[tac_plus] host acl always denies

heasley heas at shrubbery.net
Thu Jan 12 16:47:46 UTC 2012


Thu, Jan 12, 2012 at 10:17:23AM +0200, Ignas Kazlauskas:
> Hello,
> I have a simple tac_plus config with a host acl. The problem is I always
> get denied, even with ".*". Tried versions tacacs+-F4.0.4.20 and
> tacacs+-F5.0.0a1. What's wrong (Linux CentOS6, Debian6)?
> 
> tac_plus.conf
> =============
> 
> accounting file = /var/log/tacacs/acc.log
> key = testing123
> 
> acl = alist {
>     permit = .*
>     permit = ^192.*
>     permit = 192.168.111\.12$
>     permit = 192.168.111.12
>     permit = 192\.168\.111.*
>     permit = ^192\.168\.111\.12$
> }

perhaps trailing whitespace or non-printable characters?

> user = fred {
>     login = cleartext fred
>     enable = cleartext enab15
>     # I can connect when the following line is commented
>     acl = alist
>     service = exec { }
> }
> 
> IOS
> ===
> !
> ip tacacs source-interface FastEthernet1/0
> !
> interface FastEthernet1/0
>  ip address 192.168.111.12 255.255.255.0
>  speed auto
>  duplex auto
> !
> 
> tac.log
> =======
> 
> Wed Jan 11 10:36:55 2012 [19954]: Reading config
> Wed Jan 11 10:36:55 2012 [19954]: Version F5.0.0a1 Initialized 1
> Wed Jan 11 10:36:55 2012 [19954]: tac_plus server F5.0.0a1 starting
> Wed Jan 11 10:36:55 2012 [19954]: uid=0 euid=0 gid=0 egid=0 s=4
> Wed Jan 11 10:36:59 2012 [19954]: session.peerip is 192.168.111.12
> Wed Jan 11 10:36:59 2012 [19955]: connect from 192.168.111.12 [192.168.111.12]
> Wed Jan 11 10:37:03 2012 [19955]: verify daemon fred == NAS fred
> Wed Jan 11 10:37:03 2012 [19955]: Password is correct
> Wed Jan 11 10:37:03 2012 [19955]: Password has not expired <no expiry date set>
> Wed Jan 11 10:37:03 2012 [19955]: cfg_acl_check(alist, 192.168.111.12)
> Wed Jan 11 10:37:03 2012 [19955]: ip 192.168.111.12 did not match in acl filter alist
> Wed Jan 11 10:37:03 2012 [19955]: host ACLs for user 'fred' deny
> Wed Jan 11 10:37:03 2012 [19955]: login query for 'fred' tty2 from 192.168.111.12 rejected
> Wed Jan 11 10:37:03 2012 [19955]: login failure: fred 192.168.111.12 (192.168.111.12) tty2
> 
> 
> -- 
> Ignas K.
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus


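An added check to go with the reply's suggestion, not something from the thread or from tac_plus itself: a small Python lint that pulls the acl entries out of a tac_plus.conf, reports trailing whitespace and non-printable characters in each pattern, and walks the acl the way the quoted log implies (first matching entry wins, no match is a deny). It assumes those first-match, default-deny semantics and uses Python's `re` module as a stand-in for the regex library tac_plus links against, so it tells you whether a stray character is present and what it does to matching, not exactly how tac_plus tokenizes the line. The sample config is constructed: the quoted acl re-typed with CRLF line endings, as a file edited on Windows and copied to the server would look, so every pattern carries an invisible `\r`.

```python
import re

# Constructed sample, not the original poster's file: the quoted acl with
# CRLF line endings, so each pattern ends in a "\r" that a terminal
# will not display.
SAMPLE_CONF = (
    "accounting file = /var/log/tacacs/acc.log\r\n"
    "key = testing123\r\n"
    "\r\n"
    "acl = alist {\r\n"
    "    permit = .*\r\n"
    "    permit = ^192.*\r\n"
    "    permit = ^192\\.168\\.111\\.12$\r\n"
    "}\r\n"
)

ACL_HEADER = re.compile(r"^\s*acl\s*=\s*(\S+)\s*\{")
ACL_ENTRY = re.compile(r"^\s*(permit|deny)\s*=\s*(.*)$")


def parse_acl(text, name):
    """Return the (action, pattern) entries of acl `name` in file order.
    Lines are split on "\\n" only, so a "\\r" from a CRLF file stays in
    the pattern instead of being silently discarded."""
    entries, inside = [], False
    for line in text.split("\n"):
        if not inside:
            m = ACL_HEADER.match(line)
            inside = bool(m and m.group(1) == name)
            continue
        if line.strip() == "}":
            break
        m = ACL_ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def hidden_chars(pattern):
    """Offsets of characters an editor may not show: control and non-ASCII
    characters anywhere in the pattern, plus trailing whitespace of any kind."""
    bad = {i for i, ch in enumerate(pattern)
           if not ch.isprintable() or ord(ch) > 126}
    bad.update(range(len(pattern.rstrip()), len(pattern)))
    return sorted(bad)


def lint_acl(entries):
    """Map each entry index to the hidden-character offsets in its pattern;
    an empty dict means every pattern is clean."""
    return {i: hidden_chars(p) for i, (_, p) in enumerate(entries)
            if hidden_chars(p)}


def acl_check(entries, ip, clean=False):
    """First-match walk over the acl: the first permit/deny whose regex
    matches the peer IP wins, and no match is a deny, which is what the
    quoted "did not match in acl filter" line shows.  This is an assumption
    about tac_plus, and Python's re stands in for the C regex library.
    clean=True strips each pattern first, to show what the acl was meant
    to do."""
    for action, pattern in entries:
        if clean:
            pattern = pattern.strip()
        if re.search(pattern, ip):
            return action
    return "deny"


def demo():
    """Run the checks on the constructed sample and return the results."""
    entries = parse_acl(SAMPLE_CONF, "alist")
    return {
        "hidden": lint_acl(entries),
        "as_written": acl_check(entries, "192.168.111.12"),
        "cleaned": acl_check(entries, "192.168.111.12", clean=True),
        # Caveat on the quoted "permit = 192.168.111.12": unescaped dots and
        # no anchors make it a substring match, so a neighbouring host slips
        # through; the anchored, escaped form does not.
        "loose": acl_check([("permit", "192.168.111.12")], "192.168.111.120"),
        "tight": acl_check([("permit", r"^192\.168\.111\.12$")], "192.168.111.120"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the `\r` in place every permit fails and the walk falls through to the implicit deny, exactly the "did not match in acl filter" outcome in the quoted log; with the patterns stripped the first `.*` permits. Run it against the real file (`parse_acl(open(path).read(), "alist")`) to see whether any offsets come back; `cat -A` or `od -c` on the config will show the same characters.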