[tac_plus] Cisco & mandatory pairs/brocade-privlvl

Jathan McCollum jathan at gmail.com
Tue Feb 21 22:15:13 UTC 2012


Very briefly on this topic:

Brocade has admitted that on the MDX platform choosing to accept any AV
pairs whether the device could process them or not was a design decision.
This breaks TACACS+ and I've since asked them to fix this.

In any case, the correct behavior according to the TACACS+ protocol when a
device receives a mandatory attribute it cannot process is to FAIL
authorization, thereby booting you from the device.

At least you know that in some cases, the devices are behaving correctly by
flat out denying you.

On Tue, Feb 21, 2012 at 2:00 PM, Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:

> I previously reported that a Cisco, given the mandatory brocade-privlvl
> (which it doesn't understand), will simply default to disable.  This
> assertion appears to be incorrect.  On some devices/versions it puts you
> in disable, in some it puts you in enable, and on some it flat out denies
> access telling you authorization failed.  Serves me right, expecting
> consistency when Heasley flat out warned me not to!  Brocade's new method of
> using optional av pairs will serve them better - one has to wonder if Cisco
> makes it work incorrectly on purpose.
>
> Feb 21 21:30:32.346: AAA/AUTHOR (0x12B): Pick method list 'default' - FAIL
>
> Feb 21 21:30:32.390: AAA/AUTHOR/EXEC(0000012B): Authorization FAILED
>



-- 
Jathan.
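As an added example (not code from tac_plus, Cisco, Brocade or anyone on this thread), the client-side rule described above modelled in Python: the separator of each authorization AV pair decides whether a device that does not understand the attribute must fail authorization (`=`, mandatory) or may silently ignore it (`*`, optional). The attribute set, the sample replies and the `strict` switch are assumptions for illustration; `strict=False` reproduces the permissive behaviour the thread complains about.

```python
# Added example modelling the TACACS+ rule for authorization AV pairs
# (TACACS+ draft in use in 2012, later RFC 8907): "attr=value" is mandatory,
# "attr*value" is optional.  A conforming client that receives a mandatory
# attribute it cannot process MUST treat the authorization as failed; an
# unknown optional attribute is simply ignored.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AVPair:
    attr: str
    value: str
    mandatory: bool


def parse_av_pair(raw: str) -> AVPair:
    """Split a raw AV pair at its first '=' or '*' separator."""
    for i, ch in enumerate(raw):
        if ch in "=*":
            return AVPair(raw[:i], raw[i + 1:], mandatory=(ch == "="))
    raise ValueError(f"malformed AV pair: {raw!r}")


def apply_authorization(pairs: List[str], known_attrs: Set[str],
                        strict: bool = True) -> Tuple[bool, Dict[str, str]]:
    """Decide the outcome as the client (NAS) would; returns (authorized, applied).

    strict=True  -> conforming behaviour: unknown mandatory attribute fails.
    strict=False -> permissive behaviour (assumed): unknown pairs are ignored.
    """
    applied: Dict[str, str] = {}
    for raw in pairs:
        pair = parse_av_pair(raw)
        if pair.attr in known_attrs:
            applied[pair.attr] = pair.value
        elif pair.mandatory and strict:
            return False, {}          # unknown mandatory attribute: authorization fails
        # unknown optional attribute (or non-strict client): ignored
    return True, applied


# Constructed sample: attributes a Cisco-style client understands (assumption),
# and two server replies carrying a Brocade-specific attribute next to priv-lvl.
CISCO_KNOWN: Set[str] = {"priv-lvl", "autocmd", "idletime"}
REPLY_MANDATORY = ["priv-lvl=15", "brocade-privlvl=0"]   # old Brocade style
REPLY_OPTIONAL = ["priv-lvl=15", "brocade-privlvl*0"]    # new Brocade style

if __name__ == "__main__":
    print(apply_authorization(REPLY_MANDATORY, CISCO_KNOWN))  # (False, {})
    print(apply_authorization(REPLY_OPTIONAL, CISCO_KNOWN))   # (True, {'priv-lvl': '15'})
```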