[tac_plus] Command authorization for IPv6

[John Payne]

On Jun 8, 2011, at 10:16 AM, Daniel Schmidt wrote:

> You may try do_auth.py - the log tells you the exact commands sent as it's
> sent to the after authorization script.  Then, you can use Pyreb or
> something to come up with the perfect regular expressions to put in your
> tac_plus.conf.  (or just put them in do_auth.py if you find that easier)

Thanks Daniel, but if the IP isn't being sent by the router, its not going to make it into do_auth.py either :(

> 
> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net
> [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of john heasley
> Sent: Tuesday, June 07, 2011 5:58 PM
> To: John Payne
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] Command authorization for IPv6
> 
> Mon, Jun 06, 2011 at 04:30:36PM -0400, John Payne:
>> Trying to authorize users to only configure neighbors and not
> peer-groups (as an example).  This is highly simplified just to
> demonstrate the problem:
>> 
>>        cmd = neighbor {
>>                permit [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+.*
>>                permit ":.*"
>>                deny .*
>>        }
>> 
>> 
>> (config-router)#nei 1:2:3:4:5:6:7:9 remote-as 1
>> Command authorization failed.
>> 
>> 
>> Mon Jun  6 20:12:57 2011 [31045]: authorize_cmd: user=XXXX, cmd=neighbor
>> Mon Jun  6 20:12:57 2011 [31045]: line 284 compare neighbor permit
> '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+.*' & 'remote-as 1 <cr>' no match
>> Mon Jun  6 20:12:57 2011 [31045]: line 285 compare neighbor permit ':.*'
> & 'remote-as 1 <cr>' no match
> 
> looks like the device is not sending the address.  i havent reviewed the
> code,
> but as i recall, it comes direct from (and is expanded to its canonical
> form
> by) the device.
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>