[tac_plus] Need help with do_auth config

Asif Iqbal vadud3 at gmail.com
Tue Jun 17 18:57:23 UTC 2014


On Tue, Jun 17, 2014 at 2:31 PM, Daniel Schmidt <daniel.schmidt at wyo.gov>
wrote:

> I've never had an Alcatel Lucent switch to test.  I'm not sure what options
> it sends; getopt does not correctly parse missing fields.  (hence the
> -fix_crs_bug option)  When I get time, I need to iterate through
> sys.argv[1:] and remove any blank options.
>

Yes, Alcatel Lucent does not generate any log, not even a DEBUG log, when I
log in to the router, unlike Cisco.

It starts logging only when I start typing on the router after the login,
and/or when I exit or log out of the router.

I can collect some debug log for you to parse. What debug level log do you
need with tac_plus? I usually use "-d 8 -d 16", but I can add more levels.
I can provide some log tonight when they are not busy.




>
>
> On Mon, Jun 16, 2014 at 1:30 PM, Asif Iqbal <vadud3 at gmail.com> wrote:
>
>> On Mon, Jun 16, 2014 at 3:02 PM, Aaron Wasserott <
>> aaron.wasserott at viawest.com> wrote:
>>
>> > In both do_auth.ini and tac_plus.conf be sure to spell the special
>> > username as "DEFAULT" - minding the upper-case.
>> >
>> > Do you have any log entries for that failed attempt in
>> > /root/do_auth/do_auth.log?
>> >
>>
>> 2014-06-16 16:54:30,195 [CRITICAL]: Did you forget "default service =
>> permit" in tac_plus.conf?
>>
>> That was if I did not have "default service = permit" in the doauthaccess
>> group.
>>
>>
>> > Does your group doauthaccess have the same settings as the other regular
>> > group, other than the addition of after auth?
>> >
>>
>> Yes
>>
>>
>>
>> >
>> > What device type did you test against? I would test against Cisco IOS to
>> > start with until you get it working.
>> >
>> >
>> Alcatel Lucent.
>>
>> OK, let me try against Cisco.
>>
>>
>>
>> > You also might want to try toggling off the "-fix_crs_bug" flag and test
>> > login against IOS just to be safe. I've not used that flag before
>> > personally.
>> >
>> >
>> OK
>>
>> Thanks
>>
>>
>>
>> >  -----Original Message-----
>> > From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of
>> Asif
>> > Iqbal
>> > Sent: Sunday, June 15, 2014 5:09 PM
>> > To: tac_plus at shrubbery.net
>> > Subject: [tac_plus] Need help with do_auth config
>> >
>> > Let me know if there is a separate mailing list for do_auth related
>> > questions.
>> >
>> > So I am trying to follow the do_auth.ini syntax and need some help.
>> >
>> > I have setup the config file like below and failing to authorize.
>> >
>> > Here is the do_auth.ini file
>> >
>> > [users]
>> > default =
>> >     noprivs
>> > foo =
>> >     newgroup
>> >
>> > [newgroup]
>> > host_allow =
>> >     .*
>> > command_permit =
>> >     show configuration.*
>> > device_permit =
>> >     .*
>> >
>> > [noprivs]
>> > host_deny =
>> >     .*
>> > device_deny =
>> >     .*
>> > command_deny =
>> >     .*
>> >
>> > Here is the error message
>> >
>> > Username: iqbala
>> > Password:
>> > % Authorization failed.
>> > Connection closed by foreign host.
>> >
>> >
>> > Here is the relevant part in tacacs.conf
>> >
>> > group = doauthaccess {
>> >     after authorization "/usr/bin/python /root/do_auth/do_auth.pyc -i
>> > $address -fix_crs_bug -u $user -d $name -l /root/do_auth/do_auth.log -f
>> > /root/do_auth/do_auth.ini"
>> > }
>> >
>> > user = foo {
>> >         login = PAM
>> >         member = doauthaccess
>> > }
>> >
>> > If I change the member to another group which is regular group and not
>> > using after authorization, user ``foo'' can login fine.
>> >
>> > I must not be doing something right.
>> >
>> > Please advise.
>> >
>> >
>> >
>> >
>>
>>
>>
>


-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

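As an added example (not do_auth's own code), here is how the argument list built from the page's "after authorization" line (-i $address -u $user -d $name -l logfile -f inifile) behaves under Python's getopt when the device leaves $address and $name blank, the "missing fields" case Daniel describes. The option letters, the sample paths and the detection logic are assumptions for illustration.

```python
# Added example, not do_auth's own code. Models the argv that tac_plus hands
# to an after-authorization script and shows two ways a missing field breaks
# plain getopt parsing: the field arrives as '' (case 1) or is dropped from
# the command line entirely, so the next flag is swallowed as its value (case 2).
import getopt

# Assumption: the same option letters as the page's command line.
SHORT_OPTS = "i:u:d:l:f:"
REQUIRED = ("-i", "-u", "-d", "-l", "-f")


def parse_do_auth_args(argv):
    """Parse argv and report every required field that is missing, empty,
    or was consumed as the value of the preceding option.
    An authorization hook should treat any reported problem as a deny
    (fail closed) rather than guess at the caller's intent."""
    opts, positional = getopt.getopt(argv, SHORT_OPTS)
    values = dict(opts)
    problems = []
    for flag in REQUIRED:
        if flag not in values:
            problems.append(f"{flag} missing")
        elif values[flag].startswith("-"):
            # getopt took the next flag as this option's argument
            problems.append(f"{flag} consumed {values[flag]}")
        elif values[flag] == "":
            problems.append(f"{flag} empty")
    if positional:
        # plain getopt stops at the first non-option, leaving the rest unparsed
        problems.append("unexpected positional: " + " ".join(positional))
    return values, problems


# Constructed sample inputs (not real device data): $address and $name absent.
CASE_EMPTY = ["-i", "", "-u", "foo", "-d", "",
              "-l", "/tmp/do_auth.log", "-f", "/tmp/do_auth.ini"]
CASE_DROPPED = ["-i", "-u", "foo", "-d",
                "-l", "/tmp/do_auth.log", "-f", "/tmp/do_auth.ini"]

if __name__ == "__main__":
    for case in (CASE_EMPTY, CASE_DROPPED):
        values, problems = parse_do_auth_args(case)
        print(values, problems)
```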
