[tac_plus] Need help with do_auth config

Daniel Schmidt daniel.schmidt at wyo.gov
Tue Jun 17 18:31:30 UTC 2014


I've never had an Alcatel Lucent switch to test.  I'm not sure what options
it sends; getopt does not correctly parse missing fields (hence the
-fix_crs_bug option).  When I get time, I need to iterate through
sys.argv[1:] and remove any blank options.


On Mon, Jun 16, 2014 at 1:30 PM, Asif Iqbal <vadud3 at gmail.com> wrote:

> On Mon, Jun 16, 2014 at 3:02 PM, Aaron Wasserott <
> aaron.wasserott at viawest.com> wrote:
>
> > In both do_auth.ini and tac_plus.conf be sure to spell the special
> > username as "DEFAULT" - minding the upper-case.
> >
> > Do you have any log entries for that failed attempt in
> > /root/do_auth/do_auth.log?
> >
>
> 2014-06-16 16:54:30,195 [CRITICAL]: Did you forget "default service =
> permit" in tac_plus.conf?
>
> That was if I did not have "default service = permit" in the doauthaccess
> group.
>
>
> > Does your group doauthaccess have the same settings as the other regular
> > group, other than the addition of after auth?
> >
>
> Yes
>
>
>
> >
> > What device type did you test against? I would test against Cisco IOS to
> > start with until you get it working.
> >
> >
> Alcatel Lucent.
>
> OK let me try against cisco
>
>
>
> > You also might want to try toggling off the "-fix_crs_bug" flag and test
> > login against IOS just to be safe. I've not used that flag before
> > personally.
> >
> >
> OK
>
> Thanks
>
>
>
> >  -----Original Message-----
> > From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Asif
> > Iqbal
> > Sent: Sunday, June 15, 2014 5:09 PM
> > To: tac_plus at shrubbery.net
> > Subject: [tac_plus] Need help with do_auth config
> >
> > Let me know if there is a separate mailing list for do_auth related
> > questions.
> >
> > So I am trying to follow the do_auth.ini syntax and need some help.
> >
> > I have set up the config file like below and am failing to authorize.
> >
> > Here is the do_auth.ini file
> >
> > [users]
> > default =
> >     noprivs
> > foo =
> >     newgroup
> >
> > [newgroup]
> > host_allow =
> >     .*
> > command_permit =
> >     show configuration.*
> > device_permit =
> >     .*
> >
> > [noprivs]
> > host_deny =
> >     .*
> > device_deny =
> >     .*
> > command_deny =
> >     .*
> >
> > Here is the error message
> >
> > Username: iqbala
> > Password:
> > % Authorization failed.
> > Connection closed by foreign host.
> >
> >
> > Here is the relevant part in tacacs.conf
> >
> > group = doauthaccess {
> >     after authorization "/usr/bin/python /root/do_auth/do_auth.pyc -i
> > $address -fix_crs_bug -u $user -d $name -l /root/do_auth/do_auth.log -f
> > /root/do_auth/do_auth.ini"
> > }
> >
> > user = foo {
> >         login = PAM
> >         member = doauthaccess
> > }
> >
> > If I change the member to another group which is a regular group and not
> > using after authorization, user "foo" can login fine.
> >
> > I must not be doing something right.
> >
> > Please advise.
> >
> >
> >
> >
> > --
> > Asif Iqbal
> > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> > A: Because it messes up the order in which people normally read text.
> > Q: Why is top-posting such a bad thing?
> > _______________________________________________
> > tac_plus mailing list
> > tac_plus at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo/tac_plus
> >
>
>
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
>


E-Mail to and from me, in connection with the transaction 
of public business, is subject to the Wyoming Public Records 
Act and may be disclosed to third parties.
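An added illustration (not do_auth's own code, nor anything posted by the participants in this thread) of the parsing problem the reply above describes: when tac_plus expands an empty $name, the token after -d is the next switch, so getopt silently takes "-l" as the device name and stops at the first non-option word, leaving "-f" unparsed. The option letters follow the tac_plus.conf line quoted in this thread; the function names, the flag-stripping step and the sample argv values are assumptions.

```python
"""Sketch of the argv sanitising step proposed in the reply above.

Plain getopt cannot tell a blank field from a legitimate value, so a
missing device name makes it consume the following switch as data.
The hardened parser drops empty tokens and then refuses any option
whose "value" looks like a switch, so a truncated command line fails
loudly instead of being authorised against the wrong config file.
"""
import getopt

SHORT_OPTS = "i:u:d:l:f:"      # -i addr -u user -d device -l log -f ini
FLAGS = {"-fix_crs_bug"}        # bare flags taking no value (assumed set)


def clean_argv(argv):
    """Drop empty tokens, the fix the reply proposes for sys.argv[1:]."""
    return [a for a in argv if a.strip() != ""]


def naive_parse(argv):
    """Plain getopt, for contrast: misparses a missing field silently."""
    opts, leftover = getopt.getopt(list(argv), SHORT_OPTS)
    return dict(opts), leftover


def parse_opts(argv):
    """Return (options, flags); raise ValueError when a field is missing.

    Flags are removed before getopt runs, because getopt would otherwise
    read "-fix_crs_bug" as "-f" with the value "ix_crs_bug".
    """
    flags = {a for a in argv if a in FLAGS}
    rest = clean_argv(a for a in argv if a not in FLAGS)
    opts, leftover = getopt.getopt(rest, SHORT_OPTS)
    parsed = {}
    for opt, val in opts:
        # A value starting with "-" means the real value was blank and
        # getopt swallowed the next switch as this option's argument.
        if val.startswith("-"):
            raise ValueError("missing value for %s (got %r)" % (opt, val))
        parsed[opt] = val
    if leftover:
        # Anything left over is a switch getopt never reached.
        raise ValueError("unparsed arguments: %r" % leftover)
    return parsed, flags
```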

