[tac_plus] IPv6 ACL commands not working with do_auth and IOS-XR

Daniel Schmidt daniel.schmidt at wyo.gov
Fri Apr 24 22:01:23 UTC 2015


Can you get me a log of that failure?  Set debug to True in the code.

271 DEBUG = os.getenv('DEBUG', True)



On Fri, Apr 24, 2015 at 3:43 PM, Daniel Schmidt <daniel.schmidt at wyo.gov>
wrote:

> Hum... certainly doesn't do that on Brocade/Cisco routers/switches.  Let
> me research this a second, Aaron.
>
> On Fri, Apr 24, 2015 at 11:51 AM, Aaron Wasserott <
> aaron.wasserott at viawest.com> wrote:
>
>> I have a Cisco ASR 9000 running 4.3.2 and cannot enter some IPv6 ACL
>> commands when do_auth is enabled for that user. Tac_plus version is
>> F4.0.4.28 and do_auth.py is 1.92
>> Note: In the examples below I am using invalid addresses, but am trying
>> valid addresses in the actual commands.
>>
>> Here is the error we see when do_auth is enabled:
>>
>> RP/0/RSP0/CPU0:asr-9010-01(config)#ipv6 access-list test permit ipv6
>> xx90::/16 any
>> Command authorization failed
>> % Incomplete command.
>>
>> Here is running that same command w/o do_auth enabled:
>>
>> RP/0/RSP0/CPU0:asr-9010-01(config)#ipv6 access-list test permit ipv6
>> xx90::/16 any
>> RP/0/RSP0/CPU0:asr-9010-01(config)#commit
>> Thu Apr 23 09:51:35.413 UTC
>> RP/0/RSP0/CPU0:asr-9010-01(config)#do sh access-lists ipv6 test
>> Thu Apr 23 09:52:01.073 UTC
>> ipv6 access-list test
>> 10 permit ipv6 xx90::/16 any
>>
>> At first I thought maybe it was just the double-colons that do_auth
>> doesn't like ....
>>
>> Here without IPv6 short-hand and with do_auth enabled:
>>
>> RP/0/RSP0/CPU0:asr-9010-01(config)#ipv6 access-list test permit ipv6
>> xx90:0:0:0:0:0:0:0/128 any
>> Command authorization failed
>> % Incomplete command.
>> RP/0/RSP0/CPU0:asr-9010-01(config)#commit
>> Thu Apr 23 10:01:45.208 UTC
>> No configuration changes to commit.
>>
>> Here without IPv6 short-hand and do_auth disabled:
>>
>> RP/0/RSP0/CPU0:asr-9010-01(config)#ipv6 access-list test permit ipv6
>> xx90:0:0:0:0:0:0:0/128 any
>> RP/0/RSP0/CPU0:asr-9010-01(config)#commit
>> Thu Apr 23 10:02:30.903 UTC
>> RP/0/RSP0/CPU0:asr-9010-01(config)#do sh access-lists ipv6 test
>> Thu Apr 23 10:02:33.440 UTC
>> ipv6 access-list test
>> 10 permit ipv6 host xx90:: any
>>
>> But it appears that it doesn't like any colons in authorization commands.
>> If I enter the ACL with "any any" it works. With do_auth enabled I don't
>> get any hits in the do_auth.log for the failing command.
>>
>> This is happening in production, but I have setup a simple lab to play
>> with using very minimal settings, and a fresh install of the daemon
>> installed from source.
>>
>> tac_plus version:
>>
>> sudo /usr/local/sbin/tac_plus -v
>> tac_plus version F4.0.4.28
>> ACLS
>> FIONBIO
>> LIBWRAP
>> LINUX
>> LITTLE_ENDIAN
>> LOG_DAEMON
>> NO_PWAGE
>> REAPCHILD
>> REAPSIGIGN
>> RETSIGTYPE RETSIGTYPE
>> SHADOW_PASSWORDS
>> SIGTSTP
>> SIGTTIN
>> SIGTTOU
>> SO_REUSEADDR
>> STRERROR
>> TAC_PLUS_PORT
>> UENABLE
>> __STDC__
>>
>>
>> Here is my tac_plus.conf file:
>>
>> key = password
>> # password should be "password" for user testuser
>> default authentication = file /etc/passwd
>>
>> group = test {
>>         default service = permit
>>         service = exec {
>>                 priv-lvl = 15
>>                 }
>>         after authorization "/usr/bin/python /usr/local/bin/do_auth.pyc -i $address -u $user -d $name -l /var/log/do_auth.log -f /etc/tacacs/do_auth.ini"
>> }
>>
>> user = testuser {
>>         member = test
>> }
>>
>>
>> And my do_auth file:
>>
>> DEFAULT =
>>        neteng-group
>>
>> [neteng-group]
>> host_allow =
>>         .*
>> device_deny =
>>         10.99.0.15
>> device_permit =
>>         .*
>> command_permit =
>>         .*
>>
>>
>> And here are AAA commands on the router:
>>
>> tacacs-server host 10.11.11.10 port 49
>> key 7 071F205F5D1E161713
>> !
>> aaa group server tacacs+ mytacacs
>> server 10.11.11.10
>> !
>> aaa authorization exec default group mytacacs none
>> aaa authorization commands default group mytacacs none
>> aaa authentication login default group mytacacs local
>>
>> Thanks!
>>
>> -Aaron
>> This message contains information that may be confidential, privileged or
>> otherwise protected by law from disclosure. It is intended for the
>> exclusive use of the addressee(s). Unless you are the addressee or
>> authorized agent of the addressee, you may not review, copy, distribute or
>> disclose to anyone the message or any information contained within. If you
>> have received this message in error, please contact the sender by
>> electronic reply and immediately delete all copies of the message.
>> _______________________________________________
>> tac_plus mailing list
>> tac_plus at shrubbery.net
>> http://www.shrubbery.net/mailman/listinfo/tac_plus
>>
>
>

-- 

E-Mail to and from me, in connection with the transaction 
of public business, is subject to the Wyoming Public Records 
Act and may be disclosed to third parties.
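The failing case above is a shell-command authorization: the router sends the command as TACACS+ AV pairs, tac_plus hands them to the after-authorization script on stdin, and the script decides from the ini regexes. The block below is an added example, not do_auth.py or any other code from the thread, of how such a hook can parse those pairs and apply host/device/command rules of the shape used in the posted do_auth.ini. The AV-pair sample is constructed (it carries the IPv6 ACL line from the post with its placeholder address), the POLICY dict mirrors the [neteng-group] section, the "deny lists win over permit lists" ordering is an assumption of this example rather than a statement about do_auth's internals, and the command-line shape of main() is hypothetical.

```python
import re
import sys

# Constructed sample of what a tac_plus pre/post-authorization script receives
# on stdin for a shell command: one attribute=value pair per line. The command
# word arrives as "cmd" and every argument as its own "cmd-arg", the last one
# being the literal "<cr>". The values are the IPv6 ACL line from the post
# (with its placeholder address), not a real capture.
SAMPLE_AVPAIRS = """service=shell
cmd=ipv6
cmd-arg=access-list
cmd-arg=test
cmd-arg=permit
cmd-arg=ipv6
cmd-arg=xx90::/16
cmd-arg=any
cmd-arg=<cr>
"""

# Policy mirroring the [neteng-group] section of the do_auth.ini in the post.
# Entries are regexes matched from the start of the string (re.match); the
# "10.99.0.15" entry is kept verbatim, so its dots are wildcards.
POLICY = {
    "host_allow": [r".*"],           # user's source address (-i $address)
    "device_deny": [r"10.99.0.15"],  # NAS name/address (-d $name)
    "device_permit": [r".*"],
    "command_deny": [],
    "command_permit": [r".*"],
}

# TACACS+ separates attribute and value with "=" (mandatory) or "*" (optional).
_AVPAIR = re.compile(r"^([^=*]+)[=*](.*)$")


def parse_avpairs(text):
    """Return [(attr, value), ...]. Only the first separator splits a line,
    so values containing ':', '/' or '=' (IPv6 prefixes, URLs) stay intact."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _AVPAIR.match(line)
        if m is None:
            raise ValueError("malformed AV pair: %r" % line)
        pairs.append((m.group(1), m.group(2)))
    return pairs


def rebuild_command(pairs):
    """Join cmd and cmd-arg values back into the command line the router
    sent, dropping the trailing <cr> marker."""
    words = [v for a, v in pairs if a == "cmd"]
    words += [v for a, v in pairs if a == "cmd-arg" and v != "<cr>"]
    return " ".join(words)


def _any_match(patterns, value):
    return any(re.match(p, value) for p in patterns)


def authorize(policy, user_addr, device, avtext):
    """Return (permitted, reason). Deny lists win over permit lists (an
    assumption of this example), and a parse failure denies rather than
    silently permitting, so the hook fails closed."""
    try:
        pairs = parse_avpairs(avtext)
    except ValueError as exc:
        return False, "deny: %s" % exc
    command = rebuild_command(pairs)
    if not _any_match(policy["host_allow"], user_addr):
        return False, "deny: source %s not in host_allow" % user_addr
    if _any_match(policy["device_deny"], device):
        return False, "deny: device %s in device_deny" % device
    if not _any_match(policy["device_permit"], device):
        return False, "deny: device %s not in device_permit" % device
    if command:  # exec (shell start) requests carry no cmd; device checks only
        if _any_match(policy["command_deny"], command):
            return False, "deny: command %r in command_deny" % command
        if not _any_match(policy["command_permit"], command):
            return False, "deny: command %r not in command_permit" % command
    return True, "permit: %r on %s from %s" % (command, device, user_addr)


def main(argv):
    # Hypothetical CLI shape, in the spirit of "-i $address -u $user -d $name":
    #   auth_demo.py <user_addr> <device>   (AV pairs on stdin)
    # Exit 0 permits and 1 denies, the convention tac_plus pre/post-authorization
    # scripts use; confirm against the man page of your tac_plus release.
    user_addr, device = argv[1], argv[2]
    ok, reason = authorize(POLICY, user_addr, device, sys.stdin.read())
    sys.stderr.write(reason + "\n")  # the log line a debug run should show
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Fed the sample pairs on stdin, the script logs the reconstructed command with its double colons intact and exits 0; a device matching device_deny or a line that is not an AV pair exits 1 with the reason on stderr, which is the first thing to compare against the do_auth.log once DEBUG is on. Note that the hook's own failure mode is what decides the answer tac_plus returns; the "none" method at the end of the router's "aaa authorization commands" line only takes over when no TACACS+ server answers at all.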

