[tac_plus] Cisco Nexus Authorization problem
John Fraizer
john at op-sec.us
Thu Aug 6 21:45:30 UTC 2015
If you provide the logs from do_auth and tac_plus, it will help us help
you. ;-) Your config for do_auth is broken though. You have to use
default service = permit with do_auth.py.
This is going to be a LONG email, but it contains working example AAA
configs for CatOS, IOS, IOS-XR, NX-OS, Arista EOS and Juniper JUNOS. These
are the actual configs I'm using on our network. In addition, I've included
working examples for tac_plus.conf and do_auth.ini that will work with
these AAA configs.
Here is the config I use for Arista EOS:
tacacs-server key 7 <redacted>
tacacs-server host x.x.x.A
tacacs-server host x.x.x.B
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands all default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting commands all default stop-only group tacacs+
!
For CatOS:
#tacacs+
set tacacs server x.x.x.B
set tacacs server x.x.x.A primary
set tacacs directedrequest enable
set tacacs key <redacted>
!
#authentication
set authentication login tacacs enable telnet primary
set authentication enable tacacs enable telnet primary
!
#accounting
set accounting exec enable stop-only tacacs+
set accounting connect enable stop-only tacacs+
set accounting system enable stop-only tacacs+
set accounting commands enable all stop-only tacacs+
!
!
#authorization
set authorization exec enable tacacs+ if-authenticated telnet
set authorization commands enable all tacacs+ if-authenticated telnet
For IOS:
aaa new-model
!
!
aaa authentication username-prompt "Local Username: "
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
aaa session-id common
!
tacacs-server host x.x.x.A
tacacs-server host x.x.x.B
tacacs-server directed-request
tacacs-server key 7 <redacted>
!
For IOS-XR:
tacacs source-interface Loopback0 vrf default
tacacs-server host x.x.x.A port 49
!
tacacs-server host x.x.x.B port 49
!
tacacs-server key 7 <redacted>
!
aaa accounting exec default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting commands default start-stop group tacacs+
aaa authorization exec default group tacacs+ local
aaa authorization commands default group tacacs+ none
aaa authentication login default group tacacs+ local
For NX-OS:
ip tacacs source-interface loopback0
tacacs-server host x.x.x.A key 7 <redacted>
tacacs-server host x.x.x.B key 7 <redacted>
aaa group server tacacs+ AAA-SERVERS
server x.x.x.A
server x.x.x.B
aaa authentication login default group AAA-SERVERS
aaa authorization config-commands default group AAA-SERVERS local
aaa authorization commands default group AAA-SERVERS local
aaa accounting default group AAA-SERVERS
aaa authentication login error-enable
aaa authentication login ascii-authentication
For JUNOS:
set system authentication-order tacplus
set system authentication-order password
set system tacplus-server x.x.x.A secret <redacted>
set system tacplus-server x.x.x.A source-address a.b.c.d
set system tacplus-server x.x.x.B secret <redacted>
set system tacplus-server x.x.x.B source-address a.b.c.d
set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting destination tacplus
set system login user remote full-name "Local template for TACACS+ authentication"
set system login user remote uid 9999
set system login user remote class super-user
And here is a working example for tac_plus version F4.0.4.28 with
do_auth.py (latest 1.x version from GitHub)...
And tac_plus.conf:
#
# This is tac_plus.conf
#
key = "redacted"
logging = local7
accounting syslog
default authentication = file /etc/passwd
group = doauthaccess {
    default service = permit
    service = exec {
        priv-lvl = 1
        optional idletime = 30
        optional acl = 2
        shell:roles="\"network-operator vdc-operator\""
    }
    service = junos-exec {
        bug-fix = "first pair is lost"
        local-user-name = "remote"
        allow-commands = "(.*exit)|(show cli auth.*)"
        deny-commands = ".*"
        allow-configuration = ""
        deny-configuration = ""
    }
    after authorization "/usr/bin/python /opt/sbin/do_auth.py -i $address -u $user -d $name -l /opt/log/do_auth.log -f /opt/etc/tacacs/do_auth.ini"
}
#
# Default user - Used when no user specific stanza exists in tac_plus.conf.
#
user = DEFAULT {
    member = doauthaccess
    login = PAM
}
user = $enable$ {
    login = des <redacted>
}
#
# End of tac_plus.conf
#
And for do_auth.ini:
#
# This is do_auth.ini
#
[users]
## Any user who is not a member of another group inherits
## the privs of the no_authority group.
default =
    no_authority
joeblow =
    no_aaa_commands
##############################
##                          ##
##      Default Group       ##
## Undefined users receive  ##
## this group by default    ##
##                          ##
##############################
[no_authority]
host_deny =
host_allow =
    .*
device_deny =
device_permit =
    .*
command_deny =
command_permit =
    exit.*
av_pairs =
    priv-lvl=1
    shell:roles="network-operator vdc-operator"
    local-user-name = remote
    allow-commands = (.*exit)|(show cli auth.*)
    deny-commands = .*
    allow-configuration =
    deny-configuration =
[no_aaa_commands]
host_deny =
host_allow =
    .*
device_deny =
device_permit =
    .*
command_deny =
    aaa.*
    no aaa.*
command_permit =
    .*
av_pairs =
    priv-lvl=15
    shell:roles="network-admin vdc-admin"
    local-user-name = remote
    allow-commands = .*
    deny-commands =
    allow-configuration = .*
    deny-configuration = (.*system .*accounting.*)|(.*system login.*)|(.*system .*tacplus-options.*)|(.*system .*tacplus-server.*)
#
# End of do_auth.ini
#
These are literally copy/pasted from my operational configs with very
little redaction. This config works with our very large fleet of CatOS,
IOS, IOS-XR, NX-OS, EOS and JUNOS devices.
If this doesn't get you going, give up... 'cause there's no hope. ;-)
--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
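As an added illustration, not part of John's post and not do_auth's own code: a small Python model of the evaluation order that a do_auth.ini expresses (deny lists checked before permit lists, per host, device and command), run against a constructed cut-down version of the ini above. Walking the user's groups in order, falling back to the "default" user, and anchoring patterns with re.match are assumptions about do_auth's behaviour.

```python
import configparser
import re
# Constructed cut-down do_auth.ini, indented so configparser reads continuation lines as one value.
DO_AUTH_INI = """
[users]
default =
    no_authority
joeblow =
    no_aaa_commands
[no_authority]
host_allow = .*
device_permit = .*
command_permit =
    exit.*
av_pairs =
    priv-lvl=1
[no_aaa_commands]
host_allow = .*
device_permit = .*
command_deny =
    aaa.*
    no aaa.*
command_permit =
    .*
av_pairs =
    priv-lvl=15
"""

def patterns(cfg, section, option):
    # Non-empty lines of a (possibly multi-line) option; [] if it is absent.
    if not cfg.has_option(section, option):
        return []
    return [p for p in cfg.get(section, option).splitlines() if p.strip()]

def passes(cfg, group, deny, permit, value):
    # A deny hit wins outright; otherwise a permit hit is required (re.match assumed).
    hit = lambda option: any(re.match(p, value) for p in patterns(cfg, group, option))
    return not hit(deny) and hit(permit)

def authorize(ini_text, user, address, device, command):
    # First group (default group for unknown users) passing all three checks wins.
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    groups = patterns(cfg, "users", user) or patterns(cfg, "users", "default")
    for g in groups:
        if (passes(cfg, g, "host_deny", "host_allow", address)
                and passes(cfg, g, "device_deny", "device_permit", device)
                and passes(cfg, g, "command_deny", "command_permit", command)):
            return True, patterns(cfg, g, "av_pairs")
    return False, []
```

Because the no_authority group has no command_deny list, the only thing keeping an unknown user from running commands is the narrow command_permit list, which is why default service = permit in tac_plus.conf is safe only when do_auth.ini is this restrictive.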
On Thu, Aug 6, 2015 at 9:10 AM, <Kevin.Cruse at instinet.com> wrote:
> Hey Aaron,
>
> Sorry to keep bothering you - I am pulling my hair out trying to get this
> working!! I scrapped the mavvis version and installed the native version of
> tac_plus (tac_plus version F4.0.4.28) and authorization seems to fail for
> devices, here is my config. Do you see something amiss? I also tried
> getting 'do_auth' to work but that doesn't work either.
>
> Arista1#sh run | i aaa
> aaa group server tacacs+ CiscoACS
> aaa authentication login default group CiscoACS local
> aaa authorization exec default group CiscoACS none
> aaa authorization commands 0-14 default group CiscoACS local
> aaa authorization commands 15 default group CiscoACS none
> aaa accounting exec default start-stop group CiscoACS
> aaa accounting commands all default start-stop group CiscoACS
> no aaa root
> Arista1#
>
>
> group = snm {
>     default service = deny
>     default
>     service = exec {
>         priv-lvl = 15
>     }
>     cmd = show {
>         permit ip
>         permit interface
>     }
>     cmd = configure {
>         deny .*
>     }
>     cmd = clear {
>         permit "counters"
>         permit "qos stat"
>         permit "mls qos int"
>     }
>     cmd = disable {
>         permit .*
>     }
>     cmd = enable {
>         permit .*
>     }
>     cmd = end {
>         permit .*
>     }
>     cmd = exit {
>         permit .*
>     }
>     cmd = logout {
>         permit .*
>     }
>     cmd = ping {
>         permit .*
>     }
>     cmd = set {
>         permit "length 0"
>     }
>     cmd = show {
>         deny "controllers vip"
>         permit .*
>     }
>     cmd = skip-page-display {
>         permit .*
>     }
>     cmd = terminal {
>         permit "length 0"
>     }
>     cmd = write {
>         permit "network"
>         permit "terminal"
>         permit "memory"
>     }
> }
>
>
>
> user = testuser {
> login = PAM
> member = snm
> }
>
>
> !!! router allows commands which should be denied !!
>
>
> Arista1 login: testuser
> Password:
> Last login: Thu Aug 6 16:12:19 on ttyS0
> Arista1>en
> Password:
> Arista1#configure terminal <-------- Should be denied
> Arista1(config)#interface ethernet 10 <----------- Should be denied
> Arista1(config-if-Et10)#shut <----------- Should be denied
> Arista1(config-if-Et10)#no shut <----------- Should be denied
> Arista1(config-if-Et10)#end
> Arista1#
>
>
>
> !!! SAME EXAMPLE WITH DO_AUTH
>
>
>
> group = snm {
>     default service = deny
>     default
>     service = exec {
>         priv-lvl = 15
>     }
>     cmd = show {
>         permit ip
>         permit interface
>     }
>     cmd = configure {
>         deny .*
>     }
>     cmd = clear {
>         permit "counters"
>         permit "qos stat"
>         permit "mls qos int"
>     }
>     cmd = disable {
>         permit .*
>     }
>     cmd = enable {
>         permit .*
>     }
>     cmd = end {
>         permit .*
>     }
>     cmd = exit {
>         permit .*
>     }
>     cmd = logout {
>         permit .*
>     }
>     cmd = ping {
>         permit .*
>     }
>     cmd = set {
>         permit "length 0"
>     }
>     cmd = show {
>         deny "controllers vip"
>         permit .*
>     }
>     cmd = skip-page-display {
>         permit .*
>     }
>     cmd = terminal {
>         permit "length 0"
>     }
>     cmd = write {
>         permit "network"
>         permit "terminal"
>         permit "memory"
>     }
>     after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.pyc -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini"
> }
>
> Arista1 login: testuser
> Password:
> Last login: Thu Aug 6 16:14:44 on ttyS0
> Arista1>en
> Password:
> Arista1#configure terminal <-------- Should be denied
> Arista1(config)#interface ethernet 10 <-------- Should be denied
> Arista1(config-if-Et10)#shut <-------- Should be denied
> Arista1(config-if-Et10)#no shut
> Arista1(config-if-Et10)#end
> Arista1#
>
>
> !! When i run the debug to do_auth it just hangs at prompt, meaning it does
> not run then hand back the prompt:
>
> tac01 tacplus $ sudo /usr/bin/python2 /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini -D
>
> This is what I would expect:
>
> tac01 tacplus $ sudo /usr/bin/python2 /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini -D
> tac01 tacplus $
>
>
> !! do_auth.ini
>
> tac01 tacplus $ cat do_auth.ini
> [users]
> kcruse =
>     snm
> [snm]
> command_deny =
>     configure .*
>     terminal .*
>     interface .*
>     shutdown .*
> command_permit =
>     show.*
> hcvmtac01 tacplus $
>