[tac_plus] Command authorization for IPv6

John Payne john at sackheads.org
Mon Jun 6 20:30:36 UTC 2011


Trying to authorize users to only configure neighbors and not peer-groups (as an example). This is highly simplified just to demonstrate the problem:

        cmd = neighbor {
                permit [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+.*
                permit ":.*"
                deny .*
        }


(config-router)#nei 1:2:3:4:5:6:7:9 remote-as 1
Command authorization failed.


Mon Jun  6 20:12:57 2011 [31045]: authorize_cmd: user=XXXX, cmd=neighbor
Mon Jun  6 20:12:57 2011 [31045]: line 284 compare neighbor permit '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+.*' & 'remote-as 1 <cr>' no match
Mon Jun  6 20:12:57 2011 [31045]: line 285 compare neighbor permit ':.*' & 'remote-as 1 <cr>' no match
Mon Jun  6 20:12:57 2011 [31045]: line 286 compare neighbor deny '.*' & 'remote-as 1 <cr>' match
Mon Jun  6 20:12:57 2011 [31045]: neighbor remote-as 1 <cr> denied by line 286
Mon Jun  6 20:12:57 2011 [31045]: authorization query for 'XXXX' tty1 from yyy.yyy.yyy.yyy rejected


Vs:

(config-router)#nei 1.2.3.4 remote-as 1

Mon Jun  6 20:13:50 2011 [31116]: authorize_cmd: user=XXXX, cmd=neighbor
Mon Jun  6 20:13:50 2011 [31116]: line 284 compare neighbor permit '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+.*' & '1.2.3.4 remote-as 1 <cr>' match
Mon Jun  6 20:13:50 2011 [31116]: neighbor 1.2.3.4 remote-as 1 <cr> permitted by line 284
Mon Jun  6 20:13:50 2011 [31116]: authorization query for 'XXXX' tty1 from yyy.yyy.yyy.yyy accepted


So it seems as though IPv6 addresses are not being passed through the authorization command. I have yet to determine whether this is between the router and tac_plus or internal to tac_plus. Before I go too deep, has anyone else run into this?

Thanks
John
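The following is an added worked example, not code from the post or from tac_plus itself. It models tac_plus's first-match-wins evaluation of the permit/deny lines in a cmd block, using Python's re.search as a stand-in for an unanchored POSIX regexec (that is an assumption, but it is consistent with the debug lines above, where ':.*' is compared against the whole argument string). It replays the three argument strings from the log, plus a constructed fourth one, and shows that with the full IPv6 string the posted policy would have permitted the command on line 2, so the address is being lost before the regex comparison rather than being rejected by it. The ANCHORED_RULES set is a hypothetical hardening of the posted policy, added here to show why unanchored patterns like ':.*' match more than intended.

```python
import re

# Rules copied from the post's simplified "cmd = neighbor" block. Order
# matters: tac_plus walks the lines top to bottom and the first match decides.
NEIGHBOR_RULES = [
    ("permit", r"[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+.*"),
    ("permit", r":.*"),
    ("deny",   r".*"),
]

# Hypothetical tightened policy (not from the post): anchor each permit at the
# start of the argument string so only an address in the first position passes.
ANCHORED_RULES = [
    ("permit", r"^[0-9]+(\.[0-9]+){3} "),              # IPv4 neighbor address
    ("permit", r"^[0-9A-Fa-f]*:[0-9A-Fa-f:]* "),       # IPv6 neighbor address
    ("deny",   r".*"),
]


def nas_arg_string(args):
    """Render the argument list the way the debug log shows it:
    space-joined with a trailing '<cr>' marker."""
    return " ".join(list(args) + ["<cr>"])


def authorize_cmd(rules, arg_string):
    """First-match-wins evaluation of permit/deny lines.

    re.search is unanchored, like regexec on the pattern as written.
    Returns (decision, 1-based rule index). If nothing matches, the
    command is denied (assumption: tac_plus denies unmatched commands)."""
    for idx, (action, pattern) in enumerate(rules, start=1):
        if re.search(pattern, arg_string):
            return action, idx
    return "deny", None


# Constructed inputs. The first two are exactly the strings the debug log
# shows tac_plus comparing; the third is what the NAS would be expected to
# send for the IPv6 neighbor; the fourth shows the effect of an unanchored ':'.
CASES = {
    "ipv6 as logged":        nas_arg_string(["remote-as", "1"]),
    "ipv4 as logged":        nas_arg_string(["1.2.3.4", "remote-as", "1"]),
    "ipv6 expected":         nas_arg_string(["1:2:3:4:5:6:7:9", "remote-as", "1"]),
    "colon in description":  nas_arg_string(["PEERS", "description", "foo:bar"]),
}


def evaluate_all(rules=NEIGHBOR_RULES):
    """Run every case through the given rule set; returns {name: (decision, line)}."""
    return {name: authorize_cmd(rules, s) for name, s in CASES.items()}


if __name__ == "__main__":
    for label, rules in (("posted policy", NEIGHBOR_RULES),
                         ("anchored policy", ANCHORED_RULES)):
        print(label)
        for name, (decision, line) in evaluate_all(rules).items():
            print(f"  {name:22s} -> {decision} (line {line})")
```

Run as-is it prints the decision and matching line for each case under both rule sets. Under the posted policy the logged IPv6 string 'remote-as 1 <cr>' falls through to the deny on line 3 exactly as in the debug output, while the full '1:2:3:4:5:6:7:9 remote-as 1 <cr>' would be permitted by line 2; the policy itself is not what rejects the command. The fourth case is the practitioner's caveat: an unanchored ':.*' also permits 'neighbor PEERS description foo:bar', which the anchored variant denies.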

