[tac_plus] do_auth and aaa authorization not working with Foundry ServerIronXL load-balancers

Aaron Wasserott aaron.wasserott at viawest.com
Fri Mar 14 23:45:19 UTC 2014 

I enabled debugging and recompiled do_auth.py. However I found two lines that generate an error. I couldn't figure out how to fix them so I left them commented out. There were 14 other DEBUG lines I uncommented that compiled successfully.

### Line 339:

  File "do_auth-debug.py", line 339
    log_file.write('Hello World!' + '\n')
                                        ^
IndentationError: unindent does not match any outer indentation level

### Line 375: 

  File "do_auth-debug.py", line 375
    return_pairs = av_pairs[2:]
                              ^
IndentationError: unindent does not match any outer indentation level



Here is the log output from do_auth.log. Both of them are with 'aaa authorization exec' enabled on the ServerIron:

### do_auth.log with -D switch off

service=shell
cmd*
priv-lvl=15
Thing:priv-lvl
Thing:15

not len(the_command) > 0
Returning:priv-lvl=15
2014-03-14 17:27:36: User 'testuser' granted access to device '10.99.1.11' in group 'test-group' from '10.33.144.34'
Exiting status 2

### do_auth.log with -D switch on

service=shell
cmd=show
cmd-arg=users
cmd-arg=wide
cmd-arg=<cr>
show users wide
2014-03-14 17:39:59: User 'testuser' allowed command 'show users wide' to device '10.99.1.11' in 'test-group'->'command_permit'



-----Original Message-----
From: heasley [mailto:heas at shrubbery.net] 
Sent: Friday, March 14, 2014 4:39 PM
To: Aaron Wasserott
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] do_auth and aaa authorization not working with Foundry ServerIronXL load-balancers

Fri, Mar 14, 2014 at 04:17:00PM +0000, Aaron Wasserott:
> I have many ancient Foundry  ServerIronXL load-balancers. They work fine with basic TACACS AAA but when I implement do_auth I cannot login. I noticed some interesting behavior, that if I either turn off authorization or enable do_auth debugging it will work.
> 
> Below are tacacs debug outputs for the 3 scenarios with do_auth. 1) with authorization and it fails. 2)  without authorization and it passes. 3) with authorization and with debugging and it passes. Doing a compare, between scenario 1 and 3 it appears the root issue is that without debugging, do_auth will send AUTHOR/PASS_REPL and with debugging it will send AUTHOR/PASS_ADD. If you paste the entire debug output (with header) below into a text editor, this in on line 115. Shortly after that on line 138 there are other differences, and w/o debugging it either sends or receives (I can't tell) data not sent/received with debugging. Also notice that w/o debugging it never receives the username. Then w/o debugging it gets a null packet when it expects a continue, pointing to the ServerIron not liking something sent to it.
> 
> I am hoping to find a way to modify how do_auth communicates with the ServerIron's that leaves debugging off, and authorization on.

i believe something is missing; the do-auth script is exiting with value 2 but not writing the AVPs or the AVPs are empty.  There are many debugging messages in the script that are commented out.  you should uncomment them and try the script; there are only two places where it exits with code 2.
it may be that it should be exiting with code 1.

More information about the tac_plus mailing list