[tac_plus] Command authorization for IPv6
Daniel Schmidt
daniel.schmidt at wyo.gov
Thu Jun 9 17:16:50 UTC 2011
True that. Just sayin' the log might make it easier to see that it isn't
sent. What vendor, Cisco? Good luck getting them to fix it, I don't
think they ever fixed tacacs single-connection.
-----Original Message-----
From: John Payne [mailto:john at sackheads.org]
Sent: Thursday, June 09, 2011 11:02 AM
To: Daniel Schmidt
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] Command authorization for IPv6
On Jun 8, 2011, at 10:16 AM, Daniel Schmidt wrote:
> You may try do_auth.py - the log tells you the exact commands sent as
> it's sent to the after authorization script. Then, you can use Pyreb or
> something to come up with the perfect regular expressions to put in your
> tac_plus.conf. (or just put them in do_auth.py if you find that easier)
Thanks Daniel, but if the IP isn't being sent by the router, it's not going
to make it into do_auth.py either :(
>
> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net
> [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of john heasley
> Sent: Tuesday, June 07, 2011 5:58 PM
> To: John Payne
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] Command authorization for IPv6
>
> Mon, Jun 06, 2011 at 04:30:36PM -0400, John Payne:
>> Trying to authorize users to only configure neighbors and not
>> peer-groups (as an example). This is highly simplified just to
>> demonstrate the problem:
>>
>> cmd = neighbor {
>> permit [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+.*
>> permit ":.*"
>> deny .*
>> }
>>
>> (config-router)#nei 1:2:3:4:5:6:7:9 remote-as 1
>> Command authorization failed.
>>
>> Mon Jun 6 20:12:57 2011 [31045]: authorize_cmd: user=XXXX, cmd=neighbor
>> Mon Jun 6 20:12:57 2011 [31045]: line 284 compare neighbor permit '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+.*' & 'remote-as 1 <cr>' no match
>> Mon Jun 6 20:12:57 2011 [31045]: line 285 compare neighbor permit ':.*' & 'remote-as 1 <cr>' no match
>
> looks like the device is not sending the address. i haven't reviewed the
> code, but as i recall, it comes direct from (and is expanded to its
> canonical form by) the device.
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>
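The rule evaluation the quoted log records, reproduced as an added example that is not part of this thread or of tac_plus itself. It assumes tac_plus semantics as described in the thread: the `permit`/`deny` patterns of a `cmd = neighbor { ... }` block are tried in order as unanchored regular expressions against the argument string the device sent, the first match decides, and no match means deny. The `parse_compare_line` helper is a constructed aid for reading the `compare ... & '...' no match` log lines, so you can see exactly what the device sent (here, `remote-as 1 <cr>` with no address). The `ANCHORED_RULES` set is a constructed alternative, not something the thread proposes.

```python
import re
from typing import List, Optional, Tuple

Rule = Tuple[str, str]  # (action, regex) as in a tac_plus cmd block

# Constructed copy of the rule block quoted in the thread.
THREAD_RULES: List[Rule] = [
    ("permit", r"[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+.*"),
    ("permit", r":.*"),
    ("deny", r".*"),
]

# Constructed alternative (assumption: tac_plus honours '^' anchors, as POSIX
# regexec does). Requires the IPv4/IPv6 literal to be the *first* argument and
# requires at least one ':' in the IPv6 case, so a peer-group name that merely
# contains a colon somewhere later in the line is not accidentally permitted.
ANCHORED_RULES: List[Rule] = [
    ("permit", r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ "),
    ("permit", r"^[0-9a-fA-F]*:[0-9a-fA-F:]* "),
    ("deny", r".*"),
]


def authorize_cmd(args: str, rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """Evaluate a cmd block the way the thread describes tac_plus doing it.

    `args` is the argument string the device sent for the command (the part
    after 'neighbor'), e.g. '1.2.3.4 remote-as 1 <cr>'. Patterns are tried in
    order with unanchored search; the first hit wins. No hit -> deny.
    Returns (action, matching_pattern_or_None).
    """
    for action, pattern in rules:
        if re.search(pattern, args):
            return action, pattern
    return "deny", None


# Matches the 'compare' lines tac_plus writes in debug output, as quoted above.
_COMPARE_RE = re.compile(
    r"compare (?P<cmd>\S+) (?P<action>permit|deny) "
    r"'(?P<pattern>.*?)' & '(?P<args>.*)' (?P<result>no match|match)$"
)


def parse_compare_line(line: str) -> Optional[dict]:
    """Pull cmd, rule and the device-supplied args out of one compare log line.

    Returns None for lines that are not compare lines. The 'args' field is
    the authoritative record of what the device actually sent.
    """
    m = _COMPARE_RE.search(line)
    return m.groupdict() if m else None


# Constructed log line, copied from the thread's quoted output.
SAMPLE_LOG_LINE = (
    "Mon Jun 6 20:12:57 2011 [31045]: line 285 compare neighbor permit "
    "':.*' & 'remote-as 1 <cr>' no match"
)

if __name__ == "__main__":
    parsed = parse_compare_line(SAMPLE_LOG_LINE)
    print("device sent:", repr(parsed["args"]))
    for args in ("remote-as 1 <cr>",                      # what the log shows
                 "1:2:3:4:5:6:7:9 remote-as 1 <cr>",      # what was typed
                 "1.2.3.4 remote-as 1 <cr>",
                 "MYPEERS description a:b <cr>"):         # peer-group, colon later
        print(f"{args!r}: thread={authorize_cmd(args, THREAD_RULES)[0]} "
              f"anchored={authorize_cmd(args, ANCHORED_RULES)[0]}")
```

Running it reproduces the failure in the thread: with the address stripped, `remote-as 1 <cr>` falls through both permits to `deny .*`, whereas the same command with the IPv6 literal present is permitted by `:.*`. The last sample line shows why the unanchored `:.*` is wider than intended: any neighbor argument containing a colon anywhere (a peer-group description, for instance) is permitted by the thread's rules, while the anchored variant denies it.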