From mailfuerklaus at googlemail.com Tue Aug 2 16:53:33 2011
From: mailfuerklaus at googlemail.com (Klaus)
Date: Tue, 2 Aug 2011 18:53:33 +0200
Subject: [tac_plus] Problems compiling tac_plus 5.0.0a1
Message-ID:

Hi,

i just want to report a compile error:

i tried to compile tac_plus 5.0.0a1 on Freebsd 8.2. When running "make install", that process ends up with the following error message:

c -DHAVE_CONFIG_H -I. -g -O2 -D_THREAD_SAFE -pthread -MT encrypt.o -MD -MP -MF .deps/encrypt.Tpo -c -o encrypt.o encrypt.c
mv -f .deps/encrypt.Tpo .deps/encrypt.Po
gcc -DHAVE_CONFIG_H -I. -g -O2 -D_THREAD_SAFE -pthread -MT expire.o -MD -MP -MF .deps/expire.Tpo -c -o expire.o expire.c
mv -f .deps/expire.Tpo .deps/expire.Po
gcc -DHAVE_CONFIG_H -I. -g -O2 -D_THREAD_SAFE -pthread -MT hash.o -MD -MP -MF .deps/hash.Tpo -c -o hash.o hash.c
mv -f .deps/hash.Tpo .deps/hash.Po
gcc -DHAVE_CONFIG_H -I. -g -O2 -D_THREAD_SAFE -pthread -MT maxsessint.o -MD -MP -MF .deps/maxsessint.Tpo -c -o maxsessint.o maxsessint.c
maxsessint.c: In function 'maxsess_check_count':
maxsessint.c:60: error: 'S_maxsess' undeclared (first use in this function)
maxsessint.c:60: error: (Each undeclared identifier is reported only once
maxsessint.c:60: error: for each function it appears in.)
*** Error code 1

Stop in /usr/home/netadmin1/_storage/tacacs+-F5.0.0a1.
[netadmin1 at bsdmon ~/_storage/tacacs+-F5.0.0a1]$

Best regards
Klaus

From heas at shrubbery.net Mon Aug 8 19:22:38 2011
From: heas at shrubbery.net (john heasley)
Date: Mon, 8 Aug 2011 19:22:38 +0000
Subject: [tac_plus] Problems compiling tac_plus 5.0.0a1
In-Reply-To:
References:
Message-ID: <20110808192238.GN11565@shrubbery.net>

Tue, Aug 02, 2011 at 06:53:33PM +0200, Klaus:
> Hi,
> i just want to report a compile error:
>
> i tried to compile tac_plus 5.0.0a1 on Freebsd 8.2. When running "make
> install", that process ends up with the following error message:

thanks

Index: maxsessint.c
===================================================================
--- maxsessint.c	(revision 3424)
+++ maxsessint.c	(working copy)
@@ -48,6 +48,7 @@
 /*
  * See if this user can have more sessions.
  */
+#ifdef MAXSESS
 int
 maxsess_check_count(char *user, struct author_data *data)
 {
@@ -107,3 +108,4 @@
     }
     return(0);
 }
+#endif

From ozgurumutvurgun at gmail.com Mon Aug 8 08:31:06 2011
From: ozgurumutvurgun at gmail.com (özgür umut vurgun)
Date: Mon, 8 Aug 2011 11:31:06 +0300
Subject: [tac_plus] Ftp not working
Message-ID:

Hi,

I'd like to download tac_plus but the FTP server is not working. How can I download it? Can you please send a link for download?

Thanks...
Özgür...

From johns at idsno.net Mon Aug 15 17:02:29 2011
From: johns at idsno.net (John Souvestre)
Date: Mon, 15 Aug 2011 12:02:29 -0500
Subject: [tac_plus] FW: Undeliverable mail: RE: confirm 726d7d86cb03aaf42133e177afa7a79721dc475b
In-Reply-To:
References:
Message-ID: <00c301cc5b6d$1dd939c0$598bad40$@idsno.net>

Hi.

There seems to be a problem when subscribing to the 'tac_plus-announce-request at shrubbery.net' list.

Regards,

John

John Souvestre - Integrated Data Systems - (504) 355-0609

-----Original Message-----
From: MAILER-DAEMON at mail.idsno.net [mailto:MAILER-DAEMON at mail.idsno.net]
Sent: Monday, August 15, 2011 11:53 am
To: johns at idsno.net
Subject: Undeliverable mail: RE: confirm 726d7d86cb03aaf42133e177afa7a79721dc475b

Failed to deliver to 'tac_plus-announce-request at shrubbery.net'
SMTP module(domain @206.41.40.247|shrubbery.net) reports:
host guelah.shrubbery.net says:
550 5.1.1 : Recipient address rejected: User unknown in local recipient table

From alan.mckinnon at gmail.com Mon Aug 15 18:08:04 2011
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Mon, 15 Aug 2011 20:08:04 +0200
Subject: [tac_plus] Ftp not working
In-Reply-To:
References:
Message-ID: <3601089.ZezSvyp1uK@nazgul>

On Mon 08 August 2011 11:31:06 özgür umut vurgun did opine thusly:
> Hi,
>
> I'd like to download tac_plus but the FTP server is not working. How can I
> download it? Can you please send a link for download?

Feel free to grab a copy from my mirror:

ftp://ftp.is.co.za/mirror/gentoo.org/distfiles/tacacs+-F4.0.4.19.tar.gz

Gentoo and FreeBSD distfiles are often the easiest way to find sources on mirrors :-)

Adapt the version numbers to suit the one you want, 14 through 19 should all be there (according to portage)

--
alan dot mckinnon at gmail dot com

From mkeselman at m5net.com Thu Aug 18 16:22:42 2011
From: mkeselman at m5net.com (Mike Keselman)
Date: Thu, 18 Aug 2011 12:22:42 -0400
Subject: [tac_plus] question
Message-ID:

Hi,

I am running tacacs+ version tacacs+-F4.0.4.19-1 in my environment. I am having issues configuring Cisco commands within the daemon. Currently my cisco gear has privilege 5 permission configured for a subset of commands. I have to move those commands to a central place as opposed to having them on each device. Any help would be appreciated.

Sample of what is configured is below

group = test {
    # description: test group
    default service = deny
    service = exec {
        priv-lvl = 5
    }
}

user = tactest {
    login = cleartext tac

    member = test

    cmd = configure { permit terminal }
    cmd = show {
        permit .*
    }
}

Thanks,

--
Mike Keselman
M5 Networks, Inc.
Phone: (646)747-1632
www.m5net.com

From heas at shrubbery.net Thu Aug 18 19:09:34 2011
From: heas at shrubbery.net (john heasley)
Date: Thu, 18 Aug 2011 19:09:34 +0000
Subject: [tac_plus] question
In-Reply-To:
References:
Message-ID: <20110818190934.GA29724@shrubbery.net>

Thu, Aug 18, 2011 at 12:22:42PM -0400, Mike Keselman:
> Hi,
>
> I am running tacacs+ version tacacs+-F4.0.4.19-1 in my environment. I am
> having issues configuring Cisco commands within the daemon. Currently my
> cisco gear has privilege 5 permission configured for a subset of commands. I
> have to move those commands to a central place as opposed to having them on
> each device. Any help would be appreciated.
>
> Sample of what is configured is below
>
>
> group = test {
>     # description: test group
>     default service = deny
>     service = exec {
>         priv-lvl = 5
>     }
> }
>
> user = tactest {
>     login = cleartext tac
>
>     member = test
>
>     cmd = configure { permit terminal }
>     cmd = show {
>         permit .*
>     }
> }

i don't know if those commands will work with level 5.

but suspect your problem is the authorization configuration on the router.

eg:
# group = RO {
#     service = exec {
#         priv-lvl=15
#     }
#     cmd = show {
#         permit run
#         permit version
#         permit install
#         permit env
#         permit gsr
#         permit boot
#         permit bootvar
#         permit flash
#         permit controllers
#         permit controllers
#         permit diagbus
#         permit diag
#         permit c7200
#         deny .*
#     }
#     cmd = write {
#         permit term
#         deny .*
#     }
#     cmd = dir {
#         permit /all
#         deny .*
#     }
# }

From mkeselman at m5net.com Thu Aug 18 19:22:06 2011
From: mkeselman at m5net.com (Mike Keselman)
Date: Thu, 18 Aug 2011 15:22:06 -0400
Subject: [tac_plus] question
In-Reply-To: <20110818190934.GA29724@shrubbery.net>
References: <20110818190934.GA29724@shrubbery.net>
Message-ID:

John,

Thank you for the reply. The following is configured on my router, can you tell me if anything is incorrect

aaa group server tacacs+ tacServers
 server 10.10.10.10
!
aaa authentication banner ^CCUnauthorized Access Prohibited^C
aaa authentication fail-message ^CCFailed login. Try again.^C
aaa authentication login default group tacServers enable
aaa authorization console
aaa authorization exec default group tacServers if-authenticated
aaa authorization exec console group tacServers if-authenticated
aaa accounting exec default start-stop group tacServers
aaa accounting commands 1 default start-stop group tacServers
aaa accounting commands 2 default start-stop group tacServers
aaa accounting commands 5 default start-stop group tacServers
aaa accounting commands 15 default start-stop group tacServers

On Thu, Aug 18, 2011 at 3:09 PM, john heasley wrote:

> Thu, Aug 18, 2011 at 12:22:42PM -0400, Mike Keselman:
> > Hi,
> >
> > I am running tacacs+ version tacacs+-F4.0.4.19-1 in my environment. I am
> > having issues configuring Cisco commands within the daemon. Currently my
> > cisco gear has privilege 5 permission configured for a subset of commands. I
> > have to move those commands to a central place as opposed to having them on
> > each device. Any help would be appreciated.
> >
> > Sample of what is configured is below
> >
> >
> > group = test {
> >     # description: test group
> >     default service = deny
> >     service = exec {
> >         priv-lvl = 5
> >     }
> > }
> >
> > user = tactest {
> >     login = cleartext tac
> >
> >     member = test
> >
> >     cmd = configure { permit terminal }
> >     cmd = show {
> >         permit .*
> >     }
> > }
>
> i don't know if those commands will work with level 5.
>
> but suspect your problem is the authorization configuration on the router.
>
> eg:
> # group = RO {
> #     service = exec {
> #         priv-lvl=15
> #     }
> #     cmd = show {
> #         permit run
> #         permit version
> #         permit install
> #         permit env
> #         permit gsr
> #         permit boot
> #         permit bootvar
> #         permit flash
> #         permit controllers
> #         permit controllers
> #         permit diagbus
> #         permit diag
> #         permit c7200
> #         deny .*
> #     }
> #     cmd = write {
> #         permit term
> #         deny .*
> #     }
> #     cmd = dir {
> #         permit /all
> #         deny .*
> #     }
> # }
>

--
Mike Keselman
M5 Networks, Inc.
Phone: (646)747-1632
www.m5net.com

From heas at shrubbery.net Thu Aug 18 21:56:17 2011
From: heas at shrubbery.net (john heasley)
Date: Thu, 18 Aug 2011 21:56:17 +0000
Subject: [tac_plus] question
In-Reply-To:
References: <20110818190934.GA29724@shrubbery.net>
Message-ID: <20110818215616.GL29724@shrubbery.net>

Thu, Aug 18, 2011 at 03:22:06PM -0400, Mike Keselman:
> John,
>
> Thank you for the reply. The following is configured on my router, can you
> tell me if anything is incorrect

looks ok. enable the debug (-d) in tacacs for authorization to debug the problem. see the manpage

From daniel.schmidt at wyo.gov Thu Aug 18 22:29:35 2011
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Thu, 18 Aug 2011 16:29:35 -0600
Subject: [tac_plus] question
In-Reply-To:
References:
Message-ID:

Use authorization and configure all the commands on the tac_plus server, not on the router with privilege levels.

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Mike Keselman
Sent: Thursday, August 18, 2011 10:23 AM
To: tac_plus at shrubbery.net
Subject: [tac_plus] question

Hi,

I am running tacacs+ version tacacs+-F4.0.4.19-1 in my environment. I am having issues configuring Cisco commands within the daemon. Currently my cisco gear has privilege 5 permission configured for a subset of commands. I have to move those commands to a central place as opposed to having them on each device. Any help would be appreciated.

Sample of what is configured is below

group = test {
    # description: test group
    default service = deny
    service = exec {
        priv-lvl = 5
    }
}

user = tactest {
    login = cleartext tac

    member = test

    cmd = configure { permit terminal }
    cmd = show {
        permit .*
    }
}

Thanks,

--
Mike Keselman
M5 Networks, Inc.
Phone: (646)747-1632
www.m5net.com

_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

From ozgurumutvurgun at gmail.com Mon Aug 22 14:48:14 2011
From: ozgurumutvurgun at gmail.com (özgür umut vurgun)
Date: Mon, 22 Aug 2011 17:48:14 +0300
Subject: [tac_plus] TACACS+ Installation Problem
Message-ID:

Hi All,

I am a newbie and I am looking for detailed documents on Tacacs+. I couldn't install tac_plus. I have read pam_guide.txt but I couldn't find the tac_plus configuration file. I am waiting for help.

Thanks
Ozgur....

From daniel.schmidt at wyo.gov Mon Aug 22 14:56:38 2011
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Mon, 22 Aug 2011 08:56:38 -0600
Subject: [tac_plus] TACACS+ Installation Problem
In-Reply-To:
References:
Message-ID:

There are some examples here http://www.shrubbery.net/tac_plus/ and here http://tacacs.org/

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of özgür umut vurgun
Sent: Monday, August 22, 2011 8:48 AM
To: tac_plus at shrubbery.net
Subject: [tac_plus] TACACS+ Installation Problem

Hi All,

I am a newbie and I am looking for detailed documents on Tacacs+. I couldn't install tac_plus. I have read pam_guide.txt but I couldn't find the tac_plus configuration file. I am waiting for help.

Thanks
Ozgur....

From morty+tac_plus at frakir.org Tue Aug 30 16:42:35 2011
From: morty+tac_plus at frakir.org (Morty Abzug)
Date: Tue, 30 Aug 2011 12:42:35 -0400
Subject: [tac_plus] tac_plus configuration based on source IP
Message-ID: <20110830164235.GE3199@red-sonja>

I have a variety of Cisco devices that require mutually incompatible values in a certain TACACS+ attribute, Cisco-AVPair. The way I have dealt with this in the RADIUS world is with huntgroups -- I assign our engineer group on huntgroup1 to have Cisco-AVPair set to shell:roles=network-admin, while by default, the engineer group gets shell:priv-lvl=15. Unfortunately, my usual RADIUS solution isn't working. We also have tac_plus, so I fired that up, and realized that I had a similar problem -- we already have one Cisco device type that requires a conflicting attribute. With tac_plus, I have no idea at all of how to work around this, i.e. what the tac_plus equivalent of a huntgroup is. I tried this:

group = engineer {
    pap = PAM
    service = exec {
        shell:roles="network-admin"
        acl = 1010_application
    }
    service = exec {
        shell:roles="admin"
        acl = fabric_interconnect
    }
}

No joy. Each of those stanzas works individually, but the two together cause unhappiness. Is there a solution?

Thanks.

- Morty

From heas at shrubbery.net Tue Aug 30 17:18:53 2011
From: heas at shrubbery.net (john heasley)
Date: Tue, 30 Aug 2011 17:18:53 +0000
Subject: [tac_plus] tac_plus configuration based on source IP
In-Reply-To: <20110830164235.GE3199@red-sonja>
References: <20110830164235.GE3199@red-sonja>
Message-ID: <20110830171853.GG13391@shrubbery.net>

Tue, Aug 30, 2011 at 12:42:35PM -0400, Morty Abzug:
> I have a variety of Cisco devices that require mutually incompatible
> values in a certain TACACS+ attribute, Cisco-AVPair. The way I have
> dealt with this in the RADIUS world is with huntgroups -- I assign our
> engineer group on huntgroup1 to have Cisco-AVPair set to
> shell:roles=network-admin, while by default, the engineer group gets
> shell:priv-lvl=15. Unfortunately, my usual RADIUS solution isn't
> working. We also have tac_plus, so I fired that up, and realized that
> I had a similar problem -- we already have one Cisco device type that
> requires a conflicting attribute. With tac_plus, I have no idea at
> all of how to work around this, i.e. what the tac_plus equivalent of a
> huntgroup is. I tried this:

I think that you ought to be able to do this with a before authorization script. See Daniel's example python script.

> group = engineer {
>     pap = PAM
>     service = exec {
>         shell:roles="network-admin"
>         acl = 1010_application
>     }
>     service = exec {
>         shell:roles="admin"
>         acl = fabric_interconnect
>     }
> }
>
> No joy. Each of those stanzas works individually, but the two
> together cause unhappiness. Is there a solution?
>
> Thanks.
>
> - Morty

From daniel.schmidt at wyo.gov Tue Aug 30 17:55:51 2011
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Tue, 30 Aug 2011 11:55:51 -0600
Subject: [tac_plus] tac_plus configuration based on source IP
In-Reply-To: <20110830171853.GG13391@shrubbery.net>
References: <20110830164235.GE3199@red-sonja> <20110830171853.GG13391@shrubbery.net>
Message-ID: <4adb343f1f92db50ae915e4db5c0abde@mail.gmail.com>

Example doesn't currently do what you want. That said, I have often thought about adding something exactly like this to append or modify the pairs. (Even listed in "TO DO" section) I messed around with a wireless controller but, even when returning the pairs unaltered, it seemed to be unhappy on an exit code 2 so I got frustrated and gave up. It shouldn't be too hard to add if you uncomment the "print tac pairs" section and send me the log file results for each.

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of john heasley
Sent: Tuesday, August 30, 2011 11:19 AM
To: Morty Abzug
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] tac_plus configuration based on source IP

Tue, Aug 30, 2011 at 12:42:35PM -0400, Morty Abzug:
> I have a variety of Cisco devices that require mutually incompatible
> values in a certain TACACS+ attribute, Cisco-AVPair. The way I have
> dealt with this in the RADIUS world is with huntgroups -- I assign our
> engineer group on huntgroup1 to have Cisco-AVPair set to
> shell:roles=network-admin, while by default, the engineer group gets
> shell:priv-lvl=15. Unfortunately, my usual RADIUS solution isn't
> working. We also have tac_plus, so I fired that up, and realized that
> I had a similar problem -- we already have one Cisco device type that
> requires a conflicting attribute. With tac_plus, I have no idea at
> all of how to work around this, i.e. what the tac_plus equivalent of a
> huntgroup is. I tried this:

I think that you ought to be able to do this with a before authorization script. See Daniel's example python script.

> group = engineer {
>     pap = PAM
>     service = exec {
>         shell:roles="network-admin"
>         acl = 1010_application
>     }
>     service = exec {
>         shell:roles="admin"
>         acl = fabric_interconnect
>     }
> }
>
> No joy. Each of those stanzas works individually, but the two
> together cause unhappiness. Is there a solution?
>
> Thanks.
>
> - Morty

From morty+tac_plus at frakir.org Wed Aug 31 11:52:10 2011
From: morty+tac_plus at frakir.org (Morty Abzug)
Date: Wed, 31 Aug 2011 07:52:10 -0400
Subject: [tac_plus] tac_plus configuration based on source IP
In-Reply-To: <4adb343f1f92db50ae915e4db5c0abde@mail.gmail.com>
References: <20110830164235.GE3199@red-sonja> <20110830171853.GG13391@shrubbery.net> <4adb343f1f92db50ae915e4db5c0abde@mail.gmail.com>
Message-ID: <20110831115210.GF3199@red-sonja>

On Tue, Aug 30, 2011 at 11:55:51AM -0600, Daniel Schmidt wrote:
> Example doesn't currently do what you want. That said, I have often
> thought about adding something exactly like this to append or modify the
> pairs. (Even listed in "TO DO" section) I messed around with a wireless
> controller but, even when returning the pairs unaltered, it seemed to be
> unhappy on an exit code 2 so I got frustrated and gave up. It shouldn't be
> too hard to add if you uncomment the "print tac pairs" section and send me
> the log file results for each.

Thanks. What is the most recent version of this script? The one I find via google is at:

http://www.pastie.org/2420212

Is that the one I should use?

- Morty

From heas at shrubbery.net Wed Aug 31 15:30:44 2011
From: heas at shrubbery.net (john heasley)
Date: Wed, 31 Aug 2011 15:30:44 +0000
Subject: [tac_plus] tac_plus configuration based on source IP
In-Reply-To: <20110831115210.GF3199@red-sonja>
References: <20110830164235.GE3199@red-sonja> <20110830171853.GG13391@shrubbery.net> <4adb343f1f92db50ae915e4db5c0abde@mail.gmail.com> <20110831115210.GF3199@red-sonja>
Message-ID: <20110831153044.GC16427@shrubbery.net>

Wed, Aug 31, 2011 at 07:52:10AM -0400, Morty Abzug:
> What is the most recent version of this script? The one I find via

afaik, the attached.

-------------- next part --------------
#!/usr/bin/python
# Program I threw together to do the things tac_plus won't
# It will allow very granular control.  More examples on tacacs.org
# History:
# Version 1.1
#   Simple typo - a stray 's' botched a deny statement
# Version 1.2
#   Did you know a firewall doesn't end its commands with a ?
# Version 1.3
#   Needs a default user.  If most of your users have the same access,
#   and you have a default access in tac_plus.conf, you need it here as
#   well.
# Version 1.4
#   CRS doesn't send $address when in conf t
#   Added -fix_crs_bug as a simple/stupid workaround
# Version 1.5
#   Mistake in the example, thanks to aojea
# Version 1.6
#   Added support for other services besides service=shell
#   (ie - they work, but they match on IP/Source only.  If you have
#   examples of pairs other than cmd to match on, please bring them
#   to my attention)
# TO DO (If anybody bothers to request them)
#   Possible web front end - simple cgi shouldn't be too hard to write
#   Option to replace or append returned tac_pairs might be nice
#   Write a better option parser to ignore options not sent (See CRS Bug)

'''
do_auth.py [-options]
Version 1.6
do_auth is a python program I wrote to work as an authorization script for
tacacs to allow greater flexibility in tacacs authentication.  It allows
a user to be part of many predefined groups that can allow different
access to different devices based on ip, user, and source address.
Do not play with do_auth until you have a firm grasp on tac_plus!

-u  Username.  Mandatory.  $user
-i  Ip address of user.  Optional.  If not specified, all host_ entries
    are ignored and can be omitted.  $address
    **Note: If you use IOS-XR, you MUST add -fix_crs_bug after $address
    due to a bug in IOS-XR
-d  Device address.  Optional.  If not specified, all device_ entries
    are ignored and can be omitted.  $name
-f  Config Filename.  Default is do_auth.ini.
-l  Logfile.  Default is log.txt.
-D  Debug mode.  Allows you to call the program without reading
    from stdin.  Useful to test your configuration before going
    live.  Sets a default command of "show users wides".

Groups are assigned to users in the [users] section.  A user must
be assigned to one or more groups, one per line.  Groups are defined
in brackets, but can be any name.  Each group can have up to 6 options
as defined below.

host_deny       Deny any user coming from this host.  Optional.
host_allow      Allow users from this range.  Mandatory if -i is specified.
device_deny     Deny any device with this IP.  Optional.
device_permit   Allow this range.  Mandatory if -d is specified
command_deny    Deny these commands.  Optional.
command_permit  Allow these commands.  Mandatory.

The options are parsed in order till a match is found.  Obviously, for
login, the commands section is not parsed.  If a match is not found,
or a deny is found, we move on to the next group.  At the end, we have
an implicit deny if no groups match.

All tacacs keys passed on login to do_auth are returned.  (except cmd*)
It is possible to modify them, but I haven't implemented this yet as I
don't need it.  Future versions may have an av_pair & append_av_pair
option.

A simple example is as follows.

[users]
homer =
    simpson_group
    television_group
stimpy =
    television_group

[simpson_group]
host_deny =
    1.1.1.1
    1.1.1.2
host_allow =
    1.1.1.*
device_permit =
    10.1.1.*
command_permit =
    .*

[television_group]
host_allow =
    .*
device_permit =
    .*
command_permit =
    show.*

Example tacacs line: after authorization "/usr/bin/python /root/do_auth.pyc -i $address -fix_crs_bug -u $user -d $name -l /root/log.txt -f /root/do_auth.ini"
(that's one line)

BUGS: You must know your regular expressions.  If you enter a bad
expression, such as *. instead of .*, python re will freak out and
not evaluate the expression.

CAVEATS: One group can not take away what another group grants.
If a match is not found, it will go on to the next group.  If a
deny is matched, it will go on to the next group.
Order is crucial - the groups should go from more specific to less
specific.  In the above example, if television_group was put before
simpson_group, simpson_group would never be called because
television_group catches everything in device_permit.

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License version 3 or
any later version as published by the Free Software Foundation,
http://www.gnu.org/

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

Written by Dan Schmidt
'''

import sys,re,getopt,ConfigParser
from time import strftime

# I really don't want to deal with these exceptions more than once
# filename is only used in log statements
def get_attribute(config, the_section, the_option, log_file, filename):
    if not config.has_section(the_section):
        log_file.write(strftime("%Y-%m-%d %H:%M:%S: ") + "Error: Section '%s' does not exist in %s\n" % (the_section, filename))
        sys.exit(1)
    if not config.has_option(the_section, the_option):
        log_file.write(strftime("%Y-%m-%d %H:%M:%S: ") + "Error: Option '%s' does not exist in section %s in file %s\n" % (the_option, the_section, filename))
        sys.exit(1)
    #Should not have any exceptions - BUT, just in case
    try:
        attributes = config.get(the_section, the_option)
    except ConfigParser.NoSectionError:
        log_file.write(strftime("%Y-%m-%d %H:%M:%S: ") + "Error: Section '%s' Doesn't Exist!\n" % (the_section))
        sys.exit(1)
    except ConfigParser.DuplicateSectionError:
        log_file.write(strftime("%Y-%m-%d %H:%M:%S: ") + "Error: Duplicate section '%s'\n" % (the_section))
        sys.exit(1)
    except ConfigParser.NoOptionError:
        log_file.write(strftime("%Y-%m-%d %H:%M:%S: ") + "Error: '%s' not found in section '%s'\n" % (the_option, the_section))
        sys.exit(1)
    #To do: finish exceptions.
    except ConfigParser.ParsingError:
        log_file.write(strftime("%Y-%m-%d %H:%M:%S: ") + "Error: Can't parse file '%s'! (You got me)\n" % (filename))
        sys.exit(1)
    attributes = attributes.split('\n')
    #Strip empty lines
    attributes2 = []
    for line in attributes:
        if line:
            attributes2.append(line)
    return attributes2

# Can't make it part of get_attribute... oh well...
# We need some way to check to see if a username exists without exit(1)
def check_username(config, log_file, user_name):
    if not config.has_section('users'):
        log_file.write(strftime("%Y-%m-%d %H:%M:%S: ") + "Error: users section doesn't exist!")
        sys.exit(1)
    if config.has_option('users', user_name):
        return True
    else:
        return False

# If match item in our_list, true, else false
# Example - if deny section has a match for 10.1.1.1,
# return True, else False
# If the section doesn't exist, we assume an
# implicit deny/false
def match_it(the_section, the_option, match_item, config, log_file, filename):
    if config.has_option(the_section,the_option):
        our_list = get_attribute(config, the_section, the_option, log_file, filename)
        for item in our_list:
            #p = re.compile(item) Not necessary - we're only using it once
            if re.match(item,match_item):
                return True
    return False

def main():
    #Defaults
    filename = "do_auth.ini"
    log_name = "log.txt"
    user_name = ""
    ip_addr = ""
    device = ""
    is_debug = False

    argv = sys.argv
    try:
        optlist, args = getopt.getopt(sys.argv[1:], 'i:u:f:l:d:?:D', ['fix_crs_bug','?', '-?', 'help', 'Help'])
    except getopt.GetoptError, err:
        print str(err) # will print something like "option -a not recognized"
        print __doc__
        sys.exit(1)
    for (i, j) in optlist:
        if i == '-i':
            ip_addr = j
        elif i == '-u':
            user_name = j
        elif i == '-f':
            filename = j
        elif i == '-l':
            log_name = j
        elif i == '-d':
            device = j
        elif i in ('?', '-?', 'help', 'Help'):
            print __doc__
            sys.exit(1)
        elif i == '-D':
            is_debug = True
        else:
            print 'Unknown option:', i
            sys.exit(1)
    if len(argv) < 7:
        print __doc__
        sys.exit(1)
    log_file = open (log_name, "a")
    #DEBUG!  We at least got CALLED
    # log_file.write('Hello World!' + '\n')
    #read AV pairs
    av_pairs = []
    if not (is_debug):
        for line in sys.stdin:
            av_pairs.append(line)
    else:
        #Default Debug command is "show users wide"
        #Later versions will allow this to be set
        av_pairs.append("service=shell\n")
        av_pairs.append("cmd=show\n")
        av_pairs.append("cmd-arg=users\n")
        av_pairs.append("cmd-arg=wide\n")
        av_pairs.append("cmd-arg=\n")
    #DEBUG - print tac pairs
    # for item in av_pairs:
    #     log_file.write(item)

    # Function to make cmd's readable
    # Not very good, but will do for now
    # I don't use any other service other than shell to test!
    the_command = ""
    return_pairs = ""
    if (av_pairs[0] == "service=shell\n"):
        #Commands - Concatenate to a readable command
        if av_pairs[1].startswith("cmd="):
            our_command = av_pairs[1].split("=")
            the_command = our_command[1].strip('\n')
            if len(av_pairs) > 2:
                i = 2
                our_command = av_pairs[i].split("=")
                while not (our_command[1] == "\n"):
                    the_command = the_command + " " + our_command[1].strip('\n')
                    i = i + 1
                    if i == len(av_pairs): # Firewalls don't give a !!
                        break
                    our_command = av_pairs[i].split("=")
            #DEBUG - We got the command
            #log_file.write(the_command + '\n')
        #Login - Get av_pairs to pass back to tac_plus
        if av_pairs[1].startswith("cmd*"):  #Anybody know why it's "cmd*"?
            if len(av_pairs) > 2:
                return_pairs = av_pairs[2:]  #You have to strip the "cmd*" av-pair
    else:
        return_pairs = av_pairs

    if not user_name:
        log_file.write(strftime("%Y-%m-%d %H:%M:%S: ") + "Error: No username entered!\n")
        sys.exit(1)
    config = ConfigParser.SafeConfigParser()
    if not (filename in config.read(filename)):
        log_file.write(strftime("%Y-%m-%d %H:%M:%S: ") + "Error: Can't open/parse '%s'\n" % (filename))
        sys.exit(1)
    the_section = "users"
    # If the user doesn't exist, just use the default settings
    # Kind of a hack, but it works because we only get_attribute on user_name once.
    # We have the : in there which we can use to split if required
    if not check_username(config, log_file, user_name):
        user_name = (user_name + ":(default)")
        groups = get_attribute(config, "users", "default", log_file, filename)
    else:
        groups = get_attribute(config, "users", user_name, log_file, filename)

    for this_group in groups:
        if ip_addr:
            if match_it(this_group, "host_deny", ip_addr, config, log_file, filename):
                if this_group == groups[-1]:
                    log_file.write(strftime("%Y-%m-%d %H:%M:%S: ") + "User '%s' denied from source '%s' in '%s'->'%s'\n" % (user_name, ip_addr, this_group, "host_deny"))
                    sys.exit(1)
                else:
                    # HUM... afterthought.  We need it to continue if more groups exist
                    continue
            if not match_it(this_group, "host_allow", ip_addr, config, log_file, filename):
                #Stupid IOS-XR
                if ip_addr == "-fix_crs_bug":
                    pass
                elif this_group == groups[-1]:
                    log_file.write(strftime("%Y-%m-%d %H:%M:%S: ") + "User '%s' not allowed from source '%s' in '%s'->'%s'\n" % (user_name, ip_addr, this_group, "host_allow"))
                    sys.exit(1)
                else:
                    continue
        if device:
            if match_it(this_group, "device_deny", device, config, log_file, filename):
                if this_group == groups[-1]:
                    log_file.write(strftime("%Y-%m-%d %H:%M:%S: ") + "User '%s' denied access to device '%s' in '%s'->'%s'\n" % (user_name, device, this_group, "device_deny"))
                    sys.exit(1)
                else:
                    continue
            if not match_it(this_group, "device_permit", device, config, log_file, filename):
                if this_group == groups[-1]:
                    log_file.write(strftime("%Y-%m-%d %H:%M:%S: ") + "User '%s' not allowed access to device '%s' in '%s'->'%s'\n" % (user_name, device, this_group, "device_permit"))
                    sys.exit(1)
                else:
                    continue
        # The previous 4 statements are to deny, if we passed them, proceed
        # If we are logging in, return pairs, if not, go on to check the command
        # Yes, simply printing them is how you return them
        # First, let's make sure we're doing service = shell.  If not, just
        # allow it.  I currently have no knowledge of cmd's sent by other
        # services.
        if return_pairs:
            splt = return_pairs[0].split('=')
            if len(splt) > 1:
                if not splt[1].strip() == 'shell':
                    log_file.write(strftime("%Y-%m-%d %H:%M:%S: ") + "User '%s' granted non-shell access to device '%s' in group '%s' from '%s'\n" % (user_name, device, this_group, ip_addr))
                    sys.exit(0) # Don't even TRY to mess with the tac pairs
        #Proceed with shell stuff
        if not len(the_command) > 0:
            for item in return_pairs:
                print item.strip('\n')
            log_file.write(strftime("%Y-%m-%d %H:%M:%S: ") + "User '%s' granted access to device '%s' in group '%s' from '%s'\n" % (user_name, device, this_group, ip_addr))
            sys.exit(2)
        else: # Check command
            if match_it(this_group, "command_deny", the_command, config, log_file, filename):
                if this_group == groups[-1]:
                    log_file.write(strftime("%Y-%m-%d %H:%M:%S: ") + "User '%s' denied command '%s' to device '%s' in '%s'->'%s'\n" % (user_name, the_command, device, this_group, "command_deny"))
                    sys.exit(1)
                else:
                    continue
            elif match_it(this_group, "command_permit", the_command, config, log_file, filename):
                log_file.write(strftime("%Y-%m-%d %H:%M:%S: ") + "User '%s' allowed command '%s' to device '%s' in '%s'->'%s'\n" % (user_name, the_command, device, this_group, "command_permit"))
                sys.exit(0)
            else: #exit & log if last group
                if this_group == groups[-1]:
                    log_file.write(strftime("%Y-%m-%d %H:%M:%S: ") + "User '%s' not allowed command '%s' to device '%s' in any group\n" % (user_name, the_command, device))
                    #Hum... this only works if it's the last group/only group.
                    sys.exit(1)
                else:
                    continue
    #implicit deny at the end
    log_file.write(strftime("%Y-%m-%d %H:%M:%S: ") + "User '%s' not allowed access to device '%s' from '%s' in any group\n" % (user_name, device, ip_addr))
    sys.exit(1)

if __name__ == "__main__":
    main()

From dagmid_d at yahoo.com Wed Aug 31 06:56:02 2011
From: dagmid_d at yahoo.com (Dagia Dorjsuren)
Date: Tue, 30 Aug 2011 23:56:02 -0700 (PDT)
Subject: [tac_plus] about tacacs+
Message-ID: <1314773762.60899.YahooMailNeo@web33906.mail.mud.yahoo.com>

Hello,

I installed tac_plus on freebsd 8.1. But my tacacs server can't write log to log file. Could you advise me?

Best wishes,
Dagia

From daniel.schmidt at wyo.gov Wed Aug 31 15:35:25 2011
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Wed, 31 Aug 2011 09:35:25 -0600
Subject: [tac_plus] tac_plus configuration based on source IP
In-Reply-To: <20110831115210.GF3199@red-sonja>
References: <20110830164235.GE3199@red-sonja> <20110830171853.GG13391@shrubbery.net> <4adb343f1f92db50ae915e4db5c0abde@mail.gmail.com> <20110831115210.GF3199@red-sonja>
Message-ID: <0f11c363ee4aff6f768948e89669f886@mail.gmail.com>

Yeah, that's it. I usually try to keep it updated on tacacs.org, and John Heasley kindly keeps it updated in the tarball. Been meaning to add this functionality before now, but I didn't need it and few others use it. See line 267/268 about printing those tac pairs.

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Morty Abzug
Sent: Wednesday, August 31, 2011 5:52 AM
To: tac_plus at shrubbery.net
Subject: Re: [tac_plus] tac_plus configuration based on source IP

On Tue, Aug 30, 2011 at 11:55:51AM -0600, Daniel Schmidt wrote:
> Example doesn't currently do what you want. That said, I have often
> thought about adding something exactly like this to append or modify the
> pairs. (Even listed in "TO DO" section) I messed around with a wireless
> controller but, even when returning the pairs unaltered, it seemed to be
> unhappy on an exit code 2 so I got frustrated and gave up. It shouldn't be
> too hard to add if you uncomment the "print tac pairs" section and send me
> the log file results for each.

Thanks. What is the most recent version of this script? The one I find via google is at:

http://www.pastie.org/2420212

Is that the one I should use?

- Morty
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

From daniel.schmidt at wyo.gov Wed Aug 31 15:54:01 2011
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Wed, 31 Aug 2011 09:54:01 -0600
Subject: [tac_plus] WLC
Message-ID: <00c5395907962a5a3c7721215dacbf0f@mail.gmail.com>

Has anybody successfully returned the av-pairs for a wireless controller? I get the following returned:

service=ciscowlc
protocol=common
role1=ALL

Echoing these back with an exit code of 2 does not work though. I can see the service possibly needing to be stripped, but no combination of the last one, two or all will work. Any help appreciated!

From heas at shrubbery.net Wed Aug 31 15:57:25 2011
From: heas at shrubbery.net (john heasley)
Date: Wed, 31 Aug 2011 15:57:25 +0000
Subject: [tac_plus] WLC
In-Reply-To: <00c5395907962a5a3c7721215dacbf0f@mail.gmail.com>
References: <00c5395907962a5a3c7721215dacbf0f@mail.gmail.com>
Message-ID: <20110831155725.GJ16427@shrubbery.net>

Wed, Aug 31, 2011 at 09:54:01AM -0600, Daniel Schmidt:
> Has anybody successfully returned the av-pairs for a wireless controller? I
> get the following returned:
>
> service=ciscowlc
> protocol=common
> role1=ALL
>
> Echoing these back with an exit code of 2 does not work though. I can see
> the service possibly needing to be stripped, but no combination of the last
> one, two or all will work. Any help appreciated!

define "no combination ... will work". work in what manner? meaning that the daemon does not return them to the device or the device doesn't act upon them?

From daniel.schmidt at wyo.gov Wed Aug 31 16:15:41 2011
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Wed, 31 Aug 2011 10:15:41 -0600
Subject: [tac_plus] WLC
In-Reply-To: <20110831155725.GJ16427@shrubbery.net>
References: <00c5395907962a5a3c7721215dacbf0f@mail.gmail.com> <20110831155725.GJ16427@shrubbery.net>
Message-ID:

Thanks for your reply John. The device does not seem to act on them. I know they receive them, because my script returns priv levels (1, 15, etc.) to routers and that works just fine. I try stripping off the service, I try stripping off protocol and service - nothing works.

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Wednesday, August 31, 2011 9:57 AM
To: Daniel Schmidt
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] WLC

Wed, Aug 31, 2011 at 09:54:01AM -0600, Daniel Schmidt:
> Has anybody successfully returned the av-pairs for a wireless controller? I
> get the following returned:
>
> service=ciscowlc
> protocol=common
> role1=ALL
>
> Echoing these back with an exit code of 2 does not work though. I can see
> the service possibly needing to be stripped, but no combination of the last
> one, two or all will work. Any help appreciated!

define "no combination ... will work". work in what manner? meaning that the daemon does not return them to the device or the device doesn't act upon them?

From daniel.schmidt at wyo.gov Wed Aug 31 19:34:55 2011
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Wed, 31 Aug 2011 13:34:55 -0600
Subject: [tac_plus] WLC
In-Reply-To:
References: <00c5395907962a5a3c7721215dacbf0f@mail.gmail.com> <20110831155725.GJ16427@shrubbery.net>
Message-ID:

If any experts may have a minute to assist, this is driving me nuts:

Here's a standard working session without authorization script:

Wed Aug 31 13:30:33 2011 [2091]: connect from 1.1.1.1 [1.1.1.1]
Wed Aug 31 13:30:33 2011 [2091]: Start authorization request
Wed Aug 31 13:30:33 2011 [2091]: do_author: user='tester'
Wed Aug 31 13:30:33 2011 [2091]: user 'tester' found
Wed Aug 31 13:30:33 2011 [2091]: nas:service=ciscowlc (passed thru)
Wed Aug 31 13:30:33 2011 [2091]: nas:protocol=common (passed thru)
Wed Aug 31 13:30:33 2011 [2091]: nas:absent, server:role1=ALL -> add role1=ALL (k)
Wed Aug 31 13:30:33 2011 [2091]: added 1 args
Wed Aug 31 13:30:33 2011 [2091]: out_args[0] = service=ciscowlc input copy discarded
Wed Aug 31 13:30:33 2011 [2091]: out_args[1] = protocol=common input copy discarded
Wed Aug 31 13:30:33 2011 [2091]: out_args[2] = role1=ALL compacted to out_args[0]
Wed Aug 31 13:30:33 2011 [2091]: 1 output args
Wed Aug 31 13:30:33 2011 [2091]: authorization query for 'tester' unknown from 1.1.1.1 accepted

Here we have a standard session, where I return pairs, but exit(0) so it doesn't care what I'm spitting back & tester logs in just fine.

Wed Aug 31 12:34:30 2011 [21710]: connect from 1.1.1.1 [1.1.1.1]
Wed Aug 31 12:34:30 2011 [21710]: login query for 'tester' unknown-port from 1.1.1.1 accepted
Wed Aug 31 12:34:30 2011 [21711]: connect from 1.1.1.1 [1.1.1.1]
Wed Aug 31 12:34:30 2011 [21711]: Start authorization request
Wed Aug 31 12:34:30 2011 [21711]: do_author: user='tester'
Wed Aug 31 12:34:30 2011 [21711]: user 'tester' found
Wed Aug 31 12:34:30 2011 [21711]: nas:service=ciscowlc (passed thru)
Wed Aug 31 12:34:30 2011 [21711]: nas:protocol=common (passed thru)
Wed Aug 31 12:34:30 2011 [21711]: nas:absent, server:role1=ALL -> add role1=ALL (k)
Wed Aug 31 12:34:30 2011 [21711]: added 1 args
Wed Aug 31 12:34:30 2011 [21711]: out_args[0] = service=ciscowlc input copy discarded
Wed Aug 31 12:34:30 2011 [21711]: out_args[1] = protocol=common input copy discarded
Wed Aug 31 12:34:30 2011 [21711]: out_args[2] = role1=ALL compacted to out_args[0]
Wed Aug 31 12:34:30 2011 [21711]: 1 output args
Wed Aug 31 12:34:30 2011 [21711]: After authorization call: /usr/bin/python /root/do_auth_beta.py -i $address -fix_crs_bug -u $user -d $name -l /root/log2.txt -f /root/do_auth.ini
Wed Aug 31 12:34:30 2011 [21711]: substitute: /usr/bin/python /root/do_auth_beta.py -i $address -fix_crs_bug -u $user -d $name -l /root/log2.txt -f /root/do_auth.ini
Wed Aug 31 12:34:30 2011 [21711]: Dollar substitution: /usr/bin/python /root/do_auth_beta.py -i 2.2.2.2 -fix_crs_bug -u tester -d 1.1.1.1 -l /root/log2.txt -f /root/do_auth.ini
Wed Aug 31 12:34:30 2011 [21711]: input service=ciscowlc
Wed Aug 31 12:34:30 2011 [21711]: input protocol=common
Wed Aug 31 12:34:30 2011 [21711]: input role1=ALL
Wed Aug 31 12:34:30 2011 [21711]: output service=ciscowlc
Wed Aug 31 12:34:30 2011 [21711]: output protocol=common
Wed Aug 31 12:34:30 2011 [21711]: output role1=ALL
Wed Aug 31 12:34:30 2011 [21711]: pid 21712 child exited status 21712l
Wed Aug 31 12:34:30 2011 [21711]: cmd /usr/bin/python /root/do_auth_beta.py -i $address -fix_crs_bug -u $user -d $name -l /root/log2.txt -f /root/do_auth.ini returns 0 (no change)
Wed Aug 31 12:34:30 2011 [21711]: authorization query for 'tester' unknown from 1.1.1.1 accepted

Here I exit(2) and try to modify the pairs. It looks fine, but I can't log in to the device:

Wed Aug 31 12:52:47 2011 [25965]: Start authorization request
Wed Aug 31 12:52:48 2011 [25965]: do_author: user='tester'
Wed Aug 31 12:52:48 2011 [25965]: user 'tester' found
Wed Aug 31 12:52:48 2011 [25965]: nas:service=ciscowlc (passed thru)
Wed Aug 31 12:52:48 2011 [25965]: nas:protocol=common (passed thru)
Wed Aug 31 12:52:48 2011 [25965]: nas:absent, server:role1=ALL -> add role1=ALL (k)
Wed Aug 31 12:52:48 2011 [25965]: added 1 args
Wed Aug 31 12:52:48 2011 [25965]: out_args[0] = service=ciscowlc input copy discarded
Wed Aug 31 12:52:48 2011 [25965]: out_args[1] = protocol=common input copy discarded
Wed Aug 31 12:52:48 2011 [25965]: out_args[2] = role1=ALL compacted to out_args[0]
Wed Aug 31 12:52:48 2011 [25965]: 1 output args
Wed Aug 31 12:52:48 2011 [25965]: After authorization call: /usr/bin/python /root/do_auth_beta.py -i $address -fix_crs_bug -u $user -d $name -l /root/log2.txt -f /root/do_auth.ini
Wed Aug 31 12:52:48 2011 [25965]: substitute: /usr/bin/python /root/do_auth_beta.py -i $address -fix_crs_bug -u $user -d $name -l /root/log2.txt -f /root/do_auth.ini
Wed Aug 31 12:52:48 2011 [25965]: Dollar substitution: /usr/bin/python /root/do_auth_beta.py -i 2.2.2.2 -fix_crs_bug -u tester -d 1.1.1.1 -l /root/log2.txt -f /root/do_auth.ini
Wed Aug 31 12:52:48 2011 [25965]: input service=ciscowlc
Wed Aug 31 12:52:48 2011 [25965]: input protocol=common
Wed Aug 31 12:52:48 2011 [25965]: input role1=ALL
Wed Aug 31 12:52:48 2011 [25965]: output service=ciscowlc
Wed Aug 31 12:52:48 2011 [25965]: output protocol=common
Wed Aug 31 12:52:48 2011 [25965]: output role1=MONITOR
Wed Aug 31 12:52:48 2011 [25965]: pid 25970 child exited status 25970l
Wed Aug 31 12:52:48 2011 [25965]: cmd /usr/bin/python /root/do_auth_beta.py -i $address -fix_crs_bug -u $user -d $name -l /root/log2.txt -f /root/do_auth.ini returns 2 (replace & continue)
Wed Aug 31 12:52:48 2011 [25965]: status is now AUTHOR_STATUS_PASS_REPL
Wed Aug 31 12:52:48 2011 [25965]: authorization query for 'tester' unknown from 1.1.1.1 accepted

The pairs are actually printed exactly as "Returning:" says in my debug:

Replacing pairs role1=MONITOR
2011-08-31 12:52:48: User 'tester' granted non-shell access to device '1.1.1.1' in group 'no_conf_t' from '2.2.2.2'
Returning:service=ciscowlc
Returning:protocol=common
Returning:role1=MONITOR

Ideas? If I don't modify the role1 but return 2, it acts the same.

FYI - I was successful at modifying priv-lvl, but this only seems to work by chopping off service=shell & cmd*. (not sure why) Chopping off service=ciscowlc or chopping off service=wlc and service=common did not appear to work when I last tried it.

The following is an example of priv-lvl being successfully changed by my after authorization script:

Wed Aug 31 13:10:08 2011 [29892]: login query for 'tester' tty1 from 3.3.3.3 accepted
Wed Aug 31 13:10:08 2011 [29898]: connect from 3.3.3.3 [3.3.3.3]
Wed Aug 31 13:10:08 2011 [29898]: Start authorization request
Wed Aug 31 13:10:08 2011 [29898]: do_author: user='tester'
Wed Aug 31 13:10:08 2011 [29898]: user 'tester' found
Wed Aug 31 13:10:08 2011 [29898]: exec authorization request for tester
Wed Aug 31 13:10:08 2011 [29898]: exec is explicitly permitted by line 191
Wed Aug 31 13:10:08 2011 [29898]: nas:service=shell (passed thru)
Wed Aug 31 13:10:08 2011 [29898]: nas:cmd* (passed thru)
Wed Aug 31 13:10:08 2011 [29898]: nas:absent, server:priv-lvl=15 -> add priv-lvl=15 (k)
Wed Aug 31 13:10:08 2011 [29898]: nas:absent, server:idletime=10 -> add idletime=10 (k)
Wed Aug 31 13:10:08 2011 [29898]: added 2 args
Wed Aug 31 13:10:08 2011 [29898]: out_args[0] = service=shell input copy discarded
Wed Aug 31 13:10:09 2011 [29898]: out_args[1] = cmd* input copy discarded
Wed Aug 31 13:10:09 2011 [29898]: out_args[2] = priv-lvl=15 compacted to out_args[0]
Wed Aug 31 13:10:09 2011 [29898]: out_args[3] = idletime=10 compacted to out_args[1]
Wed Aug 31 13:10:09 2011 [29898]: 2 output args
Wed Aug 31 13:10:09 2011 [29898]: After authorization call: /usr/bin/python /root/do_auth_beta.py -i $address -fix_crs_bug -u $user -d $name -l /root/log2.txt -f /root/do_auth.ini
Wed Aug 31 13:10:09 2011 [29898]: substitute: /usr/bin/python /root/do_auth_beta.py -i $address -fix_crs_bug -u $user -d $name -l /root/log2.txt -f /root/do_auth.ini
Wed Aug 31 13:10:09 2011 [29898]: Dollar substitution: /usr/bin/python /root/do_auth_beta.py -i 2.2.2.2 -fix_crs_bug -u tester -d 3.3.3.3 -l /root/log2.txt -f /root/do_auth.ini
Wed Aug 31 13:10:09 2011 [29898]: input service=shell
Wed Aug 31 13:10:09 2011 [29898]: input cmd*
Wed Aug 31 13:10:09 2011 [29898]: input priv-lvl=15
Wed Aug 31 13:10:09 2011 [29898]: input idletime=10
Wed Aug 31 13:10:09 2011 [29898]: output priv-lvl=1
Wed Aug 31 13:10:09 2011 [29898]: output idletime=10
Wed Aug 31 13:10:09 2011 [29898]: pid 29899 child exited status 29899l
Wed Aug 31 13:10:09 2011 [29898]: cmd /usr/bin/python /root/do_auth_beta.py -i $address -fix_crs_bug -u $user -d $name -l /root/log2.txt -f /root/do_auth.ini returns 2 (replace & continue)
Wed Aug 31 13:10:09 2011 [29898]: status is now AUTHOR_STATUS_PASS_REPL
Wed Aug 31 13:10:09 2011 [29898]: authorization query for 'tester' tty1 from 3.3.3.3 accepted

Last, but not least, I would have thought that only sending role1 would work, but it didn't:

Wed Aug 31 13:22:44 2011 [32737]: connect from 1.1.1.1 [1.1.1.1]
Wed Aug 31 13:22:44 2011 [32737]: Start authorization request
Wed Aug 31 13:22:44 2011 [32737]: do_author: user='tester'
Wed Aug 31 13:22:44 2011 [32737]: user 'tester' found
Wed Aug 31 13:22:44 2011 [32737]: nas:service=ciscowlc (passed thru)
Wed Aug 31 13:22:44 2011 [32737]: nas:protocol=common (passed thru)
Wed Aug 31 13:22:44 2011 [32737]: nas:absent, server:role1=ALL -> add role1=ALL (k)
Wed Aug 31 13:22:44 2011 [32737]: added 1 args
Wed Aug 31 13:22:44 2011 [32737]: out_args[0] = service=ciscowlc input copy discarded
Wed Aug 31 13:22:44 2011 [32737]: out_args[1] = protocol=common input copy discarded
Wed Aug 31 13:22:44 2011 [32737]: out_args[2] = role1=ALL compacted to out_args[0]
Wed Aug 31 13:22:44 2011 [32737]: 1 output args
Wed Aug 31 13:22:44 2011 [32737]: After authorization call: /usr/bin/python /root/do_auth_beta.py -i $address -fix_crs_bug -u $user -d $name -l /root/log2.txt -f /root/do_auth.ini
Wed Aug 31 13:22:44 2011 [32737]: substitute: /usr/bin/python /root/do_auth_beta.py -i $address -fix_crs_bug -u $user -d $name -l /root/log2.txt -f /root/do_auth.ini
Wed Aug 31 13:22:44 2011 [32737]: Dollar substitution: /usr/bin/python /root/do_auth_beta.py -i 2.2.2.2 -fix_crs_bug -u tester -d 1.1.1.1 -l /root/log2.txt -f /root/do_auth.ini
Wed Aug 31 13:22:44 2011 [32737]: input service=ciscowlc
Wed Aug 31 13:22:44 2011 [32737]: input protocol=common
Wed Aug 31 13:22:44 2011 [32737]: input role1=ALL
Wed Aug 31 13:22:44 2011 [32737]: output role1=MONITOR
Wed Aug 31 13:22:44 2011 [32737]: pid 32739 child exited status 32739l
Wed Aug 31 13:22:44 2011 [32737]: cmd /usr/bin/python /root/do_auth_beta.py -i $address -fix_crs_bug -u $user -d $name -l /root/log2.txt -f /root/do_auth.ini returns 2 (replace & continue)
Wed Aug 31 13:22:44 2011 [32737]: status is now AUTHOR_STATUS_PASS_REPL
Wed Aug 31 13:22:45 2011 [32737]: authorization query for 'tester' unknown from 1.1.1.1 accepted

Thanks.

-----Original Message-----
From: Daniel Schmidt [mailto:daniel.schmidt at wyo.gov]
Sent: Wednesday, August 31, 2011 10:16 AM
To: john heasley
Cc: tac_plus at shrubbery.net
Subject: RE: [tac_plus] WLC

Thanks for your reply John. The device does not seem to act on them. I know they receive them, because my script returns priv levels (1, 15, etc.) to routers and that works just fine. I try stripping off the service, I try stripping off protocol and service - nothing works.

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Wednesday, August 31, 2011 9:57 AM
To: Daniel Schmidt
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] WLC

Wed, Aug 31, 2011 at 09:54:01AM -0600, Daniel Schmidt:
> Has anybody successfully returned the av-pairs for a wireless controller? I
> get the following returned:
>
> service=ciscowlc
> protocol=common
> role1=ALL
>
> Echoing these back with an exit code of 2 does not work though. I can see
> the service possibly needing to be stripped, but no combination of the last
> one, two or all will work. Any help appreciated!

define "no combination ... will work". work in what manner? meaning that the daemon does not return them to the device or the device doesn't act upon them?

From heas at shrubbery.net Wed Aug 31 20:06:27 2011
From: heas at shrubbery.net (john heasley)
Date: Wed, 31 Aug 2011 20:06:27 +0000
Subject: [tac_plus] WLC
In-Reply-To:
References: <00c5395907962a5a3c7721215dacbf0f@mail.gmail.com> <20110831155725.GJ16427@shrubbery.net>
Message-ID: <20110831200627.GU16427@shrubbery.net>

is role1=monitor perhaps insufficient? all the examples i see online are like here:

http://blog.photic.net/index.php/category/cisco/

or perhaps just for whatever version your wlc is running

From daniel.schmidt at wyo.gov Wed Aug 31 20:56:22 2011
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Wed, 31 Aug 2011 14:56:22 -0600
Subject: [tac_plus] WLC
In-Reply-To: <20110831200627.GU16427@shrubbery.net>
References: <00c5395907962a5a3c7721215dacbf0f@mail.gmail.com> <20110831155725.GJ16427@shrubbery.net> <20110831200627.GU16427@shrubbery.net>
Message-ID: <30b99ad676dd5c772f05e38c2921571a@mail.gmail.com>

It doesn't make sense. It works fine without an authentication script, so how come when you HAVE an authentication script passing the same pairs back, it doesn't work? The logs say it sends the same info each way, but one doesn't work.

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Wednesday, August 31, 2011 2:06 PM
To: Daniel Schmidt
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] WLC

is role1=monitor perhaps insufficient? all the examples i see online are like here:

http://blog.photic.net/index.php/category/cisco/

or perhaps just for whatever version your wlc is running
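The thread keeps circling the after-authorization contract that the script and the debug logs above show: tac_plus hands the NAS's attribute-value pairs to the hook on stdin, reads whatever the hook prints, and interprets the exit status (0 = no change, 1 = deny, 2 = replace the pairs with what was printed). The following is an added Python 3 model of that contract written for this page, not Daniel's do_auth.py; the POLICY dictionary, its regex patterns and the sample pair lines in the test are constructed stand-ins for the do_auth.ini lookups, and the parser splits each pair on its first '=' or '*' so that a value containing '=' is not truncated the way a plain split("=") on every '=' would truncate it.

```python
import re
import sys

# Exit codes as the thread's script and tac_plus debug log use them.
EXIT_NO_CHANGE, EXIT_DENY, EXIT_REPLACE = 0, 1, 2

# Constructed stand-in for the do_auth.ini lookups (not the real file format).
POLICY = {
    "deny_cmds": [r"conf.*"],
    "permit_cmds": [r"show .*"],
    "replace": {"priv-lvl": "1"},
}


def parse_av_pairs(lines):
    """Split 'attr=value' / 'attr*value' lines into (attr, sep, value) tuples.

    TACACS+ marks mandatory arguments with '=' and optional ones with '*';
    the separator is the FIRST of either, so a value that itself contains
    '=' survives intact instead of being cut off before the policy check.
    """
    pairs = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        cuts = [i for i in (line.find("="), line.find("*")) if i >= 0]
        if not cuts:
            pairs.append((line, "", ""))   # malformed pair: keep it visible
            continue
        cut = min(cuts)
        pairs.append((line[:cut], line[cut], line[cut + 1:]))
    return pairs


def shell_command(pairs):
    """Rebuild the command of a shell command-authorization request.

    The NAS sends cmd=<word> plus cmd-arg=<word> pairs closed by an empty
    cmd-arg; an exec login instead sends 'cmd*' with no value.  Returns ''
    for a login request.
    """
    verb = [v for a, sep, v in pairs if a == "cmd" and sep == "=" and v]
    if not verb:
        return ""
    args = [v for a, _, v in pairs if a == "cmd-arg" and v]
    return " ".join(verb + args)


def decide(pairs, policy):
    """Return (exit_code, lines_to_print) for one authorization request."""
    service = next((v for a, _, v in pairs if a == "service"), "")
    if service != "shell":
        return EXIT_NO_CHANGE, []           # other services: leave pairs alone
    command = shell_command(pairs)
    if command:
        if any(re.match(p, command) for p in policy["deny_cmds"]):
            return EXIT_DENY, []
        if any(re.match(p, command) for p in policy["permit_cmds"]):
            return EXIT_NO_CHANGE, []
        return EXIT_DENY, []                # implicit deny, as in the script
    # Exec login: drop service=shell and cmd*, echo the rest with overrides.
    out = [a + sep + policy["replace"].get(a, v)
           for a, sep, v in pairs if a not in ("service", "cmd")]
    return EXIT_REPLACE, out


def main():
    code, out = decide(parse_av_pairs(sys.stdin), POLICY)
    for line in out:
        print(line)                          # printing is how pairs are returned
    sys.exit(code)


if __name__ == "__main__":
    main()
```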