From heas at shrubbery.net Thu Sep 1 05:26:47 2011
From: heas at shrubbery.net (Heasley)
Date: Wed, 31 Aug 2011 22:26:47 -0700
Subject: [tac_plus] WLC
In-Reply-To: <30b99ad676dd5c772f05e38c2921571a@mail.gmail.com>
References: <00c5395907962a5a3c7721215dacbf0f@mail.gmail.com>
	<20110831155725.GJ16427@shrubbery.net>
	<20110831200627.GU16427@shrubbery.net>
	<30b99ad676dd5c772f05e38c2921571a@mail.gmail.com>
Message-ID:

On Aug 31, 2011, at 13:56, Daniel Schmidt wrote:

> It doesn't make sense. Works fine without authentication script, how come
> when you HAVE an authentication script passing the same pairs back, it
> doesn't work? The logs say it sends the same info each way, but one
> doesn't work

Don't know. Share a pcap trace of each

> -----Original Message-----
> From: john heasley [mailto:heas at shrubbery.net]
> Sent: Wednesday, August 31, 2011 2:06 PM
> To: Daniel Schmidt
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] WLC
>
> is role1=monitor perhaps insufficient? all the examples i see online are
> like here:
> http://blog.photic.net/index.php/category/cisco/
>
> or perhaps just for whatever version your wlc is running

From heas at shrubbery.net Thu Sep 1 05:27:31 2011
From: heas at shrubbery.net (Heasley)
Date: Wed, 31 Aug 2011 22:27:31 -0700
Subject: [tac_plus] WLC
In-Reply-To: <30b99ad676dd5c772f05e38c2921571a@mail.gmail.com>
References: <00c5395907962a5a3c7721215dacbf0f@mail.gmail.com>
	<20110831155725.GJ16427@shrubbery.net>
	<20110831200627.GU16427@shrubbery.net>
	<30b99ad676dd5c772f05e38c2921571a@mail.gmail.com>
Message-ID: <7C6DB813-3CD5-4BB3-8C53-0412D5AE6C56@shrubbery.net>

On Aug 31, 2011, at 13:56, Daniel Schmidt wrote:

> It doesn't make sense. Works fine without authentication script, how come
> when you HAVE an authentication script passing the same pairs back, it
> doesn't work? The logs say it sends the same info each way, but one
> doesn't work.

Perhaps it alters the order

> -----Original Message-----
> From: john heasley [mailto:heas at shrubbery.net]
> Sent: Wednesday, August 31, 2011 2:06 PM
> To: Daniel Schmidt
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] WLC
>
> is role1=monitor perhaps insufficient? all the examples i see online are
> like here:
> http://blog.photic.net/index.php/category/cisco/
>
> or perhaps just for whatever version your wlc is running

From Andrew.KENDALL at everythingeverywhere.com Thu Sep 1 07:12:41 2011
From: Andrew.KENDALL at everythingeverywhere.com (Kendall, Andrew)
Date: Thu, 1 Sep 2011 08:12:41 +0100
Subject: [tac_plus] WLC
In-Reply-To: <00c5395907962a5a3c7721215dacbf0f@mail.gmail.com>
References: <00c5395907962a5a3c7721215dacbf0f@mail.gmail.com>
Message-ID:

Gents,

Not sure if this is what you are after:

group = IPTECH-ADMIN {
    # IP Technologies Network Support Team
    default service = permit
    service = Wireless-WCS {
        role0 = Admin
        task0 = "Configure Guest Users"
        task0 = "Users and Groups"
        task1 = "Audit Trails"
        task2 = "TACACS+ Servers"
        task3 = "RADIUS Servers"
        task4 = "Logging"
        task5 = "License Center"
        (and further for all 63 entries!)
    }
}

Regards,
Andy.

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Daniel Schmidt
Sent: 31 August 2011 16:54
To: tac_plus at shrubbery.net
Subject: [tac_plus] WLC

Has anybody successfully returned the av-pairs for a wireless controller? I get the following returned:

service=ciscowlc
protocol=common
role1=ALL

Echoing these back with an exit code of 2 does not work though. I can see the service possibly needing to be stripped, but no combination of the last one, two or all will work. Any help appreciated!

_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

NOTICE AND DISCLAIMER
This e-mail (including any attachments) is intended for the above-named person(s). If you are not the intended recipient, notify the sender immediately, delete this email from your system and do not disclose or use for any purpose. We may monitor all incoming and outgoing emails in line with current legislation. We have taken steps to ensure that this email and attachments are free from any virus, but it remains your responsibility to ensure that viruses do not adversely affect you.
Everything Everywhere Limited
Registered in England and Wales
Company Registered Number: 02382161
Registered Office Address: Hatfield Business Park, Hatfield, Hertfordshire, AL10 9BW

From dagmid_d at yahoo.com Thu Sep 1 07:45:40 2011
From: dagmid_d at yahoo.com (Dagia Dorjsuren)
Date: Thu, 1 Sep 2011 00:45:40 -0700 (PDT)
Subject: [tac_plus] about tacacs
Message-ID: <1314863140.62178.YahooMailNeo@web33903.mail.mud.yahoo.com>

Hello,

I have a question.

How do I save the clients' command logs?

I run my tacacs as follows.

tac_plus -C /etc/tacacs+/tac_plus.conf -d16 -l /var/log/tacacs.log

And my tac_plus.conf file is below.

==============================
key = secret

accounting file = /var/log/tac_plus.acct

user = dagia {
        login = des "hWrVIWe2VaUAM"
        member = admin
}

group = admin {
        default service = permit
        service = exec {
        priv-lvl = 15
}}
==============================

I would like to save and collect that user "dagia"'s commands. Could you advise me please?

Thanks,
Dagia

From alan.mckinnon at gmail.com Thu Sep 1 22:24:06 2011
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Fri, 2 Sep 2011 00:24:06 +0200
Subject: [tac_plus] about tacacs
In-Reply-To: <1314863140.62178.YahooMailNeo@web33903.mail.mud.yahoo.com>
References: <1314863140.62178.YahooMailNeo@web33903.mail.mud.yahoo.com>
Message-ID: <20110902002406.45085586@rohan>

On Thu, 1 Sep 2011 00:45:40 -0700 (PDT)
Dagia Dorjsuren wrote:

> Hello,
>
> I have a question.
>
> How do I save the clients' command logs?
>
> I run my tacacs as follows.
>
> tac_plus -C /etc/tacacs+/tac_plus.conf -d16 -l /var/log/tacacs.log
>
> And my tac_plus.conf file is below.
>
> ==============================
> key = secret
>
> accounting file = /var/log/tac_plus.acct
>
> user = dagia {
>         login = des "hWrVIWe2VaUAM"
>         member = admin
> }
>
> group = admin {
>         default service = permit
>         service = exec {
>         priv-lvl = 15
> }}
> ==============================
>
> I would like to save and collect that user "dagia"'s commands. Could you advise me please?

Enable tacacs accounting on the device, the commands appear in /var/log/tac_plus.acct per your config.

It logs every command run by every user, but you can grep the user's name to find what you want.

> Thanks,
> Dagia

--
Alan McKinnon
Systems Engineer^W Technician
Internet Solutions
011 575 7585
alan.mckinnon at is.co.za

From dagmid_d at yahoo.com Fri Sep 2 10:22:09 2011
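Alan's answer points at /var/log/tac_plus.acct and grep. The script below is an added example (not tac_plus code) that parses the accounting records by field instead, so a username that merely appears inside someone else's command (as in the constructed sample) is not mistaken for that user's own activity. It assumes the tab-separated record layout tac_plus writes (timestamp, NAS address, user, port, remote address, a start/stop/update flag, then the av-pairs the device sent); the sample records are constructed.

```python
"""List the commands one user ran, from tac_plus accounting records.

Added example, not code from tac_plus. Assumed record layout (one per line,
tab-separated): timestamp, NAS, user, port, remote address, flag, av-pairs.
Command accounting records carry a cmd=... pair; session start/stop do not.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# Constructed sample records in the assumed tac_plus.acct layout.
SAMPLE_ACCT = [
    "Thu Sep  1 09:12:33 2011\t10.0.0.2\tdagia\ttty1\t192.0.2.10\tstart\t"
    "task_id=1\ttimezone=UTC\tservice=shell",
    "Thu Sep  1 09:12:40 2011\t10.0.0.2\tdagia\ttty1\t192.0.2.10\tstop\t"
    "task_id=2\ttimezone=UTC\tservice=shell\tpriv-lvl=15\tcmd=show running-config <cr>",
    "Thu Sep  1 09:13:02 2011\t10.0.0.2\tdagia\ttty1\t192.0.2.10\tstop\t"
    "task_id=3\ttimezone=UTC\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>",
    # Another operator names the user inside a command: a plain substring
    # grep for "dagia" matches this record too, field matching does not.
    "Thu Sep  1 09:15:11 2011\t10.0.0.3\toperator\ttty2\t192.0.2.11\tstop\t"
    "task_id=4\ttimezone=UTC\tservice=shell\tpriv-lvl=15\tcmd=username dagia privilege 15 <cr>",
    "Thu Sep  1 09:16:00 2011\t10.0.0.2\tdagia\ttty1\t192.0.2.10\tstop\t"
    "task_id=5\ttimezone=UTC\tservice=shell\telapsed_time=207",
]


@dataclass
class AcctRecord:
    timestamp: str
    nas: str
    user: str
    port: str
    rem_addr: str
    flag: str                      # start, stop or update
    avpairs: Dict[str, str] = field(default_factory=dict)


def parse_avpair(token: str) -> Tuple[str, str]:
    """Split attr=value (mandatory) or attr*value (optional) on the first separator."""
    for i, ch in enumerate(token):
        if ch in "=*":
            return token[:i], token[i + 1:]
    return token, ""


def parse_record(line: str) -> AcctRecord:
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6:
        raise ValueError(f"malformed accounting record: {line!r}")
    rec = AcctRecord(*fields[:6])
    for token in fields[6:]:
        if token:
            attr, value = parse_avpair(token)
            rec.avpairs[attr] = value
    return rec


def records_for_user(lines: Iterable[str], user: str) -> List[AcctRecord]:
    """Records whose user field equals `user` exactly; malformed lines are skipped."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        try:
            rec = parse_record(line)
        except ValueError:
            continue
        if rec.user == user:
            out.append(rec)
    return out


def commands_for_user(lines: Iterable[str], user: str) -> List[Tuple[str, str, str]]:
    """(timestamp, NAS, command) for every command record of `user`, in file order."""
    return [(r.timestamp, r.nas, r.avpairs["cmd"])
            for r in records_for_user(lines, user) if "cmd" in r.avpairs]


def grep_count(lines: Iterable[str], needle: str) -> int:
    """What a plain `grep needle tac_plus.acct` would count: any substring hit."""
    return sum(1 for line in lines if needle in line)


if __name__ == "__main__":
    for ts, nas, cmd in commands_for_user(SAMPLE_ACCT, "dagia"):
        print(f"{ts}  {nas}  {cmd}")
```

Run it against the real file with `commands_for_user(open("/var/log/tac_plus.acct"), "dagia")`.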
From: dagmid_d at yahoo.com (Dagia Dorjsuren)
Date: Fri, 2 Sep 2011 03:22:09 -0700 (PDT)
Subject: [tac_plus] about tacacs
In-Reply-To: <20110902002406.45085586@rohan>
References: <1314863140.62178.YahooMailNeo@web33903.mail.mud.yahoo.com>
	<20110902002406.45085586@rohan>
Message-ID: <1314958929.81486.YahooMailNeo@web33904.mail.mud.yahoo.com>

Hi,

My device is a Linksys SRW208 managed switch. So, how do I enable that tacacs accounting on the Linksys SRW208?

________________________________
From: Alan McKinnon
To: "tac_plus at shrubbery.net"
Sent: Friday, September 2, 2011 6:24 AM
Subject: Re: [tac_plus] about tacacs

On Thu, 1 Sep 2011 00:45:40 -0700 (PDT)
Dagia Dorjsuren wrote:

> Hello,
>
> I have a question.
>
> How do I save the clients' command logs?
>
> I run my tacacs as follows.
>
> tac_plus -C /etc/tacacs+/tac_plus.conf -d16 -l /var/log/tacacs.log
>
> And my tac_plus.conf file is below.
>
> ==============================
> key = secret
>
> accounting file = /var/log/tac_plus.acct
>
> user = dagia {
>         login = des "hWrVIWe2VaUAM"
>         member = admin
> }
>
> group = admin {
>         default service = permit
>         service = exec {
>         priv-lvl = 15
> }}
> ==============================
>
> I would like to save and collect that user "dagia"'s commands. Could you advise me please?

Enable tacacs accounting on the device, the commands appear in /var/log/tac_plus.acct per your config.

It logs every command run by every user, but you can grep the user's name to find what you want.

> Thanks,
> Dagia

--
Alan McKinnon
Systems Engineer^W Technician
Internet Solutions
011 575 7585
alan.mckinnon at is.co.za

From alan.mckinnon at gmail.com Fri Sep 2 10:43:13 2011
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Fri, 2 Sep 2011 12:43:13 +0200
Subject: [tac_plus] about tacacs
In-Reply-To: <1314958929.81486.YahooMailNeo@web33904.mail.mud.yahoo.com>
References: <1314863140.62178.YahooMailNeo@web33903.mail.mud.yahoo.com>
	<20110902002406.45085586@rohan>
	<1314958929.81486.YahooMailNeo@web33904.mail.mud.yahoo.com>
Message-ID: <20110902124313.79ceab41@rohan>

On Fri, 2 Sep 2011 03:22:09 -0700 (PDT)
Dagia Dorjsuren wrote:

> Hi,
>
> My device is a Linksys SRW208 managed switch. So, how do I enable
> that tacacs accounting on the Linksys SRW208?

I have no idea, that's not a tac_plus function. What does the device's documentation say?

The other option is to enable daemon logging with tac_plus -d

The logs get very verbose when you do this though, they are nowhere near as useful as proper accounting logs because daemon logs are designed to record what tac_plus is doing, not what the user is doing.

>
> ________________________________
> From: Alan McKinnon
> To: "tac_plus at shrubbery.net"
> Sent: Friday, September 2, 2011 6:24 AM
> Subject: Re: [tac_plus] about tacacs
>
> On Thu, 1 Sep 2011 00:45:40 -0700 (PDT)
> Dagia Dorjsuren wrote:
>
> > Hello,
> >
> > I have a question.
> >
> > How do I save the clients' command logs?
> >
> > I run my tacacs as follows.
> >
> > tac_plus -C /etc/tacacs+/tac_plus.conf -d16 -l /var/log/tacacs.log
> >
> > And my tac_plus.conf file is below.
> >
> > ==============================
> > key = secret
> >
> > accounting file = /var/log/tac_plus.acct
> >
> > user = dagia {
> >         login = des "hWrVIWe2VaUAM"
> >         member = admin
> > }
> >
> > group = admin {
> >         default service = permit
> >         service = exec {
> >         priv-lvl = 15
> > }}
> > ==============================
> >
> > I would like to save and collect that user "dagia"'s commands. Could you advise me please?
>
> Enable tacacs accounting on the device, the commands appear
> in /var/log/tac_plus.acct per your config.
>
> It logs every command run by every user, but you can grep the user's
> name to find what you want.
>
> > Thanks,
> > Dagia

--
Alan McKinnon
alan.mckinnon at gmail.com

From Andrew.KENDALL at everythingeverywhere.com Thu Sep 29 10:20:18 2011
From: Andrew.KENDALL at everythingeverywhere.com (Kendall, Andrew)
Date: Thu, 29 Sep 2011 11:20:18 +0100
Subject: [tac_plus] Re: support for user defined Login prompt
Message-ID:

Could someone please tell me the syntax for setting the NAS Username Prompt from the TACACS+ server?

Thanks in anticipation,
Andy.

Andrew Kendall
Senior IP Network Support Engineer
everything everywhere
PP77 St. James Court A
Great Park Road
Bradley Stoke
Bristol
South Gloucestershire
BS32 4QJ
Tel 07817 143916
Softphone 0870 376 8706
Juniper and Cisco please note: My normal working hours are 0800hrs to 1630hrs GMT/BST
"Clearing faults from networks since 1980"

From heas at shrubbery.net Thu Sep 29 15:41:29 2011
From: heas at shrubbery.net (john heasley)
Date: Thu, 29 Sep 2011 15:41:29 +0000
Subject: [tac_plus] support for user defined Login prompt
In-Reply-To:
References:
Message-ID: <20110929154128.GM14403@shrubbery.net>

Thu, Sep 29, 2011 at 11:20:18AM +0100, Kendall, Andrew:
> Could someone please tell me the syntax for setting the NAS Username Prompt from the TACACS+ server?

search for prompt in tac_plus.conf(5).

From Michael.Walters at sungard.com Thu Sep 29 22:15:14 2011
From: Michael.Walters at sungard.com (Michael.Walters at sungard.com)
Date: Thu, 29 Sep 2011 22:15:14 +0000
Subject: [tac_plus] Problems compiling tac_plus F5.0.0a1
Message-ID: <45CFBA3647F55E4F8C50F154C06D1E310BCF03CE@us-voo-mb03.internal.sungard.corp>

Hello,

I think this problem has been reported before, but I'm wondering if there's a resolution?

OS: CentOS 6.0

Make Error:

/maxsessint.Tpo -c -o maxsessint.o maxsessint.c
maxsessint.c: In function 'maxsess_check_count':
maxsessint.c:60: error: 'S_maxsess' undeclared (first use in this function)
maxsessint.c:60: error: (Each undeclared identifier is reported only once
maxsessint.c:60: error: for each function it appears in.)
gmake[1]: *** [maxsessint.o] Error 1
gmake[1]: Leaving directory `/root/tacacs+-F5.0.0a1'
make: *** [all] Error 2

Thanks,
Michael

From heas at shrubbery.net Thu Sep 29 23:25:48 2011
From: heas at shrubbery.net (john heasley)
Date: Thu, 29 Sep 2011 23:25:48 +0000
Subject: [tac_plus] Problems compiling tac_plus F5.0.0a1
In-Reply-To: <20110929232519.AE60824B638@guelah.shrubbery.net>
	<45CFBA3647F55E4F8C50F154C06D1E310BCF03CE@us-voo-mb03.internal.sungard.corp>
Message-ID: <20110929232548.GB14403@shrubbery.net>

Thu, Sep 29, 2011 at 10:15:14PM +0000, Michael.Walters at sungard.com:
> Hello,
>
> I think this problem has been reported before, but I'm wondering if there's a resolution?
>

Index: maxsessint.c =================================================================== --- maxsessint.c (revision 3424) +++ maxsessint.c (revision 3426) @@ -48,6 +48,7 @@ /* * See if this user can have more sessions. */ +#ifdef MAXSESS int maxsess_check_count(char *user, struct author_data *data) { @@ -107,3 +108,4 @@ } return(0); } +#endif

From Michael.Walters at sungard.com Fri Sep 30 00:27:23 2011
From: Michael.Walters at sungard.com (Michael.Walters at sungard.com)
Date: Fri, 30 Sep 2011 00:27:23 +0000
Subject: [tac_plus] Problems compiling tac_plus F5.0.0a1
In-Reply-To: <20110929232548.GB14403@shrubbery.net>
References: <20110929232519.AE60824B638@guelah.shrubbery.net>
	<45CFBA3647F55E4F8C50F154C06D1E310BCF03CE@us-voo-mb03.internal.sungard.corp>
	<20110929232548.GB14403@shrubbery.net>
Message-ID: <45CFBA3647F55E4F8C50F154C06D1E310BCF04DA@us-voo-mb03.internal.sungard.corp>

Got it to compile. Thanks.

NOTES:
* the "#endif" must go after the second "return(0);" in maxsessint.c (not the first, which is implied in the email)
* I also had to check for the MAXSESS declaration in the parse.c file:

#ifdef MAXSESS
declare("maxsess", S_maxsess);
#endif

-michael

-----Original Message-----
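Review bot: the first hunk (`@@ -48,6 +48,7 @@`) wraps only the definition of maxsess_check_count in maxsessint.c in `#ifdef MAXSESS`, but S_maxsess is also referenced outside this file; the follow-up in this thread reports having to guard `declare("maxsess", S_maxsess);` in parse.c the same way before the build went through. The patch should carry that second guard as well, and any other reference to maxsess_check_count or S_maxsess compiled without MAXSESS needs checking, otherwise the error only moves from compile time to link time.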
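Review bot: the second hunk (`@@ -107,3 +108,4 @@`) places `#endif` after context that is just `}`, `return(0);` and `}`, which is not enough to identify the spot when the diff is applied by hand, and with the indentation lost in the mail it is ambiguous; the follow-up in this thread confirms it has to go after the second `return(0);`, not the first. Regenerate the diff with more context lines, or write `#endif /* MAXSESS */` so the scope of the guard is visible, and recommend applying it with patch(1) so the hunk's line numbers are used.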
From: john heasley [mailto:heas at shrubbery.net]
Sent: Thursday, September 29, 2011 7:26 PM
To: Walters, Michael; heas at shrubbery.net
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] Problems compiling tac_plus F5.0.0a1

Thu, Sep 29, 2011 at 10:15:14PM +0000, Michael.Walters at sungard.com:
> Hello,
>
> I think this problem has been reported before, but I'm wondering if there's a resolution?
>

Index: maxsessint.c =================================================================== --- maxsessint.c (revision 3424) +++ maxsessint.c (revision 3426) @@ -48,6 +48,7 @@ /* * See if this user can have more sessions. */ +#ifdef MAXSESS int maxsess_check_count(char *user, struct author_data *data) { @@ -107,3 +108,4 @@ } return(0); } +#endif

From jathan at gmail.com Fri Sep 30 20:39:32 2011
From: jathan at gmail.com (Jathan McCollum)
Date: Fri, 30 Sep 2011 13:39:32 -0700
Subject: [tac_plus] Configuring a/v pair expected by Brocade VDX switch
Message-ID:

Dear everybody-

We just got these shiny new Brocade VDX units in our lab and they're running Network OS v2.0.1a with a very stripped down CLI. Apparently this platform used to be a SAN switch.

I have basic authentication working via PAP, but that's only half the battle:

aaa authentication login tacacs+
tacacs-server host HOST1 protocol pap key KEY timeout 1
tacacs-server host HOST2 protocol pap key KEY timeout 1

And on the server:

group = admin {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

user = jathan {
    login = des [redacted]
    pap = des [redacted]
    member = 181
}

The system uses a role model similar to that in JUNOS that designates what users can do. Commands are assigned to roles, and roles are assigned to users. I know that if I want to give a user superuser (read-write) I can assign them to the "admin" role (one of the 2 built-ins). The other built-in is "user", which is read-only. If a TACACS user doesn't receive a role from the server, it defaults to "user":

% telnet myswitch
myswitch login: jathan
Password:
User's role is unavailable, using default.
Welcome to the Brocade Network Operating System Software
jathan connected from 127.0.0.1 using console on myswitch
myswitch#

The documentation indicates the device is expecting the server to send an a/v pair that specifies the authenticated user's role. I assume the value would be "admin" in this case. The problem is that nowhere in the documentation so far have I seen what attribute the device is expecting. There may also be a unique service type (again similar to JUNOS' "junos-exec") that is being expected.

So... After all that background, anyone had experience with this platform and gotten it working successfully w/ tac_plus?

Thanks in advance!

--
Jathan.
--
From heas at shrubbery.net Fri Sep 30 20:59:48 2011
From: heas at shrubbery.net (john heasley)
Date: Fri, 30 Sep 2011 20:59:48 +0000
Subject: [tac_plus] Configuring a/v pair expected by Brocade VDX switch
In-Reply-To:
References:
Message-ID: <20110930205948.GV9227@shrubbery.net>

Fri, Sep 30, 2011 at 01:39:32PM -0700, Jathan McCollum:
> The documentation indicates the device is expecting the server to send an
> a/v pair that specifies the authenticated user's role. I assume the value
> would be "admin" in this case. The problem is that nowhere in the
> documentation so far have I seen what attribute the device is expecting.
> There may also be a unique service type (again similar to JUNOS'
> "junos-exec") that is being expected.
>
> So... After all that background, anyone had experience with this platform
> and gotten it working successfully w/ tac_plus?

none, but some devices send the av pairs they have when they perform authen and/or author. if you enable the appropriate debugging knobs, it might reveal it to you.

or, take the image that you load on the box, uncompress it, unzip it or whatever their packaging method is, then run strings(1) on it and look for strings that might be related to authorization. then send a bomb to brocade offices.

From jathan at gmail.com Fri Sep 30 21:14:03 2011
From: jathan at gmail.com (Jathan McCollum)
Date: Fri, 30 Sep 2011 14:14:03 -0700
Subject: [tac_plus] Configuring a/v pair expected by Brocade VDX switch
In-Reply-To: <20110930205948.GV9227@shrubbery.net>
References: <20110930205948.GV9227@shrubbery.net>
Message-ID:

Hey John, thanks for the reply. That's a good suggestion that I'll tuck away for future reference.

I actually tracked down access to the Brocade support knowledge base and found a document someone had posted using Cisco ASA.

And it is:

brcd-role =

So my group config would be:

group = admin {
    default service = permit
    service = exec {
        priv-lvl = 15
        brcd-role = admin
    }
}

However, sharing that with Cisco devices causes them to be unhappy and fail authorization. I tried prepending the "optional" keyword e.g. "optional brcd-role = admin", which makes Cisco devices happy again, but breaks it on the Brocade.

So... almost there, but still missing something.

On Fri, Sep 30, 2011 at 1:59 PM, john heasley wrote:

> Fri, Sep 30, 2011 at 01:39:32PM -0700, Jathan McCollum:
> > The documentation indicates the device is expecting the server to send an
> > a/v pair that specifies the authenticated user's role. I assume the value
> > would be "admin" in this case. The problem is that nowhere in the
> > documentation so far have I seen what attribute the device is expecting.
> > There may also be a unique service type (again similar to JUNOS'
> > "junos-exec") that is being expected.
> >
> > So... After all that background, anyone had experience with this platform
> > and gotten it working successfully w/ tac_plus?
>
> none, but some devices send the av pairs they have when they perform
> authen and/or author. if you enable the appropriate debugging knobs, it
> might reveal it to you.
>
> or, take the image that you load on the box, uncompress it, unzip it or
> whatever their packaging method is, then run strings(1) on it and look
> for strings that might be related to authorization. then send a bomb to
> brocade offices.
>

--
Jathan.
--

From alan.mckinnon at gmail.com Fri Sep 30 21:43:26 2011
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Fri, 30 Sep 2011 23:43:26 +0200
Subject: [tac_plus] Configuring a/v pair expected by Brocade VDX switch
In-Reply-To:
References: <20110930205948.GV9227@shrubbery.net>
Message-ID: <20110930234326.278f529d@rohan.example.com>

On Fri, 30 Sep 2011 14:14:03 -0700
Jathan McCollum wrote:

> Hey John, thanks for the reply. That's a good suggestion that I'll
> tuck away for future reference.
>
> I actually tracked down access to the Brocade support knowledge base
> and found a document someone had posted using Cisco ASA.
>
> And it is:
>
> brcd-role =
>
> So my group config would be:
>
> group = admin {
>     default service = permit
>     service = exec {
>         priv-lvl = 15
>         brcd-role = admin
>     }
> }
>
> However, sharing that with Cisco devices causes them to be unhappy
> and fail authorization. I tried prepending the "optional" keyword
> e.g. "optional brcd-role = admin", which makes Cisco devices happy
> again, but breaks it on the Brocade.
>
> So... almost there, but still missing something.

Hi Jathan,

I had a very similar issue getting my Cisco and Nexus kit to work together. Short answer is I couldn't get them to work together.

The solution I opted for was to run two instances of tac_plus, the original on port 49 for Cisco and the second on port 50 for Nexus, and keep the configs entirely separate. This works for me and is probably more intuitive than trying to express the same thing in a single config file.

One of the shortcomings of tac_plus in its current form is how inflexible it can be. Users can be a member of only one group, which is a member of only one group etc. Freeradius has a concept of "vhosts" which would be insanely useful on tac_plus, but there is no comparable feature. You seem to have run into this.

I'm not complaining (for the asking price of free tac_plus is a great product) and until I start submitting patches I have very little street-cred. In the meantime I accept that sometimes we have to do things in unusual ways (like run two daemons) to get what we want.

>
> On Fri, Sep 30, 2011 at 1:59 PM, john heasley wrote:
>
> > Fri, Sep 30, 2011 at 01:39:32PM -0700, Jathan McCollum:
> > > The documentation indicates the device is expecting the server to
> > > send an a/v pair that specifies the authenticated user's role. I
> > > assume the value would be "admin" in this case. The problem is
> > > that nowhere in the documentation so far have I seen what
> > > attribute the device is expecting. There may also be a unique
> > > service type (again similar to JUNOS' "junos-exec") that is being
> > > expected.
> > >
> > > So... After all that background, anyone had experience with this
> > > platform and gotten it working successfully w/ tac_plus?
> >
> > none, but some devices send the av pairs they have when they perform
> > authen and/or author. if you enable the appropriate debugging
> > knobs, it might reveal it to you.
> >
> > or, take the image that you load on the box, uncompress it, unzip
> > it or whatever their packaging method is, then run strings(1) on it
> > and look for strings that might be related to authorization. then
> > send a bomb to brocade offices.
>

--
Alan McKinnon
alan.mckinnon at gmail.com

From jathan at gmail.com Fri Sep 30 22:27:52 2011
From: jathan at gmail.com (Jathan McCollum)
Date: Fri, 30 Sep 2011 15:27:52 -0700
Subject: [tac_plus] Configuring a/v pair expected by Brocade VDX switch
In-Reply-To: <20110930234326.278f529d@rohan.example.com>
References: <20110930205948.GV9227@shrubbery.net>
	<20110930234326.278f529d@rohan.example.com>
Message-ID: <1807471129643874731@unknownmsgid>

Oh hell no! Brocade has been pretty good about support. I'll vomit blood until they add support for the "optional" keyword.

jathan.

On Sep 30, 2011, at 14:43, Alan McKinnon wrote:

> On Fri, 30 Sep 2011 14:14:03 -0700
> Jathan McCollum wrote:
>
>> Hey John, thanks for the reply. That's a good suggestion that I'll
>> tuck away for future reference.
>>
>> I actually tracked down access to the Brocade support knowledge base
>> and found a document someone had posted using Cisco ASA.
>>
>> And it is:
>>
>> brcd-role =
>>
>> So my group config would be:
>>
>> group = admin {
>>     default service = permit
>>     service = exec {
>>         priv-lvl = 15
>>         brcd-role = admin
>>     }
>> }
>>
>> However, sharing that with Cisco devices causes them to be unhappy
>> and fail authorization. I tried prepending the "optional" keyword
>> e.g. "optional brcd-role = admin", which makes Cisco devices happy
>> again, but breaks it on the Brocade.
>>
>> So... almost there, but still missing something.
>
> Hi Jathan,
>
> I had a very similar issue getting my Cisco and Nexus kit to work
> together. Short answer is I couldn't get them to work together.
>
> The solution I opted for was to run two instances of tac_plus, the
> original on port 49 for Cisco and the second on port 50 for Nexus, and
> keep the configs entirely separate. This works for me and is probably
> more intuitive than trying to express the same thing in a single config
> file.
>
> One of the shortcomings of tac_plus in its current form is how
> inflexible it can be. Users can be a member of only one group, which is
> a member of only one group etc. Freeradius has a concept of "vhosts"
> which would be insanely useful on tac_plus, but there is no comparable
> feature. You seem to have run into this.
>
> I'm not complaining (for the asking price of free tac_plus is a great
> product) and until I start submitting patches I have very little
> street-cred. In the meantime I accept that sometimes we have to do
> things in unusual ways (like run two daemons) to get what we want.
>
>> On Fri, Sep 30, 2011 at 1:59 PM, john heasley wrote:
>>
>>> Fri, Sep 30, 2011 at 01:39:32PM -0700, Jathan McCollum:
>>>> The documentation indicates the device is expecting the server to
>>>> send an a/v pair that specifies the authenticated user's role. I
>>>> assume the value would be "admin" in this case. The problem is
>>>> that nowhere in the documentation so far have I seen what
>>>> attribute the device is expecting. There may also be a unique
>>>> service type (again similar to JUNOS' "junos-exec") that is being
>>>> expected.
>>>>
>>>> So... After all that background, anyone had experience with this
>>>> platform and gotten it working successfully w/ tac_plus?
>>>
>>> none, but some devices send the av pairs they have when they perform
>>> authen and/or author. if you enable the appropriate debugging
>>> knobs, it might reveal it to you.
>>>
>>> or, take the image that you load on the box, uncompress it, unzip
>>> it or whatever their packaging method is, then run strings(1) on it
>>> and look for strings that might be related to authorization. then
>>> send a bomb to brocade offices.
>
> --
> Alan McKinnon
> alan.mckinnon at gmail.com
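The mandatory/optional distinction behind the Cisco-versus-Brocade behaviour in this thread, as an added example that is not code from tac_plus, Cisco or Brocade: it encodes a tac_plus service block into TACACS+ argument strings (attr=value for a mandatory pair, attr*value for one marked `optional`) and applies the client-side rule from RFC 8907 that an unrecognised mandatory argument fails the authorization while an unrecognised optional one is ignored. The attribute sets for the two device families and the `honour_optional=False` client are assumptions chosen to reproduce the symptoms reported above, not documented vendor behaviour.

```python
"""Model how a TACACS+ client merges the server's authorization reply.

Added example, not code from tac_plus or any vendor. On the wire a
mandatory argument is attr=value and an optional one is attr*value;
tac_plus emits the latter for "optional attr = value" in a service block.
Per RFC 8907 a client that does not understand a mandatory argument must
fail the authorization; an optional argument it does not understand is
ignored. The device vocabularies below are assumptions.
"""
from typing import Dict, Iterable, List, Set, Tuple

# (attribute, value, optional?) as written in a tac_plus service block.
ServiceArgs = List[Tuple[str, str, bool]]

# The two variants tried for "service = exec" in the thread.
EXEC_MANDATORY_ROLE: ServiceArgs = [("priv-lvl", "15", False), ("brcd-role", "admin", False)]
EXEC_OPTIONAL_ROLE: ServiceArgs = [("priv-lvl", "15", False), ("brcd-role", "admin", True)]

# Assumed exec-service attribute vocabularies of the two device families.
CISCO_EXEC_ATTRS: Set[str] = {"priv-lvl"}
BROCADE_EXEC_ATTRS: Set[str] = {"priv-lvl", "brcd-role"}


def encode_args(args: ServiceArgs) -> List[str]:
    """Turn service-block lines into the argument strings sent on the wire."""
    return [f"{attr}{'*' if optional else '='}{value}" for attr, value, optional in args]


def decode_arg(arg: str) -> Tuple[str, str, bool]:
    """Split one wire argument; the first '=' or '*' is the separator."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], arg[i + 1:], ch == "*"
    raise ValueError(f"argument without separator: {arg!r}")


def client_merge(known: Set[str], wire_args: Iterable[str],
                 honour_optional: bool = True) -> Tuple[bool, Dict[str, str]]:
    """Apply the server's reply the way a NAS does; returns (authorized, attrs).

    honour_optional=False models a client that drops optional arguments even
    for attributes it knows; this is an assumption used to reproduce the
    Brocade symptom in the thread (role absent, so the default role applies).
    """
    effective: Dict[str, str] = {}
    for arg in wire_args:
        attr, value, optional = decode_arg(arg)
        if attr not in known:
            if optional:
                continue                 # unknown optional: ignored
            return False, {}             # unknown mandatory: authorization fails
        if optional and not honour_optional:
            continue
        effective[attr] = value
    return True, effective


def brocade_role(effective: Dict[str, str]) -> str:
    """Role the switch ends up with; it falls back to "user" when none arrived."""
    return effective.get("brcd-role", "user")


def outcomes() -> Dict[str, Tuple[bool, Dict[str, str]]]:
    """Authorization result and effective attributes for each pairing."""
    results: Dict[str, Tuple[bool, Dict[str, str]]] = {}
    for label, args in (("mandatory", EXEC_MANDATORY_ROLE), ("optional", EXEC_OPTIONAL_ROLE)):
        wire = encode_args(args)
        results[f"cisco/{label}"] = client_merge(CISCO_EXEC_ATTRS, wire)
        results[f"brocade/{label}"] = client_merge(BROCADE_EXEC_ATTRS, wire, honour_optional=False)
    return results


if __name__ == "__main__":
    for pairing, (ok, attrs) in outcomes().items():
        print(f"{pairing:18} authorized={ok} attrs={attrs}")
```

With no single encoding that both device families accept, the outcome table is the reason Alan's two-daemon layout (one config per device family) is the practical workaround.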