[tac_plus] Command authorization for IPv6

Daniel Schmidt daniel.schmidt at wyo.gov
Wed Jun 8 14:16:47 UTC 2011


You may try do_auth.py - the log tells you the exact commands as they are
sent to the after-authorization script.  Then you can use Pyreb or
something to come up with the perfect regular expressions to put in your
tac_plus.conf (or just put them in do_auth.py if you find that easier).

-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of john heasley
Sent: Tuesday, June 07, 2011 5:58 PM
To: John Payne
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] Command authorization for IPv6

Mon, Jun 06, 2011 at 04:30:36PM -0400, John Payne:
> Trying to authorize users to only configure neighbors and not peer-groups
> (as an example).  This is highly simplified just to demonstrate the problem:
>
>         cmd = neighbor {
>                 permit [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+.*
>                 permit ":.*"
>                 deny .*
>         }
>
>
> (config-router)#nei 1:2:3:4:5:6:7:9 remote-as 1
> Command authorization failed.
>
>
> Mon Jun  6 20:12:57 2011 [31045]: authorize_cmd: user=XXXX, cmd=neighbor
> Mon Jun  6 20:12:57 2011 [31045]: line 284 compare neighbor permit '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+.*' & 'remote-as 1 <cr>' no match
> Mon Jun  6 20:12:57 2011 [31045]: line 285 compare neighbor permit ':.*' & 'remote-as 1 <cr>' no match

Looks like the device is not sending the address.  I haven't reviewed the
code, but as I recall, it comes direct from (and is expanded to its
canonical form by) the device.
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
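The "compare neighbor permit '<regex>' & '<args>' no match" log lines quoted above show what tac_plus actually evaluates: the argument string the device sent (with the command name stripped and " <cr>" appended), walked against the permit/deny rules of the cmd block in order until one matches. The script below is an added example, not code from the tac_plus project, from do_auth.py, or from anyone in this thread. It parses a tac_plus.conf-style cmd block, replays that rule walk over constructed argument strings (the one the log shows arriving, an IPv4 neighbor, a canonical IPv6 neighbor, and a peer-group definition), and prints a trace in the same shape as the log, so a rule set can be checked offline before it goes into the config. Assumptions, labelled in the code: the regex is applied as an unanchored search over the argument string, a cmd block with no matching rule denies, and Python's re module stands in for the POSIX regex library tac_plus links against (the two differ on some syntax, so confirm against your own tac_plus log before trusting a result).

```python
"""Offline replay of tac_plus cmd-block authorization (added example).

Not tac_plus code and not do_auth.py: a small tester that mimics the rule walk
visible in the tac_plus log lines quoted in this thread.
"""
import re

# Constructed config fragment: the cmd block from the thread, verbatim.
CONF = r"""
cmd = neighbor {
    permit [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+.*
    permit ":.*"
    deny .*
}
"""

_CMD_RE = re.compile(r'^\s*cmd\s*=\s*(\S+)\s*\{\s*$')
_RULE_RE = re.compile(r'^\s*(permit|deny)\s+(.+?)\s*$')


def parse_cmd_blocks(text):
    """Return {command: [(action, regex), ...]} keeping file order.

    Only `cmd = NAME { permit/deny REGEX ... }` blocks are understood; the
    rest of a real tac_plus.conf is ignored.  A regex may be written bare or
    in double quotes, as in the thread's example.
    """
    blocks, current = {}, None
    for line in text.splitlines():
        m = _CMD_RE.match(line)
        if m:
            current = m.group(1)
            blocks[current] = []
            continue
        if current is None:
            continue
        if line.strip() == '}':
            current = None
            continue
        m = _RULE_RE.match(line)
        if m:
            action, pattern = m.groups()
            if len(pattern) >= 2 and pattern[0] == pattern[-1] == '"':
                pattern = pattern[1:-1]          # drop surrounding quotes
            blocks[current].append((action, pattern))
    return blocks


def authorize(blocks, command, args, default='deny'):
    """First matching rule decides; returns (decision, rule_index, trace).

    `args` is the argument list as the NAS sends it, without the command name.
    Assumption: tac_plus joins the arguments with spaces, appends " <cr>" and
    runs an unanchored regex search (this matches the logged comparison
    strings).  Assumption: no matching rule means `default` (deny).
    `trace` mirrors the "compare ..." lines tac_plus writes to its log.
    """
    argstr = ' '.join(args) + ' <cr>'
    trace = []
    for i, (action, pattern) in enumerate(blocks.get(command, [])):
        matched = re.search(pattern, argstr) is not None   # assumed unanchored
        trace.append(f"compare {command} {action} '{pattern}' & '{argstr}' "
                     f"{'match' if matched else 'no match'}")
        if matched:
            return action, i, trace
    return default, None, trace


if __name__ == '__main__':
    blocks = parse_cmd_blocks(CONF)
    # Constructed argument lists for "neighbor ..." as a NAS might send them.
    cases = [
        ['remote-as', '1'],                      # what the quoted log shows arriving
        ['1.2.3.4', 'remote-as', '1'],           # IPv4 neighbor
        ['1:2:3:4:5:6:7:9', 'remote-as', '1'],   # IPv6 neighbor, canonical form
        ['PEERS', 'peer-group'],                 # defining a peer-group: should deny
    ]
    for args in cases:
        decision, idx, trace = authorize(blocks, 'neighbor', args)
        print('\n'.join(trace))
        print('=>', decision, '(rule', idx, ')\n')
```

Running it shows the thread's failure directly: with only "remote-as 1 <cr>" in the argument string neither permit rule can match and the trailing `deny .*` fires, whereas the same rules permit "1:2:3:4:5:6:7:9 remote-as 1 <cr>" once the address is present. It also makes the breadth of `permit ":.*"` visible: any argument string containing a colon is permitted, so tighten the patterns (anchor them, match the whole expected form) before relying on them to keep users away from peer-groups.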

