From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Wed, 2 Nov 2011 12:55:21 -0600
Subject: [tac_plus] Nexus
Message-ID: <5b66ec2b1eca835fc64a211ff2b7fc92@mail.gmail.com>

I have updated the do_auth.py authentication script to handle Nexus, thus it can provide the same multiple group authentication it provides on other Cisco devices. (Or at least provide an example.) I have not been able to pass a role tac_pair successfully - please post if you have any progress with this.

I had success with the Nexus with the following config: (Note that many of the commands you traditionally look for are available.)

    !Command: show running-config aaa
    !Time: Wed Oct 26 18:28:46 2011

    version 5.0(3)N1(1c)
    aaa authentication login default group private
    aaa authorization config-commands default group private
    aaa authorization commands default group private
    aaa accounting default group private

As was discussed previously, the Nexus seems to authenticate PAP. No clue why Cisco did this; putting PAP user names in the tac_plus.conf fixes login issues. Also, the resulting accounting file is different, so if you have written CGI scripts to parse your accounting log, be prepared to rewrite them.

E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act, and may be disclosed to third parties.

From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Wed, 2 Nov 2011 23:46:17 +0200
Subject: [tac_plus] Nexus
In-Reply-To: <5b66ec2b1eca835fc64a211ff2b7fc92@mail.gmail.com>
References: <5b66ec2b1eca835fc64a211ff2b7fc92@mail.gmail.com>
Message-ID: <20111102234617.46e3762c@rohan.example.com>

On Wed, 2 Nov 2011 12:55:21 -0600 Daniel Schmidt wrote:

> I have updated the do_auth.py authentication script to handle Nexus,
> thus it can provide the same multiple group authentication it
> provides on other Cisco devices. (Or at least provide an example.)
> I have not been able to pass a role tac_pair successfully - please
> post if you have any progress with this.

tac_plus requires it in this form:

    shell:roles="\"level1\""

Yes, you see it right. Two levels of double quotes, inner pair escaped. Many brain cells died in agony to discover that one :-)

> I had success with the Nexus with the following config: (Note that
> many of the commands you traditionally look for are available.)
>
>     !Command: show running-config aaa
>     !Time: Wed Oct 26 18:28:46 2011
>
>     version 5.0(3)N1(1c)
>     aaa authentication login default group private
>     aaa authorization config-commands default group private
>     aaa authorization commands default group private
>     aaa accounting default group private
>
> As was discussed previously, the Nexus seems to authenticate PAP. No
> clue why Cisco did this; putting PAP user names in the tac_plus.conf
> fixes login issues. Also, the resulting accounting file is
> different, so if you have written CGI scripts to parse your accounting
> log, be prepared to rewrite them.

-- 
Alan McKinnon
alan.mckinnon at gmail.com

From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Wed, 2 Nov 2011 16:17:15 -0600
Subject: [tac_plus] Nexus
In-Reply-To: <20111102234617.46e3762c@rohan.example.com>
References: <5b66ec2b1eca835fc64a211ff2b7fc92@mail.gmail.com> <20111102234617.46e3762c@rohan.example.com>
Message-ID: <564b2a7b49c974abbe939935f14c3242@mail.gmail.com>

Excellent, thanks! I will research find/replace on these pairs and report back.

_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

From: lukaszs at gmail.com (Łukasz Sztukowski)
Date: Sun, 6 Nov 2011 20:11:12 +0100
Subject: [tac_plus] Feature request
Message-ID:

I would love to see one feature implemented: password change on first login for a chosen user.

Best Regards
-- 
Regards,
Łukasz Sztukowski
Before you print, think about the environment.

From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Mon, 14 Nov 2011 17:01:11 -0700
Subject: [tac_plus] Feature request
In-Reply-To:
References:
Message-ID: <7c6e165ae5e0703e6f500aa87ba06a0b@mail.gmail.com>

I think that was telnet only as I recall, and not implemented in tac_plus. You could give your users local accounts on the Unix box and make them change their password there, or you could throw up the CGI I threw together and make them give you a hash: http://pastie.org/2433995

Neither is as good, but they are solutions.

From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Wed, 16 Nov 2011 10:28:28 -0700
Subject: [tac_plus] Nexus
In-Reply-To: <20111102234617.46e3762c@rohan.example.com>
References: <5b66ec2b1eca835fc64a211ff2b7fc92@mail.gmail.com> <20111102234617.46e3762c@rohan.example.com>
Message-ID: <693b443ba3b1751b92a657673ec5d366@mail.gmail.com>

Ok, I got it working. I also have it set so it can find/replace pairs based on groups. Slight change to do_auth - you DO have to strip the first 2 pairs just like IOS, but they are not identical (cmd* vs cmd=). Will post that change soon. This would solve all of Alan's problems, if Alan could be convinced to try do_auth. ;-)

The only thing I don't understand is why none of the default roles seem to be restricted. I could conf t and change an int desc with role-0 and network-operator. Are all the default roles useless, or am I missing something? The only place I could see a role being "not cumbersome and useless" was if you defined one for a VDC, giving a user rights only to a specific VDC. THAT is the only thing I can't do easier with do_auth and authorization.

    [root at cwacs ~]# tail -n 11 log2.txt
    service=shell
    cmd=
    shell:roles="network-operator"
    idletime=3
    timeout=15
    Nexus pairs found
    not len(the_command) > 0
    Returning:shell:roles="priv-0"
    Returning:idletime=3
    Returning:timeout=15
    2011-11-16 09:35:31: User 'tester' granted access to

    5k# show user- tester
    user:tester
            roles:priv-0
    account created through REMOTE authentication
    Credentials such as ssh server key will be cached temporarily only for this user account
    Local login not possible

    5k# show role name priv-0
    Role: priv-0
      Description: This is a system defined privilege role.
      vsan policy: permit (default)
      Vlan policy: permit (default)
      Interface policy: permit (default)
      Vrf policy: permit (default)
      -------------------------------------------------------------------
      Rule    Perm    Type        Scope               Entity
      -------------------------------------------------------------------
      10      permit  command                         traceroute6 *
      9       permit  command                         traceroute *
      8       permit  command                         telnet6 *
      7       permit  command                         telnet *
      6       permit  command                         ping6 *
      5       permit  command                         ping *
      4       permit  command                         ssh6 *
      3       permit  command                         ssh *
      2       permit  command                         enable *
      1       permit  read

From: nicotine at warningg.com (Brandon Ewing)
Date: Thu, 17 Nov 2011 08:44:57 -0600
Subject: [tac_plus] Examples of RBAC in do_auth.py?
Message-ID: <20111117144457.GA2742@radiological.warningg.com>

Does anyone have any examples of do_auth.py config files that could be adapted for role-based access control?

I want to break it up so I have groups of commands (l2-only, l3-only, routing protocols, etc.), and groups of network devices (core, CPE, PE, etc.), and assign groups of commands on groups of network devices to specific users.

I don't know if do_auth.py is set up to provide something like this, but if anyone has any examples or pointers on how to approach the above, it would be appreciated.

-- 
Brandon Ewing (nicotine at warningg.com)

From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Thu, 17 Nov 2011 09:25:13 -0700
Subject: [tac_plus] Examples of RBAC in do_auth.py?
In-Reply-To: <20111117144457.GA2742@radiological.warningg.com>
References: <20111117144457.GA2742@radiological.warningg.com>
Message-ID:

Um.... the short answer would be probably/do what now? Are you talking about plain vanilla Cisco routers/switches, no Nexus? If this is the case, even if you were using Nexus, I'd say you are trying to over-complicate your problem. Do you not use privilege levels? You only need to do that for RADIUS; it's much easier to manage if you forget they exist. (Managing levels requires touching every device each time you change something - the only way to match a privilege level to commands is locally on the router.)

First, make a set of different rules on paper: operator, admin, super-admin and the commands you want them to do. Then, devices: core, CPE, PE, etc. From those, you will have to make "groups". Then, you pair them together into groups. Use as many or as few as you want, just remember - one group cannot take away what another group grants.

    [admin_group]
    host_allow =
    command_permit =

    [operator_group]
    host_allow =
    host_deny =
    command_permit =

From there, you can assign a user to as many or as few of the groups as he needs. And it can be changed on the fly very easily. (Good luck doing that on the Cisco ACS.)

    [users]
    Homer =
        operator_group
    lisa =
        super_admin
    bart =
        operator_group
        admin
        another_operator_group

NOW -- if you are bound and determined to use privilege levels, you CAN do that as well by replacing the priv-lvl tac_key, but I am loathe to show you how, as it seems rather bass ackward and explaining it would certainly entail bribing me with free beer.

From: mailing-lists at zcorum.com (Brian Raaen)
Date: Thu, 17 Nov 2011 14:56:49 -0500
Subject: [tac_plus] Examples of RBAC in do_auth.py?
In-Reply-To: <20111117144457.GA2742@radiological.warningg.com>
References: <20111117144457.GA2742@radiological.warningg.com>
Message-ID: <20111117195649.GA28144@brian>

This is an example I have:

    [users]
    dhcpadm =
        architect
    admin =
        architect
    architect =
        architect
    nocUser =
        limitedAccessSite
        troubleshooter
    rancid =
        rancid_access

    [architect]
    host_allow =
        .*
    device_permit =
        .*
    command_permit =
        .*

    [troubleshooter]
    # Normal login for troubleshooters
    host_allow =
        .*
    # Blacklist of hosts with special rules
    device_deny =
        #ListOfSpecialDevices
    device_permit =
        .*
    command_permit =
        .*

    [limitedAccessSite]
    host_allow =
        .*
    device_permit =
        #ListOfSpecialDevices
    command_permit =
        show .*
        clear cable modem .*
        clear counters

    [rancid_access]
    host_allow =
        #RancidAddress
    device_permit =
        .*
    command_permit =
        show.*
        dir.*
        more.*
        write t.*

---
Brian Raaen
Zcorum Network Architect

From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Thu, 17 Nov 2011 13:58:54 -0700
Subject: [tac_plus] Examples of RBAC in do_auth.py?
In-Reply-To: <20111117195649.GA28144@brian>
References: <20111117144457.GA2742@radiological.warningg.com> <20111117195649.GA28144@brian>
Message-ID: <183e7b392adb4e1e8467df6d2ced82a6@mail.gmail.com>

Good example. Note that troubleshooter group - it essentially allowed full access to any device not in device_deny. I can't stress it enough: one group cannot take away what another group grants. The nocUser would have full access to any device except those in that device_deny, no matter what was put in limitedAccessSite.

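The union semantics Daniel warns about above (one group cannot take away what another grants), run against Brian's config. The Python below is an added example written for this page, not do_auth.py's own code: it models only the evaluation the thread describes (host_deny/host_allow against the user's source address, device_deny/device_permit against the NAS name, then command_deny/command_permit, first permitting group wins) and assumes re.match-style patterns anchored at the start. The device names and the 10.0.0.5 rancid address are constructed stand-ins for Brian's #ListOfSpecialDevices and #RancidAddress placeholders.

```python
"""do_auth-style group evaluation, modelled for this thread.

Added example, not do_auth.py's own code. A user belongs to one or more
groups; a group applies when the user's source address and the device
name pass its host_*/device_* filters; a command is permitted if ANY
applying group permits it. Hence no group can subtract what another grants.
"""
import configparser
import re

# Constructed sample policy in do_auth.ini style (one value per line),
# adapted from Brian Raaen's example with placeholders filled in.
SAMPLE_INI = r"""
[users]
nocUser =
    limitedAccessSite
    troubleshooter
rancid =
    rancid_access

[troubleshooter]
host_allow =
    .*
device_deny =
    cmts-special-1
device_permit =
    .*
command_permit =
    .*

[limitedAccessSite]
host_allow =
    .*
device_permit =
    cmts-special-1
command_permit =
    show .*
    clear cable modem .*
    clear counters

[rancid_access]
host_allow =
    10\.0\.0\.5$
device_permit =
    .*
command_permit =
    show.*
    dir.*
    more.*
    write t.*
"""


def load_policy(text=SAMPLE_INI):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    return cp


def _values(cp, section, key):
    """One-per-line values of an option, or [] when section/option is absent."""
    if not cp.has_section(section) or not cp.has_option(section, key):
        return []
    return [v.strip() for v in cp.get(section, key).splitlines() if v.strip()]


def _any_match(patterns, text):
    # Assumption: patterns are regexes matched at the start, like re.match.
    return any(re.match(p, text) for p in patterns)


def group_applies(cp, group, src_ip, device):
    """Does this group cover the user's source address and the NAS name?"""
    if _any_match(_values(cp, group, "host_deny"), src_ip):
        return False
    if not _any_match(_values(cp, group, "host_allow"), src_ip):
        return False
    if _any_match(_values(cp, group, "device_deny"), device):
        return False
    return _any_match(_values(cp, group, "device_permit"), device)


def authorize(cp, user, src_ip, device, command):
    """Return (permitted, granting_group). Union semantics: the first group
    that applies AND permits the command wins; a non-matching group is
    simply skipped, it never vetoes."""
    for group in _values(cp, "users", user):
        if not group_applies(cp, group, src_ip, device):
            continue
        if _any_match(_values(cp, group, "command_deny"), command):
            continue
        if _any_match(_values(cp, group, "command_permit"), command):
            return True, group
    return False, None


if __name__ == "__main__":
    policy = load_policy()
    for user, ip, dev, cmd in [
        ("nocUser", "10.0.0.9", "edge-router-7", "configure terminal"),
        ("nocUser", "10.0.0.9", "cmts-special-1", "configure terminal"),
        ("nocUser", "10.0.0.9", "cmts-special-1", "show cable modem"),
        ("rancid", "10.0.0.5", "core-1", "show running-config"),
        ("rancid", "10.0.0.9", "core-1", "show running-config"),
    ]:
        print(user, dev, repr(cmd), "->", authorize(policy, user, ip, dev, cmd))
```

The nocUser lines show the point: "configure terminal" is refused on cmts-special-1 only because troubleshooter's device_deny excludes that box and limitedAccessSite never permits it; on any other device troubleshooter grants everything, whatever limitedAccessSite says.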
From: servet.erkun at gmail.com (Servet Erkun)
Date: Fri, 18 Nov 2011 19:00:03 +0200
Subject: [tac_plus] cmd-arg command authorization logging
Message-ID:

Hello,

I have a problem with authorization commands on tac_plus. I see cmd commands in the tac_plus log file, but I also want to see the cmd-arg command; I tried many ways, but I failed. Could you explain whether tac_plus can log the cmd-arg parameters? The Cisco router says that it sends all command authorization messages, but tac_plus does not log the cmd-arg messages.

Cisco debug output says:

    AAA/AUTHOR (0): user='servet'
    AAA/AUTHOR (0): send AV service=shell
    AAA/AUTHOR (0): send AV cmd=ip
    AAA/AUTHOR (0): send AV cmd-arg=ospf
    AAA/AUTHOR (0): send AV cmd-arg=cost
    AAA/AUTHOR (0): send AV cmd-arg=10000
    AAA/AUTHOR (0): send AV cmd-arg=
    AAA/AUTHOR (226099858): Method=TACACS+
    AAA/AUTHOR/TAC+ (226099858): user=servet
    AAA/AUTHOR/TAC+ (226099858): send AV service=shell
    AAA/AUTHOR/TAC+ (226099858): send AV cmd=ip
    AAA/AUTHOR/TAC+ (226099858): send AV cmd-arg=ospf
    AAA/AUTHOR/TAC+ (226099858): send AV cmd-arg=cost
    AAA/AUTHOR/TAC+ (226099858): send AV cmd-arg=10000
    AAA/AUTHOR/TAC+ (226099858): send AV cmd-arg=end
    AAA/AUTHOR (226099858): Post authorization status = PASS_ADD
    AAA/AUTHOR (0): user='servet'
    AAA/AUTHOR (0): send AV service=shell
    AAA/AUTHOR (0): send AV cmd=end
    AAA/AUTHOR (0): send AV cmd-arg=
    AAA/AUTHOR (475071597): Method=TACACS+
    AAA/AUTHOR/TAC+ (475071597): user=servet
    AAA/AUTHOR/TAC+ (475071597): send AV service=shell
    AAA/AUTHOR/TAC+ (475071597): send AV cmd=end
    AAA/AUTHOR/TAC+ (475071597): send AV cmd-arg=
    AAA/AUTHOR (475071597): Post authorization status = PASS_ADD
    %SYS-5-CONFIG_I: Configured from console by vty0 (212.58.13.41)

The tac_plus log file says:

    Fri Nov 18 19:04:11 2011 [59820]: connect from 1.1.1.1 [1.1.1.1]
    Fri Nov 18 19:04:11 2011 [59820]: Start authorization request
    Fri Nov 18 19:04:11 2011 [59820]: do_author: user='servet'
    Fri Nov 18 19:04:11 2011 [59820]: user 'servet' found
    Fri Nov 18 19:04:11 2011 [59820]: authorize_cmd: user=servet, cmd=configure
    Fri Nov 18 19:04:11 2011 [59820]: cmd configure does not exist, permitted by default
    Fri Nov 18 19:04:11 2011 [59820]: authorization query for 'servet' tty18 from 1.1.1.1 accepted
    Fri Nov 18 19:04:14 2011 [59821]: connect from 1.1.1.1 [1.1.1.1]
    Fri Nov 18 19:04:14 2011 [59821]: Start authorization request
    Fri Nov 18 19:04:14 2011 [59821]: do_author: user='servet'
    Fri Nov 18 19:04:14 2011 [59821]: user 'servet' found
    Fri Nov 18 19:04:14 2011 [59821]: authorize_cmd: user=servet, cmd=interface
    Fri Nov 18 19:04:14 2011 [59821]: cmd interface does not exist, permitted by default
    Fri Nov 18 19:04:14 2011 [59821]: authorization query for 'servet' tty18 from 1.1.1.1 accepted
    Fri Nov 18 19:04:22 2011 [59822]: connect from 1.1.1.1 [1.1.1.1]
    Fri Nov 18 19:04:22 2011 [59822]: Start authorization request
    Fri Nov 18 19:04:22 2011 [59822]: do_author: user='servet'
    Fri Nov 18 19:04:22 2011 [59822]: user 'servet' found
    Fri Nov 18 19:04:22 2011 [59822]: authorize_cmd: user=servet, cmd=ip
    Fri Nov 18 19:04:22 2011 [59822]: cmd ip does not exist, permitted by default
    Fri Nov 18 19:04:22 2011 [59822]: authorization query for 'servet' tty18 from 1.1.1.1 accepted
    Fri Nov 18 19:04:23 2011 [59823]: connect from 1.1.1.1 [1.1.1.1]
    Fri Nov 18 19:04:23 2011 [59823]: Start authorization request
    Fri Nov 18 19:04:23 2011 [59823]: do_author: user='servet'
    Fri Nov 18 19:04:23 2011 [59823]: user 'servet' found
    Fri Nov 18 19:04:23 2011 [59823]: authorize_cmd: user=servet, cmd=end
    Fri Nov 18 19:04:23 2011 [59823]: cmd end does not exist, permitted by default
    Fri Nov 18 19:04:23 2011 [59823]: authorization query for 'servet' tty18 from 1.1.1.1 accepted

From: heas at shrubbery.net (john heasley)
Date: Fri, 18 Nov 2011 22:36:57 +0000
Subject: [tac_plus] cmd-arg command authorization logging
In-Reply-To:
References:
Message-ID: <20111118223657.GC2869@shrubbery.net>

Fri, Nov 18, 2011 at 07:00:03PM +0200, Servet Erkun:
> Hello
>
> I have a problem with authorization commands on tac_plus.
> I see cmd commands in the tac_plus log file but I also want to see the cmd-arg
> command; I tried many ways, but I failed.
> Could you explain whether tac_plus can log the cmd-arg parameters? The Cisco
> router says that it sends all command authorization messages, but tac_plus
> does not log cmd-arg messages.

You can use TACACS command accounting on the device.

From: servet.erkun at gmail.com (Servet Erkun)
Date: Sat, 19 Nov 2011 14:36:19 +0200
Subject: [tac_plus] cmd-arg command authorization logging
In-Reply-To: <20111118223657.GC2869@shrubbery.net>
References: <20111118223657.GC2869@shrubbery.net>
Message-ID:

Hi folks,

I could not understand what you mean exactly. There is no problem with accounting; accounting is working, I can see accounting start-stop messages in the tac_plus accounting log.

I see these logs in the tac_plus log file, which means the Cisco router sends command authorization messages to TACACS and TACACS logs them. But tac_plus does not log all command authorization messages. For example, Cisco sends "AAA/AUTHOR/TAC+ (226099858): send AV cmd=ip" and tac_plus logs "Fri Nov 18 19:04:22 2011 [59822]: authorize_cmd: user=servet, cmd=ip". But Cisco also sends "AAA/AUTHOR/TAC+ (226099858): send AV cmd-arg=ospf", and tac_plus does not log that message. I want to record all command authorization messages, including "cmd-arg", not only "cmd" authorization messages.

Servet

On Sat, Nov 19, 2011 at 00:36, john heasley wrote:
> Fri, Nov 18, 2011 at 07:00:03PM +0200, Servet Erkun:
> > Could you explain whether tac_plus can log the cmd-arg parameters?
>
> You can use TACACS command accounting on the device.

From: heas at shrubbery.net (john heasley)
Date: Sat, 19 Nov 2011 17:30:42 +0000
Subject: [tac_plus] cmd-arg command authorization logging
In-Reply-To:
References: <20111118223657.GC2869@shrubbery.net>
Message-ID: <20111119173042.GA17098@shrubbery.net>

Sat, Nov 19, 2011 at 02:36:19PM +0200, Servet Erkun:
> I could not understand what you mean exactly. There is no problem with
> accounting; accounting is working, I can see accounting start-stop messages
> in the tac_plus accounting log.

    aaa accounting commands 15 start-stop tacacs+

From: peter.mihalik at bonet.sk (Peter Mihalik)
Date: Mon, 21 Nov 2011 15:47:19 +0100
Subject: [tac_plus] NOTICE: --enable-maxsess compilation error
Message-ID:

Hi,

there is a missing "#ifdef" statement in maxsessint.c in your latest version of the TACACS server. I forgot to pass the --enable-maxsess parameter to the configure script, which leads to a compilation error. I think you should, for example, add something like this:

    maxsessint.c:48
    #ifdef MAXSESS

and

    maxsessint.c:108
    #endif

Regards,
-- 
Peter Mihalik
BONET Systems, s.r.o.
phone +421 903 930 568
email peter.mihalik at bonet.sk
http://www.bonet.sk

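Back to Servet's cmd-arg question: what John's command-accounting suggestion gives you, as an added example that is not part of tac_plus. With "aaa accounting commands 15 start-stop tacacs+" on the device, the full command line, arguments included, lands in the accounting log, whereas the authorization log only ever records the first word (cmd=ip). The records below are constructed in the tab-separated layout tac_plus writes (date, NAS, user, port, remote address, record type, then key=value pairs) and are modelled on the session in Servet's debug output; check the field order against your own accounting file before relying on the parser.

```python
"""Recover full command lines from tac_plus command-accounting records.

Added example for the cmd-arg thread; not tac_plus code. The authorization
log keeps only "cmd=ip", but an accounting record carries the whole command
in its cmd= pair, e.g. "cmd=ip ospf cost 10000 <cr>".
"""
import re
from collections import defaultdict

# CONSTRUCTED sample: the session from Servet's debug output as accounting
# records, plus a record from another user on another NAS. Fields are tab
# separated; assumed layout: date, NAS, user, port, remote addr, type, AV pairs.
SAMPLE_ACCT = "\n".join([
    "Fri Nov 18 19:04:11 2011\t1.1.1.1\tservet\ttty18\t212.58.13.41\tstop\t"
    "task_id=101\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>",
    "Fri Nov 18 19:04:14 2011\t1.1.1.1\tservet\ttty18\t212.58.13.41\tstop\t"
    "task_id=102\tservice=shell\tpriv-lvl=15\tcmd=interface GigabitEthernet0/1 <cr>",
    "Fri Nov 18 19:04:22 2011\t1.1.1.1\tservet\ttty18\t212.58.13.41\tstop\t"
    "task_id=103\tservice=shell\tpriv-lvl=15\tcmd=ip ospf cost 10000 <cr>",
    "Fri Nov 18 19:04:23 2011\t1.1.1.1\tservet\ttty18\t212.58.13.41\tstop\t"
    "task_id=104\tservice=shell\tpriv-lvl=15\tcmd=end <cr>",
    "Fri Nov 18 19:10:02 2011\t1.1.1.2\talice\ttty5\t10.9.8.7\tstop\t"
    "task_id=7\tservice=shell\tpriv-lvl=1\tcmd=show running-config <cr>",
])

FIXED_FIELDS = ("timestamp", "nas", "user", "port", "rem_addr", "type")


def parse_record(line):
    """Split one accounting line into fixed fields plus an AV-pair dict.

    The trailing " <cr>" that IOS appends to the command is stripped into
    rec["command"]; pairs without '=' are ignored rather than crashing."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < len(FIXED_FIELDS):
        raise ValueError("short accounting record: %r" % line)
    rec = dict(zip(FIXED_FIELDS, parts))
    rec["av"] = {}
    for pair in parts[len(FIXED_FIELDS):]:
        key, sep, value = pair.partition("=")
        if sep:
            rec["av"][key] = value
    cmd = rec["av"].get("cmd")
    rec["command"] = re.sub(r"\s*<cr>$", "", cmd).strip() if cmd is not None else None
    return rec


def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def commands_by_user(records):
    """user -> [(timestamp, nas, full command)] for shell command stop records."""
    out = defaultdict(list)
    for r in records:
        if r["type"] == "stop" and r["av"].get("service") == "shell" and r["command"]:
            out[r["user"]].append((r["timestamp"], r["nas"], r["command"]))
    return dict(out)


def find_commands(records, pattern):
    """Records whose full command matches a regex, e.g. r'^ip ospf'. This is
    exactly the question the authorization log cannot answer."""
    rx = re.compile(pattern)
    return [r for r in records if r["command"] and rx.search(r["command"])]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_ACCT)
    for user, cmds in commands_by_user(recs).items():
        for ts, nas, cmd in cmds:
            print(ts, nas, user, cmd)
    print([r["user"] for r in find_commands(recs, r"^ip ospf cost")])
```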
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Mon, 21 Nov 2011 17:04:09 -0700
Subject: [tac_plus] Nexus
In-Reply-To: <693b443ba3b1751b92a657673ec5d366@mail.gmail.com>
References: <5b66ec2b1eca835fc64a211ff2b7fc92@mail.gmail.com> <20111102234617.46e3762c@rohan.example.com> <693b443ba3b1751b92a657673ec5d366@mail.gmail.com>
Message-ID:

Ok, I get it. It's an either/or for authorization, not both. Either you configure:

    aaa authorization config-commands default group private
    aaa authorization commands default group private

and do authorization on the TACACS server (with or without do_auth), OR you do:

    aaa authorization config-commands default local
    aaa authorization commands default local

and do the groups (which happens to be the default and doesn't show up in the config). Know the difference - groups do absolutely nothing if you've configured authorization via TACACS.

From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Tue, 22 Nov 2011 14:28:03 -0700
Subject: [tac_plus] More on Nexus/do_auth
Message-ID: <135442ce4cadb27716d0a2d25c5cecbe@mail.gmail.com>

I've modified do_auth to discriminate between the nexus and Cisco (or Brocade which acts a lot like Cisco). A basic configuration would be:

user = tester {
    default service = permit
    login = cleartext "test_me"
    enable = cleartext "test_me"
    pap = cleartext "test_me"
    service = exec {
        priv-lvl = 1
        shell:roles="network-operator"
        idletime = 3
        timeout = 15
    }
    after authorization "/usr/bin/python /root/do_auth_beta.py -i $address -fix_crs_bug -u $user -d $name -l /root/log2.txt -f /root/do_auth.ini"
}

Do_auth will send shell:roles to the nexus, but filter it from the Cisco's/Brocades. (Sending both seems to confuse other Cisco devices.) You can also replace those pairs in do_auth by group, giving network-operator based on device to some and network-admin to others. It works quite well. If anybody is interested in testing it, drop me a line, else I'll get to posting it when I get to posting it.
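The device-aware filtering Daniel describes (send shell:roles to the Nexus, strip it for IOS and Brocade) can be modelled with a small after-authorization script. The block below is an added example written for this thread; it is not do_auth.py and not tac_plus project code. It assumes the after-authorization convention as I read it from the tac_plus.conf(5) man page (av-pairs arrive on stdin one per line, exit 0 keeps them, exit 2 replaces them with what the script prints), takes the device address from "-i $address" as in the tac_plus.conf block above, and uses constructed address ranges in place of do_auth's .ini lookup.

```python
#!/usr/bin/env python3
"""Device-aware av-pair filter, in the spirit of do_auth.py (added example).

Assumed interface (my reading of tac_plus.conf(5) "after authorization"):
tac_plus hands the av-pairs it is about to return on stdin, one per line;
exit status 0 keeps them, 1 denies, 2 replaces them with the script's
stdout.  The device address arrives via "-i $address".
"""
import argparse
import ipaddress
import sys

# Constructed sample: address ranges that hold NX-OS switches.  do_auth.py
# reads this kind of mapping from its .ini file; here it is a constant.
NEXUS_NETS = [ipaddress.ip_network("10.0.5.0/24"),
              ipaddress.ip_network("10.0.6.0/24")]

# Attributes only NX-OS understands; IOS/Brocade get confused when these
# are sent next to priv-lvl, so they are stripped for non-Nexus devices.
NEXUS_ONLY = ("shell:roles",)


def is_nexus(address, nexus_nets=NEXUS_NETS):
    """True when the requesting device's address lies in a Nexus range."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:      # a hostname rather than an address: treat as non-Nexus
        return False
    return any(ip in net for net in nexus_nets)


def parse_pairs(text):
    """Split av-pairs into (attribute, separator, value) triples.

    The separator is the first '=' (mandatory) or '*' (optional) after the
    attribute name, as in the TACACS+ authorization format.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        pos = next((i for i, ch in enumerate(line) if ch in "=*"), None)
        if pos is None:
            pairs.append((line, "", ""))
        else:
            pairs.append((line[:pos], line[pos], line[pos + 1:]))
    return pairs


def filter_pairs(pairs, nexus):
    """Return the pairs to send, as strings, for a Nexus or non-Nexus device."""
    kept = []
    for attr, sep, value in pairs:
        if not nexus and attr in NEXUS_ONLY:
            continue            # drop shell:roles for IOS / Brocade
        kept.append(f"{attr}{sep}{value}")
    return kept


def main(argv=None):
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument("-i", dest="address", required=True)
    # Other do_auth.py flags (-u, -d, -l, -f, -fix_crs_bug) are accepted and ignored here.
    args, _unused = parser.parse_known_args(argv)
    original = parse_pairs(sys.stdin.read())
    kept = filter_pairs(original, is_nexus(args.address))
    if len(kept) == len(original):
        return 0                # nothing removed: let tac_plus send its own pairs
    sys.stdout.write("\n".join(kept) + "\n")
    return 2                    # replace the pairs with the filtered set


if __name__ == "__main__":
    sys.exit(main())
```

Invoked as `after authorization "/usr/bin/python3 /path/filter.py -i $address"`, a request from 10.0.5.20 keeps `shell:roles="network-operator"` while one from 192.0.2.10 gets only priv-lvl, idletime and timeout. Note the quoting point Alan raised earlier in the thread still applies to whatever value ends up in the pair: the script passes the value through unchanged.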
From: pettai at nordu.net (Fredrik Pettai)
Date: Thu, 24 Nov 2011 15:53:02 +0100
Subject: [tac_plus] Problems getting tac_plus work with PAM auth on NetBSD
Message-ID: <1DD0809F-DCCE-4745-9607-40CE82340F23@nordu.net>

Hi,

I don't get the PAM authentication going on NetBSD 5. It always rejects the PAM requests.
Ordinary auth from the tac_plus.conf works fine, and the pam conf works fine with for example ssh...
I don't see any compilation errors for tacacs-shrubbery either. (compiled from pkgsrc-wip)

Host:
NetBSD guineapig 5.1_RC3 NetBSD 5.1_RC3 (GENERIC) #1: Sun Jul 4 01:38:35 CEST 2010 root at guineapig:/usr/obj/sys/arch/amd64/compile/GENERIC amd64

---
tac_plus conf:

user = tug1 {
    login = PAM
    name = "Training account 1"
    member = staff
    expires = "Dec 17 2011"
}

---
Pam conf:

# $NetBSD: system,v 1.8 2008/03/26 11:31:17 lukem Exp $
#
# System-wide defaults
#

# auth
auth        required    pam_nologin.so      no_warn
auth        required    pam_unix.so         no_warn try_first_pass nullok

# account
account     required    pam_login_access.so
account     required    pam_unix.so

# session
session     required    pam_permit.so
#session    required    pam_lastlog.so      no_fail no_nested

# password
password    required    pam_unix.so         no_warn try_first_pass

---
The log, (tac_plus running with -d4088)

Nov 24 09:35:15 guineapig tac_plus[22386]: Reading config
Nov 24 09:35:15 guineapig tac_plus[22386]: Version F4.0.4.19 Initialized 1

Nov 24 09:38:52 guineapig tac_plus[1351]: session.peerip is 193.10.255.73
Nov 24 09:38:52 guineapig tac_plus[7542]: connect from 193.10.255.73 [193.10.255.73]
Nov 24 09:38:52 guineapig tac_plus[7542]: Error 193.10.255.73 unknown-port: PAM_PROMPT_ECHO_OFF
Nov 24 09:38:52 guineapig tac_plus[7542]: login query for 'tug1' unknown-port from 193.10.255.73 rejected
Nov 24 09:38:52 guineapig tac_plus[7542]: login failure: tug1 193.10.255.73 (193.10.255.73) unknown-port

Any ideas what might be wrong?
Does the tac_plus server have insufficient credentials running as a non-root user to perform pam lookups?

Regards,
/P
From: pettai at nordu.net (Fredrik Pettai)
Date: Thu, 24 Nov 2011 16:11:25 +0100
Subject: [tac_plus] Problems getting tac_plus work with PAM auth on NetBSD
In-Reply-To: <1DD0809F-DCCE-4745-9607-40CE82340F23@nordu.net>
References: <1DD0809F-DCCE-4745-9607-40CE82340F23@nordu.net>
Message-ID: <0A75AB48-A150-4F96-B486-549CCB5A70D4@nordu.net>

Hi,

I can't get the PAM authentication going on NetBSD 5 (amd64). It rejects all PAM requests.
Ordinary auth from the tac_plus.conf works fine, and the pam conf works fine with for example ssh...
I don't see any compilation errors for tacacs-shrubbery either. (compiled from pkgsrc-wip)

Host:
NetBSD guineapig 5.1_RC3 NetBSD 5.1_RC3 (GENERIC) #1: Sun Jul 4 01:38:35 CEST 2010 root at guineapig:/usr/obj/sys/arch/amd64/compile/GENERIC amd64

---
tac_plus conf:

user = tug1 {
    login = PAM
    name = "Training account 1"
    member = staff
    expires = "Dec 17 2011"
}

---
Pam conf:

# auth
auth        required    pam_nologin.so      no_warn
auth        required    pam_unix.so         no_warn try_first_pass nullok

# account
#account    required    pam_login_access.so
account     required    pam_unix.so

# session
session     required    pam_permit.so
#session    required    pam_lastlog.so      no_fail no_nested

# password
password    required    pam_unix.so         no_warn try_first_pass

---
The log, (tac_plus running with -d4088)

Nov 24 09:35:15 guineapig tac_plus[22386]: Reading config
Nov 24 09:35:15 guineapig tac_plus[22386]: Version F4.0.4.19 Initialized 1

Nov 24 09:38:52 guineapig tac_plus[1351]: session.peerip is 193.10.255.xx
Nov 24 09:38:52 guineapig tac_plus[7542]: connect from 193.10.255.xx [193.10.255.xx]
Nov 24 09:38:52 guineapig tac_plus[7542]: Error 193.10.255.xx unknown-port: PAM_PROMPT_ECHO_OFF
Nov 24 09:38:52 guineapig tac_plus[7542]: login query for 'tug1' unknown-port from 193.10.255.xx rejected
Nov 24 09:38:52 guineapig tac_plus[7542]: login failure: tug1 193.10.255.xx (193.10.255.xx) unknown-port

Any ideas what might be wrong?
Does the tac_plus server have insufficient credentials running as a non-root user to perform pam lookups?

Regards,
/P

From: heas at shrubbery.net (john heasley)
Date: Thu, 24 Nov 2011 17:14:28 +0000
Subject: [tac_plus] Problems getting tac_plus work with PAM auth on NetBSD
In-Reply-To: <0A75AB48-A150-4F96-B486-549CCB5A70D4@nordu.net>
References: <1DD0809F-DCCE-4745-9607-40CE82340F23@nordu.net> <0A75AB48-A150-4F96-B486-549CCB5A70D4@nordu.net>
Message-ID: <20111124171427.GA17749@shrubbery.net>

Thu, Nov 24, 2011 at 04:11:25PM +0100, Fredrik Pettai:
> Pam conf:

is this file /etc/pam.d/tac_plus?

> The log, (tac_plus running with -d4088)
>
> Nov 24 09:35:15 guineapig tac_plus[22386]: Reading config
> Nov 24 09:35:15 guineapig tac_plus[22386]: Version F4.0.4.19 Initialized 1
>
> Nov 24 09:38:52 guineapig tac_plus[1351]: session.peerip is 193.10.255.xx
> Nov 24 09:38:52 guineapig tac_plus[7542]: connect from 193.10.255.xx [193.10.255.xx]
> Nov 24 09:38:52 guineapig tac_plus[7542]: Error 193.10.255.xx unknown-port: PAM_PROMPT_ECHO_OFF
> Nov 24 09:38:52 guineapig tac_plus[7542]: login query for 'tug1' unknown-port from 193.10.255.xx rejected
> Nov 24 09:38:52 guineapig tac_plus[7542]: login failure: tug1 193.10.255.xx (193.10.255.xx) unknown-port
>
> Any ideas what might be wrong?

try tac_plus' authentication debug option and see the individual pam module's
man pages for options for debugging info.

> Does the tac_plus server have insufficient credentials running as a non-root user to perform pam lookups?

i'm not sure that it does; it would need to be able to read /etc/master.passwd.
From: pettai at nordu.net (Fredrik Pettai)
Date: Thu, 24 Nov 2011 23:39:25 +0100
Subject: [tac_plus] Problems getting tac_plus work with PAM auth on NetBSD
In-Reply-To: <20111124171427.GA17749@shrubbery.net>
References: <1DD0809F-DCCE-4745-9607-40CE82340F23@nordu.net> <0A75AB48-A150-4F96-B486-549CCB5A70D4@nordu.net> <20111124171427.GA17749@shrubbery.net>
Message-ID: <0AD1C315-20DE-41AF-9841-B0DA958CCF3D@nordu.net>

On Nov 24, 2011, at 18:14 , john heasley wrote:
> Thu, Nov 24, 2011 at 04:11:25PM +0100, Fredrik Pettai:
>> Pam conf:
>
> is this file /etc/pam.d/tac_plus?

Yup

>> The log, (tac_plus running with -d4088)
>>
>> Nov 24 09:35:15 guineapig tac_plus[22386]: Reading config
>> Nov 24 09:35:15 guineapig tac_plus[22386]: Version F4.0.4.19 Initialized 1
>>
>> Nov 24 09:38:52 guineapig tac_plus[1351]: session.peerip is 193.10.255.xx
>> Nov 24 09:38:52 guineapig tac_plus[7542]: connect from 193.10.255.xx [193.10.255.xx]
>> Nov 24 09:38:52 guineapig tac_plus[7542]: Error 193.10.255.xx unknown-port: PAM_PROMPT_ECHO_OFF
>> Nov 24 09:38:52 guineapig tac_plus[7542]: login query for 'tug1' unknown-port from 193.10.255.xx rejected
>> Nov 24 09:38:52 guineapig tac_plus[7542]: login failure: tug1 193.10.255.xx (193.10.255.xx) unknown-port
>>
>> Any ideas what might be wrong?
>
> try tac_plus' authentication debug option and see the individual pam module's
> man pages for options for debugging info.

Ok, that gave me a lot of output which I can't parse...

>> Does the tac_plus server have insufficient credentials running as a non-root user to perform pam lookups?
>
> i'm not sure that it does; it would need to be able to read /etc/master.passwd.

I'll try running it as root, to see if that works better...

Re,
/P
From: pettai at nordu.net (Fredrik Pettai)
Date: Fri, 25 Nov 2011 10:42:22 +0100
Subject: [tac_plus] Problems getting tac_plus work with PAM auth on NetBSD
In-Reply-To: <20111124171427.GA17749@shrubbery.net>
References: <1DD0809F-DCCE-4745-9607-40CE82340F23@nordu.net> <0A75AB48-A150-4F96-B486-549CCB5A70D4@nordu.net> <20111124171427.GA17749@shrubbery.net>
Message-ID:

On Nov 24, 2011, at 18:14 , john heasley wrote:
> Thu, Nov 24, 2011 at 04:11:25PM +0100, Fredrik Pettai:
>
>> Does the tac_plus server have insufficient credentials running as a non-root user to perform pam lookups?
>
> i'm not sure that it does; it would need to be able to read /etc/master.passwd.

The problem was the dropped root privileges. After recompiling without this option, it works fine.

Another thing with dropping the root privileges is that the daemon can't reload the configuration after receiving SIGUSR1 if it runs with dropped root privileges and the configuration file ownership isn't correct. You won't notice this while tac_plus is starting, as it has root privileges while reading the configuration file first, and drops those later. Maybe you can add something like this to the tac_plus.8 man page:

--- tac_plus.8.in.orig 2011-11-25 10:18:14.000000000 +0100
+++ tac_plus.8.in 2011-11-25 10:26:28.000000000 +0100
@@ -235,8 +235,9 @@
 If the daemon is receives a SIGHUP or SIGUSR1, it will reinitialize
 itself and re-read its configuration file.
 .sp
-Note: if an error is encountered in the configuration file, the daemon
-will die.
+Note: if an error is encountered in the configuration file or the running
+tac_plus daemon hasn't sufficient rights to read it (if root privileges
+are dropped), the daemon will die.
 .\"
 .SH "LOG MESSAGES"
 .B tac_plus
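Review bot: the added Note states the consequence (the daemon will die) but not the condition an operator can check in advance; since the covering mail explains that the file is read as root at startup and only the SIGHUP/SIGUSR1 re-read fails, the man page should say that the configuration file must remain readable by the unprivileged user the daemon drops to, for example "+Note: if an error is encountered in the configuration file, or the daemon" / "+has dropped root privileges and can no longer read the file, the daemon" / "+will die; keep the file readable by the unprivileged user." In the same lines, "hasn't sufficient rights" reads awkwardly ("does not have sufficient rights"), and the unchanged context line "If the daemon is receives a SIGHUP or SIGUSR1" carries a pre-existing typo ("is receives") that this patch could correct while it touches the paragraph.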
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Fri, 25 Nov 2011 12:28:47 +0200
Subject: [tac_plus] Problems getting tac_plus work with PAM auth on NetBSD
In-Reply-To:
References: <1DD0809F-DCCE-4745-9607-40CE82340F23@nordu.net> <0A75AB48-A150-4F96-B486-549CCB5A70D4@nordu.net> <20111124171427.GA17749@shrubbery.net>
Message-ID: <20111125122847.2023eb73@rohan.example.com>

On Fri, 25 Nov 2011 10:42:22 +0100
Fredrik Pettai wrote:

> On Nov 24, 2011, at 18:14 , john heasley wrote:
> > Thu, Nov 24, 2011 at 04:11:25PM +0100, Fredrik Pettai:
> >
> >> Does the tac_plus server have insufficient credentials running as
> >> a non-root user to perform pam lookups?
> >
> > i'm not sure that it does; it would need to be able to
> > read /etc/master.passwd.
>
> The problem was the dropped root privileges. After recompiling
> without this option, it works fine.
>
> Another thing with dropping the root privileges is that the daemon
> can't reload the configuration after receiving SIGUSR1 if it runs
> with dropped root privileges and the configuration file ownership
> isn't correct. You won't notice this while tac_plus is starting, as
> it has root privileges while reading the configuration file first,
> and drops those later.

A similar issue crops up with the daemon's log file. If logrotate
creates a new file and doesn't chown/chmod it correctly, the daemon
silently stops working. Also, if the log file doesn't exist, tac_plus
creates it as root then drops privileges, effectively preventing itself
from working.

> Maybe you can add something like this to the
> tac_plus.8 man page:
>
> --- tac_plus.8.in.orig 2011-11-25 10:18:14.000000000 +0100
> +++ tac_plus.8.in 2011-11-25 10:26:28.000000000 +0100
> @@ -235,8 +235,9 @@
> If the daemon is receives a SIGHUP or SIGUSR1, it will reinitialize
> itself and re-read its configuration file.
> .sp
> -Note: if an error is encountered in the configuration file, the
> daemon -will die.
> +Note: if an error is encountered in the configuration file or the
> running +tac_plus daemon hasn't sufficient rights to read it (if root
> privileges +are dropped), the daemon will die.
> .\"
> .SH "LOG MESSAGES"
> .B tac_plus

--
Alan McKinnnon
alan.mckinnon at gmail.com
From: pettai at nordu.net (Fredrik Pettai)
Date: Fri, 25 Nov 2011 13:39:40 +0100
Subject: [tac_plus] Problems getting tac_plus work with PAM auth on NetBSD
In-Reply-To: <20111125122847.2023eb73@rohan.example.com>
References: <1DD0809F-DCCE-4745-9607-40CE82340F23@nordu.net> <0A75AB48-A150-4F96-B486-549CCB5A70D4@nordu.net> <20111124171427.GA17749@shrubbery.net> <20111125122847.2023eb73@rohan.example.com>
Message-ID:

On Nov 25, 2011, at 11:28 , Alan McKinnon wrote:
> On Fri, 25 Nov 2011 10:42:22 +0100
> Fredrik Pettai wrote:
>> On Nov 24, 2011, at 18:14 , john heasley wrote:
>>> Thu, Nov 24, 2011 at 04:11:25PM +0100, Fredrik Pettai:
>>>
>>>> Does the tac_plus server have insufficient credentials running as
>>>> a non-root user to perform pam lookups?
>>>
>>> i'm not sure that it does; it would need to be able to
>>> read /etc/master.passwd.
>>
>> The problem was the dropped root privileges. After recompiling
>> without this option, it works fine.
>>
>> Another thing with dropping the root privileges is that the daemon
>> can't reload the configuration after receiving SIGUSR1 if it runs
>> with dropped root privileges and the configuration file ownership
>> isn't correct. You won't notice this while tac_plus is starting, as
>> it has root privileges while reading the configuration file first,
>> and drops those later.
>
> A similar issue crops up with the daemon's log file. If logrotate
> creates a new file and doesn't chown/chmod it correctly, the daemon
> silently stops working. Also, if the log file doesn't exist, tac_plus
> creates it as root then drops privileges, effectively preventing itself
> from working.

Ok, we never tripped on that one since we use syslog for logging.

Re,
/P
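The two privilege-drop failures discussed above (the SIGUSR1 re-read of tac_plus.conf that works at startup but fails later, and a log file that the daemon or logrotate left owned by root) are both permission checks that can be run before restarting or signalling the daemon. The block below is an added example, not tac_plus code. It evaluates the file mode bits the way access(2) would for a given uid/gid set, so root can run it on behalf of the unprivileged user; the uid/gid constants and the temporary-directory scenario in demo() are constructed, and a log path of None stands for Fredrik's syslog setup where there is no file to check.

```python
#!/usr/bin/env python3
"""Pre-flight check for a tac_plus build that drops root privileges (added example).

Checks, before a restart or SIGHUP/SIGUSR1, the two things the thread shows
breaking after the privilege drop: re-reading tac_plus.conf, and writing a
log file created with the wrong owner.  Permission is computed from the
mode bits as access(2) does, for an arbitrary uid/gid set.
"""
import os
import stat
import tempfile

UNPRIV_UID = 60123   # assumed uid the local build drops to
UNPRIV_GID = 60123   # assumed primary gid of that user


def can_access(path, uid, gids, want_write=False):
    """Would a process with this uid and these gids be able to open path?

    Owner bits apply if uid owns the file, group bits if the file's gid is
    among gids, otherwise the 'other' bits.  uid 0 (root) always passes.
    Search permission on the parent directories is not checked.
    """
    if uid == 0:
        return True
    st = os.stat(path)
    if st.st_uid == uid:
        bit = stat.S_IWUSR if want_write else stat.S_IRUSR
    elif st.st_gid in gids:
        bit = stat.S_IWGRP if want_write else stat.S_IRGRP
    else:
        bit = stat.S_IWOTH if want_write else stat.S_IROTH
    return bool(st.st_mode & bit)


def preflight(conf_path, log_path, uid, gids):
    """Return a list of problems; an empty list means reload/restart is safe.

    log_path=None means the daemon logs via syslog, so no file is checked.
    """
    problems = []
    if not os.path.exists(conf_path):
        problems.append(f"{conf_path}: does not exist")
    elif not can_access(conf_path, uid, gids):
        problems.append(f"{conf_path}: not readable by uid {uid}; startup works "
                        "(read as root) but a SIGHUP/SIGUSR1 reload will kill the daemon")
    if log_path is None:
        return problems
    if not os.path.exists(log_path):
        problems.append(f"{log_path}: does not exist; the daemon would create it as "
                        "root and then be unable to write it once privileges are dropped")
    elif not can_access(log_path, uid, gids, want_write=True):
        problems.append(f"{log_path}: not writable by uid {uid}; logging stops "
                        "silently after rotation")
    return problems


def demo(conf_mode=0o600, log_mode=None):
    """Constructed scenario in a temp dir: a config owned by whoever runs this,
    with the given mode, and a log file with log_mode (None = not created)."""
    work = tempfile.mkdtemp(prefix="tacplus-preflight-")
    conf = os.path.join(work, "tac_plus.conf")
    with open(conf, "w") as fh:
        fh.write('user = tug1 {\n    login = PAM\n    member = staff\n}\n')
    os.chmod(conf, conf_mode)
    log = os.path.join(work, "tac_plus.log")
    if log_mode is not None:
        open(log, "w").close()
        os.chmod(log, log_mode)
    return preflight(conf, log, UNPRIV_UID, [UNPRIV_GID])


if __name__ == "__main__":
    for problem in demo():                      # config 0600, no log: two findings
        print("PROBLEM:", problem)
    print("after fix:", demo(conf_mode=0o644, log_mode=0o622) or "clean")
```

The demo can only change mode bits, so its "fixed" case makes the log file writable by others; on a real host the right fix is to chown the config and log to the user the daemon drops to (and have logrotate's create directive do the same), not to open the bits. Run the check from the same script or cron job that sends SIGUSR1 and refuse to signal when it returns problems.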
From: rz.bangka at yahoo.com (Ricki Z)
Date: Sun, 27 Nov 2011 20:58:15 -0800 (PST)
Subject: [tac_plus] tac_plus login and enable password issue
In-Reply-To: <1322110257.16367.YahooMailNeo@web111502.mail.gq1.yahoo.com>
References: <1321612519.74908.YahooMailNeo@web111513.mail.gq1.yahoo.com> <1322013998.4733.YahooMailNeo@web111510.mail.gq1.yahoo.com> <1322014057.54309.YahooMailNeo@web111511.mail.gq1.yahoo.com> <20111123195456.GJ13553@shrubbery.net> <1322110257.16367.YahooMailNeo@web111502.mail.gq1.yahoo.com>
Message-ID: <1322456295.35789.YahooMailNeo@web111510.mail.gq1.yahoo.com>

Hi All,

I have an issue when I use an enable password per user (not in the global config with user $enab15$ etc.) and every user uses a different password for Cisco enable on the tac_plus server. Referring to the config that I sent before, I can use AAA for Cisco devices with tac_plus, but if I log in as user1, I can use password "user1" or "enauser1", and after login succeeds I can enter privileged mode using password "user1" or "enauser1"; the same goes for user2. In the normal condition I should only be able to log in as user1 with password "user1" (failing with password "enauser1"), and only be able to enter privileged mode using password "enauser1" (failing with "user1").

user = user1 {
    default service = permit
    login = cleartext user1
    enable = cleartext enauser1
}
user = user2 {
    default service = permit
    login = cleartext user2
    enable = cleartext enauser2
}

And if I configure the enable password per user with every user using the same enable password (like the config below), everything works as it is supposed to: if I log in as user1 I can only use password "user1" (can't use password "enapwd"), and I can only enter privileged mode using password "enauser" (can't use password "user1").

user = user1 {
    default service = permit
    login = cleartext user1
    enable = cleartext enauser
}
user = user2 {
    default service = permit
    login = cleartext user2
    enable = cleartext enauser
}

Need your advice to solve this issue.

Tx,
Ricki