From lql at hotmail.com Tue Feb 15 00:20:54 2011
From: lql at hotmail.com (LiQi Li)
Date: Tue, 15 Feb 2011 08:20:54 +0800
Subject: [tac_plus] MSCHAP in Tac_plus
Message-ID:

Hi,

FAQ says "F4.X contains mschap support. Mschap is configured the same way as chap, only using the 'mschap' keyword in place of the 'chap' keyword". However, I always got an error message when running tac_plus. Please see below.

    # ./tac_plus -C tac_plus.conf -d 16 -g
    Reading config
    Unrecognised keyword mschap for user on line 13
    Error: Unrecognised keyword mschap for user on line 13

My partial tac_plus.conf is:

    user = test {
        pap = cleartext "testpap"
        chap = cleartext "testchap"
        mschap = cleartext "testmschap"
    }

I noticed the sentence in the FAQ: "To compile the daemon with MSCHAP support, uncomment the MSCHAP line in the Makefile." But I didn't see the MSCHAP line in the Makefile. So how can I make mschap work in tac_plus?

My tac_plus version is tacacs+-F4.0.4.19.

Thanks
Richie

From kurgancito at gmail.com Mon Feb 21 14:52:07 2011
From: kurgancito at gmail.com (Francisco Fernandez)
Date: Mon, 21 Feb 2011 15:52:07 +0100
Subject: [tac_plus] Tac_plus passwd expiration
Message-ID:

Hi there...

First of all, sorry if this is not the appropriate method to ask you a question... If not, let me know.

We are using tacacs+ on a linux server which provides authentication for many cisco routers with users defined in tacacs's linux operating system. Till now, validation was against the /etc/passwd file. The problem we have is that when a user's password expires in the linux operating system, the same user can continue logging into the routers without any error.

I've been trying to avoid this using:

/etc/shadow (but I always get "password has expired" even with an active password account)
PAM: we don't get any error and I can telnet to our routers with our expired passwd.
I've tried several tacacs versions and compiled several times with different options...

Do you know how I can deny access to our routers to users with expired passwords?

Thanks a lot.

From aojea at retegal.es Tue Feb 22 07:20:40 2011
From: aojea at retegal.es (Antonio Ojea)
Date: Mon, 21 Feb 2011 23:20:40 -0800
Subject: [tac_plus] command authorization
Message-ID: <088F826EA78A1F49A6A2AB8722B138EC3614625E55@IE2RD2XVS171.red002.local>

Hello,

I want to use tac_plus to deny some commands in our routers. I have tried with the do_auth script but I can't receive any av pairs to filter them. I paste the output from running tac_plus with debugging (-d 16):

    Tue Feb 22 08:13:58 2011 [30270]: login query for 'XXXX' tty1 from 172.31.5.50 accepted
    Tue Feb 22 08:13:58 2011 [30277]: connect from 172.31.5.50 [172.31.5.50]
    Tue Feb 22 08:13:58 2011 [30277]: Start authorization request
    Tue Feb 22 08:13:58 2011 [30277]: do_author: user='XXXX'
    Tue Feb 22 08:13:58 2011 [30277]: user 'XXXX' found
    Tue Feb 22 08:13:58 2011 [30277]: exec authorization request for XXXX
    Tue Feb 22 08:13:58 2011 [30277]: exec is explicitly permitted by line 45
    Tue Feb 22 08:13:58 2011 [30277]: nas:service=shell (passed thru)
    Tue Feb 22 08:13:58 2011 [30277]: nas:cmd* (passed thru)
    Tue Feb 22 08:13:58 2011 [30277]: nas:absent, server:priv-lvl=15 -> add priv-lvl=15 (k)
    Tue Feb 22 08:13:58 2011 [30277]: nas:absent, server:idletime=30 -> add idletime=30 (k)
    Tue Feb 22 08:13:58 2011 [30277]: added 2 args
    Tue Feb 22 08:13:58 2011 [30277]: out_args[0] = service=shell input copy discarded
    Tue Feb 22 08:13:58 2011 [30277]: out_args[1] = cmd* input copy discarded
    Tue Feb 22 08:13:58 2011 [30277]: out_args[2] = priv-lvl=15 compacted to out_args[0]
    Tue Feb 22 08:13:58 2011 [30277]: out_args[3] = idletime=30 compacted to out_args[1]
    Tue Feb 22 08:13:58 2011 [30277]: 2 output args
    Tue Feb 22 08:13:58 2011 [30277]: authorization query for 'XXXX' tty1
    from 172.31.5.50 accepted
    Tue Feb 22 08:13:58 2011 [30278]: connect from 172.31.5.50 [172.31.5.50]
    Tue Feb 22 08:14:04 2011 [30297]: connect from 172.31.5.50 [172.31.5.50]

The last 2 statements happen when I type some commands in the router, but I think those are related to accounting.

Thanks in advance

From heas at shrubbery.net Wed Feb 23 22:34:52 2011
From: heas at shrubbery.net (john heasley)
Date: Wed, 23 Feb 2011 22:34:52 +0000
Subject: [tac_plus] Tac_plus passwd expiration
In-Reply-To:
References:
Message-ID: <20110223223451.GC28757@shrubbery.net>

Mon, Feb 21, 2011 at 03:52:07PM +0100, Francisco Fernandez:
> Hi there...
>
> First of all, sorry if this is not the appropriate method to ask you a
> question... If not, let me know.
>
> We are using tacacs+ on a linux server which provides authentication for many
> cisco routers with users defined in tacacs's linux operating system. Till
> now, validation was against the /etc/passwd file. The problem we have is that
> when a user's password expires in the linux operating system, the same user can
> continue logging into the routers without any error.
>
> I've been trying to avoid this using:
>
> /etc/shadow (but I always get "password has expired" even with an active
> password account)
> PAM: we don't get any error and I can telnet to our routers with our
> expired passwd.
>
> I've tried several tacacs versions and compiled several times with different
> options...
>
> Do you know how I can deny access to our routers to users with expired
> passwords?
there are two ways if using PAM;
1) expire in tac_plus.conf
2) pam checks expire field and returns failure, which probably depends on
   your pam config

and two if using a file like /etc/passwd (should deal w/ /etc/shadow
automatically):
1) expire in tac_plus.conf
2) make the shell field empty or not begin with '/'; see expire.c

From heas at shrubbery.net Wed Feb 23 22:46:48 2011
From: heas at shrubbery.net (john heasley)
Date: Wed, 23 Feb 2011 22:46:48 +0000
Subject: [tac_plus] Tac_plus passwd expiration
In-Reply-To: <20110223223451.GC28757@shrubbery.net>
References: <20110223223451.GC28757@shrubbery.net>
Message-ID: <20110223224648.GD28757@shrubbery.net>

Wed, Feb 23, 2011 at 10:34:52PM +0000, john heasley:
> and two if using a file like /etc/passwd (should deal w/ /etc/shadow
> automatically):
> 1) expire in tac_plus.conf
> 2) make the shell field empty or not begin with '/'; see expire.c

I misspoke; it ignores expire in tac_plus.conf for /etc/passwd.

From heas at shrubbery.net Sat Feb 26 18:32:43 2011
From: heas at shrubbery.net (john heasley)
Date: Sat, 26 Feb 2011 18:32:43 +0000
Subject: [tac_plus] command authorization
In-Reply-To: <088F826EA78A1F49A6A2AB8722B138EC3614625E55@IE2RD2XVS171.red002.local>
References: <088F826EA78A1F49A6A2AB8722B138EC3614625E55@IE2RD2XVS171.red002.local>
Message-ID: <20110226183243.GA14611@shrubbery.net>

Mon, Feb 21, 2011 at 11:20:40PM -0800, Antonio Ojea:
> Hello,
>
> I want to use tac_plus to deny some commands in our routers. I have tried
> with the do_auth script but I can't receive any av pairs to filter them.

the avps are read from stdin. see the do_auth.py script that comes with
tac_plus for an example.
From aojea at retegal.es Sat Feb 26 19:59:22 2011
From: aojea at retegal.es (Antonio Ojea)
Date: Sat, 26 Feb 2011 20:59:22 +0100 (CET)
Subject: [tac_plus] command authorization
In-Reply-To: <20110226183243.GA14611@shrubbery.net>
Message-ID: <14788855.713.1298750361967.JavaMail.root@zimbra.retegal.es>

there are no avps in stdin, that's the problem.
Cisco devices log the commands to the accounting log files, but there are no avps in stdin to do_auth.py. I have tacacs+-F4.0.4.19.tar.gz compiled on a 64-bit architecture.

I have other devices that don't show the commands in the accounting log, but that must be another problem.

----- Original message -----
From: "john heasley"
To: "Antonio Ojea"
CC: "tac_plus at shrubbery.net"
Sent: Saturday, 26 February 2011 19:32:43
Subject: Re: [tac_plus] command authorization

Mon, Feb 21, 2011 at 11:20:40PM -0800, Antonio Ojea:
> Hello,
>
> I want to use tac_plus to deny some commands in our routers. I have tried
> with the do_auth script but I can't receive any av pairs to filter them.

the avps are read from stdin. see the do_auth.py script that comes with
tac_plus for an example.

From kissg at ssg.ki.iif.hu Sun Feb 27 06:54:01 2011
From: kissg at ssg.ki.iif.hu (Kiss Gabor (Bitman))
Date: Sun, 27 Feb 2011 07:54:01 +0100 (CET)
Subject: [tac_plus] command authorization
In-Reply-To: <14788855.713.1298750361967.JavaMail.root@zimbra.retegal.es>
References: <14788855.713.1298750361967.JavaMail.root@zimbra.retegal.es>
Message-ID:

> there are no avps in stdin, that's the problem.
> Cisco devices log the commands to the accounting log files, but there are
> no avps in stdin to do_auth.py. I have tacacs+-F4.0.4.19.tar.gz compiled
> on a 64-bit architecture.
>
> I have other devices that don't show the commands in the accounting log,
> but that must be another problem.

Use the heavy artillery: strace. :-)

Gabor

--
A mug of beer, please. Shaken, not stirred.
From aojea at retegal.es Mon Feb 28 07:19:55 2011
From: aojea at retegal.es (Antonio Ojea)
Date: Mon, 28 Feb 2011 08:19:55 +0100
Subject: [tac_plus] command authorization
In-Reply-To:
References: <14788855.713.1298750361967.JavaMail.root@zimbra.retegal.es>
Message-ID: <008901cbd717$e7f601f0$b7e205d0$@es>

I have found my mistake. I can't see the avps because some routers were not configured to send them.

Cisco:
    aaa authorization commands 15 default group tacacs+ local

H3C:
    line vty 0 4
     authentication-mode scheme command-authorization

Thanks for your help

-----Original message-----
From: Kiss Gabor (Bitman) [mailto:kissg at ssg.ki.iif.hu]
Sent: Sunday, 27 February 2011 7:54
To: Antonio Ojea
CC: tac_plus at shrubbery.net
Subject: Re: [tac_plus] command authorization

> there are no avps in stdin, that's the problem.
> Cisco devices log the commands to the accounting log files, but there are
> no avps in stdin to do_auth.py. I have tacacs+-F4.0.4.19.tar.gz compiled
> on a 64-bit architecture.
>
> I have other devices that don't show the commands in the accounting log,
> but that must be another problem.

Use the heavy artillery: strace. :-)

Gabor

--
A mug of beer, please. Shaken, not stirred.
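As an added example (not tac_plus's own do_auth.py, and not code from any poster in this thread), here is a small Python post-authorization filter in the shape john heasley describes: av pairs arrive one per line on stdin, and the cmd/cmd-arg pairs only appear once the router is configured for command authorization as in Antonio's fix. The deny list is constructed for the example, and the exit-status mapping (0 = permit with the pairs echoed on stdout, 1 = deny) is an assumption to verify against the tac_plus users_guide for your version; the `=`/`*` separators and Cisco's `cmd`, `cmd-arg`, `<cr>` conventions are as the protocol and the debug log above show them.

```python
import sys

# An av pair as tac_plus hands it to an "after authorization" program: one per
# line on stdin. In the TACACS+ format "attr=value" is a mandatory pair and
# "attr*value" an optional one (the debug log above shows "cmd*": an exec
# start with an empty, optional cmd).
def parse_av_pairs(lines):
    """Return a list of (attribute, value, mandatory) tuples."""
    pairs = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        eq, star = line.find("="), line.find("*")
        if eq == -1 and star == -1:
            continue  # no separator at all: not an av pair, skip it
        # Whichever separator comes first is the real one; the other may be
        # part of the value (e.g. a regex passed in cmd-arg).
        if eq == -1 or (star != -1 and star < eq):
            pairs.append((line[:star], line[star + 1:], False))
        else:
            pairs.append((line[:eq], line[eq + 1:], True))
    return pairs


def command_line(pairs):
    """Rebuild the command the NAS asks about: Cisco sends cmd=<verb> plus one
    cmd-arg per word and terminates the list with cmd-arg=<cr>. An exec-start
    request carries an empty cmd and yields ''."""
    verb = [v for a, v, _ in pairs if a == "cmd" and v]
    args = [v for a, v, _ in pairs if a == "cmd-arg" and v != "<cr>"]
    return " ".join(verb + args)


def decide(pairs, denied_prefixes):
    """'deny' when the command begins with a denied prefix (compared word by
    word, so a prefix never matches part of a longer word), else 'permit'.
    Only service=shell command requests are filtered; exec starts pass."""
    service = next((v for a, v, _ in pairs if a == "service"), "")
    words = command_line(pairs).split()
    if service != "shell" or not words:
        return "permit"
    return "deny" if any(words[:len(p.split())] == p.split()
                         for p in denied_prefixes) else "permit"


DENIED = ["configure terminal", "reload", "write erase"]  # constructed list

if __name__ == "__main__":
    lines = sys.stdin.readlines()
    if decide(parse_av_pairs(lines), DENIED) == "deny":
        sys.exit(1)                       # ASSUMPTION: 1 = deny
    sys.stdout.write("".join(lines))      # hand the pairs back unchanged
    sys.exit(0)                           # ASSUMPTION: 0 = permit
```

Run it by hand with constructed input, e.g. `printf 'service=shell\ncmd=configure\ncmd-arg=terminal\ncmd-arg=<cr>\n' | python3 filter.py; echo $?`, before wiring it in as an after-authorization program.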