From vadud3 at gmail.com Thu Apr 2 12:05:55 2015
From: vadud3 at gmail.com (Asif Iqbal)
Date: Thu, 2 Apr 2015 08:05:55 -0400
Subject: [tac_plus] Authentication using Likewise and AD

On Tue, Mar 31, 2015 at 9:29 AM, Matt Almgren wrote:
> I've been over that guide several times. When I use the entire library
> stack as shown in that

I am assuming you also read the "notes" section on that same paragraph? It shows to use login = PAM.

You want to try to talk to LDAP directly, maybe, instead of using the Likewise format of userid at domain.

> [..]

-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

From matta at surveymonkey.com Thu Apr 2 13:21:11 2015
From: matta at surveymonkey.com (Matt Almgren)
Date: Thu, 2 Apr 2015 13:21:11 +0000
Subject: [tac_plus] Authentication using Likewise and AD

You assumed correctly. I've read and read and talked to people. In the end, I gave up trying to get Likewise to work. I installed pam_ldap, said "no" to overwriting existing config files, configured my LDAP client, and it's all working great now.

I followed the info here: http://www.shrubbery.net/pipermail/tac_plus/2014-March/001407.html

I modified the first two files it mentioned since I wasn't running OpenLDAP. I had to make one small change and that was the "base" was just the DC and then the "binddn" was the whole LDAP attribute line.

Thanks for all the suggestions!

-- Matt

From matta at surveymonkey.com Tue Apr 7 18:41:44 2015
From: matta at surveymonkey.com (Matt Almgren)
Date: Tue, 7 Apr 2015 18:41:44 +0000
Subject: [tac_plus] Change logfile location?

I have set up tac_plus F4.0.4.28 on Ubuntu 14.04.1 LTS with the following configure command:

./configure --bindir=/usr/local/bin --sbindir=/usr/local/sbin --localstatedir=/var/local/tacacs --sysconfdir=/etc --with-logfile=/var/log/tacacs/tacacs --with-pidfile=/var/run/tacacs.pid --with-acctfile=/var/log/tacacs/acctfile

I noticed that the default tac_plus log file was /var/log/syslog. I added this to the init script command line: -l /var/log/tacacs/tac_plus.log in hopes it would change to only logging there.

I see the newly created log file logging... BUT, I'm also seeing logging in /var/log/syslog for the same output. Is there any way to stop it from logging to syslog?

Thanks,
Matt

From heas at shrubbery.net Tue Apr 7 19:44:52 2015
From: heas at shrubbery.net (heasley)
Date: Tue, 7 Apr 2015 19:44:52 +0000
Subject: [tac_plus] Change logfile location?

Tue, Apr 07, 2015 at 06:41:44PM +0000, Matt Almgren:
> I see the newly created log file logging... BUT, I'm also seeing logging in /var/log/syslog for the same output. Is there any way to stop it from logging to syslog?

It really just uses -l for debugging output. It wants to log to syslog for everything else.

From matta at surveymonkey.com Tue Apr 7 20:05:46 2015
From: matta at surveymonkey.com (Matt Almgren)
Date: Tue, 7 Apr 2015 20:05:46 +0000
Subject: [tac_plus] Change logfile location?

So there's no configurable option? When I had this installed on a CentOS6 box, it wrote the logs to /var/log/tac_plus.log without me having to configure it.

-- Matt

From alan.mckinnon at gmail.com Tue Apr 7 20:07:53 2015
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Tue, 07 Apr 2015 22:07:53 +0200
Subject: [tac_plus] Change logfile location?

On 07/04/2015 22:05, Matt Almgren wrote:
> So there's no configurable option? When I had this installed on a
> CentOS6 box, it wrote the logs to /var/log/tac_plus.log without me having
> to configure it.

It's syslog doing that; tac_plus can't change what syslog does. Configure your syslogger to write the logs where you want them.

-- 
Alan McKinnon
alan.mckinnon at gmail.com

From heas at shrubbery.net Tue Apr 7 20:18:15 2015
From: heas at shrubbery.net (heasley)
Date: Tue, 7 Apr 2015 20:18:15 +0000
Subject: [tac_plus] Change logfile location?

Tue, Apr 07, 2015 at 10:07:53PM +0200, Alan McKinnon:
> On 07/04/2015 22:05, Matt Almgren wrote:
> > So there's no configurable option? When I had this installed on a
> > CentOS6 box, it wrote the logs to /var/log/tac_plus.log without me having
> > to configure it.

Writing to syslog avoids the issues of locking and multiple daemons writing to the same file.

> It's syslog doing that, tac_plus can't change what syslog does.
> Configure your syslogger to write the logs where you want them.

From matta at surveymonkey.com Tue Apr 7 23:29:09 2015
From: matta at surveymonkey.com (Matt Almgren)
Date: Tue, 7 Apr 2015 23:29:09 +0000
Subject: [tac_plus] f5 authentication wants to use PAP

Almost there guys...

So I've followed all the online guides of how to set up f5 with TAC+. In fact, I've done this probably a dozen times with f5 LTM running 11.4.x. These particular f5s all have 11.6.x on them. Not sure if that makes a difference.

My tac_plus.conf looks like this:

group = admin {
    service = ppp protocol = ip {
        F5-LTM-User-Info-1 = adm
    }
}

user = matta-user {
    default service = permit
    name = "Matt Almgren"
    member = admin
    #login = PAM
}

I've set up the f5 to use tacacs with service=ppp, protocol=ip. I've triple-checked the shared key (and as shown below, it's fine). I've created a remote role with the above attribute string with Administrator and tmsh rights.

I see this on the f5 /var/log/audit logs:

Apr 7 15:10:15 lb-foo err sshd[28512]: pam_tacplus: auth failed: Login incorrect
Apr 7 15:10:15 lb-foo alert sshd[28512]: pam_unix(sshd:auth): check pass; user unknown
Apr 7 15:10:15 lb-foo notice sshd[28512]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1

And I can't log in. Even disabling PAM and using DES keys (which always works) doesn't seem to work here.

HOWEVER, I have gotten it to work by adding this to the tac_plus.conf user stanza:

login = cleartext "abc123"
pap = cleartext "abc123"

So something with PAP works... But I want to use PAM and LDAP and not store passwords in the config file, let alone in cleartext! How can I fix this and make it work correctly?

Thanks for all the help... almost done with this deployment. :)

-- Matt

Matt Almgren, Sr. Networking Engineer, SurveyMonkey

From matta at surveymonkey.com Tue Apr 7 23:31:16 2015
From: matta at surveymonkey.com (Matt Almgren)
Date: Tue, 7 Apr 2015 23:31:16 +0000
Subject: [tac_plus] f5 authentication wants to use PAP

Oh, and this is a typo leftover from my testing. The correct stanza which I want to work is below (login not commented out.)

user = matta-user {
    default service = permit
    name = "Matt Almgren"
    member = admin
    login = PAM
}

From daniel.schmidt at wyo.gov Tue Apr 7 23:38:45 2015
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Tue, 7 Apr 2015 17:38:45 -0600
Subject: [tac_plus] f5 authentication wants to use PAP

Kinda sounds nx-os. Have you tried pap = PAM?

From matta at surveymonkey.com Wed Apr 8 15:33:21 2015
From: matta at surveymonkey.com (Matt Almgren)
Date: Wed, 8 Apr 2015 15:33:21 +0000
Subject: [tac_plus] f5 authentication wants to use PAP

Hi Daniel, thanks for the tip. I also saw this last night which said the same thing: http://conzetti.blogspot.com/2013/03/tacplus-freeipa-and-f5.html?m=1

I tried that and it worked perfectly! Thanks for the help!

-- Matt

From Michael.Josten at hs-niederrhein.de Fri Apr 10 08:44:53 2015
From: Michael.Josten at hs-niederrhein.de (Josten, Michael)
Date: Fri, 10 Apr 2015 10:44:53 +0200
Subject: [tac_plus] Tac_Plus init script does not stop daemon

Hello,

we are running tac_plus F4.0.4.28 compiled with PAM support on a debian wheezy box. We recently noticed that the init script isn't stopping the tacacs daemon at all. The PID remains the same and the pid file under /var/run remains untouched. A "kill" does fix it but I think this is a dirty solution.

The PID file and daemon both belong to root; I've read in some PAM stack tac_plus guide that tac+ has to be run as root as it couldn't communicate with the pam stack otherwise.

Currently I don't know how to fix this, I hope you can help me.

Pastebin link to init script: http://pastebin.com/YARCkGni

Michael Josten
IT Operations, KIS - Communication and Information Systems Service
Hochschule Niederrhein (Niederrhein University of Applied Sciences)
Email: michael.josten at hs-niederrhein.de
www.hs-niederrhein.de
From josem.junk at gmail.com Thu Apr 9 20:01:24 2015
From: josem.junk at gmail.com (Jose Martinez)
Date: Thu, 9 Apr 2015 15:01:24 -0500
Subject: [tac_plus] Logging not working correct in tac_plus

Hi all,

I have a new installation of tac_plus and I'm trying to send logging to its own log file instead of the syslog.

I have this in my config file:

accounting file = /var/log/tac_plus.acct

but the file is never created. I do see logs in my /var/log/syslog file though. Why is it going to syslog?

Thanks for any help.

From john at op-sec.us Sat Apr 11 00:53:43 2015
From: john at op-sec.us (John Fraizer)
Date: Fri, 10 Apr 2015 17:53:43 -0700
Subject: [tac_plus] Logging not working correct in tac_plus

Only ACCOUNTING records will be logged to that file. Do you have your devices configured to send accounting records to t+?

John Fraizer
From m4rtntns at gmail.com Mon Apr 13 08:54:37 2015
From: m4rtntns at gmail.com (Martin T)
Date: Mon, 13 Apr 2015 11:54:37 +0300
Subject: [tac_plus] What part of tac_plus daemon configuration does "aaa authorization exec default group tacacs+" command in Cisco IOS TACACS+ client check?

Hi,

in the Cisco IOS TACACS+ client there is a command "aaa authorization exec default group tacacs+". Am I correct that all this command does is force the TACACS+ client to take into account the "service = exec" configuration snippet in the tac_plus daemon configuration file? For example:

service = exec {
    priv-lvl = 15
    autocmd = "show version"
}

thanks,
Martin

From krux at thcnet.net Tue Apr 14 15:45:38 2015
From: krux at thcnet.net (Krux)
Date: Tue, 14 Apr 2015 08:45:38 -0700
Subject: [tac_plus] What part of tac_plus daemon configuration does "aaa authorization exec default group tacacs+" command in Cisco IOS TACACS+ client check?

Authorization exec is used to tell the Cisco device to use the privilege level specified by the TACACS+ server when logging in, for example privilege level 15. This means you don't have to issue the enable command. It is also required if you want to use features like the scp server to push firmware to your device, since the scp server requires that your exec level be 15 on login.

From mus3 at lehigh.edu Tue Apr 14 16:28:42 2015
From: mus3 at lehigh.edu (Munroe Sollog)
Date: Tue, 14 Apr 2015 12:28:42 -0400
Subject: [tac_plus] cmd=connect

I'm using tac_plus as an audit history for all users, and I'm noticing that the accounting log is logging:

cmd=connect

I believe it is whenever someone types in 'enable' '<password>'.

Does this make sense, and if so any advice on how to get tac_plus to not save the password in the audit log?

For reference:

$ tac_plus -v
tac_plus version F4.0.4.27a
ACLS
FIONBIO
LIBWRAP
LINUX
LITTLE_ENDIAN
LOG_DAEMON
PAM
NO_PWAGE
REAPCHILD
RETSIGTYPE RETSIGTYPE
SHADOW_PASSWORDS
SIGTSTP
SIGTTIN
SIGTTOU
SO_REUSEADDR
STRERROR
TAC_PLUS_PORT
UENABLE
__STDC__

Thanks.

-- 
Munroe Sollog
LTS - Network Analyst

From heas at shrubbery.net Tue Apr 14 16:39:09 2015
From: heas at shrubbery.net (heasley)
Date: Tue, 14 Apr 2015 16:39:09 +0000
Subject: [tac_plus] cmd=connect

Tue, Apr 14, 2015 at 12:28:42PM -0400, Munroe Sollog:
> I believe it is whenever someone types in 'enable' '<password>'
>
> Does this make sense, and if so any advice on how to get tac_plus to not save the password in the
> audit log?

It could be; the contents come from the device, not from the tacacs daemon. There is a connect command on some Ciscos that connects to linecards and remote systems, and other devices may have such a command.

From john at op-sec.us Tue Apr 14 16:41:25 2015
From: john at op-sec.us (John Fraizer)
Date: Tue, 14 Apr 2015 09:41:25 -0700
Subject: [tac_plus] cmd=connect

Provide the entire accounting record rather than a description of it and we'll be able to help you more. But, that is not what tac_plus would show when a user goes into enable.

This is what it shows from an Arista:

Apr 14 16:33:36 10.244.165.35 jfraizer ssh 192.168.56.1 stop task_id=21 service=shell priv-lvl=1 start_time=1429029214 timezone=UTC cmd=enable

And here is what it shows from a Cisco CSR1000v:

Apr 14 16:34:43 10.244.165.36 jfraizer tty1 192.168.56.1 stop task_id=3 timezone=UTC service=shell priv-lvl=1 cmd=enable

-- 
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
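As an added example (written for this archive page, not code from the thread or from tac_plus): a parser for accounting records of the shape John quotes above, plus a scrubber that redacts the argument of a 'connect' command before the record is forwarded to a SIEM, since the follow-up in this thread shows that is where a secret typed at an already-enabled prompt ends up. The field order (timestamp, NAS, user, port, remote address, start/stop flag, then AV pairs) is read off the quoted records; the set of commands to redact is an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Records copied from this thread (the third one is the mistyped-secret case).
SAMPLE_RECORDS = [
    "Apr 14 16:33:36 10.244.165.35 jfraizer ssh 192.168.56.1 stop task_id=21 "
    "service=shell priv-lvl=1 start_time=1429029214 timezone=UTC cmd=enable",
    "Apr 14 16:34:43 10.244.165.36 jfraizer tty1 192.168.56.1 stop task_id=3 "
    "timezone=UTC service=shell priv-lvl=1 cmd=enable",
    "Apr 14 16:42:47 10.244.165.35 jfraizer tty1 192.168.56.1 stop task_id=6 "
    "timezone=UTC service=shell priv-lvl=1 cmd=connect somepassword",
]

# Commands whose argument is replaced before the record leaves the box.
# 'connect' is the one this thread shows swallowing an enable secret; the
# set is an assumption, extend it per platform.
REDACT_ARGUMENT_OF = {"connect"}


@dataclass
class AcctRecord:
    timestamp: str
    nas: str
    user: str
    port: str
    rem_addr: str
    flag: str  # start / stop / update
    av: Dict[str, str] = field(default_factory=dict)


def parse_record(line: str) -> AcctRecord:
    """Split one accounting line into its fixed fields and AV pairs.

    A token without '=' continues the previous value, which is how
    'cmd=connect somepassword' keeps its argument (an argument that itself
    contains '=' would be split; cmd is normally the last pair anyway)."""
    tokens = line.split()
    if len(tokens) < 8:
        raise ValueError("not a tac_plus accounting record: %r" % line)
    timestamp = " ".join(tokens[:3])
    nas, user, port, rem_addr, flag = tokens[3:8]
    av: Dict[str, str] = {}
    last_key = None
    for tok in tokens[8:]:
        if "=" in tok:
            last_key, value = tok.split("=", 1)
            av[last_key] = value
        elif last_key is not None:
            av[last_key] += " " + tok
        else:
            raise ValueError("AV pair expected after fixed fields: %r" % line)
    return AcctRecord(timestamp, nas, user, port, rem_addr, flag, av)


def redact_command(cmd: str) -> Tuple[str, bool]:
    """Return (command with its argument redacted if listed, whether it changed)."""
    words = cmd.split()
    if len(words) > 1 and words[0] in REDACT_ARGUMENT_OF:
        return words[0] + " [REDACTED]", True
    return cmd, False


def scrub_line(line: str) -> Tuple[str, bool]:
    """Rewrite one raw record so the redacted cmd= value replaces the original."""
    rec = parse_record(line)
    cmd = rec.av.get("cmd")
    if cmd is None:
        return line, False
    new_cmd, changed = redact_command(cmd)
    if not changed:
        return line, False
    return line.replace("cmd=" + cmd, "cmd=" + new_cmd, 1), True


def scrub_all(lines: List[str]) -> Tuple[List[str], List[AcctRecord]]:
    """Scrub a batch; also return the records that were touched, so the
    operator can be told they probably typed a secret at the CLI."""
    out, flagged = [], []
    for line in lines:
        scrubbed, changed = scrub_line(line)
        out.append(scrubbed)
        if changed:
            flagged.append(parse_record(scrubbed))
    return out, flagged


if __name__ == "__main__":
    clean, flagged = scrub_all(SAMPLE_RECORDS)
    for line in clean:
        print(line)
    for rec in flagged:
        print("flag: %s on %s (%s) sent %r" % (rec.user, rec.nas, rec.port, rec.av["cmd"]))
```

Run this between tac_plus's accounting file and whatever ships it; the unscrubbed file on the server still needs the same file permissions you would give any log that may contain credentials.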
URL: From john at op-sec.us Tue Apr 14 16:48:09 2015 From: john at op-sec.us (John Fraizer) Date: Tue, 14 Apr 2015 09:48:09 -0700 Subject: [tac_plus] cmd=connect In-Reply-To: References: <552D403A.2060205@lehigh.edu> Message-ID: I just figured out what you're seeing. lab1-c2#en lab1-c2#somepassword Translating "somepassword" % Bad IP address or host name Translating "somepassword" % Unknown command or computer name, or unable to find computer address lab1-c2# Produces this: Apr 14 16:42:42 10.244.165.35 jfraizer tty1 192.168.56.1 start task_id=5 timezone=UTC service=shell Apr 14 16:42:44 10.244.165.35 jfraizer tty1 192.168.56.1 stop task_id=5 timezone=UTC service=shell priv-lvl=0 cmd=enable Apr 14 16:42:47 10.244.165.35 jfraizer tty1 192.168.56.1 stop task_id=6 timezone=UTC service=shell priv-lvl=1 cmd=connect somepassword Here is the situation: I've got my tac_plus (plus do_auth) configured to give priv-lvl=15 on login. So, me typing enable is NOT necessary for me to get into enable mode. I'm ALREADY there. When I do so, it just drops me back to a prompt (NOT a password prompt). When the next thing I send is "somepassword", the Cisco translates this to "connect somepassword". I would venture to guess that you're giving priv-lvl=15 on login and that you've got users who don't realize they're already enabled or that you've got some script running that is hard coded to blindly send commands vs. examining its current prompt to determine its priv-lvl. -- John Fraizer LinkedIn profile: http://www.linkedin.com/in/johnfraizer/ On Tue, Apr 14, 2015 at 9:41 AM, John Fraizer wrote: > Provide the entire accounting record rather than a description of it and > we'll be able to help you more. But, that is not what tac_plus would show > when a user goes into enable. 
> > This is what it shows from an Arista: > > Apr 14 16:33:36 10.244.165.35 jfraizer ssh 192.168.56.1 stop task_id=21 > service=shell priv-lvl=1 start_time=1429029214 timezone=UTC cmd=enable > > > And here is what it shows from a Cisco CSR1000v: > > Apr 14 16:34:43 10.244.165.36 jfraizer tty1 192.168.56.1 stop task_id=3 > timezone=UTC service=shell priv-lvl=1 cmd=enable > > > > > -- > John Fraizer > LinkedIn profile: http://www.linkedin.com/in/johnfraizer/ > > > > On Tue, Apr 14, 2015 at 9:28 AM, Munroe Sollog wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> I'm using tac_plus as an audit history for all users, and I'm noticing >> that the accounting log is >> logging: >> >> cmd=connect >> >> I believe it is whenever someone types in 'enable' '> password>' >> >> Does this make sense, and if so any advice on how to get tac_plus to not >> save the password in the >> audit log? >> >> for reference: >> $ tac_plus -v >> tac_plus version F4.0.4.27a >> ACLS >> FIONBIO >> LIBWRAP >> LINUX >> LITTLE_ENDIAN >> LOG_DAEMON >> PAM >> NO_PWAGE >> REAPCHILD >> RETSIGTYPE RETSIGTYPE >> SHADOW_PASSWORDS >> SIGTSTP >> SIGTTIN >> SIGTTOU >> SO_REUSEADDR >> STRERROR >> TAC_PLUS_PORT >> UENABLE >> __STDC__ >> >> >> >> Thanks. 
>> >> - -- >> Munroe Sollog >> LTS - Network Analyst >> x85002 >> -----BEGIN PGP SIGNATURE----- >> Version: GnuPG v1.4.12 (GNU/Linux) >> >> iQEcBAEBAgAGBQJVLUA5AAoJEPbbZiWCKDVCIcsH/0MMz1sYAQFY4FXMzLUrKa0E >> IYJxEuM7QWkQ6wIfFhdf51xOBuepKytGK3JlWuGZaZMdENgEZj/bD4BNxS+4ukAj >> fR8xuQSy6AooQLYgdcfJYd/g7udhVmrhBhCDCGQz3HCHKfJyp2V4XmCZPfMVy7EA >> 7NMhfbPto7nPEkVtDqrjBShgXohrf0OtMXMbdWxljJ+W7P/+nEc4+vfRz/CSpd1a >> PnHlwYLRaBIo921xB7I3SiPJqUPhI8i8s52HuzcmJacfT5TypQ9pY08X712QUztJ >> zpsFsX2xS3tyWingWKhrqWMtuFpFIWwTeQ7mIOqqd5NTHDhL3DupC1jBOWp2vfA= >> =FXGG >> -----END PGP SIGNATURE----- >> _______________________________________________ >> tac_plus mailing list >> tac_plus at shrubbery.net >> http://www.shrubbery.net/mailman/listinfo/tac_plus >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From m4rtntns at gmail.com Thu Apr 16 10:38:40 2015 From: m4rtntns at gmail.com (Martin T) Date: Thu, 16 Apr 2015 13:38:40 +0300 Subject: [tac_plus] What part of tac_plus daemon configuration does "aaa authorization exec default group tacacs+" command in Cisco IOS TACACS+ client check? In-Reply-To: References: Message-ID: Krux, I think it is bit more than just the privilege level. Looks like it is the whole "service = exec" configuration snippet which specifies for example "autocmd" or "idletime" besides "priv-lvl". regards, Martin On 4/14/15, Krux wrote: > Authorization exec is used to tell the Cisco device to use the privilege > level specified by the TACACS+ server when logging in. For example privilege > level 15. This means you don't have to issue the enable command. It is also > required if you want to use features like the scp server to push firmware to > your device, since the scp server requires that your exec level be 15 on > login. 
> perl -e 's==UBER?=+y[:-o]}(;->\n{q-yp-y+k}?print:??;-p#)' > > On April 13, 2015 1:54:37 AM PDT, Martin T wrote: >>Hi, >> >>in Cisco IOS TACACS+ client there is a command "aaa authorization exec >>default group tacacs+". Am I correct that all this command does is to >>force TACACS+ client to take account the "service = exec" >>configuration snippet in tac_plus daemon configuration file? For >>example: >> >>service = exec { >> priv-lvl = 15 >> autocmd = "show version" >>} >> >> >>thanks, >>Martin >>_______________________________________________ >>tac_plus mailing list >>tac_plus at shrubbery.net >>http://www.shrubbery.net/mailman/listinfo/tac_plus > > > From m4rtntns at gmail.com Thu Apr 16 15:54:52 2015 From: m4rtntns at gmail.com (Martin T) Date: Thu, 16 Apr 2015 18:54:52 +0300 Subject: [tac_plus] enable additional commands centrally for IOS privilege levels other than 15 Message-ID: Hi, privilege level 15 in IOS has all the possible commands for particular IOS release enabled. However, for example privilege level 1 has only few dozens of commands available. Now if I want to allow some of the privilege level 15 commands also for privilege level 1, then I could use the "privilege exec level 1 " command. For example "privilege exec level 1 traceroute". However, is there a way to do this centrally in TACACS+ server? thanks, Martin From aaron.wasserott at viawest.com Thu Apr 16 16:09:15 2015 From: aaron.wasserott at viawest.com (Aaron Wasserott) Date: Thu, 16 Apr 2015 16:09:15 +0000 Subject: [tac_plus] enable additional commands centrally for IOS privilege levels other than 15 In-Reply-To: References: Message-ID: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B651ED@mbx030-w1-co-6.exch030.domain.local> Look into the do_auth.pyc script to control command authorization. 
http://www.tacacs.org/ -----Original Message----- From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Martin T Sent: Thursday, April 16, 2015 9:55 AM To: tac_plus at shrubbery.net Subject: [tac_plus] enable additional commands centrally for IOS privilege levels other than 15 Hi, privilege level 15 in IOS has all the possible commands for particular IOS release enabled. However, for example privilege level 1 has only few dozens of commands available. Now if I want to allow some of the privilege level 15 commands also for privilege level 1, then I could use the "privilege exec level 1 " command. For example "privilege exec level 1 traceroute". However, is there a way to do this centrally in TACACS+ server? thanks, Martin _______________________________________________ tac_plus mailing list tac_plus at shrubbery.net http://www.shrubbery.net/mailman/listinfo/tac_plus This message contains information that may be confidential, privileged or otherwise protected by law from disclosure. It is intended for the exclusive use of the addressee(s). Unless you are the addressee or authorized agent of the addressee, you may not review, copy, distribute or disclose to anyone the message or any information contained within. If you have received this message in error, please contact the sender by electronic reply and immediately delete all copies of the message. From john at op-sec.us Thu Apr 16 16:47:59 2015 From: john at op-sec.us (John Fraizer) Date: Thu, 16 Apr 2015 09:47:59 -0700 Subject: [tac_plus] What part of tac_plus daemon configuration does "aaa authorization exec default group tacacs+" command in Cisco IOS TACACS+ client check? In-Reply-To: References: Message-ID: The service = exec stanza tells Tac_Plus to do (everything you have in that stanza) whenever the device requests authorization for "exec". 
--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/

On Thu, Apr 16, 2015 at 3:38 AM, Martin T wrote:
> Krux,
>
> I think it is a bit more than just the privilege level. Looks like it is
> the whole "service = exec" configuration snippet which specifies for
> example "autocmd" or "idletime" besides "priv-lvl".
>
> regards,
> Martin
>
> On 4/14/15, Krux wrote:
> > Authorization exec is used to tell the Cisco device to use the privilege
> > level specified by the TACACS+ server when logging in. For example
> > privilege level 15. This means you don't have to issue the enable command.
> > It is also required if you want to use features like the scp server to
> > push firmware to your device, since the scp server requires that your
> > exec level be 15 on login.
> > perl -e 's==UBER?=+y[:-o]}(;->\n{q-yp-y+k}?print:??;-p#)'
> >
> > On April 13, 2015 1:54:37 AM PDT, Martin T wrote:
> >>Hi,
> >>
> >>in Cisco IOS TACACS+ client there is a command "aaa authorization exec
> >>default group tacacs+". Am I correct that all this command does is to
> >>force the TACACS+ client to take into account the "service = exec"
> >>configuration snippet in the tac_plus daemon configuration file? For
> >>example:
> >>
> >>service = exec {
> >>    priv-lvl = 15
> >>    autocmd = "show version"
> >>}
> >>
> >>thanks,
> >>Martin
> >>_______________________________________________
> >>tac_plus mailing list
> >>tac_plus at shrubbery.net
> >>http://www.shrubbery.net/mailman/listinfo/tac_plus
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From john at op-sec.us Thu Apr 16 17:34:43 2015
From: john at op-sec.us (John Fraizer)
Date: Thu, 16 Apr 2015 10:34:43 -0700
Subject: [tac_plus] enable additional commands centrally for IOS privilege levels other than 15
In-Reply-To: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B651ED@mbx030-w1-co-6.exch030.domain.local>
References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B651ED@mbx030-w1-co-6.exch030.domain.local>
Message-ID:

Here is an example:

tac_plus.conf:

key = "blah-blah-blah"
accounting file = /some/location/tacplus.acct

default authentication = file /etc/passwd

#
# Default group to run all command authentication through do_auth.
#
group = doauthaccess {
    default service = permit

    service = exec {
        priv-lvl = 1
        optional idletime = 30
        optional acl = 2
        shell:roles="\"network-operator vdc-operator\""
    }

    service = junos-exec {
        bug-fix = "first pair is lost"
        local-user-name = "remote"
        allow-commands = "(.*exit)|(show cli auth.*)"
        deny-commands = ".*"
        allow-configuration = ""
        deny-configuration = ".*"
    }
    after authorization "/usr/bin/python /some-location/do_auth.py -i $address -u $user -d $name -l /some-location/do_auth.log -f /some-location/do_auth.ini"
}

#
# Default user - Used when no user specific stanza exists in tac_plus.conf.
#
user = DEFAULT {
    member = doauthaccess
    login = PAM
}

And then, in do_auth.ini:

[users]
default =
    no_authority

ren =
    lab
    no_authority

stimpy =
    lab
    production_readonly
    no_authority

# Groups start here

# Default group. Can only log out and check
# privilege level (JUNOS)
[no_authority]
host_deny =
host_allow =
    .*
device_deny =
device_permit =
    .*
command_deny =
    .*
command_permit =
    exit.*
av_pairs =
    priv-lvl=0
    shell:roles="network-operator vdc-operator"
    local-user-name = test
    allow-commands = (.*exit)|(show cli auth.*)
    deny-commands = .*
    allow-configuration =
    deny-configuration =

# LAB group can do anything - as long as the device
# they're logging into is in 192.168.56.0/24 which is
# the IP address space used for management in the LAB.
[lab]
host_deny =
host_allow =
    .*
device_deny =
device_permit =
    192.168.56.*
command_deny =
command_permit =
    .*
av_pairs =
    priv-lvl=15
    shell:roles="network-admin vdc-admin"
    local-user-name = remote
    allow-commands = .*
    deny-commands =
    allow-configuration = .*
    deny-configuration =

# This group provides read-only access to ANY device.
[production_readonly]
host_deny =
host_allow =
    .*
device_deny =
device_permit =
    .*
command_deny =
command_permit =
    ping.*
    traceroute.*
    terminal.*
    write terminal.*
    copy running-config terminal.*
    copy running-config tftp.*
    copy startup-config terminal.*
    copy startup-config tftp.*
    show.*
av_pairs =
    priv-lvl=15
    shell:roles="network-admin vdc-admin"
    local-user-name = remote
    allow-commands =
    deny-commands = (.*edit)|(.*configure)
    allow-configuration =
    deny-configuration =

With the above configuration, user "joe" does not have a user stanza in do_auth.ini so, he will fall through to the "default" group (no_authority) no matter which device he logs into. He will only be able to log out. ;-)

User ren is a member of "lab" and "no_authority" so, if he logs into any devices in 192.168.56.0/24, he can do anything. For anything else, he will fall through to the "no_authority" group and only be able to log out.

User stimpy is a member of all three groups: lab, production_readonly and no_authority. If he logs into a device in 192.168.56.0/24, he can do anything. If he logs in ANYWHERE else, he will receive the "production_readonly" privileges since it matches on .* for "device_permit".

If you look in group "production_readonly", I'm setting priv-lvl=15 or giving "network-admin vdc-admin" or "local-user-name = remote" (depending on which AV pair(s) the device sent to tac_plus). On my Junipers, user "remote" is "super-user" which is basically the same as priv-lvl=15.

On anything that does command authorization, I'm only permitting:

    ping.*
    traceroute.*
    terminal.*
    write terminal.*
    copy running-config terminal.*
    copy running-config tftp.*
    copy startup-config terminal.*
    copy startup-config tftp.*
    show.*

Anything else will be denied.

On the Junipers, since they do RBAC and don't ask to authorize individual commands, I'm simply denying "edit" and "configure" in the "deny-commands" regular expression so they can't make config changes.

Note that ALL users are members of "no_authority" as their "last resort" group. This is because, without that group membership, Ciscos and Aristas would get a "denied" authorization for the shell. Junipers flat-out IGNORE that though and the user would get uninhibited "super-user". Silly JUNOS! Placing everyone in "no_authority" makes sure that even if no other groups match, they will at least match on the no_authority group and be granted just enough access to log out of the device (and look at their authority on Junipers):

command_deny =
    .*
command_permit =
    exit.*
av_pairs =
    priv-lvl=0
    shell:roles="network-operator vdc-operator"
    local-user-name = test
    allow-commands = (.*exit)|(show cli auth.*)
    deny-commands = .*
    allow-configuration =
    deny-configuration =

There you go... a quick tutorial on using do_auth.py via the "after authorization" function in tac_plus. You'll never believe you lived without it once you set it up. Just be sure to TEST the configurations. You might find a corner-case like I did with silly JUNOS doing the opposite of what you would expect.

--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/

On Thu, Apr 16, 2015 at 9:09 AM, Aaron Wasserott <aaron.wasserott at viawest.com> wrote:
> Look into the do_auth.pyc script to control command authorization.
>
> http://www.tacacs.org/
>
> -----Original Message-----
> From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of
> Martin T
> Sent: Thursday, April 16, 2015 9:55 AM
> To: tac_plus at shrubbery.net
> Subject: [tac_plus] enable additional commands centrally for IOS privilege
> levels other than 15
>
> Hi,
>
> privilege level 15 in IOS has all the possible commands for a particular IOS
> release enabled. However, privilege level 1, for example, has only a few dozen
> commands available. Now if I want to allow some of the privilege level
> 15 commands also for privilege level 1, then I could use the "privilege
> exec level 1 " command. For example "privilege exec level 1
> traceroute". However, is there a way to do this centrally in the TACACS+ server?
>
> thanks,
> Martin
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus
>
-------------- next part --------------
An HTML attachment was scrubbed...
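An added example, not do_auth.py itself and not John's code, that models the group fall-through John describes above: a user's groups are tried in order, the first group whose host and device filters match answers an exec request with its av_pairs, and a group that does not permit a command is skipped so the next group gets a chance. The INI text, user names and addresses are constructed from the thread; consulting command_permit before command_deny inside a group is this example's own assumption, chosen so that the "deny .*, permit exit.*" last-resort group behaves as John says, and should be checked against do_auth's source before relying on it.

```python
"""Toy evaluator for a do_auth-style INI policy (added example, not do_auth.py).

A user's groups are tried in order: the first group whose host/device filters
match answers an exec request with its av_pairs; for a command a group permits,
explicitly denies (search stops) or says nothing, and the next group is tried.
Checking command_permit before command_deny is this example's assumption; it is
what lets the "deny .*, permit exit.*" last-resort group grant just a log-out.
"""
import configparser
import re
from dataclasses import dataclass, field

# Constructed policy, condensed from the thread's do_auth.ini (Junos pairs left out).
POLICY_INI = """
[users]
default =
    no_authority
ren =
    lab
    no_authority
stimpy =
    lab
    production_readonly
    no_authority
[no_authority]
host_allow =
    .*
device_permit =
    .*
command_deny =
    .*
command_permit =
    exit.*
av_pairs =
    priv-lvl=0
[lab]
host_allow =
    .*
device_permit =
    192.168.56.*
command_permit =
    .*
av_pairs =
    priv-lvl=15
[production_readonly]
host_allow =
    .*
device_permit =
    .*
command_permit =
    show.*
av_pairs =
    priv-lvl=15
"""


@dataclass
class Decision:
    allowed: bool
    group: str = None                             # group that decided
    av_pairs: list = field(default_factory=list)  # returned on exec auth


def load_policy(text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def _patterns(cfg, group, key):
    # Every non-empty line of a value is one regular expression.
    return cfg.get(group, key, fallback="").split()


def _matches(patterns, value):
    # Anchored at the start only (re.match), so "show.*" covers "show run".
    return any(re.match(p, value) for p in patterns)


def authorize(cfg, user, client_ip, device, command=None):
    """client_ip: user's source address (host_* filters); device: NAS name or
    address (device_* filters); command: joined cmd/cmd-arg text, None for exec."""
    users = cfg["users"]
    groups = (users.get(user) or users.get("default", "")).split()
    for group in groups:
        if _matches(_patterns(cfg, group, "host_deny"), client_ip):
            continue
        if not _matches(_patterns(cfg, group, "host_allow"), client_ip):
            continue
        if _matches(_patterns(cfg, group, "device_deny"), device):
            continue
        if not _matches(_patterns(cfg, group, "device_permit"), device):
            continue
        if command is None:
            return Decision(True, group, _patterns(cfg, group, "av_pairs"))
        if _matches(_patterns(cfg, group, "command_permit"), command):
            return Decision(True, group)
        if _matches(_patterns(cfg, group, "command_deny"), command):
            return Decision(False, group)  # explicit deny ends the search
        # neither permitted nor denied here: try the next group
    return Decision(False)
```

With this policy, joe (no stanza) lands in no_authority everywhere, ren gets priv-lvl=15 only on 192.168.56.x, and stimpy on any other device can run "show ..." but not "configure terminal".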
URL:

From daniel.schmidt at wyo.gov Thu Apr 16 17:53:10 2015
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Thu, 16 Apr 2015 11:53:10 -0600
Subject: [tac_plus] enable additional commands centrally for IOS privilege levels other than 15
In-Reply-To:
References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B651ED@mbx030-w1-co-6.exch030.domain.local>
Message-ID:

Jathan and I are planning to improve the JUNOS support. I'm always glad to hear that this little python snippet I started a few years ago has made people's lives easier.

On Thu, Apr 16, 2015 at 11:34 AM, John Fraizer wrote:
> Here is an example:
>
> tac_plus.conf:
>
> key = "blah-blah-blah"
> accounting file = /some/location/tacplus.acct
>
> default authentication = file /etc/passwd
>
> #
> # Default group to run all command authentication through do_auth.
> #
> group = doauthaccess {
>     default service = permit
>
>     service = exec {
>         priv-lvl = 1
>         optional idletime = 30
>         optional acl = 2
>         shell:roles="\"network-operator vdc-operator\""
>     }
>
>     service = junos-exec {
>         bug-fix = "first pair is lost"
>         local-user-name = "remote"
>         allow-commands = "(.*exit)|(show cli auth.*)"
>         deny-commands = ".*"
>         allow-configuration = ""
>         deny-configuration = ".*"
>     }
>     after authorization "/usr/bin/python /some-location/do_auth.py -i
> $address -u $user -d $name -l /some-location/do_auth.log -f
> /some-location/do_auth.ini"
> }
>
> #
> # Default user - Used when no user specific stanza exists in tac_plus.conf.
> #
> user = DEFAULT {
>     member = doauthaccess
>     login = PAM
> }
>
> And then, in do_auth.ini:
>
> [users]
> default =
>     no_authority
>
> ren =
>     lab
>     no_authority
>
> stimpy =
>     lab
>     production_readonly
>     no_authority
>
> # Groups start here
>
> # Default group.
> > _______________________________________________
> > tac_plus mailing list
> > tac_plus at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo/tac_plus
> >
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20150416/02e9a147/attachment.html>
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus
>

E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From john at op-sec.us Thu Apr 16 20:08:14 2015
From: john at op-sec.us (John Fraizer)
Date: Thu, 16 Apr 2015 13:08:14 -0700
Subject: [tac_plus] enable additional commands centrally for IOS privilege levels other than 15
In-Reply-To:
References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B651ED@mbx030-w1-co-6.exch030.domain.local>
Message-ID:

do_auth.py is a great tool which has given so much more flexibility to our TACACS+ infrastructure. I've modified it to log to a MySQL database and have also modified tac_plus to allow accounting to a script "after authorization" style. I pass the accounting pairs out and read them into STDIN and log those to the MySQL database too. It makes searching through the logs so much more flexible because I'm able to make Arista / Cisco / Juniper accounting records have a consistent format in the database. I can also tell the difference between the three vendors based only on the pairs they send in their accounting records.
New tac_plus directive:

accounting script = "/usr/bin/python /someplace/do_accounting.py -f /someplace/do_auth.ini"

And I've added the following directives to do_auth.ini which both scripts use to set up their MySQL config:

[mysql]
user = tacacs
password = somepassword
host = 10.172.192.1
database = somedatabase

Thanks for all the hard work on do_auth.py! Once I've put my changes through enough testing, I'm planning on providing patches to the community for both do_auth.py and tac_plus in case someone else wants to leverage MySQL for logging TACACS stuff.

--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/

On Thu, Apr 16, 2015 at 10:53 AM, Daniel Schmidt wrote:
> Jathan and I are planning to improve the JUNOS support. I'm always glad
> to hear that this little python snippet I started a few years ago has made
> people's lives easier.
>
> On Thu, Apr 16, 2015 at 11:34 AM, John Fraizer wrote:
>
>> Here is an example:
>>
>> tac_plus.conf:
>>
>> key = "blah-blah-blah"
>> accounting file = /some/location/tacplus.acct
>>
>> default authentication = file /etc/passwd
>>
>> #
>> # Default group to run all command authentication through do_auth.
>> #
>> group = doauthaccess {
>>     default service = permit
>>
>>     service = exec {
>>         priv-lvl = 1
>>         optional idletime = 30
>>         optional acl = 2
>>         shell:roles="\"network-operator vdc-operator\""
>>     }
>>
>>     service = junos-exec {
>>         bug-fix = "first pair is lost"
>>         local-user-name = "remote"
>>         allow-commands = "(.*exit)|(show cli auth.*)"
>>         deny-commands = ".*"
>>         allow-configuration = ""
>>         deny-configuration = ".*"
>>     }
>>     after authorization "/usr/bin/python /some-location/do_auth.py -i
>> $address -u $user -d $name -l /some-location/do_auth.log -f
>> /some-location/do_auth.ini"
>> }
>>
>> #
>> # Default user - Used when no user specific stanza exists in
>> tac_plus.conf.
>> URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20150416/02e9a147/attachment.html>
>>
>> _______________________________________________
>> tac_plus mailing list
>> tac_plus at shrubbery.net
>> http://www.shrubbery.net/mailman/listinfo/tac_plus
>>
>
> E-Mail to and from me, in connection with the transaction
> of public business, is subject to the Wyoming Public Records
> Act and may be disclosed to third parties.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From aaron.wasserott at viawest.com Fri Apr 24 17:51:46 2015
From: aaron.wasserott at viawest.com (Aaron Wasserott)
Date: Fri, 24 Apr 2015 17:51:46 +0000
Subject: [tac_plus] IPv6 ACL commands not working with do_auth and IOS-XR
Message-ID: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B6887C@mbx030-w1-co-6.exch030.domain.local>

I have a Cisco ASR 9000 running 4.3.2 and cannot enter some IPv6 ACL commands when do_auth is enabled for that user. Tac_plus version is F4.0.4.28 and do_auth.py is 1.92

Note: In the examples below I am using invalid addresses, but am trying valid addresses in the actual commands.

Here is the error we see when do_auth is enabled:

RP/0/RSP0/CPU0:asr-9010-01(config)#ipv6 access-list test permit ipv6 xx90::/16 any
Command authorization failed
% Incomplete command.

Here is running that same command w/o do_auth enabled:

RP/0/RSP0/CPU0:asr-9010-01(config)#ipv6 access-list test permit ipv6 xx90::/16 any
RP/0/RSP0/CPU0:asr-9010-01(config)#commit
Thu Apr 23 09:51:35.413 UTC
RP/0/RSP0/CPU0:asr-9010-01(config)#do sh access-lists ipv6 test
Thu Apr 23 09:52:01.073 UTC
ipv6 access-list test
 10 permit ipv6 xx90::/16 any

At first I thought maybe it was just the double-colons that do_auth doesn't like ....

Here without IPv6 short-hand and with do_auth enabled:

RP/0/RSP0/CPU0:asr-9010-01(config)#ipv6 access-list test permit ipv6 xx90:0:0:0:0:0:0:0/128 any
Command authorization failed
% Incomplete command.
RP/0/RSP0/CPU0:asr-9010-01(config)#commit
Thu Apr 23 10:01:45.208 UTC
No configuration changes to commit.

Here without IPv6 short-hand and do_auth disabled:

RP/0/RSP0/CPU0:asr-9010-01(config)#ipv6 access-list test permit ipv6 xx90:0:0:0:0:0:0:0/128 any
RP/0/RSP0/CPU0:asr-9010-01(config)#commit
Thu Apr 23 10:02:30.903 UTC
RP/0/RSP0/CPU0:asr-9010-01(config)#do sh access-lists ipv6 test
Thu Apr 23 10:02:33.440 UTC
ipv6 access-list test
 10 permit ipv6 host xx90:: any

But it appears that it doesn't like any colons in authorization commands. If I enter the ACL with "any any" it works. With do_auth enabled I don't get any hits in the do_auth.log for the failing command.

This is happening in production, but I have set up a simple lab to play with using very minimal settings, and a fresh install of the daemon installed from source.

tac_plus version:

sudo /usr/local/sbin/tac_plus -v
tac_plus version F4.0.4.28
ACLS
FIONBIO
LIBWRAP
LINUX
LITTLE_ENDIAN
LOG_DAEMON
NO_PWAGE
REAPCHILD
REAPSIGIGN
RETSIGTYPE RETSIGTYPE
SHADOW_PASSWORDS
SIGTSTP
SIGTTIN
SIGTTOU
SO_REUSEADDR
STRERROR
TAC_PLUS_PORT
UENABLE
__STDC__

Here is my tac_plus.conf file:

key = password
# password should be "password" for user testuser
default authentication = file /etc/passwd

group = test {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
    after authorization "/usr/bin/python /usr/local/bin/do_auth.pyc -i $address -u $user -d $name -l /var/log/do_auth.log -f /etc/tacacs/do_auth.ini"
}

user = testuser {
    member = test
}

And my do_auth file:

DEFAULT =
    neteng-group

[neteng-group]
host_allow =
    .*
device_deny =
    10.99.0.15
device_permit =
    .*
command_permit =
    .*

And here are AAA commands on the router:

tacacs-server host 10.11.11.10 port 49
 key 7 071F205F5D1E161713
!
aaa group server tacacs+ mytacacs
 server 10.11.11.10
!
aaa authorization exec default group mytacacs none
aaa authorization commands default group mytacacs none
aaa authentication login default group mytacacs local

Thanks!
-Aaron

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From daniel.schmidt at wyo.gov Fri Apr 24 21:43:24 2015
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Fri, 24 Apr 2015 15:43:24 -0600
Subject: [tac_plus] IPv6 ACL commands not working with do_auth and IOS-XR
In-Reply-To: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B6887C@mbx030-w1-co-6.exch030.domain.local>
References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B6887C@mbx030-w1-co-6.exch030.domain.local>
Message-ID:

Hum... certainly doesn't do that on Brocade/Cisco routers/switches. Let me research this a second, Aaron.

On Fri, Apr 24, 2015 at 11:51 AM, Aaron Wasserott <aaron.wasserott at viawest.com> wrote:
> I have a Cisco ASR 9000 running 4.3.2 and cannot enter some IPv6 ACL
> commands when do_auth is enabled for that user. Tac_plus version is
> F4.0.4.28 and do_auth.py is 1.92
> Note: In the examples below I am using invalid addresses, but am trying
> valid addresses in the actual commands.
>
> Here is the error we see when do_auth is enabled:
>
> RP/0/RSP0/CPU0:asr-9010-01(config)#ipv6 access-list test permit ipv6
> xx90::/16 any
> Command authorization failed
> % Incomplete command.
>
> Here is running that same command w/o do_auth enabled:
>
> RP/0/RSP0/CPU0:asr-9010-01(config)#ipv6 access-list test permit ipv6 xx90::/16 any
> RP/0/RSP0/CPU0:asr-9010-01(config)#commit
> Thu Apr 23 09:51:35.413 UTC
> RP/0/RSP0/CPU0:asr-9010-01(config)#do sh access-lists ipv6 test
> Thu Apr 23 09:52:01.073 UTC
> ipv6 access-list test
> 10 permit ipv6 xx90::/16 any
>
> At first I thought maybe it was just the double-colons that do_auth doesn't like ....
>
> Here without IPv6 short-hand and with do_auth enabled:
>
> RP/0/RSP0/CPU0:asr-9010-01(config)#ipv6 access-list test permit ipv6 xx90:0:0:0:0:0:0:0/128 any
> Command authorization failed
> % Incomplete command.
> RP/0/RSP0/CPU0:asr-9010-01(config)#commit
> Thu Apr 23 10:01:45.208 UTC
> No configuration changes to commit.
>
> Here without IPv6 short-hand and do_auth disabled:
>
> RP/0/RSP0/CPU0:asr-9010-01(config)#ipv6 access-list test permit ipv6 xx90:0:0:0:0:0:0:0/128 any
> RP/0/RSP0/CPU0:asr-9010-01(config)#commit
> Thu Apr 23 10:02:30.903 UTC
> RP/0/RSP0/CPU0:asr-9010-01(config)#do sh access-lists ipv6 test
> Thu Apr 23 10:02:33.440 UTC
> ipv6 access-list test
> 10 permit ipv6 host xx90:: any
>
> But it appears that it doesn't like any colons in authorization commands. If I enter the ACL with "any any" it works. With do_auth enabled I don't get any hits in the do_auth.log for the failing command.
>
> This is happening in production, but I have set up a simple lab to play with using very minimal settings, and a fresh install of the daemon installed from source.
>
> tac_plus version:
>
> sudo /usr/local/sbin/tac_plus -v
> tac_plus version F4.0.4.28
> ACLS
> FIONBIO
> LIBWRAP
> LINUX
> LITTLE_ENDIAN
> LOG_DAEMON
> NO_PWAGE
> REAPCHILD
> REAPSIGIGN
> RETSIGTYPE RETSIGTYPE
> SHADOW_PASSWORDS
> SIGTSTP
> SIGTTIN
> SIGTTOU
> SO_REUSEADDR
> STRERROR
> TAC_PLUS_PORT
> UENABLE
> __STDC__
>
> Here is my tac_plus.conf file:
>
> key = password
> # password should be "password" for user testuser
> default authentication = file /etc/passwd
>
> group = test {
>     default service = permit
>     service = exec {
>         priv-lvl = 15
>     }
>     after authorization "/usr/bin/python /usr/local/bin/do_auth.pyc -i $address -u $user -d $name -l /var/log/do_auth.log -f /etc/tacacs/do_auth.ini"
> }
>
> user = testuser {
>     member = test
> }
>
> And my do_auth file:
>
> DEFAULT =
>     neteng-group
>
> [neteng-group]
> host_allow =
>     .*
> device_deny =
>     10.99.0.15
> device_permit =
>     .*
> command_permit =
>     .*
>
> And here are AAA commands on the router:
>
> tacacs-server host 10.11.11.10 port 49
>  key 7 071F205F5D1E161713
> !
> aaa group server tacacs+ mytacacs
>  server 10.11.11.10
> !
> aaa authorization exec default group mytacacs none
> aaa authorization commands default group mytacacs none
> aaa authentication login default group mytacacs local
>
> Thanks!
>
> -Aaron
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus

--
E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.

From daniel.schmidt at wyo.gov Fri Apr 24 22:01:23 2015
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Fri, 24 Apr 2015 16:01:23 -0600
Subject: [tac_plus] IPv6 ACL commands not working with do_auth and IOS-XR
In-Reply-To:
References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B6887C@mbx030-w1-co-6.exch030.domain.local>
Message-ID:

Can you get me a log of that failure? Set debug to True in the code.

271 DEBUG = os.getenv('DEBUG', True)

On Fri, Apr 24, 2015 at 3:43 PM, Daniel Schmidt wrote:
> Hum... certainly doesn't do that on Brocade/Cisco routers/switches. Let me research this a second, Aaron.
>
> On Fri, Apr 24, 2015 at 11:51 AM, Aaron Wasserott <aaron.wasserott at viawest.com> wrote:
>> I have a Cisco ASR 9000 running 4.3.2 and cannot enter some IPv6 ACL commands when do_auth is enabled for that user. Tac_plus version is F4.0.4.28 and do_auth.py is 1.92
>> Note: In the examples below I am using invalid addresses, but am trying valid addresses in the actual commands.
>>
>> Here is the error we see when do_auth is enabled:
>>
>> RP/0/RSP0/CPU0:asr-9010-01(config)#ipv6 access-list test permit ipv6 xx90::/16 any
>> Command authorization failed
>> % Incomplete command.
From aaron.wasserott at viawest.com Fri Apr 24 22:24:48 2015
From: aaron.wasserott at viawest.com (Aaron Wasserott)
Date: Fri, 24 Apr 2015 22:24:48 +0000
Subject: [tac_plus] IPv6 ACL commands not working with do_auth and IOS-XR
In-Reply-To:
References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B6887C@mbx030-w1-co-6.exch030.domain.local>
Message-ID: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B68A66@mbx030-w1-co-6.exch030.domain.local>

I cannot get any hits on "os.getenv" in the source code folder for version tacacs-F4.0.4.28 (which includes the do_auth files) or in any of the other usual culprits. What file would that line be in?

From: Daniel Schmidt [mailto:daniel.schmidt at wyo.gov]
Sent: Friday, April 24, 2015 4:01 PM
To: Aaron Wasserott
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] IPv6 ACL commands not working with do_auth and IOS-XR

Can you get me a log of that failure? Set debug to True in the code.

271 DEBUG = os.getenv('DEBUG', True)

On Fri, Apr 24, 2015 at 3:43 PM, Daniel Schmidt wrote:

Hum... certainly doesn't do that on Brocade/Cisco routers/switches. Let me research this a second, Aaron.

On Fri, Apr 24, 2015 at 11:51 AM, Aaron Wasserott wrote:

I have a Cisco ASR 9000 running 4.3.2 and cannot enter some IPv6 ACL commands when do_auth is enabled for that user. Tac_plus version is F4.0.4.28 and do_auth.py is 1.92
Note: In the examples below I am using invalid addresses, but am trying valid addresses in the actual commands.
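The thread turns on what a tac_plus "after authorization" program such as do_auth actually sees for a command like the IPv6 ACL line above, and on the fact that the failing command left no trace in do_auth.log. The following is an added example written for this page in Python 3; it is not do_auth.py, not tac_plus code, and not from any message in the thread. It shows a minimal filter of that kind: the request's av-pairs are read from stdin, the shell command is rebuilt from the cmd and cmd-arg values, a do_auth-style command_permit/command_deny list of regexes is evaluated, and the raw request is logged before any parsing so a rejection for any reason still produces a log line. The function names, the sample request and the cmd/cmd-arg layout are constructed for the example; the exit statuses follow the tac_plus.conf(5) description of after-authorization programs.

```python
"""Minimal tac_plus "after authorization" command filter (added example,
Python 3; not do_auth.py or tac_plus code).

tac_plus hands such a program the request's av-pairs on stdin, one per
line, and acts on its exit status.  This filter rebuilds the shell
command from them, evaluates do_auth-style command_permit/command_deny
regex lists, and logs the raw request BEFORE parsing, so a request that
is rejected for any reason still leaves a line in the log."""
import logging
import re
import sys

# Exit statuses documented in tac_plus.conf(5) for after-authorization
# programs: 0 permit with av-pairs unchanged, 1 deny (2 and 3 permit with
# replaced/appended av-pairs and are not needed for a pure filter).
PERMIT, DENY = 0, 1

# Constructed sample request: the IOS-XR command from the thread as a
# command-authorization request.  The verb arrives as "cmd", each further
# word as a "cmd-arg", and the line is terminated by a "cmd-arg=<cr>".
SAMPLE_REQUEST = """service=shell
cmd=ipv6
cmd-arg=access-list
cmd-arg=test
cmd-arg=permit
cmd-arg=ipv6
cmd-arg=xx90::/16
cmd-arg=any
cmd-arg=<cr>
"""

log = logging.getLogger("after_authz")


def parse_avpairs(text):
    """Return [(attr, value), ...] from av-pair lines.

    Split on the FIRST '=' or '*' only ('*' is the TACACS+ separator for
    optional attributes): a value such as an IPv6 prefix contains ':' and
    an argument may contain '=' or '*', and none of those may be treated
    as a separator."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        seps = [p for p in (line.find("="), line.find("*")) if p >= 0]
        if not seps:
            raise ValueError("malformed av-pair: %r" % line)
        pos = min(seps)
        pairs.append((line[:pos], line[pos + 1:]))
    return pairs


def rebuild_command(pairs):
    """Join cmd and cmd-arg values into the command line the regexes see.

    An exec (login) authorization carries an empty cmd, so an empty
    result means "this is not a command request"."""
    words = [v for a, v in pairs if a == "cmd" and v]
    words += [v for a, v in pairs if a == "cmd-arg" and v != "<cr>"]
    return " ".join(words)


def authorize(command, command_permit, command_deny=()):
    """Deny patterns are tested first, then permit; nothing matched means
    deny.  fullmatch is used so that 'conf' cannot pass 'configure': a
    prefix match (re.match) would silently widen every pattern."""
    for pat in command_deny:
        if re.fullmatch(pat, command):
            return DENY, "matched command_deny %r" % pat
    for pat in command_permit:
        if re.fullmatch(pat, command):
            return PERMIT, "matched command_permit %r" % pat
    return DENY, "no command_permit pattern matched"


def handle_request(text, command_permit, command_deny=()):
    """Decide one request; returns (status, reason, command)."""
    log.info("request: %r", text)          # logged before anything can fail
    try:
        pairs = parse_avpairs(text)
    except ValueError as exc:
        log.error("deny: %s", exc)
        return DENY, str(exc), ""
    command = rebuild_command(pairs)
    if not command:
        log.info("permit: no cmd av-pair, not a command request")
        return PERMIT, "no cmd av-pair", ""
    status, reason = authorize(command, command_permit, command_deny)
    log.info("%s %r: %s", "permit" if status == PERMIT else "deny", command, reason)
    return status, reason, command


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO,
                        format="%(asctime)s %(levelname)s %(message)s")
    # Policy equivalent to the thread's do_auth.ini: command_permit = .*
    text = SAMPLE_REQUEST if sys.stdin.isatty() else sys.stdin.read()
    sys.exit(handle_request(text, command_permit=[".*"])[0])
```

Run from a terminal it evaluates the built-in sample; fed av-pair lines on stdin it behaves as tac_plus would drive it, and its exit status is the decision. Two design points matter for the symptom in the thread: the request is logged before it is parsed, so an input the parser cannot handle is still visible, and the av-pair split happens on the first separator only, so colons in an IPv6 prefix never influence parsing. With the thread's policy (command_permit = .*) the sample command is permitted; a tighter policy, as in the test below, shows deny taking precedence over permit.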