[tac_plus] IPv6 ACL commands not working with do_auth and IOS-XR

Daniel Schmidt daniel.schmidt at wyo.gov
Fri Apr 24 21:43:24 UTC 2015


Hum... certainly doesn't do that on Brocade/Cisco routers/switches.  Let me
research this a second, Aaron.

On Fri, Apr 24, 2015 at 11:51 AM, Aaron Wasserott <aaron.wasserott at viawest.com> wrote:

> I have a Cisco ASR 9000 running 4.3.2 and cannot enter some IPv6 ACL
> commands when do_auth is enabled for that user. Tac_plus version is
> F4.0.4.28 and do_auth.py is 1.92.
> Note: In the examples below I am using invalid addresses, but am trying
> valid addresses in the actual commands.
>
> Here is the error we see when do_auth is enabled:
>
> RP/0/RSP0/CPU0:asr-9010-01(config)#ipv6 access-list test permit ipv6 xx90::/16 any
> Command authorization failed
> % Incomplete command.
>
> Here is running that same command w/o do_auth enabled:
>
> RP/0/RSP0/CPU0:asr-9010-01(config)#ipv6 access-list test permit ipv6 xx90::/16 any
> RP/0/RSP0/CPU0:asr-9010-01(config)#commit
> Thu Apr 23 09:51:35.413 UTC
> RP/0/RSP0/CPU0:asr-9010-01(config)#do sh access-lists ipv6 test
> Thu Apr 23 09:52:01.073 UTC
> ipv6 access-list test
> 10 permit ipv6 xx90::/16 any
>
> At first I thought maybe it was just the double-colons that do_auth
> doesn't like ....
>
> Here without IPv6 short-hand and with do_auth enabled:
>
> RP/0/RSP0/CPU0:asr-9010-01(config)#ipv6 access-list test permit ipv6 xx90:0:0:0:0:0:0:0/128 any
> Command authorization failed
> % Incomplete command.
> RP/0/RSP0/CPU0:asr-9010-01(config)#commit
> Thu Apr 23 10:01:45.208 UTC
> No configuration changes to commit.
>
> Here without IPv6 short-hand and do_auth disabled:
>
> RP/0/RSP0/CPU0:asr-9010-01(config)#ipv6 access-list test permit ipv6 xx90:0:0:0:0:0:0:0/128 any
> RP/0/RSP0/CPU0:asr-9010-01(config)#commit
> Thu Apr 23 10:02:30.903 UTC
> RP/0/RSP0/CPU0:asr-9010-01(config)#do sh access-lists ipv6 test
> Thu Apr 23 10:02:33.440 UTC
> ipv6 access-list test
> 10 permit ipv6 host xx90:: any
>
> But it appears that it doesn't like any colons in authorization commands.
> If I enter the ACL with "any any" it works. With do_auth enabled I don't
> get any hits in the do_auth.log for the failing command.
>
> This is happening in production, but I have set up a simple lab to play
> with using very minimal settings, and a fresh install of the daemon
> installed from source.
>
> tac_plus version:
>
> sudo /usr/local/sbin/tac_plus -v
> tac_plus version F4.0.4.28
> ACLS
> FIONBIO
> LIBWRAP
> LINUX
> LITTLE_ENDIAN
> LOG_DAEMON
> NO_PWAGE
> REAPCHILD
> REAPSIGIGN
> RETSIGTYPE RETSIGTYPE
> SHADOW_PASSWORDS
> SIGTSTP
> SIGTTIN
> SIGTTOU
> SO_REUSEADDR
> STRERROR
> TAC_PLUS_PORT
> UENABLE
> __STDC__
>
>
> Here is my tac_plus.conf file:
>
> key = password
> # password should be "password" for user testuser
> default authentication = file /etc/passwd
>
> group = test {
>         default service = permit
>         service = exec {
>                 priv-lvl = 15
>                 }
>         after authorization "/usr/bin/python /usr/local/bin/do_auth.pyc -i $address -u $user -d $name -l /var/log/do_auth.log -f /etc/tacacs/do_auth.ini"
> }
>
> user = testuser {
>         member = test
> }
>
>
> And my do_auth file:
>
> DEFAULT =
>        neteng-group
>
> [neteng-group]
> host_allow =
>         .*
> device_deny =
>         10.99.0.15
> device_permit =
>         .*
> command_permit =
>         .*
>
>
> And here are AAA commands on the router:
>
> tacacs-server host 10.11.11.10 port 49
> key 7 071F205F5D1E161713
> !
> aaa group server tacacs+ mytacacs
> server 10.11.11.10
> !
> aaa authorization exec default group mytacacs none
> aaa authorization commands default group mytacacs none
> aaa authentication login default group mytacacs local
>
> Thanks!
>
> -Aaron
