From antonio.ojea at retegal.es Tue Nov 2 21:32:44 2010
From: antonio.ojea at retegal.es (Antonio Ojea)
Date: Tue, 2 Nov 2010 22:32:44 +0100 (CET)
Subject: [tac_plus] Privilege level on hp,3com,h3c switches
Message-ID: <16552042.657.1288733564393.JavaMail.root@zimbra.retegal.es>

Hi,

I have several (HP, 3com, h3) switches h3600 and routers MSR-20.

I can configure the routers and the switches to authenticate against the tac_plus server, but the problem is with the user privilege level. I have configured the following statements, and when I log in to a router I have all privileges, but on the switches I have the lowest privileges.

default service = permit
service = exec {
    priv-lvl = 15
}

I think that this is an H3C issue, but can I configure the tac_plus server so that I get all privileges when I log in to the switch?
Is it possible to run a script to change the level automatically?

Thanks in advance

From heas at shrubbery.net Wed Nov 3 02:19:17 2010
From: heas at shrubbery.net (john heasley)
Date: Wed, 3 Nov 2010 02:19:17 +0000
Subject: [tac_plus] Privilege level on hp,3com,h3c switches
In-Reply-To: <16552042.657.1288733564393.JavaMail.root@zimbra.retegal.es>
References: <16552042.657.1288733564393.JavaMail.root@zimbra.retegal.es>
Message-ID: <20101103021917.GI6939@shrubbery.net>

Tue, Nov 02, 2010 at 10:32:44PM +0100, Antonio Ojea:
> Hi,
>
> I have several (HP, 3com, h3) switches h3600 and routers MSR-20.
>
> I can configure the routers and the switches to authenticate against the tac_plus server, but the problem is with the user privilege level. I have configured the following statements, and when I log in to a router I have all privileges, but on the switches I have the lowest privileges.
>
> default service = permit
> service = exec {
>     priv-lvl = 15
> }
>
> I think that this is an H3C issue, but can I configure the tac_plus server so that I get all privileges when I log in to the switch?
> Is it possible to run a script to change the level automatically?
>

if i understand what you want, try clogin from rancid; www.shrubbery.net/rancid/

else, the switches might use a different AVP for setting the priv level or might not be configured to perform authorization.

From antonio.ojea at retegal.es Wed Nov 3 07:50:43 2010
From: antonio.ojea at retegal.es (Antonio Ojea)
Date: Wed, 3 Nov 2010 08:50:43 +0100
Subject: [tac_plus] Privilege level on hp,3com,h3c switches
In-Reply-To: <20101103021917.GI6939@shrubbery.net>
References: <16552042.657.1288733564393.JavaMail.root@zimbra.retegal.es> <20101103021917.GI6939@shrubbery.net>
Message-ID: <004901cb7b2b$d1cb4180$7561c480$@ojea@retegal.es>

Thanks for your help, I have a problem with authorization.

If I configure the switch to do authorization with the tacacs server, I can log in with admin privileges. However, if the switch can't reach the tacacs server I can't log in because it doesn't have an option to do local authorization.

If I configure the switch to do only authentication with the tacacs server I log in with the lowest privileges because I don't do authorization.

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Wednesday, 03 November 2010 3:19
To: Antonio Ojea
CC: tac_plus at shrubbery.net
Subject: Re: [tac_plus] Privilege level on hp,3com,h3c switches

Tue, Nov 02, 2010 at 10:32:44PM +0100, Antonio Ojea:
> Hi,
>
> I have several (HP, 3com, h3) switches h3600 and routers MSR-20.
>
> I can configure the routers and the switches to authenticate against the tac_plus server, but the problem is with the user privilege level. I have configured the following statements, and when I log in to a router I have all privileges, but on the switches I have the lowest privileges.
>
> default service = permit
> service = exec {
>     priv-lvl = 15
> }
>
> I think that this is an H3C issue, but can I configure the tac_plus server so that I get all privileges when I log in to the switch?
> Is it possible to run a script to change the level automatically?
>

if i understand what you want, try clogin from rancid; www.shrubbery.net/rancid/

else, the switches might use a different AVP for setting the priv level or might not be configured to perform authorization.

From heas at shrubbery.net Wed Nov 3 15:37:29 2010
From: heas at shrubbery.net ('john heasley')
Date: Wed, 3 Nov 2010 15:37:29 +0000
Subject: [tac_plus] Privilege level on hp,3com,h3c switches
In-Reply-To: <004901cb7b2b$d1cb4180$7561c480$@ojea@retegal.es>
References: <16552042.657.1288733564393.JavaMail.root@zimbra.retegal.es> <20101103021917.GI6939@shrubbery.net> <004901cb7b2b$d1cb4180$7561c480$@ojea@retegal.es>
Message-ID: <20101103153729.GB2837@shrubbery.net>

Wed, Nov 03, 2010 at 08:50:43AM +0100, Antonio Ojea:
>
> Thanks for your help, I have a problem with authorization.
>
> If I configure the switch to do authorization with the tacacs server, I can
> log in with admin privileges. However, if the switch can't reach the tacacs
> server I can't log in because it doesn't have an option to do local authorization.

think you want something like the following to have a local login with privs. hp has never made management of their devices particularly easy.

password manager
password operator

> If I configure the switch to do only authentication with the tacacs server I
> log in with the lowest privileges because I don't do authorization.
>
> -----Original Message-----
> From: john heasley [mailto:heas at shrubbery.net]
> Sent: Wednesday, 03 November 2010 3:19
> To: Antonio Ojea
> CC: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] Privilege level on hp,3com,h3c switches
>
> Tue, Nov 02, 2010 at 10:32:44PM +0100, Antonio Ojea:
> > Hi,
> >
> > I have several (HP, 3com, h3) switches h3600 and routers MSR-20.
> >
> > I can configure the routers and the switches to authenticate against the
> > tac_plus server, but the problem is with the user privilege level. I have
> > configured the following statements, and when I log in to a router I have all
> > privileges, but on the switches I have the lowest privileges.
> >
> > default service = permit
> > service = exec {
> >     priv-lvl = 15
> > }
> >
> > I think that this is an H3C issue, but can I configure the tac_plus server
> > so that I get all privileges when I log in to the switch?
> > Is it possible to run a script to change the level automatically?
>
> if i understand what you want, try clogin from rancid;
> www.shrubbery.net/rancid/
>
> else, the switches might use a different AVP for setting the priv level
> or might not be configured to perform authorization.

From antonio.ojea at retegal.es Wed Nov 3 22:30:40 2010
From: antonio.ojea at retegal.es (Antonio Ojea)
Date: Wed, 3 Nov 2010 23:30:40 +0100 (CET)
Subject: [tac_plus] Privilege level on hp,3com,h3c switches
In-Reply-To: <9527217.667.1288822854431.JavaMail.root@zimbra.retegal.es>
Message-ID: <5730352.669.1288823440506.JavaMail.root@zimbra.retegal.es>

This is an H3C switch (model 3600-EI). H3C was acquired by HP when it bought 3com. I think that H3C was a Huawei and 3com mix, but I'm not sure.

I have a local user with admin privileges, but the problem is that this switch can only do authorization against the tacacs server or none, but not both. I configure it without authorization and when I log in against tacacs it gives me no privileges. The tac_plus works perfectly, because if I configure authorization and authentication against the tacacs server it gives me all privileges. The problem is that if the tacacs server goes down I can't log in because it doesn't authorize the local user.

I'll try to ask H3C support.
Thanks to all

----- Original Message -----
From: "john heasley"
To: aojea at retegal.es
CC: "john heasley" , "tac plus"
Sent: Wednesday, 3 November 2010 16:37:29
Subject: Re: [tac_plus] Privilege level on hp,3com,h3c switches

Wed, Nov 03, 2010 at 08:50:43AM +0100, Antonio Ojea:
>
> Thanks for your help, I have a problem with authorization.
>
> If I configure the switch to do authorization with the tacacs server,
> I can log in with admin privileges. However, if the switch can't reach the
> tacacs server I can't log in because it doesn't have an option to do local
> authorization.

think you want something like the following to have a local login with privs. hp has never made management of their devices particularly easy.

password manager
password operator

> If I configure the switch to do only authentication with the tacacs
> server I log in with the lowest privileges because I don't do authorization.
>
> -----Original Message-----
> From: john heasley [mailto:heas at shrubbery.net]
> Sent: Wednesday, 03 November 2010 3:19
> To: Antonio Ojea
> CC: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] Privilege level on hp,3com,h3c switches
>
> Tue, Nov 02, 2010 at 10:32:44PM +0100, Antonio Ojea:
> > Hi,
> >
> > I have several (HP, 3com, h3) switches h3600 and routers MSR-20.
> >
> > I can configure the routers and the switches to authenticate against
> > the tac_plus server, but the problem is with the user privilege level. I
> > have configured the following statements, and when I log in to a router I have
> > all privileges, but on the switches I have the lowest privileges.
> >
> > default service = permit
> > service = exec {
> >     priv-lvl = 15
> > }
> >
> > I think that this is an H3C issue, but can I configure the tac_plus
> > server so that I get all privileges when I log in to the switch?
> > Is it possible to run a script to change the level automatically?
>
> if i understand what you want, try clogin from rancid;
> www.shrubbery.net/rancid/
>
> else, the switches might use a different AVP for setting the priv
> level or might not be configured to perform authorization.

From alan.mckinnon at gmail.com Thu Nov 11 15:23:17 2010
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Thu, 11 Nov 2010 17:23:17 +0200
Subject: [tac_plus] Nexus kit with NX-OS
Message-ID: <201011111723.17284.alan.mckinnon@gmail.com>

Our networks people are lab-testing new Nexus kit and are finding new interesting fascinating ways to do Tacacs differently.

We already tripped over the pap/mschap thing discussed here:
http://www.shrubbery.net/pipermail/tac_plus/2009-July/000469.html

And I see the accounting logs look very different to what we're used to with good old Cisco kit.

Has anyone gone further down this route than we have and maybe documented the major issues found on-line?

-- 
alan dot mckinnon at gmail dot com

From wiechman.lists at gmail.com Thu Nov 11 22:40:03 2010
From: wiechman.lists at gmail.com (Ben Wiechman)
Date: Thu, 11 Nov 2010 16:40:03 -0600
Subject: [tac_plus] PAM and LDAP with non-root user
In-Reply-To: <201011111723.17284.alan.mckinnon@gmail.com>
References: <201011111723.17284.alan.mckinnon@gmail.com>
Message-ID: <4cdc70b2.293f970a.12a9.188a@mx.google.com>

Various threads document that when using PAM for authentication tac_plus has to run as root due to requirements of the pam_unix.so module. Those threads maybe indicate that if LDAP was used the server could run as a non-root user. Is it possible to integrate with LDAP using PAM and run tac_plus as a non-root user, or am I interpreting those threads incorrectly?
Ben

From heas at shrubbery.net Fri Nov 12 00:58:02 2010
From: heas at shrubbery.net (john heasley)
Date: Fri, 12 Nov 2010 00:58:02 +0000
Subject: [tac_plus] PAM and LDAP with non-root user
In-Reply-To: <4cdc70b2.293f970a.12a9.188a@mx.google.com>
References: <201011111723.17284.alan.mckinnon@gmail.com> <4cdc70b2.293f970a.12a9.188a@mx.google.com>
Message-ID: <20101112005802.GB14802@shrubbery.net>

Thu, Nov 11, 2010 at 04:40:03PM -0600, Ben Wiechman:
> Various threads document that when using PAM for authentication tac_plus
> has to run as root due to requirements of the pam_unix.so module. Those
> threads maybe indicate that if LDAP was used the server could run as a
> non-root user. Is it possible to integrate with LDAP using PAM and run
> tac_plus as a non-root user, or am I interpreting those threads incorrectly?

that should be correct, though may be implementation-dependent. as long as the pam modules don't need to access a protected file or other protected resource, it should work.

From wiechman.lists at gmail.com Wed Nov 17 22:57:13 2010
From: wiechman.lists at gmail.com (Ben Wiechman)
Date: Wed, 17 Nov 2010 16:57:13 -0600
Subject: [tac_plus] Per Device Command Authorization
Message-ID: <4ce45db8.04cfe70a.58ae.ffff835a@mx.google.com>

Is it possible to configure a list of commands a user is authorized to execute that differs by device?

In our case we'd like to allow certain users read-only type access on most devices, but give more access on certain devices to do things like configure static NAT, etc. Firewall administrators need more permissions on the firewalls, but not on backbone routers, as another example.

I don't see any way to do this with the stock configuration, but I may be missing something.

It looks like it might be possible with the multiple groups patch here (http://bakacsin.ki.iif.hu/~kissg/pd/tac_plus/), but I'm not entirely clear on that either.
Ben

From alan.mckinnon at gmail.com Thu Nov 18 01:14:50 2010
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Thu, 18 Nov 2010 03:14:50 +0200
Subject: [tac_plus] Per Device Command Authorization
In-Reply-To: <4ce45db8.04cfe70a.58ae.ffff835a@mx.google.com>
References: <4ce45db8.04cfe70a.58ae.ffff835a@mx.google.com>
Message-ID: <201011180314.50328.alan.mckinnon@gmail.com>

Apparently, though unproven, at 00:57 on Thursday 18 November 2010, Ben Wiechman did opine thusly:

> Is it possible to configure a list of commands a user is authorized to
> execute that differs by device?

No. Well, not easily, and not without mangling the config in insane ways. A workaround is at the end, after I describe the problem :-)

> In our case we'd like to allow certain users read-only type access on most
> devices, but give more access on certain devices to do things like
> configure static NAT, etc. Firewall administrators need more permissions
> on the firewalls, but not on backbone routers, as another example.

I have exactly the same issue.

The problem is that the list of commands allowed for a user (or group) is applied universally. What you and I want is to be able to create groups of *devices* and then tie that to the allow/deny command list for the user. This will instantly explode the length and complexity of your config.

> I don't see any way to do this with the stock configuration, but I may be
> missing something.
>
> It looks like it might be possible with the multiple groups patch here
> (http://bakacsin.ki.iif.hu/~kissg/pd/tac_plus/), but I'm not entirely clear
> on that either.

I doubt that will work out well. The idea of multiple groups will work if each group has a config that does not conflict in any way with any other group, i.e. no two groups attempt to configure the same directive. Then the total config for a user is the union of all the groups. In real life, what you get is conflicts, and lots of them. How do you resolve that?
Mathematics tells us it must involve some arbitrary priority process, and that is very hard to define. If you know C++ it's exactly the same thing as multiple inheritance and you know how insane that can get.

There's more info on this in the list archives accessible through the web front-end - the question comes up a lot.

The workaround is to use separate tacacs servers for each class of device you have, and configure each one separately with the access you want for each user/group on those devices. Configure your devices to use the appropriate server and port.

You can run multiple tac_plus daemons on one host using different ports and devices can be configured as to the port to use. So there's no need to arrange for more machines to do this.

-- 
alan dot mckinnon at gmail dot com

From wiechman.lists at gmail.com Thu Nov 18 17:23:10 2010
From: wiechman.lists at gmail.com (Ben Wiechman)
Date: Thu, 18 Nov 2010 11:23:10 -0600
Subject: [tac_plus] Per Device Command Authorization
In-Reply-To: <201011180314.50328.alan.mckinnon@gmail.com>
References: <4ce45db8.04cfe70a.58ae.ffff835a@mx.google.com> <201011180314.50328.alan.mckinnon@gmail.com>
Message-ID: <4ce560ec.04cfe70a.448a.219c@mx.google.com>

>
> The problem is that the list of commands allowed for a user (or group) is
> applied universally. What you and I want is to be able to create groups of
> *devices* and then tie that to the allow/deny command list for the user.

Exactly.

> This will instantly explode the length and complexity of your config
>
> > I don't see any way to do this with the stock configuration, but I may be
> > missing something.
> >
> > It looks like it might be possible with the multiple groups patch here
> > (http://bakacsin.ki.iif.hu/~kissg/pd/tac_plus/), but I'm not entirely clear
> > on that either.
>
> I doubt that will work out well. The idea of multiple groups will work if each
> group has a config that does not conflict in any way with any other group, i.e.
> no two groups attempt to configure the same directive. Then the total
> config for a user is the union of all the groups. In real life, what you get
> is conflicts, and lots of them. How do you resolve that? Mathematics tells us
> it must involve some arbitrary priority process, and that is very hard to
> define. If you know C++ it's exactly the same thing as multiple inheritance
> and you know how insane that can get.

heh

> There's more info on this in the list archives accessible through the web
> front-end - the question comes up a lot.

That was more or less the conclusion I was reaching. I saw at one point as well that Gabor had posted a comment about possibly adding some kind of conditional group membership enhancements that would probably work as well. However it does not appear that anything like that ever materialized.

> The workaround is to use separate tacacs servers for each class of device you
> have, and configure each one separately with the access you want for each
> user/group on those devices. Configure your devices to use the appropriate
> server and port.
>
> You can run multiple tac_plus daemons on one host using different ports and
> devices can be configured as to the port to use. So there's no need to arrange
> for more machines to do this.
>

I hadn't arrived at that, but that would be another choice. It sounds about as exciting as maintaining separate user names for different devices/device groups and providing different access based on the unique usernames. I just wanted to make sure I wasn't missing anything. Neither of the two solutions is entirely palatable, but your suggestion has the benefit of being transparent to the end user, if a bit more troublesome to maintain and configure.

Thanks.
Ben

From alan.mckinnon at gmail.com Thu Nov 18 18:32:21 2010
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Thu, 18 Nov 2010 20:32:21 +0200
Subject: [tac_plus] Per Device Command Authorization
In-Reply-To: <4ce560ec.04cfe70a.448a.219c@mx.google.com>
References: <4ce45db8.04cfe70a.58ae.ffff835a@mx.google.com> <201011180314.50328.alan.mckinnon@gmail.com> <4ce560ec.04cfe70a.448a.219c@mx.google.com>
Message-ID: <201011182032.22034.alan.mckinnon@gmail.com>

Apparently, though unproven, at 19:23 on Thursday 18 November 2010, Ben Wiechman did opine thusly:

> > The workaround is to use separate tacacs servers for each class of device you
> > have, and configure each one separately with the access you want for each
> > user/group on those devices. Configure your devices to use the appropriate
> > server and port.
> >
> > You can run multiple tac_plus daemons on one host using different ports and
> > devices can be configured as to the port to use. So there's no need to arrange
> > for more machines to do this.
>
> I hadn't arrived at that, but that would be another choice. It sounds about
> as exciting as maintaining separate user names for different devices/device
> groups and providing different access based on the unique usernames. I just
> wanted to make sure I wasn't missing anything. Neither of the two solutions
> is entirely palatable, but your suggestion has the benefit of being
> transparent to the end user, if a bit more troublesome to maintain and
> configure.

Last I heard, Gabor ran into configuration conflicts, and John wanted to fix the config parser before looking further into it. It's not an easy problem to solve - I have a team of devs and mathematicians (real ones with Masters) who haven't come up with a good config resolver yet.

I use a modified version of multiple servers - each division has its own Tacacs server(s) and all share the same authentication credentials.
Authorization rules are done per-division. Sometimes I need different rules within a division, like firewall people don't get access to core routers. I can't solve this, so I use the BOFH rule: if I can't trust the firewall people to keep their paws off the core, then they get no access at all to anything. Thus far, no-one has done anything to endanger that trust relationship - they know their access depends on it.

Sometimes the best solution is not found in technology :-)

-- 
alan dot mckinnon at gmail dot com

From kissg at ssg.ki.iif.hu Thu Nov 18 19:35:32 2010
From: kissg at ssg.ki.iif.hu (Kiss Gabor (Bitman))
Date: Thu, 18 Nov 2010 20:35:32 +0100 (CET)
Subject: [tac_plus] Per Device Command Authorization
In-Reply-To: <4ce45db8.04cfe70a.58ae.ffff835a@mx.google.com>
References: <4ce45db8.04cfe70a.58ae.ffff835a@mx.google.com>
Message-ID:

> In our case we'd like to allow certain users read-only type access on most
> devices, but give more access on certain devices to do things like configure
> static NAT, etc. Firewall administrators need more permissions on the
> firewalls, but not on backbone routers, as another example.
>
> I don't see any way to do this with the stock configuration, but I may be
> missing something.
>
> It looks like it might be possible with the multiple groups patch here
> (http://bakacsin.ki.iif.hu/~kissg/pd/tac_plus/), but I'm not entirely clear
> on that either.

I'm afraid also that it can't solve your problem.
ACLs are for exec authorization only, not for commands.

However I found a quick and dirty solution:
Firewall admins might have two accounts on some hosts.
E.g. user 'bill' may log in to all routers but has few permissions.
Meanwhile 'bill_fw' has more rights but can log in on very few NASs.
Regards

Gabor

From wiechman.lists at gmail.com Fri Nov 19 16:54:05 2010
From: wiechman.lists at gmail.com (Ben Wiechman)
Date: Fri, 19 Nov 2010 10:54:05 -0600
Subject: [tac_plus] Per Device Command Authorization
In-Reply-To:
References: <4ce45db8.04cfe70a.58ae.ffff835a@mx.google.com>
Message-ID: <4ce6ab9a.2749960a.6cf1.ffffc858@mx.google.com>

At this point we are just going to go with giving the firewall admins full access to the core as well... since that dept is... me. :) And if I can't trust myself, no one can.

Thanks for all the comments.

Ben

> -----Original Message-----
> From: Kiss Gabor (Bitman) [mailto:kissg at ssg.ki.iif.hu]
> Sent: Thursday, November 18, 2010 1:36 PM
> To: Ben Wiechman
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] Per Device Command Authorization
>
> > In our case we'd like to allow certain users read-only type access on
> > most devices, but give more access on certain devices to do things like
> > configure static NAT, etc. Firewall administrators need more permissions on the
> > firewalls, but not on backbone routers, as another example.
> >
> > I don't see any way to do this with the stock configuration, but I
> > may be missing something.
> >
> > It looks like it might be possible with the multiple groups patch
> > here (http://bakacsin.ki.iif.hu/~kissg/pd/tac_plus/), but I'm not entirely
> > clear on that either.
>
> I'm afraid also that it can't solve your problem.
> ACLs are for exec authorization only, not for commands.
>
> However I found a quick and dirty solution:
> Firewall admins might have two accounts on some hosts.
> E.g. user 'bill' may log in to all routers but has few permissions.
> Meanwhile 'bill_fw' has more rights but can log in on very few NASs.
>
> Regards
>
> Gabor

From m_danu_wiyoto at yahoo.com Mon Nov 22 10:43:27 2010
From: m_danu_wiyoto at yahoo.com (mdanu wiyoto)
Date: Mon, 22 Nov 2010 02:43:27 -0800 (PST)
Subject: [tac_plus] tacacs+ using ldap
Message-ID: <547352.913.qm@web31604.mail.mud.yahoo.com>

hi,

I want to create tacacs+ using ldap for authentication; my ldap server is using zentyal server.
For tacacs+ with authentication using cleartext and /etc/passwd I succeeded, but when using ldap I am confused, please assist me.
I promote tacacs+ shrubbery in my blog http://danuwi.wordpress.com in the Bahasa Indonesia language :)

Regards,
Danu

From prozaconstilts at gmail.com Tue Nov 23 01:49:13 2010
From: prozaconstilts at gmail.com (Adam)
Date: Mon, 22 Nov 2010 20:49:13 -0500
Subject: [tac_plus] tacacs+ using ldap
In-Reply-To: <547352.913.qm@web31604.mail.mud.yahoo.com>
References: <547352.913.qm@web31604.mail.mud.yahoo.com>
Message-ID: <4CEB1D99.2030109@gmail.com>

On 11/22/2010 5:43 AM, mdanu wiyoto wrote:
> hi,
>
> I want to create tacacs+ using ldap for authentication; my ldap server is using zentyal
> server.
> For tacacs+ with authentication using cleartext and /etc/passwd I succeeded, but
> when using ldap I am confused, please assist me.
> I promote tacacs+ shrubbery in my blog http://danuwi.wordpress.com in the Bahasa
> Indonesia language :)
>
> Regards,
> Danu

Try starting here:
http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.html

These instructions are for RHEL5 in particular, but should mostly apply to any GNU/Linux variant.
Adam

From sgoto at hawaii.edu Mon Nov 29 18:32:12 2010
From: sgoto at hawaii.edu (Steven Goto)
Date: Mon, 29 Nov 2010 08:32:12 -1000
Subject: [tac_plus] TACACS+ with Aruba Wireless Controller
Message-ID: <4CF3F1AC.8080607@hawaii.edu>

Hi tac_plus,

I've been trying to get our Aruba wireless controller running ArubaOS 3.4.2.5 to work with the Shrubbery Networks TACACS+ server for a number of weeks now; I've been going back and forth with Aruba Support but I think I've gone as far as I can go with them since they have no solution. TACACS+ accounting works but the authentication doesn't; Wireshark captures show the authentication failing and there are no service names or role definitions (like for AirWave AMP from tacacs.org, which we are successfully using) that Aruba is aware of. Are there any tips you may have for getting TACACS+ authentication to work with the Aruba wireless controller? Thanks!

Steve.

Steven Goto
University of Hawaii
Information Technology Services

From heas at shrubbery.net Mon Nov 29 19:21:13 2010
From: heas at shrubbery.net (john heasley)
Date: Mon, 29 Nov 2010 19:21:13 +0000
Subject: [tac_plus] TACACS+ with Aruba Wireless Controller
In-Reply-To: <4CF3F1AC.8080607@hawaii.edu>
References: <4CF3F1AC.8080607@hawaii.edu>
Message-ID: <20101129192113.GE11309@shrubbery.net>

Mon, Nov 29, 2010 at 08:32:12AM -1000, Steven Goto:
> Hi tac_plus,
>
> I've been trying to get our Aruba wireless controller running ArubaOS
> 3.4.2.5 to work with the Shrubbery Networks TACACS+ server for a number
> of weeks now; I've been going back and forth with Aruba Support but I
> think I've gone as far as I can go with them since they have no
> solution. TACACS+ accounting works but the authentication doesn't;
> Wireshark captures show the authentication failing and there are no
> service names or role definitions (like for AirWave AMP from tacacs.org,
> which we are successfully using) that Aruba is aware of.
> Are there any
> tips you may have for getting TACACS+ authentication to work with the
> Aruba wireless controller? Thanks!

try with -d 16

#define DEBUG_PARSE_FLAG	2
#define DEBUG_FORK_FLAG		4
#define DEBUG_AUTHOR_FLAG	8
#define DEBUG_AUTHEN_FLAG	16
#define DEBUG_PASSWD_FLAG	32
#define DEBUG_ACCT_FLAG		64
#define DEBUG_CONFIG_FLAG	128
#define DEBUG_PACKET_FLAG	256
#define DEBUG_HEX_FLAG		512
#define DEBUG_MD5_HASH_FLAG	1024
#define DEBUG_XOR_FLAG		2048
#define DEBUG_CLEAN_FLAG	4096
#define DEBUG_SUBST_FLAG	8192
#define DEBUG_PROXY_FLAG	16384
#define DEBUG_MAXSESS_FLAG	32768
#define DEBUG_LOCK_FLAG		65536

> Steve.
>
> Steven Goto
> University of Hawaii

pay for me to come over to help debug?

From john at sackheads.org Tue Nov 30 04:52:16 2010
From: john at sackheads.org (John Payne)
Date: Mon, 29 Nov 2010 23:52:16 -0500
Subject: [tac_plus] TACACS+ with Aruba Wireless Controller
In-Reply-To: <4CF3F1AC.8080607@hawaii.edu>
References: <4CF3F1AC.8080607@hawaii.edu>
Message-ID:

On Nov 29, 2010, at 1:32 PM, Steven Goto wrote:

> Hi tac_plus,
>
> I've been trying to get our Aruba wireless controller running ArubaOS 3.4.2.5 to work with the Shrubbery Networks TACACS+ server for a number of weeks now; I've been going back and forth with Aruba Support but I think I've gone as far as I can go with them since they have no solution. TACACS+ accounting works but the authentication doesn't; Wireshark captures show the authentication failing and there are no service names or role definitions (like for AirWave AMP from tacacs.org, which we are successfully using) that Aruba is aware of. Are there any tips you may have for getting TACACS+ authentication to work with the Aruba wireless controller? Thanks!
Authentication works for me, but not straight to enable mode :(

I have a number of Aruba WCs on different versions, but none on 3.4.2.5 :) The closest is 3.4.2.0:

aaa tacacs-accounting server-group TACACS mode enable command all

aaa authentication-server tacacs "server1"
   host 10.1.2.3
   key foo

aaa server-group "TACACS"
   auth-server server1

aaa authentication mgmt
   server-group "TACACS"
   enable

From sgoto at hawaii.edu Tue Nov 30 16:45:17 2010
From: sgoto at hawaii.edu (Steven Goto)
Date: Tue, 30 Nov 2010 06:45:17 -1000
Subject: [tac_plus] TACACS+ with Aruba Wireless Controller
In-Reply-To:
References: <4CF3F1AC.8080607@hawaii.edu>
Message-ID: <4CF52A1D.5050306@hawaii.edu>

John P.,

Thanks for sending your Aruba config; your ArubaOS version is pretty close to ours and our config matches yours, so there must be something else we are doing in between the controller & TACACS+ that is preventing the authentication from working. I've checked all the obvious things (ACLs, etc.) so I'll need to try the debug that John H. suggested and perhaps triple-check things again. The main thing is that you have it working, which is great to know--thanks again!

Steve.

On 11/29/10 6:52 PM, John Payne wrote:
> On Nov 29, 2010, at 1:32 PM, Steven Goto wrote:
>
>> Hi tac_plus,
>>
>> I've been trying to get our Aruba wireless controller running ArubaOS 3.4.2.5 to work with the Shrubbery Networks TACACS+ server for a number of weeks now; I've been going back and forth with Aruba Support but I think I've gone as far as I can go with them since they have no solution. TACACS+ accounting works but the authentication doesn't; Wireshark captures show the authentication failing and there are no service names or role definitions (like for AirWave AMP from tacacs.org, which we are successfully using) that Aruba is aware of. Are there any tips you may have for getting TACACS+ authentication to work with the Aruba wireless controller? Thanks!
> Authentication works for me, but not straight to enable mode :(
>
> I have a number of Aruba WCs on different versions, but none on 3.4.2.5 :) The closest is 3.4.2.0:
>
>
> aaa tacacs-accounting server-group TACACS mode enable command all
>
> aaa authentication-server tacacs "server1"
>    host 10.1.2.3
>    key foo
>
> aaa server-group "TACACS"
>    auth-server server1
>
> aaa authentication mgmt
>    server-group "TACACS"
>    enable
>

From sgoto at hawaii.edu Tue Nov 30 16:31:30 2010
From: sgoto at hawaii.edu (Steven Goto)
Date: Tue, 30 Nov 2010 06:31:30 -1000
Subject: [tac_plus] TACACS+ with Aruba Wireless Controller
In-Reply-To: <20101129192113.GE11309@shrubbery.net>
References: <4CF3F1AC.8080607@hawaii.edu> <20101129192113.GE11309@shrubbery.net>
Message-ID: <4CF526E2.3060400@hawaii.edu>

John H.,

Thanks for the debug tip - I'll be sure to try that. At this point, I'm grateful to have anything to be able to try :-). I've learned a lot about TACACS+, but based on the amount of time I've spent so far, I wish I was able to pay for you to come over and help debug!

Thanks again!

Steve.

On 11/29/10 9:21 AM, john heasley wrote:
> Mon, Nov 29, 2010 at 08:32:12AM -1000, Steven Goto:
>> Hi tac_plus,
>>
>> I've been trying to get our Aruba wireless controller running ArubaOS
>> 3.4.2.5 to work with the Shrubbery Networks TACACS+ server for a number
>> of weeks now; I've been going back and forth with Aruba Support but I
>> think I've gone as far as I can go with them since they have no
>> solution. TACACS+ accounting works but the authentication doesn't;
>> Wireshark captures show the authentication failing and there are no
>> service names or role definitions (like for AirWave AMP from tacacs.org,
>> which we are successfully using) that Aruba is aware of. Are there any
>> tips you may have for getting TACACS+ authentication to work with the
>> Aruba wireless controller? Thanks!
> try with -d 16
>
> #define DEBUG_PARSE_FLAG 2
> #define DEBUG_FORK_FLAG 4
> #define DEBUG_AUTHOR_FLAG 8
> #define DEBUG_AUTHEN_FLAG 16
> #define DEBUG_PASSWD_FLAG 32
> #define DEBUG_ACCT_FLAG 64
> #define DEBUG_CONFIG_FLAG 128
> #define DEBUG_PACKET_FLAG 256
> #define DEBUG_HEX_FLAG 512
> #define DEBUG_MD5_HASH_FLAG 1024
> #define DEBUG_XOR_FLAG 2048
> #define DEBUG_CLEAN_FLAG 4096
> #define DEBUG_SUBST_FLAG 8192
> #define DEBUG_PROXY_FLAG 16384
> #define DEBUG_MAXSESS_FLAG 32768
> #define DEBUG_LOCK_FLAG 65536
>
>> Steve.
>>
>> Steven Goto
>> University of Hawaii
> pay for me to come over to help debug?

From alan.mckinnon at gmail.com Tue Nov 30 21:59:54 2010
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Tue, 30 Nov 2010 23:59:54 +0200
Subject: [tac_plus] TACACS+ with Aruba Wireless Controller
In-Reply-To: <20101129192113.GE11309@shrubbery.net>
References: <4CF3F1AC.8080607@hawaii.edu> <20101129192113.GE11309@shrubbery.net>
Message-ID: <201011302359.54675.alan.mckinnon@gmail.com>

Apparently, though unproven, at 21:21 on Monday 29 November 2010, john heasley did opine thusly:
> Mon, Nov 29, 2010 at 08:32:12AM -1000, Steven Goto:
> > Hi tac_plus,
> >
> > I've been trying to get our Aruba wireless controller running ArubaOS
> > 3.4.2.5 to work with the Shrubbery Networks TACACS+ server for a number
> > of weeks now; I've been going back and forth with Aruba Support but I
> > think I've gone as far as I can go with them since they have no
> > solution. TACACS+ accounting works but the authentication doesn't;
> > Wireshark captures show the authentication failing and there are no
> > service names or role definitions (like for AirWave AMP from tacacs.org,
> > which we are successfully using) that Aruba is aware of. Are there any
> > tips you may have for getting TACACS+ authentication to work with the
> > Aruba wireless controller? Thanks!
>
> try with -d 16
>
> #define DEBUG_PARSE_FLAG 2
> #define DEBUG_FORK_FLAG 4
> #define DEBUG_AUTHOR_FLAG 8
> #define DEBUG_AUTHEN_FLAG 16
> #define DEBUG_PASSWD_FLAG 32
> #define DEBUG_ACCT_FLAG 64
> #define DEBUG_CONFIG_FLAG 128
> #define DEBUG_PACKET_FLAG 256
> #define DEBUG_HEX_FLAG 512
> #define DEBUG_MD5_HASH_FLAG 1024
> #define DEBUG_XOR_FLAG 2048
> #define DEBUG_CLEAN_FLAG 4096
> #define DEBUG_SUBST_FLAG 8192
> #define DEBUG_PROXY_FLAG 16384
> #define DEBUG_MAXSESS_FLAG 32768
> #define DEBUG_LOCK_FLAG 65536

This list is good info. Can it be added to the next man page in the next release please? The current man page has only a subset, (or maybe it's the subset of values that are actually useful, I'm not sure which)

--
alan dot mckinnon at gmail dot com

From heas at shrubbery.net Tue Nov 30 23:02:24 2010
From: heas at shrubbery.net (john heasley)
Date: Tue, 30 Nov 2010 23:02:24 +0000
Subject: [tac_plus] TACACS+ with Aruba Wireless Controller
In-Reply-To: <201011302359.54675.alan.mckinnon@gmail.com>
References: <4CF3F1AC.8080607@hawaii.edu> <20101129192113.GE11309@shrubbery.net> <201011302359.54675.alan.mckinnon@gmail.com>
Message-ID: <20101130230223.GM9994@shrubbery.net>

Tue, Nov 30, 2010 at 11:59:54PM +0200, Alan McKinnon:
> This list is good info. Can it be added to the next man page in the next
> release please? The current man page has only a subset, (or maybe it's the
> subset of values that are actually useful, I'm not sure which)
>

it's already there.
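A small helper, added here as an example and not part of the list thread or of the tac_plus source, that composes a -d value from the DEBUG_*_FLAG bits quoted above and decodes a -d value back into flag names (so that "-d 16" reads as authentication debugging, and an authen+packet+hex trace can be requested in one number). It assumes -d takes the bitwise OR (sum) of those flag values; the function names are my own.

```python
# Added example: compose/decode tac_plus "-d" debug levels from the
# DEBUG_*_FLAG values quoted in the thread.  Assumption: -d is the
# bitwise OR (sum) of the flag bits.  Helper names are hypothetical.

DEBUG_FLAGS = {
    "PARSE": 2,
    "FORK": 4,
    "AUTHOR": 8,
    "AUTHEN": 16,
    "PASSWD": 32,
    "ACCT": 64,
    "CONFIG": 128,
    "PACKET": 256,
    "HEX": 512,
    "MD5_HASH": 1024,
    "XOR": 2048,
    "CLEAN": 4096,
    "SUBST": 8192,
    "PROXY": 16384,
    "MAXSESS": 32768,
    "LOCK": 65536,
}

KNOWN_BITS = sum(DEBUG_FLAGS.values())  # every bit the table accounts for


def debug_level(*names):
    """Return the -d value that enables the named flags (OR of their bits)."""
    level = 0
    for name in names:
        level |= DEBUG_FLAGS[name]  # KeyError on a flag name not in the list
    return level


def decode_level(level):
    """Split a -d value into (enabled flag names, leftover unknown bits).

    Names come out lowest bit first; leftover bits are ones the quoted
    list does not define (for instance bit 1), returned so they are not
    silently dropped.
    """
    names = [n for n, v in sorted(DEBUG_FLAGS.items(), key=lambda kv: kv[1])
             if level & v]
    unknown = level & ~KNOWN_BITS
    return names, unknown


if __name__ == "__main__":
    lvl = debug_level("AUTHEN", "PACKET", "HEX")
    print(f"tac_plus -d {lvl}")  # tac_plus -d 784
    print(decode_level(16))      # (['AUTHEN'], 0)
```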
