[tac_plus] Cisco Nexus Authorization problem

Kevin.Cruse at Instinet.com Kevin.Cruse at Instinet.com
Thu Aug 6 20:58:32 UTC 2015


Tried that! Arista only takes this command with no arguments:

aaa authorization config-commands

It still didn't work.

FYI - I just tried the same config with a Cisco router and it works perfectly;
running 4.13.11M of EOS.



From:	Daniel Schmidt <daniel.schmidt at wyo.gov>
To:	Kevin.Cruse at instinet.com,
Cc:	Aaron Wasserott <aaron.wasserott at viawest.com>,
            "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
Date:	08/06/2015 04:09 PM
Subject:	Re: [tac_plus] Cisco Nexus Authorization problem



This part of the email looks interesting:

But if you
want them in conf t mode but restrict their commands at that level, you
need to enable something like this:

aaa authorization config-commands default group myTacacsGroup local

On Thu, Aug 6, 2015 at 10:10 AM, <Kevin.Cruse at instinet.com> wrote:
  Hey Aaron,

  Sorry to keep bothering you - I am pulling my hair out trying to get this
  working!! I scrapped the MAVIS version and installed the native version of
  tac_plus (tac_plus version F4.0.4.28), and authorization seems to fail for
  devices. Here is my config. Do you see something amiss? I also tried
  getting 'do_auth' to work but that doesn't work either.

  Arista1#sh run | i aaa
  aaa group server tacacs+ CiscoACS
  aaa authentication login default group CiscoACS local
  aaa authorization exec default group CiscoACS none
  aaa authorization commands 0-14 default group CiscoACS local
  aaa authorization commands 15 default group CiscoACS none
  aaa accounting exec default start-stop group CiscoACS
  aaa accounting commands all default start-stop group CiscoACS
  no aaa root
  Arista1#


   group = snm {
           default service = deny
           service = exec {
                   priv-lvl = 15
           }
           cmd = show {
                   permit ip
                   permit interface
           }
           cmd = configure {
                   deny .*
           }
           cmd = clear {
                   permit "counters"
                   permit "qos stat"
                   permit "mls qos int"
           }
           cmd = disable {
                   permit .*
           }
           cmd = enable {
                   permit .*
           }
           cmd = end {
                   permit .*
           }
           cmd = exit {
                   permit .*
           }
           cmd = logout {
                   permit .*
           }
           cmd = ping {
                   permit .*
           }
           cmd = set {
                   permit "length 0"
           }
           cmd = show {
                   deny "controllers vip"
                   permit .*
           }
           cmd = skip-page-display {
                   permit .*
           }
           cmd = terminal {
                   permit "length 0"
           }
           cmd = write {
                   permit "network"
                   permit "terminal"
                   permit "memory"
           }
   }



  user = testuser {
          login = PAM
          member = snm
  }


  !!! router allows commands which should be denied !!


  Arista1 login: testuser
  Password:
  Last login: Thu Aug  6 16:12:19 on ttyS0
  Arista1>en
  Password:
  Arista1#configure terminal <-------- Should be denied
  Arista1(config)#interface ethernet 10 <----------- Should be denied
  Arista1(config-if-Et10)#shut  <----------- Should be denied
  Arista1(config-if-Et10)#no shut  <----------- Should be denied
  Arista1(config-if-Et10)#end
  Arista1#



  !!! SAME EXAMPLE WITH DO_AUTH



  group = snm {
          default service = deny
          service = exec {
                  priv-lvl = 15
          }
          cmd = show {
                  permit ip
                  permit interface
          }
          cmd = configure {
                  deny .*
          }
          cmd = clear {
                  permit "counters"
                  permit "qos stat"
                  permit "mls qos int"
          }
          cmd = disable {
                  permit .*
          }
          cmd = enable {
                  permit .*
          }
          cmd = end {
                  permit .*
          }
          cmd = exit {
                  permit .*
          }
          cmd = logout {
                  permit .*
          }
          cmd = ping {
                  permit .*
          }
          cmd = set {
                  permit "length 0"
          }
          cmd = show {
                  deny "controllers vip"
                  permit .*
          }
          cmd = skip-page-display {
                  permit .*
          }
          cmd = terminal {
                  permit "length 0"
          }
          cmd = write {
                  permit "network"
                  permit "terminal"
                  permit "memory"
          }
          after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.pyc -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini"
  }





  Arista1 login: testuser
  Password:
  Last login: Thu Aug  6 16:14:44 on ttyS0
  Arista1>en
  Password:
  Arista1#configure terminal <-------- Should be denied
  Arista1(config)#interface ethernet 10 <-------- Should be denied
  Arista1(config-if-Et10)#shut <-------- Should be denied
  Arista1(config-if-Et10)#no shut
  Arista1(config-if-Et10)#end
  Arista1#


  !! When I run the debug for do_auth it just hangs at the prompt, meaning it
  does not run and then hand back the prompt:

  tac01 tacplus $ sudo /usr/bin/python2 /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini -D

  This is what I would expect:

  tac01 tacplus $ sudo /usr/bin/python2 /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini -D
  tac01 tacplus $


  !! do_auth.ini

  tac01 tacplus $ cat do_auth.ini
  [users]
  kcruse =
          snm
  [snm]
  command_deny =
      configure .*
      terminal .*
      interface .*
      shutdown .*
  command_permit =
      show.*
  hcvmtac01 tacplus $



  From:   Aaron Wasserott <aaron.wasserott at viawest.com>
  To:     "Kevin.Cruse at Instinet.com" <Kevin.Cruse at Instinet.com>,
  Cc:     "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
  Date:   07/22/2015 03:28 PM
  Subject:        RE: [tac_plus] Cisco Nexus Authorization problem



  Kevin,

  I just tested this and it works for me. The user can run show commands, but
  not enter conf t mode.

  Arista DCS-7050S-52-R running code 4.8.3. In production we run do_auth. It
  comes bundled with the latest version of tac_plus and makes tweaking
  authorization a lot easier. It's more scalable, the syntax is cleaner, and
  it has its own authorization logs which are easier to read.

  # tac_plus.conf

  group = tier1 {
      default service = permit
      login = PAM
      pap = PAM
      default command = deny
      cmd = show {permit .*}
      service = exec {
          priv-lvl = 15
      }
      service = raccess {
          priv-lvl = 0
      }
  }

  user = first.last {
      member = tier1
  }

  # switch AAA commands
  aaa group server tacacs+ TacGroup
  aaa authentication login default group TacGroup local
  aaa authorization exec default group TacGroup none
  aaa authorization commands 15 default group TacGroup none
  aaa accounting exec default start-stop group TacGroup
  aaa accounting commands 15 default start-stop group TacGroup
  no aaa root

  -Aaron

  From: Kevin.Cruse at Instinet.com [mailto:Kevin.Cruse at Instinet.com]
  Sent: Wednesday, July 22, 2015 12:44 PM
  To: Aaron Wasserott
  Cc: tac_plus at shrubbery.net
  Subject: RE: [tac_plus] Cisco Nexus Authorization problem



  Aaron

  Do you have experience with Arista? It seems I am having a similar problem
  with this device. Authentication works fine, but once I log in and send the
  enable password I can run any command I'd like. It's not restricting access
  to my preconfigured commands:


  Arista1#sh run | i aaa
  aaa group server tacacs+ CiscoACS
  aaa authentication login default group CiscoACS local
  aaa authorization exec default group CiscoACS local
  aaa authorization commands all default group CiscoACS local
  aaa accounting exec default start-stop group CiscoACS
  aaa accounting commands all default start-stop group CiscoACS
  no aaa root

  -----

          user = testuser {
                  login = clear "test123"
                  pap = clear "test123"
                  member = snm
          }

          group = snm {
                  default service = deny
                  service = shell {
                          set shell:roles="\"network-admin\""
                          default command = deny
                          default attribute = deny
                          set priv-lvl = 15
                          cmd = configure {deny .*}
                          cmd = clear {
                                  permit "counters"
                                  permit "qos stat"
                                  permit "mls qos int"
                          }
                          cmd = disable {permit .*}
                          cmd = enable {permit .*}
                          cmd = end {permit .*}
                          cmd = exit {permit .*}
                          cmd = logout {permit .*}
                          cmd = ping {permit .*}
                          cmd = set {
                                  permit "length 0"
                          }
                          cmd = show {
                                  deny "controllers vip"
                                  permit .*
                          }
                          cmd = skip-page-display {permit .*}
                          cmd = terminal {
                                  permit "length 0"
                          }
                          cmd = write {
                                  permit "network"
                                  permit "terminal"
                                  permit "memory"
                          }
                  }
          }

  ----


  Arista1 login: testuser
  Password:
  Last login: Wed Jul 22 18:49:42 on ttyS0
  Arista1>en
  Password:
  Arista1#conf t <--- This command should be restricted
  Arista1(config)#interface eth 10 <--- This command should be restricted
  Arista1(config-if-Et10)#shut <--- This command should be restricted
  Arista1(config-if-Et10)#end
  Arista1#exit




  From: Aaron Wasserott <aaron.wasserott at viawest.com>
  To: "Kevin.Cruse at Instinet.com" <Kevin.Cruse at Instinet.com>, "
  tac_plus at shrubbery.net" <tac_plus at shrubbery.net>,
  Date: 07/16/2015 09:26 PM
  Subject: RE: [tac_plus] Cisco Nexus Authorization problem




  Try changing "service = shell" to "service = exec" and see if that works. I
  have NX-OS working fine using that. Also, I have never seen the shell
  service used in real-world examples for network devices. But reading the
  manpage it appears it should work to prevent them from entering
  configuration mode, as long as your AAA commands are set right.

  service=shell
          for exec startup, and also for command authorizations.
          Requires: aaa authorization exec tacacs+

  Whether authorization happens, and at which prompt level, depends on the
  aaa authorization settings. It's possible to only restrict exec level
  commands, and prevent them from entering the 'conf t' command. But if you
  want them in conf t mode but restrict their commands at that level, you
  need to enable something like this:

  aaa authorization config-commands default group myTacacsGroup local

  If changing the service doesn't work, include the AAA commands on your
  NX-OS switches.

  -----Original Message-----
  From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of
  Kevin.Cruse at Instinet.com
  Sent: Thursday, July 16, 2015 3:40 PM
  To: tac_plus at shrubbery.net
  Subject: [tac_plus] Cisco Nexus Authorization problem



  Hello

  I have configured TACPLUS to work with a Cisco Nexus device. I am able to
  successfully authenticate; however, I am able to run all commands on the
  router. It seems the router is not restricted to the commands specified in
  my group config. Has anyone gotten Cisco Nexus to work properly with
  tacplus? I need to limit certain users and cannot get this working
  properly. Any help is greatly appreciated!!! Thanks.

  Group Config:

         group = snm {
                 default service = deny
                 service = shell {
                         set shell:roles="\"network-admin\""
                         default command = deny
                         default attribute = deny
                         set priv-lvl = 15
                         cmd = configure {deny .*}
                         cmd = clear {
                                 permit "counters"
                                 permit "qos stat"
                                 permit "mls qos int"
                         }
                         cmd = disable {permit .*}
                         cmd = enable {permit .*}
                         cmd = end {permit .*}
                         cmd = exit {permit .*}
                         cmd = logout {permit .*}
                         cmd = ping {permit .*}
                         cmd = set {
                                 permit "length 0"
                         }
                         cmd = show {
                                 deny "controllers vip"
                                 permit .*
                         }
                         cmd = skip-page-display {permit .*}
                         cmd = terminal {
                                 permit "length 0"
                         }
                         cmd = write {
                                 permit "network"
                                 permit "terminal"
                                 permit "memory"
                         }
                 }
         }

         user = testuser {
                 member = snm
         }


  Session output from router:

  telnet labrouter
  Trying labrouter...
  Connected to labrouter.
  Escape character is '^]'.
  User Access Verification
  login: testuser
  Password:
  Cisco Nexus Operating System (NX-OS) Software
  TAC support: http://www.cisco.com/tac
  Copyright (c) 2002-2014, Cisco Systems, Inc. All rights reserved.
  The copyrights to certain works contained in this software are owned by
  other third parties and used and distributed under license. Certain
  components of this software are licensed under the GNU General Public
  License (GPL) version 2.0 or the GNU Lesser General Public License (LGPL)
  Version 2.1. A copy of each such license is available at
  http://www.opensource.org/licenses/gpl-2.0.php and
  http://www.opensource.org/licenses/lgpl-2.1.php
  LABROUTER# configure                        <---- This should be denied
  Enter configuration commands, one per line.  End with CNTL/Z.
  LABROUTER(config)# interface ethernet 1/1   <---- This should be denied
  LABROUTER(config-if)# shut                  <---- This should be denied
  LABROUTER(config-if)# no shut               <---- This should be denied
  LABROUTER(config-if)# end
  LABROUTER#

  _______________________________________________
  tac_plus mailing list
  tac_plus at shrubbery.net
  http://www.shrubbery.net/mailman/listinfo/tac_plus
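To separate the two halves of this thread's problem (what the tac_plus server would decide versus whether the switch asks it at all), here is an added example that is not from the thread or the tac_plus project: it encodes the "snm" group's cmd blocks as ordered regex rules, replays the Arista session from the thread against them, and models the exec-only versus config-commands authorization behaviour Aaron describes. The matching semantics (first word selects the cmd block, first matching rule wins, no match denies) and the IOS-style "no request is sent in config mode unless config-commands is enabled" behaviour are assumptions labelled in the code, not a statement about any specific EOS or NX-OS release.

```python
import re

# Constructed from the "snm" group in the thread: each cmd block becomes an
# ordered list of (action, regex) rules. The rules are tried in order against
# the command's argument string and the first match decides.
SNM_RULES = {
    "configure": [("deny", r".*")],
    "show": [("deny", r"controllers vip"), ("permit", r".*")],
    "clear": [("permit", r"counters"), ("permit", r"qos stat"),
              ("permit", r"mls qos int")],
    "set": [("permit", r"length 0")],
    "terminal": [("permit", r"length 0")],
    "write": [("permit", r"network"), ("permit", r"terminal"),
              ("permit", r"memory")],
    "enable": [("permit", r".*")], "disable": [("permit", r".*")],
    "end": [("permit", r".*")], "exit": [("permit", r".*")],
    "logout": [("permit", r".*")], "ping": [("permit", r".*")],
}


def authorize(rules, command, default_command="deny"):
    """Server-side decision for one command line, approximating tac_plus:
    the first word selects the cmd block, the remaining words (joined by a
    space) are searched with each rule's regex in order, first match wins.
    Assumptions: a cmd block that exists but matches nothing denies, and a
    command with no cmd block gets the group's default (deny in 'snm')."""
    words = command.split()
    if not words:
        return default_command
    name, args = words[0], " ".join(words[1:])
    block = rules.get(name)
    if block is None:
        return default_command
    for action, pattern in block:
        if re.search(pattern, args):
            return action
    return "deny"


def device_decision(command, in_config_mode, config_commands_enabled,
                    rules=SNM_RULES):
    """What the logged-in user actually experiences. The server can only
    deny what the device asks about: with 'aaa authorization commands'
    alone, lines typed inside configuration mode run without a request, and
    'aaa authorization config-commands' is what makes the device send them.
    Assumption: models the IOS-style behaviour described in the thread."""
    if in_config_mode and not config_commands_enabled:
        return "permit (no authorization request sent)"
    return authorize(rules, command)


# Constructed replay of the Arista session from the thread; the second field
# is whether the prompt shown there was already in configuration mode.
SESSION = [
    ("configure terminal", False),
    ("interface ethernet 10", True),
    ("shutdown", True),
    ("no shutdown", True),
    ("end", True),
]


def audit(config_commands_enabled, rules=SNM_RULES):
    """Return {command: decision} for the replayed session."""
    return {cmd: device_decision(cmd, in_conf, config_commands_enabled, rules)
            for cmd, in_conf in SESSION}


if __name__ == "__main__":
    for enabled in (False, True):
        print("config-commands authorization enabled:", enabled)
        for cmd, decision in audit(enabled).items():
            print(f"  {cmd:24s} -> {decision}")
```

Under these rules the server denies every line of the session it is asked about, including "configure terminal" at the exec prompt; what the model cannot tell you is whether the switch sent a request at all, which is the question the thread leaves open and which the device's accounting or the tac_plus log would answer.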