[tac_plus] Need help with do_auth config

Aaron Wasserott aaron.wasserott at viawest.com
Mon Jun 16 19:02:05 UTC 2014


In both do_auth.ini and tac_plus.conf be sure to spell the special username as "DEFAULT" - minding the upper-case.

Do you have any log entries for that failed attempt in /root/do_auth/do_auth.log?

Does your group doauthaccess have the same settings as the other regular group, other than the addition of after auth?

What device type did you test against? I would test against Cisco IOS to start with until you get it working.

You also might want to try toggling off the "-fix_crs_bug" flag and test login against IOS just to be safe. I've not used that flag before personally.

-----Original Message-----
From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Asif Iqbal
Sent: Sunday, June 15, 2014 5:09 PM
To: tac_plus at shrubbery.net
Subject: [tac_plus] Need help with do_auth config

Let me know if there is a separate mailing list for do_auth related questions.

So I am trying to follow the do_auth.ini syntax and need some help.

I have set up the config file like below and it is failing to authorize.

Here is the do_auth.ini file

[users]
default =
    noprivs
foo =
    newgroup

[newgroup]
host_allow =
    .*
command_permit =
    show configuration.*
device_permit =
    .*

[noprivs]
host_deny =
    .*
device_deny =
    .*
command_deny =
    .*

Here is the error message

Username: iqbala
Password:
% Authorization failed.
Connection closed by foreign host.


Here is the relevant part in tacacs.conf

group = doauthaccess {
    after authorization "/usr/bin/python /root/do_auth/do_auth.pyc -i $address -fix_crs_bug -u $user -d $name -l /root/do_auth/do_auth.log -f /root/do_auth/do_auth.ini"
}

user = foo {
        login = PAM
        member = doauthaccess
}

If I change the member to another group, which is a regular group and not using after authorization, user "foo" can log in fine.

I must not be doing something right.

Please advise.




--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?