[tac_plus] multiple groups per user

Alan McKinnon alan.mckinnon at gmail.com
Thu Mar 14 20:55:12 UTC 2013


On 14/03/2013 22:29, Daniel Schmidt wrote:
> Checkout do_auth.py.  Several people have reported it to be very useful.
> I've been meaning to do some more work on it and Jathan had some excellent
> ideas.
> 
> tacacs.org

Hear, hear.

Tom, go with Daniel's code. It's the correct approach.

tac_plus.conf is very simplistic and for good reason. There is a patch
around that supports multiple groups but AFAIK the patch was never merged.

Usually with multiple groups one wants to define commands that can be
run, and usually they are additive. But you want to separate behaviours
of different device types, and that's different. No matter how you separate
it out, tac_plus is still going to try to combine directives from both
groups into one big one, so you might as well define one big group in
the file anyway. I assume you tried that and found it doesn't work well.

I tried that with Junipers; regular IOS was OK with it but it broke the
GSRs. We fixed that with optional AV pairs but when we deployed Nexus...
let's just say I deployed a second tacacs system instead.

do_auth.py has enough information when called that you can make these
decisions dynamically and always do the right thing. tac_plus.conf has
to have it defined statically and can't do the right thing.




> 
> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net
> [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Tom Murch
> Sent: Thursday, March 14, 2013 12:43 PM
> To: tac_plus at shrubbery.net
> Subject: [tac_plus] multiple groups per user
> 
> Hello I am trying to get this working. Reading the mailing list I was
> under the impression this was fixed. I am trying to have the same users
> admin both juniper and hp gear.
> 
> #
> # tacacs configuration file
> # xxxxx -
> # /etc/tac_plus.conf
> 
> # set the key
> key = xxxxx
> 
> accounting file = /var/log/tac_plus.acct
> 
> #group accounts
> 
> group = admins {
>         ## cli service for junipers
>         service = junos-exec {
>                 local-user-name = admins
>                 allow-commands = "all"
>                 allow-configuration = "all"
>                 deny-commands = ""
>                 deny-configuration = ""
>         }
> }
> 
> group = admins2 {
>         default service = permit
>         service = exec {
>                 priv-lvl = 15
>         }
> }
> 
> # users accounts
> user = tom {
> 
>         member = admins
>         login = des "xxxxx"
>         enable = cleartext "xxxxx"
>         name = "Thomas Murch"
> }
> 
> user = tomhp {
>         member = admins2
>         login = des "xxxxxx"
>         enable = cleartext "xxxx"
>         name = "Thomas Murch"
> }
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus


-- 
Alan McKinnon
alan.mckinnon at gmail.com
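As an added illustration of the dynamic decision Alan describes (this is not do_auth.py from tacacs.org and not code from the thread), the script below returns junos-exec attributes when the requesting device is a Juniper and priv-lvl 15 when it is an HP, so one user account never receives the merged attribute set that a single static tac_plus.conf group would produce. The user table, the address ranges used to classify devices, and the exit-code convention noted in the comments are assumptions.

```python
"""Device-type-aware TACACS+ authorization, in the spirit of do_auth.py.

Added example; the policy tables below are constructed, not from the thread.
"""
import ipaddress
import sys

# Constructed: which users hold which role. One account covers both families.
USER_GROUPS = {
    "tom": {"admins"},
}

# Constructed: which NAS address ranges hold which device family.
DEVICE_NETS = {
    ipaddress.ip_network("10.10.0.0/24"): "juniper",
    ipaddress.ip_network("10.20.0.0/24"): "hp",
}

# AV pairs per (group, device family). Only the matching set is returned,
# so a Juniper never sees priv-lvl and an HP never sees allow-commands.
GROUP_AVPAIRS = {
    ("admins", "juniper"): ["local-user-name=admins", "allow-commands=all",
                            "allow-configuration=all"],
    ("admins", "hp"): ["priv-lvl=15"],
}


def device_family(nas_ip):
    """Classify the requesting device by its address; None if unknown."""
    addr = ipaddress.ip_address(nas_ip)
    for net, family in DEVICE_NETS.items():
        if addr in net:
            return family
    return None


def authorize(user, nas_ip):
    """Return (permitted, av_pairs) for one authorization request."""
    family = device_family(nas_ip)
    if family is None:
        return False, []  # unknown device: deny rather than guess a profile
    pairs = []
    for group in sorted(USER_GROUPS.get(user, ())):
        pairs.extend(GROUP_AVPAIRS.get((group, family), []))
    return (True, pairs) if pairs else (False, [])


if __name__ == "__main__":
    # Assumed calling convention: user and NAS address as arguments; replacement
    # AV pairs go to stdout; exit 2 = permit with these pairs, exit 1 = deny.
    permitted, av_pairs = authorize(sys.argv[1], sys.argv[2])
    sys.stdout.write("".join(p + "\n" for p in av_pairs))
    sys.exit(2 if permitted else 1)
```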