From DSchmi at wyo.gov Thu Mar 3 17:44:41 2011
From: DSchmi at wyo.gov (Schmidt, Daniel)
Date: Thu, 3 Mar 2011 10:44:41 -0700
Subject: [tac_plus] Group access enable - possible bug
Message-ID: <39E5005946A1ED418535F93C882A1C02B902B5E47A@006EX-MB1.wyo.gov>

If a member is explicitly put in a group, file enable password works. However,
if that user is a member of that group via user = DEFAULT, it does not work. As
you can see from the debug, it checks do_auth_access, but does not return a
value. Finding the specific user however, makes it suddenly work. This should
not be so - the recurse group is the same for both. Comments?

Tue Mar 1 15:18:05 2011 [27114]: cfg_get_value: name=dans isuser=1 attr=enableacl rec=1
Tue Mar 1 15:18:05 2011 [27114]: cfg_get_value: recurse group = do_auth_access
Tue Mar 1 15:18:05 2011 [27114]: cfg_get_pvalue: returns NULL
Tue Mar 1 15:18:05 2011 [27114]: cfg_get_value: name=dans isuser=1 attr=enable rec=1
Tue Mar 1 15:18:05 2011 [27114]: cfg_get_value: recurse group = do_auth_access
Tue Mar 1 15:18:05 2011 [27114]: cfg_get_pvalue: returns file /etc/passwd
Tue Mar 1 15:18:05 2011 [27114]: cfg_get_value: name=dans isuser=1 attr=expires rec=1
Tue Mar 1 15:18:05 2011 [27114]: cfg_get_value: recurse group = do_auth_access
Tue Mar 1 15:18:05 2011 [27114]: cfg_get_pvalue: returns NULL
Tue Mar 1 15:18:05 2011 [27114]: enable query for 'dans' tty322 from 159.238.233.20 accepted

Defined user: (Should not be required)
user = dans {
        member = do_auth_access
}

Default user:
user = DEFAULT {
        member = do_auth_access
}

From adudek16 at gmail.com Fri Mar 11 16:02:21 2011
From: adudek16 at gmail.com (Aaron Dudek)
Date: Fri, 11 Mar 2011 11:02:21 -0500
Subject: [tac_plus] Problems getting des support when compiling solaris 10
Message-ID:

solaris 10
Not sure what setting I am missing.
I've set ARAP_DES in as a define and predictably get the following error.
default_fn.c:35:22: arap_des.h: No such file or directory
It has been awhile since I've done (solaris 8) this but I cannot
remember how I did it before.

tia

Aaron

From dudepron at gmail.com Fri Mar 11 16:33:21 2011
From: dudepron at gmail.com (Aaron)
Date: Fri, 11 Mar 2011 11:33:21 -0500
Subject: [tac_plus] tacacs with des compilation issues on solaris 10
Message-ID:

solaris 10
Not sure what setting I am missing.
I've set ARAP_DES in as a define and predictably get the following error.
default_fn.c:35:22: arap_des.h: No such file or directory
It has been awhile since I've done (solaris 8) this but I cannot
remember how I did it before.

tia

Aaron
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From heas at shrubbery.net Fri Mar 11 21:37:59 2011
From: heas at shrubbery.net (john heasley)
Date: Fri, 11 Mar 2011 21:37:59 +0000
Subject: [tac_plus] tacacs with des compilation issues on solaris 10
In-Reply-To:
References:
Message-ID: <20110311213759.GD6279@shrubbery.net>

Fri, Mar 11, 2011 at 11:33:21AM -0500, Aaron:
> solaris 10
> Not sure what setting I am missing.
> I've set ARAP_DES in as a define and predictably get the following error.
> default_fn.c:35:22: arap_des.h: No such file or directory

i'm not familiar with the arap stuff, but it requires a DES library with the
functions
        des_init(0);
        des_setkey(secret);
        des_endes(r_chal);
        des_done();
if you have that, you can probably just remove that include.

what hardware are you using that uses arap?

> It has been awhile since I've done (solaris 8) this but I cannot
> remember how I did it before.
>
> tia
>
> Aaron
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

From dudepron at gmail.com Sat Mar 12 01:36:07 2011
From: dudepron at gmail.com (Aaron)
Date: Fri, 11 Mar 2011 20:36:07 -0500
Subject: [tac_plus] tacacs with des compilation issues on solaris 10
In-Reply-To: <20110311213759.GD6279@shrubbery.net>
References: <20110311213759.GD6279@shrubbery.net>
Message-ID:

Nothing really just thought that was how to do it by reading the tac_plus.h
file.
I'm sure that the des library does support those functions. It is possible
that I'm not linking the des to tac_plus.h file correctly by just removing
the comments around the #define arap_des.

Aaron

On Fri, Mar 11, 2011 at 16:37, john heasley wrote:

> Fri, Mar 11, 2011 at 11:33:21AM -0500, Aaron:
> > solaris 10
> > Not sure what setting I am missing.
> > I've set ARAP_DES in as a define and predictably get the following error.
> > default_fn.c:35:22: arap_des.h: No such file or directory
>
> i'm not familiar with the arap stuff, but it requires a DES library with the
> functions
>         des_init(0);
>         des_setkey(secret);
>         des_endes(r_chal);
>         des_done();
> if you have that, you can probably just remove that include.
>
> what hardware are you using that uses arap?
>
> > It has been awhile since I've done (solaris 8) this but I cannot
> > remember how I did it before.
> >
> > tia
> >
> > Aaron
> > -------------- next part --------------
> > An HTML attachment was scrubbed...
> > URL: <
> http://www.shrubbery.net/pipermail/tac_plus/attachments/20110311/745e7227/attachment.html
> >
> > _______________________________________________
> > tac_plus mailing list
> > tac_plus at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From dudepron at gmail.com Tue Mar 15 18:55:14 2011
From: dudepron at gmail.com (Aaron)
Date: Tue, 15 Mar 2011 14:55:14 -0400
Subject: [tac_plus] tacacs with des compilation issues on solaris 10
In-Reply-To:
References: <20110311213759.GD6279@shrubbery.net>
Message-ID:

Hmm. Not sure why it was broken. just redid it and it seems fine.

Aaron

On Fri, Mar 11, 2011 at 20:36, Aaron wrote:

> Nothing really just thought that was how to do it by reading the tac_plus.h
> file.
> I'm sure that the des library does support those functions. It is possible
> that I'm not linking the des to tac_plus.h file correctly by just removing
> the comments around the #define arap_des.
>
> Aaron
>
>
>
> On Fri, Mar 11, 2011 at 16:37, john heasley wrote:
>
>> Fri, Mar 11, 2011 at 11:33:21AM -0500, Aaron:
>> > solaris 10
>> > Not sure what setting I am missing.
>> > I've set ARAP_DES in as a define and predictably get the following error.
>> > default_fn.c:35:22: arap_des.h: No such file or directory
>>
>> i'm not familiar with the arap stuff, but it requires a DES library with the
>> functions
>>         des_init(0);
>>         des_setkey(secret);
>>         des_endes(r_chal);
>>         des_done();
>> if you have that, you can probably just remove that include.
>>
>> what hardware are you using that uses arap?
>>
>> > It has been awhile since I've done (solaris 8) this but I cannot
>> > remember how I did it before.
>> >
>> > tia
>> >
>> > Aaron
>> > -------------- next part --------------
>> > An HTML attachment was scrubbed...
>> > URL: <
>> http://www.shrubbery.net/pipermail/tac_plus/attachments/20110311/745e7227/attachment.html
>> >
>> > _______________________________________________
>> > tac_plus mailing list
>> > tac_plus at shrubbery.net
>> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From dudepron at gmail.com Tue Mar 15 19:15:01 2011
From: dudepron at gmail.com (Aaron)
Date: Tue, 15 Mar 2011 15:15:01 -0400
Subject: [tac_plus] tacacs with des compilation issues on solaris 10
In-Reply-To:
References: <20110311213759.GD6279@shrubbery.net>
Message-ID:

Spoke too soon. Had the des part commented out.

On Tue, Mar 15, 2011 at 14:55, Aaron wrote:

> Hmm. Not sure why it was broken. just redid it and it seems fine.
>
> Aaron
>
>
> On Fri, Mar 11, 2011 at 20:36, Aaron wrote:
>
>> Nothing really just thought that was how to do it by reading the tac_plus.h
>> file.
>> I'm sure that the des library does support those functions. It is possible
>> that I'm not linking the des to tac_plus.h file correctly by just removing
>> the comments around the #define arap_des.
>>
>> Aaron
>>
>>
>>
>> On Fri, Mar 11, 2011 at 16:37, john heasley wrote:
>>
>>> Fri, Mar 11, 2011 at 11:33:21AM -0500, Aaron:
>>> > solaris 10
>>> > Not sure what setting I am missing.
>>> > I've set ARAP_DES in as a define and predictably get the following error.
>>> > default_fn.c:35:22: arap_des.h: No such file or directory
>>>
>>> i'm not familiar with the arap stuff, but it requires a DES library with the
>>> functions
>>>         des_init(0);
>>>         des_setkey(secret);
>>>         des_endes(r_chal);
>>>         des_done();
>>> if you have that, you can probably just remove that include.
>>>
>>> what hardware are you using that uses arap?
>>>
>>> > It has been awhile since I've done (solaris 8) this but I cannot
>>> > remember how I did it before.
>>> >
>>> > tia
>>> >
>>> > Aaron
>>> > -------------- next part --------------
>>> > An HTML attachment was scrubbed...
>>> > URL: <
>>> http://www.shrubbery.net/pipermail/tac_plus/attachments/20110311/745e7227/attachment.html
>>> >
>>> > _______________________________________________
>>> > tac_plus mailing list
>>> > tac_plus at shrubbery.net
>>> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From DSchmi at wyo.gov Tue Mar 15 21:52:20 2011
From: DSchmi at wyo.gov (Schmidt, Daniel)
Date: Tue, 15 Mar 2011 15:52:20 -0600
Subject: [tac_plus] Multiple Groups / Restricting Source IP
Message-ID: <39E5005946A1ED418535F93C882A1C02B903DA4E29@006EX-MB1.wyo.gov>

I notice this question got asked a couple times over the last year. I am
hopeful that this title will enable this to be Googled so John does not have
to explain "after authentication scripts" again as he and others did for me a
year or two ago. (Thanks John/others)

After authentication scripts can allow extended configuration for those who
wish to do more than basic tacacs configuration. You can force user to connect
only from 10.1.1.1 if that is what you require. Or, if you want to make sure
user 'Homer' connected to device '10.1.1.1' can only do 'show users' when
connecting from '192.168.1.1', you CAN do that. (Though "why" might be an
appropriate question) It's simply a matter of matching strings.

If you are unable to, due to time or knowledge, write an after authorization
script, you may wish to try out the do_auth.py example which I wrote. It also
allows you to assign multiple groups to users, and restrict those groups in
just about any imaginable grouping of ip, command, and source IP. It's in the
tarball, type 'python do_auth.py | less'. Examples are on tacacs.org, it's
really quite trivial to use.

Suggestions/questions welcome, job == networker; job != programmer, standard
disclaimer - tacacs is a good way to lock yourself out if you aren't careful,
yada yada.

E-Mail to and from me, in connection with the transaction of public business,
is subject to the Wyoming Public Records Act and may be disclosed to third
parties.

From dudepron at gmail.com Wed Mar 16 01:23:15 2011
From: dudepron at gmail.com (Aaron)
Date: Tue, 15 Mar 2011 21:23:15 -0400
Subject: [tac_plus] tacacs with des compilation issues on solaris 10
In-Reply-To:
References: <20110311213759.GD6279@shrubbery.net>
Message-ID:

Figured it out. had global instead of login in the tac_plus.cfg file:

On Tue, Mar 15, 2011 at 15:15, Aaron wrote:

> Spoke too soon. Had the des part commented out.
>
>
> On Tue, Mar 15, 2011 at 14:55, Aaron wrote:
>
>> Hmm. Not sure why it was broken. just redid it and it seems fine.
>>
>> Aaron
>>
>>
>> On Fri, Mar 11, 2011 at 20:36, Aaron wrote:
>>
>>> Nothing really just thought that was how to do it by reading the tac_plus.h
>>> file.
>>> I'm sure that the des library does support those functions. It is
>>> possible that I'm not linking the des to tac_plus.h file correctly by just
>>> removing the comments around the #define arap_des.
>>>
>>> Aaron
>>>
>>>
>>>
>>> On Fri, Mar 11, 2011 at 16:37, john heasley wrote:
>>>
>>>> Fri, Mar 11, 2011 at 11:33:21AM -0500, Aaron:
>>>> > solaris 10
>>>> > Not sure what setting I am missing.
>>>> > I've set ARAP_DES in as a define and predictably get the following error.
>>>> > default_fn.c:35:22: arap_des.h: No such file or directory
>>>>
>>>> i'm not familiar with the arap stuff, but it requires a DES library with the
>>>> functions
>>>>         des_init(0);
>>>>         des_setkey(secret);
>>>>         des_endes(r_chal);
>>>>         des_done();
>>>> if you have that, you can probably just remove that include.
>>>>
>>>> what hardware are you using that uses arap?
>>>>
>>>> > It has been awhile since I've done (solaris 8) this but I cannot
>>>> > remember how I did it before.
>>>> >
>>>> > tia
>>>> >
>>>> > Aaron
>>>> > -------------- next part --------------
>>>> > An HTML attachment was scrubbed...
>>>> > URL: <
>>>> http://www.shrubbery.net/pipermail/tac_plus/attachments/20110311/745e7227/attachment.html
>>>> >
>>>> > _______________________________________________
>>>> > tac_plus mailing list
>>>> > tac_plus at shrubbery.net
>>>> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>>>>
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
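
Added example (not part of the archived messages, and not code from do_auth.py or the tac_plus distribution): the string matching that Daniel Schmidt's 15 Mar message describes for an after authorization script, using his Homer / 10.1.1.1 / 192.168.1.1 / 'show users' case. It assumes the script is configured as `after authorization "/path/script $user $name $address"`, that the request's AV pairs arrive on stdin, and that exit status 0 permits and 1 denies; the rule table and function names are hypothetical.

```python
import re
import sys

# Constructed rule table (hypothetical layout, not do_auth.py's .ini syntax):
# user -> list of (device regex, source-IP regex, permitted command regex).
RULES = {
    "Homer": [(r"10\.1\.1\.1", r"192\.168\.1\.1", r"show users")],
}

def command_from_av_pairs(lines):
    """Rebuild the command line from the cmd= / cmd-arg= AV pairs."""
    words = []
    for line in lines:
        key, _, value = line.strip().partition("=")
        if key in ("cmd", "cmd-arg") and value and value != "<cr>":
            words.append(value)
    return " ".join(words)

def decide(user, device, source, av_lines, rules=RULES):
    """Return the exit status: 0 permits, 1 denies. Unmatched means deny."""
    command = command_from_av_pairs(av_lines)
    for dev_re, src_re, cmd_re in rules.get(user, []):
        # fullmatch, so 192.168.1.1 does not also admit 192.168.1.10
        if not (re.fullmatch(dev_re, device) and re.fullmatch(src_re, source)):
            continue
        # An empty cmd= is the shell-start request sent at login; denying
        # it would lock the user out before any command is typed.
        if command == "" or re.fullmatch(cmd_re, command):
            return 0
    return 1

if __name__ == "__main__":
    # Assumed invocation: script $user $name $address, AV pairs on stdin.
    if len(sys.argv) != 4:
        sys.exit(1)
    sys.exit(decide(sys.argv[1], sys.argv[2], sys.argv[3], sys.stdin.readlines()))
```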