[tac_plus] Nexus
Daniel Schmidt
daniel.schmidt at wyo.gov
Thu May 24 22:44:30 UTC 2012
As I recall, you ran a separate instance for your nexus. Use do_auth &
you can use the same instance. It's python; the code's pretty trivial. I
look forward to seeing your patches.
-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Alan McKinnon
Sent: Thursday, May 24, 2012 2:43 PM
To: tac_plus at shrubbery.net
Subject: Re: [tac_plus] Nexus
On Thu, 24 May 2012 08:54:12 -0600
Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:
> Yeah... that is a bit of a surprise. ;-)
>
> If you are worried, strip the long doc string & use do_auth.pyo.
> Should load slightly faster, when I did it, it was 23k before and 7.7k
> after.
Nice tip :-) thanks
> $ python -OO
> Python 2.4.3 (#1, Feb 22 2012, 16:05:45) [GCC 4.1.2 20080704 (Red Hat
> 4.1.2-52)] on linux2 Type "help", "copyright", "credits" or "license"
> for more information.
> >>> import py_compile
> >>> py_compile.compile("do_auth.py")
> >>>
> <hit ctrl-d>
>
> As for Juniper, I had Jathan test it and I believe he said it worked.
> However, there was some Juniper specific stuff I wanted to add. I'll
> get around to someday soon. Jathan also had some great ideas for
> cleaning up my lazy variable names & logging that I wanted him to add
> if he can get around to it someday. Also, I changed my mind on Nexus
> roles - see tacacs.org for more on roles.
I expect I'll end up doing a fair amount of patching to do-auth (that
being the nature of the work we all do) so I'll be happy to share the
results.
Nexus roles - that's the easy part for me. We use RBAC for that and just
send back the role as an av-pair. The NetOps guys reckon this works best
for how we do our Nexus stuff.
My main driver for testing do_auth is to get the notion of multiple
groups, everything else is bonus.
>
> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net
> [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Alan McKinnon
> Sent: Wednesday, May 23, 2012 6:01 PM
> To: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] Nexus
>
> On Wed, 16 Nov 2011 10:28:28 -0700
> Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:
>
> > Ok, I got it working, I also have it set so it can find/replace
> > pairs based on groups. Slight change to do_auth - you DO have to
> > strip the first 2 pairs just like ios, but they are not identical.
> > (cmd* vs cmd=) Will post that change soon. This would solve all
> > Alan's problem, if Alan could be convinced to try do_auth. ;-)
>
> Your wish has been granted and I am convinced to try do_auth.py :-)
>
> It know this one goes back a while but it deserves a reply - my tacacs
> setup has gotten so big, unwieldy and cumbersome that I just can't
> take it any more.
>
> I have the usual mixture so typical of a real-world ISP: at least one
> of everything Cisco have ever made, a bunch of Nexus, couple of XR
> switches, some Juniper and even a few weird firewalls that someone
> once bought because they were cheap. And every skill level amongst
> users from knows nothing to brilliant and it all needs to be
> contained. Sound familiar?
>
> Let's see how it goes. I do have one question though:
>
> Has anyone ever stress tested do_auth.py with lots of requests? On a
> busy day we can achieve 1,000,000 requests (12 a second). tac_plus can
> deal with that without breaking a sweat but I'd like to know if the
> .py script has been tested to that level. Gut feel tells me it should
> be fine.
>
> >
> > The only thing I don't understand is why none of the default roles
> > seem to be restricted. I could conf t & change an int desc with
> > role-0 and network-operator. Are all the default roles useless or
> > am I missing something? The only place I could see a role being
> > "not cumbersome and useless" was if you defined one for a VDC giving
> > a user rights only to a specific VDC. THAT is the only thing I
> > can't do easier with do_auth and authorization.
