[tac_plus] Should optional A/V pair be sent?

Mick Day mick at mickday.com
Mon Jan 23 16:07:27 UTC 2012


Hi,

Thanks for the information, but my specific question was regarding how
tac_plus deals with optional a/v pairs. In the following configuration,
should the a/v pair "brcd-role*admin" be sent to the NAS?

group = admin {
    default service = permit
    service = exec {
        priv-lvl = 15
        optional brcd-role = admin
    }
}

I have now tested this with Cisco ACS and TACACS.net, both of which send the
optional a/v pair, but tac_plus does not?
 
-----Original Message-----
From: Daniel Schmidt [mailto:daniel.schmidt at wyo.gov] 
Sent: 23 January 2012 15:34
To: Mick Day; tac_plus at shrubbery.net
Subject: RE: [tac_plus] Should optional A/V pair be sent?

I also have noted that if you send a Cisco switch/router anything other than
"priv-lvl", they do not work.  One workaround is to use do_auth.  The
following example is Brocade's traditional privlvl, but the same concept
should work with the brcd-role you describe. (Note, this is more to fix a
Cisco bug than a Brocade one.)  Simply put: if you match a Brocade device and
find something that says "priv-lvl", replace it with "brocade-privlvl=5".

[brocade_disable]
host_allow =
        .*
device_permit =
        <list of brocade devices>
command_permit =
        .*
av_pairs =
        priv-lvl,brocade-privlvl=5

-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Mick Day
Sent: Monday, January 23, 2012 4:31 AM
To: tac_plus at shrubbery.net
Subject: [tac_plus] Should optional A/V pair be sent?

Hi Everyone,

I am having a problem with sending an optional a/v pair from tac_plus. This is
related to the post
http://www.shrubbery.net/pipermail/tac_plus/2011-September/000978.html, as it
now appears that the latest Brocade VDX code supports optional a/v pairs
for 'brcd-role'. The only problem is that when the NAS authenticates with the
server, only the mandatory a/v pairs are being sent.

My configuration is as follows:

group = admin {
    default service = permit
    service = exec {
        priv-lvl = 15
        optional brcd-role = admin
    }
}

The NAS only ever receives the a/v pair 'priv-lvl = 15'. Is this expected
behaviour?  If I reconfigure 'brcd-role' as mandatory, it then sends
both 'priv-lvl' and 'brcd-role', but this creates the same problem as
described in the previous post
http://www.shrubbery.net/pipermail/tac_plus/2011-September/000978.html
where Cisco devices fail authorisation.

I have also tried the same with Cisco ACS and this sends both the mandatory
and optional a/v pairs allowing both devices to be able to login.

I am unclear as to whether it is expected behaviour for the server to send
optional a/v pairs by default.

_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
E-Mail to and from me, in connection with the transaction of public
business,is subject to the Wyoming Public Records Act, and may be disclosed
to third parties.
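As an added example that is not part of this thread and not code from tac_plus, do_auth or any vendor, the following Python models the semantics the thread turns on: how a mandatory ("=") and an optional ("*") pair are encoded in a TACACS+ authorization reply, how a NAS that only understands priv-lvl treats each kind (an unknown mandatory pair fails the authorization, an unknown optional pair is ignored, which is why a mandatory brcd-role breaks the Cisco devices while an optional one does not), and how a do_auth-style per-device rewrite of priv-lvl to brocade-privlvl=5 can be expressed. The config reader, the function names and the address range in the rewrite rule are all constructed for the example; it does not show what tac_plus itself sends, which is the open question of the thread.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Optional

# TACACS+ authorization replies carry attribute-value pairs. On the wire the
# separator encodes the flag: "attr=value" is mandatory, "attr*value" is
# optional (RFC 8907). Everything below is constructed for this example; it is
# not tac_plus, do_auth or any vendor's code.


@dataclass(frozen=True)
class AVPair:
    attr: str
    value: str
    optional: bool  # True -> sent as "attr*value"; False -> "attr=value"

    def encode(self) -> str:
        """Wire form of the pair."""
        return f"{self.attr}{'*' if self.optional else '='}{self.value}"


def parse_av_pair(text: str) -> AVPair:
    """Decode a wire-format pair; the first '=' or '*' is the separator."""
    m = re.match(r"^([^=*]+)([=*])(.*)$", text)
    if not m:
        raise ValueError(f"not an AV pair: {text!r}")
    attr, sep, value = m.groups()
    return AVPair(attr, value, sep == "*")


def pairs_from_service(lines: Iterable[str]) -> list[AVPair]:
    """Read the body of a tac_plus-style 'service = exec { ... }' block.

    'optional attr = value' yields an optional pair, 'attr = value' a
    mandatory one; braces and blank lines are skipped. This is a small
    reader written for the example, not tac_plus's own config parser.
    """
    pairs = []
    for raw in lines:
        line = raw.strip()
        if not line or line.endswith("{") or line == "}":
            continue
        optional = line.startswith("optional ")
        if optional:
            line = line[len("optional "):]
        attr, _, value = line.partition("=")
        pairs.append(AVPair(attr.strip(), value.strip(), optional))
    return pairs


@dataclass(frozen=True)
class RewriteRule:
    """Per-device rewrite modelled on the do_auth 'av_pairs' idea: for a NAS
    whose address matches device_re, any pair named `match` is replaced by
    `replacement` given in wire form, e.g. "brocade-privlvl=5"."""
    device_re: str
    match: str
    replacement: str


def rewrite_for_device(pairs: Iterable[AVPair], device_ip: str,
                       rules: Iterable[RewriteRule]) -> list[AVPair]:
    """Apply every rule whose device pattern matches the requesting NAS."""
    result = list(pairs)
    for rule in rules:
        if re.fullmatch(rule.device_re, device_ip) is None:
            continue
        new = parse_av_pair(rule.replacement)
        result = [new if p.attr == rule.match else p for p in result]
    return result


def nas_apply(pairs: Iterable[AVPair],
              supported: set[str]) -> Optional[dict[str, str]]:
    """Model the NAS side of the reply (RFC 8907 semantics): a mandatory pair
    the device does not understand fails the authorization (returns None);
    an optional pair it does not understand is silently ignored."""
    applied: dict[str, str] = {}
    for p in pairs:
        if p.attr in supported:
            applied[p.attr] = p.value
        elif not p.optional:
            return None
    return applied


# Constructed input: the service body from the thread's configuration.
SERVICE_BODY = [
    "service = exec {",
    "    priv-lvl = 15",
    "    optional brcd-role = admin",
    "}",
]

# Constructed rule in the spirit of the do_auth stanza in the thread; the
# address range is a documentation-range placeholder, not a real device list.
BROCADE_RULES = [RewriteRule(r"192\.0\.2\..*", "priv-lvl", "brocade-privlvl=5")]


if __name__ == "__main__":
    pairs = pairs_from_service(SERVICE_BODY)
    print("server would send:", [p.encode() for p in pairs])
    print("Cisco NAS (knows only priv-lvl):", nas_apply(pairs, {"priv-lvl"}))
    print("Brocade NAS:", nas_apply(pairs, {"priv-lvl", "brcd-role"}))
    rewritten = rewrite_for_device(pairs, "192.0.2.10", BROCADE_RULES)
    print("after Brocade rewrite:", [p.encode() for p in rewritten])
```

Running it shows the reply as `['priv-lvl=15', 'brcd-role*admin']`; the Cisco model applies only priv-lvl and ignores the optional brcd-role, whereas changing brcd-role to mandatory makes the same model return None, matching the authorisation failure described in the thread. The rewrite path replaces priv-lvl with brocade-privlvl=5 only for addresses matching the rule, so a non-Brocade NAS still receives the original pairs.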