[tac_plus] host acl always denies
heasley
heas at shrubbery.net
Thu Jan 12 16:47:46 UTC 2012
Thu, Jan 12, 2012 at 10:17:23AM +0200, Ignas Kazlauskas:
> Hello,
> I have a simple tac_plus config with a host acl. The problem is I always
> get denied, even with ".*". Tried versions tacacs+-F4.0.4.20 and
> tacacs+-F5.0.0a1. What's wrong (Linux CentOS6, Debian6)?
>
> tac_plus.conf
> =============
>
> accounting file = /var/log/tacacs/acc.log
> key = testing123
>
> acl = alist {
> permit = .*
> permit = ^192.*
> permit = 192.168.111\.12$
> permit = 192.168.111.12
> permit = 192\.168\.111.*
> permit = ^192\.168\.111\.12$
> }
perhaps trailing whitespace or non-printable characters?
> user = fred {
> login = cleartext fred
> enable = cleartext enab15
> # I can connect when the following line is commented
> acl = alist
> service = exec { }
> }
>
> IOS
> ===
> !
> ip tacacs source-interface FastEthernet1/0
> !
> interface FastEthernet1/0
> ip address 192.168.111.12 255.255.255.0
> speed auto
> duplex auto
> !
>
> tac.log
> =======
>
> Wed Jan 11 10:36:55 2012 [19954]: Reading config
> Wed Jan 11 10:36:55 2012 [19954]: Version F5.0.0a1 Initialized 1
> Wed Jan 11 10:36:55 2012 [19954]: tac_plus server F5.0.0a1 starting
> Wed Jan 11 10:36:55 2012 [19954]: uid=0 euid=0 gid=0 egid=0 s=4
> Wed Jan 11 10:36:59 2012 [19954]: session.peerip is 192.168.111.12
> Wed Jan 11 10:36:59 2012 [19955]: connect from 192.168.111.12
> [192.168.111.12]
> Wed Jan 11 10:37:03 2012 [19955]: verify daemon fred == NAS fred
> Wed Jan 11 10:37:03 2012 [19955]: Password is correct
> Wed Jan 11 10:37:03 2012 [19955]: Password has not expired <no expiry
> date set>
> Wed Jan 11 10:37:03 2012 [19955]: cfg_acl_check(alist, 192.168.111.12)
> Wed Jan 11 10:37:03 2012 [19955]: ip 192.168.111.12 did not match in acl
> filter alist
> Wed Jan 11 10:37:03 2012 [19955]: host ACLs for user 'fred' deny
> Wed Jan 11 10:37:03 2012 [19955]: login query for 'fred' tty2 from
> 192.168.111.12 rejected
> Wed Jan 11 10:37:03 2012 [19955]: login failure: fred 192.168.111.12
> (192.168.111.12) tty2
>
>
> --
> Ignas K.
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
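
The check suggested in the reply, as an added example (not part of the original thread and not tac_plus code): scan the permit/deny lines of a config for bytes outside printable ASCII and show how each pattern behaves with and without them. It assumes such bytes end up inside the pattern, which is the reply's hypothesis and is not confirmed on this page; Python's `re` stands in for the daemon's regex engine, and `audit_acl_lines` and the sample config are constructed for illustration.

```python
import re

# Constructed sample: acl lines in the style of the post, with hidden bytes
# planted on three of them. This is not the poster's actual file.
SAMPLE_CONF = (
    b"acl = alist {\n"
    b"permit = .* \n"                        # trailing space
    b"permit = ^192\\.168\\.111\\.12$\r\n"   # CRLF line ending
    b"permit = 192\\.168\\.111.*\xc2\xa0\n"  # UTF-8 non-breaking space
    b"permit = ^192.*\n"                     # clean line
    b"}\n"
)
NAS_IP = b"192.168.111.12"  # peer address from the quoted tac.log

ACL_LINE = re.compile(rb"^\s*(permit|deny)\s*=\s*(.*)$")

def matches(pattern, ip):
    """Python's re as a stand-in for the daemon's regex engine (assumption)."""
    try:
        return re.search(pattern, ip) is not None
    except re.error:
        return False

def audit_acl_lines(conf, ip):
    """One finding per permit/deny line, listing bytes outside 0x21-0x7e."""
    findings = []
    for lineno, line in enumerate(conf.split(b"\n"), start=1):
        m = ACL_LINE.match(line)
        if not m:
            continue
        raw = m.group(2)
        hidden = [hex(b) for b in raw if not 0x21 <= b <= 0x7E]
        clean = bytes(b for b in raw if 0x21 <= b <= 0x7E)
        findings.append({
            "line": lineno,
            "action": m.group(1).decode(),
            "hidden": hidden,                    # empty list means clean
            "raw_match": matches(raw, ip),       # pattern as stored in the file
            "clean_match": matches(clean, ip),   # pattern with hidden bytes removed
        })
    return findings

if __name__ == "__main__":
    for f in audit_acl_lines(SAMPLE_CONF, NAS_IP):
        status = "SUSPECT" if f["hidden"] else "ok"
        print(f'{f["line"]:>3} {f["action"]:<6} {status:<7} hidden={f["hidden"]} '
              f'raw_match={f["raw_match"]} clean_match={f["clean_match"]}')
```

To audit a real file, pass its contents read in binary mode, so that carriage returns and multi-byte characters are not normalised away before the check.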