[tac_plus] IPv6 ACL commands not working with do_auth and IOS-XR

Aaron Wasserott aaron.wasserott at viawest.com
Fri Apr 24 17:51:46 UTC 2015


I have a Cisco ASR 9000 running 4.3.2 and cannot enter some IPv6 ACL commands when do_auth is enabled for that user. Tac_plus version is F4.0.4.28 and do_auth.py is 1.92.
Note: In the examples below I am using invalid addresses, but am trying valid addresses in the actual commands.

Here is the error we see when do_auth is enabled:

RP/0/RSP0/CPU0:asr-9010-01(config)#ipv6 access-list test permit ipv6 xx90::/16 any
Command authorization failed
% Incomplete command.

Here is running that same command w/o do_auth enabled:

RP/0/RSP0/CPU0:asr-9010-01(config)#ipv6 access-list test permit ipv6 xx90::/16 any
RP/0/RSP0/CPU0:asr-9010-01(config)#commit
Thu Apr 23 09:51:35.413 UTC
RP/0/RSP0/CPU0:asr-9010-01(config)#do sh access-lists ipv6 test
Thu Apr 23 09:52:01.073 UTC
ipv6 access-list test
10 permit ipv6 xx90::/16 any

At first I thought maybe it was just the double-colons that do_auth doesn't like ....

Here without IPv6 short-hand and with do_auth enabled:

RP/0/RSP0/CPU0:asr-9010-01(config)#ipv6 access-list test permit ipv6 xx90:0:0:0:0:0:0:0/128 any
Command authorization failed
% Incomplete command.
RP/0/RSP0/CPU0:asr-9010-01(config)#commit
Thu Apr 23 10:01:45.208 UTC
No configuration changes to commit.

Here without IPv6 short-hand and with do_auth disabled:

RP/0/RSP0/CPU0:asr-9010-01(config)#ipv6 access-list test permit ipv6 xx90:0:0:0:0:0:0:0/128 any
RP/0/RSP0/CPU0:asr-9010-01(config)#commit
Thu Apr 23 10:02:30.903 UTC
RP/0/RSP0/CPU0:asr-9010-01(config)#do sh access-lists ipv6 test
Thu Apr 23 10:02:33.440 UTC
ipv6 access-list test
10 permit ipv6 host xx90:: any

But it appears that it doesn't like any colons in authorization commands. If I enter the ACL with "any any" it works. With do_auth enabled I don't get any hits in the do_auth.log for the failing command.

This is happening in production, but I have set up a simple lab to play with using very minimal settings, and a fresh install of the daemon installed from source.

tac_plus version:

sudo /usr/local/sbin/tac_plus -v
tac_plus version F4.0.4.28
ACLS
FIONBIO
LIBWRAP
LINUX
LITTLE_ENDIAN
LOG_DAEMON
NO_PWAGE
REAPCHILD
REAPSIGIGN
RETSIGTYPE RETSIGTYPE
SHADOW_PASSWORDS
SIGTSTP
SIGTTIN
SIGTTOU
SO_REUSEADDR
STRERROR
TAC_PLUS_PORT
UENABLE
__STDC__


Here is my tac_plus.conf file:

key = password
# password should be "password" for user testuser
default authentication = file /etc/passwd

group = test {
        default service = permit
        service = exec {
                priv-lvl = 15
        }
        # tac_plus substitutes $address, $user and $name before running the script
        after authorization "/usr/bin/python /usr/local/bin/do_auth.pyc -i $address -u $user -d $name -l /var/log/do_auth.log -f /etc/tacacs/do_auth.ini"
}

user = testuser {
        member = test
}


And my do_auth file:

DEFAULT =
        neteng-group

[neteng-group]
host_allow =
        .*
device_deny =
        10.99.0.15
device_permit =
        .*
command_permit =
        .*


And here are AAA commands on the router:

tacacs-server host 10.11.11.10 port 49
key 7 071F205F5D1E161713
!
aaa group server tacacs+ mytacacs
server 10.11.11.10
!
aaa authorization exec default group mytacacs none
aaa authorization commands default group mytacacs none
aaa authentication login default group mytacacs local

Thanks!

-Aaron
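An added harness for isolating which layer is rejecting the command. It is written for this page and is not code from the original post, from tac_plus or from do_auth. It assumes the av-pair layout tac_plus hands a post-authorization script (one attr=value line per attribute, the typed command arriving as a "cmd" attribute plus "cmd-arg" attributes that end in "<cr>") and approximates do_auth's matching as re.match of each permit/deny entry against the reconstructed command; the exit-code handshake back to tac_plus is left out. What it shows: colons and slashes are plain literals in Python regexes, so a ".*" command_permit entry matches the IPv6 ACL line exactly as it matches "any any". When that is the case and the failing command never shows up in do_auth.log, the regex lists are not the step to suspect; the script is either not being reached for that request or is failing before it logs.

```python
"""Offline check of a TACACS+ shell-command authorization decision
against do_auth-style regex lists.

Added example, not code from the original post, tac_plus or do_auth.
Assumptions: tac_plus hands a post-authorization script one attribute
per line on stdin, the typed command arriving as one 'cmd' attribute
followed by 'cmd-arg' attributes and a closing '<cr>' argument; and a
permit/deny list is applied the way a do_auth-style ini does it, i.e.
each entry is a Python regex tested with re.match (anchored at the
start of the command).  The exit-code handshake is not modelled.
"""
import re

# Constructed stdin payload for the IPv6 ACL line from the post.  The
# address is the same placeholder the post uses, not a real prefix.
SAMPLE_AV_PAIRS = """\
service=shell
cmd=ipv6
cmd-arg=access-list
cmd-arg=test
cmd-arg=permit
cmd-arg=ipv6
cmd-arg=xx90::/16
cmd-arg=any
cmd-arg=<cr>
"""

# attribute, then '=' (mandatory) or '*' (optional), then the value
AV_PAIR_RE = re.compile(r'^([^=*]+)([=*])(.*)$')


def parse_av_pairs(text):
    """Return a list of (attribute, value, mandatory) tuples.

    Split on the first '=' or '*' only, so a value that itself contains
    '=', ':' or '/' (as IPv6 prefixes do) survives intact.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = AV_PAIR_RE.match(line)
        if match is None:
            raise ValueError("malformed av pair: %r" % line)
        attr, sep, value = match.groups()
        pairs.append((attr, value, sep == '='))
    return pairs


def rebuild_command(pairs):
    """Reassemble the typed command from 'cmd' and 'cmd-arg' attributes,
    dropping the '<cr>' terminator and any unrelated attributes."""
    words = [value for attr, value, _ in pairs if attr == 'cmd']
    words += [value for attr, value, _ in pairs
              if attr == 'cmd-arg' and value != '<cr>']
    return ' '.join(words)


def authorize(command, command_permit, command_deny=()):
    """Deny rules win; otherwise the first matching permit rule permits.

    Colons and slashes are literal characters in Python regexes, so an
    IPv6 prefix needs no escaping in either list.
    """
    for pattern in command_deny:
        if re.match(pattern, command):
            return ('deny', pattern)
    for pattern in command_permit:
        if re.match(pattern, command):
            return ('permit', pattern)
    return ('deny', None)


def decide(av_text, command_permit, command_deny=()):
    """Full pipeline: stdin text -> reconstructed command -> decision."""
    command = rebuild_command(parse_av_pairs(av_text))
    return command, authorize(command, command_permit, command_deny)


if __name__ == '__main__':
    # Wide-open permit list, as in the post's do_auth.ini ...
    print(decide(SAMPLE_AV_PAIRS, ['.*']))
    # ... and a tighter pair of lists that still permits the IPv6 ACL
    # entry but refuses deny entries in an ACL named 'test'.
    print(decide(SAMPLE_AV_PAIRS,
                 [r'^ipv6 access-list \S+ permit '],
                 [r'^ipv6 access-list test deny ']))
```

Feed it the av pairs tac_plus actually passes (a copy of the script's stdin, captured by a one-line wrapper that tees stdin to a file, is enough) to see whether the command the daemon presents for the IPv6 line differs from the one typed, which is the next thing to check once the regex step is ruled out.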