[tac_plus] multiple groups per user

Daniel Schmidt daniel.schmidt at wyo.gov
Tue May 14 18:42:58 UTC 2013


Ask on list - probably somebody has used do_auth with Juniper


On Tue, May 14, 2013 at 11:15 AM, Tom Murch <tmurch at tommurch.com> wrote:

> Hi Daniel,
>
> any chance I could get an example config. I am not having much luck.
>
> Tom
>
>
> On Mon, May 13, 2013 at 6:08 PM, Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:
>
>> junos-exec - you can send that in do_auth pairs
>>
>>
>> On Mon, May 13, 2013 at 3:21 PM, Tom Murch <tmurch at tommurch.com> wrote:
>>
>>> How do I pass the service = for two different things? In the
>>> tac_plus.conf or, I think, do_auth.ini?
>>> On May 13, 2013 4:57 PM, "Daniel Schmidt" <daniel.schmidt at wyo.gov>
>>> wrote:
>>>
>>>> Yeah, Cisco does NOT like to get pairs it doesn't understand.  If your
>>>> Juniper and Cisco networks are on different IP spaces, then it should be
>>>> possible by creating a group to match them by IP (device_permit/deny). If
>>>> not, well....
>>>>
>>>> I don't use a lot of Juniper - I think the tac pairs they send are same
>>>> - you can un-comment the part that says "for item in av_pairs:" and take a
>>>> look at the initial pairs they send.  If they are, in fact, different than
>>>> Juniper, I can kluge something to tell the difference like I did with Nexus.
>>>>
>>>> On a side note, I added '/' notation via netaddr to do_auth if anybody
>>>> wants to try it out.  Makes a lot more sense than the regular expressions,
>>>> but requires an egg.
>>>>
>>>>
>>>> On Mon, May 13, 2013 at 11:45 AM, Tom Murch <tmurch at tommurch.com> wrote:
>>>>
>>>>> Hi Daniel,
>>>>>
>>>>> This worked very well, thank you. Is it possible to have multiple
>>>>> service entries? I am not sure how to get around that; as I use both Juniper
>>>>> and Cisco gear, I have an issue with auth using both.
>>>>>
>>>>> Tom
>>>>>
>>>>>
>>>>> On Thu, Mar 14, 2013 at 4:29 PM, Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:
>>>>>
>>>>>> Check out do_auth.py.  Several people have reported it to be very useful.
>>>>>> I've been meaning to do some more work on it and Jathan had some excellent ideas.
>>>>>>
>>>>>> tacacs.org
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: tac_plus-bounces at shrubbery.net
>>>>>> [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Tom Murch
>>>>>> Sent: Thursday, March 14, 2013 12:43 PM
>>>>>> To: tac_plus at shrubbery.net
>>>>>> Subject: [tac_plus] multiple groups per user
>>>>>>
>>>>>> Hello, I am trying to get this working. Reading the mailing list, I was
>>>>>> under the impression this was fixed. I am trying to have the same users
>>>>>> admin both Juniper and HP gear.
>>>>>>
>>>>>> #
>>>>>> # tacacs configuration file
>>>>>> # xxxxx -
>>>>>> # /etc/tac_plus.conf
>>>>>>
>>>>>> # set the key
>>>>>> key = xxxxx
>>>>>>
>>>>>> accounting file = /var/log/tac_plus.acct
>>>>>>
>>>>>> #group accounts
>>>>>>
>>>>>> group = admins {
>>>>>>         ## cli service for junipers
>>>>>>         service = junos-exec {
>>>>>>                 local-user-name = admins
>>>>>>                 allow-commands = "all"
>>>>>>                 allow-configuration = "all"
>>>>>>                 deny-commands = ""
>>>>>>                 deny-configuration = ""
>>>>>>         }
>>>>>> }
>>>>>>
>>>>>> group = admins2 {
>>>>>>         default service = permit
>>>>>>         service = exec {
>>>>>>                 priv-lvl = 15
>>>>>>         }
>>>>>> }
>>>>>>
>>>>>> # users accounts
>>>>>> user = tom {
>>>>>>
>>>>>>         member = admins
>>>>>>         login = des "xxxxx"
>>>>>>         enable = cleartext "xxxxx"
>>>>>>         name = "Thomas Murch"
>>>>>> }
>>>>>>
>>>>>> user = tomhp {
>>>>>>         member = admins2
>>>>>>         login = des "xxxxxx"
>>>>>>         enable = cleartext "xxxx"
>>>>>>         name = "Thomas Murch"
>>>>>> }
>>>>>>
>>>>>> E-Mail to and from me, in connection with the transaction
>>>>>> of public business, is subject to the Wyoming Public Records
>>>>>> Act and may be disclosed to third parties.
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>>
>>
>>
>>
>


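The thread turns on two points: matching the requesting device by address (the '/' prefix notation Daniel added to do_auth) and only handing junos-exec attributes to Juniper devices, because a Cisco box rejects av pairs it does not understand. The following is an added example for this thread, written in Python because do_auth is a Python script; it is a toy model of a tac_plus "after authorization" check and is not do_auth.py or any tac_plus code. The group names, address prefixes, attribute values, script path and the permit exit status are all assumptions; it uses the standard library's ipaddress module in place of the netaddr egg.

```python
"""Toy model of a do_auth-style "after authorization" check for tac_plus.

Added illustration for the mailing-list thread, not code from do_auth.py
or tac_plus.  Groups are matched by device address (CIDR prefixes) and a
group's attributes are returned only for the service the NAS asked for,
so junos-* pairs never reach a Cisco device.  Policy values below are
constructed for the example.
"""
import ipaddress
import sys

# Constructed policy, one entry per device class.  "service" is the value
# the NAS sends in its service= pair: Juniper sends junos-exec, Cisco IOS
# sends shell (which tac_plus.conf spells as "service = exec").
POLICY = {
    "juniper_admins": {
        "device_permit": ["10.10.0.0/16", "192.0.2.0/24"],
        "service": "junos-exec",
        "av_pairs": {
            "local-user-name": "admins",
            "allow-commands": "all",
            "allow-configuration": "all",
            "deny-commands": "",
            "deny-configuration": "",
        },
    },
    "cisco_admins": {
        "device_permit": ["10.20.0.0/16"],
        "service": "shell",
        "av_pairs": {"priv-lvl": "15"},
    },
}

# Constructed user-to-group map (do_auth keeps this in do_auth.ini).
USERS = {"tom": ["juniper_admins", "cisco_admins"]}


def parse_av_pairs(text):
    """Parse av pairs given one per line (as tac_plus writes them to stdin).

    Mandatory pairs use '=', optional ones '*' (RFC 8907 syntax).  The
    earliest separator wins, so a value may itself contain '=' or '*'.
    """
    pairs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        seps = [i for i in (line.find("="), line.find("*")) if i >= 0]
        if not seps:
            raise ValueError("malformed av pair: %r" % line)
        cut = min(seps)
        pairs[line[:cut].strip()] = line[cut + 1:].strip()
    return pairs


def device_in_group(device_ip, group):
    """True if device_ip lies inside one of the group's device_permit prefixes."""
    addr = ipaddress.ip_address(device_ip)
    return any(addr in ipaddress.ip_network(net, strict=False)
               for net in group["device_permit"])


def authorize(user, device_ip, requested):
    """Return the av pairs to send back to the NAS, or None to deny.

    A group is used only if the user belongs to it, the device address is
    in its device_permit list, and the service the NAS asked for is the one
    the group's attributes were written for.  That last test keeps junos-*
    attributes away from a Cisco box even when one user is in both groups.
    """
    service = requested.get("service")
    for name in USERS.get(user, []):
        group = POLICY[name]
        if device_in_group(device_ip, group) and service == group["service"]:
            return dict(group["av_pairs"])
    return None


def main(argv=None):
    """CLI entry; assumed tac_plus.conf hook (path is an assumption):
    after authorization "/usr/bin/python3 /usr/local/bin/check_auth.py $user $address"
    """
    argv = sys.argv[1:] if argv is None else argv
    user, device_ip = argv[0], argv[1]
    pairs = authorize(user, device_ip, parse_av_pairs(sys.stdin.read()))
    if pairs is None:
        return 1  # exit status 1 = deny for a tac_plus authorization script
    for key, value in pairs.items():
        print("%s=%s" % (key, value))
    # Assumption: the status that tells tac_plus to use the printed pairs is
    # taken from tac_plus.conf(5) for the installed version; 0 is a placeholder.
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with the user and device address as arguments and the request's av pairs on stdin; a Juniper address asking for junos-exec gets the junos attributes, a Cisco address asking for shell gets only priv-lvl, and any other combination is denied rather than answered with pairs the device cannot parse.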

