[tac_plus] TACPLUS AD Authentication

Asif Iqbal vadud3 at gmail.com
Fri Jun 20 00:06:26 UTC 2014


On Thu, Jun 19, 2014 at 6:52 PM, Daniel Schmidt <daniel.schmidt at wyo.gov>
wrote:

> If you could get the AFL patch in there too, that would be very useful.
>
> https://github.com/ellzey/tac_plus_AFL
>
>
PAM, for our setup, points to corporate LDAP and it already has the AFL
feature. So it locks out an account temporarily after a certain number of
authentication failures.



>
> On Thu, Jun 19, 2014 at 3:58 PM, Asif Iqbal <vadud3 at gmail.com> wrote:
>
>> I ended up patching manually. It's in github.com/asifiqbal/tac_plus,
>> ragzilla branch.
>>  On Jun 19, 2014 5:14 PM, "Daniel Schmidt" <daniel.schmidt at wyo.gov>
>> wrote:
>>
>>> Arg.
>>>
>>> $ patch -p0 < pamenable.patch
>>> patching file tacacs+-F4.0.4.27a/aceclnt_fn.c
>>> Hunk #1 FAILED at 193.
>>> 1 out of 1 hunk FAILED -- saving rejects to file
>>> tacacs+-F4.0.4.27a/aceclnt_fn.c.rej
>>> patching file tacacs+-F4.0.4.27a/config.c
>>> Hunk #1 FAILED at 1220.
>>> Hunk #2 FAILED at 1908.
>>> 2 out of 2 hunks FAILED -- saving rejects to file
>>> tacacs+-F4.0.4.27a/config.c.rej
>>> patching file tacacs+-F4.0.4.27a/enable.c
>>> Hunk #1 FAILED at 53.
>>> 1 out of 1 hunk FAILED -- saving rejects to file
>>> tacacs+-F4.0.4.27a/enable.c.rej
>>> patching file tacacs+-F4.0.4.27a/pwlib.c
>>> Hunk #2 succeeded at 592 with fuzz 1.
>>> patching file tacacs+-F4.0.4.27a/tacacs.h
>>> patch unexpectedly ends in middle of line
>>> Hunk #1 FAILED at 482.
>>> 1 out of 1 hunk FAILED -- saving rejects to file
>>> tacacs+-F4.0.4.27a/tacacs.h.rej
>>>
>>>
>>>
>>> On Thu, Jun 19, 2014 at 10:40 AM, Asif Iqbal <vadud3 at gmail.com> wrote:
>>>
>>>>
>>>>
>>>>
>>>> On Wed, Apr 16, 2014 at 10:54 AM, Daniel Schmidt <
>>>> daniel.schmidt at wyo.gov> wrote:
>>>>
>>>>> I guess that would work if you wanted EVERY AD user to have access. Full
>>>>> access, at that.
>>>>>
>>>>> If you priv_15 everybody, they shouldn't need an enable password. Doesn't
>>>>> seem to work for the ASA though. Give everybody one generic enable
>>>>> password maybe.
>>>>>
>>>>
>>>>
>>>>
>>>> Or maybe include this patch that Matt Addison is referring to in the
>>>> original code?
>>>>
>>>> https://gist.github.com/ragzilla/11297928
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>
>>>>> On Wed, Apr 16, 2014 at 8:47 AM, Linda Slater <lslater at yorku.ca>
>>>>> wrote:
>>>>>
>>>>> > Couple questions:
>>>>> >
>>>>> > I am using PAM_LDAP to authenticate our users via AD. The additional
>>>>> > requirements are now:
>>>>> >
>>>>> > 1. No usernames in the Tac+ config file; I will define only groups and
>>>>> > use AD groupings to decide if that user can be allowed to access a
>>>>> > network device. Does anyone have any examples using this method?
>>>>> > Currently, I have the user name ...... login = PAM, listed in the
>>>>> > tac...config file.
>>>>> >
>>>>> > 2. Each user that logs into the network device must use their AD
>>>>> > password to gain enable access to the network device. Is anyone using
>>>>> > this method to allow users enable access, given that the Tac+ enable
>>>>> > password cannot be pointed to PAM? Each user will be using their own
>>>>> > AD login credentials.
>>>>> >
>>>>> > Regards,
>>>>> > Linda Slater | Senior Network Designer, Network Development | University
>>>>> > Information Technology
>>>>> > 010 Steacie Science and Engineering Library | York University | 4700 Keele
>>>>> > St., Toronto ON Canada M3J 1P3
>>>>> > T: +1.416.736.2100 ext 22733 | F: +1.416.736.5830 | lslater at yorku.ca |
>>>>> > www.yorku.ca
>>>>> >
>>>>> > York UIT will NEVER send unsolicited requests for passwords or other
>>>>> > personal information via email. Messages requesting such information are
>>>>> > fraudulent and should be deleted.
>>>>> > _______________________________________________
>>>>> > tac_plus mailing list
>>>>> > tac_plus at shrubbery.net
>>>>> > http://www.shrubbery.net/mailman/listinfo/tac_plus
>>>>> >
>>>>>
>>>>>
>>>>> E-Mail to and from me, in connection with the transaction
>>>>> of public business, is subject to the Wyoming Public Records
>>>>> Act and may be disclosed to third parties.
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Asif Iqbal
>>>> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
>>>> A: Because it messes up the order in which people normally read text.
>>>> Q: Why is top-posting such a bad thing?
>>>>
>>>>
>>>
>>>
>>>
>
>
>


-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
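Added example, not code from any poster in this thread: a tac_plus.conf that answers Linda's first question (no per-user entries, password check handed to PAM, privilege granted by group) using the priv-lvl 15 approach Daniel describes, so IOS devices drop authenticated users straight into privileged EXEC without an enable password. The group name, the key placeholder and the log path are assumptions; restricting which AD group may log in at all is left to the PAM/LDAP stack, as in the thread, because tac_plus only sees PAM's pass/fail result.

```conf
# tac_plus.conf (added example; group name, key and paths are placeholders)

# Shared secret with the network devices (placeholder, not a real key).
key = "REPLACE-WITH-SHARED-SECRET"

# Where to write accounting records (path is an assumption).
accounting file = /var/log/tac_plus.acct

# No per-user entries: any username that is not listed explicitly falls
# through to DEFAULT, which hands the password check to PAM (and from there
# to pam_ldap against AD). Requires a tac_plus built with PAM support.
# Which AD group is allowed to authenticate must be enforced in the PAM
# stack, not here; tac_plus never sees group membership, only pass/fail.
user = DEFAULT {
    login = PAM
    member = netadmins
}

# Everyone who authenticates lands in this group with priv-lvl 15, so IOS
# places them in privileged EXEC and no enable password is needed.
# As noted in the thread, the ASA still prompts for enable, and an
# unpatched tac_plus cannot point "enable =" at PAM.
group = netadmins {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}
```

Because DEFAULT matches every name PAM accepts, a lockout or group filter on the PAM/LDAP side is the only thing standing between an arbitrary AD account and priv-lvl 15 on every device, so that filter deserves the same review as this file.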