From CMullett at express-news.net Fri Jul 6 20:38:36 2012
From: CMullett at express-news.net (Mullett, Cynthia)
Date: Fri, 6 Jul 2012 15:38:36 -0500
Subject: [tac_plus] help
Message-ID: <2E1610A2C3656A40ADF73E1C2D6EF4B707A61D32@RHOUEVS03.resource.hearstcorp.com>

Right now we use tac_plus with our existing Unix acct/passwd, then log in with the enable acct and pw to get into that mode. Is there a way to give enable mode privs to the Unix accts without having to use an enable account in tac_plus? I'd like to skip this step if possible.

Currently running tac_plus F4.04.25 on Linux Red Hat Enterprise Server release 6.2.

--------------------------------------
Cynthia E. Mullett
Publishing Systems Applications Specialist II
San Antonio Express-News


From joe.moore at holidaycompanies.com Fri Jul 6 20:42:53 2012
From: joe.moore at holidaycompanies.com (Joe Moore)
Date: Fri, 6 Jul 2012 20:42:53 +0000
Subject: [tac_plus] help
In-Reply-To: <2E1610A2C3656A40ADF73E1C2D6EF4B707A61D32@RHOUEVS03.resource.hearstcorp.com>
Message-ID: <7DC5CF25DDD70D4A845DDC2F96E116B204D0AC79@HCEXCH02.holidaycompanies.com>

I create a group with level 15 privs and make the users members of the group:

    group = netadmin {
        default service = permit
        service = exec {
            priv-lvl = 15
        }
    }

...jgm

_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus


From C.Lenting at triple-it.nl Thu Jul 12 15:09:24 2012
From: C.Lenting at triple-it.nl (Carlo Lenting)
Date: Thu, 12 Jul 2012 15:09:24 +0000
Subject: [tac_plus] timezone tac_plus version F4.0.4.26

Hi there,

I don't know if I am right at this e-mail address; if not, please let me know.

I am trying to get the date correct in the tacas_acc log file. I read on http://www.shrubbery.net/tac_plus/CHANGES that the localtime zone can be used. But how do I configure it? I tried to add localtime to the tac_plus.conf, but then the error:

    Starting TACACS+ :Error: Unrecognised token localtime on line 3

shows up. Can you help me, or put me in the right direction?

Kind regards,

Carlo Lenting
System-/Network Engineer Hosting Services
Triple IT
Keesomstraat 10e
1821 BS Alkmaar, The Netherlands
T: +31 72 5129 516
F: +31 72 5129 520
E-mail: c.lenting at triple-it.nl


From C.Lenting at triple-it.nl Thu Jul 12 15:16:12 2012
From: C.Lenting at triple-it.nl (Carlo Lenting)
Date: Thu, 12 Jul 2012 15:16:12 +0000
Subject: [tac_plus] timezone tac_plus version F4.0.4.26

Hi there (again) :)

Ignore my e-mail: it is showing the correct local time now.

Regards,

Carlo Lenting
System-/Network Engineer Hosting Services, Triple IT


From joe.moore at holidaycompanies.com Wed Jul 25 14:25:33 2012
From: joe.moore at holidaycompanies.com (Joe Moore)
Date: Wed, 25 Jul 2012 14:25:33 +0000
Subject: [tac_plus] multiple patches?
Message-ID: <7DC5CF25DDD70D4A845DDC2F96E116B204D17441@hcexch01.holidaycompanies.com>

I have been running tac_plus 4.0.4.19 with the auth-fail-lock patch as required by our security assessor.

I recently added some Nexus 5500 series switches to the network, so now I have to deal with PAP authentication requests. Keeping plain text passwords in the tac_plus.conf file is not an option. I'm thinking about using the PAP/PAM patch for that.

Can I apply both patches to the source code or do I have to choose one or the other?

Thanks in advance!


From alan.mckinnon at gmail.com Thu Jul 26 05:32:21 2012
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Thu, 26 Jul 2012 07:32:21 +0200
Subject: [tac_plus] multiple patches?
In-Reply-To: <7DC5CF25DDD70D4A845DDC2F96E116B204D17441@hcexch01.holidaycompanies.com>
Message-ID: <20120726073221.2b279010@khamul.example.com>

On Wed, 25 Jul 2012 14:25:33 +0000 Joe Moore wrote:
> [...]
> Can I apply both patches to the source code or do I have to choose
> one or the other?

The PAP passwords do not have to be plain-text; you can put the hashes in tac_plus.conf just like for regular login and enable. Simply copy the "login" line and do an s/login/pap/

We have a substantial Nexus infrastructure here and that works just fine for us. No other authn changes were required. [As for authz - now that's a whole different story, that one took some work]

-- 
Alan McKinnon
alan.mckinnon at gmail.com


From daniel.schmidt at wyo.gov Fri Jul 27 04:23:48 2012
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Thu, 26 Jul 2012 22:23:48 -0600
Subject: [tac_plus] multiple patches?
In-Reply-To: <20120726073221.2b279010@khamul.example.com>

Nexus does things a bit different. I wrote some on tacacs.org. You can use authorization OR the new roles - your choice.

On Wed, Jul 25, 2012 at 11:32 PM, Alan McKinnon wrote:
> [...]

E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.


From brconflict at gmail.com Fri Jul 27 15:31:56 2012
From: brconflict at gmail.com (brain conflict)
Date: Fri, 27 Jul 2012 10:31:56 -0500
Subject: [tac_plus] make install error

Sorry for leaving this out. This error is only in the new 5.x version. 4.0.26 is fine. Thanks!!

Brian

On Fri, Jul 27, 2012 at 10:29 AM, brain conflict wrote:
> [...]


From brconflict at gmail.com Fri Jul 27 15:29:13 2012
From: brconflict at gmail.com (brain conflict)
Date: Fri, 27 Jul 2012 10:29:13 -0500
Subject: [tac_plus] make install error

Hello,

On Ubuntu 8.04, I'm getting the following when doing a "make install" for tac_plus. Just checking to see if you know what this is off the top of your head. Trying an older version now.... Thanks!

=========================

    /bin/bash ./libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I/usr/local/include -g -O2 -pthread -g -O2 -pthread -MT libtacacs_la-fdes.lo -MD -MP -MF .deps/libtacacs_la-fdes.Tpo -c -o libtacacs_la-fdes.lo `test -f 'fdes.c' || echo './'`fdes.c
    libtool: compile: gcc -DHAVE_CONFIG_H -I. -I/usr/local/include -g -O2 -pthread -g -O2 -pthread -MT libtacacs_la-fdes.lo -MD -MP -MF .deps/libtacacs_la-fdes.Tpo -c fdes.c -fPIC -DPIC -o .libs/libtacacs_la-fdes.o
    In file included from config.h:330,
                     from fdes.c:25:
    /usr/include/unistd.h:275: error: two or more data types in declaration specifiers
    make: *** [libtacacs_la-fdes.lo] Error 1

=========================

Brian


From heas at shrubbery.net Fri Jul 27 15:42:14 2012
From: heas at shrubbery.net (heasley)
Date: Fri, 27 Jul 2012 08:42:14 -0700
Subject: [tac_plus] make install error
Message-ID: <20120727154214.GB55270@shrubbery.net>

Fri, Jul 27, 2012 at 10:31:56AM -0500, brain conflict:
> Sorry for leaving this out. This error is only in the new 5.x version.
> 4.0.26 is fine. Thanks!!

Please stick with 4; the 5 version is an alpha version on which I am working to improve the parser, and it's not up-to-date with patches that have been applied to 4.


From joe.moore at holidaycompanies.com Fri Jul 27 15:51:11 2012
From: joe.moore at holidaycompanies.com (Joe Moore)
Date: Fri, 27 Jul 2012 15:51:11 +0000
Subject: [tac_plus] multiple patches?
In-Reply-To: <20120726171545.50f0bca4@khamul.example.com>
Message-ID: <7DC5CF25DDD70D4A845DDC2F96E116B204D1E17F@hcexch01.holidaycompanies.com>

-----Original Message-----
From: Alan McKinnon [mailto:alan.mckinnon at gmail.com]
Sent: Thursday, July 26, 2012 10:16 AM
To: Joe Moore
Subject: Re: [tac_plus] multiple patches?

On Thu, 26 Jul 2012 14:42:34 +0000 Joe Moore wrote:
> [... Alan's earlier reply quoted ...]
>
> Alan,
>
> Thanks for the reply.
>
> I failed to mention that another goal is to use the *nix system
> passwords. That's what gets used when I log in to any of the 1000+
> non-Nexus devices I have that aren't using PAP. I can do that with
> either '/etc/passwd' or pam.
>
> I have an automated process in place that synchronizes the *nix system
> passwords whenever a user changes their Active Directory password. I'd
> like to avoid having to manually generate DES crypts just for the
> Nexus stuff, and our security assessor (for other
> reasons) won't like that either.
>
> Based on the 'tac_plus -P' results I get with test config files, it
> looks like my current build will only allow the 'cleartext' or
> 'des' keywords after 'pap='.

Joe,

I see what you mean. My infrastructure works differently - we generate the tacacs passwords and store only the hashes, so it's trivial for me to write them out to tac_plus.conf. Your needs are different though.

I don't have experience with either of the patches you mention, so I can't be of much further help other than to ask "Do both patches apply cleanly?"

-- 
Alan McKinnon
alan.mckinnon at gmail.com

Alan,

I'll try applying both patches early next week and see what happens...

...jgm


From joe.moore at holidaycompanies.com Fri Jul 27 15:59:48 2012
From: joe.moore at holidaycompanies.com (Joe Moore)
Date: Fri, 27 Jul 2012 15:59:48 +0000
Subject: [tac_plus] multiple patches?
Message-ID: <7DC5CF25DDD70D4A845DDC2F96E116B204D1E19D@hcexch01.holidaycompanies.com>

Thanks for the reply Daniel!

I'm hoping to avoid dealing with authorization on the Nexus stuff. Only two people have access to core switches and routers (which includes the Nexus stuff), and they need full privileges. I am also hoping to avoid making any tac_plus changes that will affect the way the aaa works with my IOS devices.

...jgm

-----Original Message-----
From: Daniel Schmidt [mailto:daniel.schmidt at wyo.gov]
Sent: Thursday, July 26, 2012 11:24 PM
To: tac_plus at shrubbery.net
Subject: Re: [tac_plus] multiple patches?

> [...]


From alan.mckinnon at gmail.com Fri Jul 27 20:17:26 2012
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Fri, 27 Jul 2012 22:17:26 +0200
Subject: [tac_plus] multiple patches?
Message-ID: <20120727221726.38856f8c@khamul.example.com>

On Thu, 26 Jul 2012 22:23:48 -0600 Daniel Schmidt wrote:
> Nexus does things a bit different. I wrote some on tacacs.org. You
> can use authorization OR the new roles - your choice.

Based only on my own experience, I recommend one go with roles defined on the Nexus and give the logged-in user that role by sending back AV pairs.

We tried hard to define permit/deny commands for our Nexus kit, but eventually NetOps gave up and did it locally. Maybe things have changed since we did this 18 months ago, but we simply couldn't get it to work nicely in a mixed Cisco/Nexus environment.

-- 
Alan McKinnon
alan.mckinnon at gmail.com


From daniel.schmidt at wyo.gov Fri Jul 27 20:24:44 2012
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Fri, 27 Jul 2012 14:24:44 -0600
Subject: [tac_plus] multiple patches?
In-Reply-To: <20120727221726.38856f8c@khamul.example.com>

Authorization works - I've done it in do_auth. But, the roles work so well it's not worth the bother.

-----Original Message-----
From: Alan McKinnon [mailto:alan.mckinnon at gmail.com]
Sent: Friday, July 27, 2012 2:17 PM
To: Daniel Schmidt
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] multiple patches?

> [...]
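Putting the three recommendations in this thread side by side (Joe's level 15 group, Alan's hashed pap line copied from the login line, and the Nexus roles returned as AV pairs that Alan and Daniel prefer), here is an added tac_plus.conf sketch; it is not from any message above, and the user name, the PLACEHOLDER values, and the shell:roles attribute carrying NX-OS's network-admin role are my assumptions rather than something the thread states.

```text
# Added example, not from the thread. PLACEHOLDER values are constructed.
key = PLACEHOLDER_SHARED_SECRET

# Joe's approach: one group that grants exec privilege level 15, so the
# Unix-authenticated user lands in enable mode without a separate enable
# account (IOS honours priv-lvl; NX-OS uses roles instead).
group = netadmin {
    default service = permit
    service = exec {
        priv-lvl = 15
        # Assumed NX-OS role sent back as an AV pair (the roles approach).
        # "optional" marks the attribute optional in the TACACS+ reply, so a
        # device that does not understand it can ignore it; tac_plus needs
        # the escaped inner quotes around the role name.
        optional shell:roles = "\"network-admin\""
    }
}

# Alan's approach: the same crypt(3) hash on a login line and a pap line,
# so the Nexus PAP request and an ASCII login are checked against one
# hashed credential and no cleartext password sits in the file.
user = cynthia {
    member = netadmin
    login = des PLACEHOLDER_CRYPT_HASH
    pap = des PLACEHOLDER_CRYPT_HASH
}
```

Run the parse-only check Joe mentions (tac_plus -P with -C pointing at the file) before restarting the daemon, since an unrecognised token such as Carlo's stray localtime is reported there rather than at the first login.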