[tac_plus] Cisco & mandatory pairs/brocade-privlvl

Jathan McCollum jathan at gmail.com
Tue Feb 21 22:17:50 UTC 2012


Sorry, I meant VDX, not MDX. Anyway...

On Tue, Feb 21, 2012 at 2:15 PM, Jathan McCollum <jathan at gmail.com> wrote:

> Very briefly on this topic:
>
> Brocade has admitted that on the MDX platform choosing to accept any AV
> pairs whether the device could process them or not was a design decision.
> This breaks TACACS+ and I've since asked them to fix this.
>
> In any case, the correct behavior according to the TACACS+ protocol when a
> device receives a mandatory attribute it cannot process is to FAIL
> authorization, thereby booting you from the device.
>
> At least you know that in some cases, the devices are behaving correctly
> by flat out denying you.
>
>
> On Tue, Feb 21, 2012 at 2:00 PM, Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:
>
>> I previously reported that a Cisco, given the mandatory brocade-privlvl
>> (which it doesn't understand), will simply default to disable. This
>> assertion appears to be incorrect. On some devices/versions it puts you
>> in disable, in some it puts you in enable, and on some it flat out denies
>> access telling you authorization failed. Serves me right, expecting
>> consistency when Heasley flat out warned me not to! Brocade's new method
>> of using optional AV pairs will serve them better - one has to wonder if
>> Cisco makes it work incorrectly on purpose.
>>
>> Feb 21 21:30:32.346: AAA/AUTHOR (0x12B): Pick method list 'default' - FAIL
>> Feb 21 21:30:32.390: AAA/AUTHOR/EXEC(0000012B): Authorization FAILED
>>
>> E-Mail to and from me, in connection with the transaction
>> of public business, is subject to the Wyoming Public Records
>> Act and may be disclosed to third parties.
>>
>
>
>
> --
> Jathan.
> --
>



-- 
Jathan.
--
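Added example, not code from the thread or from the tac_plus project: a small Python model of the two behaviours discussed above, the client-side rule that a mandatory attribute the device cannot process fails authorization, and the server-side remedy of sending vendor-specific pairs as optional. The attribute name priv-lvl is a standard TACACS+ attribute assumed here alongside the page's brocade-privlvl; the reply strings and "supported" sets are constructed for illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# TACACS+ attribute-value pair syntax: "attr=value" is mandatory,
# "attr*value" is optional. Only that separator rule is modelled.
_AVPAIR = re.compile(r"^([^=*]+)([=*])(.*)$")


@dataclass(frozen=True)
class AVPair:
    attr: str
    value: str
    mandatory: bool


def parse_avpair(text: str) -> AVPair:
    m = _AVPAIR.match(text)
    if not m:
        raise ValueError(f"malformed AV pair: {text!r}")
    attr, sep, value = m.groups()
    return AVPair(attr, value, sep == "=")


def client_authorize(reply: list[str], supported: set[str]) -> tuple[bool, dict[str, str]]:
    """Apply the protocol's client-side rule to a server authorization reply.

    Returns (authorized, applied). A mandatory attribute the device does not
    understand fails the whole authorization (the behaviour Jathan calls
    correct); an unknown optional attribute is silently ignored.
    """
    applied: dict[str, str] = {}
    for pair in map(parse_avpair, reply):
        if pair.attr in supported:
            applied[pair.attr] = pair.value
        elif pair.mandatory:
            return False, {}
    return True, applied


def make_optional(reply: list[str], vendor_attrs: set[str]) -> list[str]:
    """Server-side remedy: emit the named vendor-specific pairs as optional."""
    out = []
    for p in map(parse_avpair, reply):
        sep = "*" if p.attr in vendor_attrs or not p.mandatory else "="
        out.append(f"{p.attr}{sep}{p.value}")
    return out


if __name__ == "__main__":
    reply = ["priv-lvl=15", "brocade-privlvl=15"]        # constructed reply
    print(client_authorize(reply, {"priv-lvl"}))          # Cisco-like device: (False, {})
    fixed = make_optional(reply, {"brocade-privlvl"})
    print(client_authorize(fixed, {"priv-lvl"}))          # (True, {'priv-lvl': '15'})
```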