[tac_plus] Need help with do_auth config

Asif Iqbal vadud3 at gmail.com
Mon Jun 16 19:30:43 UTC 2014


On Mon, Jun 16, 2014 at 3:02 PM, Aaron Wasserott <aaron.wasserott at viawest.com> wrote:

> In both do_auth.ini and tac_plus.conf be sure to spell the special
> username as "DEFAULT" - minding the upper-case.
>
> Do you have any log entries for that failed attempt in
> /root/do_auth/do_auth.log?
>

2014-06-16 16:54:30,195 [CRITICAL]: Did you forget "default service =
permit" in tac_plus.conf?

That was if I did not have "default service = permit" in the doauthaccess
group.


> Does your group doauthaccess have the same settings as the other regular
> group, other than the addition of after auth?
>

Yes



>
> What device type did you test against? I would test against Cisco IOS to
> start with until you get it working.
>
>
Alcatel Lucent.

OK let me try against cisco



> You also might want to try toggling off the "-fix_crs_bug" flag and test
> login against IOS just to be safe. I've not used that flag before
> personally.
>
>
OK

Thanks



>  -----Original Message-----
> From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Asif
> Iqbal
> Sent: Sunday, June 15, 2014 5:09 PM
> To: tac_plus at shrubbery.net
> Subject: [tac_plus] Need help with do_auth config
>
> Let me know if there is a separate mailing list for do_auth related
> questions.
>
> So I am trying to follow the do_auth.ini syntax and need some help.
>
> I have set up the config file like below and am failing to authorize.
>
> Here is the do_auth.ini file
>
> [users]
> default =
>     noprivs
> foo =
>     newgroup
>
> [newgroup]
> host_allow =
>     .*
> command_permit =
>     show configuration.*
> device_permit =
>     .*
>
> [noprivs]
> host_deny =
>     .*
> device_deny =
>     .*
> command_deny =
>     .*
>
> Here is the error message
>
> Username: iqbala
> Password:
> % Authorization failed.
> Connection closed by foreign host.
>
>
> Here is the relevant part in tacacs.conf
>
> group = doauthaccess {
>     after authorization "/usr/bin/python /root/do_auth/do_auth.pyc -i
> $address -fix_crs_bug -u $user -d $name -l /root/do_auth/do_auth.log -f
> /root/do_auth/do_auth.ini"
> }
>
> user = foo {
>         login = PAM
>         member = doauthaccess
> }
>
> If I change the member to another group which is a regular group and not
> using after authorization, user "foo" can log in fine.
>
> I must not be doing something right.
>
> Please advise.
>
>
>
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus
>



-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20140616/ba90c9e1/attachment.html>
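As an added illustration (not do_auth's or tac_plus's own code), the script below reads the do_auth.ini posted above and answers "would this user be allowed to run this command on this device?", and lints a tac_plus group stanza for the "default service = permit" line that the do_auth log message asks about. The rule order (deny lists before permit lists, first group that grants wins), prefix-anchored matching via re.match, and the mapping of -i $address to "host" and -d $name to "device" are assumptions for the example, not facts taken from the thread; the sample INI and group stanzas are constructed from the post.

```python
"""Toy evaluator for a do_auth-style INI policy plus a tac_plus.conf lint.
Added example, not do_auth's or tac_plus's code.  Assumed (not from the
thread): groups tried in listed order, deny lists checked before permit
lists, first granting group wins; patterns anchored at start (re.match);
'host' is the NAS address (-i $address), 'device' the name (-d $name).
"""
import configparser
import re

# Constructed sample: the do_auth.ini from the original post, verbatim.
SAMPLE_INI = """\
[users]
default =
    noprivs
foo =
    newgroup

[newgroup]
host_allow =
    .*
command_permit =
    show configuration.*
device_permit =
    .*

[noprivs]
host_deny =
    .*
device_deny =
    .*
command_deny =
    .*
"""

# Constructed samples: the group stanza as posted, and with the line the
# do_auth log message points at added.
HOOK = ('after authorization "/usr/bin/python /root/do_auth/do_auth.pyc '
        '-i $address -fix_crs_bug -u $user -d $name '
        '-l /root/do_auth/do_auth.log -f /root/do_auth/do_auth.ini"')
GROUP_AS_POSTED = "group = doauthaccess {\n    " + HOOK + "\n}\n"
GROUP_FIXED = ("group = doauthaccess {\n    default service = permit\n    "
               + HOOK + "\n}\n")


def load_policy(text):
    # interpolation=None so a '%' inside a regex cannot trip configparser.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case; the thread stresses DEFAULT spelling
    cp.read_string(text)
    return cp


def _patterns(cp, section, key):
    """Regexes listed under key, one per continuation line."""
    if not cp.has_option(section, key):
        return []
    return [p.strip() for p in cp.get(section, key).splitlines() if p.strip()]


def _matches(patterns, value):
    return any(re.match(p, value) for p in patterns)


def groups_for(cp, user):
    """Groups for user; an unlisted user falls back to the 'default' entry."""
    key = user if cp.has_option("users", user) else "default"
    return _patterns(cp, "users", key)


def evaluate(cp, user, host, device, command):
    """True if some group grants the command under the assumed rule order."""
    for group in groups_for(cp, user):
        if not cp.has_section(group):
            continue
        if _matches(_patterns(cp, group, "host_deny"), host):
            continue
        if not _matches(_patterns(cp, group, "host_allow"), host):
            continue
        if _matches(_patterns(cp, group, "device_deny"), device):
            continue
        if not _matches(_patterns(cp, group, "device_permit"), device):
            continue
        if _matches(_patterns(cp, group, "command_deny"), command):
            continue
        if _matches(_patterns(cp, group, "command_permit"), command):
            return True
    return False


# Assumes flat 'group = name { ... }' stanzas without nested braces.
_GROUP_RE = re.compile(r"group\s*=\s*(\S+)\s*\{([^}]*)\}")


def groups_missing_default_permit(conf_text):
    """Groups that run an 'after authorization' hook without
    'default service = permit', the condition do_auth's log line names."""
    return [name for name, body in _GROUP_RE.findall(conf_text)
            if "after authorization" in body
            and not re.search(r"default\s+service\s*=\s*permit", body)]


if __name__ == "__main__":
    policy = load_policy(SAMPLE_INI)
    print(evaluate(policy, "foo", "10.0.0.1", "rtr1", "show configuration"))
    print(evaluate(policy, "iqbala", "10.0.0.1", "rtr1", "show configuration"))
    print(groups_missing_default_permit(GROUP_AS_POSTED))
```

Running it shows the two things worth checking before blaming tac_plus: a username that is not listed under [users] (such as the "iqbala" in the login transcript above) falls through to the default entry, which here maps to the all-deny noprivs group, and a group stanza that calls do_auth without "default service = permit" is flagged by the lint.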

