[tac_plus] Nexus
Alan McKinnon
alan.mckinnon at gmail.com
Thu May 24 00:01:15 UTC 2012
On Wed, 16 Nov 2011 10:28:28 -0700
Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:
> Ok, I got it working, I also have it set so it can find/replace pairs
> based on groups. Slight change to do_auth - you DO have to strip the
> first 2 pairs just like ios, but they are not identical. (cmd* vs
> cmd=) Will post that change soon. This would solve all Alan's
> problem, if Alan could be convinced to try do_auth. ;-)
Your wish has been granted and I am convinced to try do_auth.py :-)
I know this one goes back a while but it deserves a reply - my tacacs
setup has gotten so big, unwieldy and cumbersome that I just can't take
it any more.
I have the usual mixture so typical of a real-world ISP: at least one
of everything Cisco have ever made, a bunch of Nexus, couple of XR
switches, some Juniper and even a few weird firewalls that someone once
bought because they were cheap. And every skill level amongst users
from knows nothing to brilliant and it all needs to be contained. Sound
familiar?
Let's see how it goes. I do have one question though:
Has anyone ever stress tested do_auth.py with lots of requests? On a
busy day we can achieve 1,000,000 requests (12 a second). tac_plus can
deal with that without breaking a sweat but I'd like to know if the .py
script has been tested to that level. Gut feel tells me it should be
fine.
>
> The only thing I don't understand is why none of the default roles
> seem to be restricted. I could conf t & change an int desc with
> role-0 and network-operator. Are all the default roles useless or am
> I missing something? The only place I could see a role being "not
> cumbersome and useless" was if you defined one for a VDC giving a
> user rights only to a specific VDC. THAT is the only thing I can't
> do easier with do_auth and authorization.
>
> [root at cwacs ~]# tail -n 11 log2.txt
> service=shell
> cmd=
> shell:roles="network-operator"
> idletime=3
> timeout=15
> Nexus pairs found
> not len(the_command) > 0
> Returning:shell:roles="priv-0"
> Returning:idletime=3
> Returning:timeout=15
> 2011-11-16 09:35:31: User 'tester' granted access to <yada yada>
>
> 5k# show user- tester
> user:tester
> roles:priv-0
> account created through REMOTE authentication
> Credentials such as ssh server key will be cached temporarily only
> for this user account
> Local login not possible
>
> 5k# show role name priv-0
>
> Role: priv-0
> Description: This is a system defined privilege role.
> vsan policy: permit (default)
> Vlan policy: permit (default)
> Interface policy: permit (default)
> Vrf policy: permit (default)
> -------------------------------------------------------------------
> Rule Perm Type Scope Entity
> -------------------------------------------------------------------
> 10 permit command traceroute6 *
> 9 permit command traceroute *
> 8 permit command telnet6 *
> 7 permit command telnet *
> 6 permit command ping6 *
> 5 permit command ping *
> 4 permit command ssh6 *
> 3 permit command ssh *
> 2 permit command enable *
> 1 permit read
>
> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net
> [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Alan McKinnon
> Sent: Wednesday, November 02, 2011 3:46 PM
> To: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] Nexus
>
> On Wed, 2 Nov 2011 12:55:21 -0600
> Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:
>
> > I have updated the do_auth.py authentication script to handle nexus,
> > thus it can provide the same multiple group authentication it
> > provides on other Cisco devices. (or at least provide an example)
> > I have not been able to pass a role tac_pair successfully – please
> > post if you have any progress with this.
>
> tac_plus requires it in this form:
>
> shell:roles="\"level1\""
>
> Yes, you see it right. Two levels of double quotes, inner pair escaped
>
> Many brain cells died in agony to discover that one :-)
>
> >
> > I had success with the nexus with the following config: (Note that
> > many of the commands you traditionally look for are available)
> >
> > !Command: show running-config aaa
> > !Time: Wed Oct 26 18:28:46 2011
> >
> > version 5.0(3)N1(1c)
> > aaa authentication login default group private
> > aaa authorization config-commands default group private
> > aaa authorization commands default group private
> > aaa accounting default group private
> >
> > As was discussed previously, the nexus seems to authenticate pap.
> > No clue why Cisco did this; putting pap user names in the
> > tac_plus.conf fixes login issues. Also, the resulting accounting
> > file is different so if you have written cgi scripts to parse your
> > accounting log, be prepared to rewrite them.
>
>
> --
> Alan McKinnnon
> alan.mckinnon at gmail.com
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
> E-Mail to and from me, in connection with the transaction
> of public business,is subject to the Wyoming Public Records
> Act, and may be disclosed to third parties.
--
Alan McKinnnon
alan.mckinnon at gmail.com
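The thread above makes three practical points about NX-OS authorization through tac_plus: the Nexus sends `cmd=` where IOS sends `cmd*`, the first two pairs (service and cmd) have to be stripped before the remaining pairs are rewritten, and a role handed back statically from tac_plus.conf has to be written with an escaped inner pair of quotes (`shell:roles="\"level1\""`). The script below is an added example written for this page; it is not do_auth.py and not part of tac_plus. It assumes the tac_plus convention for an `after authorization` script (AV pairs one per line on stdin; exit status 0 leaves the pairs unchanged, 1 denies, 2 replaces the pairs with whatever the script printed). The group-to-role table and the pair lists are constructed for illustration; the Nexus pairs mirror the ones in the quoted log.

```python
"""Post-authorization pair rewriting for Cisco Nexus (NX-OS).

Added example for this thread, not do_auth.py and not tac_plus code.
Assumed tac_plus 'after authorization' convention: pairs arrive one per
line on stdin; exit 0 = pairs unchanged, 1 = deny, 2 = replace pairs with
those printed on stdout.  The role table and sample pairs are constructed.
"""
import sys

# Constructed mapping: which NX-OS role a tac_plus group is given.
GROUP_ROLES = {
    "noc": "network-operator",
    "netadmin": "network-admin",
}

# Pairs as the quoted log in this thread shows them for an NX-OS shell start.
SAMPLE_NEXUS_PAIRS = [
    "service=shell",
    "cmd=",
    'shell:roles="network-operator"',
    "idletime=3",
    "timeout=15",
]


def is_nexus(pairs):
    """NX-OS sends 'cmd=' for the shell start where IOS sends 'cmd*'
    (as reported in the thread).  Both the service pair and the cmd pair
    carry no role data, so they are the two pairs stripped below."""
    return len(pairs) >= 2 and pairs[0] == "service=shell" and pairs[1] == "cmd="


def strip_leading_pairs(pairs):
    """Drop service=shell and cmd= before rewriting the rest."""
    return pairs[2:]


def nexus_role_value(role):
    """Value to hand the device: the role name itself in double quotes."""
    return 'shell:roles="%s"' % role


def tac_plus_conf_line(role):
    """Static form for tac_plus.conf as Alan reports it working:
    the inner quotes are escaped so they survive to the device."""
    return 'shell:roles="\\"%s\\""' % role


def rewrite_pairs(pairs, group):
    """Return (exit_status, pairs_to_print) for one authorization request."""
    if not is_nexus(pairs):
        return 0, pairs                  # not a Nexus shell start: leave untouched
    role = GROUP_ROLES.get(group)
    if role is None:
        return 1, []                     # group has no Nexus role: deny
    out = []
    for pair in strip_leading_pairs(pairs):
        if pair.startswith("shell:roles="):
            out.append(nexus_role_value(role))   # replace the device's default role
        else:
            out.append(pair)             # idletime, timeout etc. pass through
    if not any(p.startswith("shell:roles=") for p in out):
        out.append(nexus_role_value(role))       # device sent no role pair: add one
    return 2, out


def main(argv):
    # Hypothetical invocation: the group name is passed as the first argument.
    group = argv[1] if len(argv) > 1 else ""
    pairs = [line.strip() for line in sys.stdin if line.strip()]
    status, out = rewrite_pairs(pairs, group)
    for pair in out:
        print(pair)
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Fed the five pairs from the quoted log for a user in the constructed `netadmin` group, the script prints `shell:roles="network-admin"`, `idletime=3` and `timeout=15` and exits 2; an IOS request (`cmd*`) is returned unchanged with exit 0, and a group with no role entry is denied with exit 1.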