[tac_plus] Should optional A/V pair be sent?

Mon Jan 23 16:07:27 UTC 2012

Hi,

Thanks for the information but my specific question was regarding how
tac_plus deals with optional a/v pairs , in the following configuration
should the a/v pair " brcd-role*admin" be sent to NAS?

group = admin {
       default service = permit
       service = exec {
          priv-lvl = 15
          optional brcd-role = admin
    }
}

I have now tested this with Cisco ACS and TACACS.net both of which send the
optional a/v pair but tac_plus does not?

-----Original Message-----
From: Daniel Schmidt [mailto:daniel.schmidt at wyo.gov] 
Sent: 23 January 2012 15:34
To: Mick Day; tac_plus at shrubbery.net
Subject: RE: [tac_plus] Should optional A/V pair be sent?

I also have noted that if you send a Cisco switch/router anything other than
"priv-lvl", they do not work.  One workaround is to use do_auth.  The
following example is brocade's traditional privlvl, but the same concept
should work with the brcd-role you describe. (Note, this is more to fix a
Cisco bug than a Brocade)  Simply put: If you match a brocade device and
find something that says "priv-lvl" replace it with "brocade-privlvl=5"

[brocade_disable]
host_allow =
        .*
device_permit =
	<list of brocade devices>
command_permit =
        .*
av_pairs =
        priv-lvl,brocade-privlvl=5

-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Mick Day
Sent: Monday, January 23, 2012 4:31 AM
To: tac_plus at shrubbery.net
Subject: [tac_plus] Should optional A/V pair be sent?

Hi Everyone,

I am having a problem with sending optional a/v pair from tac_plus, this is
related to post
http://www.shrubbery.net/pipermail/tac_plus/2011-September/000978.html as it
now appears that the latest Brocade VDX code now supports optional a/v pairs
for 'brcd-role' the only problem is that when the NAS authenticates with the
server only the mandatory a/v pairs are being sent

My configuration is as follows:

group = admin {
       default service = permit
       service = exec {
          priv-lvl = 15
          optional brcd-role = admin
    }
}

The NAS only ever receives the a/v pair ' priv-lvl = 15' is this expected
behaviour?  If I reconfigure the 'brcd-role' to a mandatory it then sends
both 'priv-lvl' and 'brcd-role' but then this creates the same problem as
described in previous post
http://www.shrubbery.net/pipermail/tac_plus/2011-September/000978.html
where Cisco devices fail authorisation.

I have also tried the same with Cisco ACS and this sends both the mandatory
and optional a/v pairs allowing both devices to be able to login.

I am unclear as to whether it is expected behaviour for server to send
optional a/v pairs by default?

_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
E-Mail to and from me, in connection with the transaction of public
business,is subject to the Wyoming Public Records Act, and may be disclosed
to third parties.