[tac_plus] multiple groups per user
Alan McKinnon
alan.mckinnon at gmail.com
Tue May 14 19:03:36 UTC 2013
Tom,
I haven't gotten around to getting my Junipers to work with tac-plus
yet, but here's a snippet you might find useful. In my tac_plus.conf:
service = exec {
    optional task =
        "r:interface,r:ipv4,r:bgp,r:ospf,r:route-policy,r:static,r:logging"
    idletime = 30
    timeout = 720
}
service = junos-exec {
    local-user-name = level3
}
IOW, IOS and Juniper can at least co-exist on some level :-)
I've long since forgotten what that junos-exec stanza is for or how it
works, but now that I look at it again, I'd say our Junipers do
on-device authorization, much like what you have to do to a Nexus to get
that beast to work.
Hope this helps, or at least gives you a hint :-)
On 14/05/2013 20:42, Daniel Schmidt wrote:
> Ask on list - probably somebody has used do_auth with Juniper
>
>
> On Tue, May 14, 2013 at 11:15 AM, Tom Murch <tmurch at tommurch.com> wrote:
>
>> Hi Daniel,
>>
>> any chance I could get an example config. I am not having much luck.
>>
>> Tom
>>
>>
>> On Mon, May 13, 2013 at 6:08 PM, Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:
>>
>>> junos-exec - you can send that in do_auth pairs
>>>
>>>
>>> On Mon, May 13, 2013 at 3:21 PM, Tom Murch <tmurch at tommurch.com> wrote:
>>>
>>>> How do I pass the service = for two different things? In the
>>>> tac-plus.conf or, I think, do_auth.ini?
>>>> On May 13, 2013 4:57 PM, "Daniel Schmidt" <daniel.schmidt at wyo.gov> wrote:
>>>>
>>>>> Yeah, Cisco does NOT like to get pairs it doesn't understand. If your
>>>>> Juniper and Cisco networks are on different IP spaces, then it should be
>>>>> possible by creating a group to match them by IP (device_permit/deny). If
>>>>> not, well....
>>>>>
>>>>> I don't use a lot of Juniper - I think the tac pairs they send are the same
>>>>> - you can un-comment the part that says "for item in av_pairs:" and take a
>>>>> look at the initial pairs they send. If they are, in fact, different than
>>>>> Juniper, I can kluge something to tell the difference like I did with Nexus.
>>>>>
>>>>> On a side note, I added '/' notation via netaddr to do_auth if anybody
>>>>> wants to try it out. Makes a lot more sense than the regular expressions,
>>>>> but requires an egg.
>>>>>
>>>>>
>>>>> On Mon, May 13, 2013 at 11:45 AM, Tom Murch <tmurch at tommurch.com> wrote:
>>>>>
>>>>>> Hi Daniel,
>>>>>>
>>>>>> This worked very well, thank you. Is it possible to have multiple
>>>>>> service entries? I am not sure how to get around that: as I use both Juniper
>>>>>> and Cisco gear, I have an issue with auth using both.
>>>>>>
>>>>>> Tom
>>>>>>
>>>>>>
>>>>>> On Thu, Mar 14, 2013 at 4:29 PM, Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:
>>>>>>
>>>>>>> Check out do_auth.py. Several people have reported it to be very
>>>>>>> useful. I've been meaning to do some more work on it and Jathan had
>>>>>>> some excellent ideas.
>>>>>>>
>>>>>>> tacacs.org
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: tac_plus-bounces at shrubbery.net
>>>>>>> [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Tom Murch
>>>>>>> Sent: Thursday, March 14, 2013 12:43 PM
>>>>>>> To: tac_plus at shrubbery.net
>>>>>>> Subject: [tac_plus] multiple groups per user
>>>>>>>
>>>>>>> Hello, I am trying to get this working. Reading the mailing list I was
>>>>>>> under the impression this was fixed. I am trying to have the same
>>>>>>> users admin both Juniper and HP gear.
>>>>>>>
>>>>>>> #
>>>>>>> # tacacs configuration file
>>>>>>> # xxxxx -
>>>>>>> # /etc/tac_plus.conf
>>>>>>>
>>>>>>> # set the key
>>>>>>> key = xxxxx
>>>>>>>
>>>>>>> accounting file = /var/log/tac_plus.acct
>>>>>>>
>>>>>>> #group accounts
>>>>>>>
>>>>>>> group = admins {
>>>>>>>     ## cli service for junipers
>>>>>>>     service = junos-exec {
>>>>>>>         local-user-name = admins
>>>>>>>         allow-commands = "all"
>>>>>>>         allow-configuration = "all"
>>>>>>>         deny-commands = ""
>>>>>>>         deny-configuration = ""
>>>>>>>     }
>>>>>>> }
>>>>>>>
>>>>>>> group = admins2 {
>>>>>>>     default service = permit
>>>>>>>     service = exec {
>>>>>>>         priv-lvl = 15
>>>>>>>     }
>>>>>>> }
>>>>>>>
>>>>>>> # users accounts
>>>>>>> user = tom {
>>>>>>>     member = admins
>>>>>>>     login = des "xxxxx"
>>>>>>>     enable = cleartext "xxxxx"
>>>>>>>     name = "Thomas Murch"
>>>>>>> }
>>>>>>>
>>>>>>> user = tomhp {
>>>>>>>     member = admins2
>>>>>>>     login = des "xxxxxx"
>>>>>>>     enable = cleartext "xxxx"
>>>>>>>     name = "Thomas Murch"
>>>>>>> }
>>>>>>> _______________________________________________
>>>>>>> tac_plus mailing list
>>>>>>> tac_plus at shrubbery.net
>>>>>>> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>>>>>>>
>>>>>>> E-Mail to and from me, in connection with the transaction
>>>>>>> of public business, is subject to the Wyoming Public Records
>>>>>>> Act and may be disclosed to third parties.
>>>>>>>
>>>>>>>
>>>>>>
>>
>
>
>
--
Alan McKinnon
alan.mckinnon at gmail.com
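Pulling the thread together as an added example (not a config posted by anyone here): since a tac_plus user can only be a `member` of one group, the fix for Tom's two-user workaround is one group carrying both service stanzas. tac_plus answers each authorization request with only the stanza whose service name the device asked for (IOS/HP request `shell`, matched by `service = exec`; Junos requests `junos-exec`), so Junos pairs never reach a Cisco or HP box. Group name, key and credentials below are placeholders.

```conf
# /etc/tac_plus.conf -- added example, not from the thread; all secrets are placeholders
key = PLACEHOLDER_SHARED_SECRET
accounting file = /var/log/tac_plus.acct

# One group, one membership: each device type pulls only the stanza
# whose service name it requests, so the Junos pairs never reach IOS/HP.
group = netadmins {
    default service = permit

    # IOS / HP: the NAS asks for service=shell, matched here by "exec"
    service = exec {
        priv-lvl = 15
        idletime = 30
    }

    # Junos: the NAS asks for service=junos-exec and does on-device
    # authorization under the local login class named here
    service = junos-exec {
        local-user-name = admins
        allow-commands = "all"
        allow-configuration = "all"
        deny-commands = ""
        deny-configuration = ""
    }
}

# A single account now works against both vendors
user = tom {
    member = netadmins
    login = des "PLACEHOLDER_DES_HASH"
    enable = des "PLACEHOLDER_DES_HASH"
    name = "Thomas Murch"
}
```

Check the result with tac_plus's parse-only mode (`tac_plus -P -C /etc/tac_plus.conf`) before reloading, and watch the accounting file from a Junos and an IOS login to confirm each device received only its own service pairs.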