[tac_plus] Cisco Nexus Authorization problem

Kevin.Cruse at Instinet.com
Fri Aug 7 12:16:18 UTC 2015


I will try upgrading to 4.14.5F and see what happens! Thanks.

Wondering if you are familiar with this error in do_auth execution. I am
permitting exit in do_auth.ini; it seems to be some issue with the do_auth script:

Reading config
Version F4.0.4.28 Initialized 1
tac_plus server F4.0.4.28 starting
socket FD 4 AF 2
uid=0 euid=0 gid=0 egid=0 s=23660848
connect from router1 [172.28.10.124]
Start authorization request
do_author: user='testuser'
user 'testuser' found
authorize_cmd: user=testuser, cmd=exit
cmd exit does not exist, denied by default
After authorization
call: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
substitute: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
Dollar substitution: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u testuser -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
pid 24672 child exited status 1
cmd /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini returns 1 (unconditional deny)
authorization query for 'testuser' tty130 from router1 rejected
connect from router1 [1.1.1.1]


do_auth.ini:

[users]
testuser =
        snm
[snm]
command_deny =
        configure .*
        show controllers vip .*
command_permit =
        show ip .*
        show interface .*
        clear counters .*
        clear qos stat .*
        clear mls qos int .*
        disable .*
        enable .*
        end .*
        exit .*
        logout .*
        ping .*
        set length .*
        show .*
        skip-page-display .*
        write network .*
        write terminal .*
        write memory .*






From:	John Fraizer <john at op-sec.us>
To:	"Kevin.Cruse at Instinet.com" <Kevin.Cruse at instinet.com>,
Cc:	Daniel Schmidt <daniel.schmidt at wyo.gov>,
            "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
Date:	08/06/2015 06:54 PM
Subject:	Re: [tac_plus] Cisco Nexus Authorization problem



I'm not sure when this command became available in EOS but, at least in
4.14.5F, you will get what you want with:

aaa authorization commands all default group tacacs+ none


--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/



On Thu, Aug 6, 2015 at 1:58 PM, <Kevin.Cruse at instinet.com> wrote:
  Tried that! Arista only takes this command with no arguments:

  aaa authorization config-commands

  It still didn't work.

  FYI - I just tried the same config with a Cisco router and it works perfectly,
  running 4.13.11M of EOS.



  From:   Daniel Schmidt <daniel.schmidt at wyo.gov>
  To:     Kevin.Cruse at instinet.com,
  Cc:     Aaron Wasserott <aaron.wasserott at viawest.com>,
              "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
  Date:   08/06/2015 04:09 PM
  Subject:        Re: [tac_plus] Cisco Nexus Authorization problem



  This part of the email looks interesting:

  But if you
  want them in conf t mode but restrict their commands at that level, you
  need to enable something like this:

  aaa authorization config-commands default group myTacacsGroup local

