[tac_plus] Nexus

Daniel Schmidt daniel.schmidt at wyo.gov
Thu May 24 14:54:12 UTC 2012


Yeah... that is a bit of a surprise.  ;-)

If you are worried, strip the long doc string & use do_auth.pyo.  It should
load slightly faster; when I did it, it was 23k before and 7.7k after.

$ python -OO
Python 2.4.3 (#1, Feb 22 2012, 16:05:45)
[GCC 4.1.2 20080704 (Red Hat 4.1.2-52)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import py_compile
>>> py_compile.compile("do_auth.py")
>>>
<hit ctrl-d>

As for Juniper, I had Jathan test it and I believe he said it worked.
However, there was some Juniper specific stuff I wanted to add.  I'll get
around to it someday soon. Jathan also had some great ideas for cleaning up
my lazy variable names & logging that I wanted him to add if he can get
around to it someday. Also, I changed my mind on Nexus roles - see
tacacs.org for more on roles.

-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Alan McKinnon
Sent: Wednesday, May 23, 2012 6:01 PM
To: tac_plus at shrubbery.net
Subject: Re: [tac_plus] Nexus

On Wed, 16 Nov 2011 10:28:28 -0700
Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:

> Ok, I got it working, I also have it set so it can find/replace pairs
> based on groups.  Slight change to do_auth - you DO have to strip the
> first 2 pairs just like ios, but they are not identical.  (cmd* vs
> cmd=)  Will post that change soon.  This would solve all Alan's
> problem, if Alan could be convinced to try do_auth.  ;-)

Your wish has been granted and I am convinced to try do_auth.py :-)

I know this one goes back a while but it deserves a reply - my tacacs
setup has gotten so big, unwieldy and cumbersome that I just can't take it
any more.

I have the usual mixture so typical of a real-world ISP: at least one of
everything Cisco have ever made, a bunch of Nexus, couple of XR switches,
some Juniper and even a few weird firewalls that someone once bought
because they were cheap. And every skill level amongst users from knows
nothing to brilliant and it all needs to be contained. Sound familiar?

Let's see how it goes. I do have one question though:

Has anyone ever stress tested do_auth.py with lots of requests? On a busy
day we can achieve 1,000,000 requests (12 a second). tac_plus can deal
with that without breaking a sweat but I'd like to know if the .py script
has been tested to that level. Gut feel tells me it should be fine.

>
> The only thing I don't understand is why none of the default roles
> seem to be restricted.  I could conf t & change an int desc with
> role-0 and network-operator.  Are all the default roles useless or am
> I missing something?  The only place I could see a role being "not
> cumbersome and useless" was if you defined one for a VDC giving a user
> rights only to a specific VDC.  THAT is the only thing I can't do
> easier with do_auth and authorization.
>
> [root at cwacs ~]# tail -n 11 log2.txt
> service=shell
> cmd=
> shell:roles="network-operator"
> idletime=3
> timeout=15
> Nexus pairs found
> not len(the_command) > 0
> Returning:shell:roles="priv-0"
> Returning:idletime=3
> Returning:timeout=15
> 2011-11-16 09:35:31: User 'tester' granted access to <yada yada>
>
> 5k# show user- tester
> user:tester
>         roles:priv-0
> account created through REMOTE authentication Credentials such as ssh
> server key will be cached temporarily only for this user account Local
> login not possible
>
> 5k# show role name priv-0
>
> Role: priv-0
>   Description: This is a system defined privilege role.
>   vsan policy: permit (default)
>   Vlan policy: permit (default)
>   Interface policy: permit (default)
>   Vrf policy: permit (default)
>   -------------------------------------------------------------------
>   Rule    Perm    Type        Scope               Entity
>   -------------------------------------------------------------------
>   10      permit  command                         traceroute6 *
>   9       permit  command                         traceroute *
>   8       permit  command                         telnet6 *
>   7       permit  command                         telnet *
>   6       permit  command                         ping6 *
>   5       permit  command                         ping *
>   4       permit  command                         ssh6 *
>   3       permit  command                         ssh *
>   2       permit  command                         enable *
>   1       permit  read
>
> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net
> [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Alan McKinnon
> Sent: Wednesday, November 02, 2011 3:46 PM
> To: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] Nexus
>
> On Wed, 2 Nov 2011 12:55:21 -0600
> Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:
>
> > I have updated the do_auth.py authentication script to handle nexus,
> > thus it can provide the same multiple group authentication it
> > provides on other Cisco devices.   (or at least provide an example)
> > I have not been able to pass a role tac_pair successfully - please
> > post if you have any progress with this.
>
> tac_plus requires it in this form:
>
>                 shell:roles="\"level1\""
>
> Yes, you see it right. Two levels of double quotes, inner pair escaped
>
> Many brain cells died in agony to discover that one :-)
>
> >
> > I had success with the nexus with the following config: (Note that
> > many of the commands you traditionally look for are available)
> >
> > !Command: show running-config aaa
> > !Time: Wed Oct 26 18:28:46 2011
> >
> > version 5.0(3)N1(1c)
> > aaa authentication login default group private
> > aaa authorization config-commands default group private
> > aaa authorization commands default group private
> > aaa accounting default group private
> >
> > As was discussed previously, the nexus seems to authenticate pap.
> > No clue why Cisco did this; putting pap user names in the
> > tac_plus.conf fixes login issues.   Also, the resulting accounting
> > file is different so if you have written cgi scripts to parse your
> > accounting log, be prepared to rewrite them.
>
>
> --
> Alan McKinnon
> alan.mckinnon at gmail.com
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
> E-Mail to and from me, in connection with the transaction of public
> business, is subject to the Wyoming Public Records Act, and may be
> disclosed to third parties.
>



--
Alan McKinnon
alan.mckinnon at gmail.com
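
An added illustration of the pair handling described in the quoted November 2011 message (strip the first two pairs, then find/replace pairs per group); it is not part of the thread and not do_auth.py's own code. The function names, the `GROUP_ROLE_MAP` table and the "operators" group are hypothetical, and treating the role value as a quoted, space-separated list is an assumption:

```python
# Added illustration only: not do_auth.py's code. All names are hypothetical.

# Constructed policy: per-group find/replace on Nexus role names.
GROUP_ROLE_MAP = {"operators": {"network-operator": "priv-0"}}

# Constructed input, copied from the AV pairs shown in the quoted log.
SAMPLE_PAIRS = [
    "service=shell",
    "cmd=",
    'shell:roles="network-operator"',
    "idletime=3",
    "timeout=15",
]


def split_pair(pair):
    """Split an AV pair at its first '=' or '*' into (attr, sep, value)."""
    for i, ch in enumerate(pair):
        if ch in "=*":
            return pair[:i], ch, pair[i + 1:]
    raise ValueError("not an AV pair: %r" % pair)


def rewrite_pairs(pairs, group):
    """Strip the two leading pairs, then apply the group's role replacements."""
    if len(pairs) < 2:
        raise ValueError("expected at least service and cmd pairs")
    first, second = split_pair(pairs[0]), split_pair(pairs[1])
    # The log shows 'cmd=' from the Nexus; the thread also mentions 'cmd*'.
    if first[0] != "service" or second[0] != "cmd":
        raise ValueError("unexpected leading pairs: %r" % pairs[:2])
    role_map = GROUP_ROLE_MAP.get(group, {})
    out = []
    for pair in pairs[2:]:
        attr, sep, value = split_pair(pair)
        if attr == "shell:roles":
            # Assumed: a quoted, space-separated role list; swap mapped names.
            roles = value.strip('"').split()
            value = '"%s"' % " ".join(role_map.get(r, r) for r in roles)
        out.append(attr + sep + value)
    return out


if __name__ == "__main__":
    for pair in rewrite_pairs(SAMPLE_PAIRS, "operators"):
        print("Returning:" + pair)
```

Roles with no entry for the user's group pass through unchanged, matching a find/replace rather than an allow-list.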



