From vadud3 at gmail.com Wed Jul 10 17:55:54 2013
From: vadud3 at gmail.com (Asif Iqbal)
Date: Wed, 10 Jul 2013 13:55:54 -0400
Subject: [tac_plus] Two TACACS+ server and primary one is always busy
Message-ID:

Hi All

We have two TACACS+ servers and only one of them is heavily loaded.

What is the best practice for balancing the load? Once in a while we need to
restart tacacs+ since the CPU usage goes over 50% on the primary server,
while the secondary one is almost idle.

We are using x2270 servers; they have 4G each, with 2 Intel 2.00GHz Quad-Core
Xeon E5504 on each.

I see about 31 tac_plus running on the primary, while the secondary one has
just 1.

Thanks

--
Asif Iqbal
PGP Key: 0xE62693C5  KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

From alan.mckinnon at gmail.com Wed Jul 10 21:00:22 2013
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Wed, 10 Jul 2013 23:00:22 +0200
Subject: [tac_plus] Two TACACS+ server and primary one is always busy
In-Reply-To:
References:
Message-ID: <51DDCB66.3000901@gmail.com>

On 10/07/2013 19:55, Asif Iqbal wrote:
> Hi All
>
> We have two TACACS+ servers and only one of them is heavily loaded.
>
> What is the best practice for balancing the load? Once in a while we
> need to restart tacacs+ since the CPU usage goes over 50% on the primary
> server, while the secondary one is almost idle.
>
> We are using x2270 servers; they have 4G each, with 2 Intel 2.00GHz
> Quad-Core Xeon E5504 on each.
>
> I see about 31 tac_plus running on the primary, while the secondary one
> has just 1.
>
> Thanks

Hi Asif,

Before doing anything else, you need to sort out those cpu load numbers
as they should not be anywhere near that level. For a point of
reference, I have 3 main tacacs servers; they do about 1800 requests
(login and command in total) a minute, and one of them takes about half
that load.
Occasionally the munin graph creeps above 1% or 2% and that's
an oldish Dell dual core.

50% load on your hardware spells something badly wrong and in my
experience that behaviour with tcp connections is almost always IO
blocking.

Do you do per-device controls in your tac_plus.conf somehow? Do you need
to do DNS lookups for this, and is your DNS setup fast and reliable?

What are the hash types you use for your passwords, and is it a method
that can be hashed quickly by the OS?

Those would be the first things I'd look at. Second is to post your
tac_plus.conf. There aren't really any best practices as such for this;
tac_plus is more than adequate to deal with just about any realistic
scenario, so the "best practice" is whatever works for you and gives
*you* the control *you* need.

--
Alan McKinnon
alan.mckinnon at gmail.com

From pmraz at emea.att.com Thu Jul 4 12:59:33 2013
From: pmraz at emea.att.com (Mraz, Peter)
Date: Thu, 4 Jul 2013 14:59:33 +0200
Subject: [tac_plus] Aruba tacacas ...PAP issue
Message-ID: <4D802C4079A49043A299A53593DCCF79A74688C6A2@skcbcmsx01.emea.att.com>

Hello

I'm using your script for Cisco routers and switches, Juniper routers and
switches, and Cisco WLC. For the last couple of days I'm trying to do the
same for an Aruba WLC. I'm in trouble with something which I don't know how
to fix.

This works for me for Aruba:

user = pm7625 {
    login = file /etc/passwd
    member = admins
    pap = cleartext "aruba"
}

But I need something like what I have for other devices:

user = pm7625 {
    login = file /etc/passwd
    member = admins
}

i.e. take the password from the file /etc/passwd ... but I tried
everything I found and this is not working.

This is the specification of admins:

group = admins {
    default service = permit
    service = AMP {
        role = "AMP Administrator"
    }
}

Aruba config:

aaa authentication-server tacacs "135.76.4.10"
   host 135.76.4.10
   key 037e87c987c2d34e6dedb5b58c544b7c9a01d699a0e07281
   tcp-port 5049
   session-authorization
!
aaa server-group "MGMT_AUTH_SERVER"
 auth-server 135.76.4.10
!
aaa authentication mgmt
 server-group "MGMT_AUTH_SERVER"
 enable
!

Is there a way to take the password from /etc/passwd? I have around 300
users now ...

I have ArubaOS (MODEL: Aruba620), Version 6.1.3.1

Thank you so much!

Thank you and Best regards

Peter Mraz
CCNP CCDP CCIP CERTIFIED
EVPN/AVPN Lead Engineer
AT&T Global Network Services Slovakia
EMEA Service Delivery
Tel.: +421 (0)2 502 10498
E-mail: pmraz at emea.att.com
Time Zone: European Time (CET) = EST+6 hours = UTC+1 hour
Business hours: Mon - Fri 9am-5pm European Time (CET) = 3am-11am EST = 8am-4pm UTC

"This e-mail and any files transmitted with it are AT&T property, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited."

From murali.krishna5 at wipro.com Thu Jul 11 08:55:36 2013
From: murali.krishna5 at wipro.com (murali.krishna5 at wipro.com)
Date: Thu, 11 Jul 2013 08:55:36 +0000
Subject: [tac_plus] Tacacs over IPv6
Message-ID: <66E0DB0C584B6A42B1CCA90BCC967FD0F40FCA88@CHN-SNR-MBX-1.wipro.com>

Hi,

I have migrated my Red Hat Enterprise Linux server 5.5 to IPv6. Now I want
to run tacacs+ for IPv6. When I test from my client, it returns "unable to
connect to server" for the IPv6 address. But for IPv4 it's working fine.

Snapshot of Linux listening ports:

[root at ADA-Linux-Service-2 ~]# netstat -an | grep :49
tcp        0      0 0.0.0.0:49                  0.0.0.0:*                   LISTEN

And once the tacacs service is started, I tried using the bind option
with IPv6 and it returns the following error.
Reading config
Version F4.0.4.26 Initialized 1
get_socket: bind 49 Address already in use

I don't know how to make tacacs+ listen on an IPv6 address. Or do I need
to make any entries in tac_plus.cfg to listen for IPv6?

Regards,
MK

Please do not print this email unless it is absolutely necessary.

The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments.

WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.

www.wipro.com

From SG00123446 at TechMahindra.com Thu Jul 11 14:16:13 2013
From: SG00123446 at TechMahindra.com (Sachin.6.Gupta)
Date: Thu, 11 Jul 2013 19:46:13 +0530
Subject: [tac_plus] How does the TACACS+ server know which authentication mechanism (PAP, CHAP, etc) to use?
Message-ID: <251C71CF3919A942A3A12FDD3CC76101DC09BD30AB@SINNODMBX001.TechMahindra.com>

Hi All,

It's a pretty basic question, the answer to which I am not able to figure
out yet.

Hope someone could shed some light here.

The TACACS+ server gives the option of user authentication by the following
methods:
1. ASCII
2. PAP
3. CHAP
4. MSCHAP
5. ARAP

But how does the server know which one to use to authenticate?

I went through the RFC and it seems that the AUTH packet has an
Authen_type field which decides this.

Then I guess some configuration has to be done on the devices to enable
either of these. But I failed to find any specific configuration commands
to enable either of these.
I debugged on a setup, and it seems I was always getting ASCII, but never
PAP, CHAP, etc.

Hope someone can provide some configuration commands for these.

TIA
Sachin

========================================================================
Disclaimer: This message and the information contained herein is proprietary and confidential and subject to the Tech Mahindra policy statement, you may review the policy at http://www.techmahindra.com/Disclaimer.html externally and http://tim.techmahindra.com/tim/disclaimer.html internally within Tech Mahindra.
========================================================================

From heas at shrubbery.net Thu Jul 11 14:55:23 2013
From: heas at shrubbery.net (heasley)
Date: Thu, 11 Jul 2013 14:55:23 +0000
Subject: [tac_plus] How does the TACACS+ server know which authentication mechanism (PAP, CHAP, etc) to use?
In-Reply-To: <251C71CF3919A942A3A12FDD3CC76101DC09BD30AB@SINNODMBX001.TechMahindra.com>
References: <251C71CF3919A942A3A12FDD3CC76101DC09BD30AB@SINNODMBX001.TechMahindra.com>
Message-ID: <20130711145523.GC53525@shrubbery.net>

Thu, Jul 11, 2013 at 07:46:13PM +0530, Sachin.6.Gupta:
> Hi All,
>
> It's a pretty basic question, the answer to which I am not able to figure out yet.
>
> Hope someone could shed some light here.
>
> The TACACS+ server gives the option of user authentication by the following methods: 1. ASCII 2. PAP 3. CHAP 4. MSCHAP 5. ARAP
>
> But how does the server know which one to use to authenticate?
>
> I went through the RFC and it seems that the AUTH packet has an Authen_type field which decides this.
>
> Then I guess some configuration has to be done on the devices to enable either of these. But I failed to find any specific configuration commands to enable either of these.

correct.

    authen_type

    The type of authentication that is being performed.
    Legal values are:

    TAC_PLUS_AUTHEN_TYPE_ASCII  := 0x01
    TAC_PLUS_AUTHEN_TYPE_PAP    := 0x02
    TAC_PLUS_AUTHEN_TYPE_CHAP   := 0x03
    TAC_PLUS_AUTHEN_TYPE_ARAP   := 0x04
    TAC_PLUS_AUTHEN_TYPE_MSCHAP := 0x05

From SG00123446 at TechMahindra.com Thu Jul 11 16:51:58 2013
From: SG00123446 at TechMahindra.com (Sachin.6.Gupta)
Date: Thu, 11 Jul 2013 22:21:58 +0530
Subject: [tac_plus] How does the TACACS+ server know which authentication mechanism (PAP, CHAP, etc) to use?
In-Reply-To: <20130711145523.GC53525@shrubbery.net>
References: <251C71CF3919A942A3A12FDD3CC76101DC09BD30AB@SINNODMBX001.TechMahindra.com>, <20130711145523.GC53525@shrubbery.net>
Message-ID: <251C71CF3919A942A3A12FDD3CC76101DC09BD30AC@SINNODMBX001.TechMahindra.com>

I agree. I saw the same thing in the documentation.

But where do I configure these? On the device?

Can you please point me to the right link for configuring these?

Regards
________________________________________
From: heasley [heas at shrubbery.net]
Sent: Thursday, July 11, 2013 8:25 PM
To: Sachin.6.Gupta
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] How does the TACACS+ server know which authentication mechanism (PAP, CHAP, etc) to use?

Thu, Jul 11, 2013 at 07:46:13PM +0530, Sachin.6.Gupta:
> Hi All,
>
> It's a pretty basic question, the answer to which I am not able to figure out yet.
>
> Hope someone could shed some light here.
>
> The TACACS+ server gives the option of user authentication by the following methods: 1. ASCII 2. PAP 3. CHAP 4. MSCHAP 5. ARAP
>
> But how does the server know which one to use to authenticate?
>
> I went through the RFC and it seems that the AUTH packet has an Authen_type field which decides this.
>
> Then I guess some configuration has to be done on the devices to enable either of these. But I failed to find any specific configuration commands to enable either of these.

correct.

    authen_type

    The type of authentication that is being performed.
    Legal values are:

    TAC_PLUS_AUTHEN_TYPE_ASCII  := 0x01
    TAC_PLUS_AUTHEN_TYPE_PAP    := 0x02
    TAC_PLUS_AUTHEN_TYPE_CHAP   := 0x03
    TAC_PLUS_AUTHEN_TYPE_ARAP   := 0x04
    TAC_PLUS_AUTHEN_TYPE_MSCHAP := 0x05

From heas at shrubbery.net Thu Jul 11 17:10:43 2013
From: heas at shrubbery.net (heasley)
Date: Thu, 11 Jul 2013 17:10:43 +0000
Subject: [tac_plus] How does the TACACS+ server know which authentication mechanism (PAP, CHAP, etc) to use?
In-Reply-To: <251C71CF3919A942A3A12FDD3CC76101DC09BD30AC@SINNODMBX001.TechMahindra.com>
References: <251C71CF3919A942A3A12FDD3CC76101DC09BD30AB@SINNODMBX001.TechMahindra.com> <20130711145523.GC53525@shrubbery.net> <251C71CF3919A942A3A12FDD3CC76101DC09BD30AC@SINNODMBX001.TechMahindra.com>
Message-ID: <20130711171043.GA58943@shrubbery.net>

Thu, Jul 11, 2013 at 10:21:58PM +0530, Sachin.6.Gupta:
> I agree. I saw the same thing in the documentation.
>
> But where do I configure these? On the device?
>
> Can you please point me to the right link for configuring these?

generally you do not; the type is based on the service in use (cli,
modem, etc). see your device's documentation or contact their TAC.

> Regards
> ________________________________________
> From: heasley [heas at shrubbery.net]
> Sent: Thursday, July 11, 2013 8:25 PM
> To: Sachin.6.Gupta
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] How does the TACACS+ server know which authentication mechanism (PAP, CHAP, etc) to use?
>
> Thu, Jul 11, 2013 at 07:46:13PM +0530, Sachin.6.Gupta:
> > Hi All,
> >
> > It's a pretty basic question, the answer to which I am not able to figure out yet.
> >
> > Hope someone could shed some light here.
> >
> > The TACACS+ server gives the option of user authentication by the following methods: 1. ASCII 2. PAP 3. CHAP 4. MSCHAP 5. ARAP
> >
> > But how does the server know which one to use to authenticate?
> >
> > I went through the RFC and it seems that the AUTH packet has an Authen_type field which decides this.
> >
> > Then I guess some configuration has to be done on the devices to enable either of these. But I failed to find any specific configuration commands to enable either of these.
>
> correct.
>
>     authen_type
>
>     The type of authentication that is being performed. Legal values are:
>
>     TAC_PLUS_AUTHEN_TYPE_ASCII  := 0x01
>     TAC_PLUS_AUTHEN_TYPE_PAP    := 0x02
>     TAC_PLUS_AUTHEN_TYPE_CHAP   := 0x03
>     TAC_PLUS_AUTHEN_TYPE_ARAP   := 0x04
>     TAC_PLUS_AUTHEN_TYPE_MSCHAP := 0x05

From vadud3 at gmail.com Fri Jul 12 16:41:24 2013
From: vadud3 at gmail.com (Asif Iqbal)
Date: Fri, 12 Jul 2013 12:41:24 -0400
Subject: [tac_plus] Two TACACS+ server and primary one is always busy
In-Reply-To: <51DDCB66.3000901@gmail.com>
References: <51DDCB66.3000901@gmail.com>
Message-ID:

On Wed, Jul 10, 2013 at 5:00 PM, Alan McKinnon wrote:
> On 10/07/2013 19:55, Asif Iqbal wrote:
> > Hi All
> >
> > We have two TACACS+ servers and only one of
> > them is heavily loaded.
> >
> > What is the best practice for balancing the load? Once in a while we
> > need to restart tacacs+ since the CPU usage goes over 50% on the primary
> > server, while the secondary one is almost idle.
> >
> > We are using x2270 servers; they have 4G each, with 2 Intel 2.00GHz
> > Quad-Core Xeon E5504 on each.
> >
> > I see about 31 tac_plus running on the primary, while the secondary one
> > has just 1.
> >
> > Thanks
>
> Hi Asif,
>
> Before doing anything else, you need to sort out those cpu load numbers
> as they should not be anywhere near that level. For a point of
> reference, I have 3 main tacacs servers; they do about 1800 requests
> (login and command in total) a minute, and one of them takes about half
> that load. Occasionally the munin graph creeps above 1% or 2% and that's
> an oldish Dell dual core.
>
> 50% load on your hardware spells something badly wrong and in my
> experience that behaviour with tcp connections is almost always IO
> blocking.

I usually restart the tac_plus and that fixes it immediately. That sounds
like a memory leak. How do I find out the total memory usage for tac_plus?
The VSZ or RSS count of 25 threads is not it.

> Do you do per-device controls in your tac_plus.conf somehow? Do you need
> to do DNS lookups for this, and is your DNS setup fast and reliable?

No per-device config. Yes, using -L, and a DNS cache is running with
dnscache for local lookup, and that is fast. We need that to correlate the
events for Cisco syslog and AAA in Splunk for reporting.

> What are the hash types you use for your passwords, and is it a method
> that can be hashed quickly by the OS?

Using PAM -> AD.

> Those would be the first things I'd look at. Second is to post your
> tac_plus.conf. There aren't really any best practices as such for this;
> tac_plus is more than adequate to deal with just about any realistic
> scenario, so the "best practice" is whatever works for you and gives
> *you* the control *you* need.
>
Need to sanitize a lot before posting it, but I have 31 group stanzas,
1325 user stanzas, 19 acl stanzas, and some of those acls have about 130
permit lines.

Currently I have 24 tac_plus instances running like below:

$ ps -e -o pid,ppid,vsz,rss,cmd | grep tac_pl[u]s
 4692     1 78296 53708 /usr/local/bin/tac_plus -L -B 192.168.6.20 -l /var/log/tacacs.daemon.log -C /etc/tacacs.conf
27276  4692 78296 53340 /usr/local/bin/tac_plus -L -B 192.168.6.20 -l /var/log/tacacs.daemon.log -C /etc/tacacs.conf

> --
> Alan McKinnon
> alan.mckinnon at gmail.com
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

--
Asif Iqbal
PGP Key: 0xE62693C5  KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

From alan.mckinnon at gmail.com Fri Jul 12 16:55:36 2013
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Fri, 12 Jul 2013 18:55:36 +0200
Subject: [tac_plus] Two TACACS+ server and primary one is always busy
In-Reply-To:
References: <51DDCB66.3000901@gmail.com>
Message-ID: <51E03508.2020607@gmail.com>

On 12/07/2013 18:41, Asif Iqbal wrote:
> > What are the hash types you use for your passwords, and is it a method
> > that can be hashed quickly by the OS?
>
> Using PAM -> AD.
>
> > Those would be the first things I'd look at. Second is to post your
> > tac_plus.conf. There aren't really any best practices as such for this;
> > tac_plus is more than adequate to deal with just about any realistic
> > scenario, so the "best practice" is whatever works for you and gives
> > *you* the control *you* need.
>
> Need to sanitize a lot before posting it, but I have 31 group stanzas,
> 1325 user stanzas, 19 acl stanzas, and some of those acls have about 130
> permit lines.
>
> Currently I have 24 tac_plus instances running like below:
>
> $ ps -e -o pid,ppid,vsz,rss,cmd | grep tac_pl[u]s
>  4692     1 78296 53708 /usr/local/bin/tac_plus -L -B 192.168.6.20 -l /var/log/tacacs.daemon.log -C /etc/tacacs.conf
> 27276  4692 78296 53340 /usr/local/bin/tac_plus -L -B 192.168.6.20 -l /var/log/tacacs.daemon.log -C /etc/tacacs.conf

No need to post and sanitize your configs; the thing to investigate
first is your PAM -> AD authen setup.

I have a config similar to yours in terms of numbers and my setup works
as expected. Most systems use a passwd file; one system has all the
users directly in tac_plus.conf. I've run it on FreeBSD, Linux and
Solaris and there's never been a hint of memory leaks at all. And no-one
else here has posted about memory leaks as far as I can recall.

All that seems to point towards tac_plus itself working correctly, so we
should look at things you have that are different.

And AD via PAM is one such thing :-)
Using PAM for auth in tac_plus is poorly documented and most folks who
ask about it end up experimenting a lot to get it right.

Can you post how your setup works and what your PAM config is?

--
Alan McKinnon
alan.mckinnon at gmail.com

From vadud3 at gmail.com Fri Jul 12 17:25:33 2013
From: vadud3 at gmail.com (Asif Iqbal)
Date: Fri, 12 Jul 2013 13:25:33 -0400
Subject: [tac_plus] Two TACACS+ server and primary one is always busy
In-Reply-To: <51E03508.2020607@gmail.com>
References: <51DDCB66.3000901@gmail.com> <51E03508.2020607@gmail.com>
Message-ID:

On Fri, Jul 12, 2013 at 12:55 PM, Alan McKinnon wrote:
> On 12/07/2013 18:41, Asif Iqbal wrote:
> > > What are the hash types you use for your passwords, and is it a method
> > > that can be hashed quickly by the OS?
> >
> > Using PAM -> AD.
> >
> > > Those would be the first things I'd look at. Second is to post your
> > > tac_plus.conf.
> > > There aren't really any best practices as such for this;
> > > tac_plus is more than adequate to deal with just about any realistic
> > > scenario, so the "best practice" is whatever works for you and gives
> > > *you* the control *you* need.
> >
> > Need to sanitize a lot before posting it, but I have 31 group stanzas,
> > 1325 user stanzas, 19 acl stanzas, and some of those acls have about 130
> > permit lines.
> >
> > Currently I have 24 tac_plus instances running like below:
> >
> > $ ps -e -o pid,ppid,vsz,rss,cmd | grep tac_pl[u]s
> >  4692     1 78296 53708 /usr/local/bin/tac_plus -L -B 192.168.6.20 -l /var/log/tacacs.daemon.log -C /etc/tacacs.conf
> > 27276  4692 78296 53340 /usr/local/bin/tac_plus -L -B 192.168.6.20 -l /var/log/tacacs.daemon.log -C /etc/tacacs.conf
>
> No need to post and sanitize your configs; the thing to investigate
> first is your PAM -> AD authen setup.
>
> I have a config similar to yours in terms of numbers and my setup works
> as expected. Most systems use a passwd file; one system has all the
> users directly in tac_plus.conf. I've run it on FreeBSD, Linux and
> Solaris and there's never been a hint of memory leaks at all. And no-one
> else here has posted about memory leaks as far as I can recall.

Not sure why a restart of tac_plus fixes the slowness in working with the
router for almost a month, until the next restart.

> All that seems to point towards tac_plus itself working correctly, so we
> should look at things you have that are different.
>
> And AD via PAM is one such thing :-)
> Using PAM for auth in tac_plus is poorly documented and most folks who
> ask about it end up experimenting a lot to get it right.
>
> Can you post how your setup works and what your PAM config is?
>

$ cat /etc/pam.d/tac_plus
auth    required    pam_ldap.so

$ cat /etc/ldap/ldap.conf
BASE            ou=People,dc=example,dc=com
URI             ldaps://192.168.137.34:1636 ldaps://192.168.137.34:1636
TLS_CACERT      /etc/ssl/certs/example.cer
TLS_REQCERT     never
nss_initgroups_ignoreusers backup,bin,daemon,games,gnats,irc,landscape,libuuid,list,lp,mail,man,news,postfix,proxy,root,sshd,sync,sys,syslog,uucp,www-data

Using nslcd for caching:

$ sudo cat /etc/nslcd.conf
uid nslcd
gid nslcd
uri ldaps://192.168.137.34:1636 ldaps://192.168.137.34:1636
base ou=People,dc=mnet,dc=example,dc=com
filter passwd (objectclass=mnetperson)
filter shadow (objectclass=mnetperson)
binddn uid=binduid,ou=people,dc=example,dc=com
bindpw secret
tls_reqcert never
tls_cacertfile /etc/ssl/certs/example.cer
idle_timelimit 60

$ ldd /usr/local/bin/tac_plus
        linux-vdso.so.1 =>  (0x00007fffa03ff000)
        libwrap.so.0 => /lib/libwrap.so.0 (0x00007f316aac5000)
        libtacacs.so.1 => /usr/local/lib/libtacacs.so.1 (0x00007f316a86c000)
        libpam.so.0 => /lib/libpam.so.0 (0x00007f316a65e000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x00007f316a444000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007f316a20b000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00007f3169fed000)
        libc.so.6 => /lib/libc.so.6 (0x00007f3169c67000)
        libdl.so.2 => /lib/libdl.so.2 (0x00007f3169a63000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f316acd8000)

> --
> Alan McKinnon
> alan.mckinnon at gmail.com

--
Asif Iqbal
PGP Key: 0xE62693C5  KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
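Back to the authen_type question in the PAP/CHAP thread above: the value heasley quotes is a field of the authentication START packet that the device sends, so the server learns the method from the packet rather than from anything in its own configuration. What follows is an added example, not tac_plus code and not from any message in the thread: it builds such a packet the way a NAS would and decodes it the way a server would, including the MD5-pad obfuscation of the body described in the TACACS+ specification (RFC 8907). The shared key, session id, user, port, remote address and password are constructed test values.

```python
"""Build and decode a TACACS+ authentication START packet.

Added example for the authen_type discussion; it is not tac_plus code and not
from the thread. Key, session id, user, port and password are constructed.
"""
import hashlib
import struct

# authen_type values exactly as quoted from the specification (RFC 8907, 5.1).
AUTHEN_TYPES = {0x01: "ASCII", 0x02: "PAP", 0x03: "CHAP", 0x04: "ARAP", 0x05: "MSCHAP"}

TAC_PLUS_AUTHEN = 0x01              # header.type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01        # START.action: login
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # header.flags bit: body sent in the clear
MAJOR_VERSION = 0xC
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
START = struct.Struct("!BBBBBBBB")  # action, priv_lvl, authen_type, authen_service, 4 lengths


def pad_for(session_id, key, version, seq_no, length):
    """Pseudo-pad from RFC 8907 4.5: chained MD5 over session_id, key, version, seq_no."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; applying it twice with the same key restores the body."""
    pad = pad_for(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id, key, authen_type, user, port, rem_addr, data,
                       priv_lvl=1, authen_service=1):
    """What the NAS sends to open an authentication session (seq_no 1).

    The NAS, not the server, fills in authen_type; the minor version is 0 for
    ASCII and 1 for the other types, as the specification requires."""
    version = (MAJOR_VERSION << 4) | (0 if authen_type == 0x01 else 1)
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    body = START.pack(TAC_PLUS_AUTHEN_LOGIN, priv_lvl, authen_type, authen_service,
                      len(user_b), len(port_b), len(rem_b), len(data))
    body += user_b + port_b + rem_b + data
    header = HEADER.pack(version, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, 1)


def parse_authen_start(packet, key):
    """Decode as the server would; ValueError means a wrong key or a corrupt packet."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    if ptype != TAC_PLUS_AUTHEN or len(packet) != HEADER.size + length or length < START.size:
        raise ValueError("not a well-formed authentication packet")
    body = packet[HEADER.size:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = START.unpack_from(body)
    # With the wrong key the XOR yields noise, and the embedded lengths stop adding up.
    if (action != TAC_PLUS_AUTHEN_LOGIN or authen_type not in AUTHEN_TYPES
            or START.size + ulen + plen + rlen + dlen != length):
        raise ValueError("body does not decode: wrong shared key or corrupt packet")
    fields, off = [], START.size
    for n in (ulen, plen, rlen, dlen):
        fields.append(body[off:off + n])
        off += n
    user, port, rem_addr, data = fields
    return {"authen_type": AUTHEN_TYPES[authen_type], "priv_lvl": priv_lvl,
            "service": service, "user": user.decode(), "port": port.decode(),
            "rem_addr": rem_addr.decode(), "data": data}


def key_fits(packet, key):
    """True when the packet decodes cleanly under this key (a cheap mismatch check)."""
    try:
        parse_authen_start(packet, key)
        return True
    except ValueError:  # UnicodeDecodeError is a ValueError too
        return False


if __name__ == "__main__":
    KEY = b"shared-secret"  # constructed
    pkt = build_authen_start(0x1234ABCD, KEY, 0x02, "sachin", "tty1", "10.0.0.50", b"hunter2")
    print(parse_authen_start(pkt, KEY))
    print("wrong key fits:", key_fits(pkt, b"wrong-key"))
```

Two things the code makes concrete that the enum listing does not: the first header byte changes with the type (0xC0 for an ASCII login, 0xC1 for PAP, CHAP, MSCHAP and ARAP), and a shared-key mismatch between device and server shows up as a body whose embedded lengths no longer add up to the header length, which is why a wrong key looks like a corrupt packet rather than a failed password.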
From SG00123446 at TechMahindra.com Thu Jul 18 12:57:57 2013
From: SG00123446 at TechMahindra.com (Sachin.6.Gupta)
Date: Thu, 18 Jul 2013 18:27:57 +0530
Subject: [tac_plus] TACACS+ Accounting Report Generation
Message-ID: <251C71CF3919A942A3A12FDD3CC76101DC0A305619@SINNODMBX001.TechMahindra.com>

Hi All,

Is there a suitable framework for generating reports from accounting
records?

I think this might be needed for PCI compliance and user views.

Please suggest.

Regards
Sachin

From daniel.schmidt at wyo.gov Thu Jul 18 19:13:36 2013
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Thu, 18 Jul 2013 13:13:36 -0600
Subject: [tac_plus] TACACS+ Accounting Report Generation
In-Reply-To: <251C71CF3919A942A3A12FDD3CC76101DC0A305619@SINNODMBX001.TechMahindra.com>
References: <251C71CF3919A942A3A12FDD3CC76101DC0A305619@SINNODMBX001.TechMahindra.com>
Message-ID:

I wrote a simple cgi in python so I could parse my logs to see who did
what on what at what time. I'm not sure it's written well enough for me
to admit to writing it. Job != programmer.

On Thu, Jul 18, 2013 at 6:57 AM, Sachin.6.Gupta wrote:
> Hi All,
>
> Is there a suitable framework for generating reports from accounting
> records?
>
> I think this might be needed for PCI compliance and user views.
>
> Please suggest.
>
> Regards
> Sachin

E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.

From vadud3 at gmail.com Fri Jul 19 15:05:05 2013
From: vadud3 at gmail.com (Asif Iqbal)
Date: Fri, 19 Jul 2013 11:05:05 -0400
Subject: [tac_plus] TACACS+ Accounting Report Generation
In-Reply-To:
References: <251C71CF3919A942A3A12FDD3CC76101DC0A305619@SINNODMBX001.TechMahindra.com>
Message-ID:

On Thu, Jul 18, 2013 at 3:13 PM, Daniel Schmidt wrote:
> I wrote a simple cgi in python so I could parse my logs to see who did
> what on what at what time. I'm not sure it's written well enough for me
> to admit to writing it. Job != programmer.
>

We are using Splunk for that, which indexes the accounting logs, although
I would be interested to see your code.
> On Thu, Jul 18, 2013 at 6:57 AM, Sachin.6.Gupta wrote:
> > Hi All,
> >
> > Is there a suitable framework for generating reports from accounting
> > records?
> >
> > I think this might be needed for PCI compliance and user views.
> >
> > Please suggest.
> >
> > Regards
> > Sachin

--
Asif Iqbal
PGP Key: 0xE62693C5  KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

From aydinnmu at gmail.com Fri Jul 26 01:18:49 2013
From: aydinnmu at gmail.com (Musa Aydın)
Date: Fri, 26 Jul 2013 04:18:49 +0300
Subject: [tac_plus] tac_plus authorization capability
Message-ID:

Hi,

I set up tac_plus and did the basic configuration for authentication.
Yes, it is working absolutely fine. But when I want to use the
authorization process, such as different privilege levels for users, it
is not working properly. I searched for some kind of document about this
feature but found nothing. Possibly I misunderstand the tac_plus
authorization capability. If I set a custom privilege level, which side
assigns the custom commands, the network device or the tac_plus server?
Which one is working correctly?

At the tacacs+ server:

group = newbie {
    default service = deny
    service = exec {
        priv-lvl = 6
    }
    cmd = show {
        permit .*
    }
    cmd = ping {
        permit .*
    }
}

user = test {
    member = newbie
}

or at the router:

privilege exec level 6 show ...
privilege exec level 6 ping ...

Briefly, can I use tac_plus for specific command authorization by
assigning a specific privilege level completely on the tac_plus side?

Thanks a lot.

From alan.mckinnon at gmail.com Fri Jul 26 06:08:35 2013
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Fri, 26 Jul 2013 08:08:35 +0200
Subject: [tac_plus] tac_plus authorization capability
In-Reply-To:
References:
Message-ID: <51F21263.1000104@gmail.com>

On 26/07/2013 03:18, Musa Aydın wrote:
> Hi,
>
> I set up tac_plus and did the basic configuration for authentication.
> Yes, it is working absolutely fine. But when I want to use the
> authorization process, such as different privilege levels for users, it
> is not working properly. I searched for some kind of document about this
> feature but found nothing. Possibly I misunderstand the tac_plus
> authorization capability. If I set a custom privilege level,
which side assign a custom commands network device > or tac_plus server ? which one is working truely ? > > at tacacs+ server > group = newbie { > service =exec > priv-lvl = 6 > default service = deny > cmd = show { permit *} > cmd = ping ( permit *} > > user = test > { member = newbie} > > or > > at router > > privilege level 6 show... > privileve leve 6 ping... > > Briefly, Can i use tac_plus for speciifc commands authorization by assign > specific privilege level completely tac_plus side ? Yes, but you must tell the router to use it with the "aaa authorization" configuration The router doesn't automatically use the tacacs server for authorization -- Alan McKinnon alan.mckinnon at gmail.com From daniel.schmidt at wyo.gov Sat Jul 27 01:10:55 2013 From: daniel.schmidt at wyo.gov (Daniel Schmidt) Date: Fri, 26 Jul 2013 21:10:55 -0400 Subject: [tac_plus] TACACS+ Accounting Report Generation In-Reply-To: References: <251C71CF3919A942A3A12FDD3CC76101DC0A305619@SINNODMBX001.TechMahindra.com> Message-ID: Splunk can do a better job than a simple Network Engineer with just a few minutes of free time. Nevertheless, when I get back to the office, I'll try to remember to post it. On Fri, Jul 19, 2013 at 11:05 AM, Asif Iqbal wrote: > > > > On Thu, Jul 18, 2013 at 3:13 PM, Daniel Schmidt wrote: > >> I wrote a simple cgi in python so I could parse my logs to see who did >> what >> on what at what time. I'm not sure it's written well enough for me to >> admit to writing it. Job != programmer. >> >> > we are using splunk for that which indexes the accounting logs. although I > would > be interested to see your code. > > > >> >> On Thu, Jul 18, 2013 at 6:57 AM, Sachin.6.Gupta < >> SG00123446 at techmahindra.com >> > wrote: >> >> > Hi All, >> > >> > Is there a suitable framework for generating reports from accounting >> > records? >> > >> > I think this might be needed for PCI compliance and user views. >> > >> > Please suggest. 
> > >
> > > Regards
> > > Sachin
>
> --
> Asif Iqbal
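An added example (not Daniel's cgi, and not code from the thread or from tac_plus) of the "who did what, on what, at what time" report the thread is after, written against the layout tac_plus writes to its accounting file: tab-separated timestamp, device, user, port, remote address and record type, followed by attribute=value pairs (that layout is an assumption here, and the log lines are constructed, not real data).

```python
import re
from collections import defaultdict

# Constructed sample records (not real data) in the assumed tac_plus
# accounting layout: tab-separated fixed fields, then attribute=value pairs.
SAMPLE_LOG = "\n".join([
    "Fri Jul 26 09:01:10 2013\t10.0.0.1\talice\ttty2\t192.0.2.10\tstart\ttask_id=11\tservice=shell",
    "Fri Jul 26 09:01:35 2013\t10.0.0.1\talice\ttty2\t192.0.2.10\tstop\ttask_id=12\tservice=shell\tpriv-lvl=15\tcmd=show running-config <cr>",
    "Fri Jul 26 09:02:02 2013\t10.0.0.1\talice\ttty2\t192.0.2.10\tstop\ttask_id=13\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>",
    "Fri Jul 26 09:05:41 2013\t10.0.0.2\tbob\ttty1\t192.0.2.11\tstop\ttask_id=21\tservice=shell\tpriv-lvl=6\tcmd=ping 10.0.0.1 <cr>",
    "Fri Jul 26 09:06:00 2013\t10.0.0.1\talice\ttty2\t192.0.2.10\tstop\ttask_id=14\tservice=shell\tpriv-lvl=15\tcmd=reload <cr>",
    "garbage line that does not parse",
])

FIELDS = ("when", "device", "user", "port", "remote", "type")

def parse_record(line):
    """Fixed fields plus an AV-pair dict; None if the fixed fields are missing."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["av"] = {}
    for pair in parts[len(FIELDS):]:
        key, _, value = pair.partition("=")
        rec["av"][key] = value
    return rec

def command_report(text):
    """{user: [(when, device, priv-lvl, cmd), ...]} from the 'stop' records,
    which are the ones that carry the executed command."""
    report = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["type"] != "stop" or "cmd" not in rec["av"]:
            continue
        cmd = rec["av"]["cmd"].replace("<cr>", "").strip()
        report[rec["user"]].append(
            (rec["when"], rec["device"], rec["av"].get("priv-lvl", "?"), cmd))
    return dict(report)

def flag_commands(report, patterns=(r"^reload\b", r"^configure\b")):
    """Entries worth a reviewer's attention, e.g. for a change audit; the
    default patterns are a constructed starting point, not a standard."""
    hits = []
    for user, entries in report.items():
        for when, device, priv, cmd in entries:
            if any(re.search(p, cmd) for p in patterns):
                hits.append((user, when, device, priv, cmd))
    return hits
```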
From daniel.schmidt at wyo.gov  Sat Jul 27 01:13:12 2013
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Fri, 26 Jul 2013 21:13:12 -0400
Subject: [tac_plus] tac_plus authorization capability
In-Reply-To: <51F21263.1000104@gmail.com>
References: <51F21263.1000104@gmail.com>
Message-ID:

I wrote up a bit about authorization on tacacs.org - you may wish to read
there.

On Fri, Jul 26, 2013 at 2:08 AM, Alan McKinnon wrote:
> On 26/07/2013 03:18, Musa Aydın wrote:
> > Hi,
> >
> > I set up a tac_plus and did the basic configuration for authentication.
> > Yes, it is working absolutely fine. But when I want to use the
> > authorization process, such as different privilege levels for users, it
> > is not working properly. I searched for some kind of document about this
> > feature but found nothing. Possibly I misunderstand the tac_plus
> > authorization capability. If I set a custom privilege level, which side
> > assigns the custom commands, the network device or the tac_plus server?
> > Which one works correctly?
> >
> > At the tacacs+ server:
> >
> > group = newbie {
> >     service = exec {
> >         priv-lvl = 6
> >     }
> >     default service = deny
> >     cmd = show { permit * }
> >     cmd = ping { permit * }
> > }
> >
> > user = test {
> >     member = newbie
> > }
> >
> > or at the router:
> >
> > privilege level 6 show...
> > privilege level 6 ping...
> >
> > Briefly, can I use tac_plus for specific command authorization by
> > assigning a specific privilege level completely on the tac_plus side?
>
> Yes, but you must tell the router to use it with the "aaa authorization"
> configuration. The router doesn't automatically use the tacacs server for
> authorization.
>
> --
> Alan McKinnon
> alan.mckinnon at gmail.com
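An added example, not from the thread, from tacacs.org or from tac_plus itself: a small Python model of where the decision Musa asks about is made. The group mirrors the "newbie" group from the question; the matching rules (first permit/deny regex matching the command's arguments wins, a command with no cmd block falls to the group default) are a simplified assumption about how tac_plus evaluates cmd blocks, the device's local privilege table is constructed, and the IOS lines in the comment are the "aaa authorization" configuration Alan's answer points to.

```python
import re

# Model of the "newbie" group from the question (constructed data, not a
# tac_plus config file): exec sessions get priv-lvl 6, "show" and "ping" are
# permitted with any arguments, anything else hits "default service = deny".
# "configure" is added to show a deny line taking precedence over a later permit.
NEWBIE = {
    "exec": {"priv-lvl": "6"},
    "default": "deny",
    "cmds": {
        "show":      [("permit", r".*")],
        "ping":      [("permit", r".*")],
        "configure": [("deny", r"^terminal"), ("permit", r".*")],
    },
}

# Constructed stand-in for a device's local privilege table: the minimum
# privilege level at which the device itself would run the command.
LOCAL_MIN_LEVEL = {"show": 1, "ping": 1, "clear": 1, "configure": 15, "reload": 15}

def authorize_exec(group):
    """Attributes the server returns for service=exec: the privilege level the
    device places the user at, provided it asked (aaa authorization exec)."""
    return dict(group["exec"])

def authorize_cmd(group, cmd, args):
    """Simplified model (assumption) of the server's per-command decision: the
    first permit/deny regex matching the argument string wins, a command with
    no cmd block gets the group default, a block with no matching line denies."""
    rules = group["cmds"].get(cmd)
    if rules is None:
        return group["default"]
    joined = " ".join(args)
    for action, pattern in rules:
        if re.search(pattern, joined):
            return action
    return "deny"

def device_decision(group, cmd, args, aaa_commands):
    """What the device does. Only with Alan's "aaa authorization" configuration
    (on IOS: aaa authorization exec default group tacacs+ and
    aaa authorization commands 6 default group tacacs+) does it ask the server;
    otherwise it runs whatever its local privilege table allows at the level."""
    if aaa_commands:
        return authorize_cmd(group, cmd, args)
    level = int(authorize_exec(group)["priv-lvl"])
    return "permit" if LOCAL_MIN_LEVEL.get(cmd, 15) <= level else "deny"
```

The "clear counters" case is the one that answers the question: without command authorization on the device, the server's "default service = deny" is never consulted and the device runs it on its own.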