From matta at surveymonkey.com Sun Aug 2 03:01:48 2015
From: matta at surveymonkey.com (Matt Almgren)
Date: Sun, 2 Aug 2015 03:01:48 +0000
Subject: [tac_plus] Is there a config ACL to limit Client IP, not NAS IP?

Re-sending. I didn't see this make it to the list.

-- 
Matt Almgren, Sr. Networking Engineer
101 Lytton Ave., Palo Alto. CA 94301
matta at surveymonkey.com
408.499.9669

________________________________
From: Matt Almgren
Sent: Saturday, August 1, 2015 4:50 PM
To: tac_plus at shrubbery.net
Subject: Is there a config ACL to limit Client IP, not NAS IP?

I'm aware of the Host ACL usage in TACACS:

acl = TEST-ACL {
    # Permit these NAS to login via TACACS
    permit = ^10\.
}

But is there any configuration that will limit which client (i.e. rancid server) is able to authenticate with TAC+ ? I'm trying to lock down RANCID so only that server/user can login to our network equipment with certain privileges.

I think this might be feasible with do_auth, but I haven't played around with that yet.

-- 
Matt Almgren, Sr. Networking Engineer
101 Lytton Ave., Palo Alto. CA 94301
matta at surveymonkey.com
408.499.9669


From matta at surveymonkey.com Sat Aug 1 23:50:50 2015
From: matta at surveymonkey.com (Matt Almgren)
Date: Sat, 1 Aug 2015 23:50:50 +0000
Subject: [tac_plus] Is there a config ACL to limit Client IP, not NAS IP?

I'm aware of the Host ACL usage in TACACS:

acl = TEST-ACL {
    # Permit these NAS to login via TACACS
    permit = ^10\.
}

But is there any configuration that will limit which client (i.e. rancid server) is able to authenticate with TAC+ ? I'm trying to lock down RANCID so only that server/user can login to our network equipment with certain privileges.

I think this might be feasible with do_auth, but I haven't played around with that yet.

-- 
Matt Almgren, Sr. Networking Engineer
101 Lytton Ave., Palo Alto. CA 94301
matta at surveymonkey.com
408.499.9669


From alan.mckinnon at gmail.com Sun Aug 2 14:36:57 2015
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Sun, 2 Aug 2015 16:36:57 +0200
Subject: [tac_plus] Is there a config ACL to limit Client IP, not NAS IP?
Message-ID: <55BE2B09.3040504@gmail.com>

There is no way to do what you want directly in tac_plus.conf.

It's not only feasible with do_auth.py, it's fully supported and really is the way you should be moving forward.

tl;dr

tac_plus.conf is very restrictive in what it can do, and I think this is by design. So many parts of tac_plus to my mind hark back to ages ago when dialup and ppp auth were firmly in Tacacs+ radar; one of these things is the config, and it's the simplest thing possible the devs could get away with :-)

If you need to do anything more (and these days everyone needs to do much much more), you are supposed to delegate that complex decision to a callout, and this is what do_auth.py does.

For instance, it is entirely reasonable to limit rancid logins to your rancid servers only, or for your support people to be in more than one group, or trusted folks can enable on anything except your Nexus (NetOps only). tac_plus.conf can't do any of these, do_auth can do all of them and more.

On 02/08/2015 01:50, Matt Almgren wrote:
> I'm aware of the Host ACL usage in TACACS:
>
> acl = TEST-ACL {
>     # Permit these NAS to login via TACACS
>     permit = ^10\.
> }
>
> But is there any configuration that will limit which client (i.e. rancid server) is able to authenticate with TAC+ ? I'm trying to lock down RANCID so only that server/user can login to our network equipment with certain privileges.
>
> I think this might be feasible with do_auth, but I haven't played around with that yet.
>
> --
> Matt Almgren, Sr. Networking Engineer
> 101 Lytton Ave., Palo Alto. CA 94301
> matta at surveymonkey.com
> 408.499.9669
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus

-- 
Alan McKinnon
alan.mckinnon at gmail.com


From john at op-sec.us Sun Aug 2 17:53:21 2015
From: john at op-sec.us (John Fraizer)
Date: Sun, 2 Aug 2015 10:53:21 -0700
Subject: [tac_plus] Is there a config ACL to limit Client IP, not NAS IP?
In-Reply-To: <55BE2B09.3040504@gmail.com>
References: <55BE2B09.3040504@gmail.com>

+1 do_auth.py

-- 
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/

On Sun, Aug 2, 2015 at 7:36 AM, Alan McKinnon wrote:
> There is no way to do what you want directly in tac_plus.conf.
>
> It's not only feasible with do_auth.py, it's fully supported and really
> is the way you should be moving forward.
>
> tl;dr
>
> tac_plus.conf is very restrictive in what it can do, and I think this is
> by design. So many parts of tac_plus to my mind hark back to ages ago
> when dialup and ppp auth were firmly in Tacacs+ radar, one of these
> things is the config, and it's the simplest thing possible the devs
> could get away with :-)
>
> If you need to do anything more (and these days everyone needs to do
> much much more), you are supposed to delegate that complex decision to a
> callout, and this is what do_auth.py does
>
> For instance, it is entirely reasonable to limit rancid logins to your
> rancid servers only, or for your support people to be in more than one
> group, or trusted folks can enable on anything except your Nexus (NetOps
> only). tac_plus.conf can't do any of these, do_auth can do all of them
> and more.
>
> On 02/08/2015 01:50, Matt Almgren wrote:
>> I'm aware of the Host ACL usage in TACACS:
>>
>> acl = TEST-ACL {
>>     # Permit these NAS to login via TACACS
>>     permit = ^10\.
>> }
>>
>> But is there any configuration that will limit which client (i.e. rancid server) is able to authenticate with TAC+ ? I'm trying to lock down RANCID so only that server/user can login to our network equipment with certain privileges.
>>
>> I think this might be feasible with do_auth, but I haven't played around with that yet.
>>
>> --
>> Matt Almgren, Sr. Networking Engineer
>> 101 Lytton Ave., Palo Alto. CA 94301
>> matta at surveymonkey.com
>> 408.499.9669
>
> --
> Alan McKinnon
> alan.mckinnon at gmail.com


From matta at surveymonkey.com Tue Aug 4 22:12:58 2015
From: matta at surveymonkey.com (Matt Almgren)
Date: Tue, 4 Aug 2015 22:12:58 +0000
Subject: [tac_plus] do_auth not parsing config file

Ok, I've taken the do_auth leap to try and secure our rancid logins.

I've added this line to the end of the rancid group within tac_plus.conf:

after authorization "/usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini"

And I have a simple/default do_auth.ini file:

rancid =
fewcommands

[fewcommands]
host_allow =
.*
device_permit =
.*
command_permit =
show users
show int.*
show ip int.*
show controllers.*
show conf.*

But I seem to be getting these errors in the do_auth.log. I checked and the file exists and seems permissions are ok:

root at sjc-nettools01:~/tacacs-do_auth# more log.txt
2015-08-03 15:09:00,229 [CRITICAL]: Can't open/parse config file: '/root/tacacs-do_auth/do_auth.ini'
2015-08-03 15:16:18,673 [CRITICAL]: Can't open/parse config file: '/root/tacacs-do_auth/do_auth.ini'
2015-08-03 15:16:40,629 [CRITICAL]: Can't open/parse config file: '/root/tacacs-do_auth/do_auth.ini'
2015-08-04 14:57:49,990 [CRITICAL]: Can't open/parse config file: '/root/tacacs-do_auth/do_auth.ini'
root at sjc-nettools01:~/tacacs-do_auth# ls -lrt /root/tacacs-do_auth/do_auth.ini
-rw-r--r-- 1 root root 343 Aug 3 15:25 /root/tacacs-do_auth/do_auth.ini
root at sjc-nettools01:~/tacacs-do_auth#

tac_plus.log:

Tue Aug 4 15:10:36 2015 [2950]: After authorization call: /usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini
Tue Aug 4 15:10:36 2015 [2950]: substitute: /usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini
Tue Aug 4 15:10:36 2015 [2950]: Dollar substitution: /usr/bin/python /root/tacacs-do_auth/do_auth.py -i 10.1.21.1 -u rancid -d 10.1.0.8 -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini
Tue Aug 4 15:10:36 2015 [2950]: input service=junos-exec
Tue Aug 4 15:10:36 2015 [2950]: input local-user-name=remote-rancid
Tue Aug 4 15:10:36 2015 [2950]: pid 2951 child exited status 1
Tue Aug 4 15:10:36 2015 [2950]: cmd /usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini returns 1 (unconditional deny)
Tue Aug 4 15:10:36 2015 [2950]: authorization query for 'rancid' unknown from 10.1.0.8 rejected
Tue Aug 4 15:10:36 2015 [2953]: connect from 10.1.0.8 [10.1.0.8]

I wish it would output more debugs, but that's all I got to go on.

Anybody see this before?

From alan.mckinnon at gmail.com Wed Aug 5 06:53:42 2015
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Wed, 5 Aug 2015 08:53:42 +0200
Subject: [tac_plus] do_auth not parsing config file
Message-ID: <55C1B2F6.5000805@gmail.com>

On 05/08/2015 00:12, Matt Almgren wrote:
> Ok, I've taken the do_auth leap to try and secure our rancid logins.
>
> I've added this line to the end of the rancid group within tac_plus.conf:
>
> after authorization "/usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini"
>
> And I have a simple/default do_auth.ini file:
>
> rancid =
> fewcommands
>
> [fewcommands]
> host_allow =
> .*
> device_permit =
> .*
> command_permit =
> show users
> show int.*
> show ip int.*
> show controllers.*
> show conf.*
>
> But I seem to be getting these errors in the do_auth.log. I checked and the file exists and seems permissions are ok:
>
> root at sjc-nettools01:~/tacacs-do_auth# more log.txt
> 2015-08-03 15:09:00,229 [CRITICAL]: Can't open/parse config file: '/root/tacacs-do_auth/do_auth.ini'
> 2015-08-03 15:16:18,673 [CRITICAL]: Can't open/parse config file: '/root/tacacs-do_auth/do_auth.ini'
> 2015-08-03 15:16:40,629 [CRITICAL]: Can't open/parse config file: '/root/tacacs-do_auth/do_auth.ini'
> 2015-08-04 14:57:49,990 [CRITICAL]: Can't open/parse config file: '/root/tacacs-do_auth/do_auth.ini'
> root at sjc-nettools01:~/tacacs-do_auth# ls -lrt /root/tacacs-do_auth/do_auth.ini
> -rw-r--r-- 1 root root 343 Aug 3 15:25 /root/tacacs-do_auth/do_auth.ini
> root at sjc-nettools01:~/tacacs-do_auth#
>
> tac_plus.log:
>
> Tue Aug 4 15:10:36 2015 [2950]: After authorization call: /usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini
> Tue Aug 4 15:10:36 2015 [2950]: substitute: /usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini
> Tue Aug 4 15:10:36 2015 [2950]: Dollar substitution: /usr/bin/python /root/tacacs-do_auth/do_auth.py -i 10.1.21.1 -u rancid -d 10.1.0.8 -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini
> Tue Aug 4 15:10:36 2015 [2950]: input service=junos-exec
> Tue Aug 4 15:10:36 2015 [2950]: input local-user-name=remote-rancid
> Tue Aug 4 15:10:36 2015 [2950]: pid 2951 child exited status 1
> Tue Aug 4 15:10:36 2015 [2950]: cmd /usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini returns 1 (unconditional deny)
> Tue Aug 4 15:10:36 2015 [2950]: authorization query for 'rancid' unknown from 10.1.0.8 rejected
> Tue Aug 4 15:10:36 2015 [2953]: connect from 10.1.0.8 [10.1.0.8]
>
> I wish it would output more debugs, but that's all I got to go on.
>
> Anybody see this before?

do-auth is launched by tac_plus and so runs as that user.

Are you running tac_plus as root, or do you drop privs?

-- 
Alan McKinnon
alan.mckinnon at gmail.com


From alan.mckinnon at gmail.com Wed Aug 5 11:57:05 2015
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Wed, 5 Aug 2015 13:57:05 +0200
Subject: [tac_plus] do_auth not parsing config file
References: <55C1B2F6.5000805@gmail.com>
Message-ID: <55C1FA11.2010200@gmail.com>

Then it's the "parse" part of the error that is causing issues, not the "open" part. Python is very picky about the structure of .ini files, especially with respect to indentation.

Your post shows ".*" in the permit/allow sections to be indented; I had assumed that was mail client pasting issues. Make sure those are indented the same as the commands higher up.

https://github.com/jathanism/do_auth#do_authini is a good template

On 05/08/2015 09:52, Matt Almgren wrote:
> Tac_plus is running as root on this particular server.
>
> The permissions on the ini file are that of root, so I'm not sure why it's not able to open it.
>
> I can open it as root and edit it.
>
> -- Matt
>
> ________________________________________
> From: tac_plus on behalf of Alan McKinnon
> Sent: Tuesday, August 4, 2015 11:53 PM
> To: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] do_auth not parsing config file
>
> On 05/08/2015 00:12, Matt Almgren wrote:
>> Ok, I've taken the do_auth leap to try and secure our rancid logins.
>>
>> I've added this line to the end of the rancid group within tac_plus.conf:
>>
>> after authorization "/usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini"
>>
>> And I have a simple/default do_auth.ini file:
>>
>> rancid =
>> fewcommands
>>
>> [fewcommands]
>> host_allow =
>> .*
>> device_permit =
>> .*
>> command_permit =
>> show users
>> show int.*
>> show ip int.*
>> show controllers.*
>> show conf.*
>>
>> But I seem to be getting these errors in the do_auth.log. I checked and the file exists and seems permissions are ok:
>>
>> root at sjc-nettools01:~/tacacs-do_auth# more log.txt
>> 2015-08-03 15:09:00,229 [CRITICAL]: Can't open/parse config file: '/root/tacacs-do_auth/do_auth.ini'
>> 2015-08-03 15:16:18,673 [CRITICAL]: Can't open/parse config file: '/root/tacacs-do_auth/do_auth.ini'
>> 2015-08-03 15:16:40,629 [CRITICAL]: Can't open/parse config file: '/root/tacacs-do_auth/do_auth.ini'
>> 2015-08-04 14:57:49,990 [CRITICAL]: Can't open/parse config file: '/root/tacacs-do_auth/do_auth.ini'
>> root at sjc-nettools01:~/tacacs-do_auth# ls -lrt /root/tacacs-do_auth/do_auth.ini
>> -rw-r--r-- 1 root root 343 Aug 3 15:25 /root/tacacs-do_auth/do_auth.ini
>> root at sjc-nettools01:~/tacacs-do_auth#
>>
>> tac_plus.log:
>>
>> Tue Aug 4 15:10:36 2015 [2950]: After authorization call: /usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini
>> Tue Aug 4 15:10:36 2015 [2950]: substitute: /usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini
>> Tue Aug 4 15:10:36 2015 [2950]: Dollar substitution: /usr/bin/python /root/tacacs-do_auth/do_auth.py -i 10.1.21.1 -u rancid -d 10.1.0.8 -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini
>> Tue Aug 4 15:10:36 2015 [2950]: input service=junos-exec
>> Tue Aug 4 15:10:36 2015 [2950]: input local-user-name=remote-rancid
>> Tue Aug 4 15:10:36 2015 [2950]: pid 2951 child exited status 1
>> Tue Aug 4 15:10:36 2015 [2950]: cmd /usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini returns 1 (unconditional deny)
>> Tue Aug 4 15:10:36 2015 [2950]: authorization query for 'rancid' unknown from 10.1.0.8 rejected
>> Tue Aug 4 15:10:36 2015 [2953]: connect from 10.1.0.8 [10.1.0.8]
>>
>> I wish it would output more debugs, but that's all I got to go on.
>>
>> Anybody see this before?
>
> do-auth is launched by tac_plus and so runs as that user.
>
> Are you running tac_plus as root, or do you drop privs?
>
> --
> Alan McKinnon
> alan.mckinnon at gmail.com

-- 
Alan McKinnon
alan.mckinnon at gmail.com


From matta at surveymonkey.com Wed Aug 5 07:52:29 2015
From: matta at surveymonkey.com (Matt Almgren)
Date: Wed, 5 Aug 2015 07:52:29 +0000
Subject: [tac_plus] do_auth not parsing config file
In-Reply-To: <55C1B2F6.5000805@gmail.com>
References: <55C1B2F6.5000805@gmail.com>

Tac_plus is running as root on this particular server.

The permissions on the ini file are that of root, so I'm not sure why it's not able to open it.

I can open it as root and edit it.

-- Matt

________________________________________
From: tac_plus on behalf of Alan McKinnon
Sent: Tuesday, August 4, 2015 11:53 PM
To: tac_plus at shrubbery.net
Subject: Re: [tac_plus] do_auth not parsing config file

On 05/08/2015 00:12, Matt Almgren wrote:
> Ok, I've taken the do_auth leap to try and secure our rancid logins.
>
> I've added this line to the end of the rancid group within tac_plus.conf:
>
> after authorization "/usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini"
>
> And I have a simple/default do_auth.ini file:
>
> rancid =
> fewcommands
>
> [fewcommands]
> host_allow =
> .*
> device_permit =
> .*
> command_permit =
> show users
> show int.*
> show ip int.*
> show controllers.*
> show conf.*
>
> But I seem to be getting these errors in the do_auth.log. I checked and the file exists and seems permissions are ok:
>
> root at sjc-nettools01:~/tacacs-do_auth# more log.txt
> 2015-08-03 15:09:00,229 [CRITICAL]: Can't open/parse config file: '/root/tacacs-do_auth/do_auth.ini'
> 2015-08-03 15:16:18,673 [CRITICAL]: Can't open/parse config file: '/root/tacacs-do_auth/do_auth.ini'
> 2015-08-03 15:16:40,629 [CRITICAL]: Can't open/parse config file: '/root/tacacs-do_auth/do_auth.ini'
> 2015-08-04 14:57:49,990 [CRITICAL]: Can't open/parse config file: '/root/tacacs-do_auth/do_auth.ini'
> root at sjc-nettools01:~/tacacs-do_auth# ls -lrt /root/tacacs-do_auth/do_auth.ini
> -rw-r--r-- 1 root root 343 Aug 3 15:25 /root/tacacs-do_auth/do_auth.ini
> root at sjc-nettools01:~/tacacs-do_auth#
>
> tac_plus.log:
>
> Tue Aug 4 15:10:36 2015 [2950]: After authorization call: /usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini
> Tue Aug 4 15:10:36 2015 [2950]: substitute: /usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini
> Tue Aug 4 15:10:36 2015 [2950]: Dollar substitution: /usr/bin/python /root/tacacs-do_auth/do_auth.py -i 10.1.21.1 -u rancid -d 10.1.0.8 -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini
> Tue Aug 4 15:10:36 2015 [2950]: input service=junos-exec
> Tue Aug 4 15:10:36 2015 [2950]: input local-user-name=remote-rancid
> Tue Aug 4 15:10:36 2015 [2950]: pid 2951 child exited status 1
> Tue Aug 4 15:10:36 2015 [2950]: cmd /usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini returns 1 (unconditional deny)
> Tue Aug 4 15:10:36 2015 [2950]: authorization query for 'rancid' unknown from 10.1.0.8 rejected
> Tue Aug 4 15:10:36 2015 [2953]: connect from 10.1.0.8 [10.1.0.8]
>
> I wish it would output more debugs, but that's all I got to go on.
>
> Anybody see this before?

do-auth is launched by tac_plus and so runs as that user.

Are you running tac_plus as root, or do you drop privs?

-- 
Alan McKinnon
alan.mckinnon at gmail.com


From john at op-sec.us Wed Aug 5 21:39:56 2015
From: john at op-sec.us (John Fraizer)
Date: Wed, 5 Aug 2015 14:39:56 -0700
Subject: [tac_plus] do_auth not parsing config file

Matt,

You're missing some stuff... Specifically, you're missing the [users] section heading.

Try this:

[users]
rancid =
    rancid_group

[rancid_group]
host_deny =
host_allow =
    .*
device_deny =
device_permit =
    .*
command_deny =
    enable password.*
    enable secret.*
command_permit =
    show.*
    dir.*
    more.*
    copy .*
    terminal .*
    enable.*
    write t.*
    set length .*
    set logging session disable.*
    exit.*
av_pairs =
    priv-lvl=15
    shell:roles="network-admin vdc-admin"
    local-user-name = remote
    allow-commands = (.*copy .*)|(.*show .*)|(.*write .*)|(.*exit)
    deny-commands = .*
    allow-configuration =
    deny-configuration =

And for your rancid group in tac_plus.conf, try:

group = randid_group {
    default service = permit
    service = exec {
        priv-lvl = 1
        optional idletime = 30
        optional acl = 2
        shell:roles="\"network-operator vdc-operator\""
    }
    service = junos-exec {
        bug-fix = "first pair is lost"
        local-user-name = "remote"
        allow-commands = "(.*exit)|(show cli auth.*)"
        deny-commands = ".*"
        allow-configuration = ""
        deny-configuration = ""
    }
    after authorization "/usr/bin/python /root/tacacs-do_auth/do_auth.py -i $address -u $user -d $name -l /root/tacacs-do_auth/log.txt -f /root/tacacs-do_auth/do_auth.ini"
}

I'm using this *exact* do_auth.ini config for RANCID in our network with devices ranging the spectrum of Cisco CatOS, IOS, IOS-XR, NX-OS, Arista EOS, and Juniper.

Note: My TAC_PLUS is patched to only send PASS_ADD and never send PASS_REPL. I posted my patch to this list a couple of weeks ago. You may or may not need that patch to successfully use do_auth.py with your network devices.

The error you're seeing is based on the lack of the "[users]" header in your do_auth.ini file though.

-- 
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/

On Tue, Aug 4, 2015 at 3:12 PM, Matt Almgren wrote:
> rancid =
> fewcommands
>
> [fewcommands]
> host_allow =
> .*
> device_permit =
> .*
> command_permit =
> show users
> show int.*
> show ip int.*
> show controllers.*
> show conf.*
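Added example (not do_auth's own code): a configparser walk-through of the two failure modes this thread turns on, the missing [users] header and value lines that are not indented, followed by a simplified model of do_auth's group evaluation (host_allow/device_permit/command_permit, one regex per line). The .ini texts are constructed from the thread's file, host_allow is narrowed to the rancid server's $address (10.1.21.1 in the tac_plus.log above), and anchored re.match per line is an assumption about do_auth's matching, not a fact taken from its source.

```python
"""Why do_auth logs "Can't open/parse config file" for the thread's .ini,
and what the fixed file authorizes. Added example; assumes do_auth matches
each rule line with an anchored regex (re.match)."""
import configparser
import re

# Constructed: the thread's file. "rancid =" appears before any [section],
# which configparser rejects outright (MissingSectionHeaderError).
BROKEN_INI = r"""
rancid =
    fewcommands

[fewcommands]
host_allow =
    .*
device_permit =
    .*
command_permit =
    show users
    show int.*
"""

# Constructed: [users] present, but the value lines are not indented, so
# configparser reads ".*" as a new option with no "=" (ParsingError).
UNINDENTED_INI = r"""
[users]
rancid =
    fewcommands

[fewcommands]
host_allow =
.*
device_permit =
.*
command_permit =
show users
"""

# Constructed: the same policy in the form do_auth expects, with host_allow
# pinned to the rancid server's client address from the thread's log.
FIXED_INI = r"""
[users]
rancid =
    fewcommands

[fewcommands]
host_allow =
    ^10\.1\.21\.1$
device_permit =
    .*
command_permit =
    show users
    show int.*
    show ip int.*
    show controllers.*
    show conf.*
"""


def parse_ini(text):
    """Return a ConfigParser, or None on any parse error (do_auth's CRITICAL path)."""
    cp = configparser.ConfigParser()
    try:
        cp.read_string(text)
    except configparser.Error:          # MissingSectionHeaderError, ParsingError, ...
        return None
    return cp


def rule_lines(cp, section, key):
    """Split an indented multi-line value into its non-empty regex lines."""
    if not cp.has_option(section, key):
        return []
    return [l.strip() for l in cp.get(section, key).splitlines() if l.strip()]


def any_match(patterns, value):
    # Assumption: anchored match, so "^10\.1\.21\.1$" does not match 10.1.21.10.
    return any(re.match(p, value) is not None for p in patterns)


def authorize(cp, user, client_ip, device, command=None):
    """First group of the user whose host/device rules accept decides."""
    if not cp.has_option("users", user):
        return False
    for group in rule_lines(cp, "users", user):
        if not cp.has_section(group):
            continue
        if any_match(rule_lines(cp, group, "host_deny"), client_ip):
            continue
        if not any_match(rule_lines(cp, group, "host_allow"), client_ip):
            continue
        if any_match(rule_lines(cp, group, "device_deny"), device):
            continue
        if not any_match(rule_lines(cp, group, "device_permit"), device):
            continue
        if command is None:                       # exec authorization only
            return True
        if any_match(rule_lines(cp, group, "command_deny"), command):
            return False
        return any_match(rule_lines(cp, group, "command_permit"), command)
    return False


def check(ini_text, user, client_ip, device, command=None):
    """Parse then authorize; a file that fails to parse denies everything."""
    cp = parse_ini(ini_text)
    return False if cp is None else authorize(cp, user, client_ip, device, command)


if __name__ == "__main__":
    for name, text in [("broken", BROKEN_INI), ("unindented", UNINDENTED_INI), ("fixed", FIXED_INI)]:
        print(name, "parses:", parse_ini(text) is not None)
    print("rancid from 10.1.21.1:", check(FIXED_INI, "rancid", "10.1.21.1", "10.1.0.8"))
    print("rancid from 10.1.21.10:", check(FIXED_INI, "rancid", "10.1.21.10", "10.1.0.8"))
    print("show ip int brief:", check(FIXED_INI, "rancid", "10.1.21.1", "10.1.0.8", "show ip interface brief"))
```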

From Kevin.Cruse at Instinet.com Thu Aug 6 16:10:48 2015
From: Kevin.Cruse at Instinet.com (Kevin.Cruse at Instinet.com)
Date: Thu, 6 Aug 2015 12:10:48 -0400
Subject: [tac_plus] Cisco Nexus Authorization problem
In-Reply-To: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B94B85@mbx030-w1-co-6.exch030.domain.local>
References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B92A28@mbx030-w1-co-6.exch030.domain.local> <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B94B85@mbx030-w1-co-6.exch030.domain.local>

Hey Aaron,

Sorry to keep bothering you - I am pulling my hair out trying to get this working!! I scrapped the mavvis version and installed the native version of tac_plus (tac_plus version F4.0.4.28) and authorization seems to fail for devices, here is my config. Do you see something amiss? I also tried getting 'do_auth' to work but that doesn't work either.

Arista1#sh run | i aaa
aaa group server tacacs+ CiscoACS
aaa authentication login default group CiscoACS local
aaa authorization exec default group CiscoACS none
aaa authorization commands 0-14 default group CiscoACS local
aaa authorization commands 15 default group CiscoACS none
aaa accounting exec default start-stop group CiscoACS
aaa accounting commands all default start-stop group CiscoACS
no aaa root
Arista1#

group = snm {
    default service = deny
    default service = exec {
        priv-lvl = 15
    }
    cmd = show {
        permit ip
        permit interface
    }
    cmd = configure {
        deny .*
    }
    cmd = clear {
        permit "counters"
        permit "qos stat"
        permit "mls qos int"
    }
    cmd = disable {
        permit .*
    }
    cmd = enable {
        permit .*
    }
    cmd = end {
        permit .*
    }
    cmd = exit {
        permit .*
    }
    cmd = logout {
        permit .*
    }
    cmd = ping {
        permit .*
    }
    cmd = set {
        permit "length 0"
    }
    cmd = show {
        deny "controllers vip"
        permit .*
    }
    cmd = skip-page-display {
        permit .*
    }
    cmd = terminal {
        permit "length 0"
    }
    cmd = write {
        permit "network"
        permit "terminal"
        permit "memory"
    }
}

user = testuser {
    login = PAM
    member = snm
}

!!! router allows commands which should be denied !!

Arista1 login: testuser
Password:
Last login: Thu Aug 6 16:12:19 on ttyS0
Arista1>en
Password:
Arista1#configure terminal                  <-------- Should be denied
Arista1(config)#interface ethernet 10       <----------- Should be denied
Arista1(config-if-Et10)#shut                <----------- Should be denied
Arista1(config-if-Et10)#no shut             <----------- Should be denied
Arista1(config-if-Et10)#end
Arista1#

!!! SAME EXAMPLE WITH DO_AUTH

group = snm {
    default service = deny
    default service = exec {
        priv-lvl = 15
    }
    cmd = show {
        permit ip
        permit interface
    }
    cmd = configure {
        deny .*
    }
    cmd = clear {
        permit "counters"
        permit "qos stat"
        permit "mls qos int"
    }
    cmd = disable {
        permit .*
    }
    cmd = enable {
        permit .*
    }
    cmd = end {
        permit .*
    }
    cmd = exit {
        permit .*
    }
    cmd = logout {
        permit .*
    }
    cmd = ping {
        permit .*
    }
    cmd = set {
        permit "length 0"
    }
    cmd = show {
        deny "controllers vip"
        permit .*
    }
    cmd = skip-page-display {
        permit .*
    }
    cmd = terminal {
        permit "length 0"
    }
    cmd = write {
        permit "network"
        permit "terminal"
        permit "memory"
    }
    after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.pyc -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini"
}

Arista1 login: testuser
Password:
Last login: Thu Aug 6 16:14:44 on ttyS0
Arista1>en
Password:
Arista1#configure terminal                  <-------- Should be denied
Arista1(config)#interface ethernet 10       <-------- Should be denied
Arista1(config-if-Et10)#shut                <-------- Should be denied
Arista1(config-if-Et10)#no shut
Arista1(config-if-Et10)#end
Arista1#

!! When I run the debug to do_auth it just hangs at the prompt, meaning it does not run and then hand back the prompt:

tac01 tacplus $ sudo /usr/bin/python2 /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini -D

This is what I would expect:

tac01 tacplus $ sudo /usr/bin/python2 /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini -D
tac01 tacplus $

!! do_auth.ini

tac01 tacplus $ cat do_auth.ini
[users]
kcruse =
    snm

[snm]
command_deny =
    configure .*
    terminal .*
    interface .*
    shutdown .*
command_permit =
    show.*
hcvmtac01 tacplus $

From: Aaron Wasserott
To: "Kevin.Cruse at Instinet.com"
Cc: "tac_plus at shrubbery.net"
Date: 07/22/2015 03:28 PM
Subject: RE: [tac_plus] Cisco Nexus Authorization problem

Kevin,

I just tested this and it works for me. User can run show commands, but not enter conf t mode. Arista DCS-7050S-52-R running code 4.8.3.

In production we run do_auth. It comes bundled with the latest version of tac_plus and makes tweaking authorization a lot easier. It's more scalable, syntax is cleaner, and it has its own authorization logs which are easier to read.

# tac_plus.conf
group = tier1 {
    default service = permit
    login = PAM
    pap = PAM
    default command = deny
    cmd = show {permit .*}
    service = exec {
        priv-lvl = 15
    }
    service = raccess {
        priv-lvl = 0
    }
}

user = first.last {
    member = tier1
}

# switch AAA commands
aaa group server tacacs+ TacGroup
aaa authentication login default group TacGroup local
aaa authorization exec default group TacGroup none
aaa authorization commands 15 default group TacGroup none
aaa accounting exec default start-stop group TacGroup
aaa accounting commands 15 default start-stop group TacGroup
no aaa root

-Aaron

From: Kevin.Cruse at Instinet.com [mailto:Kevin.Cruse at Instinet.com]
Sent: Wednesday, July 22, 2015 12:44 PM
To: Aaron Wasserott
Cc: tac_plus at shrubbery.net
Subject: RE: [tac_plus] Cisco Nexus Authorization problem

Aaron

Do you have experience with Arista? It seems I am having a similar problem with this device. Authentication works fine, but once I login and send the enable password I can run any command I'd like. It's not restricting access to my preconfigured commands:

Arista1#sh run | i aaa
aaa group server tacacs+ CiscoACS
aaa authentication login default group CiscoACS local
aaa authorization exec default group CiscoACS local
aaa authorization commands all default group CiscoACS local
aaa accounting exec default start-stop group CiscoACS
aaa accounting commands all default start-stop group CiscoACS
no aaa root

-----
user = testuser {
    login = clear "test123"
    pap = clear "test123"
    member = snm
}

group = snm {
    default service = deny
    service = shell {
        set shell:roles="\"network-admin\""
        default command = deny
        default attribute = deny
        set priv-lvl = 15
        cmd = configure {deny .*}
        cmd = clear {
            permit "counters"
            permit "qos stat"
            permit "mls qos int"
        }
        cmd = disable {permit .*}
        cmd = enable {permit .*}
        cmd = end {permit .*}
        cmd = exit {permit .*}
        cmd = logout {permit .*}
        cmd = ping {permit .*}
        cmd = set {
            permit "length 0"
        }
        cmd = show {
            deny "controllers vip"
            permit .*
        }
        cmd = skip-page-display {permit .*}
        cmd = terminal {
            permit "length 0"
        }
        cmd = write {
            permit "network"
            permit "terminal"
            permit "memory"
        }
    }
}
----

Arista1 login: testuser
Password:
Last login: Wed Jul 22 18:49:42 on ttyS0
Arista1>en
Password:
Arista1#conf t                          <--- This command should be restricted
Arista1(config)#interface eth 10        <--- This command should be restricted
Arista1(config-if-Et10)#shut            <--- This command should be restricted
Arista1(config-if-Et10)#end
Arista1#exit

From: Aaron Wasserott
To: "Kevin.Cruse at Instinet.com", "tac_plus at shrubbery.net"
Date: 07/16/2015 09:26 PM
Subject: RE: [tac_plus] Cisco Nexus Authorization problem

Try changing "service = shell" to "service = exec" and see if that works. I have NX-OS working fine using that.

Also, I have never seen the shell service used in real-world examples for network devices. But reading the manpage it appears it should work to prevent them from entering configuration mode, as long as your AAA commands are set right.

    service=shell for exec startup, and also for command authorizations.
    Requires: aaa authorization exec tacacs+

Whether authorization happens, and at which prompt level, depends on the aaa authorization settings. It's possible to only restrict exec level commands, and prevent them from entering the 'conf t' command. But if you want them in conf t mode but restrict their commands at that level, you need to enable something like this:

aaa authorization config-commands default group myTacacsGroup local

If changing the service doesn't work, include the AAA commands on your NX-OS switches.

-----Original Message-----
From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Kevin.Cruse at Instinet.com
Sent: Thursday, July 16, 2015 3:40 PM
To: tac_plus at shrubbery.net
Subject: [tac_plus] Cisco Nexus Authorization problem

Hello

I have configured TACPLUS to work with a Cisco Nexus device. I am able to successfully authenticate; however, I am able to run all commands on the router. It seems the router is not restricted to the commands specified in my group config. Has anyone gotten Cisco Nexus to work properly with tacplus? I need to limit certain users and cannot get this working properly. Any help is greatly appreciated!!! Thanks.

Group Config:

group = snm {
    default service = deny
    service = shell {
        set shell:roles="\"network-admin\""
        default command = deny
        default attribute = deny
        set priv-lvl = 15
        cmd = configure {deny .*}
        cmd = clear {
            permit "counters"
            permit "qos stat"
            permit "mls qos int"
        }
        cmd = disable {permit .*}
        cmd = enable {permit .*}
        cmd = end {permit .*}
        cmd = exit {permit .*}
        cmd = logout {permit .*}
        cmd = ping {permit .*}
        cmd = set {
            permit "length 0"
        }
        cmd = show {
            deny "controllers vip"
            permit .*
        }
        cmd = skip-page-display {permit .*}
        cmd = terminal {
            permit "length 0"
        }
        cmd = write {
            permit "network"
            permit "terminal"
            permit "memory"
        }
    }
}

user = testuser {
    member = snm
}

Session output from router:

telnet labrouter
Trying labrouter...
Connected to labrouter.
Escape character is '^]'.

User Access Verification
login: testuser
Password:
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2014, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
LABROUTER# configure                          <---- This should be denied
Enter configuration commands, one per line. End with CNTL/Z.
LABROUTER(config)# interface ethernet 1/1     <---- This should be denied
LABROUTER(config-if)# shut                    <---- This should be denied
LABROUTER(config-if)# no shut                 <---- This should be denied
LABROUTER(config-if)# end
LABROUTER#
Please access the following link for important information and instructions: http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt Securities products and services are provided by locally registered brokerage subsidiaries of Instinet Incorporated: Instinet Australia Pty Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the Australian Securities & Investments Commission; Instinet Canada Limited, member IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by the Securities and Futures Commission of Hong Kong; Instinet Singapore Services Private Limited, regulated by the Monetary Authority of Singapore, trading member of The Singapore Exchange Securities Trading Private Limited and clearing member of The Central Depository (Pte) Limited; and Instinet, LLC, member SIPC. ========================================================================================================= -------------- next part -------------- An HTML attachment was scrubbed... URL: < http://www.shrubbery.net/pipermail/tac_plus/attachments/20150716/5c309608/attachment.html > _______________________________________________ tac_plus mailing list tac_plus at shrubbery.net http://www.shrubbery.net/mailman/listinfo/tac_plus This message contains information that may be confidential, privileged or otherwise protected by law from disclosure. It is intended for the exclusive use of the addressee(s). Unless you are the addressee or authorized agent of the addressee, you may not review, copy, distribute or disclose to anyone the message or any information contained within. If you have received this message in error, please contact the sender by electronic reply and immediately delete all copies of the message. ========================================================================================================= <<<< Disclaimer >>>> This message is intended solely for use by the named addressee(s). 
If you receive this transmission in error, please immediately notify the sender and destroy this message in its entirety, whether in electronic or hard copy format. Any unauthorized use (and reliance thereon), copying, disclosure, retention, or distribution of this transmission or the material in this transmission is forbidden. We reserve the right to monitor and archive electronic communications. This material does not constitute an offer or solicitation with respect to the purchase or sale of any security. It should not be construed to contain any recommendation regarding any security or strategy. Any views expressed are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. This communication is provided on an ?as is? basis. It contains material that is owned by Instinet Incorporated, its subsidiaries or its or their licensors, and may not, in whole or in part, be (i) copied, photocopied or duplicated in any form, by any means, or (ii) redistributed, posted, published, excerpted, or quoted without Instinet Incorporated's prior written consent. Please access the following link for important information and instructions: http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt Securities products and services are provided by locally registered brokerage subsidiaries of Instinet Incorporated: Instinet Australia Pty Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the Australian Securities & Investments Commission; Instinet Canada Limited, member IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by the Securities and Futures Commission of Hong Kong; Instinet Singapore Services Private Limited, regulated by the Monetary Authority of Singapore, trading member of The Singapore Exchange Securities Trading Private Limited and clearing member of The Central Depository (Pte) Limited; and Instinet, LLC, member SIPC. 
========================================================================================================= This message contains information that may be confidential, privileged or otherwise protected by law from disclosure. It is intended for the exclusive use of the addressee(s). Unless you are the addressee or authorized agent of the addressee, you may not review, copy, distribute or disclose to anyone the message or any information contained within. If you have received this message in error, please contact the sender by electronic reply and immediately delete all copies of the message. ========================================================================================================= <<<< Disclaimer >>>> This message is intended solely for use by the named addressee(s). If you receive this transmission in error, please immediately notify the sender and destroy this message in its entirety, whether in electronic or hard copy format. Any unauthorized use (and reliance thereon), copying, disclosure, retention, or distribution of this transmission or the material in this transmission is forbidden. We reserve the right to monitor and archive electronic communications. This material does not constitute an offer or solicitation with respect to the purchase or sale of any security. It should not be construed to contain any recommendation regarding any security or strategy. Any views expressed are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. This communication is provided on an ?as is? basis. It contains material that is owned by Instinet Incorporated, its subsidiaries or its or their licensors, and may not, in whole or in part, be (i) copied, photocopied or duplicated in any form, by any means, or (ii) redistributed, posted, published, excerpted, or quoted without Instinet Incorporated's prior written consent. 
Please access the following link for important information and instructions: http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt Securities products and services are provided by locally registered brokerage subsidiaries of Instinet Incorporated: Instinet Australia Pty Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the Australian Securities & Investments Commission; Instinet Canada Limited, member IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by the Securities and Futures Commission of Hong Kong; Instinet Singapore Services Private Limited, regulated by the Monetary Authority of Singapore, trading member of The Singapore Exchange Securities Trading Private Limited and clearing member of The Central Depository (Pte) Limited; and Instinet, LLC, member SIPC. ========================================================================================================= -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: graycol.gif Type: image/gif Size: 105 bytes Desc: not available URL: From Kevin.Cruse at Instinet.com Thu Aug 6 20:58:32 2015 From: Kevin.Cruse at Instinet.com (Kevin.Cruse at Instinet.com) Date: Thu, 6 Aug 2015 16:58:32 -0400 Subject: [tac_plus] Cisco Nexus Authorization problem In-Reply-To: References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B92A28@mbx030-w1-co-6.exch030.domain.local><1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B94B85@mbx030-w1-co-6.exch030.domain.local> Message-ID: tried that! arista only takes this command with no arguments: aaa authorization config-commands it still didn't work. fyi - i just tried same config with cisco router and it works perfectly, running 4.13.11M of EOS. 
From: Daniel Schmidt
To: Kevin.Cruse at instinet.com
Cc: Aaron Wasserott, "tac_plus at shrubbery.net"
Date: 08/06/2015 04:09 PM
Subject: Re: [tac_plus] Cisco Nexus Authorization problem

This part of the email looks interesting:

> But if you want them in conf t mode but restrict their commands at that level, you need to enable something like this:
>
> aaa authorization config-commands default group myTacacsGroup local

On Thu, Aug 6, 2015 at 10:10 AM, wrote:

Hey Aaron,

Sorry to keep bothering you - I am pulling my hair out trying to get this working!! I scrapped the mavvis version and installed the native version of tac_plus (tac_plus version F4.0.4.28) and authorization seems to fail for devices; here is my config. Do you see something amiss? I also tried getting 'do_auth' to work but that doesn't work either.

Arista1#sh run | i aaa
aaa group server tacacs+ CiscoACS
aaa authentication login default group CiscoACS local
aaa authorization exec default group CiscoACS none
aaa authorization commands 0-14 default group CiscoACS local
aaa authorization commands 15 default group CiscoACS none
aaa accounting exec default start-stop group CiscoACS
aaa accounting commands all default start-stop group CiscoACS
no aaa root
Arista1#

group = snm {
        default service = deny
        default
        service = exec {
                priv-lvl = 15
        }
        cmd = show {
                permit ip
                permit interface
        }
        cmd = configure {
                deny .*
        }
        cmd = clear {
                permit "counters"
                permit "qos stat"
                permit "mls qos int"
        }
        cmd = disable {
                permit .*
        }
        cmd = enable {
                permit .*
        }
        cmd = end {
                permit .*
        }
        cmd = exit {
                permit .*
        }
        cmd = logout {
                permit .*
        }
        cmd = ping {
                permit .*
        }
        cmd = set {
                permit "length 0"
        }
        cmd = show {
                deny "controllers vip"
                permit .*
        }
        cmd = skip-page-display {
                permit .*
        }
        cmd = terminal {
                permit "length 0"
        }
        cmd = write {
                permit "network"
                permit "terminal"
                permit "memory"
        }
}
user = testuser {
        login = PAM
        member = snm
}

!!! router allows commands which should be denied !!

Arista1 login: testuser
Password:
Last login: Thu Aug  6 16:12:19 on ttyS0
Arista1>en
Password:
Arista1#configure terminal                  <-------- Should be denied
Arista1(config)#interface ethernet 10       <-------- Should be denied
Arista1(config-if-Et10)#shut                <-------- Should be denied
Arista1(config-if-Et10)#no shut             <-------- Should be denied
Arista1(config-if-Et10)#end
Arista1#

!!! SAME EXAMPLE WITH DO_AUTH

group = snm {
        [same default service, service = exec and cmd blocks as in the group above]
        after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.pyc -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini"
}

Arista1 login: testuser
Password:
Last login: Thu Aug  6 16:14:44 on ttyS0
Arista1>en
Password:
Arista1#configure terminal                  <-------- Should be denied
Arista1(config)#interface ethernet 10       <-------- Should be denied
Arista1(config-if-Et10)#shut                <-------- Should be denied
Arista1(config-if-Et10)#no shut
Arista1(config-if-Et10)#end
Arista1#

!! When I run the debug to do_auth it just hangs at the prompt, meaning it does not run and then hand back the prompt:

tac01 tacplus $ sudo /usr/bin/python2 /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini -D

This is what I would expect:

tac01 tacplus $ sudo /usr/bin/python2 /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini -D
tac01 tacplus $

!! do_auth.ini

tac01 tacplus $ cat do_auth.ini
[users]
kcruse =
        snm
[snm]
command_deny =
    configure .*
    terminal .*
    interface .*
    shutdown .*
command_permit =
    show.*
hcvmtac01 tacplus $

From: Aaron Wasserott
To: "Kevin.Cruse at Instinet.com"
Cc: "tac_plus at shrubbery.net"
Date: 07/22/2015 03:28 PM
Subject: RE: [tac_plus] Cisco Nexus Authorization problem

Kevin,

I just tested this and it works for me. User can run show commands, but not enter conf t mode. Arista DCS-7050S-52-R running code 4.8.3.

In production we run do_auth. It comes bundled with the latest version of tac_plus and makes tweaking authorization a lot easier. It's more scalable, syntax is cleaner, and it has its own authorization logs which are easier to read.

# tac_plus.conf
group = tier1 {
    default service = permit
    login = PAM
    pap = PAM
    default command = deny
    cmd = show {permit .*}
    service = exec {
        priv-lvl = 15
    }
    service = raccess {
        priv-lvl = 0
    }
}
user = first.last {
    member = tier1
}

# switch AAA commands
aaa group server tacacs+ TacGroup
aaa authentication login default group TacGroup local
aaa authorization exec default group TacGroup none
aaa authorization commands 15 default group TacGroup none
aaa accounting exec default start-stop group TacGroup
aaa accounting commands 15 default start-stop group TacGroup
no aaa root

-Aaron

From: Kevin.Cruse at Instinet.com [mailto:Kevin.Cruse at Instinet.com]
Sent: Wednesday, July 22, 2015 12:44 PM
To: Aaron Wasserott
Cc: tac_plus at shrubbery.net
Subject: RE: [tac_plus] Cisco Nexus Authorization problem

Aaron

Do you have experience with Arista? It seems I am having a similar problem with this device. Authentication works fine, but once I log in and send the enable password I can run any command I'd like. It's not restricting access to my preconfigured commands:

[Arista AAA configuration, tac_plus group/user configuration and session output as quoted earlier in this thread.]
========================================================================================================= -------------- next part -------------- An HTML attachment was scrubbed... URL: < http://www.shrubbery.net/pipermail/tac_plus/attachments/20150806/4f638c2e/attachment.html > -------------- next part -------------- A non-text attachment was scrubbed... Name: graycol.gif Type: image/gif Size: 105 bytes Desc: not available URL: < http://www.shrubbery.net/pipermail/tac_plus/attachments/20150806/4f638c2e/attachment.gif > _______________________________________________ tac_plus mailing list tac_plus at shrubbery.net http://www.shrubbery.net/mailman/listinfo/tac_plus E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties. ========================================================================================================= <<<< Disclaimer >>>> This message is intended solely for use by the named addressee(s). If you receive this transmission in error, please immediately notify the sender and destroy this message in its entirety, whether in electronic or hard copy format. Any unauthorized use (and reliance thereon), copying, disclosure, retention, or distribution of this transmission or the material in this transmission is forbidden. We reserve the right to monitor and archive electronic communications. This material does not constitute an offer or solicitation with respect to the purchase or sale of any security. It should not be construed to contain any recommendation regarding any security or strategy. Any views expressed are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. This communication is provided on an ?as is? basis. 
From john at op-sec.us  Thu Aug  6 21:45:30 2015
From: john at op-sec.us (John Fraizer)
Date: Thu, 6 Aug 2015 14:45:30 -0700
Subject: [tac_plus] Cisco Nexus Authorization problem
In-Reply-To:
References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B92A28@mbx030-w1-co-6.exch030.domain.local>
	<1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B94B85@mbx030-w1-co-6.exch030.domain.local>
Message-ID:

If you provide the logs from do_auth and tac_plus, it will help us help you. ;-)

Your config for do_auth is broken though.
You have to use default service = permit with do_auth.py.

This is going to be a LONG email but it contains working example AAA configs for CatOS, IOS, IOS-XR, NX-OS, Arista EOS and Juniper JUNOS. These are the actual configs I'm using on our network. In addition, I've included working examples for tac_plus.conf and do_auth.ini that will work with these AAA configs.

Here is the config I use for Arista EOS:

tacacs-server key 7
tacacs-server host x.x.x.A
tacacs-server host x.x.x.B
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands all default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting commands all default stop-only group tacacs+
!

For CatOS:

#tacacs+
set tacacs server x.x.x.B
set tacacs server x.x.x.A primary
set tacacs directedrequest enable
set tacacs key
!
#authentication
set authentication login tacacs enable telnet primary
set authentication enable tacacs enable telnet primary
!
#accounting
set accounting exec enable stop-only tacacs+
set accounting connect enable stop-only tacacs+
set accounting system enable stop-only tacacs+
set accounting commands enable all stop-only tacacs+
!
!
#authorization
set authorization exec enable tacacs+ if-authenticated telnet
set authorization commands enable all tacacs+ if-authenticated telnet

For IOS:

aaa new-model
!
!
aaa authentication username-prompt "Local Username: "
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
aaa session-id common
!
tacacs-server host x.x.x.A
tacacs-server host x.x.x.B
tacacs-server directed-request
tacacs-server key 7
!

For IOS-XR:

tacacs source-interface Loopback0 vrf default
tacacs-server host x.x.x.A port 49
!
tacacs-server host x.x.x.B port 49
!
tacacs-server key 7
!
aaa accounting exec default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting commands default start-stop group tacacs+
aaa authorization exec default group tacacs+ local
aaa authorization commands default group tacacs+ none
aaa authentication login default group tacacs+ local

For NX-OS:

ip tacacs source-interface loopback0
tacacs-server host x.x.x.A key 7
tacacs-server host x.x.x.B key 7
aaa group server tacacs+ AAA-SERVERS
    server x.x.x.A
    server x.x.x.B
aaa authentication login default group AAA-SERVERS
aaa authorization config-commands default group AAA-SERVERS local
aaa authorization commands default group AAA-SERVERS local
aaa accounting default group AAA-SERVERS
aaa authentication login error-enable
aaa authentication login ascii-authentication

For JUNOS:

set system authentication-order tacplus
set system authentication-order password
set system tacplus-server x.x.x.A secret
set system tacplus-server x.x.x.A source-address a.b.c.d
set system tacplus-server x.x.x.B secret
set system tacplus-server x.x.x.B source-address a.b.c.d
set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting destination tacplus
set system login user remote full-name "Local template for TACACS+ authentication"
set system login user remote uid 9999
set system login user remote class super-user

And here is a working example for tac_plus version F4.0.4.28 with do_auth.py (latest 1.x version from GitHub)...

And tac_plus.conf:

#
# This is tac_plus.conf
#
key = "redacted"
logging = local7
accounting syslog
default authentication = file /etc/passwd

group = doauthaccess {
    default service = permit
    service = exec {
        priv-lvl = 1
        optional idletime = 30
        optional acl = 2
        shell:roles="\"network-operator vdc-operator\""
    }
    service = junos-exec {
        bug-fix = "first pair is lost"
        local-user-name = "remote"
        allow-commands = "(.*exit)|(show cli auth.*)"
        deny-commands = ".*"
        allow-configuration = ""
        deny-configuration = ""
    }
    after authorization "/usr/bin/python /opt/sbin/do_auth.py -i $address -u $user -d $name -l /opt/log/do_auth.log -f /opt/etc/tacacs/do_auth.ini"
}

#
# Default user - Used when no user specific stanza exists in tac_plus.conf.
#
user = DEFAULT {
    member = doauthaccess
    login = PAM
}

user = $enable$ {
    login = des
}
#
# End of tac_plus.conf
#

And for do_auth.ini:

#
# This is do_auth.ini
#
[users]
## Any user who is not a member of another group inherits
## the privs of the no_authority group.
default =
    no_authority
joeblow =
    no_aaa_commands

##############################
##                          ##
##      Default Group       ##
##  Undefined users receive ##
##  this group by default   ##
##                          ##
##############################
[no_authority]
host_deny =
host_allow =
    .*
device_deny =
device_permit =
    .*
command_deny =
command_permit =
    exit.*
av_pairs =
    priv-lvl=1
    shell:roles="network-operator vdc-operator"
    local-user-name = remote
    allow-commands = (.*exit)|(show cli auth.*)
    deny-commands = .*
    allow-configuration =
    deny-configuration =

[no_aaa_commands]
host_deny =
host_allow =
    .*
device_deny =
device_permit =
    .*
command_deny =
    aaa.*
    no aaa.*
command_permit =
    .*
av_pairs =
    priv-lvl=15
    shell:roles="network-admin vdc-admin"
    local-user-name = remote
    allow-commands = .*
    deny-commands =
    allow-configuration = .*
    deny-configuration = (.*system .*accounting.*)|(.*system login.*)|(.*system .*tacplus-options.*)|(.*system .*tacplus-server.*)
#
# End of do_auth.ini
#

These are literally copy/pasted from my operational configs with very little redaction. This config works with our very large fleet of CatOS, IOS, IOS-XR, NX-OS, EOS and JUNOS devices. If this doesn't get you going, give up... `cause there's no hope. ;-)

--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/

On Thu, Aug 6, 2015 at 9:10 AM, wrote:
> Hey Aaron,
>
> Sorry to keep bothering you - I am pulling my hair out trying to get this
> working!! I scrapped the mavvis version and installed the native version of
> tac_plus (tac_plus version F4.0.4.28) and authorization seems to fail for
> devices, here is my config. Do you see something amiss? I also tried
> getting 'do_auth' to work but that doesn't work either.
>
> Arista1#sh run | i aaa
> aaa group server tacacs+ CiscoACS
> aaa authentication login default group CiscoACS local
> aaa authorization exec default group CiscoACS none
> aaa authorization commands 0-14 default group CiscoACS local
> aaa authorization commands 15 default group CiscoACS none
> aaa accounting exec default start-stop group CiscoACS
> aaa accounting commands all default start-stop group CiscoACS
> no aaa root
> Arista1#
>
> group = snm {
>     default service = deny
>     default
>     service = exec {
>         priv-lvl = 15
>     }
>     cmd = show {
>         permit ip
>         permit interface
>     }
>     cmd = configure {
>         deny .*
>     }
>     cmd = clear {
>         permit "counters"
>         permit "qos stat"
>         permit "mls qos int"
>     }
>     cmd = disable {
>         permit .*
>     }
>     cmd = enable {
>         permit .*
>     }
>     cmd = end {
>         permit .*
>     }
>     cmd = exit {
>         permit .*
>     }
>     cmd = logout {
>         permit .*
>     }
>     cmd = ping {
>         permit .*
>     }
>     cmd = set {
>         permit "length 0"
>     }
>     cmd = show {
>         deny "controllers vip"
>         permit .*
>     }
>     cmd = skip-page-display {
>         permit .*
>     }
>     cmd = terminal {
>         permit "length 0"
>     }
>     cmd = write {
>         permit "network"
>         permit "terminal"
>         permit "memory"
>     }
> }
>
> user = testuser {
>     login = PAM
>     member = snm
> }
>
> !!! router allows commands which should be denied !!
>
> Arista1 login: testuser
> Password:
> Last login: Thu Aug 6 16:12:19 on ttyS0
> Arista1>en
> Password:
> Arista1#configure terminal                 <-------- Should be denied
> Arista1(config)#interface ethernet 10      <-------- Should be denied
> Arista1(config-if-Et10)#shut               <-------- Should be denied
> Arista1(config-if-Et10)#no shut            <-------- Should be denied
> Arista1(config-if-Et10)#end
> Arista1#
>
> !!! SAME EXAMPLE WITH DO_AUTH
>
> group = snm {
>     default service = deny
>     default
>     service = exec {
>         priv-lvl = 15
>     }
>     cmd = show {
>         permit ip
>         permit interface
>     }
>     cmd = configure {
>         deny .*
>     }
>     cmd = clear {
>         permit "counters"
>         permit "qos stat"
>         permit "mls qos int"
>     }
>     cmd = disable {
>         permit .*
>     }
>     cmd = enable {
>         permit .*
>     }
>     cmd = end {
>         permit .*
>     }
>     cmd = exit {
>         permit .*
>     }
>     cmd = logout {
>         permit .*
>     }
>     cmd = ping {
>         permit .*
>     }
>     cmd = set {
>         permit "length 0"
>     }
>     cmd = show {
>         deny "controllers vip"
>         permit .*
>     }
>     cmd = skip-page-display {
>         permit .*
>     }
>     cmd = terminal {
>         permit "length 0"
>     }
>     cmd = write {
>         permit "network"
>         permit "terminal"
>         permit "memory"
>     }
>     after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.pyc -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini"
> }
>
> Arista1 login: testuser
> Password:
> Last login: Thu Aug 6 16:14:44 on ttyS0
> Arista1>en
> Password:
> Arista1#configure terminal                 <-------- Should be denied
> Arista1(config)#interface ethernet 10      <-------- Should be denied
> Arista1(config-if-Et10)#shut               <-------- Should be denied
> Arista1(config-if-Et10)#no shut
> Arista1(config-if-Et10)#end
> Arista1#
>
> !! When I run the debug to do_auth it just hangs at prompt, meaning it does
> not run then hand back the prompt:
>
> tac01 tacplus $ sudo /usr/bin/python2 /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini -D
>
> this is what I would expect:
>
> tac01 tacplus $ sudo /usr/bin/python2 /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini -D
> tac01 tacplus $
>
> !! do_auth.ini
>
> tac01 tacplus $ cat do_auth.ini
> [users]
> kcruse =
>     snm
> [snm]
> command_deny =
>     configure .*
>     terminal .*
>     interface .*
>     shutdown .*
> command_permit =
>     show.*
> hcvmtac01 tacplus $

From daniel.schmidt at wyo.gov  Thu Aug  6 20:09:53 2015
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Thu, 6 Aug 2015 14:09:53 -0600
Subject: [tac_plus] Cisco Nexus Authorization problem
In-Reply-To:
References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B92A28@mbx030-w1-co-6.exch030.domain.local>
	<1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B94B85@mbx030-w1-co-6.exch030.domain.local>
Message-ID:

This part of the email looks interesting:

    But if you want them in conf t mode but restrict their commands at that level, you need to enable something like this:

    aaa authorization config-commands default group myTacacsGroup local

On Thu, Aug 6, 2015 at 10:10 AM, wrote:
> Hey Aaron,
>
> Sorry to keep bothering you - I am pulling my hair out trying to get this
> working!! I scrapped the mavvis version and installed the native version of
> tac_plus (tac_plus version F4.0.4.28) and authorization seems to fail for
> devices, here is my config. Do you see something amiss? I also tried
> getting 'do_auth' to work but that doesn't work either.
> [...]
>
> From: Aaron Wasserott
> To: "Kevin.Cruse at Instinet.com" ,
> Cc: "tac_plus at shrubbery.net"
> Date: 07/22/2015 03:28 PM
> Subject: RE: [tac_plus] Cisco Nexus Authorization problem
>
> Kevin,
>
> I just tested this and it works for me. User can run show commands, but not
> enter conf t mode.
>
> Arista DCS-7050S-52-R running code 4.8.3. In production we run do_auth. It
> comes bundled with the latest version of tac_plus and makes tweaking
> authorization a lot easier. It's more scalable, syntax is cleaner, and it
> has its own authorization logs which are easier to read.
>
> # tac_plus.conf
>
> group = tier1 {
>     default service = permit
>     login = PAM
>     pap = PAM
>     default command = deny
>     cmd = show {permit .*}
>     service = exec {
>         priv-lvl = 15
>     }
>     service = raccess {
>         priv-lvl = 0
>     }
> }
>
> user = first.last {
>     member = tier1
> }
>
> # switch AAA commands
> aaa group server tacacs+ TacGroup
> aaa authentication login default group TacGroup local
> aaa authorization exec default group TacGroup none
> aaa authorization commands 15 default group TacGroup none
> aaa accounting exec default start-stop group TacGroup
> aaa accounting commands 15 default start-stop group TacGroup
> no aaa root
>
> -Aaron
>
> From: Kevin.Cruse at Instinet.com [mailto:Kevin.Cruse at Instinet.com]
> Sent: Wednesday, July 22, 2015 12:44 PM
> To: Aaron Wasserott
> Cc: tac_plus at shrubbery.net
> Subject: RE: [tac_plus] Cisco Nexus Authorization problem
>
> Aaron
>
> Do you have experience with Arista? It seems I am having a similar problem
> with this device. Authentication works fine, but once I login and send the
> enable password I can run any command I'd like.
> It's not restricting access
> to my preconfigured commands:
>
> Arista1#sh run | i aaa
> aaa group server tacacs+ CiscoACS
> aaa authentication login default group CiscoACS local
> aaa authorization exec default group CiscoACS local
> aaa authorization commands all default group CiscoACS local
> aaa accounting exec default start-stop group CiscoACS
> aaa accounting commands all default start-stop group CiscoACS
> no aaa root
>
> -----
>
> user = testuser {
>     login = clear "test123"
>     pap = clear "test123"
>     member = snm
> }
>
> group = snm {
>     default service = deny
>     service = shell {
>         set shell:roles="\"network-admin\""
>         default command = deny
>         default attribute = deny
>         set priv-lvl = 15
>         cmd = configure {deny .*}
>         cmd = clear {
>             permit "counters"
>             permit "qos stat"
>             permit "mls qos int"
>         }
>         cmd = disable {permit .*}
>         cmd = enable {permit .*}
>         cmd = end {permit .*}
>         cmd = exit {permit .*}
>         cmd = logout {permit .*}
>         cmd = ping {permit .*}
>         cmd = set {
>             permit "length 0"
>         }
>         cmd = show {
>             deny "controllers vip"
>             permit .*
>         }
>         cmd = skip-page-display {permit .*}
>         cmd = terminal {
>             permit "length 0"
>         }
>         cmd = write {
>             permit "network"
>             permit "terminal"
>             permit "memory"
>         }
>     }
> }
>
> ----
>
> Arista1 login: testuser
> Password:
> Last login: Wed Jul 22 18:49:42 on ttyS0
> Arista1>en
> Password:
> Arista1#conf t                        <--- This command should be restricted
> Arista1(config)#interface eth 10      <--- This command should be restricted
> Arista1(config-if-Et10)#shut          <--- This command should be restricted
> Arista1(config-if-Et10)#end
> Arista1#exit
>
> From: Aaron Wasserott
> To: "Kevin.Cruse at Instinet.com" , "tac_plus at shrubbery.net" ,
> Date: 07/16/2015 09:26 PM
> Subject: RE: [tac_plus] Cisco Nexus Authorization problem
>
> Try changing "service = shell" to "service = exec" and see if that works. I
> have NX-OS working fine using that. Also, I have never seen the shell
> service used in real-world examples for network devices. But reading the
> manpage it appears it should work to prevent them from entering
> configuration mode, as long as your AAA commands are set right.
>
>     service=shell
>         for exec startup, and also for command authorizations.
>         Requires: aaa authorization exec tacacs+
>
> Whether authorization happens, and at which prompt level, depends on the
> aaa authorization settings. It's possible to only restrict exec level
> commands, and prevent them from entering the 'conf t' command. But if you
> want them in conf t mode but restrict their commands at that level, you
> need to enable something like this:
>
> aaa authorization config-commands default group myTacacsGroup local
>
> If changing the service doesn't work, include the AAA commands on your
> NX-OS switches.
>
> -----Original Message-----
> From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Kevin.Cruse at Instinet.com
> Sent: Thursday, July 16, 2015 3:40 PM
> To: tac_plus at shrubbery.net
> Subject: [tac_plus] Cisco Nexus Authorization problem
>
> Hello
>
> I have configured TACPLUS to work with a cisco nexus device. I am able to
> successfully authenticate, however, I am able to run all commands on the
> router. It seems the router is not restricted to the commands specified in
> my group config. Has anyone gotten Cisco nexus to work properly with
> tacplus? I need to limit certain users and cannot get this working
> properly. Any help is greatly appreciated!!! Thanks.
>
> Group Config:
>
> group = snm {
>     default service = deny
>     service = shell {
>         set shell:roles="\"network-admin\""
>         default command = deny
>         default attribute = deny
>         set priv-lvl = 15
>         cmd = configure {deny .*}
>         cmd = clear {
>             permit "counters"
>             permit "qos stat"
>             permit "mls qos int"
>         }
>         cmd = disable {permit .*}
>         cmd = enable {permit .*}
>         cmd = end {permit .*}
>         cmd = exit {permit .*}
>         cmd = logout {permit .*}
>         cmd = ping {permit .*}
>         cmd = set {
>             permit "length 0"
>         }
>         cmd = show {
>             deny "controllers vip"
>             permit .*
>         }
>         cmd = skip-page-display {permit .*}
>         cmd = terminal {
>             permit "length 0"
>         }
>         cmd = write {
>             permit "network"
>             permit "terminal"
>             permit "memory"
>         }
>     }
> }
>
> user = testuser {
>     member = snm
> }
>
> Session output from router:
>
> telnet labrouter
> Trying labrouter...
> Connected to labrouter.
> Escape character is '^]'.
> User Access Verification
> login: testuser
> Password:
> Cisco Nexus Operating System (NX-OS) Software
> TAC support: http://www.cisco.com/tac
> Copyright (c) 2002-2014, Cisco Systems, Inc. All rights reserved.
> The copyrights to certain works contained in this software are owned by
> other third parties and used and distributed under license. Certain
> components of this software are licensed under the GNU General Public
> License (GPL) version 2.0 or the GNU Lesser General Public License (LGPL)
> Version 2.1. A copy of each such license is available at
> http://www.opensource.org/licenses/gpl-2.0.php and
> http://www.opensource.org/licenses/lgpl-2.1.php
> LABROUTER# configure                                   <---- This should be denied
> Enter configuration commands, one per line. End with CNTL/Z.
> LABROUTER(config)# interface ethernet 1/1 configure > <------------------------------------------------------------ This should > be denied LABROUTER(config-if)# shut > <------------------------------------------------------------ This should > be denied LABROUTER(config-if)# no shut > <------------------------------------------------------------ This should > be denied LABROUTER(config-if)# end LABROUTER# > > > ========================================================================================================= > <<<< Disclaimer >>>> This message is intended solely for use by the > named addressee(s). If you receive this transmission in error, please > immediately notify the sender and destroy this message in its entirety, > whether in electronic or hard copy format. Any unauthorized use (and > reliance thereon), copying, disclosure, retention, or distribution of this > transmission or the material in this transmission is forbidden. We reserve > the right to monitor and archive electronic communications. This material > does not constitute an offer or solicitation with respect to the purchase > or sale of any security. It should not be construed to contain any > recommendation regarding any security or strategy. Any views expressed are > those of the individual sender, except where the message states otherwise > and the sender is authorized to state them to be the views of any such > entity. This communication is provided on an ?as is? basis. It contains > material that is owned by Instinet Incorporated, its subsidiaries or its or > their licensors, and may not, in whole or in part, be (i) copied, > photocopied or duplicated in any form, by any means, or (ii) redistributed, > posted, published, excerpted, or quoted without Instinet Incorporated's > prior written consent. 
Please access the following link for important > information and instructions: > http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt > Securities products and services are provided by locally registered > brokerage subsidiaries of Instinet Incorporated: Instinet Australia Pty > Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the Australian > Securities & Investments Commission; Instinet Canada Limited, member > IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by the > Securities and Futures Commission of Hong Kong; Instinet Singapore Services > Private Limited, regulated by the Monetary Authority of Singapore, trading > member of The Singapore Exchange Securities Trading Private Limited and > clearing member of The Central Depository (Pte) Limited; and Instinet, LLC, > member SIPC. > > > ========================================================================================================= > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: < > > http://www.shrubbery.net/pipermail/tac_plus/attachments/20150716/5c309608/attachment.html > > > _______________________________________________ > tac_plus mailing list > tac_plus at shrubbery.net > http://www.shrubbery.net/mailman/listinfo/tac_plus > This message contains information that may be confidential, privileged or > otherwise protected by law from disclosure. It is intended for the > exclusive use of the addressee(s). Unless you are the addressee or > authorized agent of the addressee, you may not review, copy, distribute or > disclose to anyone the message or any information contained within. If you > have received this message in error, please contact the sender by > electronic reply and immediately delete all copies of the message. 
--
E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.

From john at op-sec.us Thu Aug 6 22:53:43 2015
From: john at op-sec.us (John Fraizer)
Date: Thu, 6 Aug 2015 15:53:43 -0700
Subject: [tac_plus] Cisco Nexus Authorization problem
In-Reply-To:
References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B92A28@mbx030-w1-co-6.exch030.domain.local> <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B94B85@mbx030-w1-co-6.exch030.domain.local>
Message-ID:

I'm not sure when this command became available in EOS but, at least in 4.14.5F, you will get what you want with:

    aaa authorization commands all default group tacacs+ none

--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/

On Thu, Aug 6, 2015 at 1:58 PM, Kevin.Cruse at instinet.com wrote:
> Tried that! Arista only takes this command with no arguments:
>
>     aaa authorization config-commands
>
> It still didn't work.
>
> FYI, I just tried the same config with a Cisco router and it works perfectly; running 4.13.11M of EOS.
>
> > From: Daniel Schmidt
> > To: Kevin.Cruse at instinet.com
> > Cc: Aaron Wasserott, "tac_plus at shrubbery.net"
> > Date: 08/06/2015 04:09 PM
> > Subject: Re: [tac_plus] Cisco Nexus Authorization problem
> >
> > This part of the email looks interesting:
> >
> > > But if you want them in conf t mode but restrict their commands at that level, you need to enable something like this:
> > >
> > >     aaa authorization config-commands default group myTacacsGroup local

From Kevin.Cruse at Instinet.com Fri Aug 7 12:16:18 2015
From: Kevin.Cruse at Instinet.com (Kevin.Cruse at Instinet.com)
Date: Fri, 7 Aug 2015 08:16:18 -0400
Subject: [tac_plus] Cisco Nexus Authorization problem
In-Reply-To:
References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B92A28@mbx030-w1-co-6.exch030.domain.local> <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B94B85@mbx030-w1-co-6.exch030.domain.local>
Message-ID:

I will try upgrading to 4.14.5F and see what happens! Thanks.

Wondering if you are familiar with this error in do_auth execution; I am permitting exit in do_auth.ini.
It seems to be some issue with the do_auth script:

    Reading config
    Version F4.0.4.28 Initialized 1
    tac_plus server F4.0.4.28 starting
    socket FD 4 AF 2
    uid=0 euid=0 gid=0 egid=0 s=23660848
    connect from router1 [172.28.10.124]
    Start authorization request
    do_author: user='testuser'
    user 'testuser' found
    authorize_cmd: user=testuser, cmd=exit
    cmd exit does not exist, denied by default
    After authorization call: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
    substitute: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
    Dollar substitution: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u testuser -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
    pid 24672 child exited status 1
    cmd /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini returns 1 (unconditional deny)
    authorization query for 'testuser' tty130 from router1 rejected
    connect from router1 [1.1.1.1]

do_auth.ini:

    [users]
    testuser =
        snm
    [snm]
    command_deny =
        configure .*
        show controllers vip .*
    command_permit =
        show ip .*
        show interface .*
        clear counters .*
        clear qos stat .*
        clear mls qos int .*
        disable .*
        enable .*
        end .*
        exit .*
        logout .*
        ping .*
        set length .*
        show .*
        skip-page-display .*
        write network .*
        write terminal .*
        write memory .*
From john at op-sec.us Fri Aug 7 16:54:12 2015
From: john at op-sec.us (John Fraizer)
Date: Fri, 7 Aug 2015 09:54:12 -0700
Subject: [tac_plus] Cisco Nexus Authorization problem
In-Reply-To:
References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B92A28@mbx030-w1-co-6.exch030.domain.local> <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B94B85@mbx030-w1-co-6.exch030.domain.local>
Message-ID:

Here is one problem:

    cmd exit does not exist, denied by default

It looks like you've got default service = deny in your tac_plus.conf.
To use do_auth, you need default service = permit.

Your after auth line doesn't look right either:

    /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini

You're not giving it the device address or the address of the user attempting to auth. Try changing the after authorization line in tac_plus.conf to:

    after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -u $user -d $name -l /tmp/do_auth.log -f /usr/local/sbin/tacplus/do_auth.ini"

Note that this will create a do_auth-specific log in /tmp/do_auth.log but, right now, we'll need that for debugging purposes. Also remember, you'll need to restart tac_plus for this change to take effect.

Here is an example tac_plus group that I know to work properly with do_auth.py on CatOS, IOS, IOS-XR, NX-OS, EOS and JUNOS:

    group = doauthaccess {
        default service = permit
        service = exec {
            priv-lvl = 1
            optional idletime = 30
            optional acl = 2
            shell:roles="\"network-operator vdc-operator\""
        }
        service = junos-exec {
            bug-fix = "first pair is lost"
            local-user-name = "remote"
            allow-commands = "(.*exit)|(show cli auth.*)"
            deny-commands = ".*"
            allow-configuration = ""
            deny-configuration = ""
        }
        after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -u $user -d $name -l /tmp/do_auth.log -f /usr/local/sbin/tacplus/do_auth.ini"
    }

One more thing... Looking at your do_auth.ini, you seem to have a space between the commands and ".*" which should not be there. For example:

    exit .*

...should be:

    exit.*

I posted a complete working tac_plus.conf and do_auth.ini along with the AAA config I use on devices the other day. Take a look at that post as well.

--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/

On Fri, Aug 7, 2015 at 5:16 AM, Kevin.Cruse at instinet.com wrote:
> I will try upgrading to 4.14.5F and see what happens!
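The rule-matching points in John's reply above (the space in "exit .*", deny before permit, default deny when nothing matches) can be checked offline before a device sends a single request. The Python below is an added example written for this page; it is not do_auth.py and not code from the thread. It reads a do_auth.ini-style file with the same section layout (users -> groups; host_allow, device_permit, command_deny, command_permit per group) and returns the decision for a user, NAS address, source address and command. The matching semantics are assumptions that may differ from the real script: patterns are anchored at the start of the command with re.match, host_allow is tested against the user's source address (rem_addr) and device_permit against the NAS address, deny rules are consulted before permit rules, and an unmatched command is denied. The sample INI, usernames and addresses are constructed.

```python
"""Offline model of do_auth.ini-style authorization rules.

Added example for this page, not do_auth.py itself. It keeps the layout
of the do_auth.ini posted in the thread (users -> groups; each group with
host_allow, device_permit, command_deny, command_permit) so the effect of
a regex rule can be checked before a device sends a request. The matching
semantics are assumptions that may differ from the real script: patterns
are anchored at the start of the command (re.match); host_allow is tested
against the user's source address and device_permit against the NAS
address; deny rules run before permit rules; anything unmatched is denied.
"""
import configparser
import re

# Constructed config. Group snm_spaced keeps the "exit .*" spacing of the
# original post; snm_fixed uses the corrected "exit.*" form.
SAMPLE_INI = r"""
[users]
testuser =
    snm_spaced
opsuser =
    snm_fixed

[snm_spaced]
host_allow =
    .*
device_permit =
    10\..*
command_deny =
    configure .*
    show controllers vip .*
command_permit =
    show .*
    exit .*
    write memory .*

[snm_fixed]
host_allow =
    10\.12\..*
device_permit =
    10\..*
command_deny =
    configure.*
    show controllers vip.*
command_permit =
    show.*
    exit.*
    write memory.*
"""


def load_rules(text):
    """Parse the INI text; option names keep their case so usernames survive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def rule_list(cp, section, key):
    """One pattern per non-empty line of a multi-line option, or [] if absent."""
    if not cp.has_option(section, key):
        return []
    return [l.strip() for l in cp.get(section, key).splitlines() if l.strip()]


def any_match(patterns, value):
    return any(re.match(p, value) for p in patterns)


def authorize(cp, user, nas_ip, rem_addr, command):
    """Return (decision, reason); decision is 'permit' or 'deny'."""
    if not cp.has_option('users', user):
        return 'deny', 'user not in [users]'
    for group in rule_list(cp, 'users', user):
        if not any_match(rule_list(cp, group, 'host_allow'), rem_addr):
            continue                       # user's source address not allowed here
        if not any_match(rule_list(cp, group, 'device_permit'), nas_ip):
            continue                       # group does not apply to this NAS
        for rule in rule_list(cp, group, 'command_deny'):
            if re.match(rule, command):   # deny wins over any later permit
                return 'deny', f'{group}: command_deny {rule!r}'
        for rule in rule_list(cp, group, 'command_permit'):
            if re.match(rule, command):
                return 'permit', f'{group}: command_permit {rule!r}'
    return 'deny', 'no rule matched (default deny)'


if __name__ == '__main__':
    rules = load_rules(SAMPLE_INI)
    for user, nas, src, cmd in [
            ('testuser', '10.11.128.30', '10.12.144.108', 'exit'),
            ('testuser', '10.11.128.30', '10.12.144.108', 'exit now'),
            ('opsuser', '10.11.128.30', '10.12.144.108', 'exit'),
            ('opsuser', '10.11.128.30', '10.12.144.108', 'show controllers vip 1'),
            ('opsuser', '10.11.128.30', '10.12.144.108', 'show running-config'),
            ('opsuser', '10.11.128.30', '192.0.2.9', 'show version')]:
        print(f'{user:9} {src:14} {cmd:24} -> {authorize(rules, user, nas, src, cmd)}')
```

The first check reproduces the failure in the log: "exit .*" only matches when something follows the space, so a bare exit falls through to the default deny, while "exit.*" in the corrected group permits it. The "show controllers vip" check is why the deny list has to run first: the broad "show.*" permit would otherwise override it. The same breadth cuts the other way, as the "show running-config" check shows: these patterns are only anchored at the start, so anything you do not deny explicitly is permitted by "show.*". Run a table like this against every command a role is expected to type before putting the rule set in front of real devices.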
From Kevin.Cruse at Instinet.com Mon Aug 17 16:21:41 2015
From: Kevin.Cruse at Instinet.com (Kevin.Cruse at Instinet.com)
Date: Mon, 17 Aug 2015 12:21:41 -0400
Subject: [tac_plus] Cisco Nexus Authorization problem
In-Reply-To:
References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B92A28@mbx030-w1-co-6.exch030.domain.local> <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B94B85@mbx030-w1-co-6.exch030.domain.local>
Message-ID:

I am having a strange issue where Cisco devices are being authorized by do_auth properly; however, Arista devices are not. The Arista device is sending the command to tac_plus, but the daemon does not send the command to do_auth. I can confirm this since there is no update to the do_auth log when sending commands from the Arista. Any ideas? Everything seems to be working fine except Arista; this is my last hurdle!

CISCO

    connect from test.router.com [10.11.128.30]
    Waiting for packet
    Read ACCT size=137
    validation request from test.router.com
    PACKET: key=password version 192 (0xc0), type 3, seq no 1, flags 0x1
    session_id 677254324 (0x285e14b4), Data length 125 (0x7d)
    End header
    ACCT, flags=0x4 method=6 priv_lvl=1 type=1 svc=1
    user_len=6 port_len=6 rem_addr_len=14 arg_cnt=6
    User: testuser
    port: tty130
    rem_addr: 10.12.144.108
    arg[0]: size=13 task_id=41325
    arg[1]: size=12 timezone=EDT
    arg[2]: size=13 service=shell
    arg[3]: size=21 start_time=1439827839
    arg[4]: size=10 priv-lvl=0
    arg[5]: size=15 cmd=enable
    End packet
    Writing ACCT size=17
    PACKET: key=password version 192 (0xc0), type 3, seq no 2, flags 0x1
    session_id 677254324 (0x285e14b4), Data length 5 (0x5)
    End header
    ACCT/REPLY status=1 msg_len=0 data_len=0
    msg:
    data:
    End packet
    test.router.com: disconnect
    session request from test.router.com sock=5
    connect from test.router.com [10.11.128.30]
    Waiting for packet
    Read AUTHOR size=104
    validation request from test.router.com
    PACKET: key=password version 192 (0xc0), type 2, seq no 1, flags 0x1
    session_id 4255328848 (0xfda32a50), Data length 92 (0x5c)
    End header
    type=AUTHOR, priv_lvl=15, authen=1 method=none svc=0
    user_len=6 port_len=6 rem_addr_len=14 arg_cnt=4
    User: testuser
    port: tty130
    rem_addr: 10.12.144.108
    arg[0]: size=13 service=shell
    arg[1]: size=13 cmd=configure
    arg[2]: size=16 cmd-arg=terminal
    arg[3]: size=12 cmd-arg=
    End packet
    Writing AUTHOR/FAIL size=18
    PACKET: key=password version 192 (0xc0), type 2, seq no 2, flags 0x1
    session_id 4255328848 (0xfda32a50), Data length 6 (0x6)
    End header
    type=AUTHOR/REPLY status=16 (AUTHOR/FAIL) msg_len=0, data_len=0 arg_cnt=0
    msg:
    data:
    End packet
    authorization query for 'testuser' tty130 from test.router.com rejected
    test.router.com: disconnect

ARISTA

    connect from Aristalab-1.router.com [10.15.10.18]
    Waiting for packet
    Read ACCT size=119
    validation request from Aristalab-1.router.com
    PACKET: key=password version 192 (0xc0), type 3, seq no 1, flags 0x1
    session_id 1744489531 (0x67facc3b), Data length 107 (0x6b)
    End header
    ACCT, flags=0x4 method=6 priv_lvl=1 type=1 svc=1
    user_len=6 port_len=5 rem_addr_len=0 arg_cnt=6
    User: testuser
    port: ttyS0
    rem_addr:
    arg[0]: size=10 task_id=22
    arg[1]: size=13 service=shell
    arg[2]: size=10 priv-lvl=1
    arg[3]: size=21 start_time=1439828055
    arg[4]: size=12 timezone=UTC
    arg[5]: size=15 cmd=enable
    End packet
    Writing ACCT size=17
    PACKET: key=password version 192 (0xc0), type 3, seq no 2, flags 0x1
    session_id 1744489531 (0x67facc3b), Data length 5 (0x5)
    End header
    ACCT/REPLY status=1 msg_len=0 data_len=0
    msg:
    data:
    End packet
    Aristalab-1.router.com: disconnect
    session request from Aristalab-1.router.com sock=5
    connect from Aristalab-1.router.com [10.15.10.18]
    Waiting for packet
    Read ACCT size=132
    validation request from Aristalab-1.router.com
    PACKET: key=password version 192 (0xc0), type 3, seq no 1, flags 0x1
    session_id 1288212585 (0x4cc89069), Data length 120 (0x78)
    End header
    ACCT, flags=0x4 method=6 priv_lvl=15 type=1 svc=1
    user_len=6 port_len=5 rem_addr_len=0 arg_cnt=6
    User: testuser
    port: ttyS0
    rem_addr:
    arg[0]: size=10 task_id=23
    arg[1]: size=13 service=shell
    arg[2]: size=11 priv-lvl=15
    arg[3]: size=21 start_time=1439828061
    arg[4]: size=12 timezone=UTC
    arg[5]: size=27 cmd=configure terminal
    End packet
    Writing ACCT size=17
    PACKET: key=password version 192 (0xc0), type 3, seq no 2, flags 0x1
    session_id 1288212585 (0x4cc89069), Data length 5 (0x5)
    End header
    ACCT/REPLY status=1 msg_len=0 data_len=0
    msg:
    data:
    End packet
    Aristalab-1.router.com: disconnect

tac_plus.cfg:

    group = snm {
        default service = permit
        service = exec {
            priv-lvl = 15
        }
        after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -fix_crs_bug -u $user -d $name -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini"
    }

do_auth.ini:

    [snm]
    host_allow =
        .*
    device_permit =
        .*
    command_deny =
        configure.*
        show controllers vip.*
    command_permit =
        show ip.*
        show interface.*
        clear counters.*
        clear qos stat.*
        clear mls qos int.*
        disable.*
        enable.*
        end.*
        exit.*
        logout.*
        ping.*
        set length.*
        show.*
        skip-page-display.*
        write network.*
        write terminal.*
        write memory.*
        terminal length.*
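The diagnosis John gives in his reply, quoted in the next message, rests on reading the packet types in these dumps: the Cisco box sends an AUTHOR request for "configure terminal" and receives AUTHOR/FAIL, while the Arista only ever sends ACCT records, so the after-authorization callout is never reached for it. The Python below is an added example for this page, not code from tac_plus or from the thread. It parses debug output of the shape shown above, summarises per NAS how many AUTHEN/AUTHOR/ACCT packets were seen and which commands appeared in each, and flags any device that accounts for commands without ever asking to authorize one. The sample log is constructed from the two dumps above (including a "<cr>" terminator, which the page's copy lost to HTML stripping); the line formats are assumed to match tac_plus debug output only as far as those dumps show. Note that the dumps print "key=", the shared secret, so debug logs of this kind need the same handling as the secret itself.

```python
"""Per-NAS summary of tac_plus debug output.

Added example for this page, not code from tac_plus or the thread. It
reads output shaped like the packet dumps above and flags devices that
send command accounting (ACCT with cmd=) but never an AUTHOR request:
such a device has no command authorization configured, so the
after-authorization callout never runs for it. Line formats are assumed
to match tac_plus debug output only as far as the dumps show.
"""
import re
from collections import defaultdict

CONNECT_RE = re.compile(r'^connect from (\S+) \[([\d.]+)\]')
READ_RE = re.compile(r'^Read (AUTHEN|AUTHOR|ACCT) size=\d+')
CMD_RE = re.compile(r'\bcmd=(.*)$')
CMDARG_RE = re.compile(r'\bcmd-arg=(.*)$')
FAIL_RE = re.compile(r'^Writing AUTHOR/FAIL')

# Constructed sample modelled on the Cisco and Arista dumps in the thread,
# trimmed to the lines the parser uses. key= is the shared secret as
# tac_plus prints it in debug mode, so such logs are sensitive.
SAMPLE_DEBUG = """\
connect from test.router.com [10.11.128.30]
Read ACCT size=137
PACKET: key=password version 192 (0xc0), type 3, seq no 1, flags 0x1
User: testuser port: tty130 rem_addr: 10.12.144.108
arg[5]: size=15 cmd=enable
test.router.com: disconnect
connect from test.router.com [10.11.128.30]
Read AUTHOR size=104
type=AUTHOR, priv_lvl=15, authen=1 method=none svc=0
arg[1]: size=13 cmd=configure
arg[2]: size=16 cmd-arg=terminal
arg[3]: size=12 cmd-arg=<cr>
Writing AUTHOR/FAIL size=18
authorization query for 'testuser' tty130 from test.router.com rejected
test.router.com: disconnect
connect from Aristalab-1.router.com [10.15.10.18]
Read ACCT size=119
arg[5]: size=15 cmd=enable
Aristalab-1.router.com: disconnect
connect from Aristalab-1.router.com [10.15.10.18]
Read ACCT size=132
arg[5]: size=27 cmd=configure terminal
Aristalab-1.router.com: disconnect
"""


def parse_debug(text):
    """Return {nas: {'ip', 'packets': {type: count}, 'commands': {type: [cmd]}, 'author_fail'}}."""
    stats = {}
    nas = ptype = None
    for line in text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            nas = m.group(1)
            stats.setdefault(nas, {'ip': m.group(2), 'packets': defaultdict(int),
                                   'commands': defaultdict(list), 'author_fail': 0})
            ptype = None                   # new session: no packet read yet
            continue
        if nas is None:
            continue                       # noise before the first connect line
        m = READ_RE.match(line)
        if m:
            ptype = m.group(1)
            stats[nas]['packets'][ptype] += 1
            continue
        if ptype is None:
            continue
        m = CMD_RE.search(line)
        if m:                              # cmd= opens a new command in this packet
            stats[nas]['commands'][ptype].append(m.group(1).strip())
            continue
        m = CMDARG_RE.search(line)
        if m:                              # cmd-arg= continues it; <cr> is the terminator
            arg = m.group(1).strip()
            cmds = stats[nas]['commands'][ptype]
            if arg and arg != '<cr>' and cmds:
                cmds[-1] += ' ' + arg
            continue
        if FAIL_RE.match(line):
            stats[nas]['author_fail'] += 1
    return stats


def nas_missing_command_authorization(stats):
    """Devices that account for commands but never ask to authorize one."""
    return sorted(nas for nas, s in stats.items()
                  if s['commands'].get('ACCT') and not s['packets'].get('AUTHOR'))


def report(stats):
    """One summary line per NAS, then a warning per misconfigured device."""
    lines = []
    for nas, s in sorted(stats.items()):
        counts = ' '.join(f'{t}={s["packets"].get(t, 0)}' for t in ('AUTHEN', 'AUTHOR', 'ACCT'))
        lines.append(f'{nas} [{s["ip"]}] {counts} author_fail={s["author_fail"]} '
                     f'acct_cmds={s["commands"].get("ACCT", [])} '
                     f'author_cmds={s["commands"].get("AUTHOR", [])}')
    lines += [f'WARNING: {nas} sends command accounting but no AUTHOR requests; '
              'enable command authorization on the device'
              for nas in nas_missing_command_authorization(stats)]
    return lines


if __name__ == '__main__':
    print('\n'.join(report(parse_debug(SAMPLE_DEBUG))))
```

Run against the constructed sample, the Cisco router shows one AUTHOR request carrying "configure terminal" and one AUTHOR/FAIL, while the Arista shows only ACCT records for "enable" and "configure terminal" and is flagged. Feed it real debug output (tac_plus started with -d and the debug log, or the same text pasted from a session) and any device listed in the warning lines is one where the do_auth callout cannot be the problem, because the device never asks the server to authorize anything.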
From Kevin.Cruse at Instinet.com Mon Aug 17 18:03:04 2015
From: Kevin.Cruse at Instinet.com (Kevin.Cruse at Instinet.com)
Date: Mon, 17 Aug 2015 14:03:04 -0400
Subject: [tac_plus] Cisco Nexus Authorization problem
In-Reply-To:
References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B94B85@mbx030-w1-co-6.exch030.domain.local>
Message-ID:

John,

Here is the configuration from Arista:

Arista1#sh run | i aaa
aaa group server tacacs+ CiscoACS
aaa authentication login default group CiscoACS local
aaa authorization exec default group CiscoACS local
aaa authorization commands all default group CiscoACS local
aaa accounting exec default start-stop group CiscoACS
aaa accounting commands all default start-stop group CiscoACS
no aaa root
Arista1#

Just FYI - I've configured the command "#aaa authorization config-commands" as well; for some reason it does not show up in the configuration. I opened a ticket with Arista and they've confirmed it should still work, which makes sense as I'm seeing the commands sent to tacplus.

Arista1#sh ver
Arista DCS-7124SX-F
Software image version: 4.13.11M

Kevin

From: John Fraizer
To: "Kevin.Cruse at Instinet.com"
Cc: Daniel Schmidt, "tac_plus at shrubbery.net"
Date: 08/17/2015 12:58 PM
Subject: Re: [tac_plus] Cisco Nexus Authorization problem

What version of EOS are you running on your Arista device(s)? Take a look at the "tab completion" available for "aaa authorization". Also, if you can provide the output of "show run | i aaa", it will be easier to help you. Initially, it looks as if your Arista devices are not configured to authorize commands. Note that the packet dump shows "ACCT" type for "enable" and "configure terminal" vs. "AUTHOR".

--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/

On Mon, Aug 17, 2015 at 12:21 PM, wrote:

I am having a strange issue where Cisco devices are being authorized by do_auth properly; however, Arista devices are not. The Arista device is sending the command to tacplus but the daemon does not send the command to do_auth. I can confirm this since there is no update to the do_auth log when sending commands from Arista. Any ideas? Everything seems to be working fine except Arista; this is my last hurdle!

CISCO

connect from test.router.com [10.11.128.30]
Waiting for packet
Read ACCT size=137
validation request from test.router.com
PACKET: key=password
version 192 (0xc0), type 3, seq no 1, flags 0x1
session_id 677254324 (0x285e14b4), Data length 125 (0x7d)
End header
ACCT, flags=0x4 method=6 priv_lvl=1 type=1 svc=1
user_len=6 port_len=6 rem_addr_len=14 arg_cnt=6
User: testuser
port: tty130
rem_addr: 10.12.144.108
arg[0]: size=13 task_id=41325
arg[1]: size=12 timezone=EDT
arg[2]: size=13 service=shell
arg[3]: size=21 start_time=1439827839
arg[4]: size=10 priv-lvl=0
arg[5]: size=15 cmd=enable
End packet
Writing ACCT size=17
PACKET: key=password
version 192 (0xc0), type 3, seq no 2, flags 0x1
session_id 677254324 (0x285e14b4), Data length 5 (0x5)
End header
ACCT/REPLY status=1 msg_len=0 data_len=0
msg:
data:
End packet
test.router.com: disconnect
session request from test.router.com sock=5
connect from test.router.com [10.11.128.30]
Waiting for packet
Read AUTHOR size=104
validation request from test.router.com
PACKET: key=password
version 192 (0xc0), type 2, seq no 1, flags 0x1
session_id 4255328848 (0xfda32a50), Data length 92 (0x5c)
End header
type=AUTHOR, priv_lvl=15, authen=1
method=none svc=0
user_len=6 port_len=6 rem_addr_len=14 arg_cnt=4
User: testuser
port: tty130
rem_addr: 10.12.144.108
arg[0]: size=13 service=shell
arg[1]: size=13 cmd=configure
arg[2]: size=16 cmd-arg=terminal
arg[3]: size=12 cmd-arg=
End packet
Writing AUTHOR/FAIL size=18
PACKET: key=password
version 192 (0xc0), type 2, seq no 2, flags 0x1
session_id 4255328848 (0xfda32a50), Data length 6 (0x6)
End header
type=AUTHOR/REPLY status=16 (AUTHOR/FAIL) msg_len=0, data_len=0 arg_cnt=0
msg:
data:
End packet
authorization query for 'testuser' tty130 from test.router.com rejected
test.router.com: disconnect

ARISTA

connect from Aristalab-1.router.com [10.15.10.18]
Waiting for packet
Read ACCT size=119
validation request from Aristalab-1.router.com
PACKET: key=password
version 192 (0xc0), type 3, seq no 1, flags 0x1
session_id 1744489531 (0x67facc3b), Data length 107 (0x6b)
End header
ACCT, flags=0x4 method=6 priv_lvl=1 type=1 svc=1
user_len=6 port_len=5 rem_addr_len=0 arg_cnt=6
User: testuser
port: ttyS0
rem_addr:
arg[0]: size=10 task_id=22
arg[1]: size=13 service=shell
arg[2]: size=10 priv-lvl=1
arg[3]: size=21 start_time=1439828055
arg[4]: size=12 timezone=UTC
arg[5]: size=15 cmd=enable
End packet
Writing ACCT size=17
PACKET: key=password
version 192 (0xc0), type 3, seq no 2, flags 0x1
session_id 1744489531 (0x67facc3b), Data length 5 (0x5)
End header
ACCT/REPLY status=1 msg_len=0 data_len=0
msg:
data:
End packet
Aristalab-1.router.com: disconnect
session request from Aristalab-1.router.com sock=5
connect from Aristalab-1.router.com [10.15.10.18]
Waiting for packet
Read ACCT size=132
validation request from Aristalab-1.router.com
PACKET: key=password
version 192 (0xc0), type 3, seq no 1, flags 0x1
session_id 1288212585 (0x4cc89069), Data length 120 (0x78)
End header
ACCT, flags=0x4 method=6 priv_lvl=15 type=1 svc=1
user_len=6 port_len=5 rem_addr_len=0 arg_cnt=6
User: testuser
port: ttyS0
rem_addr:
arg[0]: size=10 task_id=23
arg[1]: size=13 service=shell
arg[2]: size=11 priv-lvl=15
arg[3]: size=21 start_time=1439828061
arg[4]: size=12 timezone=UTC
arg[5]: size=27 cmd=configure terminal
End packet
Writing ACCT size=17
PACKET: key=password
version 192 (0xc0), type 3, seq no 2, flags 0x1
session_id 1288212585 (0x4cc89069), Data length 5 (0x5)
End header
ACCT/REPLY status=1 msg_len=0 data_len=0
msg:
data:
End packet
Aristalab-1.router.com: disconnect

tac_plus.cfg:

group = snm {
        default service = permit
        service = exec {
        priv-lvl = 15
        }
        after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -fix_crs_bug -u $user -d $name -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini"
}

do_auth.ini:

[snm]
host_allow =
        .*
device_permit =
        .*
command_deny =
        configure.*
        show controllers vip.*
command_permit =
        show ip.*
        show interface.*
        clear counters.*
        clear qos stat.*
        clear mls qos int.*
        disable.*
        enable.*
        end.*
        exit.*
        logout.*
        ping.*
        set length.*
        show.*
        skip-page-display.*
        write network.*
        write terminal.*
        write memory.*
        terminal length.*

From: John Fraizer
To: "Kevin.Cruse at Instinet.com"
Cc: Daniel Schmidt, "tac_plus at shrubbery.net"
Date: 08/07/2015 12:54 PM
Subject: Re: [tac_plus] Cisco Nexus Authorization problem

Here is one problem:

cmd exit does not exist, denied by default

It looks like you've got default service = deny in your tac_plus.conf. To use do_auth, you need default service = permit.

Your after auth line doesn't look right either.

/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini

You're not giving it the device address or the address of the user attempting to auth. Try changing the after authorization line in tac_plus.conf to:

after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -u $user -d $name -l /tmp/do_auth.log -f /usr/local/sbin/tacplus/do_auth.ini"

Note that this will create a do_auth specific log in /tmp/do_auth.log but, right now - we'll need that for debugging purposes. Also remember, you'll need to restart tac_plus for this change to take effect.

Here is an example tac_plus group that I know to work properly with do_auth.py on CatOS, IOS, IOS-XR, NX-OS, EOS and JUNOS:

group = doauthaccess {
        default service = permit
        service = exec {
                priv-lvl = 1
                optional idletime = 30
                optional acl = 2
                shell:roles="\"network-operator vdc-operator\""
                }
        service = junos-exec {
                bug-fix = "first pair is lost"
                local-user-name = "remote"
                allow-commands = "(.*exit)|(show cli auth.*)"
                deny-commands = ".*"
                allow-configuration = ""
                deny-configuration = ""
                }
        after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -u $user -d $name -l /tmp/do_auth.log -f /usr/local/sbin/tacplus/do_auth.ini"
}

One more thing... Looking at your do_auth.ini, you seem to have a space between the commands and ".*" which should not be there. For example:

exit .*

...should be:

exit.*

I posted a complete working tac_plus.conf and do_auth.ini along with the AAA config I use on devices the other day. Take a look at that post as well.

--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/

On Fri, Aug 7, 2015 at 5:16 AM, wrote:

I will try upgrading to 4.14.5F and see what happens! Thanks.

Wondering if you are familiar with this error in do_auth execution; I am permitting exit in do_auth.ini. Seems to be some issue with the do_auth script:

Reading config
Version F4.0.4.28 Initialized 1
tac_plus server F4.0.4.28 starting
socket FD 4 AF 2
uid=0 euid=0 gid=0 egid=0 s=23660848
connect from router1 [172.28.10.124]
Start authorization request
do_author: user='testuser'
user 'testuser' found
authorize_cmd: user=testuser, cmd=exit
cmd exit does not exist, denied by default
After authorization call: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
substitute: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
Dollar substitution: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u testuser -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
pid 24672 child exited status 1
cmd /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini returns 1 (unconditional deny)
authorization query for 'testuser' tty130 from router1 rejected
connect from router1 [1.1.1.1]

do_auth.ini:

[users]
testuser =
        snm
[snm]
command_deny =
        configure .*
        show controllers vip .*
command_permit =
        show ip .*
        show interface .*
        clear counters .*
        clear qos stat .*
        clear mls qos int .*
        disable .*
        enable .*
        end .*
        exit .*
        logout .*
        ping .*
        set length .*
        show .*
        skip-page-display .*
        write network .*
        write terminal .*
        write memory .*

From: John Fraizer
To: "Kevin.Cruse at Instinet.com"
Cc: Daniel Schmidt, "tac_plus at shrubbery.net"
Date: 08/06/2015 06:54 PM
Subject: Re: [tac_plus] Cisco Nexus Authorization problem

I'm not sure when this command became available in EOS but, at least in 4.14.5F, you will get what you want with:

aaa authorization commands all default group tacacs+ none

--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/

On Thu, Aug 6, 2015 at 1:58 PM, wrote:

Tried that! Arista only takes this command with no arguments:

aaa authorization config-commands

It still didn't work. FYI - I just tried the same config with a Cisco router and it works perfectly, running 4.13.11M of EOS.

From: Daniel Schmidt
To: Kevin.Cruse at instinet.com
Cc: Aaron Wasserott, "tac_plus at shrubbery.net"
Date: 08/06/2015 04:09 PM
Subject: Re: [tac_plus] Cisco Nexus Authorization problem

This part of the email looks interesting:

But if you want them in conf t mode but restrict their commands at that level, you need to enable something like this:

aaa authorization config-commands default group myTacacsGroup local
From Kevin.Cruse at Instinet.com Mon Aug 17 19:14:02 2015
From: Kevin.Cruse at Instinet.com (Kevin.Cruse at Instinet.com)
Date: Mon, 17 Aug 2015 15:14:02 -0400
Subject: [tac_plus] Cisco Nexus Authorization problem
In-Reply-To:
References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B94B85@mbx030-w1-co-6.exch030.domain.local>
Message-ID:

I was connecting to the console, which does not have authorization enabled. It's working now. Thanks for your help!

From: John Fraizer
To: "Kevin.Cruse at Instinet.com"
Cc: Daniel Schmidt, "tac_plus at shrubbery.net"
Date: 08/17/2015 02:23 PM
Subject: Re: [tac_plus] Cisco Nexus Authorization problem

Kevin,

I'm not using defined tacacs+ groups in our configuration so, that is a variable that could be triggering a bug in AAA authorization but, your config is very similar to what we're using:

!
tacacs-server key 7
tacacs-server host x.x.x.a
tacacs-server host x.x.x.b
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands all default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting commands all default stop-only group tacacs+
!

Please note though that based on what you sent in your original email, your EOS device is not sending AUTH requests for commands. I only see ACCT records being sent:

Here is the AUTH request coming from your Cisco:

session request from test.router.com sock=5
connect from test.router.com [10.11.128.30]
Waiting for packet
Read AUTHOR size=104
validation request from test.router.com
PACKET: key=password
version 192 (0xc0), type 2, seq no 1, flags 0x1
session_id 4255328848 (0xfda32a50), Data length 92 (0x5c)
End header
type=AUTHOR, priv_lvl=15, authen=1
method=none svc=0
user_len=6 port_len=6 rem_addr_len=14 arg_cnt=4
User: testuser
port: tty130
rem_addr: 10.12.144.108
arg[0]: size=13 service=shell
arg[1]: size=13 cmd=configure
arg[2]: size=16 cmd-arg=terminal
arg[3]: size=12 cmd-arg=
End packet
Writing AUTHOR/FAIL size=18
PACKET: key=password
version 192 (0xc0), type 2, seq no 2, flags 0x1
session_id 4255328848 (0xfda32a50), Data length 6 (0x6)
End header
type=AUTHOR/REPLY status=16 (AUTHOR/FAIL) msg_len=0, data_len=0 arg_cnt=0
msg:
data:
End packet
authorization query for 'testuser' tty130 from test.router.com rejected
test.router.com: disconnect

...vs the ACCT record being sent by the EOS device(s):

session request from Aristalab-1.router.com sock=5
connect from Aristalab-1.router.com [10.15.10.18]
Waiting for packet
Read ACCT size=132
validation request from Aristalab-1.router.com
PACKET: key=password
version 192 (0xc0), type 3, seq no 1, flags 0x1
session_id 1288212585 (0x4cc89069), Data length 120 (0x78)
End header
ACCT, flags=0x4 method=6 priv_lvl=15 type=1 svc=1
user_len=6 port_len=5 rem_addr_len=0 arg_cnt=6
User: testuser
port: ttyS0
rem_addr:
arg[0]: size=10 task_id=23
arg[1]: size=13 service=shell
arg[2]: size=11 priv-lvl=15
arg[3]: size=21 start_time=1439828061
arg[4]: size=12 timezone=UTC
arg[5]: size=27 cmd=configure terminal
End packet
Writing ACCT size=17
PACKET: key=password
version 192 (0xc0), type 3, seq no 2, flags 0x1
session_id 1288212585 (0x4cc89069), Data length 5 (0x5)
End header
ACCT/REPLY status=1 msg_len=0 data_len=0
msg:
data:
End packet
Aristalab-1.router.com: disconnect

So, in effect, where the Cisco device is asking permission to execute the command, the EOS device is simply informing the TACACS+ server that the command was executed. It's a matter of ACCOUNT vs AUTHORIZE.

You might want to update your ticket with Arista to include that information. You may also want to try enumerating your TACACS+ servers the way I have vs. using an AAA group just to rule that variable out as the vector that is triggering a bug. I understand that if you've got a large EOS deployment, it is non-trivial to push AAA config changes to them all but, trust me - it can be done. I've got a fleet > 2000 EOS devices and I just updated their AAA config a few weeks ago.

The safest way to do it would be as follows:

(1) Enumerate the TACACS+ servers outside of the group:

!
tacacs-server key 7
tacacs-server host x.x.x.a
tacacs-server host x.x.x.b
!

Then, update your aaa auth commands as follows:

!
aaa authorization exec default group tacacs+ local
aaa authorization commands all default group tacacs+ none
!

Please let me know if this helps and also update me if Arista identifies a bug. That's information I'd like to have in our "tribal knowledge" store.
-- John Fraizer LinkedIn profile: http://www.linkedin.com/in/johnfraizer/ On Mon, Aug 17, 2015 at 2:03 PM, wrote: John, Here is the configuration from arista: Arista1#sh run | i aaa aaa group server tacacs+ CiscoACS aaa authentication login default group CiscoACS local aaa authorization exec default group CiscoACS local aaa authorization commands all default group CiscoACS local aaa accounting exec default start-stop group CiscoACS aaa accounting commands all default start-stop group CiscoACS no aaa root Arista1# Just fyi - I've configured the command "#aaa authorization config-commands" as well, for some reason it does not show up in configuration. I opened a ticket with arista and they've confirmed it should still work which makes sense as i'm seeing the commands sent to tacplus. Arista1#sh ver Arista DCS-7124SX-F Software image version: 4.13.11M Kevin Inactive hide details for John Fraizer ---08/17/2015 12:58:52 PM---What version of EOS are you running on your Arista device(s)John Fraizer ---08/17/2015 12:58:52 PM---What version of EOS are you running on your Arista device(s)? Take a look at the "tab completion" av From: John Fraizer To: "Kevin.Cruse at Instinet.com" , Cc: Daniel Schmidt , "tac_plus at shrubbery.net" < tac_plus at shrubbery.net> Date: 08/17/2015 12:58 PM Subject: Re: [tac_plus] Cisco Nexus Authorization problem What version of EOS are you running on your Arista device(s)? Take a look at the "tab completion" available for "aaa authorization". Also, if you can provide the output of "show run | i aaa", it will be easier to help you. Initially, it looks as if your Arista devices are not configure to authorize commands.? Note that the packet dump shows "ACCT" type for "enable" and "configure terminal" vs. "AUTHOR". -- John Fraizer LinkedIn profile: http://www.linkedin.com/in/johnfraizer/ On Mon, Aug 17, 2015 at 12:21 PM, wrote: I am having a strange issue where cisco devices are being authorized by do_auth properly, however, arista devices are not. 
The arista device is sending command to tacplus but daemont does not send command to do_auth. I can confirm since there is no update to do_auth log when sending commands from arista. any ideas? Everything seems to be working fine except arista, this is my last hurdle! CISCO connect from test.router.com?[10.11.128.30] Waiting for packet Read ACCT size=137 validation request from test.router.com PACKET: key=password version 192 (0xc0), type 3, seq no 1, flags 0x1 session_id 677254324 (0x285e14b4), Data length 125 (0x7d) End header ACCT, flags=0x4 method=6 priv_lvl=1 type=1 svc=1 user_len=6 port_len=6 rem_addr_len=14 arg_cnt=6 User: testuser port: tty130 rem_addr: 10.12.144.108 arg[0]: size=13 task_id=41325 arg[1]: size=12 timezone=EDT arg[2]: size=13 service=shell arg[3]: size=21 start_time=1439827839 arg[4]: size=10 priv-lvl=0 arg[5]: size=15 cmd=enable End packet Writing ACCT size=17 PACKET: key=password version 192 (0xc0), type 3, seq no 2, flags 0x1 session_id 677254324 (0x285e14b4), Data length 5 (0x5) End header ACCT/REPLY status=1 msg_len=0 data_len=0 msg: data: End packet test.router.com: disconnect session request from test.router.com?sock=5 connect from test.router.com?[10.11.128.30] Waiting for packet Read AUTHOR size=104 validation request from test.router.com PACKET: key=password version 192 (0xc0), type 2, seq no 1, flags 0x1 session_id 4255328848?(0xfda32a50), Data length 92 (0x5c) End header type=AUTHOR, priv_lvl=15, authen=1 method=none svc=0 user_len=6 port_len=6 rem_addr_len=14 arg_cnt=4 User: testuser port: tty130 rem_addr: 10.12.144.108 arg[0]: size=13 service=shell arg[1]: size=13 cmd=configure arg[2]: size=16 cmd-arg=terminal arg[3]: size=12 cmd-arg= End packet Writing AUTHOR/FAIL size=18 PACKET: key=password version 192 (0xc0), type 2, seq no 2, flags 0x1 session_id 4255328848?(0xfda32a50), Data length 6 (0x6) End header type=AUTHOR/REPLY status=16 (AUTHOR/FAIL) msg_len=0, data_len=0 arg_cnt=0 msg: data: End packet authorization query for 
'testuser' tty130 from test.router.com rejected test.router.com: disconnect ARISTA connect from Aristalab-1.router.com?[10.15.10.18] Waiting for packet Read ACCT size=119 validation request from Aristalab-1.router.com PACKET: key=password version 192 (0xc0), type 3, seq no 1, flags 0x1 session_id 1744489531 (0x67facc3b), Data length 107 (0x6b) End header ACCT, flags=0x4 method=6 priv_lvl=1 type=1 svc=1 user_len=6 port_len=5 rem_addr_len=0 arg_cnt=6 User: testuser port: ttyS0 rem_addr: arg[0]: size=10 task_id=22 arg[1]: size=13 service=shell arg[2]: size=10 priv-lvl=1 arg[3]: size=21 start_time=1439828055 arg[4]: size=12 timezone=UTC arg[5]: size=15 cmd=enable End packet Writing ACCT size=17 PACKET: key=password version 192 (0xc0), type 3, seq no 2, flags 0x1 session_id 1744489531 (0x67facc3b), Data length 5 (0x5) End header ACCT/REPLY status=1 msg_len=0 data_len=0 msg: data: End packet Aristalab-1.router.com: disconnect session request from Aristalab-1.router.com?sock=5 connect from Aristalab-1.router.com?[10.15.10.18] Waiting for packet Read ACCT size=132 validation request from Aristalab-1.router.com PACKET: key=password version 192 (0xc0), type 3, seq no 1, flags 0x1 session_id 1288212585 (0x4cc89069), Data length 120 (0x78) End header ACCT, flags=0x4 method=6 priv_lvl=15 type=1 svc=1 user_len=6 port_len=5 rem_addr_len=0 arg_cnt=6 User: testuser port: ttyS0 rem_addr: arg[0]: size=10 task_id=23 arg[1]: size=13 service=shell arg[2]: size=11 priv-lvl=15 arg[3]: size=21 start_time=1439828061 arg[4]: size=12 timezone=UTC arg[5]: size=27 cmd=configure terminal End packet Writing ACCT size=17 PACKET: key=password version 192 (0xc0), type 3, seq no 2, flags 0x1 session_id 1288212585 (0x4cc89069), Data length 5 (0x5) End header ACCT/REPLY status=1 msg_len=0 data_len=0 msg: data: End packet Aristalab-1.router.com: disconnect tac_plus.cfg: ?group = snm { ? ? ? ? default service = permit ? ? ? ? service = exec { ? ? ? ? priv-lvl = 15 ? ? ? ? } ? ? ? ? 
after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -fix_crs_bug -u $user -d $name -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini" ?} do_auth.ini: [snm] host_allow = ? ? ? ? .* device_permit = ? ? ? ? .* command_deny = ? ? ? ? configure.* ? ? ? ? show controllers vip.* command_permit = ? ? ? ? show ip.* ? ? ? ? show interface.* ? ? ? ? clear counters.* ? ? ? ? clear qos stat.* ? ? ? ? clear mls qos int.* ? ? ? ? disable.* ? ? ? ? enable.* ? ? ? ? end.* ? ? ? ? exit.* ? ? ? ? logout.* ? ? ? ? ping.* ? ? ? ? set length.* ? ? ? ? show.* ? ? ? ? skip-page-display.* ? ? ? ? write network.* ? ? ? ? write terminal.* ? ? ? ? write memory.* ? ? ? ? terminal length.* Inactive hide details for John Fraizer ---08/07/2015 12:54:36 PM---Here is one problem: *cmd exit does not exist, denied by def John Fraizer ---08/07/2015 12:54:36 PM---Here is one problem: *cmd exit does not exist, denied by default* From: John Fraizer To: "Kevin.Cruse at Instinet.com" , Cc: Daniel Schmidt , " tac_plus at shrubbery.net" Date: 08/07/2015 12:54 PM Subject: Re: [tac_plus] Cisco Nexus Authorization problem Here is one problem: cmd exit does not exist, denied by default It looks like you've got default service = deny in your tac_plus.conf.? To use do_auth, you need default service = permit. Your after auth line doesn't look right either. /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini You're not giving it the device address or the address of the user attempting to auth.? Try changing the after authorization line in tac_plus.conf to: after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -u $user -d $name -l /tmp/do_auth.log -f /usr/local/sbin/tacplus/do_auth.ini" Note that this will create a do_auth specific log in /tmp/do_auth.log but, right now - we'll need that for debugging purposes. 
Also remember, you'll need to restart tac_plus for this change to take effect.

Here is an example tac_plus group that I know to work properly with do_auth.py on CatOS, IOS, IOS-XR, NX-OS, EOS and JUNOS:

group = doauthaccess {
        default service = permit
        service = exec {
                priv-lvl = 1
                optional idletime = 30
                optional acl = 2
                shell:roles="\"network-operator vdc-operator\""
                }
        service = junos-exec {
                bug-fix = "first pair is lost"
                local-user-name = "remote"
                allow-commands = "(.*exit)|(show cli auth.*)"
                deny-commands = ".*"
                allow-configuration = ""
                deny-configuration = ""
                }
        after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -u $user -d $name -l /tmp/do_auth.log -f /usr/local/sbin/tacplus/do_auth.ini"
}

One more thing... Looking at your do_auth.ini, you seem to have a space between the commands and ".*" which should not be there. For example:

exit .*

...should be:

exit.*

I posted a complete working tac_plus.conf and do_auth.ini along with the AAA config I use on devices the other day. Take a look at that post as well.

--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/

On Fri, Aug 7, 2015 at 5:16 AM, wrote:

I will try upgrading to 4.14.5F and see what happens! thanks

wondering if you are familiar with this error in do_auth execution, I am permitting exit in do_auth.ini.
seems to be some issue with do_auth script:

Reading config
Version F4.0.4.28 Initialized 1
tac_plus server F4.0.4.28 starting
socket FD 4 AF 2
uid=0 euid=0 gid=0 egid=0 s=23660848
connect from router1 [172.28.10.124]
Start authorization request
do_author: user='testuser'
user 'testuser' found
authorize_cmd: user=testuser, cmd=exit
cmd exit does not exist, denied by default
After authorization call: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
substitute: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
Dollar substitution: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u testuser -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
pid 24672 child exited status 1
cmd /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini returns 1 (unconditional deny)
authorization query for 'testuser' tty130 from router1 rejected
connect from router1 [1.1.1.1]

do_auth.ini:

[users]
testuser =
        snm

[snm]
command_deny =
        configure .*
        show controllers vip .*
command_permit =
        show ip .*
        show interface .*
        clear counters .*
        clear qos stat .*
        clear mls qos int .*
        disable .*
        enable .*
        end .*
        exit .*
        logout .*
        ping .*
        set length .*
        show .*
        skip-page-display .*
        write network .*
        write terminal .*
        write memory .*

From: John Fraizer
To: "Kevin.Cruse at Instinet.com"
Cc: Daniel Schmidt, "tac_plus at shrubbery.net"
Date: 08/06/2015 06:54 PM
Subject: Re: [tac_plus] Cisco Nexus Authorization problem

I'm not sure when this command became available in EOS but, at least in 4.14.5F, you will get what you want with:

aaa authorization commands all default group tacacs+ none

--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/

On Thu, Aug 6, 2015 at 1:58 PM, wrote:

Tried that! Arista only takes this command with no arguments:

aaa authorization config-commands

It still didn't work. FYI - I just tried the same config with a Cisco router and it works perfectly, running 4.13.11M of EOS.

From: Daniel Schmidt
To: Kevin.Cruse at instinet.com
Cc: Aaron Wasserott, "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
Date: 08/06/2015 04:09 PM
Subject: Re: [tac_plus] Cisco Nexus Authorization problem

This part of the email looks interesting:

But if you want them in conf t mode but restrict their commands at that level, you need to enable something like this:

aaa authorization config-commands default group myTacacsGroup local

=========================================================================================================
<<<< Disclaimer >>>>
This message is intended solely for use by the named addressee(s). If you receive this transmission in error, please immediately notify the sender and destroy this message in its entirety, whether in electronic or hard copy format. Any unauthorized use (and reliance thereon), copying, disclosure, retention, or distribution of this transmission or the material in this transmission is forbidden.
We reserve the right to monitor and archive electronic communications. This material does not constitute an offer or solicitation with respect to the purchase or sale of any security. It should not be construed to contain any recommendation regarding any security or strategy. Any views expressed are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. This communication is provided on an "as is" basis. It contains material that is owned by Instinet Incorporated, its subsidiaries or its or their licensors, and may not, in whole or in part, be (i) copied, photocopied or duplicated in any form, by any means, or (ii) redistributed, posted, published, excerpted, or quoted without Instinet Incorporated's prior written consent. Please access the following link for important information and instructions: http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt Securities products and services are provided by locally registered brokerage subsidiaries of Instinet Incorporated: Instinet Australia Pty Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the Australian Securities & Investments Commission; Instinet Canada Limited, member IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by the Securities and Futures Commission of Hong Kong; Instinet Singapore Services Private Limited, regulated by the Monetary Authority of Singapore, trading member of The Singapore Exchange Securities Trading Private Limited and clearing member of The Central Depository (Pte) Limited; and Instinet, LLC, member SIPC.
=========================================================================================================
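An added example, not code from the thread, from tac_plus or from do_auth.py: a small parser for tac_plus debug output of the kind quoted above, which reports per device the shell commands that arrive only as ACCT (type 3) accounting records and never as AUTHOR (type 2) requests, the condition the EOS device is in here. The sample log is constructed and condensed from the packet dumps in the thread, and the regexes assume the line layout of that output.

```python
# Added example (not from the thread, not part of tac_plus or do_auth.py):
# parse "tac_plus -d" debug output like the dumps quoted in this thread and
# report, per NAS, shell commands that only ever appear in ACCT (type 3)
# records and never in an AUTHOR (type 2) request, so do_auth never saw them.
import re
from collections import defaultdict

TAC_PLUS_AUTHOR = 2  # TACACS+ packet type: authorization
TAC_PLUS_ACCT = 3    # TACACS+ packet type: accounting

CONNECT_RE = re.compile(r"^connect from (\S+) \[([\d.]+)\]")
PACKET_RE = re.compile(r"^PACKET: .*\btype (\d+), seq no (\d+)")
ARG_RE = re.compile(r"^arg\[\d+\]: size=\d+ ([^=\s]+)=(.*)$")


def parse_tac_plus_debug(text):
    """Return one dict per PACKET header: nas, type, seq and (key, value) args."""
    packets, nas, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CONNECT_RE.match(line)
        if m:  # "connect from <nas> [<ip>]" opens a new session
            nas = m.group(1)
            continue
        m = PACKET_RE.match(line)
        if m:
            current = {"nas": nas, "type": int(m.group(1)),
                       "seq": int(m.group(2)), "args": []}
            packets.append(current)
            continue
        m = ARG_RE.match(line)
        if m and current is not None:
            current["args"].append((m.group(1), m.group(2).strip()))
    return packets


def command_of(packet):
    """Rebuild the shell command from the cmd / cmd-arg AV pairs, or None."""
    cmd, cmd_args = None, []
    for key, value in packet["args"]:
        if key == "cmd":
            cmd = value
        # AUTHOR requests split "configure terminal" into cmd + cmd-arg pairs;
        # IOS ends the list with cmd-arg=<cr>, which is not part of the command.
        elif key == "cmd-arg" and value and value != "<cr>":
            cmd_args.append(value)
    return None if cmd is None else " ".join([cmd] + cmd_args)


def find_unauthorized_command_sources(packets, ignore=frozenset({"enable"})):
    """Map NAS -> sorted commands seen in ACCT requests but never in AUTHOR.

    Only seq no 1 packets (sent by the NAS) carry a command. "enable" is
    ignored by default: the Cisco dump in the thread reports it through
    accounting only too (IOS authenticates enable; it does not authorize it).
    """
    authored, accounted = defaultdict(set), defaultdict(set)
    for p in packets:
        cmd = command_of(p)
        if p["seq"] != 1 or cmd is None:
            continue
        if p["type"] == TAC_PLUS_AUTHOR:
            authored[p["nas"]].add(cmd)
        elif p["type"] == TAC_PLUS_ACCT:
            accounted[p["nas"]].add(cmd)
    flagged = {}
    for nas, cmds in accounted.items():
        missing = cmds - authored[nas] - set(ignore)
        if missing:
            flagged[nas] = sorted(missing)
    return flagged


# Constructed sample, condensed from the debug output quoted in the thread.
SAMPLE_LOG = """\
connect from test.router.com [10.11.128.30]
PACKET: key=password version 192 (0xc0), type 3, seq no 1, flags 0x1
arg[2]: size=13 service=shell
arg[5]: size=15 cmd=enable
PACKET: key=password version 192 (0xc0), type 3, seq no 2, flags 0x1
connect from test.router.com [10.11.128.30]
PACKET: key=password version 192 (0xc0), type 2, seq no 1, flags 0x1
type=AUTHOR, priv_lvl=15, authen=1
arg[0]: size=13 service=shell
arg[1]: size=13 cmd=configure
arg[2]: size=16 cmd-arg=terminal
arg[3]: size=12 cmd-arg=<cr>
PACKET: key=password version 192 (0xc0), type 2, seq no 2, flags 0x1
connect from Aristalab-1.router.com [10.15.10.18]
PACKET: key=password version 192 (0xc0), type 3, seq no 1, flags 0x1
arg[1]: size=13 service=shell
arg[5]: size=15 cmd=enable
PACKET: key=password version 192 (0xc0), type 3, seq no 2, flags 0x1
PACKET: key=password version 192 (0xc0), type 3, seq no 1, flags 0x1
arg[1]: size=13 service=shell
arg[5]: size=27 cmd=configure terminal
PACKET: key=password version 192 (0xc0), type 3, seq no 2, flags 0x1
"""
```

Running find_unauthorized_command_sources(parse_tac_plus_debug(SAMPLE_LOG)) flags only the EOS device for "configure terminal", which is the AUTHOR-vs-ACCT gap the thread diagnoses.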
From Kevin.Cruse at Instinet.com Mon Aug 17 20:52:24 2015
From: Kevin.Cruse at Instinet.com (Kevin.Cruse at Instinet.com)
Date: Mon, 17 Aug 2015 16:52:24 -0400
Subject: [tac_plus] Cisco Nexus Authorization problem
In-Reply-To:
References:
Message-ID:

Yes - we do the same in our production environment. I was working within lab and had different config. Thanks again for your help.
From: John Fraizer
To: "Kevin.Cruse at Instinet.com"
Cc: Daniel Schmidt, "tac_plus at shrubbery.net"
Date: 08/17/2015 04:46 PM
Subject: Re: [tac_plus] Cisco Nexus Authorization problem

Ahhh... That makes sense.

As a matter of personal opinion, I always enable exec and command auth on the console with fallback to "none" on our production equipment. That way, as long as the TACACS+ infrastructure is available, the policy I set in do_auth.ini is enforced. If TACACS+ isn't available, we log in as a defined "local" user and enable manually. It keeps honest people honest. ;-)

The EOS AAA config I sent you is from my lab which doesn't have console auth enabled for various reasons. [ I'm on vacation and didn't feel like jumping through all VPN + 2FA hoops necessary to log into one of the production EOS devices. ;-) ]

Glad it's working for you now and it wasn't a bug!

--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/

On Mon, Aug 17, 2015 at 3:14 PM, wrote:

I was connecting to console which does not have authorization enabled. It's working now. Thanks for your help!

From: John Fraizer
To: "Kevin.Cruse at Instinet.com"
Cc: Daniel Schmidt, "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
Date: 08/17/2015 02:23 PM
Subject: Re: [tac_plus] Cisco Nexus Authorization problem

Kevin,

I'm not using defined tacacs+ groups in our configuration so, that is a variable that could be triggering a bug in AAA authorization but, your config is very similar to what we're using:

!
tacacs-server key 7
tacacs-server host x.x.x.a
tacacs-server host x.x.x.b
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands all default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting commands all default stop-only group tacacs+
!

Please note though that based on what you sent in your original email, your EOS device is not sending AUTH requests for commands. I only see ACCT records being sent:

Here is the AUTH request coming from your Cisco:

session request from test.router.com sock=5
connect from test.router.com [10.11.128.30]
Waiting for packet
Read AUTHOR size=104
validation request from test.router.com
PACKET: key=password version 192 (0xc0), type 2, seq no 1, flags 0x1
session_id 4255328848 (0xfda32a50), Data length 92 (0x5c)
End header
type=AUTHOR, priv_lvl=15, authen=1
method=none svc=0 user_len=6 port_len=6 rem_addr_len=14 arg_cnt=4
User: testuser
port: tty130
rem_addr: 10.12.144.108
arg[0]: size=13 service=shell
arg[1]: size=13 cmd=configure
arg[2]: size=16 cmd-arg=terminal
arg[3]: size=12 cmd-arg=
End packet
Writing AUTHOR/FAIL size=18
PACKET: key=password version 192 (0xc0), type 2, seq no 2, flags 0x1
session_id 4255328848 (0xfda32a50), Data length 6 (0x6)
End header
type=AUTHOR/REPLY status=16 (AUTHOR/FAIL) msg_len=0, data_len=0 arg_cnt=0
msg:
data:
End packet
authorization query for 'testuser' tty130 from test.router.com rejected
test.router.com: disconnect

...vs the ACCT record being sent by the EOS device(s):

session request from Aristalab-1.router.com sock=5
connect from Aristalab-1.router.com [10.15.10.18]
Waiting for packet
Read ACCT size=132
validation request from Aristalab-1.router.com
PACKET: key=password version 192 (0xc0), type 3, seq no 1, flags 0x1
session_id 1288212585 (0x4cc89069), Data length 120 (0x78)
End header
ACCT, flags=0x4 method=6 priv_lvl=15 type=1 svc=1
user_len=6 port_len=5 rem_addr_len=0 arg_cnt=6
User: testuser
port: ttyS0
rem_addr:
arg[0]: size=10 task_id=23
arg[1]: size=13 service=shell
arg[2]: size=11 priv-lvl=15
arg[3]: size=21 start_time=1439828061
arg[4]: size=12 timezone=UTC
arg[5]: size=27 cmd=configure terminal
End packet
Writing ACCT size=17
PACKET: key=password version 192 (0xc0), type 3, seq no 2, flags 0x1
session_id 1288212585 (0x4cc89069), Data length 5 (0x5)
End header
ACCT/REPLY status=1 msg_len=0 data_len=0
msg:
data:
End packet
Aristalab-1.router.com: disconnect

So, in effect, where the Cisco device is asking permission to execute the command, the EOS device is simply informing the TACACS+ server that the command was executed. It's a matter of ACCOUNT vs AUTHORIZE.

You might want to update your ticket with Arista to include that information. You may also want to try enumerating your TACACS+ servers the way I have vs. using an AAA group just to rule that variable out as the vector that is triggering a bug. I understand that if you've got a large EOS deployment, it is non-trivial to push AAA config changes to them all but, trust me - it can be done. I've got a fleet > 2000 EOS devices and I just updated their AAA config a few weeks ago.

The safest way to do it would be as follows:

(1) Enumerate the TACACS+ servers outside of the group:

!
tacacs-server key 7
tacacs-server host x.x.x.a
tacacs-server host x.x.x.b
!

Then, update your aaa auth commands as follows:

!
aaa authorization exec default group tacacs+ local
aaa authorization commands all default group tacacs+ none
!

Please let me know if this helps and also update me if Arista identifies a bug. That's information I'd like to have in our "tribal knowledge" store.
--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/

On Mon, Aug 17, 2015 at 2:03 PM, wrote:

John,

Here is the configuration from Arista:

Arista1#sh run | i aaa
aaa group server tacacs+ CiscoACS
aaa authentication login default group CiscoACS local
aaa authorization exec default group CiscoACS local
aaa authorization commands all default group CiscoACS local
aaa accounting exec default start-stop group CiscoACS
aaa accounting commands all default start-stop group CiscoACS
no aaa root
Arista1#

Just FYI - I've configured the command "#aaa authorization config-commands" as well; for some reason it does not show up in configuration. I opened a ticket with Arista and they've confirmed it should still work, which makes sense as I'm seeing the commands sent to tacplus.

Arista1#sh ver
Arista DCS-7124SX-F
Software image version: 4.13.11M

Kevin

From: John Fraizer
To: "Kevin.Cruse at Instinet.com"
Cc: Daniel Schmidt, "tac_plus at shrubbery.net"
Date: 08/17/2015 12:58 PM
Subject: Re: [tac_plus] Cisco Nexus Authorization problem

What version of EOS are you running on your Arista device(s)? Take a look at the "tab completion" available for "aaa authorization". Also, if you can provide the output of "show run | i aaa", it will be easier to help you.

Initially, it looks as if your Arista devices are not configured to authorize commands. Note that the packet dump shows "ACCT" type for "enable" and "configure terminal" vs. "AUTHOR".

--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/

On Mon, Aug 17, 2015 at 12:21 PM, wrote:

I am having a strange issue where Cisco devices are being authorized by do_auth properly, however, Arista devices are not.
The Arista device is sending the command to tacplus but the daemon does not send the command to do_auth. I can confirm this since there is no update to the do_auth log when sending commands from the Arista. Any ideas?? Everything seems to be working fine except Arista; this is my last hurdle!

CISCO

connect from test.router.com [10.11.128.30]
Waiting for packet
Read ACCT size=137
validation request from test.router.com
PACKET: key=password version 192 (0xc0), type 3, seq no 1, flags 0x1
session_id 677254324 (0x285e14b4), Data length 125 (0x7d)
End header
ACCT, flags=0x4 method=6 priv_lvl=1 type=1 svc=1
user_len=6 port_len=6 rem_addr_len=14 arg_cnt=6
User: testuser
port: tty130
rem_addr: 10.12.144.108
arg[0]: size=13 task_id=41325
arg[1]: size=12 timezone=EDT
arg[2]: size=13 service=shell
arg[3]: size=21 start_time=1439827839
arg[4]: size=10 priv-lvl=0
arg[5]: size=15 cmd=enable
End packet
Writing ACCT size=17
PACKET: key=password version 192 (0xc0), type 3, seq no 2, flags 0x1
session_id 677254324 (0x285e14b4), Data length 5 (0x5)
End header
ACCT/REPLY status=1 msg_len=0 data_len=0
msg:
data:
End packet
test.router.com: disconnect
session request from test.router.com sock=5
connect from test.router.com [10.11.128.30]
Waiting for packet
Read AUTHOR size=104
validation request from test.router.com
PACKET: key=password version 192 (0xc0), type 2, seq no 1, flags 0x1
session_id 4255328848 (0xfda32a50), Data length 92 (0x5c)
End header
type=AUTHOR, priv_lvl=15, authen=1
method=none svc=0 user_len=6 port_len=6 rem_addr_len=14 arg_cnt=4
User: testuser
port: tty130
rem_addr: 10.12.144.108
arg[0]: size=13 service=shell
arg[1]: size=13 cmd=configure
arg[2]: size=16 cmd-arg=terminal
arg[3]: size=12 cmd-arg=
End packet
Writing AUTHOR/FAIL size=18
PACKET: key=password version 192 (0xc0), type 2, seq no 2, flags 0x1
session_id 4255328848 (0xfda32a50), Data length 6 (0x6)
End header
type=AUTHOR/REPLY status=16 (AUTHOR/FAIL) msg_len=0, data_len=0 arg_cnt=0
msg:
data:
End packet
authorization query for
'testuser' tty130 from test.router.com rejected
test.router.com: disconnect
Any unauthorized use (and reliance thereon), copying, disclosure, retention, or distribution of this transmission or the material in this transmission is forbidden. We reserve the right to monitor and archive electronic communications. This material does not constitute an offer or solicitation with respect to the purchase or sale of any security. It should not be construed to contain any recommendation regarding any security or strategy. Any views expressed are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. This communication is provided on an "as is" basis. It contains material that is owned by Instinet Incorporated, its subsidiaries or its or their licensors, and may not, in whole or in part, be (i) copied, photocopied or duplicated in any form, by any means, or (ii) redistributed, posted, published, excerpted, or quoted without Instinet Incorporated's prior written consent. Please access the following link for important information and instructions: http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt Securities products and services are provided by locally registered brokerage subsidiaries of Instinet Incorporated: Instinet Australia Pty Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the Australian Securities & Investments Commission; Instinet Canada Limited, member IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by the Securities and Futures Commission of Hong Kong; Instinet Singapore Services Private Limited, regulated by the Monetary Authority of Singapore, trading member of The Singapore Exchange Securities Trading Private Limited and clearing member of The Central Depository (Pte) Limited; and Instinet, LLC, member SIPC.
=========================================================================================================
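Added example (editor's note between the two messages, not part of the thread itself): a small Python model of the command matching that Kevin's do_auth.ini above relies on. It is not do_auth.py's own code. It reproduces the point John Fraizer makes in his reply quoted later in the thread: each command is tested against the group's regexes with a start-anchored match, so "exit .*" requires a space after "exit" and can never match the bare command "exit", while "exit.*" does. The evaluation order modelled here (command_deny first, then command_permit, deny when nothing matches), the dictionaries INI_WITH_SPACES and INI_FIXED and the functions authorize() and command_from_avpairs() are the example's own; confirm the order against the do_auth.py version you actually run.

```python
"""Model of do_auth.ini command matching (added example, not do_auth.py code).

Patterns are tested with re.match(), i.e. anchored at the start of the command
only. Evaluation order (deny list, then permit list, default deny) is an
assumption of this model.
"""
import re
from typing import Dict, List, Tuple

# Kevin's patterns as posted, with the space before ".*" that John flagged.
INI_WITH_SPACES: Dict[str, List[str]] = {
    "command_deny": ["configure .*", "show controllers vip .*"],
    "command_permit": ["show ip .*", "exit .*", "show .*", "write memory .*"],
}

# The same lists with the space removed, as John suggested ("exit.*").
INI_FIXED: Dict[str, List[str]] = {
    "command_deny": ["configure.*", "show controllers vip.*"],
    "command_permit": ["show ip.*", "exit.*", "show.*", "write memory.*"],
}


def command_from_avpairs(avpairs: List[str]) -> str:
    """Rebuild the command line from the AV pairs of an AUTHOR request.

    IOS sends cmd=<word> followed by one cmd-arg=<token> per argument and a
    final cmd-arg=<cr>; the <cr> marker (or an empty value) is dropped here.
    Only the mandatory "key=value" form is handled; "key*value" is ignored.
    """
    words = []
    for pair in avpairs:
        key, sep, value = pair.partition("=")
        if sep and key in ("cmd", "cmd-arg") and value not in ("", "<cr>"):
            words.append(value)
    return " ".join(words)


def authorize(cmd: str, group: Dict[str, List[str]]) -> Tuple[bool, str]:
    """Return (permitted, reason) for one command string under a group."""
    for pattern in group["command_deny"]:
        if re.match(pattern, cmd):
            return False, "denied by command_deny %r" % pattern
    for pattern in group["command_permit"]:
        if re.match(pattern, cmd):
            return True, "permitted by command_permit %r" % pattern
    return False, "no pattern matched: denied by default"


if __name__ == "__main__":
    # AV pairs as they appear in the AUTHOR dump posted in this thread.
    author_args = ["service=shell", "cmd=configure", "cmd-arg=terminal", "cmd-arg=<cr>"]
    print(command_from_avpairs(author_args))
    for cmd in ("exit", "write memory", "show ip route", "show controllers vip 1"):
        print("%-24s with spaces: %s" % (cmd, authorize(cmd, INI_WITH_SPACES)))
        print("%-24s fixed:       %s" % (cmd, authorize(cmd, INI_FIXED)))
```

Run it directly to see each command under both pattern sets: "exit" and "write memory" fall through to the default deny with the spaced patterns and are permitted once the space is removed, while "show ip route" passes either way because the command really does have a space after "ip". In this model the deny list is consulted first, so "show controllers vip 1" stays refused even though "show.*" would permit it.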
From john at op-sec.us Mon Aug 17 20:46:05 2015
From: john at op-sec.us (John Fraizer)
Date: Mon, 17 Aug 2015 16:46:05 -0400
Subject: [tac_plus] Cisco Nexus Authorization problem
In-Reply-To:
References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B94B85@mbx030-w1-co-6.exch030.domain.local>
Message-ID:

Ahhh... That makes sense.

As a matter of personal opinion, I always enable exec and command auth on the console with fallback to "none" on our production equipment. That way, as long as the TACACS+ infrastructure is available, the policy I set in do_auth.ini is enforced. If TACACS+ isn't available, we log in as a defined "local" user and enable manually. It keeps honest people honest. ;-)

The EOS AAA config I sent you is from my lab which doesn't have console auth enabled for various reasons. [ I'm on vacation and didn't feel like jumping through all the VPN + 2FA hoops necessary to log into one of the production EOS devices. ;-) ]

Glad it's working for you now and it wasn't a bug!

--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/

On Mon, Aug 17, 2015 at 3:14 PM, wrote:
> I was connecting to console which does not have authorization enabled.
> It's working now. Thanks for your help!
>
> From: John Fraizer
> To: "Kevin.Cruse at Instinet.com" <Kevin.Cruse at instinet.com>,
> Cc: Daniel Schmidt, "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
> Date: 08/17/2015 02:23 PM
> Subject: Re: [tac_plus] Cisco Nexus Authorization problem
>
> Kevin,
>
> I'm not using defined tacacs+ groups in our configuration so, that is a
> variable that could be triggering a bug in AAA authorization but, your
> config is very similar to what we're using:
>
> !
> tacacs-server key 7
> tacacs-server host x.x.x.a
> tacacs-server host x.x.x.b
> !
> aaa authentication login default group tacacs+ local
> aaa authentication enable default group tacacs+ local
> aaa authorization exec default group tacacs+ local
> aaa authorization commands all default group tacacs+ none
> aaa accounting exec default start-stop group tacacs+
> aaa accounting system default start-stop group tacacs+
> aaa accounting commands all default stop-only group tacacs+
> !
>
> Please note though that based on what you sent in your original email,
> your EOS device is not sending AUTH requests for commands. I only see ACCT
> records being sent:
>
> Here is the AUTH request coming from your Cisco:
>
> session request from test.router.com sock=5
> connect from test.router.com [10.11.128.30]
> Waiting for packet
> Read AUTHOR size=104
> validation request from test.router.com
> PACKET: key=password
> version 192 (0xc0), type 2, seq no 1, flags 0x1
> session_id 4255328848 (0xfda32a50), Data length 92 (0x5c)
> End header
> type=AUTHOR, priv_lvl=15, authen=1
> method=none
> svc=0 user_len=6 port_len=6 rem_addr_len=14
> arg_cnt=4
> User:
> testuser
> port:
> tty130
> rem_addr:
> 10.12.144.108
> arg[0]: size=13
> service=shell
> arg[1]: size=13
> cmd=configure
> arg[2]: size=16
> cmd-arg=terminal
> arg[3]: size=12
> cmd-arg=
> End packet
> Writing AUTHOR/FAIL size=18
> PACKET: key=password
> version 192 (0xc0), type 2, seq no 2, flags 0x1
> session_id 4255328848 (0xfda32a50), Data length 6 (0x6)
> End header
> type=AUTHOR/REPLY status=16 (AUTHOR/FAIL)
> msg_len=0, data_len=0 arg_cnt=0
> msg:
> data:
> End packet
> authorization query for 'testuser' tty130 from test.router.com rejected
> test.router.com : disconnect
>
> ...vs the ACCT record being sent by the EOS device(s):
>
> session request from Aristalab-1.router.com sock=5
> connect from Aristalab-1.router.com [10.15.10.18]
> Waiting for packet
> Read ACCT size=132
> validation request from Aristalab-1.router.com
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 1, flags 0x1
> session_id 1288212585 (0x4cc89069), Data length 120 (0x78)
> End header
> ACCT, flags=0x4 method=6 priv_lvl=15
> type=1 svc=1
> user_len=6 port_len=5 rem_addr_len=0
> arg_cnt=6
> User:
> testuser
> port:
> ttyS0
> rem_addr:
> arg[0]: size=10
> task_id=23
> arg[1]: size=13
> service=shell
> arg[2]: size=11
> priv-lvl=15
> arg[3]: size=21
> start_time=1439828061
> arg[4]: size=12
> timezone=UTC
> arg[5]: size=27
> cmd=configure terminal
> End packet
> Writing ACCT size=17
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 2, flags 0x1
> session_id 1288212585 (0x4cc89069), Data length 5 (0x5)
> End header
> ACCT/REPLY status=1
> msg_len=0 data_len=0
> msg:
> data:
> End packet
> Aristalab-1.router.com : disconnect
>
> So, in effect, where the Cisco device is asking permission to execute the
> command, the EOS device is simply informing the TACACS+ server that the
> command was executed. It's a matter of ACCOUNT vs AUTHORIZE.
>
> You might want to update your ticket with Arista to include that
> information. You may also want to try enumerating your TACACS+ servers the
> way I have vs. using a AAA group just to rule that variable out as the
> vector that is triggering a bug. I understand that if you've got a large
> EOS deployment, it is non-trivial to push AAA config changes to them all
> but, trust me - it can be done. I've got a fleet > 2000 EOS devices and I
> just updated their AAA config a few weeks ago.
>
> The safest way to do it would be as follows:
>
> (1) Enumerate the TACACS+ servers outside of the group:
> !
> tacacs-server key 7
> tacacs-server host x.x.x.a
> tacacs-server host x.x.x.b
> !
> Then, update your aaa auth commands as follows:
>
> !
> aaa authorization exec default group tacacs+ local
> aaa authorization commands all default group tacacs+ none
> !
>
> Please let me know if this helps and also update me if Arista identifies a
> bug. That's information I'd like to have in our "tribal knowledge" store.
>
> --
> John Fraizer
> LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
>
> On Mon, Aug 17, 2015 at 2:03 PM, <Kevin.Cruse at instinet.com> wrote:
>
> John,
>
> Here is the configuration from Arista:
>
> Arista1#sh run | i aaa
> aaa group server tacacs+ CiscoACS
> aaa authentication login default group CiscoACS local
> aaa authorization exec default group CiscoACS local
> aaa authorization commands all default group CiscoACS local
> aaa accounting exec default start-stop group CiscoACS
> aaa accounting commands all default start-stop group CiscoACS
> no aaa root
> Arista1#
>
> Just FYI - I've configured the command "#aaa authorization
> config-commands" as well; for some reason it does not show up in the
> configuration. I opened a ticket with Arista and they've confirmed it
> should still work, which makes sense as I'm seeing the commands sent to
> tacplus.
>
> Arista1#sh ver
> Arista DCS-7124SX-F
> Software image version: 4.13.11M
>
> Kevin
>
> From: John Fraizer <john at op-sec.us>
> To: "Kevin.Cruse at Instinet.com" <Kevin.Cruse at instinet.com>,
> Cc: Daniel Schmidt <daniel.schmidt at wyo.gov>, "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
> Date: 08/17/2015 12:58 PM
> Subject: Re: [tac_plus] Cisco Nexus Authorization problem
>
> What version of EOS are you running on your Arista device(s)?
>
> Take a look at the "tab completion" available for "aaa
> authorization". Also, if you can provide the output of "show run | i aaa",
> it will be easier to help you.
>
> Initially, it looks as if your Arista devices are not configured to
> authorize commands. Note that the packet dump shows "ACCT" type for
> "enable" and "configure terminal" vs. "AUTHOR".
>
> --
> John Fraizer
> LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
>
> On Mon, Aug 17, 2015 at 12:21 PM, <Kevin.Cruse at instinet.com> wrote:
>
> I am having a strange issue where Cisco devices are being
> authorized by do_auth properly, however, Arista devices are not. The
> Arista device is sending commands to tacplus but the daemon does not send
> the command to do_auth. I can confirm this since there is no update to the
> do_auth log when sending commands from Arista. Any ideas? Everything seems
> to be working fine except Arista; this is my last hurdle!
>
> CISCO
>
> connect from test.router.com [10.11.128.30]
> Waiting for packet
> Read ACCT size=137
> validation request from test.router.com
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 1, flags 0x1
> session_id 677254324 (0x285e14b4), Data length 125 (0x7d)
> End header
> ACCT, flags=0x4 method=6 priv_lvl=1
> type=1 svc=1
> user_len=6 port_len=6 rem_addr_len=14
> arg_cnt=6
> User:
> testuser
> port:
> tty130
> rem_addr:
> 10.12.144.108
> arg[0]: size=13
> task_id=41325
> arg[1]: size=12
> timezone=EDT
> arg[2]: size=13
> service=shell
> arg[3]: size=21
> start_time=1439827839
> arg[4]: size=10
> priv-lvl=0
> arg[5]: size=15
> cmd=enable
> End packet
> Writing ACCT size=17
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 2, flags 0x1
> session_id 677254324 (0x285e14b4), Data length 5 (0x5)
> End header
> ACCT/REPLY status=1
> msg_len=0 data_len=0
> msg:
> data:
> End packet
> test.router.com : disconnect
>
> session request from test.router.com sock=5
> connect from test.router.com [10.11.128.30]
> Waiting for packet
> Read AUTHOR size=104
> validation request from test.router.com
> PACKET: key=password
> version 192 (0xc0), type 2, seq no 1, flags 0x1
> session_id 4255328848 (0xfda32a50), Data length 92 (0x5c)
> End header
> type=AUTHOR, priv_lvl=15, authen=1
> method=none
> svc=0 user_len=6 port_len=6 rem_addr_len=14
> arg_cnt=4
> User:
> testuser
> port:
> tty130
> rem_addr:
> 10.12.144.108
> arg[0]: size=13
> service=shell
> arg[1]: size=13
> cmd=configure
> arg[2]: size=16
> cmd-arg=terminal
> arg[3]: size=12
> cmd-arg=
> End packet
> Writing AUTHOR/FAIL size=18
> PACKET: key=password
> version 192 (0xc0), type 2, seq no 2, flags 0x1
> session_id 4255328848 (0xfda32a50), Data length 6 (0x6)
> End header
> type=AUTHOR/REPLY status=16 (AUTHOR/FAIL)
> msg_len=0, data_len=0 arg_cnt=0
> msg:
> data:
> End packet
> authorization query for 'testuser' tty130 from test.router.com rejected
> test.router.com : disconnect
>
> ARISTA
>
> connect from Aristalab-1.router.com [10.15.10.18]
> Waiting for packet
> Read ACCT size=119
> validation request from Aristalab-1.router.com
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 1, flags 0x1
> session_id 1744489531 (0x67facc3b), Data length 107 (0x6b)
> End header
> ACCT, flags=0x4 method=6 priv_lvl=1
> type=1 svc=1
> user_len=6 port_len=5 rem_addr_len=0
> arg_cnt=6
> User:
> testuser
> port:
> ttyS0
> rem_addr:
> arg[0]: size=10
> task_id=22
> arg[1]: size=13
> service=shell
> arg[2]: size=10
> priv-lvl=1
> arg[3]: size=21
> start_time=1439828055
> arg[4]: size=12
> timezone=UTC
> arg[5]: size=15
> cmd=enable
> End packet
> Writing ACCT size=17
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 2, flags 0x1
> session_id 1744489531 (0x67facc3b), Data length 5 (0x5)
> End header
> ACCT/REPLY status=1
> msg_len=0 data_len=0
> msg:
> data:
> End packet
> Aristalab-1.router.com : disconnect
>
> session request from Aristalab-1.router.com sock=5
> connect from Aristalab-1.router.com [10.15.10.18]
> Waiting for packet
> Read ACCT size=132
> validation request from Aristalab-1.router.com
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 1, flags 0x1
> session_id 1288212585 (0x4cc89069), Data length 120 (0x78)
> End header
> ACCT, flags=0x4 method=6 priv_lvl=15
> type=1 svc=1
> user_len=6 port_len=5 rem_addr_len=0
> arg_cnt=6
> User:
> testuser
> port:
> ttyS0
> rem_addr:
> arg[0]: size=10
> task_id=23
> arg[1]: size=13
> service=shell
> arg[2]: size=11
> priv-lvl=15
> arg[3]: size=21
> start_time=1439828061
> arg[4]: size=12
> timezone=UTC
> arg[5]: size=27
> cmd=configure terminal
> End packet
> Writing ACCT size=17
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 2, flags 0x1
> session_id 1288212585 (0x4cc89069), Data length 5 (0x5)
> End header
> ACCT/REPLY status=1
> msg_len=0 data_len=0
> msg:
> data:
> End packet
> Aristalab-1.router.com : disconnect
>
> tac_plus.cfg:
>
> group = snm {
>     default service = permit
>     service = exec {
>         priv-lvl = 15
>     }
>     after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -fix_crs_bug -u $user -d $name -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini"
> }
>
> do_auth.ini:
>
> [snm]
> host_allow =
>     .*
> device_permit =
>     .*
> command_deny =
>     configure.*
>     show controllers vip.*
> command_permit =
>     show ip.*
>     show interface.*
>     clear counters.*
>     clear qos stat.*
>     clear mls qos int.*
>     disable.*
>     enable.*
>     end.*
>     exit.*
>     logout.*
>     ping.*
>     set length.*
>     show.*
>     skip-page-display.*
>     write network.*
>     write terminal.*
>     write memory.*
>     terminal length.*
>
> From: John Fraizer <john at op-sec.us>
> To: "Kevin.Cruse at Instinet.com" <Kevin.Cruse at instinet.com>,
> Cc: Daniel Schmidt <daniel.schmidt at wyo.gov>, "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
> Date: 08/07/2015 12:54 PM
> Subject: Re: [tac_plus] Cisco Nexus Authorization problem
>
> Here is one problem:
>
> cmd exit does not exist, denied by default
>
> It looks like you've got default service = deny in your
> tac_plus.conf. To use do_auth, you need default service = permit.
>
> Your after auth line doesn't look right either.
>
> /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
>
> You're not giving it the device address or the address of the user
> attempting to auth. Try changing the after authorization line in
> tac_plus.conf to:
>
> after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -u $user -d $name -l /tmp/do_auth.log -f /usr/local/sbin/tacplus/do_auth.ini"
>
> Note that this will create a do_auth specific log in
> /tmp/do_auth.log but, right now - we'll need that for debugging purposes.
>
> Also remember, you'll need to restart tac_plus for this change to
> take effect.
>
> Here is an example tac_plus group that I know to work properly with
> do_auth.py on CatOS, IOS, IOS-XR, NX-OS, EOS and JUNOS:
>
> group = doauthaccess {
>     default service = permit
>
>     service = exec {
>         priv-lvl = 1
>         optional idletime = 30
>         optional acl = 2
>         shell:roles="\"network-operator vdc-operator\""
>     }
>
>     service = junos-exec {
>         bug-fix = "first pair is lost"
>         local-user-name = "remote"
>         allow-commands = "(.*exit)|(show cli auth.*)"
>         deny-commands = ".*"
>         allow-configuration = ""
>         deny-configuration = ""
>     }
>     after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -u $user -d $name -l /tmp/do_auth.log -f /usr/local/sbin/tacplus/do_auth.ini"
> }
>
> One more thing... Looking at your do_auth.ini, you seem to have a
> space between the commands and ".*" which should not be there.
>
> For example:
>
> exit .*
>
> ...should be:
>
> exit.*
>
> I posted a complete working tac_plus.conf and do_auth.ini along
> with the AAA config I use on devices the other day. Take a look at that
> post as well.
>
> --
> John Fraizer
> LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
>
> On Fri, Aug 7, 2015 at 5:16 AM, <Kevin.Cruse at instinet.com> wrote:
>
> I will try upgrading to 4.14.5F and see what happens! Thanks.
>
> Wondering if you are familiar with this error in do_auth
> execution; I am permitting exit in do_auth.ini. Seems to be some issue with
> the do_auth script:
>
> Reading config
> Version F4.0.4.28 Initialized 1
> tac_plus server F4.0.4.28 starting
> socket FD 4 AF 2
> uid=0 euid=0 gid=0 egid=0 s=23660848
> connect from router1 [172.28.10.124]
> Start authorization request
> do_author: user='testuser'
> user 'testuser' found
> authorize_cmd: user=testuser, cmd=exit
> cmd exit does not exist, denied by default
> After authorization call: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
> substitute: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
> Dollar substitution: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u testuser -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
> pid 24672 child exited status 1
> cmd /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini returns 1 (unconditional deny)
> authorization query for 'testuser' tty130 from router1 rejected
> connect from router1 [1.1.1.1]
>
> do_auth.ini:
>
> [users]
> testuser =
>     snm
> [snm]
> command_deny =
>     configure .*
>     show controllers vip .*
> command_permit =
>     show ip .*
>     show interface .*
>     clear counters .*
>     clear qos stat .*
>     clear mls qos int .*
>     disable .*
>     enable .*
>     end .*
>     exit .*
>     logout .*
>     ping .*
>     set length .*
>     show .*
>     skip-page-display .*
>     write network .*
>     write terminal .*
>     write memory .*
>
> From: John Fraizer <john at op-sec.us>
> To: "Kevin.Cruse at Instinet.com" <Kevin.Cruse at instinet.com>,
> Cc: Daniel Schmidt <daniel.schmidt at wyo.gov>, "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
> Date: 08/06/2015 06:54 PM
> Subject: Re: [tac_plus] Cisco Nexus Authorization problem
>
> I'm not sure when this command became available in EOS but, at
> least in 4.14.5F, you will get what you want with:
>
> aaa authorization commands all default group tacacs+ none
>
> --
> John Fraizer
> LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
>
> On Thu, Aug 6, 2015 at 1:58 PM, <Kevin.Cruse at instinet.com> wrote:
>
> Tried that! Arista only takes this command with no arguments:
>
> aaa authorization config-commands
>
> It still didn't work.
>
> FYI - I just tried the same config with a Cisco router and it works
> perfectly, running 4.13.11M of EOS.
>
> From: Daniel Schmidt <daniel.schmidt at wyo.gov>
> To: Kevin.Cruse at instinet.com,
> Cc: Aaron Wasserott <aaron.wasserott at viawest.com>, "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
> Date: 08/06/2015 04:09 PM
> Subject: Re: [tac_plus] Cisco Nexus Authorization problem
>
> This part of the email looks interesting:
>
> But if you want them in conf t mode but restrict their commands at that
> level, you need to enable something like this:
>
> aaa authorization config-commands default group myTacacsGroup local
Please access the following link for important > information and instructions: * > *http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt* > > > > *Securities products and services are provided by locally > registered brokerage subsidiaries of Instinet Incorporated: Instinet > Australia Pty Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the > Australian Securities & Investments Commission; Instinet Canada Limited, > member IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by > the Securities and Futures Commission of Hong Kong; Instinet Singapore > Services Private Limited, regulated by the Monetary Authority of Singapore, > trading member of The Singapore Exchange Securities Trading Private Limited > and clearing member of The Central Depository (Pte) Limited; and Instinet, > LLC, member SIPC. * > > > > * > ========================================================================================================= > * > > > > > * > ========================================================================================================= > * > > *<<<< Disclaimer >>>>* > > *This message is intended solely for use by the named addressee(s). > If you receive this transmission in error, please immediately notify the > sender and destroy this message in its entirety, whether in electronic or > hard copy format. Any unauthorized use (and reliance thereon), copying, > disclosure, retention, or distribution of this transmission or the material > in this transmission is forbidden. We reserve the right to monitor and > archive electronic communications. This material does not constitute an > offer or solicitation with respect to the purchase or sale of any security. > It should not be construed to contain any recommendation regarding any > security or strategy. Any views expressed are those of the individual > sender, except where the message states otherwise and the sender is > authorized to state them to be the views of any such entity. 
This > communication is provided on an ?as is? basis. It contains material that is > owned by Instinet Incorporated, its subsidiaries or its or their licensors, > and may not, in whole or in part, be (i) copied, photocopied or duplicated > in any form, by any means, or (ii) redistributed, posted, published, > excerpted, or quoted without Instinet Incorporated's prior written consent. > Please access the following link for important information and > instructions: * > *http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt* > > > *Securities products and services are provided by locally > registered brokerage subsidiaries of Instinet Incorporated: Instinet > Australia Pty Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the > Australian Securities & Investments Commission; Instinet Canada Limited, > member IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by > the Securities and Futures Commission of Hong Kong; Instinet Singapore > Services Private Limited, regulated by the Monetary Authority of Singapore, > trading member of The Singapore Exchange Securities Trading Private Limited > and clearing member of The Central Depository (Pte) Limited; and Instinet, > LLC, member SIPC. * > > > > * > ========================================================================================================= > * > > > > > * > ========================================================================================================= > * > > *<<<< Disclaimer >>>>* > > *This message is intended solely for use by the named addressee(s). If > you receive this transmission in error, please immediately notify the > sender and destroy this message in its entirety, whether in electronic or > hard copy format. Any unauthorized use (and reliance thereon), copying, > disclosure, retention, or distribution of this transmission or the material > in this transmission is forbidden. We reserve the right to monitor and > archive electronic communications. 
This material does not constitute an > offer or solicitation with respect to the purchase or sale of any security. > It should not be construed to contain any recommendation regarding any > security or strategy. Any views expressed are those of the individual > sender, except where the message states otherwise and the sender is > authorized to state them to be the views of any such entity. This > communication is provided on an ?as is? basis. It contains material that is > owned by Instinet Incorporated, its subsidiaries or its or their licensors, > and may not, in whole or in part, be (i) copied, photocopied or duplicated > in any form, by any means, or (ii) redistributed, posted, published, > excerpted, or quoted without Instinet Incorporated's prior written consent. > Please access the following link for important information and > instructions: * > *http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt* > > > *Securities products and services are provided by locally registered > brokerage subsidiaries of Instinet Incorporated: Instinet Australia Pty > Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the Australian > Securities & Investments Commission; Instinet Canada Limited, member > IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by the > Securities and Futures Commission of Hong Kong; Instinet Singapore Services > Private Limited, regulated by the Monetary Authority of Singapore, trading > member of The Singapore Exchange Securities Trading Private Limited and > clearing member of The Central Depository (Pte) Limited; and Instinet, LLC, > member SIPC. * > > > > * > ========================================================================================================= > * > > > > > > ========================================================================================================= > > > *<<<< Disclaimer >>>>* > > This message is intended solely for use by the named addressee(s). 
If you > receive this transmission in error, please immediately notify the sender > and destroy this message in its entirety, whether in electronic or hard > copy format. Any unauthorized use (and reliance thereon), copying, > disclosure, retention, or distribution of this transmission or the material > in this transmission is forbidden. We reserve the right to monitor and > archive electronic communications. This material does not constitute an > offer or solicitation with respect to the purchase or sale of any security. > It should not be construed to contain any recommendation regarding any > security or strategy. Any views expressed are those of the individual > sender, except where the message states otherwise and the sender is > authorized to state them to be the views of any such entity. This > communication is provided on an ?as is? basis. It contains material that is > owned by Instinet Incorporated, its subsidiaries or its or their licensors, > and may not, in whole or in part, be (i) copied, photocopied or duplicated > in any form, by any means, or (ii) redistributed, posted, published, > excerpted, or quoted without Instinet Incorporated's prior written consent. 
> Please access the following link for important information and > instructions: > http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt > > Securities products and services are provided by locally registered > brokerage subsidiaries of Instinet Incorporated: Instinet Australia Pty > Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the Australian > Securities & Investments Commission; Instinet Canada Limited, member > IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by the > Securities and Futures Commission of Hong Kong; Instinet Singapore Services > Private Limited, regulated by the Monetary Authority of Singapore, trading > member of The Singapore Exchange Securities Trading Private Limited and > clearing member of The Central Depository (Pte) Limited; and Instinet, LLC, > member SIPC. > > > > ========================================================================================================= > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: graycol.gif Type: image/gif Size: 105 bytes Desc: not available URL: From john at op-sec.us Mon Aug 17 18:23:07 2015 From: john at op-sec.us (John Fraizer) Date: Mon, 17 Aug 2015 14:23:07 -0400 Subject: [tac_plus] Cisco Nexus Authorization problem In-Reply-To: References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B94B85@mbx030-w1-co-6.exch030.domain.local> Message-ID: Kevin, I'm not using defined tacacs+ groups in our configuration so, that is a variable that could be triggering a bug in AAA authorization but, your config is very similar to what we're using: ! tacacs-server key 7 tacacs-server host x.x.x.a tacacs-server host x.x.x.b ! 
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands all default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting commands all default stop-only group tacacs+
!

Please note though that based on what you sent in your original email, your EOS device is not sending AUTH requests for commands. I only see ACCT records being sent:

Here is the AUTH request coming from your Cisco:

session request from test.router.com sock=5
connect from test.router.com [10.11.128.30]
Waiting for packet
Read AUTHOR size=104
validation request from test.router.com
PACKET: key=password
version 192 (0xc0), type 2, seq no 1, flags 0x1
session_id 4255328848 (0xfda32a50), Data length 92 (0x5c)
End header
type=AUTHOR, priv_lvl=15, authen=1
method=none
svc=0 user_len=6 port_len=6 rem_addr_len=14
arg_cnt=4
User:
testuser
port:
tty130
rem_addr:
10.12.144.108
arg[0]: size=13
service=shell
arg[1]: size=13
cmd=configure
arg[2]: size=16
cmd-arg=terminal
arg[3]: size=12
cmd-arg=
End packet
Writing AUTHOR/FAIL size=18
PACKET: key=password
version 192 (0xc0), type 2, seq no 2, flags 0x1
session_id 4255328848 (0xfda32a50), Data length 6 (0x6)
End header
type=AUTHOR/REPLY status=16 (AUTHOR/FAIL)
msg_len=0, data_len=0 arg_cnt=0
msg:
data:
End packet
authorization query for 'testuser' tty130 from test.router.com rejected
test.router.com: disconnect

...vs the ACCT record being sent by the EOS device(s):

session request from Aristalab-1.router.com sock=5
connect from Aristalab-1.router.com [10.15.10.18]
Waiting for packet
Read ACCT size=132
validation request from Aristalab-1.router.com
PACKET: key=password
version 192 (0xc0), type 3, seq no 1, flags 0x1
session_id 1288212585 (0x4cc89069), Data length 120 (0x78)
End header
ACCT, flags=0x4 method=6 priv_lvl=15
type=1 svc=1
user_len=6 port_len=5 rem_addr_len=0
arg_cnt=6
User:
testuser
port:
ttyS0
rem_addr:
arg[0]: size=10
task_id=23
arg[1]: size=13
service=shell
arg[2]: size=11
priv-lvl=15
arg[3]: size=21
start_time=1439828061
arg[4]: size=12
timezone=UTC
arg[5]: size=27
cmd=configure terminal
End packet
Writing ACCT size=17
PACKET: key=password
version 192 (0xc0), type 3, seq no 2, flags 0x1
session_id 1288212585 (0x4cc89069), Data length 5 (0x5)
End header
ACCT/REPLY status=1
msg_len=0 data_len=0
msg:
data:
End packet
Aristalab-1.router.com: disconnect

So, in effect, where the Cisco device is asking permission to execute the command, the EOS device is simply informing the TACACS+ server that the command was executed. It's a matter of ACCOUNT vs AUTHORIZE. You might want to update your ticket with Arista to include that information.

You may also want to try enumerating your TACACS+ servers the way I have vs. using an AAA group just to rule that variable out as the vector that is triggering a bug.

I understand that if you've got a large EOS deployment, it is non-trivial to push AAA config changes to them all but, trust me - it can be done. I've got a fleet > 2000 EOS devices and I just updated their AAA config a few weeks ago.

The safest way to do it would be as follows:

(1) Enumerate the TACACS+ servers outside of the group:

!
tacacs-server key 7
tacacs-server host x.x.x.a
tacacs-server host x.x.x.b
!

Then, update your aaa auth commands as follows:

!
aaa authorization exec default group tacacs+ local
aaa authorization commands all default group tacacs+ none
!

Please let me know if this helps and also update me if Arista identifies a bug. That's information I'd like to have in our "tribal knowledge" store.
--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/

On Mon, Aug 17, 2015 at 2:03 PM, wrote:

> John,
>
> Here is the configuration from arista:
>
> Arista1#sh run | i aaa
> aaa group server tacacs+ CiscoACS
> aaa authentication login default group CiscoACS local
> aaa authorization exec default group CiscoACS local
> aaa authorization commands all default group CiscoACS local
> aaa accounting exec default start-stop group CiscoACS
> aaa accounting commands all default start-stop group CiscoACS
> no aaa root
> Arista1#
>
> Just fyi - I've configured the command "#aaa authorization config-commands" as well, for some reason it does not show up in configuration. I opened a ticket with arista and they've confirmed it should still work which makes sense as I'm seeing the commands sent to tacplus.
>
> Arista1#sh ver
> Arista DCS-7124SX-F
> Software image version: 4.13.11M
>
> Kevin
>
> From: John Fraizer
> To: "Kevin.Cruse at Instinet.com",
> Cc: Daniel Schmidt, "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
> Date: 08/17/2015 12:58 PM
> Subject: Re: [tac_plus] Cisco Nexus Authorization problem
> ------------------------------
>
> What version of EOS are you running on your Arista device(s)?
>
> Take a look at the "tab completion" available for "aaa authorization". Also, if you can provide the output of "show run | i aaa", it will be easier to help you.
>
> Initially, it looks as if your Arista devices are not configured to authorize commands. Note that the packet dump shows "ACCT" type for "enable" and "configure terminal" vs. "AUTHOR".
>
> --
> John Fraizer
> LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
>
> On Mon, Aug 17, 2015 at 12:21 PM, <Kevin.Cruse at instinet.com> wrote:
>
> I am having a strange issue where cisco devices are being authorized by do_auth properly, however, arista devices are not. The arista device is sending command to tacplus but daemon does not send command to do_auth. I can confirm since there is no update to do_auth log when sending commands from arista. any ideas? Everything seems to be working fine except arista, this is my last hurdle!
>
> CISCO
>
> connect from test.router.com [10.11.128.30]
> Waiting for packet
> Read ACCT size=137
> validation request from test.router.com
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 1, flags 0x1
> session_id 677254324 (0x285e14b4), Data length 125 (0x7d)
> End header
> ACCT, flags=0x4 method=6 priv_lvl=1
> type=1 svc=1
> user_len=6 port_len=6 rem_addr_len=14
> arg_cnt=6
> User:
> testuser
> port:
> tty130
> rem_addr:
> 10.12.144.108
> arg[0]: size=13
> task_id=41325
> arg[1]: size=12
> timezone=EDT
> arg[2]: size=13
> service=shell
> arg[3]: size=21
> start_time=1439827839
> arg[4]: size=10
> priv-lvl=0
> arg[5]: size=15
> cmd=enable
> End packet
> Writing ACCT size=17
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 2, flags 0x1
> session_id 677254324 (0x285e14b4), Data length 5 (0x5)
> End header
> ACCT/REPLY status=1
> msg_len=0 data_len=0
> msg:
> data:
> End packet
> test.router.com: disconnect
>
> session request from test.router.com sock=5
> connect from test.router.com [10.11.128.30]
> Waiting for packet
> Read AUTHOR size=104
> validation request from test.router.com
> PACKET: key=password
> version 192 (0xc0), type 2, seq no 1, flags 0x1
> session_id 4255328848 (0xfda32a50), Data length 92 (0x5c)
> End header
> type=AUTHOR, priv_lvl=15, authen=1
> method=none
> svc=0 user_len=6 port_len=6 rem_addr_len=14
> arg_cnt=4
> User:
> testuser
> port:
> tty130
> rem_addr:
> 10.12.144.108
> arg[0]: size=13
> service=shell
> arg[1]: size=13
> cmd=configure
> arg[2]: size=16
> cmd-arg=terminal
> arg[3]: size=12
> cmd-arg=
> End packet
> Writing AUTHOR/FAIL size=18
> PACKET: key=password
> version 192 (0xc0), type 2, seq no 2, flags 0x1
> session_id 4255328848 (0xfda32a50), Data length 6 (0x6)
> End header
> type=AUTHOR/REPLY status=16 (AUTHOR/FAIL)
> msg_len=0, data_len=0 arg_cnt=0
> msg:
> data:
> End packet
> authorization query for 'testuser' tty130 from test.router.com rejected
> test.router.com: disconnect
>
> ARISTA
>
> connect from Aristalab-1.router.com [10.15.10.18]
> Waiting for packet
> Read ACCT size=119
> validation request from Aristalab-1.router.com
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 1, flags 0x1
> session_id 1744489531 (0x67facc3b), Data length 107 (0x6b)
> End header
> ACCT, flags=0x4 method=6 priv_lvl=1
> type=1 svc=1
> user_len=6 port_len=5 rem_addr_len=0
> arg_cnt=6
> User:
> testuser
> port:
> ttyS0
> rem_addr:
> arg[0]: size=10
> task_id=22
> arg[1]: size=13
> service=shell
> arg[2]: size=10
> priv-lvl=1
> arg[3]: size=21
> start_time=1439828055
> arg[4]: size=12
> timezone=UTC
> arg[5]: size=15
> cmd=enable
> End packet
> Writing ACCT size=17
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 2, flags 0x1
> session_id 1744489531 (0x67facc3b), Data length 5 (0x5)
> End header
> ACCT/REPLY status=1
> msg_len=0 data_len=0
> msg:
> data:
> End packet
> Aristalab-1.router.com: disconnect
>
> session request from Aristalab-1.router.com sock=5
> connect from Aristalab-1.router.com [10.15.10.18]
> Waiting for packet
> Read ACCT size=132
> validation request from Aristalab-1.router.com
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 1, flags 0x1
> session_id 1288212585 (0x4cc89069), Data length 120 (0x78)
> End header
> ACCT, flags=0x4 method=6 priv_lvl=15
> type=1 svc=1
> user_len=6 port_len=5 rem_addr_len=0
> arg_cnt=6
> User:
> testuser
> port:
> ttyS0
> rem_addr:
> arg[0]: size=10
> task_id=23
> arg[1]: size=13
> service=shell
> arg[2]: size=11
> priv-lvl=15
> arg[3]: size=21
> start_time=1439828061
> arg[4]: size=12
> timezone=UTC
> arg[5]: size=27
> cmd=configure terminal
> End packet
> Writing ACCT size=17
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 2, flags 0x1
> session_id 1288212585 (0x4cc89069), Data length 5 (0x5)
> End header
> ACCT/REPLY status=1
> msg_len=0 data_len=0
> msg:
> data:
> End packet
> Aristalab-1.router.com: disconnect
>
> tac_plus.cfg:
>
> group = snm {
>         default service = permit
>         service = exec {
>                 priv-lvl = 15
>         }
>         after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -fix_crs_bug -u $user -d $name -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini"
> }
>
> do_auth.ini:
>
> [snm]
> host_allow =
>         .*
> device_permit =
>         .*
> command_deny =
>         configure.*
>         show controllers vip.*
> command_permit =
>         show ip.*
>         show interface.*
>         clear counters.*
>         clear qos stat.*
>         clear mls qos int.*
>         disable.*
>         enable.*
>         end.*
>         exit.*
>         logout.*
>         ping.*
>         set length.*
>         show.*
>         skip-page-display.*
>         write network.*
>         write terminal.*
>         write memory.*
>         terminal length.*
>
> From: John Fraizer <john at op-sec.us>
> To: "Kevin.Cruse at Instinet.com" <Kevin.Cruse at instinet.com>,
> Cc: Daniel Schmidt <daniel.schmidt at wyo.gov>, "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
> Date: 08/07/2015 12:54 PM
> Subject: Re: [tac_plus] Cisco Nexus Authorization problem
> ------------------------------
>
> Here is one problem:
>
> cmd exit does not exist, denied by default
>
> It looks like you've got default service = deny in your tac_plus.conf. To use do_auth, you need default service = permit.
>
> Your after auth line doesn't look right either.
>
> /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
>
> You're not giving it the device address or the address of the user attempting to auth. Try changing the after authorization line in tac_plus.conf to:
>
> after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -u $user -d $name -l /tmp/do_auth.log -f /usr/local/sbin/tacplus/do_auth.ini"
>
> Note that this will create a do_auth specific log in /tmp/do_auth.log but, right now - we'll need that for debugging purposes.
>
> Also remember, you'll need to restart tac_plus for this change to take effect.
>
> Here is an example tac_plus group that I know to work properly with do_auth.py on CatOS, IOS, IOS-XR, NX-OS, EOS and JUNOS:
>
> group = doauthaccess {
>         default service = permit
>
>         service = exec {
>                 priv-lvl = 1
>                 optional idletime = 30
>                 optional acl = 2
>                 shell:roles="\"network-operator vdc-operator\""
>         }
>
>         service = junos-exec {
>                 bug-fix = "first pair is lost"
>                 local-user-name = "remote"
>                 allow-commands = "(.*exit)|(show cli auth.*)"
>                 deny-commands = ".*"
>                 allow-configuration = ""
>                 deny-configuration = ""
>         }
>         after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -u $user -d $name -l /tmp/do_auth.log -f /usr/local/sbin/tacplus/do_auth.ini"
> }
>
> One more thing... Looking at your do_auth.ini, you seem to have a space between the commands and ".*" which should not be there.
>
> For example:
>
> exit .*
>
> ...should be:
>
> exit.*
>
> I posted a complete working tac_plus.conf and do_auth.ini along with the AAA config I use on devices the other day. Take a look at that post as well.
>
> --
> John Fraizer
> LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
>
> On Fri, Aug 7, 2015 at 5:16 AM, <Kevin.Cruse at instinet.com> wrote:
> I will try upgrading to 4.14.5F and see what happens! thanks
>
> wondering if you are familiar with this error in do_auth execution, I am permitting exit in do_auth.ini. seems to be some issue with do_auth script:
>
> Reading config
> Version F4.0.4.28 Initialized 1
> tac_plus server F4.0.4.28 starting
> socket FD 4 AF 2
> uid=0 euid=0 gid=0 egid=0 s=23660848
> connect from router1 [172.28.10.124]
> Start authorization request
> do_author: user='testuser'
> user 'testuser' found
> authorize_cmd: user=testuser, cmd=exit
> cmd exit does not exist, denied by default
> After authorization call: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
> substitute: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
> Dollar substitution: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u testuser -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
> pid 24672 child exited status 1
> cmd /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini returns 1 (unconditional deny)
> authorization query for 'testuser' tty130 from router1 rejected
> connect from router1 [1.1.1.1]
>
> do_auth.ini:
>
> [users]
> testuser =
>         snm
> [snm]
> command_deny =
>         configure .*
>         show controllers vip .*
> command_permit =
>         show ip .*
>         show interface .*
>         clear counters .*
>         clear qos stat .*
>         clear mls qos int .*
>         disable .*
>         enable .*
>         end .*
>         exit .*
>         logout .*
>         ping .*
>         set length .*
>         show .*
>         skip-page-display .*
>         write network .*
>         write terminal .*
>         write memory .*
>
> From: John Fraizer <john at op-sec.us>
> To: "Kevin.Cruse at Instinet.com" <Kevin.Cruse at instinet.com>,
> Cc: Daniel Schmidt <daniel.schmidt at wyo.gov>, "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
> Date: 08/06/2015 06:54 PM
> Subject: Re: [tac_plus] Cisco Nexus Authorization problem
> ------------------------------
>
> I'm not sure when this command became available in EOS but, at least in 4.14.5F, you will get what you want with:
>
> aaa authorization commands all default group tacacs+ none
>
> --
> John Fraizer
> LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
>
> On Thu, Aug 6, 2015 at 1:58 PM, <Kevin.Cruse at instinet.com> wrote:
> tried that! arista only takes this command with no arguments:
>
> aaa authorization config-commands
>
> it still didn't work.
>
> fyi - i just tried same config with cisco router and it works perfectly, running 4.13.11M of EOS.
>
> From: Daniel Schmidt <daniel.schmidt at wyo.gov>
> To: Kevin.Cruse at instinet.com,
> Cc: Aaron Wasserott <aaron.wasserott at viawest.com>, "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
> Date: 08/06/2015 04:09 PM
> Subject: Re: [tac_plus] Cisco Nexus Authorization problem
>
> This part of the email looks interesting:
>
> But if you want them in conf t mode but restrict their commands at that level, you need to enable something like this:
>
> aaa authorization config-commands default group myTacacsGroup local
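The diagnosis in John's 17 August message (the Cisco asks AUTHOR before running a command, the EOS device only reports it afterwards via ACCT) and the do_auth.ini spacing note in his quoted 7 August reply can both be checked mechanically. The Python below is an added example written for this archive; it is not code from tac_plus or do_auth.py. It splits tac_plus debug output into per-session records, lists devices whose shell commands are only ever accounted and never authorized (those commands never reach the after-authorization callout), and shows how a pattern written as `exit .*` behaves against the bare command `exit` versus a multi-word command. The sample log is constructed from the excerpts in the thread with unused lines omitted; the `re.match`-based pattern check is an assumption about how do_auth.py applies its command_permit/command_deny lists, not a copy of its code.

```python
import re
from collections import defaultdict

# Constructed sample of tac_plus debug output, modelled on the excerpts in
# this thread (lines the parser does not use are left out): a Cisco device
# asking AUTHOR for "configure terminal", and an EOS device sending only an
# ACCT record for the same command.
SAMPLE_LOG = """\
connect from test.router.com [10.11.128.30]
Read AUTHOR size=104
type=AUTHOR, priv_lvl=15, authen=1
User:
testuser
port:
tty130
arg[0]: size=13
service=shell
arg[1]: size=13
cmd=configure
arg[2]: size=16
cmd-arg=terminal
arg[3]: size=12
cmd-arg=
End packet
Writing AUTHOR/FAIL size=18
test.router.com: disconnect
connect from Aristalab-1.router.com [10.15.10.18]
Read ACCT size=132
ACCT, flags=0x4 method=6 priv_lvl=15
User:
testuser
port:
ttyS0
arg[1]: size=13
service=shell
arg[5]: size=27
cmd=configure terminal
End packet
Writing ACCT size=17
Aristalab-1.router.com: disconnect
"""

# Every device session in the debug output starts with a "connect from" line.
SESSION_RE = re.compile(r"^connect from (\S+) \[([\d.]+)\]", re.M)


def parse_sessions(log):
    """Split tac_plus debug output into one record per device session.

    An AUTHOR request carries the verb in cmd= and each further token in
    its own cmd-arg= (the last one is empty); an ACCT record carries the
    whole command line in a single cmd=.  Both are normalised to one string.
    """
    records = []
    starts = list(SESSION_RE.finditer(log))
    for i, start in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(log)
        body = log[start.start():end]
        kind = re.search(r"^Read (AUTHOR|ACCT|AUTHEN)", body, re.M)
        user = re.search(r"^User:\s*(\S+)", body, re.M)
        cmd = re.search(r"^cmd=(.*)$", body, re.M)
        args = re.findall(r"^cmd-arg=(.*)$", body, re.M)
        words = ([cmd.group(1)] if cmd else []) + [a for a in args if a]
        records.append({
            "device": start.group(1),
            "ip": start.group(2),
            "type": kind.group(1) if kind else "UNKNOWN",
            "user": user.group(1) if user else "",
            "command": " ".join(words),
        })
    return records


def devices_without_authorization(records):
    """Devices that reported shell commands via ACCT but never sent AUTHOR.

    Such a device executes the command first and informs the server
    afterwards, so a command-authorization callout never sees it.
    """
    seen = defaultdict(set)
    for rec in records:
        if rec["command"]:
            seen[rec["device"]].add(rec["type"])
    return sorted(dev for dev, kinds in seen.items()
                  if "ACCT" in kinds and "AUTHOR" not in kinds)


def first_matching_pattern(patterns, command):
    """Return the first pattern of a command_permit/command_deny style list
    that matches the command, or None.

    Assumption (not taken from do_auth.py): patterns are applied with
    re.match, i.e. anchored at the start of the command only.  A pattern
    like "exit .*" therefore needs a space after the verb and never matches
    the bare command "exit", while "configure .*" still matches
    "configure terminal".
    """
    for pattern in patterns:
        if re.match(pattern, command):
            return pattern
    return None


if __name__ == "__main__":
    recs = parse_sessions(SAMPLE_LOG)
    for rec in recs:
        print(rec["device"], rec["type"], rec["user"], repr(rec["command"]))
    print("accounting only:", devices_without_authorization(recs))
    print("exit   vs 'exit .*':", first_matching_pattern(["exit .*"], "exit"))
    print("exit   vs 'exit.*' :", first_matching_pattern(["exit.*"], "exit"))
```

Run it against a capture of tac_plus debug output instead of SAMPLE_LOG and any device that shows up in the accounting-only list is a candidate for the AAA change John describes; the pattern check is the quickest way to see why a permit list with trailing spaces denies single-word commands but appears to work for multi-word ones.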
From john at op-sec.us Mon Aug 17 21:45:28 2015
From: john at op-sec.us (John Fraizer)
Date: Mon, 17 Aug 2015 17:45:28 -0400
Subject: [tac_plus] Cisco Nexus Authorization problem
In-Reply-To:
References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B94B85@mbx030-w1-co-6.exch030.domain.local>
Message-ID:

On Mon, Aug 17, 2015 at 2:03 PM, wrote:
>
> Just fyi - I've configured the command "#aaa authorization
> config-commands" as well, for some reason it does not show up in
> configuration.
>

There is some interesting trivia behind that. "aaa authorization
config-commands" is the "default" behavior. BUT, if someone has issued "no
aaa authorization config-commands" on the device (which also does not show
up in the config), the behavior changes. You have to issue "aaa
authorization config-commands" to re-enable the behavior.

You just have to love those hidden gems!

John

From john at op-sec.us Mon Aug 17 16:58:27 2015
From: john at op-sec.us (John Fraizer)
Date: Mon, 17 Aug 2015 12:58:27 -0400
Subject: [tac_plus] Cisco Nexus Authorization problem
In-Reply-To:
References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B92A28@mbx030-w1-co-6.exch030.domain.local> <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B94B85@mbx030-w1-co-6.exch030.domain.local>
Message-ID:

What version of EOS are you running on your Arista device(s)? Take a look
at the "tab completion" available for "aaa authorization". Also, if you can
provide the output of "show run | i aaa", it will be easier to help you.

Initially, it looks as if your Arista devices are not configured to
authorize commands. Note that the packet dump shows "ACCT" type for
"enable" and "configure terminal" vs. "AUTHOR".
--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/

On Mon, Aug 17, 2015 at 12:21 PM, wrote:
> I am having a strange issue where cisco devices are being authorized by
> do_auth properly, however, arista devices are not. The arista device is
> sending the command to tacplus but the daemon does not send the command
> to do_auth. I can confirm since there is no update to the do_auth log
> when sending commands from arista. Any ideas? Everything seems to be
> working fine except arista, this is my last hurdle!
>
>
> CISCO
>
> connect from test.router.com [10.11.128.30]
> Waiting for packet
> Read ACCT size=137
> validation request from test.router.com
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 1, flags 0x1
> session_id 677254324 (0x285e14b4), Data length 125 (0x7d)
> End header
> ACCT, flags=0x4 method=6 priv_lvl=1
> type=1 svc=1
> user_len=6 port_len=6 rem_addr_len=14
> arg_cnt=6
> User:
> testuser
> port:
> tty130
> rem_addr:
> 10.12.144.108
> arg[0]: size=13
> task_id=41325
> arg[1]: size=12
> timezone=EDT
> arg[2]: size=13
> service=shell
> arg[3]: size=21
> start_time=1439827839
> arg[4]: size=10
> priv-lvl=0
> arg[5]: size=15
> cmd=enable
> End packet
> Writing ACCT size=17
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 2, flags 0x1
> session_id 677254324 (0x285e14b4), Data length 5 (0x5)
> End header
> ACCT/REPLY status=1
> msg_len=0 data_len=0
> msg:
> data:
> End packet
> test.router.com: disconnect
>
>
> session request from test.router.com sock=5
> connect from test.router.com [10.11.128.30]
> Waiting for packet
> Read AUTHOR size=104
> validation request from test.router.com
> PACKET: key=password
> version 192 (0xc0), type 2, seq no 1, flags 0x1
> session_id 4255328848 (0xfda32a50), Data length 92 (0x5c)
> End header
> type=AUTHOR, priv_lvl=15, authen=1
> method=none
> svc=0 user_len=6 port_len=6 rem_addr_len=14
> arg_cnt=4
> User:
> testuser
> port:
> tty130
> rem_addr:
> 10.12.144.108
> arg[0]: size=13
> service=shell
> arg[1]: size=13
> cmd=configure
> arg[2]: size=16
> cmd-arg=terminal
> arg[3]: size=12
> cmd-arg=
> End packet
> Writing AUTHOR/FAIL size=18
> PACKET: key=password
> version 192 (0xc0), type 2, seq no 2, flags 0x1
> session_id 4255328848 (0xfda32a50), Data length 6 (0x6)
> End header
> type=AUTHOR/REPLY status=16 (AUTHOR/FAIL)
> msg_len=0, data_len=0 arg_cnt=0
> msg:
> data:
> End packet
> authorization query for 'testuser' tty130 from test.router.com rejected
> test.router.com: disconnect
>
>
> ARISTA
>
> connect from Aristalab-1.router.com [10.15.10.18]
> Waiting for packet
> Read ACCT size=119
> validation request from Aristalab-1.router.com
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 1, flags 0x1
> session_id 1744489531 (0x67facc3b), Data length 107 (0x6b)
> End header
> ACCT, flags=0x4 method=6 priv_lvl=1
> type=1 svc=1
> user_len=6 port_len=5 rem_addr_len=0
> arg_cnt=6
> User:
> testuser
> port:
> ttyS0
> rem_addr:
> arg[0]: size=10
> task_id=22
> arg[1]: size=13
> service=shell
> arg[2]: size=10
> priv-lvl=1
> arg[3]: size=21
> start_time=1439828055
> arg[4]: size=12
> timezone=UTC
> arg[5]: size=15
> cmd=enable
> End packet
> Writing ACCT size=17
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 2, flags 0x1
> session_id 1744489531 (0x67facc3b), Data length 5 (0x5)
> End header
> ACCT/REPLY status=1
> msg_len=0 data_len=0
> msg:
> data:
> End packet
> Aristalab-1.router.com: disconnect
>
>
> session request from Aristalab-1.router.com sock=5
> connect from Aristalab-1.router.com [10.15.10.18]
> Waiting for packet
> Read ACCT size=132
> validation request from Aristalab-1.router.com
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 1, flags 0x1
> session_id 1288212585 (0x4cc89069), Data length 120 (0x78)
> End header
> ACCT, flags=0x4 method=6 priv_lvl=15
> type=1 svc=1
> user_len=6 port_len=5 rem_addr_len=0
> arg_cnt=6
> User:
> testuser
> port:
> ttyS0
> rem_addr:
> arg[0]: size=10
> task_id=23
> arg[1]: size=13
> service=shell
> arg[2]: size=11
> priv-lvl=15
> arg[3]: size=21
> start_time=1439828061
> arg[4]: size=12
> timezone=UTC
> arg[5]: size=27
> cmd=configure terminal
> End packet
> Writing ACCT size=17
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 2, flags 0x1
> session_id 1288212585 (0x4cc89069), Data length 5 (0x5)
> End header
> ACCT/REPLY status=1
> msg_len=0 data_len=0
> msg:
> data:
> End packet
> Aristalab-1.router.com: disconnect
>
>
> tac_plus.cfg:
>
>
> group = snm {
> default service = permit
> service = exec {
> priv-lvl = 15
> }
> after authorization "/usr/bin/python
> /usr/local/sbin/tacplus/do_auth.py -i $address -fix_crs_bug -u $user -d
> $name -l /var/log/tacacs/do_auth_log.txt -f
> /usr/local/sbin/tacplus/do_auth.ini"
>
> }
>
>
>
> do_auth.ini:
>
>
> [snm]
> host_allow =
> .*
> device_permit =
> .*
> command_deny =
> configure.*
> show controllers vip.*
> command_permit =
> show ip.*
> show interface.*
> clear counters.*
> clear qos stat.*
> clear mls qos int.*
> disable.*
> enable.*
> end.*
> exit.*
> logout.*
> ping.*
> set length.*
> show.*
> skip-page-display.*
> write network.*
> write terminal.*
> write memory.*
> terminal length.*
>
>
> From: John Fraizer
> To: "Kevin.Cruse at Instinet.com" ,
> Cc: Daniel Schmidt , "tac_plus at shrubbery.net" <
> tac_plus at shrubbery.net>
> Date: 08/07/2015 12:54 PM
> Subject: Re: [tac_plus] Cisco Nexus Authorization problem
> ------------------------------
>
>
> Here is one problem:
>
> cmd exit does not exist, denied by default
>
> It looks like you've got default service = deny in your tac_plus.conf. To
> use do_auth, you need default service = permit.
>
> Your after auth line doesn't look right either.
>
> /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user -l
> /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
>
> You're not giving it the device address or the address of the user
> attempting to auth. Try changing the after authorization line in
> tac_plus.conf to:
>
> after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py
> -i $address -u $user -d $name -l /tmp/do_auth.log -f
> /usr/local/sbin/tacplus/do_auth.ini"
>
> Note that this will create a do_auth specific log in /tmp/do_auth.log but,
> right now - we'll need that for debugging purposes.
>
> Also remember, you'll need to restart tac_plus for this change to take
> effect.
>
> Here is an example tac_plus group that I know to work properly with
> do_auth.py on CatOS, IOS, IOS-XR, NX-OS, EOS and JUNOS:
>
> group = doauthaccess {
> default service = permit
>
> service = exec {
> priv-lvl = 1
> optional idletime = 30
> optional acl = 2
> shell:roles="\"network-operator vdc-operator\""
> }
>
> service = junos-exec {
> bug-fix = "first pair is lost"
> local-user-name = "remote"
> allow-commands = "(.*exit)|(show cli auth.*)"
> deny-commands = ".*"
> allow-configuration = ""
> deny-configuration = ""
> }
> after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i
> $address -u $user -d $name -l /tmp/do_auth.log -f
> /usr/local/sbin/tacplus/do_auth.ini"
> }
>
>
> One more thing... Looking at your do_auth.ini, you seem to have a space
> between the commands and ".*" which should not be there.
>
> For example:
>
> exit .*
>
> ...should be:
>
> exit.*
>
>
> I posted a complete working tac_plus.conf and do_auth.ini along with the
> AAA config I use on devices the other day. Take a look at that post as
> well.
>
>
> --
> John Fraizer
> LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
>
>
>
>
> On Fri, Aug 7, 2015 at 5:16 AM, <Kevin.Cruse at instinet.com> wrote:
>
> I will try upgrading to 4.14.5F and see what happens!
> thanks
>
> wondering if you are familiar with this error in do_auth execution, I
> am permitting exit in do_auth.ini. Seems to be some issue with the do_auth
> script:
>
> Reading config
> Version F4.0.4.28 Initialized 1
> tac_plus server F4.0.4.28 starting
> socket FD 4 AF 2
> uid=0 euid=0 gid=0 egid=0 s=23660848
> connect from router1 [172.28.10.124]
> Start authorization request
> do_author: user='testuser'
> user 'testuser' found
> authorize_cmd: user=testuser, cmd=exit
> cmd exit does not exist, denied by default
> After authorization call: /usr/bin/python
> /usr/local/sbin/tacplus/do_auth.py -u $user -l
> /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
>
>
> substitute: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user
> -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
> Dollar substitution: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u
> testuser -l /var/log/tacacs/do_auth_log.txt -f
> /usr/local/sbin/tacplus/do_auth.ini pid 24672 child exited status 1
> cmd /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user -l
> /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
> returns 1 (unconditional deny)
> authorization query for 'testuser' tty130 from router1 rejected
> connect from router1 [1.1.1.1]
>
>
> do_auth.ini:
>
> [users]
> testuser =
> snm
> [snm]
> command_deny =
> configure .*
> show controllers vip .*
> command_permit =
> show ip .*
> show interface .*
> clear counters .*
> clear qos stat .*
> clear mls qos int .*
> disable .*
> enable .*
> end .*
> exit .*
> logout .*
> ping .*
> set length .*
> show .*
> skip-page-display .*
> write network .*
> write terminal .*
> write memory .*
>
>
> From: John Fraizer <john at op-sec.us>
> To: "Kevin.Cruse at Instinet.com" <Kevin.Cruse at instinet.com>,
> Cc: Daniel Schmidt <daniel.schmidt at wyo.gov>,
> "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
> Date: 08/06/2015 06:54 PM
> Subject: Re: [tac_plus] Cisco Nexus Authorization problem
> ------------------------------
>
>
> I'm not sure when this command became available in EOS but, at least
> in 4.14.5F, you will get what you want with:
>
> aaa authorization commands all default group tacacs+ none
>
>
> --
> John Fraizer
> LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
>
>
>
> On Thu, Aug 6, 2015 at 1:58 PM, <Kevin.Cruse at instinet.com> wrote:
> tried that! arista only takes this command with no arguments:
>
> aaa authorization config-commands
>
> it still didn't work.
>
> fyi - i just tried the same config with a cisco router and it works
> perfectly, running 4.13.11M of EOS.
>
>
>
> From: Daniel Schmidt <daniel.schmidt at wyo.gov>
> To: Kevin.Cruse at instinet.com,
> Cc: Aaron Wasserott <aaron.wasserott at viawest.com>,
> "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
> Date: 08/06/2015 04:09 PM
> Subject: Re: [tac_plus] Cisco Nexus Authorization problem
>
>
>
> This part of the email looks interesting:
>
> But if you
> want them in conf t mode but restrict their commands at that level,
> you
> need to enable something like this:
>
> aaa authorization config-commands default group myTacacsGroup local
>

From Kevin.Cruse at Instinet.com Tue Aug 18 14:39:02 2015
From: Kevin.Cruse at Instinet.com (Kevin.Cruse at Instinet.com)
Date: Tue, 18 Aug 2015 10:39:02 -0400
Subject: [tac_plus] Cisco Nexus Authorization problem
In-Reply-To:
References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B94B85@mbx030-w1-co-6.exch030.domain.local>
Message-ID:

agreed. It makes little sense to discard it from the running config view.

From: John Fraizer
To: "Kevin.Cruse at Instinet.com" ,
Cc: Daniel Schmidt , "tac_plus at shrubbery.net"
Date: 08/17/2015 05:45 PM
Subject: Re: [tac_plus] Cisco Nexus Authorization problem

On Mon, Aug 17, 2015 at 2:03 PM, wrote:

Just fyi - I've configured the command "#aaa authorization config-commands" as well, for some reason it does not show up in configuration.

There is some interesting trivia behind that.
"aaa authorization config-commands" is the "default" behavior. BUT, if someone has issued "no aaa authorization config-commands" on the device (which also does not show up in the config), the behavior changes. You have to issue "aaa authorization config-commands" to re-enable the behavior.

You just have to love those hidden gems!

John

From Kevin.Cruse at Instinet.com Wed Aug 19 15:12:55 2015
From: Kevin.Cruse at Instinet.com (Kevin.Cruse at Instinet.com)
Date: Wed, 19 Aug 2015 11:12:55 -0400
Subject: [tac_plus] Cisco Nexus Authorization problem
In-Reply-To:
References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B94B85@mbx030-w1-co-6.exch030.domain.local>
Message-ID:

John

Are you familiar with the logging options with tacplus? I noticed there is
no 'authentication' log (I was previously using the mavvis version which
had it). Additionally, the accounting log does not have a rolling date,
meaning - I would like the log file name to have the date which changes
daily, i.e. accounting.20150820, accounting.20150821, etc. Is there an
option for this? I also noticed the accounting log does not show 'failed'
logins.
If I try to login to the router with an incorrect password it does not get
logged.

Kevin

From: John Fraizer
To: "Kevin.Cruse at Instinet.com" ,
Cc: Daniel Schmidt , "tac_plus at shrubbery.net"
Date: 08/17/2015 05:45 PM
Subject: Re: [tac_plus] Cisco Nexus Authorization problem

On Mon, Aug 17, 2015 at 2:03 PM, wrote:

Just fyi - I've configured the command "#aaa authorization config-commands" as well, for some reason it does not show up in configuration.

There is some interesting trivia behind that. "aaa authorization config-commands" is the "default" behavior. BUT, if someone has issued "no aaa authorization config-commands" on the device (which also does not show up in the config), the behavior changes. You have to issue "aaa authorization config-commands" to re-enable the behavior.

You just have to love those hidden gems!

John

From john at op-sec.us Wed Aug 19 21:23:34 2015
From: john at op-sec.us (John Fraizer)
Date: Wed, 19 Aug 2015 17:23:34 -0400
Subject: [tac_plus] Cisco Nexus Authorization problem
In-Reply-To:
References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B94B85@mbx030-w1-co-6.exch030.domain.local>
Message-ID:

I'm actually using a modified version of tac_plus internally in our
network. I'm logging to syslog and using logrotate to do rotation.
I'm working on a patch I can release to the public but, I have a lot on my
plate currently and that's on the back burner.

John Fraizer
--Sent from my Android phone. Please excuse any typos.

On Aug 19, 2015 11:12 AM, wrote:
> John
>
> Are you familiar with the logging options with tacplus? I noticed there is
> no 'authentication' log (I was previously using the mavvis version which
> had it). Additionally, the accounting log does not have a rolling date,
> meaning - I would like the log file name to have the date which changes
> daily, i.e. accounting.20150820, accounting.20150821, etc. Is there an
> option for this? I also noticed the accounting log does not show 'failed'
> logins. If I try to login to the router with an incorrect password it does
> not get logged.
>
>
> Kevin
>
>
> From: John Fraizer
> To: "Kevin.Cruse at Instinet.com" ,
> Cc: Daniel Schmidt , "tac_plus at shrubbery.net" <
> tac_plus at shrubbery.net>
> Date: 08/17/2015 05:45 PM
> Subject: Re: [tac_plus] Cisco Nexus Authorization problem
> ------------------------------
>
>
> On Mon, Aug 17, 2015 at 2:03 PM, <Kevin.Cruse at instinet.com> wrote:
>
> Just fyi - I've configured the command "#aaa authorization
> config-commands" as well, for some reason it does not show up in
> configuration.
>
>
> There is some interesting trivia behind that. "aaa authorization
> config-commands" is the "default" behavior. BUT, if someone has issued "no
> aaa authorization config-commands" on the device (which also does not show
> up in the config), the behavior changes. You have to issue "aaa
> authorization config-commands" to re-enable the behavior.
>
> You just have to love those hidden gems!
>
> John

From poonam8 at gmail.com Mon Aug 31 20:49:43 2015
From: poonam8 at gmail.com (Poonam Kumar)
Date: Mon, 31 Aug 2015 15:49:43 -0500
Subject: [tac_plus] TACACS+ Client Support
Message-ID:

Hi

I am totally a newbie to tacacs. I am searching for a Tacacs+ client. I was
looking into the Gentoo portage and it uses your daemon. Does your code
just support the daemon (server)? If it does support the client as well,
are there any steps or a user guide on how to set it up?

Thanks
Poonam
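Returning to the Cisco Nexus / Arista authorization thread above: the "exit .*" versus "exit.*" problem and the "cmd exit does not exist, denied by default" log line both come down to how the command patterns in do_auth.ini are matched as regular expressions. The Python below is an added example, not do_auth.py's own code and not part of any message on this page, that models that evaluation so the effect can be reproduced offline. It assumes (as the comments state) that patterns are applied with re.match, anchored at the start of the command string, and that command_deny is consulted before command_permit; the two ini fragments are constructed for the example and mirror the lists quoted in the thread.

```python
"""Model of how a do_auth-style command list is evaluated.

Added example, not do_auth.py's own code. Assumptions not stated on the
page: patterns are applied with re.match (anchored at the start of the
command string only) and the command_deny list is consulted before
command_permit. Anything matched by neither list is denied, which is the
"denied by default" outcome seen in the thread's tac_plus log.
"""
import configparser
import re

# Constructed do_auth.ini fragments modelled on the ones quoted in the
# thread. BROKEN_INI keeps the space before ".*"; FIXED_INI removes it.
BROKEN_INI = """\
[snm]
command_deny =
    configure .*
    show controllers vip .*
command_permit =
    show ip .*
    exit .*
    enable .*
    show .*
"""

FIXED_INI = """\
[snm]
command_deny =
    configure.*
    show controllers vip.*
command_permit =
    show ip.*
    exit.*
    enable.*
    show.*
"""


def load_command_lists(ini_text, group):
    """Return (deny_patterns, permit_patterns) for one [group] section.

    The ini layout is one pattern per indented line; configparser joins
    those continuation lines with newlines, so split and drop blanks.
    """
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)

    def patterns(key):
        raw = cp.get(group, key, fallback="")
        return [line.strip() for line in raw.splitlines() if line.strip()]

    return patterns("command_deny"), patterns("command_permit")


def authorize_command(command, deny, permit):
    """Return (decision, reason) for one command string.

    Deny patterns win over permit patterns (assumption, see module
    docstring), so "show controllers vip 1" is denied even though it
    would also match the permit pattern "show.*".
    """
    for pat in deny:
        if re.match(pat, command):
            return "deny", f"matched deny pattern {pat!r}"
    for pat in permit:
        if re.match(pat, command):
            return "permit", f"matched permit pattern {pat!r}"
    return "deny", "no pattern matched (denied by default)"


def evaluate(ini_text, group, commands):
    """Map each command to its decision under the given ini text."""
    deny, permit = load_command_lists(ini_text, group)
    return {cmd: authorize_command(cmd, deny, permit)[0] for cmd in commands}


if __name__ == "__main__":
    # "exit" is exactly what the router sends: "exit .*" needs a trailing
    # space to match, "exit.*" does not.
    cmds = ["exit", "show ip route", "show controllers vip 1", "configure terminal"]
    for label, ini in (("broken", BROKEN_INI), ("fixed", FIXED_INI)):
        print(label, evaluate(ini, "snm", cmds))
```

Because re.match anchors only at the start, a pattern such as "show.*" also matches anything that merely begins with "show"; the page's own lists rely on that prefix behaviour, so keep the more specific deny entries ahead of broad permit entries rather than expecting the permit list to be exact.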
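Also for that thread: John's diagnosis of the Arista device rests on the packet types in the tac_plus debug dump, where the Cisco router sends "configure terminal" as an AUTHOR request (type 2) and the Arista device sends it only as an ACCT record (type 3), so the after-authorization callout never runs. The Python below is an added example, not tac_plus or do_auth code, that reads the debug output format shown in the quoted dumps ("connect from HOST [IP]", "Read ACCT size=...", "Read AUTHOR size=...", "cmd=...", "cmd-arg=...", "End packet") and lists devices that account for commands but never send an authorization request. The sample log is constructed for the example and modelled on the Cisco and Arista dumps above.

```python
"""Find devices that account for commands but never authorize them.

Added example, not part of tac_plus or do_auth. It parses the tac_plus
debug output format quoted in the thread and reports, per device, the
commands seen in AUTHOR requests versus those seen only in ACCT records.
A device with command accounting but zero AUTHOR requests is not
configured for command authorization, which is the symptom diagnosed in
the thread.
"""
import re
from collections import defaultdict

CONNECT_RE = re.compile(r"^connect from (\S+) \[([\d.]+)\]")
READ_RE = re.compile(r"^Read (ACCT|AUTHOR) size=\d+")
CMD_RE = re.compile(r"^cmd=(.*)$")
CMD_ARG_RE = re.compile(r"^cmd-arg=(.*)$")

# Constructed sample of tac_plus debug output, reduced to the lines this
# parser needs and modelled on the Cisco and Arista dumps in the thread.
SAMPLE_LOG = """\
connect from test.router.com [10.11.128.30]
Read ACCT size=137
cmd=enable
End packet
test.router.com: disconnect
connect from test.router.com [10.11.128.30]
Read AUTHOR size=104
cmd=configure
cmd-arg=terminal
cmd-arg=
End packet
Writing AUTHOR/FAIL size=18
test.router.com: disconnect
connect from Aristalab-1.router.com [10.15.10.18]
Read ACCT size=119
cmd=enable
End packet
Aristalab-1.router.com: disconnect
connect from Aristalab-1.router.com [10.15.10.18]
Read ACCT size=132
cmd=configure terminal
End packet
Aristalab-1.router.com: disconnect
"""


def summarize_sessions(log_text):
    """Return {host: {"author": [commands], "acct": [commands]}}.

    AUTHOR requests carry the command as "cmd=" plus one "cmd-arg=" per
    word; ACCT records carry the whole command in a single "cmd=" line.
    Both forms are joined into one string so they can be compared.
    """
    per_host = defaultdict(lambda: {"author": [], "acct": []})
    host = ptype = None
    pending = None  # words of the command currently being assembled
    for line in log_text.splitlines():
        line = line.strip()
        m = CONNECT_RE.match(line)
        if m:
            host, ptype, pending = m.group(1), None, None
            continue
        m = READ_RE.match(line)
        if m:
            ptype = "author" if m.group(1) == "AUTHOR" else "acct"
            pending = None
            continue
        m = CMD_RE.match(line)
        if m:
            pending = [m.group(1)]
            continue
        m = CMD_ARG_RE.match(line)
        if m and pending is not None and m.group(1):
            pending.append(m.group(1))
            continue
        # Reply packets have no cmd= line, so pending is None for them.
        if line == "End packet" and host and ptype and pending is not None:
            per_host[host][ptype].append(" ".join(pending))
            pending = None
    return dict(per_host)


def devices_without_command_authorization(log_text):
    """Hosts that produced command accounting but no AUTHOR requests."""
    summary = summarize_sessions(log_text)
    return sorted(h for h, s in summary.items() if s["acct"] and not s["author"])


if __name__ == "__main__":
    for host, seen in summarize_sessions(SAMPLE_LOG).items():
        print(host, "AUTHOR:", seen["author"], "ACCT:", seen["acct"])
    print("no command authorization:", devices_without_command_authorization(SAMPLE_LOG))
```

Run it against a tac_plus debug capture (the format the thread pasted) rather than the accounting file: the accounting log only ever sees the ACCT side, so it cannot tell you which devices skipped authorization.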