[tac_plus] multiple groups per user

Alan McKinnon alan.mckinnon at gmail.com
Fri Mar 15 12:13:31 UTC 2013


I can help with testing Juniper. I have to support it anyway, along with

IOS
XR
ASR
GSR
Nexus
A few Junipers
Audiocode
and a grab-bag collection of weird and wonderful firewalls that were
once bought from $DEITY only knows who

IOW, pretty much your standard real world network :-)



On 14/03/2013 23:29, Daniel Schmidt wrote:
> Thanks Alan.  Note: I fixed Nexus - it modifies the pairs accordingly so
> you can use tac_plus for all your devices.  Or, rather, I kluged a
> workaround that is far too ugly to be considered in the tac_plus code.  Do NOT
> confuse my vendor specific workarounds as bugs in tac_plus - if vendors
> (even Cisco) would standardize, I wouldn't have to write poor workarounds.
> 
> I can't remember - I don't think I ever finished testing Juniper.  If
> anybody is interested in testing, please contact me.
> 
> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net
> [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Alan McKinnon
> Sent: Thursday, March 14, 2013 2:55 PM
> To: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] multiple groups per user
> 
> On 14/03/2013 22:29, Daniel Schmidt wrote:
>> Check out do_auth.py.  Several people have reported it to be very useful.
>> I've been meaning to do some more work on it and Jathan had some
>> excellent ideas.
>>
>> tacacs.org
> 
> Hear, hear.
> 
> Tom, go with Daniel's code. It's the correct approach.
> 
> tac_plus.conf is very simplistic and for good reason. There is a patch
> around that supports multiple groups but AFAIK the patch was never merged.
> 
> Usually with multiple groups one wants to define commands that can be run,
> and usually they are additive. But you want to separate behaviours of
> different device types, that's different. No matter how you separate it
> out, tac_plus is still going to try to combine directives from both groups
> into one big one, so you might as well define one big group in the file
> anyway. I assume you tried that and found it doesn't work well.
> 
> I tried that with Junipers; regular IOS was OK with it but it broke the
> GSRs. We fixed that with optional AV pairs but when we deployed Nexus...
> let's just say I deployed a second tacacs system instead.
> 
> do_auth.py has enough information when called that you can make these
> decisions dynamically and always do the right thing. tac_plus.conf has to
> have it defined statically and can't do the right thing.
> 
> 
> 
> 
>>
>> -----Original Message-----
>> From: tac_plus-bounces at shrubbery.net
>> [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Tom Murch
>> Sent: Thursday, March 14, 2013 12:43 PM
>> To: tac_plus at shrubbery.net
>> Subject: [tac_plus] multiple groups per user
>>
>> Hello, I am trying to get this working. Reading the mailing list I was
>> under the impression this was fixed. I am trying to have the same
>> users admin both juniper and hp gear.
>>
>> #
>> # tacacs configuration file
>> # xxxxx -
>> # /etc/tac_plus.conf
>>
>> # set the key
>> key = xxxxx
>>
>> accounting file = /var/log/tac_plus.acct
>>
>> #group accounts
>>
>> group = admins {
>>         ## cli service for junipers
>>         service = junos-exec {
>>                 local-user-name = admins
>>                 allow-commands = "all"
>>                 allow-configuration = "all"
>>                 deny-commands = ""
>>                 deny-configuration = ""
>>         }
>> }
>>
>> group = admins2 {
>>         default service = permit
>>         service = exec {
>>                 priv-lvl = 15
>>         }
>> }
>>
>> # users accounts
>> user = tom {
>>
>>         member = admins
>>         login = des "xxxxx"
>>         enable = cleartext "xxxxx"
>>         name = "Thomas Murch"
>> }
>>
>> user = tomhp {
>>         member = admins2
>>         login = des "xxxxxx"
>>         enable = cleartext "xxxx"
>>         name = "Thomas Murch"
>> }
>> _______________________________________________
>> tac_plus mailing list
>> tac_plus at shrubbery.net
>> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>>
>> E-Mail to and from me, in connection with the transaction of public
>> business, is subject to the Wyoming Public Records Act and may be
>> disclosed to third parties.
>>
> 
> 
> --
> Alan McKinnon
> alan.mckinnon at gmail.com
> 
> 


-- 
Alan McKinnon
alan.mckinnon at gmail.com
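Added example, not from this thread and not do_auth.py or tac_plus code: a Python sketch of the dynamic decision Alan describes, choosing the AV pairs by which kind of device is asking rather than by a static group in tac_plus.conf, so the junos-exec pairs from Tom's admins group are never handed to HP gear and vice versa. The device subnets, the user set and the hook's call signature (user, NAS address, service) are assumptions.

```python
"""Hypothetical post-authorization dispatch: AV pairs chosen per device class.
Inventory, users and the call signature are constructed for this example and
are not the do_auth.py interface."""
import ipaddress

# Constructed inventory: which management subnets hold which vendor's gear.
DEVICE_CLASSES = {
    "junos": [ipaddress.ip_network("10.10.0.0/24")],
    "hp": [ipaddress.ip_network("10.20.0.0/24")],
}

# AV pairs per device class and service, mirroring the two groups in Tom's
# tac_plus.conf (admins for Junos, admins2 for HP).
AV_PAIRS = {
    "junos": {"junos-exec": {"local-user-name": "admins",
                             "allow-commands": "all",
                             "allow-configuration": "all"}},
    "hp": {"exec": {"priv-lvl": "15"}},
}

ADMINS = {"tom"}  # constructed: one user who administers every device class


def classify_device(nas_ip: str):
    """Return the device class for a NAS address, or None if it is unknown."""
    addr = ipaddress.ip_address(nas_ip)
    for cls, nets in DEVICE_CLASSES.items():
        if any(addr in net for net in nets):
            return cls
    return None


def authorize(user: str, nas_ip: str, service: str):
    """Return (permit, av_pairs) for one authorization request.

    Unknown users, unknown devices and services that do not belong to the
    device's class are denied instead of falling back to a merged group,
    which is exactly the behaviour a static tac_plus.conf cannot express."""
    if user not in ADMINS:
        return False, {}
    cls = classify_device(nas_ip)
    if cls is None or service not in AV_PAIRS[cls]:
        return False, {}
    return True, dict(AV_PAIRS[cls][service])


def format_av_pairs(pairs):
    """Render pairs one per line, the shape a replacement AV-pair list takes."""
    return "\n".join(f"{k}={v}" for k, v in sorted(pairs.items()))
```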