> >
> > [root at cwacs ~]# tail -n 11 log2.txt
> > service=shell
> > cmd=
> > shell:roles="network-operator"
> > idletime=3
> > timeout=15
> > Nexus pairs found
> > not len(the_command) > 0
> > Returning:shell:roles="priv-0"
> > Returning:idletime=3
> > Returning:timeout=15
> > 2011-11-16 09:35:31: User 'tester' granted access to <yada yada>
> >
> > 5k# show user- tester
> > user:tester
> > roles:priv-0
> > account created through REMOTE authentication Credentials such as
> > ssh server key will be cached temporarily only for this user account
> > Local login not possible
> >
> > 5k# show role name priv-0
> >
> > Role: priv-0
> > Description: This is a system defined privilege role.
> > vsan policy: permit (default)
> > Vlan policy: permit (default)
> > Interface policy: permit (default)
> > Vrf policy: permit (default)
> > -------------------------------------------------------------------
> > Rule Perm Type Scope Entity
> > -------------------------------------------------------------------
> > 10 permit command traceroute6 *
> > 9 permit command traceroute *
> > 8 permit command telnet6 *
> > 7 permit command telnet *
> > 6 permit command ping6 *
> > 5 permit command ping *
> > 4 permit command ssh6 *
> > 3 permit command ssh *
> > 2 permit command enable *
> > 1 permit read
> >
> > -----Original Message-----
> > From: tac_plus-bounces at shrubbery.net
> > [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Alan McKinnon
> > Sent: Wednesday, November 02, 2011 3:46 PM
> > To: tac_plus at shrubbery.net
> > Subject: Re: [tac_plus] Nexus
> >
> > On Wed, 2 Nov 2011 12:55:21 -0600
> > Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:
> >
> > > I have updated the do_auth.py authentication script to handle
> > > nexus, thus it can provide the same multiple group authentication
> > > it provides on other Cisco devices. (or at least provide an
> > > example) I have not been able to pass a role tac_pair successfully
> > > - please post if you have any progress with this.
> >
> > tac_plus requires it in this form:
> >
> > shell:roles="\"level1\""
> >
> > Yes, you see it right. Two levels of double quotes, inner pair
> > escaped
> >
> > Many brain cells died in agony to discover that one :-)
> >
> > >
> > >
> > >
> > > I had success with the nexus with the following config: (Note that
> > > many of the commands you traditionally look for are available)
> > >
> > >
> > >
> > > !Command: show running-config aaa
> > >
> > > !Time: Wed Oct 26 18:28:46 2011
> > >
> > >
> > >
> > > version 5.0(3)N1(1c)
> > >
> > > aaa authentication login default group private
> > >
> > > aaa authorization config-commands default group private
> > >
> > > aaa authorization commands default group private
> > >
> > > aaa accounting default group private
> > >
> > >
> > >
> > > As was discussed previously, the nexus seems to authenticate pap.
> > > No clue why Cisco did this; putting pap user names in the
> > > tac_plus.conf fixes login issues. Also, the resulting accounting
> > > file is different so if you have written cgi scripts to parse your
> > > accounting log, be prepared to rewrite them.
> >
> >
> > --
> > Alan McKinnnon
> > alan.mckinnon at gmail.com
> > _______________________________________________
> > tac_plus mailing list
> > tac_plus at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
> > E-Mail to and from me, in connection with the transaction of public
> > business,is subject to the Wyoming Public Records Act, and may be
> > disclosed to third parties.
> >
> > _______________________________________________
> > tac_plus mailing list
> > tac_plus at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>
>
>
> --
> Alan McKinnnon
> alan.mckinnon at gmail.com
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
> E-Mail to and from me, in connection with the transaction of public
> business, is subject to the Wyoming Public Records Act and may be
> disclosed to third parties.
>
--
Alan McKinnnon
alan.mckinnon at gmail.com
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
E-Mail to and from me, in connection with the transaction
of public business, is subject to the Wyoming Public Records
Act and may be disclosed to third parties.
More information about the tac_plus
mailing list