[tac_plus] HWTACACS with H3C and 3Com
Ojea García, Antonio
antonio.ojea.garcia at retegal.es
Wed Nov 7 07:47:34 UTC 2012
H3C equipment has only these levels: 0:Visit, 1:Monitor, 2:System and 3:Manage.
I think I remember that if you select priv-lvl 0, 1, 2 and 3 in tac_plus.conf it assigns the levels to the users correctly, but these levels are not compatible with other vendors, so I will have to use the do_auth.py script to assign permissions.
-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Daniel Schmidt
Sent: Tuesday, 06 November 2012 23:42
To: Vetoll; tac_plus at shrubbery.net
Subject: Re: [tac_plus] HWTACACS with H3C and 3Com
priv_lvl:VISIT? Strange tac_pairs. What tac_pairs do you receive on tac_plus?
-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Vetoll
Sent: Sunday, November 04, 2012 7:32 AM
To: tac_plus at shrubbery.net
Subject: [tac_plus] HWTACACS with H3C and 3Com
Hi,
Here is my tac_plus config... How do I modify the privilege level on H3C?
user = vetoll {
    login = PAM
    member = lab
    maxsess = 10
}
#LAB Group
group = lab {
    default service = permit
    service = exec {
        priv-lvl=15
    }
}
This is my debug from the H3C switch... my user just fails to login.
*May 2 12:42:22:696 2000 H3C.Linux.Core TAC/7/Event: Create HWTACACS authentication request packet success
*May 2 12:42:22:698 2000 H3C.Linux.Core TAC/7/Event:
TAC_MESSAGE for AAA->TAC:
*May 2 12:42:22:699 2000 H3C.Linux.Core TAC/7/Event:
TAC_MESSAGE for AAA->TAC:
UserID=50 PacketType=3 AuthenType=1
AuthenService=1 PrivLevel=0 Version=c0 TemplateNum=0 UserName=vetoll at lab.test PortName=vty1 RemAddress=10.0.0.5 UserMsg= DataMsg=
*May 2 12:42:22:741 2000 H3C.Linux.Core TAC/7/Event:
TAC_MESSAGE for AAA->TAC:
*May 2 12:42:22:743 2000 H3C.Linux.Core TAC/7/Event:
TAC_MESSAGE for AAA->TAC:
UserID=50 PacketType=3 AuthenType=1
AuthenService=1 PrivLevel=0 Version=c0 TemplateNum=0 UserName=vetoll at lab.test PortName=vty1 RemAddress=10.0.0.5 UserMsg= DataMsg=
*May 2 12:42:22:744 2000 H3C.Linux.Core TAC/7/Event: Successfully found the FIB information for the server (Server IP: 10.200.159.251, VPN index: 0).
*May 2 12:42:22:745 2000 H3C.Linux.Core TAC/7/Event: Got nas-ip 10.0.0.3 and VPN 0 of server 10.200.159.251.
*May 2 12:42:22:746 2000 H3C.Linux.Core TAC/7/Event: Successfully set socket VPN attribute (VPN index: 0).
*May 2 12:42:22:748 2000 H3C.Linux.Core TAC/7/Event:
hwtacacs create new session :
session id: 24107, user id: 50, server ip: 10.200.159.251
*May 2 12:42:22:749 2000 H3C.Linux.Core TAC/7/Event:
version:c0 type:AUTHEN_REQUEST
seq_no:1 flag:ENCRYPTED_FLAG
session_id:5e2b length:42
action:AUTHEN_LOGIN priv_lvl:VISIT authen_type:AUTHEN_TYPE_ASCII service:AUTHEN_SVC_LOGIN
user len:22 port len:4 rem_addr len:8 data len:0
user name:vetoll at lab.test port:vty1 rem_addr:10.0.0.5 data:
*May 2 12:42:22:750 2000 H3C.Linux.Core TAC/7/Event: statistic: transmit flag:1, server flag: 0,packet flag:0xff
*May 2 12:42:22:843 2000 H3C.Linux.Core TAC/7/Event:
hwtacacs packet sending success!
version:c0 type:01 sequence:01 flag:00 session id:24107 length:42
*May 2 12:42:22:844 2000 H3C.Linux.Core TAC/7/Event: Authentication sending(Result = 0)
*May 2 12:42:23:145 2000 H3C.Linux.Core TAC/7/Event:
version:c0 type:AUTHEN_REPLY
seq_no:2 flag:ENCRYPTED_FLAG
session_id:5e2b length:16
status:AUTHEN_STATUS_GETPASS flag:REPLY_FLAG_NOECHO server_msg len:10 data len:0
server_msg:Password: data:
*May 2 12:42:23:146 2000 H3C.Linux.Core TAC/7/Event: statistic: transmit flag:2, server flag: 0,packet flag:0x5
*May 2 12:42:23:147 2000 H3C.Linux.Core TAC/7/Event:
version:c0 type:AUTHEN_CONTINUE
seq_no:3 flag:ENCRYPTED_FLAG
session_id:5e2b length:15
user_msg len:****** data len:0 flag:0
user_msg:******
data:
*May 2 12:42:23:148 2000 H3C.Linux.Core TAC/7/Event:
hwtacacs packet sending success!
version:c0 type:01 sequence:03 flag:00 session id:24107 length:15
*May 2 12:42:23:150 2000 H3C.Linux.Core TAC/7/Event: statistic: transmit flag:1, server flag: 0,packet flag:0xff
*May 2 12:42:23:151 2000 H3C.Linux.Core TAC/7/Event: Authentication sending(Result = 0)
*May 2 12:42:23:246 2000 H3C.Linux.Core TAC/7/Event:
version:c0 type:AUTHEN_REPLY
seq_no:4 flag:ENCRYPTED_FLAG
session_id:5e2b length:6
status:AUTHEN_STATUS_FAIL flag:REPLY_FLAG_ECHO server_msg len:0 data len:0
server_msg: data:
*May 2 12:42:23:247 2000 H3C.Linux.Core TAC/7/Event:
TAC_MESSAGE for TAC->AAA:
*May 2 12:42:23:249 2000 H3C.Linux.Core TAC/7/Event:
TAC_MESSAGE for TAC->AAA:
ulUserID=50
ucTACTemplateNO=0
ucflag=2
Echo=0
ServerMsg=
*May 2 12:42:23:250 2000 H3C.Linux.Core TAC/7/Event: statistic: transmit flag:2, server flag: 0,packet flag:0x2
*May 2 12:42:23:251 2000 H3C.Linux.Core TAC/7/Event:
hwtacacs session is deleted due to finishing session:
session id: 24107, user id: 50, server ip: 10.200.159.251
Thanks!!
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.
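The kind of check a defender would run over the H3C debug quoted in the thread, as an added example that is not from the list posts or from the tac_plus project: it splits the switch's TAC/7/Event output into events (the archive fused some onto one line), lists the HWTACACS authentication exchange, and reports the user name and priv_lvl the NAS sent together with whether that name appears as a `user =` entry in tac_plus.conf. The sample debug lines are copied from the thread (the archive's "at" rendering of the address is kept as-is), the tac_plus.conf snippet is the thread's user block, and the config parsing is a simplified regex, an assumption for the example.

```python
import re
# Constructed sample: switch debug copied from the thread; the '*May ...'
# header marks each event, and one event header is fused onto the line before it.
H3C_DEBUG = """\
*May 2 12:42:22:749 2000 H3C.Linux.Core TAC/7/Event:
version:c0 type:AUTHEN_REQUEST
seq_no:1 flag:ENCRYPTED_FLAG
action:AUTHEN_LOGIN priv_lvl:VISIT authen_type:AUTHEN_TYPE_ASCII service:AUTHEN_SVC_LOGIN
user name:vetoll at lab.test port:vty1 rem_addr:10.0.0.5 data:
*May 2 12:42:22:750 2000 H3C.Linux.Core TAC/7/Event: statistic: transmit flag:1 *May 2 12:42:23:145 2000 H3C.Linux.Core TAC/7/Event:
version:c0 type:AUTHEN_REPLY
seq_no:2 flag:ENCRYPTED_FLAG
status:AUTHEN_STATUS_GETPASS flag:REPLY_FLAG_NOECHO server_msg len:10 data len:0
*May 2 12:42:23:147 2000 H3C.Linux.Core TAC/7/Event:
version:c0 type:AUTHEN_CONTINUE
seq_no:3 flag:ENCRYPTED_FLAG
*May 2 12:42:23:246 2000 H3C.Linux.Core TAC/7/Event:
version:c0 type:AUTHEN_REPLY
seq_no:4 flag:ENCRYPTED_FLAG
status:AUTHEN_STATUS_FAIL flag:REPLY_FLAG_ECHO server_msg len:0 data len:0
"""
TAC_PLUS_CONF = "user = vetoll {\n    login = PAM\n    member = lab\n}\n"  # constructed from the thread's config
EVENT_SPLIT = re.compile(r"(?=\*\w{3} \d+ \d\d:\d\d:\d\d:\d+ \d{4} )")  # zero-width: keep the header
TYPE_RE = re.compile(r"^version:\w+ type:(AUTHEN_\w+)", re.M)
SEQ_RE = re.compile(r"^seq_no:(\d+)", re.M)
STATUS_RE = re.compile(r"^status:(AUTHEN_STATUS_\w+)", re.M)
USER_RE = re.compile(r"^user name:(.*?) port:", re.M)
PRIV_RE = re.compile(r"\bpriv_lvl:(\w+)")

def parse_exchange(debug):
    """Packets in order as (seq_no, type, status); status is None except on replies."""
    packets = []
    for event in EVENT_SPLIT.split(debug):
        kind = TYPE_RE.search(event)
        if not kind:
            continue  # FIB/socket/statistic events carry no packet dump
        status = STATUS_RE.search(event)
        packets.append((int(SEQ_RE.search(event).group(1)), kind.group(1),
                        status.group(1) if status else None))
    return packets

def configured_users(conf):
    """Names declared as 'user = <name> {' in tac_plus.conf (simplified regex)."""
    return set(re.findall(r"^\s*user\s*=\s*(\S+)\s*\{", conf, re.M))

def diagnose(debug, conf):
    """Final server status, the user/priv_lvl the NAS sent, and whether tac_plus declares that user."""
    packets = parse_exchange(debug)
    user, priv = USER_RE.search(debug).group(1), PRIV_RE.search(debug).group(1)
    return {"exchange": packets, "final_status": packets[-1][2],
            "user": user, "priv_lvl": priv, "user_known": user in configured_users(conf)}
```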