyp0 from 192.168.100.5 accepted
192.168.100.5: disconnect
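As an added illustration (not code from the post or from tac_plus), a small Python model of the lookup order the debug output shows: cfg_get_svc_node descends from billtest into group test, finds a junos-exec service block there and stops, so inherit-me's block is never consulted and user-permissions99 never reaches the AUTHOR/PASS_ADD reply. The user, group and attribute names are the poster's; merged_svc is a hypothetical helper showing what a full merge across the member chain would have produced, for comparison.

```python
from __future__ import annotations

# Constructed representation of the poster's tacacs.conf (not tac_plus code):
# user -> group it is a member of; group -> next group plus per-service attributes.
USERS = {"billtest": "test"}
GROUPS = {
    "test": {
        "member": "inherit-me",
        "junos-exec": {
            "local-user-name": "remote",
            "user-permissions3": "configure",
            "allow-commands1": "show .*",
        },
    },
    "inherit-me": {
        "member": None,
        "junos-exec": {"local-user-name": "remote", "user-permissions99": "all"},
    },
    "another": {"member": None, "junos-exec": {"user-permissions199": "all"}},
}

def first_match_svc(user: str, svc: str) -> tuple[list[str], dict[str, str]]:
    """Lookup order shown by the log's cfg_get_svc_node lines: walk the
    member chain and stop at the first group that has a block for svc.
    Returns (groups visited, that block's attributes)."""
    visited: list[str] = []
    group = USERS[user]
    while group is not None:
        visited.append(group)  # 'cfg_get_svc_node: recurse group = <name>'
        block = GROUPS[group].get(svc)
        if block is not None:
            return visited, dict(block)  # first hit wins; deeper groups unvisited
        group = GROUPS[group]["member"]
    return visited, {}

def merged_svc(user: str, svc: str) -> dict[str, str]:
    """Hypothetical: what the poster expected. Union of every group's block
    along the chain, nearer groups winning on duplicate attribute names."""
    merged: dict[str, str] = {}
    group = USERS[user]
    while group is not None:
        for k, v in GROUPS[group].get(svc, {}).items():
            merged.setdefault(k, v)
        group = GROUPS[group]["member"]
    return merged

if __name__ == "__main__":
    visited, attrs = first_match_svc("billtest", "junos-exec")
    print("visited:", visited, "-> AUTHOR/PASS_ADD args:", attrs)
    print("a full merge would give:", merged_svc("billtest", "junos-exec"))
```

Run against the poster's config this visits only ['test'] and returns the three attributes seen in the reply packet above; the merged variant would additionally carry user-permissions99=all.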