[tac_plus] WLC

Daniel Schmidt daniel.schmidt at wyo.gov
Wed Aug 31 19:34:55 UTC 2011


If any experts may have a minute to assist, this is driving me nuts:

Here's a standard working session without authorization script:
Wed Aug 31 13:30:33 2011 [2091]: connect from 1.1.1.1 [1.1.1.1]
Wed Aug 31 13:30:33 2011 [2091]: Start authorization request
Wed Aug 31 13:30:33 2011 [2091]: do_author: user='tester'
Wed Aug 31 13:30:33 2011 [2091]: user 'tester' found
Wed Aug 31 13:30:33 2011 [2091]: nas:service=ciscowlc (passed thru)
Wed Aug 31 13:30:33 2011 [2091]: nas:protocol=common (passed thru)
Wed Aug 31 13:30:33 2011 [2091]: nas:absent, server:role1=ALL -> add role1=ALL (k)
Wed Aug 31 13:30:33 2011 [2091]: added 1 args
Wed Aug 31 13:30:33 2011 [2091]: out_args[0] = service=ciscowlc input copy discarded
Wed Aug 31 13:30:33 2011 [2091]: out_args[1] = protocol=common input copy discarded
Wed Aug 31 13:30:33 2011 [2091]: out_args[2] = role1=ALL compacted to out_args[0]
Wed Aug 31 13:30:33 2011 [2091]: 1 output args
Wed Aug 31 13:30:33 2011 [2091]: authorization query for 'tester' unknown from 1.1.1.1 accepted

Here we have a standard session, where I return pairs, but exit(0) so it
doesn't care what I'm spitting back & tester logs in just fine.

Wed Aug 31 12:34:30 2011 [21710]: connect from 1.1.1.1 [1.1.1.1]
Wed Aug 31 12:34:30 2011 [21710]: login query for 'tester' unknown-port from 1.1.1.1 accepted
Wed Aug 31 12:34:30 2011 [21711]: connect from 1.1.1.1 [1.1.1.1]
Wed Aug 31 12:34:30 2011 [21711]: Start authorization request
Wed Aug 31 12:34:30 2011 [21711]: do_author: user='tester'
Wed Aug 31 12:34:30 2011 [21711]: user 'tester' found
Wed Aug 31 12:34:30 2011 [21711]: nas:service=ciscowlc (passed thru)
Wed Aug 31 12:34:30 2011 [21711]: nas:protocol=common (passed thru)
Wed Aug 31 12:34:30 2011 [21711]: nas:absent, server:role1=ALL -> add role1=ALL (k)
Wed Aug 31 12:34:30 2011 [21711]: added 1 args
Wed Aug 31 12:34:30 2011 [21711]: out_args[0] = service=ciscowlc input copy discarded
Wed Aug 31 12:34:30 2011 [21711]: out_args[1] = protocol=common input copy discarded
Wed Aug 31 12:34:30 2011 [21711]: out_args[2] = role1=ALL compacted to out_args[0]
Wed Aug 31 12:34:30 2011 [21711]: 1 output args
Wed Aug 31 12:34:30 2011 [21711]: After authorization call: /usr/bin/python /root/do_auth_beta.py -i $address -fix_crs_bug -u $user -d $name -l /root/log2.txt -f /root/do_auth.ini
Wed Aug 31 12:34:30 2011 [21711]: substitute: /usr/bin/python /root/do_auth_beta.py -i $address -fix_crs_bug -u $user -d $name -l /root/log2.txt -f /root/do_auth.ini
Wed Aug 31 12:34:30 2011 [21711]: Dollar substitution: /usr/bin/python /root/do_auth_beta.py -i 2.2.2.2 -fix_crs_bug -u tester -d 1.1.1.1 -l /root/log2.txt -f /root/do_auth.ini
Wed Aug 31 12:34:30 2011 [21711]: input service=ciscowlc
Wed Aug 31 12:34:30 2011 [21711]: input protocol=common
Wed Aug 31 12:34:30 2011 [21711]: input role1=ALL
Wed Aug 31 12:34:30 2011 [21711]: output service=ciscowlc
Wed Aug 31 12:34:30 2011 [21711]: output protocol=common
Wed Aug 31 12:34:30 2011 [21711]: output role1=ALL
Wed Aug 31 12:34:30 2011 [21711]: pid 21712 child exited status 21712l
Wed Aug 31 12:34:30 2011 [21711]: cmd /usr/bin/python /root/do_auth_beta.py -i $address -fix_crs_bug -u $user -d $name -l /root/log2.txt -f /root/do_auth.ini returns 0 (no change)
Wed Aug 31 12:34:30 2011 [21711]: authorization query for 'tester' unknown from 1.1.1.1 accepted

Here I exit(2) and try to modify the pairs.  It looks fine, but I don't get
logged in to the device:

Wed Aug 31 12:52:47 2011 [25965]: Start authorization request
Wed Aug 31 12:52:48 2011 [25965]: do_author: user='tester'
Wed Aug 31 12:52:48 2011 [25965]: user 'tester' found
Wed Aug 31 12:52:48 2011 [25965]: nas:service=ciscowlc (passed thru)
Wed Aug 31 12:52:48 2011 [25965]: nas:protocol=common (passed thru)
Wed Aug 31 12:52:48 2011 [25965]: nas:absent, server:role1=ALL -> add role1=ALL (k)
Wed Aug 31 12:52:48 2011 [25965]: added 1 args
Wed Aug 31 12:52:48 2011 [25965]: out_args[0] = service=ciscowlc input copy discarded
Wed Aug 31 12:52:48 2011 [25965]: out_args[1] = protocol=common input copy discarded
Wed Aug 31 12:52:48 2011 [25965]: out_args[2] = role1=ALL compacted to out_args[0]
Wed Aug 31 12:52:48 2011 [25965]: 1 output args
Wed Aug 31 12:52:48 2011 [25965]: After authorization call: /usr/bin/python /root/do_auth_beta.py -i $address -fix_crs_bug -u $user -d $name -l /root/log2.txt -f /root/do_auth.ini
Wed Aug 31 12:52:48 2011 [25965]: substitute: /usr/bin/python /root/do_auth_beta.py -i $address -fix_crs_bug -u $user -d $name -l /root/log2.txt -f /root/do_auth.ini
Wed Aug 31 12:52:48 2011 [25965]: Dollar substitution: /usr/bin/python /root/do_auth_beta.py -i 2.2.2.2 -fix_crs_bug -u tester -d 1.1.1.1 -l /root/log2.txt -f /root/do_auth.ini
Wed Aug 31 12:52:48 2011 [25965]: input service=ciscowlc
Wed Aug 31 12:52:48 2011 [25965]: input protocol=common
Wed Aug 31 12:52:48 2011 [25965]: input role1=ALL
Wed Aug 31 12:52:48 2011 [25965]: output service=ciscowlc
Wed Aug 31 12:52:48 2011 [25965]: output protocol=common
Wed Aug 31 12:52:48 2011 [25965]: output role1=MONITOR
Wed Aug 31 12:52:48 2011 [25965]: pid 25970 child exited status 25970l
Wed Aug 31 12:52:48 2011 [25965]: cmd /usr/bin/python /root/do_auth_beta.py -i $address -fix_crs_bug -u $user -d $name -l /root/log2.txt -f /root/do_auth.ini returns 2 (replace & continue)
Wed Aug 31 12:52:48 2011 [25965]: status is now AUTHOR_STATUS_PASS_REPL
Wed Aug 31 12:52:48 2011 [25965]: authorization query for 'tester' unknown from 1.1.1.1 accepted


The pairs are actually printed exactly as "Returning:" says in my debug:

Replacing pairs role1=MONITOR
2011-08-31 12:52:48: User 'tester' granted non-shell access to device '1.1.1.1' in group 'no_conf_t' from '2.2.2.2'
Returning:service=ciscowlc
Returning:protocol=common
Returning:role1=MONITOR

Ideas?  If I don't modify the role1 but return 2, it acts the same.

FYI - I was successful at modifying priv-lvl, but this only seems to work
by chopping off service=shell & cmd*.  (not sure why) Chopping off
service=ciscowlc or chopping off service=wlc and service=common did not
appear to work when I last tried it.

The following is an example of priv-lvl being successfully changed by my
after authorization script:

Wed Aug 31 13:10:08 2011 [29892]: login query for 'tester' tty1 from 3.3.3.3 accepted
Wed Aug 31 13:10:08 2011 [29898]: connect from 3.3.3.3 [3.3.3.3]
Wed Aug 31 13:10:08 2011 [29898]: Start authorization request
Wed Aug 31 13:10:08 2011 [29898]: do_author: user='tester'
Wed Aug 31 13:10:08 2011 [29898]: user 'tester' found
Wed Aug 31 13:10:08 2011 [29898]: exec authorization request for tester
Wed Aug 31 13:10:08 2011 [29898]: exec is explicitly permitted by line 191
Wed Aug 31 13:10:08 2011 [29898]: nas:service=shell (passed thru)
Wed Aug 31 13:10:08 2011 [29898]: nas:cmd* (passed thru)
Wed Aug 31 13:10:08 2011 [29898]: nas:absent, server:priv-lvl=15 -> add priv-lvl=15 (k)
Wed Aug 31 13:10:08 2011 [29898]: nas:absent, server:idletime=10 -> add idletime=10 (k)
Wed Aug 31 13:10:08 2011 [29898]: added 2 args
Wed Aug 31 13:10:08 2011 [29898]: out_args[0] = service=shell input copy discarded
Wed Aug 31 13:10:09 2011 [29898]: out_args[1] = cmd* input copy discarded
Wed Aug 31 13:10:09 2011 [29898]: out_args[2] = priv-lvl=15 compacted to out_args[0]
Wed Aug 31 13:10:09 2011 [29898]: out_args[3] = idletime=10 compacted to out_args[1]
Wed Aug 31 13:10:09 2011 [29898]: 2 output args
Wed Aug 31 13:10:09 2011 [29898]: After authorization call: /usr/bin/python /root/do_auth_beta.py -i $address -fix_crs_bug -u $user -d $name -l /root/log2.txt -f /root/do_auth.ini
Wed Aug 31 13:10:09 2011 [29898]: substitute: /usr/bin/python /root/do_auth_beta.py -i $address -fix_crs_bug -u $user -d $name -l /root/log2.txt -f /root/do_auth.ini
Wed Aug 31 13:10:09 2011 [29898]: Dollar substitution: /usr/bin/python /root/do_auth_beta.py -i 2.2.2.2 -fix_crs_bug -u tester -d 3.3.3.3 -l /root/log2.txt -f /root/do_auth.ini
Wed Aug 31 13:10:09 2011 [29898]: input service=shell
Wed Aug 31 13:10:09 2011 [29898]: input cmd*
Wed Aug 31 13:10:09 2011 [29898]: input priv-lvl=15
Wed Aug 31 13:10:09 2011 [29898]: input idletime=10
Wed Aug 31 13:10:09 2011 [29898]: output priv-lvl=1
Wed Aug 31 13:10:09 2011 [29898]: output idletime=10
Wed Aug 31 13:10:09 2011 [29898]: pid 29899 child exited status 29899l
Wed Aug 31 13:10:09 2011 [29898]: cmd /usr/bin/python /root/do_auth_beta.py -i $address -fix_crs_bug -u $user -d $name -l /root/log2.txt -f /root/do_auth.ini returns 2 (replace & continue)
Wed Aug 31 13:10:09 2011 [29898]: status is now AUTHOR_STATUS_PASS_REPL
Wed Aug 31 13:10:09 2011 [29898]: authorization query for 'tester' tty1 from 3.3.3.3 accepted

Last, but not least, I would have thought that only sending role1 would
work, but it didn't:

Wed Aug 31 13:22:44 2011 [32737]: connect from 1.1.1.1 [1.1.1.1]
Wed Aug 31 13:22:44 2011 [32737]: Start authorization request
Wed Aug 31 13:22:44 2011 [32737]: do_author: user='tester'
Wed Aug 31 13:22:44 2011 [32737]: user 'tester' found
Wed Aug 31 13:22:44 2011 [32737]: nas:service=ciscowlc (passed thru)
Wed Aug 31 13:22:44 2011 [32737]: nas:protocol=common (passed thru)
Wed Aug 31 13:22:44 2011 [32737]: nas:absent, server:role1=ALL -> add role1=ALL (k)
Wed Aug 31 13:22:44 2011 [32737]: added 1 args
Wed Aug 31 13:22:44 2011 [32737]: out_args[0] = service=ciscowlc input copy discarded
Wed Aug 31 13:22:44 2011 [32737]: out_args[1] = protocol=common input copy discarded
Wed Aug 31 13:22:44 2011 [32737]: out_args[2] = role1=ALL compacted to out_args[0]
Wed Aug 31 13:22:44 2011 [32737]: 1 output args
Wed Aug 31 13:22:44 2011 [32737]: After authorization call: /usr/bin/python /root/do_auth_beta.py -i $address -fix_crs_bug -u $user -d $name -l /root/log2.txt -f /root/do_auth.ini
Wed Aug 31 13:22:44 2011 [32737]: substitute: /usr/bin/python /root/do_auth_beta.py -i $address -fix_crs_bug -u $user -d $name -l /root/log2.txt -f /root/do_auth.ini
Wed Aug 31 13:22:44 2011 [32737]: Dollar substitution: /usr/bin/python /root/do_auth_beta.py -i 2.2.2.2 -fix_crs_bug -u tester -d 1.1.1.1 -l /root/log2.txt -f /root/do_auth.ini
Wed Aug 31 13:22:44 2011 [32737]: input service=ciscowlc
Wed Aug 31 13:22:44 2011 [32737]: input protocol=common
Wed Aug 31 13:22:44 2011 [32737]: input role1=ALL
Wed Aug 31 13:22:44 2011 [32737]: output role1=MONITOR
Wed Aug 31 13:22:44 2011 [32737]: pid 32739 child exited status 32739l
Wed Aug 31 13:22:44 2011 [32737]: cmd /usr/bin/python /root/do_auth_beta.py -i $address -fix_crs_bug -u $user -d $name -l /root/log2.txt -f /root/do_auth.ini returns 2 (replace & continue)
Wed Aug 31 13:22:44 2011 [32737]: status is now AUTHOR_STATUS_PASS_REPL
Wed Aug 31 13:22:45 2011 [32737]: authorization query for 'tester' unknown from 1.1.1.1 accepted

Thanks.

-----Original Message-----
From: Daniel Schmidt [mailto:daniel.schmidt at wyo.gov]
Sent: Wednesday, August 31, 2011 10:16 AM
To: john heasley
Cc: tac_plus at shrubbery.net
Subject: RE: [tac_plus] WLC

Thanks for your reply John. The device does not seem to act on them.  I
know they receive them, because my script returns priv levels (1, 15, etc.)
to routers and that works just fine.  I try stripping off the service, I
try stripping off protocol and service - nothing works.



-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Wednesday, August 31, 2011 9:57 AM
To: Daniel Schmidt
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] WLC

Wed, Aug 31, 2011 at 09:54:01AM -0600, Daniel Schmidt:
> Has anybody successfully returned the av-pairs for a wireless
> controller?  I get the following returned:
>
> service=ciscowlc
> protocol=common
> role1=ALL
>
> Echoing these back with an exit code of 2 does not work though.  I can
> see the service possibly needing to be stripped, but no combination of
> the last one, two or all will work.  Any help appreciated!

Define "no combination ... will work".  Work in what manner?  Meaning
that the daemon does not return them to the device, or the device doesn't
act upon them?
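For readers who want to see the after-authorization contract the thread is arguing about in one place, here is a minimal filter script as an added example. It is not do_auth.py and not part of tac_plus; its only assumptions are the ones the debug logs above make visible: the daemon feeds the authorization AV pairs to the script one per line on stdin, reads the script's stdout as the replacement pairs, and treats exit 0 as "no change" and exit 2 as "replace & continue" (AUTHOR_STATUS_PASS_REPL). The group table, the `-g` flag and the script name are this example's own inventions.

```python
#!/usr/bin/env python3
"""Minimal tac_plus 'after authorization' filter (added example for this
thread; neither do_auth.py nor part of tac_plus).

Assumed contract, taken from the daemon's debug output in the thread:
AV pairs arrive one per line on stdin, stdout is read back as the new
pairs, exit 0 means "no change" and exit 2 means "replace & continue".
"""
import sys

EXIT_NO_CHANGE = 0         # daemon keeps the pairs it built itself
EXIT_REPLACE_CONTINUE = 2  # daemon uses the pairs printed on stdout

# Constructed policy table: WLC role to hand out per local group.
# do_auth.py reads its groups from an .ini file; a dict keeps this
# example self-contained and offline.
ROLE_BY_GROUP = {"noc": "ALL", "helpdesk": "MONITOR"}


def parse_pair(pair):
    """Split one TACACS+ AV pair into (attribute, separator, value).

    '=' marks a mandatory attribute and '*' an optional one.  The
    separator is the first occurrence of either, so a value may itself
    contain '='.  A bare attribute such as 'cmd*' yields an empty value.
    """
    for i, ch in enumerate(pair):
        if ch in "=*":
            return pair[:i], ch, pair[i + 1:]
    return pair, "", ""


def rewrite_pairs(pairs, group):
    """Return (pairs_to_print, exit_code) for one authorization request.

    Only role1 is rewritten; every other pair (service=, protocol=, ...)
    is echoed back verbatim, which is what the poster's logs show.
    """
    wanted = ROLE_BY_GROUP.get(group)
    if wanted is None:
        # Unknown group: leave the decision to tac_plus' own config.
        return list(pairs), EXIT_NO_CHANGE
    out, changed = [], False
    for pair in pairs:
        attr, sep, value = parse_pair(pair)
        if attr == "role1" and value != wanted:
            out.append("role1" + (sep or "=") + wanted)
            changed = True
        else:
            out.append(pair)
    return out, (EXIT_REPLACE_CONTINUE if changed else EXIT_NO_CHANGE)


def main(argv):
    # The -g flag is this example's own (not a do_auth.py option); a real
    # deployment would derive the group from $user instead.
    group = ""
    if "-g" in argv:
        idx = argv.index("-g") + 1
        if idx < len(argv):
            group = argv[idx]
    pairs = [line.rstrip("\r\n") for line in sys.stdin if line.strip()]
    out, code = rewrite_pairs(pairs, group)
    if code == EXIT_REPLACE_CONTINUE:
        # Only print when we intend the daemon to use the output; with
        # exit 0 the daemon ignores stdout anyway, as the logs show.
        sys.stdout.write("".join(p + "\n" for p in out))
        sys.stdout.flush()
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

To reproduce the two behaviours from the shell without a daemon, pipe the three pairs from the thread into the script and check the status: `printf 'service=ciscowlc\nprotocol=common\nrole1=ALL\n' | python3 after_author.py -g helpdesk; echo $?` prints the pairs with `role1=MONITOR` and exits 2, while `-g noc` prints nothing and exits 0 because the role already matches. The exit code, not the printed text, is what the daemon acts on; whether the WLC then honours a replaced role1 is the separate question the thread leaves open.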

