From daniel.schmidt at wyo.gov Thu Jun 6 22:45:00 2013
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Thu, 6 Jun 2013 16:45:00 -0600
Subject: [tac_plus] do_auth & TCL

I've discovered an incompatibility between do_auth and TCL scripts and recommend that anybody authorizing on commands used in their TCL scripts NOT use do_auth without prior testing. And by "fixed," I really mean the usual: find a workaround for Cisco's lack of consistency in their Tacacs implementation.

Short technical: TCL commands auth with an IP of 'async', NO username, NO device name, and that really confuses the #*@& out of getopt(). Maybe I'll have to finally get around to cobbling my own argv parser. (Volunteers welcome)

Suggested workaround: assign the command to priv-lvl 1 & don't auth on priv-lvl 1. Ex:

  privilege exec level 1 show your_command

E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.

From louis_lab at hotmail.com Thu Jun 13 10:04:07 2013
From: louis_lab at hotmail.com (louis labrosse)
Date: Thu, 13 Jun 2013 10:04:07 +0000
Subject: [tac_plus] Tacacs+, pam & ldap

Hey, I really need your help!

Firstly, thank you for your complete website on tacacs+ "shrubbery": http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.html

I followed your tutorial above, but I'm still blocked; something is maybe missing but I don't know what. When tacacs+ queries my PAM, and my tac_plus in pam.d is configured to use local accounts, it works, but when I ask it to use pam_ldap.so, it doesn't work! My pam_ldap library is present in /lib/security. To debug I ran a tcpdump, but no requests to my AD are sent. When I modify nsswitch.conf for ldap, I see requests sent for local authentication; I guess for tacacs we don't need to touch this file..? But this way I see my ldap.conf is quite OK.

I'm attaching my current configuration files; maybe you can find something. A little help from your part would be very nice!!! Thank you very much for taking a moment for me!!! :-(

BR,
Louis
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: tac_plus.txt
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ldap.conf.txt
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: tac_plus.conf.txt

From SG00123446 at TechMahindra.com Mon Jun 17 12:36:24 2013
From: SG00123446 at TechMahindra.com (Sachin.6.Gupta)
Date: Mon, 17 Jun 2013 18:06:24 +0530
Subject: [tac_plus] T+ server not responding. What should one do?
Message-ID: <7B9CC0301DE32F47AB6914E444497529195C31E875@SINNODMBX001.TechMahindra.com>

Hi,

While logging in to a device, suppose the T+ server does not respond. What should the default behavior be? Can the user still log in somehow in case it's very critical? What are the options we have in such cases and what is the best way out?

TIA
Sachin

Disclaimer: This message and the information contained herein is proprietary and confidential and subject to the Tech Mahindra policy statement, you may review the policy at http://www.techmahindra.com/Disclaimer.html externally and http://tim.techmahindra.com/tim/disclaimer.html internally within Tech Mahindra.
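The argument-handling problem Daniel Schmidt describes in the first message of this archive (a TCL-originated request arriving with address 'async' and no username, which throws getopt() off) is the kind of thing a helper script should survive rather than crash on. The block below is an added example, not do_auth's code and not from anyone on the list. It assumes, without having checked the tac_plus source, that tac_plus expands a configured line such as `-i $address -u $user -d $name` and splits the result on whitespace before running the helper, so an empty `$user` makes `-d` look like the value of `-u`; the argv lists, device name and config path used to exercise it are constructed, and `command` is a hypothetical parameter standing in for the command that a real helper reads from the av-pairs on stdin.

```python
"""Argument handling for a tac_plus authorization helper that survives an
empty username. Added example; this is not do_auth's code. It assumes (an
assumption, not checked against the tac_plus source) that tac_plus expands a
configured line such as
    -i $address -u $user -d $name
and splits the result on whitespace before running the helper, so a TCL-
originated request with address 'async' and no username arrives as
    ['-i', 'async', '-u', '-d', 'router1']
and getopt() would hand '-d' to -u as its value."""

import sys

# Options the helper expects; each one takes a value.
OPTS_WITH_VALUE = {"-i": "address", "-u": "user", "-d": "device",
                   "-f": "config", "-l": "log"}

DENY, PERMIT, EVALUATE = "deny", "permit", "evaluate"


def parse_helper_argv(argv):
    """Parse argv without getopt. An option whose value is missing, either
    because argv ends or because the next token is itself an option, gets ''
    instead of swallowing the following option. Returns (fields, leftovers)."""
    fields = {name: "" for name in OPTS_WITH_VALUE.values()}
    leftovers = []
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok not in OPTS_WITH_VALUE:
            leftovers.append(tok)
            i += 1
            continue
        name = OPTS_WITH_VALUE[tok]
        nxt = argv[i + 1] if i + 1 < len(argv) else None
        if nxt is None or nxt in OPTS_WITH_VALUE:
            fields[name] = ""          # the value was dropped by the caller
            i += 1
        else:
            fields[name] = nxt
            i += 2
    return fields, leftovers


def gate(fields, command, async_allow=frozenset()):
    """Decide whether the request may go on to the normal group/command
    policy. 'command' is a hypothetical parameter (real helpers read the
    command from the av-pairs tac_plus supplies on stdin). Unattributable
    requests (no user, 'async' source) are denied unless the command is on
    an explicit allow-list for script-originated commands."""
    user, address = fields["user"], fields["address"]
    if address == "async" and not user:
        return PERMIT if command in async_allow else DENY
    if not user:
        return DENY                    # never evaluate policy for nobody
    return EVALUATE                    # hand off to the usual per-user rules


if __name__ == "__main__":
    # Stand-alone run: parse whatever the process was invoked with.
    parsed, extra = parse_helper_argv(sys.argv[1:])
    print(parsed, extra)
    print(gate(parsed, "show version"))
```

The parser only treats a token as a value when it is not itself a known option, so the empty `$user` surfaces as an empty field instead of corrupting `-d`; `gate()` then makes the policy decision explicit and fails closed, with the allow-list as the one place where a site can decide which script-originated commands it tolerates (an empty allow-list keeps the deny behaviour Daniel's workaround avoids by moving the command to priv-lvl 1).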
From SG00123446 at TechMahindra.com Mon Jun 17 12:32:48 2013
From: SG00123446 at TechMahindra.com (Sachin.6.Gupta)
Date: Mon, 17 Jun 2013 18:02:48 +0530
Subject: [tac_plus] tacacs+ integration with database or LDAP?
Message-ID: <7B9CC0301DE32F47AB6914E444497529195C31E86D@SINNODMBX001.TechMahindra.com>

Hi,

Can someone compare and point out the pros and cons of integrating tacacs+ with a database (postgres) versus tacacs+ with LDAP? We need to decide which is the best feasible option for field deployments.

Thanks in advance
Sachin

From alan.mckinnon at gmail.com Mon Jun 17 12:54:46 2013
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Mon, 17 Jun 2013 14:54:46 +0200
Subject: [tac_plus] T+ server not responding. What should one do?
In-Reply-To: <7B9CC0301DE32F47AB6914E444497529195C31E875@SINNODMBX001.TechMahindra.com>
References: <7B9CC0301DE32F47AB6914E444497529195C31E875@SINNODMBX001.TechMahindra.com>
Message-ID: <51BF0716.4010705@gmail.com>

On 17/06/2013 14:36, Sachin.6.Gupta wrote:
> Hi,
>
> While logging to a device, suppose the T+ server does not respond.
> What should be the default behavior?

Don't have 1 tacacs server. Have 2 or 3.

> Can the user still login somehow in case its very critical?

Configure a local user that only you know the password for and use that in emergencies.

It's rather pointless I feel to have backup local users for all your human users - what then is the point of tacacs?

The user manual shipped with the tarball has useful info in this section:

CONFIGURING AUTHENTICATION ON THE NAS

> What are the options we have in such cases and what is the best way out?
>
> TIA
> Sachin

-- 
Alan McKinnon
alan.mckinnon at gmail.com

From SG00123446 at TechMahindra.com Mon Jun 17 14:37:41 2013
From: SG00123446 at TechMahindra.com (Sachin.6.Gupta)
Date: Mon, 17 Jun 2013 20:07:41 +0530
Subject: [tac_plus] T+ server not responding. What should one do?
In-Reply-To: <51BF0716.4010705@gmail.com>
References: <7B9CC0301DE32F47AB6914E444497529195C31E875@SINNODMBX001.TechMahindra.com>, <51BF0716.4010705@gmail.com>
Message-ID: <7B9CC0301DE32F47AB6914E444497529195C43B399@SINNODMBX001.TechMahindra.com>

Thanks Alan. This is quite helpful.

Regards

From SG00123446 at TechMahindra.com Tue Jun 18 07:15:47 2013
From: SG00123446 at TechMahindra.com (Sachin.6.Gupta)
Date: Tue, 18 Jun 2013 12:45:47 +0530
Subject: [tac_plus] Managing devices with and without tacacs+ support
Message-ID: <7B9CC0301DE32F47AB6914E444497529195C4701CA@SINNODMBX001.TechMahindra.com>

Hi,

We are in the process of implementing TACACS+ for all the devices in our lab. However, we also have a few critical devices which don't have support for TACACS+.

We are looking for a central solution where all the devices are AAA compliant, but given the existence of these devices and with no option of replacing them, how do we implement AAA for those devices?

Please suggest how we can provide a generic solution which caters to these devices also.

Regards
Sachin

From alan.mckinnon at gmail.com Tue Jun 18 07:22:55 2013
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Tue, 18 Jun 2013 09:22:55 +0200
Subject: [tac_plus] Managing devices with and without tacacs+ support
In-Reply-To: <7B9CC0301DE32F47AB6914E444497529195C4701CA@SINNODMBX001.TechMahindra.com>
References: <7B9CC0301DE32F47AB6914E444497529195C4701CA@SINNODMBX001.TechMahindra.com>
Message-ID: <51C00ACF.8070203@gmail.com>

On 18/06/2013 09:15, Sachin.6.Gupta wrote:
> Hi,
>
> We are in process of implementing TACACS+ for all the devices in our lab.
> However, we have few critical devices also which don't have support for TACACS+.
>
> We are looking for a central solution where all the devices be AAA compliant, but with existence of these devices and with no option of replacing these, how do we implement AAA for them devices?
>
> Please suggest how we can provide a generic solution which caters to these devices also.

There is no "generic solution", the only thing you have is whatever protocols and systems your devices support. If you have for example something that can only use ldap for authorization, then you have no choice - you must deploy an ldap server. Same with radius, diameter, AD etc.

You'll get better advice if you list what you have and what they support.

I find that running tacacs and radius on the same server covers the majority of AAA needs.

-- 
Alan McKinnon
alan.mckinnon at gmail.com

From SG00123446 at TechMahindra.com Tue Jun 18 11:31:55 2013
From: SG00123446 at TechMahindra.com (Sachin.6.Gupta)
Date: Tue, 18 Jun 2013 17:01:55 +0530
Subject: [tac_plus] Managing devices with and without tacacs+ support
In-Reply-To: <51C00ACF.8070203@gmail.com>
References: <7B9CC0301DE32F47AB6914E444497529195C4701CA@SINNODMBX001.TechMahindra.com> <51C00ACF.8070203@gmail.com>
Message-ID: <7B9CC0301DE32F47AB6914E444497529195C4704CD@SINNODMBX001.TechMahindra.com>

There are some Cisco devices (support TACACS+) and some BelAir devices (support only RADIUS, no TACACS support). Hence the issue.

Is it possible to run both RADIUS and TACACS+ on the same server? How will the user configuration be handled?

Regards
Sachin

From alan.mckinnon at gmail.com Tue Jun 18 12:41:47 2013
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Tue, 18 Jun 2013 14:41:47 +0200
Subject: [tac_plus] Managing devices with and without tacacs+ support
In-Reply-To: <7B9CC0301DE32F47AB6914E444497529195C4704CD@SINNODMBX001.TechMahindra.com>
References: <7B9CC0301DE32F47AB6914E444497529195C4701CA@SINNODMBX001.TechMahindra.com> <51C00ACF.8070203@gmail.com> <7B9CC0301DE32F47AB6914E444497529195C4704CD@SINNODMBX001.TechMahindra.com>
Message-ID: <51C0558B.4030909@gmail.com>

On 18/06/2013 13:31, Sachin.6.Gupta wrote:
> There are some Cisco devices (Support TACACS+) and some BelAir devices (support only RADIUS. No TACACS support). Hence the issue.
>
> Is it possible to run both RADIUS and TACACS+ on the same server?

Yes. They do not interfere, they run on different ports and one is tcp the other udp.

> How will the user configuration be handled?

I think you are missing information on how AAA services work. Tacacs and Radius have nothing to do with each other, they are different programs each with its own configuration and how you get the user data into them is up to you.

tac_plus typically uses a flat file configuration or can hook into the Unix PAM layer. Other methods exist too. FreeRadius supports many backend systems too, all documented on the site's webpage, including flat files, databases, ldap and more.

Perhaps you should clearly define what it is that you want to achieve and how you intend to do it. This is not a case where the software dictates to you how things must be done - instead you tell the software how it will work. This of course means you need to make decisions.

-- 
Alan McKinnon
alan.mckinnon at gmail.com
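Alan's answer in the "T+ server not responding" thread earlier in this archive (several servers, plus one local account reserved for emergencies) is really a statement about how the NAS walks its login method list, and the behaviour that matters for security is which outcomes fall through to the next method and which do not. The block below is an added example, not part of the thread and not tac_plus code; it models the IOS-style list `aaa authentication login default group tacacs+ local` according to my understanding of the documented NAS behaviour, which you should confirm against your own platform's documentation: servers in the group are tried in order, the first server that answers (PASS or FAIL) settles the TACACS+ method, only when every server is unreachable (ERROR) does the login fall through to `local`, and the local method answers ERROR rather than FAIL for a user it does not know. Every user, password and server state in it is constructed sample data.

```python
"""Model of a NAS login method list with TACACS+ servers ahead of a local
break-glass account, the IOS shape being
    aaa authentication login default group tacacs+ local
Added example, not part of the thread and not tac_plus code. It encodes my
understanding of the documented NAS behaviour (an assumption to check against
your platform's docs): servers in the group are tried in order; the first one
that answers, with PASS or FAIL, settles the TACACS+ method; only when every
server is unreachable (ERROR) does login fall through to the next method. The
local method answers ERROR for a user it does not know. All users, passwords
and server states below are constructed sample data."""

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Constructed data: what the TACACS+ servers would accept, and the single
# local emergency account that only the operators know.
TACACS_DIRECTORY = {"alice": "correct-horse-battery"}
LOCAL_USERS = {"emergency": "break-glass-only"}


def make_server(directory, reachable):
    """A TACACS+ server stand-in: ERROR when down, else PASS or FAIL."""
    def server(user, password):
        if not reachable:
            return ERROR
        return PASS if directory.get(user) == password else FAIL
    return server


def tacacs_group(servers):
    """'group tacacs+': the first server that answers decides; ERROR if none do."""
    def method(user, password):
        for server in servers:
            result = server(user, password)
            if result != ERROR:
                return result
        return ERROR
    return method


def local_method(local_users):
    """'local': FAIL on a wrong password, ERROR (not FAIL) for an unknown user."""
    def method(user, password):
        if user not in local_users:
            return ERROR
        return PASS if local_users[user] == password else FAIL
    return method


def authenticate(method_list, user, password):
    """Walk the method list; return (result, name of the method that decided)."""
    for name, method in method_list:
        result = method(user, password)
        if result != ERROR:
            return result, name
    return FAIL, "none"   # every method errored: the NAS denies the login


def login(server_up, user, password):
    """server_up: reachability of each configured server, in list order."""
    servers = [make_server(TACACS_DIRECTORY, up) for up in server_up]
    method_list = [("tacacs+", tacacs_group(servers)),
                   ("local", local_method(LOCAL_USERS))]
    return authenticate(method_list, user, password)


if __name__ == "__main__":
    cases = [([True, True], "alice", "correct-horse-battery"),
             ([False, True], "alice", "correct-horse-battery"),
             ([False, False], "emergency", "break-glass-only"),
             ([True, True], "alice", "wrong"),
             ([True, True], "emergency", "break-glass-only"),
             ([False, False], "alice", "correct-horse-battery")]
    for state, who, pw in cases:
        print(state, who, "->", login(state, who, pw))
```

Two of the cases carry the security point. A wrong password against a reachable server is a FAIL that ends the walk, so a rejected TACACS+ login never quietly falls through to the local database; and for the same reason the break-glass account is refused while any server is reachable, which is why it works as an emergency-only account rather than a standing bypass. Any PASS decided by the `local` method is therefore worth alerting on: it means either every server was unreachable or the method list is not what you think it is.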