From mkouhei at gmail.com Fri Nov 1 01:02:07 2013
From: mkouhei at gmail.com (Kouhei Maeda)
Date: Fri, 1 Nov 2013 10:02:07 +0900
Subject: [tac_plus] Extend "default authentication" using "PAM"
In-Reply-To: <20131031194150.GD5792@radiological.warningg.com>
References: <20131031194150.GD5792@radiological.warningg.com>
Message-ID:

2013/11/1 Brandon Ewing:
> On Thu, Oct 31, 2013 at 02:10:52AM +0900, Kouhei Maeda wrote:
>> Hi,
>>
>> I customised the tac_plus-related "default authentication" top-level
>> directive to enable the use of PAM.
>>
>
> Does this patch cover enable authentication as well? Cisco ASA doesn't like
> privilege assignment from TACACS, IIRC.

I understand your question to mean that "enable authentication" is the
authentication when changing to enable mode. If so, the answer is no.
My patch covers only the authentication of logins to network devices, etc.
It does not support changing to enable mode.

Best regards,
--
Kouhei Maeda
KeyID 4096R/7E37CE41

From daniel.schmidt at wyo.gov Sun Nov 3 18:02:14 2013
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Sun, 3 Nov 2013 11:02:14 -0700
Subject: [tac_plus] Extend "default authentication" using "PAM"
In-Reply-To:
References: <20131031194150.GD5792@radiological.warningg.com>
Message-ID:

Does enable even send a username?

On Thu, Oct 31, 2013 at 7:02 PM, Kouhei Maeda wrote:
> I understand your question to mean that "enable authentication" is the
> authentication when changing to enable mode. If so, the answer is no.
> My patch covers only the authentication of logins to network devices, etc.
> It does not support changing to enable mode.
>
> Best regards,
> --
> Kouhei Maeda
> KeyID 4096R/7E37CE41
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus

E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.

From krux at thcnet.net Sun Nov 3 18:13:39 2013
From: krux at thcnet.net (krux at thcnet.net)
Date: Sun, 3 Nov 2013 10:13:39 -0800 (PST)
Subject: [tac_plus] Extend "default authentication" using "PAM"
In-Reply-To:
References: <20131031194150.GD5792@radiological.warningg.com>
Message-ID:

I know that under tac_plus you can set up per-user enable authentication
("enable = "), but setting it to PAM isn't an option. You're stuck with DES,
cleartext, or a file. Cisco ASAs are really the only place where this is a
problem, since they don't let you set the privilege level (by design) from
TACACS.

Of course, is it really any more secure if you have to enter your PAM
password twice? At that point you could just specify "enable = nopassword",
since you've already proven who you are once.

> Does enable even send a username?
perl -e 's==UBER?=+y[:-o]}(;->\n{q-yp-y+k}?print:??;-p#)'

From daniel.schmidt at wyo.gov Mon Nov 4 23:28:11 2013
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Mon, 4 Nov 2013 16:28:11 -0700
Subject: [tac_plus] Extend "default authentication" using "PAM"
In-Reply-To:
References: <20131031194150.GD5792@radiological.warningg.com>
Message-ID:

Ah, yes, I remember this. I tried to fix it once and failed miserably because
I'm not any good at C. Can you hard-set the priv_lvl to 15 on an ASA line the
way you can on a router? Seriously, why does an ASA even have a disable - it's
useless.
On Sun, Nov 3, 2013 at 11:13 AM, wrote:
> I know that under tac_plus you can set up per-user enable authentication
> ("enable = "), but setting it to PAM isn't an option. You're stuck with DES,
> cleartext, or a file. Cisco ASAs are really the only place where this is a
> problem, since they don't let you set the privilege level (by design) from
> TACACS.
>
> Of course, is it really any more secure if you have to enter your PAM
> password twice? At that point you could just specify "enable = nopassword",
> since you've already proven who you are once.
From robert.kristin1979 at gmail.com Tue Nov 5 14:50:43 2013
From: robert.kristin1979 at gmail.com (Robert Kristin)
Date: Tue, 5 Nov 2013 15:50:43 +0100
Subject: [tac_plus] Multi-key or per-device separately tacacs key
Message-ID:

Hi staff,

I am a beginner in Linux, but I like open source projects. I use Tacacs+
downloaded from the homepage http://www.shrubbery.net/tac_plus/ ("tac_plus
version F4.0.4.26").

Everything is running OK with one shared secret tacacs key, but my task is
to run the tacacs+ server with multiple keys. I want to configure a unique
key on each of my Cisco devices. Another option would be to create groups
of devices by location (for example 3 groups: EAST, WEST, MIDDLE) and give
them different keys.

I tried to use the "host" parameter,
but tacacs+ displayed this error message:

    /etc/init.d/tac_plus start
    Starting Tacacs+ server: Error: Unrecognised keyword address for host World on line 31

    host = World {
        welcome banner = "Hello n\n"
        key = QaWsEdRfTgY
        address = 0.0.0.0/0
    }

When I tried to add an additional key to the /etc/tacacs/tac_plus.conf file:

    Key = example123
    Key = pokus123

Tacacs+ displayed this error message:

    /etc/init.d/tac_plus start
    Starting Tacacs+ server: Error: multiply defined key on lines 8 and 9 tac_plus.

Thanks for your ASAP reply.

Yours sincerely,
Robert

From heas at shrubbery.net Tue Nov 5 17:47:07 2013
From: heas at shrubbery.net (heasley)
Date: Tue, 5 Nov 2013 17:47:07 +0000
Subject: [tac_plus] Multi-key or per-device separately tacacs key
In-Reply-To:
References:
Message-ID: <20131105174707.GE52893@shrubbery.net>

Tue, Nov 05, 2013 at 03:50:43PM +0100, Robert Kristin:
> "tac_plus version F4.0.4.26"
>
> Everything is running OK with one shared secret tacacs key, but my task is
> to run the tacacs+ server with multiple keys.
>
> I want to configure a unique key on each of my Cisco devices. Another
> option would be to create groups of devices by location (for example 3
> groups: EAST, WEST, MIDDLE) and give them different keys.
>
> I tried to use the "host" parameter, but tacacs+ displayed this error message:
>
> /etc/init.d/tac_plus start
> Starting Tacacs+ server: Error: Unrecognised keyword address for host World on line 31
>
> host = World {
>     welcome banner = "Hello n\n"
>     key = QaWsEdRfTgY
>     address = 0.0.0.0/0
> }

there is no such keyword welcome or address.

From SG00123446 at TechMahindra.com Wed Nov 6 05:32:46 2013
From: SG00123446 at TechMahindra.com (Sachin.6.Gupta)
Date: Wed, 6 Nov 2013 11:02:46 +0530
Subject: [tac_plus] TACACS+ Authorization via LDAP
Message-ID: <251C71CF3919A942A3A12FDD3CC76101DC11CE0597@SINNODMBX001.TechMahindra.com>

Hi All,

Is it possible to do TACACS+ Authorization via LDAP?
I know that Authentication can be done via LDAP, but is TACACS+ authorization also possible?
Please suggest some configuration examples if possible.

Regards

Disclaimer: This message and the information contained herein is proprietary and confidential and subject to the Tech Mahindra policy statement, you may review the policy at http://www.techmahindra.com/Disclaimer.html externally and http://tim.techmahindra.com/tim/disclaimer.html internally within Tech Mahindra.

From heas at shrubbery.net Wed Nov 6 06:35:22 2013
From: heas at shrubbery.net (heasley)
Date: Wed, 6 Nov 2013 06:35:22 +0000
Subject: [tac_plus] TACACS+ Authorization via LDAP
In-Reply-To: <251C71CF3919A942A3A12FDD3CC76101DC11CE0597@SINNODMBX001.TechMahindra.com>
References: <251C71CF3919A942A3A12FDD3CC76101DC11CE0597@SINNODMBX001.TechMahindra.com>
Message-ID: <20131106063521.GA78952@shrubbery.net>

Wed, Nov 06, 2013 at 11:02:46AM +0530, Sachin.6.Gupta:
> Hi All,
>
> Is it possible to do TACACS+ Authorization via LDAP?
> I know that Authentication can be done via LDAP, but is TACACS+ authorization also possible?

yes, via PAM.

From SG00123446 at TechMahindra.com Wed Nov 6 06:37:12 2013
From: SG00123446 at TechMahindra.com (Sachin.6.Gupta)
Date: Wed, 6 Nov 2013 12:07:12 +0530
Subject: [tac_plus] TACACS+ Authorization via LDAP
In-Reply-To: <20131106063521.GA78952@shrubbery.net>
References: <251C71CF3919A942A3A12FDD3CC76101DC11CE0597@SINNODMBX001.TechMahindra.com> <20131106063521.GA78952@shrubbery.net>
Message-ID: <251C71CF3919A942A3A12FDD3CC76101DC11CE06C9@SINNODMBX001.TechMahindra.com>

Thanks. Can you please provide more details on using PAM (LDAP) for Authorization?
Any links or mails would be helpful.

-----Original Message-----
From: heasley [mailto:heas at shrubbery.net]
Sent: Wednesday, November 06, 2013 12:05 PM
To: Sachin.6.Gupta
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] TACACS+ Authorization via LDAP

yes, via PAM.

From SG00123446 at TechMahindra.com Wed Nov 6 06:42:22 2013
From: SG00123446 at TechMahindra.com (Sachin.6.Gupta)
Date: Wed, 6 Nov 2013 12:12:22 +0530
Subject: [tac_plus] TACACS+ Authorization via LDAP
In-Reply-To: <251C71CF3919A942A3A12FDD3CC76101DC11CE06C9@SINNODMBX001.TechMahindra.com>
References: <251C71CF3919A942A3A12FDD3CC76101DC11CE0597@SINNODMBX001.TechMahindra.com> <20131106063521.GA78952@shrubbery.net> <251C71CF3919A942A3A12FDD3CC76101DC11CE06C9@SINNODMBX001.TechMahindra.com>
Message-ID: <251C71CF3919A942A3A12FDD3CC76101DC11CE06E6@SINNODMBX001.TechMahindra.com>

I found one link which states that Authorization via LDAP is not possible.
http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.html

Quote:
"Currently, tac_plus only allows authentication using pam (since pam is only used for authentication anyway).
Authorizations are still configured within the conf file, no ldap groups allowed :("

Regards
From heas at shrubbery.net Wed Nov 6 17:08:41 2013
From: heas at shrubbery.net (heasley)
Date: Wed, 6 Nov 2013 17:08:41 +0000
Subject: [tac_plus] TACACS+ Authorization via LDAP
In-Reply-To: <251C71CF3919A942A3A12FDD3CC76101DC11CE06E6@SINNODMBX001.TechMahindra.com>
References: <251C71CF3919A942A3A12FDD3CC76101DC11CE0597@SINNODMBX001.TechMahindra.com> <20131106063521.GA78952@shrubbery.net> <251C71CF3919A942A3A12FDD3CC76101DC11CE06C9@SINNODMBX001.TechMahindra.com> <251C71CF3919A942A3A12FDD3CC76101DC11CE06E6@SINNODMBX001.TechMahindra.com>
Message-ID: <20131106170841.GD98326@shrubbery.net>

Wed, Nov 06, 2013 at 12:12:22PM +0530, Sachin.6.Gupta:
> I found one link which states that Authorization via LDAP is not possible.
> http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.html
>
> Quote:
> "Currently, tac_plus only allows authentication using pam (since pam is only used for authentication anyway). Authorizations are still configured within the conf file, no ldap groups allowed :("

sorry, i misread it - there is no facility for authorization via pam (or ldap).
From SG00123446 at TechMahindra.com Thu Nov 7 03:54:04 2013
From: SG00123446 at TechMahindra.com (Sachin.6.Gupta)
Date: Thu, 7 Nov 2013 09:24:04 +0530
Subject: [tac_plus] TACACS+ Authorization via LDAP
In-Reply-To:
<20131106170841.GD98326@shrubbery.net>
References: <251C71CF3919A942A3A12FDD3CC76101DC11CE0597@SINNODMBX001.TechMahindra.com> <20131106063521.GA78952@shrubbery.net> <251C71CF3919A942A3A12FDD3CC76101DC11CE06C9@SINNODMBX001.TechMahindra.com> <251C71CF3919A942A3A12FDD3CC76101DC11CE06E6@SINNODMBX001.TechMahindra.com> <20131106170841.GD98326@shrubbery.net>
Message-ID: <251C71CF3919A942A3A12FDD3CC76101DC11CE122A@SINNODMBX001.TechMahindra.com>

Thanks Heas for clarifying.

However, I need the following: Authentication via LDAP (using PAM, I guess),
and Authorization and Accounting as they happen now. But for Authorization,
how would I configure Users and Groups in TACACS+ when the same would be
configured in LDAP?

Is there a how-to link for this? Authentication via LDAP and Authorization also?

TIA

-----Original Message-----
From: heasley [mailto:heas at shrubbery.net]
Sent: Wednesday, November 06, 2013 10:39 PM
To: Sachin.6.Gupta
Cc: heasley; tac_plus at shrubbery.net
Subject: Re: [tac_plus] TACACS+ Authorization via LDAP

sorry, i misread it - there is no facility for authorization via pam (or ldap).
From daniel.schmidt at wyo.gov Thu Nov 7 15:52:56 2013
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Thu, 7 Nov 2013 08:52:56 -0700
Subject: [tac_plus] TACACS+ Authorization via LDAP
In-Reply-To: <251C71CF3919A942A3A12FDD3CC76101DC11CE122A@SINNODMBX001.TechMahindra.com>
References: <251C71CF3919A942A3A12FDD3CC76101DC11CE0597@SINNODMBX001.TechMahindra.com> <20131106063521.GA78952@shrubbery.net> <251C71CF3919A942A3A12FDD3CC76101DC11CE06C9@SINNODMBX001.TechMahindra.com> <251C71CF3919A942A3A12FDD3CC76101DC11CE06E6@SINNODMBX001.TechMahindra.com> <20131106170841.GD98326@shrubbery.net> <251C71CF3919A942A3A12FDD3CC76101DC11CE122A@SINNODMBX001.TechMahindra.com>
Message-ID:

What would you authorize on? Privilege level or commands? I'm trying to
imagine how ldap authorization would work.

On Wed, Nov 6, 2013 at 8:54 PM, Sachin.6.Gupta wrote:
> Thanks Heas for clarifying.
>
> However, I need the following: Authentication via LDAP (using PAM, I
> guess), and Authorization and Accounting as they happen now. But for
> Authorization, how would I configure Users and Groups in TACACS+ when the
> same would be configured in LDAP?
>
> Is there a how-to link for this? Authentication via LDAP and Authorization also?
>
> TIA
> > > > > ============================================================================================================================Disclaimer: > This message and the information contained herein is proprietary and > confidential and subject to the Tech Mahindra policy statement, you may > review the policy at http://www.techmahindra.com/Disclaimer.html externally and > http://tim.techmahindra.com/tim/disclaimer.html internally within > Tech > Mahindra.============================================================================================================================ > > _______________________________________________ > > tac_plus mailing list > > tac_plus at shrubbery.net > > http://www.shrubbery.net/mailman/listinfo/tac_plus > > > > > ============================================================================================================================Disclaimer: > This message and the information contained herein is proprietary and > confidential and subject to the Tech Mahindra policy statement, you may > review the policy at http://www.techmahindra.com/Disclaimer.html externally and > http://tim.techmahindra.com/tim/disclaimer.html internally within > Tech > Mahindra.============================================================================================================================ > > ============================================================================================================================Disclaimer: > This message and the information contained herein is proprietary and > confidential and subject to the Tech Mahindra policy statement, you may > review the policy at http://www.techmahindra.com/Disclaimer.html externally and > http://tim.techmahindra.com/tim/disclaimer.html internally within > Tech > Mahindra.============================================================================================================================ > _______________________________________________ > tac_plus mailing list > tac_plus at 
From SG00123446 at TechMahindra.com Thu Nov 7 17:25:57 2013
From: SG00123446 at TechMahindra.com (Sachin.6.Gupta)
Date: Thu, 7 Nov 2013 22:55:57 +0530
Subject: [tac_plus] TACACS+ Authorization via LDAP
In-Reply-To:
References: <251C71CF3919A942A3A12FDD3CC76101DC11CE0597@SINNODMBX001.TechMahindra.com> <20131106063521.GA78952@shrubbery.net> <251C71CF3919A942A3A12FDD3CC76101DC11CE06C9@SINNODMBX001.TechMahindra.com> <251C71CF3919A942A3A12FDD3CC76101DC11CE06E6@SINNODMBX001.TechMahindra.com> <20131106170841.GD98326@shrubbery.net> <251C71CF3919A942A3A12FDD3CC76101DC11CE122A@SINNODMBX001.TechMahindra.com>
Message-ID: <251C71CF3919A942A3A12FDD3CC76101DC11BBDD67@SINNODMBX001.TechMahindra.com>

Hi Daniel,

I guess it would be privilege levels, groups, services, and maybe commands
also. Commands would require vendor-specific information also, I guess, so
vendor information would also be required somewhere.

What is confusing to me is that if, suppose, I somehow manage to authenticate
my users with LDAP (not even sure currently how LDAP auth will work), TACACS+
still requires each and every user to be mentioned in the tacacs.conf file,
right? The same would go for groups also, right?

Heas mentioned that PAM LDAP authentication works. Does the current TACACS+
package support this, or do I need some module to be integrated with TACACS+
also?

Regards

________________________________________
From: Daniel Schmidt [daniel.schmidt at wyo.gov]
Sent: Thursday, November 07, 2013 9:22 PM
To: Sachin.6.Gupta
Cc: heasley; tac_plus at shrubbery.net
Subject: Re: [tac_plus] TACACS+ Authorization via LDAP

What would you authorize on? Privilege level or commands?
I'm trying to imagine how ldap authorization would work.

On Wed, Nov 6, 2013 at 8:54 PM, Sachin.6.Gupta wrote:

Thanks Heas for clarifying.

However, I need to do the following: Authentication via LDAP (using PAM I guess) and Authorization and Accounting as it happens.
But for Authorization how would I configure Users and Groups in TACACS+ when the same would be configured in LDAP.

Is there a how to link for this? Authentication via LDAP and Authorization also?

TIA

-----Original Message-----
From: heasley [mailto:heas at shrubbery.net]
Sent: Wednesday, November 06, 2013 10:39 PM
To: Sachin.6.Gupta
Cc: heasley; tac_plus at shrubbery.net
Subject: Re: [tac_plus] TACACS+ Authorization via LDAP

Wed, Nov 06, 2013 at 12:12:22PM +0530, Sachin.6.Gupta:
> I found one link which states that Authorization via LDAP is not possible.
> http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.html
>
> Quote:
> "Currently, tac_plus only allows authentication using pam (since pam is only used for authentication anyway). Authorizations are still configured within the conf file, no ldap groups allowed :("

sorry, i misread it - there is no facility for authorization via pam (or ldap).

> Regards
>
> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Sachin.6.Gupta
> Sent: Wednesday, November 06, 2013 12:07 PM
> To: heasley
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] TACACS+ Authorization via LDAP
>
> Thanks. Can you please provide more details on using PAM (LDAP) for Authorization?
> Any links or mails would be helpful.
>
> -----Original Message-----
> From: heasley [mailto:heas at shrubbery.net]
> Sent: Wednesday, November 06, 2013 12:05 PM
> To: Sachin.6.Gupta
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] TACACS+ Authorization via LDAP
>
> Wed, Nov 06, 2013 at 11:02:46AM +0530, Sachin.6.Gupta:
> > Hi All,
> >
> > Is it possible to do TACACS+ Authorization via LDAP?
> > I know that Authentication can be done via LDAP, but is TACACS+ authorization also possible?
>
> yes, via PAM.
From heas at shrubbery.net Thu Nov 7 17:34:44 2013
From: heas at shrubbery.net (heasley)
Date: Thu, 7 Nov 2013 17:34:44 +0000
Subject: [tac_plus] TACACS+ Authorization via LDAP
In-Reply-To: <251C71CF3919A942A3A12FDD3CC76101DC11CE122A@SINNODMBX001.TechMahindra.com>
References: <251C71CF3919A942A3A12FDD3CC76101DC11CE0597@SINNODMBX001.TechMahindra.com> <20131106063521.GA78952@shrubbery.net> <251C71CF3919A942A3A12FDD3CC76101DC11CE06C9@SINNODMBX001.TechMahindra.com> <251C71CF3919A942A3A12FDD3CC76101DC11CE06E6@SINNODMBX001.TechMahindra.com> <20131106170841.GD98326@shrubbery.net> <251C71CF3919A942A3A12FDD3CC76101DC11CE122A@SINNODMBX001.TechMahindra.com>
Message-ID: <20131107173444.GH38671@shrubbery.net>

Thu, Nov 07, 2013 at 09:24:04AM +0530, Sachin.6.Gupta:
> Thanks Heas for clarifying.
>
> However, I need to do the following: Authentication via LDAP (using PAM I guess) and Authorization and Accounting as it happens.
> But for Authorization how would I configure Users and Groups in TACACS+ when the same would be configured in LDAP.

perhaps use a cron job to dump ldap to build tac_plus.conf via cron?
it occurred to me that you could use an external script to do authorization against ldap. you'd have to write that script.

> Is there a how to link for this? Authentication via LDAP and Authorization also?
>
> TIA
>
> -----Original Message-----
> From: heasley [mailto:heas at shrubbery.net]
> Sent: Wednesday, November 06, 2013 10:39 PM
> To: Sachin.6.Gupta
> Cc: heasley; tac_plus at shrubbery.net
> Subject: Re: [tac_plus] TACACS+ Authorization via LDAP
>
> Wed, Nov 06, 2013 at 12:12:22PM +0530, Sachin.6.Gupta:
> > I found one link which states that Authorization via LDAP is not possible.
> > http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.html
> >
> > Quote:
> > "Currently, tac_plus only allows authentication using pam (since pam is only used for authentication anyway). Authorizations are still configured within the conf file, no ldap groups allowed :("
>
> sorry, i misread it - there is no facility for authorization via pam (or ldap).
>
> > Regards
> >
> > -----Original Message-----
> > From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Sachin.6.Gupta
> > Sent: Wednesday, November 06, 2013 12:07 PM
> > To: heasley
> > Cc: tac_plus at shrubbery.net
> > Subject: Re: [tac_plus] TACACS+ Authorization via LDAP
> >
> > Thanks. Can you please provide more details on using PAM (LDAP) for Authorization?
> > Any links or mails would be helpful.
> >
> > -----Original Message-----
> > From: heasley [mailto:heas at shrubbery.net]
> > Sent: Wednesday, November 06, 2013 12:05 PM
> > To: Sachin.6.Gupta
> > Cc: tac_plus at shrubbery.net
> > Subject: Re: [tac_plus] TACACS+ Authorization via LDAP
> >
> > Wed, Nov 06, 2013 at 11:02:46AM +0530, Sachin.6.Gupta:
> > > Hi All,
> > >
> > > Is it possible to do TACACS+ Authorization via LDAP?
> > > I know that Authentication can be done via LDAP, but is TACACS+ authorization also possible?
> >
> > yes, via PAM.
From SG00123446 at TechMahindra.com Thu Nov 7 17:42:29 2013
From: SG00123446 at TechMahindra.com (Sachin.6.Gupta)
Date: Thu, 7 Nov 2013 23:12:29 +0530
Subject: [tac_plus] TACACS+ Authorization via LDAP
In-Reply-To: <20131107173444.GH38671@shrubbery.net>
References: <251C71CF3919A942A3A12FDD3CC76101DC11CE0597@SINNODMBX001.TechMahindra.com> <20131106063521.GA78952@shrubbery.net> <251C71CF3919A942A3A12FDD3CC76101DC11CE06C9@SINNODMBX001.TechMahindra.com> <251C71CF3919A942A3A12FDD3CC76101DC11CE06E6@SINNODMBX001.TechMahindra.com> <20131106170841.GD98326@shrubbery.net> <251C71CF3919A942A3A12FDD3CC76101DC11CE122A@SINNODMBX001.TechMahindra.com> <20131107173444.GH38671@shrubbery.net>
Message-ID: <251C71CF3919A942A3A12FDD3CC76101DC11BBDD68@SINNODMBX001.TechMahindra.com>

Would I have to write this script to generate the tac_plus.conf file from LDAP or would it be available on the net?
The LDAP server doesn't have to be on the same system. rt? It would be a remote system. So some sort of querying script would be required I guess to dump to the tac_plus.conf file. rt?

Regards
________________________________________
From: heasley [heas at shrubbery.net]
Sent: Thursday, November 07, 2013 11:04 PM
To: Sachin.6.Gupta
Cc: heasley; tac_plus at shrubbery.net
Subject: Re: [tac_plus] TACACS+ Authorization via LDAP

Thu, Nov 07, 2013 at 09:24:04AM +0530, Sachin.6.Gupta:
> Thanks Heas for clarifying.
>
> However, I need to do the following: Authentication via LDAP (using PAM I guess) and Authorization and Accounting as it happens.
> But for Authorization how would I configure Users and Groups in TACACS+ when the same would be configured in LDAP.

perhaps use a cron job to dump ldap to build tac_plus.conf via cron?

it occurred to me that you could use an external script to do authorization against ldap. you'd have to write that script.

> Is there a how to link for this? Authentication via LDAP and Authorization also?
>
> TIA
>
> -----Original Message-----
> From: heasley [mailto:heas at shrubbery.net]
> Sent: Wednesday, November 06, 2013 10:39 PM
> To: Sachin.6.Gupta
> Cc: heasley; tac_plus at shrubbery.net
> Subject: Re: [tac_plus] TACACS+ Authorization via LDAP
>
> Wed, Nov 06, 2013 at 12:12:22PM +0530, Sachin.6.Gupta:
> > I found one link which states that Authorization via LDAP is not possible.
> > http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.html
> >
> > Quote:
> > "Currently, tac_plus only allows authentication using pam (since pam is only used for authentication anyway). Authorizations are still configured within the conf file, no ldap groups allowed :("
>
> sorry, i misread it - there is no facility for authorization via pam (or ldap).
>
> > Regards
> >
> > -----Original Message-----
> > From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Sachin.6.Gupta
> > Sent: Wednesday, November 06, 2013 12:07 PM
> > To: heasley
> > Cc: tac_plus at shrubbery.net
> > Subject: Re: [tac_plus] TACACS+ Authorization via LDAP
> >
> > Thanks. Can you please provide more details on using PAM (LDAP) for Authorization?
> > Any links or mails would be helpful.
> >
> > -----Original Message-----
> > From: heasley [mailto:heas at shrubbery.net]
> > Sent: Wednesday, November 06, 2013 12:05 PM
> > To: Sachin.6.Gupta
> > Cc: tac_plus at shrubbery.net
> > Subject: Re: [tac_plus] TACACS+ Authorization via LDAP
> >
> > Wed, Nov 06, 2013 at 11:02:46AM +0530, Sachin.6.Gupta:
> > > Hi All,
> > >
> > > Is it possible to do TACACS+ Authorization via LDAP?
> > > I know that Authentication can be done via LDAP, but is TACACS+ authorization also possible?
> >
> > yes, via PAM.
From SG00123446 at TechMahindra.com Thu Nov 7 17:46:44 2013
From: SG00123446 at TechMahindra.com (Sachin.6.Gupta)
Date: Thu, 7 Nov 2013 23:16:44 +0530
Subject: [tac_plus] TACACS+ Authorization via LDAP
In-Reply-To:
References: <251C71CF3919A942A3A12FDD3CC76101DC11CE0597@SINNODMBX001.TechMahindra.com> <20131106063521.GA78952@shrubbery.net> <251C71CF3919A942A3A12FDD3CC76101DC11CE06C9@SINNODMBX001.TechMahindra.com> <251C71CF3919A942A3A12FDD3CC76101DC11CE06E6@SINNODMBX001.TechMahindra.com> <20131106170841.GD98326@shrubbery.net> <251C71CF3919A942A3A12FDD3CC76101DC11CE122A@SINNODMBX001.TechMahindra.com> <251C71CF3919A942A3A12FDD3CC76101DC11BBDD67@SINNODMBX001.TechMahindra.com>
Message-ID: <251C71CF3919A942A3A12FDD3CC76101DC11BBDD69@SINNODMBX001.TechMahindra.com>

Thanks Asif,

How are you generating the tac_plus.conf file for all the users?
And where is the group bar defined?

Regards
________________________________________
From: Asif Iqbal [vadud3 at gmail.com]
Sent: Thursday, November 07, 2013 11:14 PM
To: Sachin.6.Gupta
Cc: Daniel Schmidt; tac_plus at shrubbery.net
Subject: Re: [tac_plus] TACACS+ Authorization via LDAP

On Thu, Nov 7, 2013 at 12:25 PM, Sachin.6.Gupta wrote:

Heas mentioned that using PAM LDAP authentication works. Does the current TACACS+ package support this or I need some module to be integrated with TACACS+ also?

I posted on how we use LDAP auth with T+. Here is the link.
YMMV

http://www.shrubbery.net/pipermail/tac_plus/2013-August/001319.html

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

From vadud3 at gmail.com Thu Nov 7 18:24:23 2013
From: vadud3 at gmail.com (Asif Iqbal)
Date: Thu, 7 Nov 2013 13:24:23 -0500
Subject: [tac_plus] TACACS+ Authorization via LDAP
In-Reply-To: <251C71CF3919A942A3A12FDD3CC76101DC11BBDD69@SINNODMBX001.TechMahindra.com>
References: <251C71CF3919A942A3A12FDD3CC76101DC11CE0597@SINNODMBX001.TechMahindra.com> <20131106063521.GA78952@shrubbery.net> <251C71CF3919A942A3A12FDD3CC76101DC11CE06C9@SINNODMBX001.TechMahindra.com> <251C71CF3919A942A3A12FDD3CC76101DC11CE06E6@SINNODMBX001.TechMahindra.com> <20131106170841.GD98326@shrubbery.net> <251C71CF3919A942A3A12FDD3CC76101DC11CE122A@SINNODMBX001.TechMahindra.com> <251C71CF3919A942A3A12FDD3CC76101DC11BBDD67@SINNODMBX001.TechMahindra.com> <251C71CF3919A942A3A12FDD3CC76101DC11BBDD69@SINNODMBX001.TechMahindra.com>
Message-ID:

On Thu, Nov 7, 2013 at 12:46 PM, Sachin.6.Gupta wrote:
> How are you generating the tac_plus.conf file for all the users?
> And where is the group bar defined?
>

You start with a basic config file and populate it over time. You can take a look at the tac_plus.conf man page for a start. There are also example command authorization syntaxes for T+ configs on the cisco and juniper sites.
Cisco and Juniper command authorization are different. So I would recommend to stick with separate instances of tac_plus with separate tac_plus.conf for authorization against cisco and juniper and whatever other vendor's network devices you are using. If you pick LDAP, you will have to have different group names for cisco and juniper since the syntax is different. It would be messy.

My group bar is in the same tac_plus.conf file and that is where I define the authorization commands that are allowed. I have multiple groups and users get the commands based on the group they are assigned.

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

From vadud3 at gmail.com Thu Nov 7 17:44:07 2013
From: vadud3 at gmail.com (Asif Iqbal)
Date: Thu, 7 Nov 2013 12:44:07 -0500
Subject: [tac_plus] TACACS+ Authorization via LDAP
In-Reply-To: <251C71CF3919A942A3A12FDD3CC76101DC11BBDD67@SINNODMBX001.TechMahindra.com>
References: <251C71CF3919A942A3A12FDD3CC76101DC11CE0597@SINNODMBX001.TechMahindra.com> <20131106063521.GA78952@shrubbery.net> <251C71CF3919A942A3A12FDD3CC76101DC11CE06C9@SINNODMBX001.TechMahindra.com> <251C71CF3919A942A3A12FDD3CC76101DC11CE06E6@SINNODMBX001.TechMahindra.com> <20131106170841.GD98326@shrubbery.net> <251C71CF3919A942A3A12FDD3CC76101DC11CE122A@SINNODMBX001.TechMahindra.com> <251C71CF3919A942A3A12FDD3CC76101DC11BBDD67@SINNODMBX001.TechMahindra.com>
Message-ID:

On Thu, Nov 7, 2013 at 12:25 PM, Sachin.6.Gupta wrote:
> Heas mentioned that using PAM LDAP authentication works. Does the current
> TACACS+ package support this or I need some module to be integrated with
> TACACS+ also?

I posted on how we use LDAP auth with T+. Here is the link.
YMMV

http://www.shrubbery.net/pipermail/tac_plus/2013-August/001319.html

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

From SG00123446 at TechMahindra.com Fri Nov 8 03:32:20 2013
From: SG00123446 at TechMahindra.com (Sachin.6.Gupta)
Date: Fri, 8 Nov 2013 09:02:20 +0530
Subject: [tac_plus] TACACS+ Authorization via LDAP
In-Reply-To:
References: <251C71CF3919A942A3A12FDD3CC76101DC11CE0597@SINNODMBX001.TechMahindra.com> <20131106063521.GA78952@shrubbery.net> <251C71CF3919A942A3A12FDD3CC76101DC11CE06C9@SINNODMBX001.TechMahindra.com> <251C71CF3919A942A3A12FDD3CC76101DC11CE06E6@SINNODMBX001.TechMahindra.com> <20131106170841.GD98326@shrubbery.net> <251C71CF3919A942A3A12FDD3CC76101DC11CE122A@SINNODMBX001.TechMahindra.com> <251C71CF3919A942A3A12FDD3CC76101DC11BBDD67@SINNODMBX001.TechMahindra.com> <251C71CF3919A942A3A12FDD3CC76101DC11BBDD69@SINNODMBX001.TechMahindra.com>
Message-ID: <251C71CF3919A942A3A12FDD3CC76101DC11D697B3@SINNODMBX001.TechMahindra.com>

Thanks Asif,

From this I understand that the users in the conf file are manually entered. However, in my case I would prefer to have a cron job (as suggested by Heasley) to dump the users from LDAP to a file for the T+ conf.

For authorization, for commands, I would prefer capturing vendor information in a group and associating commands with them. Depending on the privilege levels of the users, I would assign these groups to users.

I am currently trying to figure out how to dump my ldap users to a txt file.

PS. My ldap server and T+ server would be on remotely separate machines.
Regards

From: Asif Iqbal [mailto:vadud3 at gmail.com]
Sent: Thursday, November 07, 2013 11:54 PM
To: Sachin.6.Gupta
Cc: Daniel Schmidt; tac_plus at shrubbery.net
Subject: Re: [tac_plus] TACACS+ Authorization via LDAP

On Thu, Nov 7, 2013 at 12:46 PM, Sachin.6.Gupta wrote:

How are you generating the tac_plus.conf file for all the users?
And where is the group bar defined?

You start with a basic config file and populate it over time. You can take a look at the tac_plus.conf man page for a start. There are also example command authorization syntaxes for T+ configs on the cisco and juniper sites.

Cisco and Juniper command authorization are different. So I would recommend to stick with separate instances of tac_plus with separate tac_plus.conf for authorization against cisco and juniper and whatever other vendor's network devices you are using. If you pick LDAP, you will have to have different group names for cisco and juniper since the syntax is different. It would be messy.

My group bar is in the same tac_plus.conf file and that is where I define the authorization commands that are allowed. I have multiple groups and users get the commands based on the group they are assigned.

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
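The cron-driven dump that heasley suggests and Sachin plans above, written out as an added example; this is not code from the tac_plus project or from anyone in the thread. It reads an LDIF dump of LDAP groups (the LDIF here is constructed sample data standing in for ldapsearch output), maps LDAP groups to tac_plus groups under a policy table that is an assumption of the example, and emits the group and user stanzas in tac_plus.conf syntax with `login = PAM`, so passwords stay in LDAP while authorization (privilege level and per-command rules) lives in the generated file. The group names, DNs and the policy table are all hypothetical. LDAP groups with no policy entry, and members that are not person entries, produce nothing, so the output fails closed.

```python
#!/usr/bin/env python3
"""Generate tac_plus.conf user/group stanzas from an LDAP group dump.

Added example, not tac_plus project code. SAMPLE_LDIF is constructed data
standing in for an ldapsearch of the group subtree (attributes cn, member);
GROUP_POLICY, the group names and the DIT layout are assumptions.
"""
import re
from collections import OrderedDict

# Constructed sample: three LDAP groups, one of them (payroll) unrelated to
# network access, and one non-person member (a service account with a cn= DN).
SAMPLE_LDIF = """\
dn: cn=net-cisco-admins,ou=groups,dc=example,dc=com
cn: net-cisco-admins
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com

dn: cn=net-cisco-readonly,ou=groups,dc=example,dc=com
cn: net-cisco-readonly
member: uid=bob,ou=people,dc=example,dc=com
member: uid=carol,ou=people,dc=example,dc=com
member: cn=svc-backup,ou=services,dc=example,dc=com

dn: cn=payroll,ou=groups,dc=example,dc=com
cn: payroll
member: uid=dave,ou=people,dc=example,dc=com
"""

# Hypothetical policy: LDAP group -> tac_plus group, most privileged first.
# A user in several mapped groups gets the first match; LDAP groups absent
# from this table grant no network access, so the output fails closed.
GROUP_POLICY = OrderedDict([
    ("net-cisco-admins", {"name": "cisco_admin", "priv_lvl": 15, "cmds": None}),
    ("net-cisco-readonly", {"name": "cisco_ro", "priv_lvl": 1,
                            "cmds": {"show": ["permit .*"], "exit": ["permit .*"]}}),
])

UID_RE = re.compile(r"^uid=([A-Za-z0-9._-]+),", re.IGNORECASE)


def parse_ldif_groups(ldif_text):
    """Return {cn: [member DN, ...]}; unfolds LDIF continuation lines first."""
    unfolded = re.sub(r"\n ", "", ldif_text)
    groups = {}
    for entry in unfolded.strip().split("\n\n"):
        cn, members = None, []
        for line in entry.splitlines():
            if line.startswith("cn: "):
                cn = line[4:].strip()
            elif line.startswith("member: "):
                members.append(line[8:].strip())
        if cn:
            groups[cn] = members
    return groups


def assign_users(groups, policy=GROUP_POLICY):
    """Map each person uid to exactly one tac_plus group (first policy match wins)."""
    assignment = {}
    for ldap_group, tac in policy.items():
        for dn in groups.get(ldap_group, []):
            match = UID_RE.match(dn)
            if not match:   # not a person entry (e.g. cn= service account): skip, never guess
                continue
            assignment.setdefault(match.group(1).lower(), tac["name"])
    return assignment


def render_conf(groups, policy=GROUP_POLICY):
    """Emit group stanzas, then user stanzas (tac_plus wants a group defined
    before 'member =' refers to it). Passwords stay in LDAP via login = PAM."""
    out = ["# generated from LDAP; edit the generator, not this file"]
    for tac in policy.values():
        out.append("group = %s {" % tac["name"])
        if tac["cmds"] is None:
            out.append("    default service = permit")
        out.append("    service = exec {")
        out.append("        priv-lvl = %d" % tac["priv_lvl"])
        out.append("    }")
        # Without 'default service = permit' tac_plus denies any command that
        # no cmd clause matches, so only the allowed commands are listed.
        for cmd, rules in (tac["cmds"] or {}).items():
            out.append("    cmd = %s {" % cmd)
            out.extend("        %s" % rule for rule in rules)
            out.append("    }")
        out.append("}")
    for uid, tac_group in sorted(assign_users(groups, policy).items()):
        out.extend(["user = %s {" % uid, "    login = PAM",
                    "    member = %s" % tac_group, "}"])
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_conf(parse_ldif_groups(SAMPLE_LDIF)), end="")
```

In production the LDIF would come from ldapsearch against the remote directory, the output would be appended to a static head (the shared `key`, accounting file, and so on) and written to a temporary file, checked with `tac_plus -P -C <tempfile>` before being moved into place, and the daemon signalled (SIGUSR1) to re-read it. Two caveats follow from the design: do not add a `user = DEFAULT` stanza to the static head, or every account with a valid PAM password gets in regardless of group membership; and because the file is a snapshot, removing someone from an LDAP group only takes effect at the next cron run, so the interval is the revocation latency. Following Asif's point about Cisco and Juniper syntax differing, a per-vendor policy table rendered into a separate file for each tac_plus instance is the natural extension.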