[tac_plus] multiple groups per user

Daniel Schmidt daniel.schmidt at wyo.gov
Thu Mar 14 21:29:39 UTC 2013


Thanks Alan.  Note: I fixed Nexus - it modifies the pairs accordingly so
you can use tac_plus for all your devices.  Or, rather, I kluged a
workaround that is far too ugly to be considered in the tac_plus code.  Do NOT
confuse my vendor specific workarounds as bugs in tac_plus - if vendors
(even Cisco) would standardize, I wouldn't have to write poor workarounds.

I can't remember - I don't think I ever finished testing Juniper.  If
anybody is interested in testing, please contact me.

-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Alan McKinnon
Sent: Thursday, March 14, 2013 2:55 PM
To: tac_plus at shrubbery.net
Subject: Re: [tac_plus] multiple groups per user

On 14/03/2013 22:29, Daniel Schmidt wrote:
> Check out do_auth.py.  Several people have reported it to be very useful.
> I've been meaning to do some more work on it and Jathan had some
> excellent ideas.
>
> tacacs.org

Hear, hear.

Tom, go with Daniel's code. It's the correct approach.

tac_plus.conf is very simplistic and for good reason. There is a patch
around that supports multiple groups but AFAIK the patch was never merged.

Usually with multiple groups one wants to define commands that can be run,
and usually they are additive. But you want to separate the behaviours of
different device types, and that's different. No matter how you separate it
out, tac_plus is still going to try to combine directives from both groups
into one big one, so you might as well define one big group in the file
anyway. I assume you tried that and found it doesn't work well.

I tried that with Junipers; regular IOS was OK with it but it broke the
GSRs. We fixed that with optional AV pairs but when we deployed Nexus...
let's just say I deployed a second tacacs system instead.

do_auth.py has enough information when called that you can make these
decisions dynamically and always do the right thing. tac_plus.conf has to
have it defined statically and can't do the right thing.

>
> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net
> [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Tom Murch
> Sent: Thursday, March 14, 2013 12:43 PM
> To: tac_plus at shrubbery.net
> Subject: [tac_plus] multiple groups per user
>
> Hello, I am trying to get this working. Reading the mailing list I was
> under the impression this was fixed. I am trying to have the same
> users admin both Juniper and HP gear.
>
> #
> # tacacs configuration file
> # xxxxx -
> # /etc/tac_plus.conf
>
> # set the key
> key = xxxxx
>
> accounting file = /var/log/tac_plus.acct
>
> #group accounts
>
> group = admins {
>         ## cli service for junipers
>         service = junos-exec {
>                 local-user-name = admins
>                 allow-commands = "all"
>                 allow-configuration = "all"
>                 deny-commands = ""
>                 deny-configuration = ""
>         }
> }
>
> group = admins2 {
>         default service = permit
>         service = exec {
>                 priv-lvl = 15
>         }
> }
>
> # users accounts
> user = tom {
>
>         member = admins
>         login = des "xxxxx"
>         enable = cleartext "xxxxx"
>         name = "Thomas Murch"
> }
>
> user = tomhp {
>         member = admins2
>         login = des "xxxxxx"
>         enable = cleartext "xxxx"
>         name = "Thomas Murch"
> }
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>
> E-Mail to and from me, in connection with the transaction of public
> business, is subject to the Wyoming Public Records Act and may be
> disclosed to third parties.


--
Alan McKinnon
alan.mckinnon at gmail.com


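As an added example (this is not code from the thread, from tacacs.org or from do_auth.py itself), here is a minimal model of the device-aware decision Alan describes: the script is handed the user, the NAS address and the AV pairs the device sent, and returns the pairs that particular device family actually understands, so the same admins can manage both Juniper and HP/IOS-style gear without tac_plus merging two groups into one. The device families, management networks, group membership and the exit-code convention (0 = permit the pairs unchanged, 1 = deny, 2 = replace the pairs with the script's output, which is how I understand tac_plus's `after authorization` hook) are all assumptions of mine, constructed for the example.

```python
"""Device-aware TACACS+ authorization decision (added example, not do_auth.py)."""
import ipaddress
import sys
from typing import Dict, List, Tuple

# Exit-code convention this example assumes for an external "after authorization"
# script: 0 = permit the device's AV pairs unchanged, 1 = deny,
# 2 = permit but replace the pairs with the ones the script prints.
PERMIT, DENY, REPLACE = 0, 1, 2

# Constructed policy table.  Each device family only ever receives the AV
# pairs it understands, instead of one merged group that breaks some platforms.
DEVICE_FAMILIES: Dict[str, dict] = {
    "juniper": {
        "networks": [ipaddress.ip_network("10.1.0.0/24")],  # assumed mgmt range
        "pairs": {
            "service": "junos-exec",
            "local-user-name": "admins",
            "allow-commands": "all",
            "allow-configuration": "all",
            "deny-commands": "",
            "deny-configuration": "",
        },
    },
    "hp": {
        "networks": [ipaddress.ip_network("10.2.0.0/24")],  # assumed mgmt range
        "pairs": {"service": "exec", "priv-lvl": "15"},
    },
}

# Constructed group membership; a real script would read this from its own config.
ADMINS = {"tom"}


def split_pair(pair: str) -> Tuple[str, str]:
    """Split 'attr=value' (mandatory) or 'attr*value' (optional) at the first separator."""
    seps = [i for i in (pair.find("="), pair.find("*")) if i >= 0]
    if not seps:
        return pair, ""
    idx = min(seps)
    return pair[:idx], pair[idx + 1:]


def requested_service(pairs: List[str]) -> str:
    """Return the value of the 'service' AV pair the device sent, or '' if absent."""
    for pair in pairs:
        attr, value = split_pair(pair)
        if attr == "service":
            return value
    return ""


def classify_device(address: str) -> str:
    """Map the NAS address to a device family; '' for unknown or malformed addresses."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return ""
    for family, spec in DEVICE_FAMILIES.items():
        if any(ip in net for net in spec["networks"]):
            return family
    return ""


def authorize(user: str, address: str, pairs: List[str]) -> Tuple[int, List[str]]:
    """Decide one authorization request; returns (exit code, AV pairs to emit).

    Fails closed: an unknown user, an unknown device, or a device asking for a
    service its family does not use is denied rather than passed through.
    """
    if user not in ADMINS:
        return DENY, []
    family = classify_device(address)
    if not family:
        return DENY, []
    spec = DEVICE_FAMILIES[family]["pairs"]
    if requested_service(pairs) != spec["service"]:
        return DENY, []
    return REPLACE, [f"{attr}={value}" for attr, value in spec.items()]


if __name__ == "__main__":
    # Usage: authz.py <user> <nas-address>, with the device's AV pairs on stdin.
    incoming = [line.strip() for line in sys.stdin if line.strip()]
    code, out = authorize(sys.argv[1], sys.argv[2], incoming)
    print("\n".join(out))
    sys.exit(code)
```

The point of the table is that a Juniper in 10.1.0.0/24 asking for `service=junos-exec` gets the full junos-exec pair set, an HP box in 10.2.0.0/24 asking for `service=exec` gets only `priv-lvl=15`, and everything else (unknown device, unknown user, mismatched service) is denied, which is the "always do the right thing" behaviour a static tac_plus.conf cannot express.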
