[tac_plus] Cisco Nexus Authorization problem
Daniel Schmidt
daniel.schmidt at wyo.gov
Thu Aug 6 20:09:53 UTC 2015
This part of the email looks interesting:
But if you
want them in conf t mode but restrict their commands at that level, you
need to enable something like this:
aaa authorization config-commands default group myTacacsGroup local
On Thu, Aug 6, 2015 at 10:10 AM, <Kevin.Cruse at instinet.com> wrote:
> Hey Aaron,
>
> Sorry to keep bothering you - I am pulling my hair out trying to get this
> working!! I scrapped the mavvis version and installed the native version of
> tac_plus (tac_plus version F4.0.4.28) and authorization seems to fail for
> devices, here is my config. Do you see something amiss? I also tried
> getting 'do_auth' to work but that doesn't work either.
>
> Arista1#sh run | i aaa
> aaa group server tacacs+ CiscoACS
> aaa authentication login default group CiscoACS local
> aaa authorization exec default group CiscoACS none
> aaa authorization commands 0-14 default group CiscoACS local
> aaa authorization commands 15 default group CiscoACS none
> aaa accounting exec default start-stop group CiscoACS
> aaa accounting commands all default start-stop group CiscoACS
> no aaa root
> Arista1#
>
>
> group = snm {
>     default service = deny
>     default
>     service = exec {
>         priv-lvl = 15
>     }
>     cmd = show {
>         permit ip
>         permit interface
>     }
>     cmd = configure {
>         deny .*
>     }
>     cmd = clear {
>         permit "counters"
>         permit "qos stat"
>         permit "mls qos int"
>     }
>     cmd = disable {
>         permit .*
>     }
>     cmd = enable {
>         permit .*
>     }
>     cmd = end {
>         permit .*
>     }
>     cmd = exit {
>         permit .*
>     }
>     cmd = logout {
>         permit .*
>     }
>     cmd = ping {
>         permit .*
>     }
>     cmd = set {
>         permit "length 0"
>     }
>     cmd = show {
>         deny "controllers vip"
>         permit .*
>     }
>     cmd = skip-page-display {
>         permit .*
>     }
>     cmd = terminal {
>         permit "length 0"
>     }
>     cmd = write {
>         permit "network"
>         permit "terminal"
>         permit "memory"
>     }
> }
>
>
>
> user = testuser {
> login = PAM
> member = snm
> }
>
>
> !!! router allows commands which should be denied !!
>
>
> Arista1 login: testuser
> Password:
> Last login: Thu Aug 6 16:12:19 on ttyS0
> Arista1>en
> Password:
> Arista1#configure terminal <-------- Should be denied
> Arista1(config)#interface ethernet 10 <----------- Should be denied
> Arista1(config-if-Et10)#shut <----------- Should be denied
> Arista1(config-if-Et10)#no shut <----------- Should be denied
> Arista1(config-if-Et10)#end
> Arista1#
>
>
>
> !!! SAME EXAMPLE WITH DO_AUTH
>
>
>
> group = snm {
>     default service = deny
>     default
>     service = exec {
>         priv-lvl = 15
>     }
>     cmd = show {
>         permit ip
>         permit interface
>     }
>     cmd = configure {
>         deny .*
>     }
>     cmd = clear {
>         permit "counters"
>         permit "qos stat"
>         permit "mls qos int"
>     }
>     cmd = disable {
>         permit .*
>     }
>     cmd = enable {
>         permit .*
>     }
>     cmd = end {
>         permit .*
>     }
>     cmd = exit {
>         permit .*
>     }
>     cmd = logout {
>         permit .*
>     }
>     cmd = ping {
>         permit .*
>     }
>     cmd = set {
>         permit "length 0"
>     }
>     cmd = show {
>         deny "controllers vip"
>         permit .*
>     }
>     cmd = skip-page-display {
>         permit .*
>     }
>     cmd = terminal {
>         permit "length 0"
>     }
>     cmd = write {
>         permit "network"
>         permit "terminal"
>         permit "memory"
>     }
>     after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.pyc -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini"
> }
>
>
>
>
>
> Arista1 login: testuser
> Password:
> Last login: Thu Aug 6 16:14:44 on ttyS0
> Arista1>en
> Password:
> Arista1#configure terminal <-------- Should be denied
> Arista1(config)#interface ethernet 10 <-------- Should be denied
> Arista1(config-if-Et10)#shut <-------- Should be denied
> Arista1(config-if-Et10)#no shut
> Arista1(config-if-Et10)#end
> Arista1#
>
>
> !! When I run the debug to do_auth it just hangs at the prompt, meaning it does
> not run and then hand back the prompt:
>
> tac01 tacplus $ sudo /usr/bin/python2 /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini -D
>
> This is what I would expect:
>
> tac01 tacplus $ sudo /usr/bin/python2 /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini -D
> tac01 tacplus $
>
>
> !! do_auth.ini
>
> tac01 tacplus $ cat do_auth.ini
> [users]
> kcruse =
>     snm
> [snm]
> command_deny =
>     configure .*
>     terminal .*
>     interface .*
>     shutdown .*
> command_permit =
>     show.*
> hcvmtac01 tacplus $
>
>
>
> From: Aaron Wasserott <aaron.wasserott at viawest.com>
> To: "Kevin.Cruse at Instinet.com" <Kevin.Cruse at Instinet.com>,
> Cc: "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
> Date: 07/22/2015 03:28 PM
> Subject: RE: [tac_plus] Cisco Nexus Authorization problem
>
>
>
> Kevin,
>
> I just tested this and it works for me. User can run show commands, but not
> enter conf t mode.
>
> Arista DCS-7050S-52-R running code 4.8.3. In production we run do_auth. It
> comes bundled with the latest version of tac_plus and makes tweaking
> authorization a lot easier. It’s more scalable, syntax is cleaner, and it
> has its own authorization logs which are easier to read.
>
> # tac_plus.conf
>
> group = tier1 {
>     default service = permit
>     login = PAM
>     pap = PAM
>     default command = deny
>     cmd = show {permit .*}
>     service = exec {
>         priv-lvl = 15
>     }
>     service = raccess {
>         priv-lvl = 0
>     }
> }
>
> user = first.last {
> member = tier1
> }
>
> # switch AAA commands
> aaa group server tacacs+ TacGroup
> aaa authentication login default group TacGroup local
> aaa authorization exec default group TacGroup none
> aaa authorization commands 15 default group TacGroup none
> aaa accounting exec default start-stop group TacGroup
> aaa accounting commands 15 default start-stop group TacGroup
> no aaa root
>
> -Aaron
>
> From: Kevin.Cruse at Instinet.com [mailto:Kevin.Cruse at Instinet.com]
> Sent: Wednesday, July 22, 2015 12:44 PM
> To: Aaron Wasserott
> Cc: tac_plus at shrubbery.net
> Subject: RE: [tac_plus] Cisco Nexus Authorization problem
>
>
>
> Aaron
>
> Do you have experience with Arista? It seems I am having a similar problem
> with this device. Authentication works fine, but once I log in and send the
> enable password I can run any command I'd like. It's not restricting access
> to my preconfigured commands:
>
>
> Arista1#sh run | i aaa
> aaa group server tacacs+ CiscoACS
> aaa authentication login default group CiscoACS local
> aaa authorization exec default group CiscoACS local
> aaa authorization commands all default group CiscoACS local
> aaa accounting exec default start-stop group CiscoACS
> aaa accounting commands all default start-stop group CiscoACS
> no aaa root
>
> -----
>
> user = testuser {
> login = clear "test123"
> pap = clear "test123"
> member = snm
> }
>
>
> group = snm {
>     default service = deny
>     service = shell {
>         set shell:roles="\"network-admin\""
>         default command = deny
>         default attribute = deny
>         set priv-lvl = 15
>         cmd = configure {deny .*}
>         cmd = clear {
>             permit "counters"
>             permit "qos stat"
>             permit "mls qos int"
>         }
>         cmd = disable {permit .*}
>         cmd = enable {permit .*}
>         cmd = end {permit .*}
>         cmd = exit {permit .*}
>         cmd = logout {permit .*}
>         cmd = ping {permit .*}
>         cmd = set {
>             permit "length 0"
>         }
>         cmd = show {
>             deny "controllers vip"
>             permit .*
>         }
>         cmd = skip-page-display {permit .*}
>         cmd = terminal {
>             permit "length 0"
>         }
>         cmd = write {
>             permit "network"
>             permit "terminal"
>             permit "memory"
>         }
>     }
> }
>
> ----
>
>
> Arista1 login: testuser
> Password:
> Last login: Wed Jul 22 18:49:42 on ttyS0
> Arista1>en
> Password:
> Arista1#conf t <--- This command should be restricted
> Arista1(config)#interface eth 10 <--- This command should be restricted
> Arista1(config-if-Et10)#shut <--- This command should be restricted
> Arista1(config-if-Et10)#end
> Arista1#exit
>
>
>
> From: Aaron Wasserott <aaron.wasserott at viawest.com>
> To: "Kevin.Cruse at Instinet.com" <Kevin.Cruse at Instinet.com>, "
> tac_plus at shrubbery.net" <tac_plus at shrubbery.net>,
> Date: 07/16/2015 09:26 PM
> Subject: RE: [tac_plus] Cisco Nexus Authorization problem
>
>
>
>
> Try changing "service = shell" to "service = exec" and see if that works. I
> have NX-OS working fine using that. Also, I have never seen the shell
> service used in real-world examples for network devices. But reading the
> manpage it appears it should work to prevent them from entering
> configuration mode, as long as your AAA commands are set right.
>
> service=shell
> for exec startup, and also for command authorizations.
> Requires: aaa authorization exec tacacs+
>
> Whether authorization happens, and at which prompt level, depends on the
> aaa authorization settings. It's possible to only restrict exec level
> commands, and prevent them from entering the 'conf t' command. But if you
> want them in conf t mode but restrict their commands at that level, you
> need to enable something like this:
>
> aaa authorization config-commands default group myTacacsGroup local
>
> If changing the service doesn't work, include the AAA commands on your
> NX-OS switches.
>
> -----Original Message-----
> From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of
> Kevin.Cruse at Instinet.com
> Sent: Thursday, July 16, 2015 3:40 PM
> To: tac_plus at shrubbery.net
> Subject: [tac_plus] Cisco Nexus Authorization problem
>
>
>
> Hello
>
> I have configured tac_plus to work with a Cisco Nexus device. I am able to
> successfully authenticate; however, I am able to run all commands on the
> router. It seems the router is not restricted to the commands specified in
> my group config. Has anyone gotten Cisco Nexus to work properly with
> tac_plus? I need to limit certain users and cannot get this working
> properly. Any help is greatly appreciated!!! Thanks.
>
> Group Config:
>
> group = snm {
>     default service = deny
>     service = shell {
>         set shell:roles="\"network-admin\""
>         default command = deny
>         default attribute = deny
>         set priv-lvl = 15
>         cmd = configure {deny .*}
>         cmd = clear {
>             permit "counters"
>             permit "qos stat"
>             permit "mls qos int"
>         }
>         cmd = disable {permit .*}
>         cmd = enable {permit .*}
>         cmd = end {permit .*}
>         cmd = exit {permit .*}
>         cmd = logout {permit .*}
>         cmd = ping {permit .*}
>         cmd = set {
>             permit "length 0"
>         }
>         cmd = show {
>             deny "controllers vip"
>             permit .*
>         }
>         cmd = skip-page-display {permit .*}
>         cmd = terminal {
>             permit "length 0"
>         }
>         cmd = write {
>             permit "network"
>             permit "terminal"
>             permit "memory"
>         }
>     }
> }
>
>
> user = testuser {
>
> member = snm
> }
>
>
> Session output from router:
>
> telnet labrouter
> Trying labrouter...
> Connected to labrouter.
> Escape character is '^]'.
> User Access Verification
> login: testuser
> Password:
> Cisco Nexus Operating System (NX-OS) Software
> TAC support: http://www.cisco.com/tac
> Copyright (c) 2002-2014, Cisco Systems, Inc. All rights reserved.
> The copyrights to certain works contained in this software are owned by
> other third parties and used and distributed under license. Certain
> components of this software are licensed under the GNU General Public
> License (GPL) version 2.0 or the GNU Lesser General Public License (LGPL)
> Version 2.1. A copy of each such license is available at
> http://www.opensource.org/licenses/gpl-2.0.php and
> http://www.opensource.org/licenses/lgpl-2.1.php
> LABROUTER# configure                                  <--- This should be denied
> Enter configuration commands, one per line. End with CNTL/Z.
> LABROUTER(config)# interface ethernet 1/1 configure   <--- This should be denied
> LABROUTER(config-if)# shut                            <--- This should be denied
> LABROUTER(config-if)# no shut                         <--- This should be denied
> LABROUTER(config-if)# end
> LABROUTER#
>
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus
--
E-Mail to and from me, in connection with the transaction
of public business, is subject to the Wyoming Public Records
Act and may be disclosed to third parties.
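As an added example (not code from tac_plus, do_auth, or anyone in the thread), a small Python model of the two decisions the discussion turns on: which commands the switch submits for TACACS+ command authorization, and what a tac_plus-style first-match permit/deny list answers for the ones it does submit. It assumes the behaviour Aaron describes, that commands typed inside config mode are authorized only once `aaa authorization config-commands` is configured, plus a generic IOS-style reading of a method list ending in `none`; the AAA lines and the session are constructed from Kevin's posts.

```python
"""Added example, not code from tac_plus or from anyone in the thread: a model of
the two decisions the discussion turns on: which commands the switch submits for
TACACS+ command authorization, and what a tac_plus-style ordered permit/deny
list answers for those it does submit.  The switch side follows Aaron's
explanation (config-mode commands are authorized only once 'aaa authorization
config-commands' is configured) and is an assumption, not a vendor reference."""
import re

# tac_plus-style policy from the thread's 'snm' group, trimmed to the commands in
# the session: first matching regex wins, no match at all -> default deny.
POLICY = {
    "configure": [("deny", r".*")],
    "end": [("permit", r".*")],
    "show": [("deny", r"controllers vip"), ("permit", r".*")],
}   # 'interface' and 'shutdown' have no cmd block -> 'default command = deny'

def tacplus_decision(command):
    """First word selects the cmd block; the rest is matched, unanchored like
    egrep, against that block's regexes in order."""
    words = command.split()
    rules = POLICY.get(words[0], []) if words else []
    args = " ".join(words[1:])
    for verdict, pattern in rules:
        if re.search(pattern, args):
            return verdict
    return "deny"

def covers_level(spec, priv):
    """'all', '15' or '0-14', as written in 'aaa authorization commands <spec>'."""
    if spec == "all":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= priv <= int(hi or lo)

def parse_aaa(running_config, priv=15):
    """From 'sh run | i aaa': are exec-mode commands at this privilege level sent
    for authorization, are config-mode commands, and which lists end in 'none'
    (IOS-style: the command goes through if the TACACS+ server does not answer)."""
    facts = {"exec_authz": False, "config_authz": False, "open_fallback": []}
    for line in (l.strip() for l in running_config.splitlines()):
        m = re.match(r"aaa authorization commands (\S+) default (.+)", line)
        if m and covers_level(m.group(1), priv):
            facts["exec_authz"] = True
        if m and m.group(2).split()[-1] == "none":
            facts["open_fallback"].append(m.group(1))
        if line.startswith("aaa authorization config-commands"):
            facts["config_authz"] = True
    return facts

# Constructed from the Arista session in the thread: (prompt mode, command).
SESSION = [("exec", "configure terminal"), ("config", "interface ethernet 10"),
           ("config", "shutdown"), ("config", "end")]

def simulate(running_config):
    """Per command: 'not sent' when the switch never asks tac_plus, else its answer."""
    facts = parse_aaa(running_config)
    return [(cmd, tacplus_decision(cmd) if
             (facts["exec_authz"] if mode == "exec" else facts["config_authz"])
             else "not sent") for mode, cmd in SESSION]

KEVIN_AAA = """aaa authorization commands 0-14 default group CiscoACS local
aaa authorization commands 15 default group CiscoACS none"""
WITH_CONFIG_AUTHZ = KEVIN_AAA + "\naaa authorization config-commands default group CiscoACS local"
```

With the AAA lines as posted, `simulate(KEVIN_AAA)` reports `configure terminal` as denied and every command after it as never sent, which is why a deny for `interface` or `shutdown` in tac_plus or do_auth.ini cannot take effect inside config mode; `parse_aaa` also flags the priv-15 list whose last method is `none`.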