[tac_plus] Nexus
Daniel Schmidt
daniel.schmidt at wyo.gov
Tue Nov 22 00:04:09 UTC 2011
Ok, I get it. It's an either/or for authorization, not both. Either you
configure:
aaa authorization config-commands default group private
aaa authorization commands default group private
and do authorization on the tacacs server (with or without do_auth) OR you
do:
aaa authorization config-commands default local
aaa authorization commands default local
And do the groups (which happens to be the default and doesn't show up
in the config). Know the difference: groups do absolutely nothing if
you've configured authorization via tacacs.
-----Original Message-----
From: Daniel Schmidt [mailto:daniel.schmidt at wyo.gov]
Sent: Wednesday, November 16, 2011 10:28 AM
To: tac_plus at shrubbery.net
Subject: RE: [tac_plus] Nexus
Ok, I got it working, I also have it set so it can find/replace pairs
based on groups. Slight change to do_auth - you DO have to strip the
first 2 pairs just like ios, but they are not identical. (cmd* vs cmd=)
Will post that change soon. This would solve all Alan's problem, if Alan
could be convinced to try do_auth. ;-)
The only thing I don't understand is why none of the default roles seem to
be restricted. I could conf t & change an int desc with role-0 and
network-operator. Are all the default roles useless or am I missing
something? The only place I could see a role being "not cumbersome and
useless" was if you defined one for a VDC giving a user rights only to a
specific VDC. THAT is the only thing I can't do easier with do_auth and
authorization.
[root at cwacs ~]# tail -n 11 log2.txt
service=shell
cmd=
shell:roles="network-operator"
idletime=3
timeout=15
Nexus pairs found
not len(the_command) > 0
Returning:shell:roles="priv-0"
Returning:idletime=3
Returning:timeout=15
2011-11-16 09:35:31: User 'tester' granted access to <yada yada>
5k# show user- tester
user:tester
roles:priv-0
account created through REMOTE authentication
Credentials such as ssh server key will be cached temporarily only for this user account
Local login not possible
5k# show role name priv-0
Role: priv-0
Description: This is a system defined privilege role.
vsan policy: permit (default)
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
10 permit command traceroute6 *
9 permit command traceroute *
8 permit command telnet6 *
7 permit command telnet *
6 permit command ping6 *
5 permit command ping *
4 permit command ssh6 *
3 permit command ssh *
2 permit command enable *
1 permit read
-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net]
On Behalf Of Alan McKinnon
Sent: Wednesday, November 02, 2011 3:46 PM
To: tac_plus at shrubbery.net
Subject: Re: [tac_plus] Nexus
On Wed, 2 Nov 2011 12:55:21 -0600
Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:
> I have updated the do_auth.py authentication script to handle nexus,
> thus it can provide the same multiple group authentication it
> provides on other Cisco devices. (or at least provide an example)
> I have not been able to pass a role tac_pair successfully - please
> post if you have any progress with this.
tac_plus requires it in this form:
shell:roles="\"level1\""
Yes, you see it right. Two levels of double quotes, inner pair escaped
Many brain cells died in agony to discover that one :-)
>
> I had success with the nexus with the following config: (Note that
> many of the commands you traditionally look for are available)
>
> !Command: show running-config aaa
> !Time: Wed Oct 26 18:28:46 2011
>
> version 5.0(3)N1(1c)
> aaa authentication login default group private
> aaa authorization config-commands default group private
> aaa authorization commands default group private
> aaa accounting default group private
>
> As was discussed previously, the nexus seems to authenticate pap. No
> clue why Cisco did this; putting pap user names in the tac_plus.conf
> fixes login issues. Also, the resulting accounting file is
> different so if you have written cgi scripts to parse your accounting
> log, be prepared to rewrite them.
--
Alan McKinnon
alan.mckinnon at gmail.com
E-Mail to and from me, in connection with the transaction
of public business, is subject to the Wyoming Public Records
Act, and may be disclosed to third parties.
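The two details this thread turns on, the empty cmd= pair that marks a Nexus login session (versus the cmd* pair IOS sends) and the escaped quotes the roles pair needs in tac_plus.conf, as an added Python illustration written for this archive page; it is not do_auth's own code, and the pair lists are constructed from the log excerpt above.

```python
import re

# Constructed sample of the AV pairs tac_plus hands a post-authorization script
# for a Nexus shell login, modelled on the tail of log2.txt quoted in the thread.
NEXUS_LOGIN_PAIRS = [
    'service=shell',
    'cmd=',
    'shell:roles="network-operator"',
    'idletime=3',
    'timeout=15',
]
# Constructed IOS equivalent: the cmd pair uses the optional separator '*'
# and the privilege arrives as priv-lvl rather than shell:roles.
IOS_LOGIN_PAIRS = ['service=shell', 'cmd*', 'priv-lvl=1']


def split_pair(pair):
    """Split an AV pair into (name, separator, value); '=' is mandatory, '*' optional."""
    m = re.match(r'^([^=*]+)([=*])(.*)$', pair)
    if not m:
        raise ValueError(f'malformed AV pair: {pair!r}')
    return m.group(1), m.group(2), m.group(3)


def is_nexus(pairs):
    """A Nexus login is recognisable by the shell:roles pair it sends."""
    return any(split_pair(p)[0] == 'shell:roles' for p in pairs)


def rewrite_login_pairs(pairs, role):
    """Strip the leading service/cmd pairs, then set the role for a login session.

    Returns None when cmd carries a value, i.e. this is command authorization,
    not a login, so the role pair must be left alone (hypothetical policy).
    """
    attrs = [split_pair(p) for p in pairs]
    if len(attrs) < 2 or attrs[0][0] != 'service' or attrs[1][0] != 'cmd':
        raise ValueError('expected service and cmd as the first two pairs')
    if attrs[1][2]:  # non-empty cmd: command authorization, not a shell login
        return None
    out = []
    for name, sep, value in attrs[2:]:
        if name == 'shell:roles':
            value = f'"{role}"'  # the device expects the quotes inside the value
        out.append(f'{name}{sep}{value}')
    return out


def conf_roles_line(role):
    """Render the same pair for tac_plus.conf, where the inner quotes are escaped."""
    return f'shell:roles="\\"{role}\\""'
```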