[tac_plus] Cisco WLC

Daniel Schmidt daniel.schmidt at wyo.gov
Tue Jan 31 15:43:14 UTC 2012


I give up, the Cisco WLC just doesn’t seem to like authorization replacing
the pairs.  Wouldn’t be the only platform that has difficulty.



# egrep 6079 tac_log.txt

Mon Jan 30 16:54:48 2012 [6079]: connect from 192.168.0.1 [192.168.0.1]
Mon Jan 30 16:54:48 2012 [6079]: Waiting for packet
Mon Jan 30 16:54:48 2012 [6079]: cfg_get_hvalue: name=192.168.0.1 attr=key
Mon Jan 30 16:54:48 2012 [6079]: cfg_get_hvalue: no host named 192.168.0.1
Mon Jan 30 16:54:48 2012 [6079]: cfg_get_phvalue: returns NULL
Mon Jan 30 16:54:48 2012 [6079]: Read AUTHOR size=71
Mon Jan 30 16:54:48 2012 [6079]: validation request from 192.168.0.1
Mon Jan 30 16:54:48 2012 [6079]: PACKET: key=my_key
Mon Jan 30 16:54:48 2012 [6079]: version 192 (0xc0), type 2, seq no 1, flags 0x1
Mon Jan 30 16:54:48 2012 [6079]: session_id 2378080596 (0x8dbea154), Data length 59 (0x3b)
Mon Jan 30 16:54:48 2012 [6079]: End header
Mon Jan 30 16:54:49 2012 [6079]: type=AUTHOR, priv_lvl=1, authen=1
Mon Jan 30 16:54:49 2012 [6079]: method=tacacs+
Mon Jan 30 16:54:49 2012 [6079]: svc=1 user_len=4 port_len=0 rem_addr_len=14
Mon Jan 30 16:54:49 2012 [6079]: arg_cnt=2
Mon Jan 30 16:54:49 2012 [6079]: User:
Mon Jan 30 16:54:49 2012 [6079]: stupid_user
Mon Jan 30 16:54:49 2012 [6079]: port:
Mon Jan 30 16:54:49 2012 [6079]: rem_addr:
Mon Jan 30 16:54:49 2012 [6079]: 10.0.0.1
Mon Jan 30 16:54:49 2012 [6079]: arg[0]: size=16
Mon Jan 30 16:54:49 2012 [6079]: service=ciscowlc
Mon Jan 30 16:54:49 2012 [6079]: arg[1]: size=15
Mon Jan 30 16:54:49 2012 [6079]: protocol=common
Mon Jan 30 16:54:49 2012 [6079]: End packet
Mon Jan 30 16:54:49 2012 [6079]: Start authorization request
Mon Jan 30 16:54:49 2012 [6079]: cfg_get_value: name=stupid_user isuser=1 attr=acl rec=1
Mon Jan 30 16:54:49 2012 [6079]: cfg_get_value: recurse group = do_auth_access
Mon Jan 30 16:54:49 2012 [6079]: cfg_get_pvalue: returns NULL
Mon Jan 30 16:54:49 2012 [6079]: do_author: user='stupid_user'
Mon Jan 30 16:54:49 2012 [6079]: cfg_get_value: name=stupid_user isuser=1 attr=before rec=1
Mon Jan 30 16:54:49 2012 [6079]: cfg_get_value: recurse group = do_auth_access
Mon Jan 30 16:54:49 2012 [6079]: cfg_get_pvalue: returns NULL
Mon Jan 30 16:54:49 2012 [6079]: user 'stupid_user' found
Mon Jan 30 16:54:49 2012 [6079]: cfg_get_svc_node: username=stupid_user N_svc proto= svcname=ciscowlc rec=1
Mon Jan 30 16:54:49 2012 [6079]: cfg_get_svc_node: found N_svc proto= svcname=ciscowlc
Mon Jan 30 16:54:49 2012 [6079]: nas:service=ciscowlc (passed thru)
Mon Jan 30 16:54:49 2012 [6079]: nas:protocol=common (passed thru)
Mon Jan 30 16:54:49 2012 [6079]: nas:absent, server:role1=ALL -> add role1=ALL (k)
Mon Jan 30 16:54:49 2012 [6079]: added 1 args
Mon Jan 30 16:54:49 2012 [6079]: out_args[0] = service=ciscowlc input copy discarded
Mon Jan 30 16:54:49 2012 [6079]: out_args[1] = protocol=common input copy discarded
Mon Jan 30 16:54:49 2012 [6079]: out_args[2] = role1=ALL compacted to out_args[0]
Mon Jan 30 16:54:49 2012 [6079]: 1 output args
Mon Jan 30 16:54:49 2012 [6079]: cfg_get_value: name=stupid_user isuser=1 attr=after rec=1
Mon Jan 30 16:54:49 2012 [6079]: cfg_get_value: recurse group = do_auth_access
Mon Jan 30 16:54:49 2012 [6079]: cfg_get_pvalue: returns /usr/bin/python /root/do_auth.pyo -i $address -fix_crs_bug -u $user -d $name -l /root/log.txt -f /root/do_auth.ini
Mon Jan 30 16:54:49 2012 [6079]: After authorization call: /usr/bin/python /root/do_auth.pyo -i $address -fix_crs_bug -u $user -d $name -l /root/log.txt -f /root/do_auth.ini
Mon Jan 30 16:54:49 2012 [6079]: substitute: /usr/bin/python /root/do_auth.pyo -i $address -fix_crs_bug -u $user -d $name -l /root/log.txt -f /root/do_auth.ini
Mon Jan 30 16:54:49 2012 [6079]: Dollar substitution: /usr/bin/python /root/do_auth.pyo -i 10.0.0.1 -fix_crs_bug -u stupid_user -d 192.168.0.1 -l /root/log.txt -f /root/do_auth.ini
Mon Jan 30 16:54:49 2012 [6079]: input service=ciscowlc
Mon Jan 30 16:54:49 2012 [6079]: input protocol=common
Mon Jan 30 16:54:49 2012 [6079]: input role1=ALL
Mon Jan 30 16:54:49 2012 [6079]: output role1=MONITOR
Mon Jan 30 16:54:49 2012 [6079]: pid 6080 child exited status 6080l
Mon Jan 30 16:54:49 2012 [6079]: cmd /usr/bin/python /root/do_auth.pyo -i $address -fix_crs_bug -u $user -d $name -l /root/log.txt -f /root/do_auth.ini returns 2 (replace & continue)
Mon Jan 30 16:54:49 2012 [6079]: status is now AUTHOR_STATUS_PASS_REPL
Mon Jan 30 16:54:49 2012 [6079]: Writing AUTHOR/PASS_REPL size=32
Mon Jan 30 16:54:49 2012 [6079]: PACKET: key=my_key
Mon Jan 30 16:54:49 2012 [6079]: version 192 (0xc0), type 2, seq no 2, flags 0x1
Mon Jan 30 16:54:49 2012 [6079]: session_id 2378080596 (0x8dbea154), Data length 20 (0x14)
Mon Jan 30 16:54:49 2012 [6079]: End header
Mon Jan 30 16:54:49 2012 [6079]: type=AUTHOR/REPLY status=2 (AUTHOR/PASS_REPL)
Mon Jan 30 16:54:49 2012 [6079]: msg_len=0, data_len=0 arg_cnt=1
Mon Jan 30 16:54:49 2012 [6079]: msg:
Mon Jan 30 16:54:49 2012 [6079]: data:
Mon Jan 30 16:54:49 2012 [6079]: arg[0] size=13
Mon Jan 30 16:54:49 2012 [6079]: role1=MONITOR
Mon Jan 30 16:54:49 2012 [6079]: End packet
Mon Jan 30 16:54:49 2012 [6079]: cfg_get_hvalue: name=192.168.0.1 attr=key
Mon Jan 30 16:54:49 2012 [6079]: cfg_get_hvalue: no host named 192.168.0.1
Mon Jan 30 16:54:49 2012 [6079]: cfg_get_phvalue: returns NULL
Mon Jan 30 16:54:49 2012 [6079]: authorization query for 'stupid_user' unknown from 192.168.0.1 accepted
Mon Jan 30 16:54:49 2012 [6079]: 192.168.0.1: disconnect

E-Mail to and from me, in connection with the transaction
of public business, is subject to the Wyoming Public Records
Act, and may be disclosed to third parties.
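
An added example, not part of the original post and not tac_plus or do_auth code: a short Python script that reads tac_plus debug lines like those above and, for a reply with status AUTHOR/PASS_REPL (where the pairs in the reply replace the pairs from the request instead of being added to them), lists the pairs handed to the after-authorization script that the reply no longer carries. The sample lines are constructed from the log above with the mail wrapping undone, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the log above, mail wrapping undone.
SAMPLE_LOG = """\
Mon Jan 30 16:54:49 2012 [6079]: input service=ciscowlc
Mon Jan 30 16:54:49 2012 [6079]: input protocol=common
Mon Jan 30 16:54:49 2012 [6079]: input role1=ALL
Mon Jan 30 16:54:49 2012 [6079]: output role1=MONITOR
Mon Jan 30 16:54:49 2012 [6079]: cmd /usr/bin/python /root/do_auth.pyo -i $address -fix_crs_bug -u $user -d $name -l /root/log.txt -f /root/do_auth.ini returns 2 (replace & continue)
Mon Jan 30 16:54:49 2012 [6079]: type=AUTHOR/REPLY status=2 (AUTHOR/PASS_REPL)
Mon Jan 30 16:54:49 2012 [6079]: msg_len=0, data_len=0 arg_cnt=1
"""

LINE = re.compile(r"\[(\d+)\]: (.*)$")            # "[pid]: message"
EXIT = re.compile(r"^cmd .* returns (\d+) \(")    # exit code of the after-authorization script
STATUS = re.compile(r"type=AUTHOR/REPLY status=\d+ \((AUTHOR/\w+)\)")


def summarize(log_text):
    """Group script input/output pairs, script exit code and reply status by pid."""
    sessions = defaultdict(
        lambda: {"input": [], "output": [], "exit": None, "status": None})
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # continuation of a wrapped line, or unrelated text
        pid, msg = m.groups()
        s = sessions[pid]
        if msg.startswith("input "):
            s["input"].append(msg[len("input "):])
        elif msg.startswith("output "):
            s["output"].append(msg[len("output "):])
        elif EXIT.search(msg):
            s["exit"] = int(EXIT.search(msg).group(1))
        elif STATUS.search(msg):
            s["status"] = STATUS.search(msg).group(1)
    return dict(sessions)


def dropped_pairs(session):
    """Pairs given to the script that a PASS_REPL reply does not carry."""
    if session["status"] != "AUTHOR/PASS_REPL":
        return []  # other statuses do not replace the request's pairs
    return [p for p in session["input"] if p not in session["output"]]


if __name__ == "__main__":
    for pid, s in summarize(SAMPLE_LOG).items():
        print(pid, s["status"], "exit", s["exit"],
              "reply:", s["output"], "dropped:", dropped_pairs(s))
```
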
