From my007ms at yahoo.com Sun Jan 2 22:19:27 2011
From: my007ms at yahoo.com (MSamir)
Date: Sun, 02 Jan 2011 22:19:27 -0000
Subject: [tac_plus] tacacs+-F4.0.4.19 and skey-1.1.5 skeychalleng function difference in definition
Message-ID: <177286.42439.qm@web110613.mail.gq1.yahoo.com>

Can anyone help with this, please?

--- On Thu, 12/30/10, MSamir wrote:

> From: MSamir
> Subject: tacacs+-F4.0.4.19 and skey-1.1.5 skeychalleng function difference in definition
> To: tac_plus at shrubbery.net
> Date: Thursday, December 30, 2010, 5:26 AM
>
> Hello,
>
> I am trying to compile tacacs+ with skey support, however
> there is a difference in the definition of the skeychallenge function.
>
> Tacacs+ tries to pass 4 args to the function
> =====================================================================
> [root at TACACS tacacs+-F4.0.4.19]# grep skeychallenge skey_fn.c
>             if (skeychallenge(&p->skey, name, skeyprompt, 80) == 0) {
> =====================================================================
>
> while the function definition expects only 3 args
> =====================================================================
> [root at TACACS skey-1.1.5]# grep skeychallenge *.h
> skey.h:int skeychallenge(struct skey * mp, char *name, char *ss);
> =====================================================================

From charanjitjassar at yahoo.com Mon Jan 24 23:47:34 2011
From: charanjitjassar at yahoo.com (charanjit singh)
Date: Mon, 24 Jan 2011 15:47:34 -0800 (PST)
Subject: [tac_plus] Info - Tacacs +
Message-ID: <612738.31628.qm@web33904.mail.mud.yahoo.com>

Hi Team,

I am working as a Network Admin for a company. We are currently setting up a new Tacacs+ solution for AAA on our devices.

I have a query --

We are running the Tacacs+ daemon on a Unix machine. The authentication is working fine on Cisco devices.
Now I have added another group for WAN Accelerators; it's just a Monitoring group.

Is it possible that a user can be a member of the Cisco Admin group and the WAN Accelerator Monitoring group? As per my checks a user can belong to just one group in Tacacs+.

Can I work towards a solution for my requirement by doing Nested Groups? Is it possible that I create a Composite Group and then add both the Admin and WAN Accelerator groups to it as Member Groups? Do you have a sample configuration? I tried it but I was unable to compile / save the Configuration file.

Any help would be appreciated.

Regards,
Charanjit Jassar

From heas at shrubbery.net Tue Jan 25 01:03:16 2011
From: heas at shrubbery.net (john heasley)
Date: Tue, 25 Jan 2011 01:03:16 +0000
Subject: [tac_plus] Info - Tacacs +
In-Reply-To: <612738.31628.qm@web33904.mail.mud.yahoo.com>
References: <612738.31628.qm@web33904.mail.mud.yahoo.com>
Message-ID: <20110125010316.GW25566@shrubbery.net>

Mon, Jan 24, 2011 at 03:47:34PM -0800, charanjit singh:
> Hi Team,
>
> I am working as a Network Admin for a company. We are currently setting up a new Tacacs+ solution for AAA on our devices.
>
> I have a query --
>
> We are running the Tacacs+ daemon on a Unix machine. The authentication
> is working fine on Cisco devices. Now i have added another group for WAN
> Accelerators , its just a Monitoring group
>
> Is it possible that a user can be a member of Cisco Admin group and WAN Accelerator Monitoring group

no, essentially only one group. a patch was offered to add this and it's being worked on to import it into the tree with a rewrite of the configuration parser. search the maillist for the patch from Gabor.

> As per my checks a user can belong to just one group in Tacacs+.
>
> Can i work towards a solution for my requirement by doing Nested Groups.
> Is it possible that i create a Composite Group and then add both the Admin and WAN Accelerator groups in it as Member Groups. Do you have a sample configuration
>
> I tried it but i was unable to compile / save the Configuration file
>
> Any help would be appreciated.
>
> Regards,
> Charanjit Jassar
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

From kissg at ssg.ki.iif.hu Tue Jan 25 05:21:52 2011
From: kissg at ssg.ki.iif.hu (Kiss Gabor (Bitman))
Date: Tue, 25 Jan 2011 06:21:52 +0100 (CET)
Subject: [tac_plus] Info - Tacacs +
In-Reply-To: <612738.31628.qm@web33904.mail.mud.yahoo.com>
References: <612738.31628.qm@web33904.mail.mud.yahoo.com>
Message-ID:

> Is it possible that a user can be a member of Cisco Admin group and WAN Accelerator Monitoring group
>
> As per my checks a user can belong to just one group in Tacacs+.
>
> Can i work towards a solution for my requirement by doing Nested Groups.

http://bakacsin.ki.iif.hu/~kissg/pd/tac_plus/README

Regards
Gabor

From emvergb at gmail.com Fri Jan 28 13:17:54 2011
From: emvergb at gmail.com (emvergb at gmail.com)
Date: Fri, 28 Jan 2011 21:17:54 +0800
Subject: [tac_plus] Info - Tacacs +
In-Reply-To: <612738.31628.qm@web33904.mail.mud.yahoo.com>
References: <612738.31628.qm@web33904.mail.mud.yahoo.com>
Message-ID: <825CC9F5C45E422BA6BE70542A44073A@WIN7ULT>

Hi Charanjit,

You don't need a nested group to achieve all your requirements. Learn how authorization scripts work. It's how I resolved all my requirements of having different privileges (rw, ro, no access) to every NAS plus command authorization from a single username.
Regards,
Emver

From dkfloyd at OneCommunications.com Thu Jan 27 17:43:25 2011
From: dkfloyd at OneCommunications.com (Floyd, Devin)
Date: Thu, 27 Jan 2011 12:43:25 -0500
Subject: [tac_plus] regular expression for IP address
Message-ID:

Hello,

I have Shrubbery TACACS+ F4.0.4.15 running on a Linux server. I am trying to set up an ACL for a group of users but am having trouble getting it to work. Your website says that the IP addresses need to be encoded in the config file using Regular Expressions, but I'm not having any luck with getting it to work.
Example: allow access to IP 10.151.6.1

Following the rules for regular expressions, I'm thinking the IP should be encoded as:

10\.151\.6\.1 or even ^10\.151\.6\.1$

But neither works.

ex:

acl = ACL-test {
    permit = 10\.151\.6\.1
    deny = .*
}

What should the regular expression be to allow that IP address? If I can get that one figured out, I can finish adding the rest of the IPs.

Thanks for the help,
Devin

From Jan.Krueger at qsc.de Fri Jan 28 11:17:43 2011
From: Jan.Krueger at qsc.de ("Krüger, Jan")
Date: Fri, 28 Jan 2011 12:17:43 +0100
Subject: [tac_plus] tac_plus vs. MRV Communication Devices
Message-ID: <7E22B79792CB4B4BB92EA60FB75B86131F681674DC@CGNMSG01.oc.qsc.de>

Hi all,

has anybody set up a tac_plus server for MRV devices like the MR2228-S2C? I would like to grant some users privilege level 15 on the CLI, so the user doesn't have to enter the enable password. I asked Google the whole morning, but I can't find any note.

I've tried:

service = exec {
    priv-lvl=15
}

But this only works on Cisco switches. This one doesn't work either:

service = shell {
    priv-lvl=15
}

Thanks for help!

regards
jan

From alan.mckinnon at gmail.com Fri Jan 28 20:26:33 2011
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Fri, 28 Jan 2011 22:26:33 +0200
Subject: [tac_plus] regular expression for IP address
In-Reply-To:
References:
Message-ID: <201101282226.33781.alan.mckinnon@gmail.com>

Apparently, though unproven, at 19:43 on Thursday 27 January 2011, Floyd, Devin did opine thusly:

> Hello,
>
> I have Shrubbery TACACS+ F4.0.4.15 running on a Linux server. I am
> trying to setup an ACL for a group of users but am having trouble
> getting it to work. Your website says that the IP addresses need to be
> encoded in the config file using Regular Expressions, but I'm not having
> any luck with getting it to work.
>
> Example:
>
> allow access to IP 10.151.6.1
>
> Following the rules for regular expressions, I'm thinking the IP should
> be encoded as:
>
> 10\.151\.6\.1 or even ^10\.151\.6\.1$

The second one works; it's what I use on 4.0.4.18 and 4.0.4.19. Syntax exactly the same as your example below.

Run tac_plus with -d8 -d16; the logged output should tell you why it's failing.

> But neither work.
>
> ex:
>
> acl = ACL-test {
>     permit = 10\.151\.6\.1
>     deny = .*
> }
>
> What should the regular expression be to allow that IP address? If I
> can get that one figured out, I can finish adding the rest of the IPs.
>
> Thanks for the help,
> Devin

-- 
alan dot mckinnon at gmail dot com
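Added example, not from the thread or from tac_plus itself: a small first-match model of the ACL-test block, comparing Devin's unanchored pattern with the ^...$ form Alan recommends. It assumes (as the thread does not state) that each pattern is applied as an ordinary regex search against the NAS address; the ACL entries and the test addresses are constructed.

```python
import re
from typing import Dict, List, Tuple

AclEntry = Tuple[str, str]  # (action, regex)

# Constructed ACLs modelled on the acl = ACL-test { ... } block in the thread:
# one with the unanchored permit pattern, one with the ^...$ form.
UNANCHORED_ACL: List[AclEntry] = [("permit", r"10\.151\.6\.1"), ("deny", r".*")]
ANCHORED_ACL: List[AclEntry] = [("permit", r"^10\.151\.6\.1$"), ("deny", r".*")]


def acl_decision(acl: List[AclEntry], nas_ip: str, default: str = "deny") -> str:
    """Walk the ACL in order and return the action of the first matching entry.

    Assumption (not stated in the thread): each pattern is applied as an
    unanchored regex search against the NAS address, so an entry without
    ^ and $ also matches longer addresses that merely contain the pattern.
    """
    for action, pattern in acl:
        if re.search(pattern, nas_ip):
            return action
    return default


def lint_acl(acl: List[AclEntry]) -> List[str]:
    """Return permit patterns that are not anchored on both ends.

    These entries can silently over-permit: a pattern written for one host
    also matches 10.151.6.10 or 110.151.6.1.
    """
    return [p for action, p in acl
            if action == "permit" and not (p.startswith("^") and p.endswith("$"))]


def compare(acls: Dict[str, List[AclEntry]], nas_ips: List[str]) -> Dict[str, Dict[str, str]]:
    """Decision of every ACL for every address: {ip: {acl_name: action}}."""
    return {ip: {name: acl_decision(acl, ip) for name, acl in acls.items()}
            for ip in nas_ips}


if __name__ == "__main__":
    # Constructed NAS addresses: the intended host plus three look-alikes.
    hosts = ["10.151.6.1", "10.151.6.10", "110.151.6.1", "10.151.6.2"]
    acls = {"unanchored": UNANCHORED_ACL, "anchored": ANCHORED_ACL}
    for ip, result in compare(acls, hosts).items():
        print(f"{ip:>12}  " + "  ".join(f"{n}={a}" for n, a in result.items()))
    print("unanchored permit patterns to fix:", lint_acl(UNANCHORED_ACL))
```

The unanchored form permits 10.151.6.10 and 110.151.6.1 as well as the intended host, so anchoring matters for correctness, not only for getting the entry to match.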