[tac_plus] Cisco Nexus Authorization problem

John Fraizer john at op-sec.us
Fri Aug 7 16:54:12 UTC 2015


Here is one problem:

cmd exit does not exist, denied by default

It looks like you've got default service = deny in your tac_plus.conf.  To
use do_auth, you need default service = permit.

Your after auth line doesn't look right either.

/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini

You're not giving it the device address or the address of the user
attempting to auth.  Try changing the after authorization line in
tac_plus.conf to:

after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -u $user -d $name -l /tmp/do_auth.log -f /usr/local/sbin/tacplus/do_auth.ini"

Note that this will create a do_auth-specific log in /tmp/do_auth.log, but
right now we'll need that for debugging purposes.

Also remember, you'll need to restart tac_plus for this change to take
effect.

Here is an example tac_plus group that I know to work properly with
do_auth.py on CatOS, IOS, IOS-XR, NX-OS, EOS and JUNOS:

group = doauthaccess {
        default service = permit

        service = exec {
                priv-lvl = 1
                optional idletime = 30
                optional acl = 2
                shell:roles="\"network-operator vdc-operator\""
                }

        service = junos-exec {
                bug-fix = "first pair is lost"
                local-user-name = "remote"
                allow-commands = "(.*exit)|(show cli auth.*)"
                deny-commands = ".*"
                allow-configuration = ""
                deny-configuration = ""
                }

        after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -u $user -d $name -l /tmp/do_auth.log -f /usr/local/sbin/tacplus/do_auth.ini"
}


One more thing... Looking at your do_auth.ini, you seem to have a space
between the commands and ".*" which should not be there.

For example:

exit .*

...should be:

exit.*


I posted a complete working tac_plus.conf and do_auth.ini along with the
AAA config I use on devices the other day.  Take a look at that post as
well.


--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
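As an added illustration of the do_auth.ini point above (this is not code from do_auth.py or from the original post): a small matcher that parses the INI layout shown in the thread and evaluates command_deny before command_permit, which is assumed here to mirror do_auth's order; parse_ini, authorize and the sample INI are constructed for this example.

```python
import re

# Constructed do_auth.ini fragment in the layout from the post; the "exit .*"
# entry carries the stray space that the reply points out.
SAMPLE_INI = """\
[users]
testuser =
        snm
[snm]
command_deny =
        configure .*
        show controllers vip .*
command_permit =
        show .*
        exit .*
"""

def parse_ini(text):
    """Parse the do_auth-style INI: '[section]' headers, 'key =' lines and
    indented continuation lines holding one value (one regex) each."""
    sections, section, key = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, key = line[1:-1], None
            sections[section] = {}
        elif not line[0].isspace() and "=" in line:
            key, _, val = line.partition("=")
            key = key.strip()
            sections[section][key] = [val.strip()] if val.strip() else []
        elif key is not None:
            sections[section][key].append(line.strip())
    return sections

def authorize(user, cmd, cfg):
    """Assumed order (modelled on do_auth, not its code): a deny match wins,
    then a permit match allows, anything unmatched is denied.  re.match is
    anchored at the start only, so 'exit .*' needs a literal space after
    'exit' and never matches the bare command 'exit'."""
    for group in cfg.get("users", {}).get(user, []):
        rules = cfg.get(group, {})
        if any(re.match(p, cmd) for p in rules.get("command_deny", [])):
            return False
        if any(re.match(p, cmd) for p in rules.get("command_permit", [])):
            return True
    return False

FIXED_INI = SAMPLE_INI.replace("exit .*", "exit.*")  # the reply's correction
```

With the sample config, "exit" is denied until the space is removed, while "show controllers vip 1" stays denied even though "show .*" permits it, because the deny list is checked first.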



On Fri, Aug 7, 2015 at 5:16 AM, <Kevin.Cruse at instinet.com> wrote:

> I will try upgrading to 4.14.5F and see what happens! thanks
>
> wondering if you are familiar with this error in do_auth execution, I am
> permitting exit in do_auth.ini. seems to be some issue with do_auth script:
>
> Reading config
> Version F4.0.4.28 Initialized 1
> tac_plus server F4.0.4.28 starting
> socket FD 4 AF 2
> uid=0 euid=0 gid=0 egid=0 s=23660848
> connect from router1 [172.28.10.124]
> Start authorization request
> do_author: user='testuser'
> user 'testuser' found
> authorize_cmd: user=testuser, cmd=exit
> cmd exit does not exist, denied by default
> After authorization call: /usr/bin/python
> /usr/local/sbin/tacplus/do_auth.py -u $user -l
> /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
> substitute: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user
> -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
> Dollar substitution: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py
> -u testuser -l /var/log/tacacs/do_auth_log.txt -f
> /usr/local/sbin/tacplus/do_auth.ini
> pid 24672 child exited status 1
> cmd /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user -l
> /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
> returns 1 (unconditional deny)
> authorization query for 'testuser' tty130 from router1 rejected
> connect from router1 [1.1.1.1]
>
>
> do_auth.ini:
>
> [users]
> testuser =
>         snm
> [snm]
> command_deny =
>         configure .*
>         show controllers vip .*
> command_permit =
>         show ip .*
>         show interface .*
>         clear counters .*
>         clear qos stat .*
>         clear mls qos int .*
>         disable .*
>         enable .*
>         end .*
>         exit .*
>         logout .*
>         ping .*
>         set length .*
>         show .*
>         skip-page-display .*
>         write network .*
>         write terminal .*
>         write memory .*
>
>
>
>
>
> From: John Fraizer <john at op-sec.us>
> To: "Kevin.Cruse at Instinet.com" <Kevin.Cruse at instinet.com>,
> Cc: Daniel Schmidt <daniel.schmidt at wyo.gov>, "tac_plus at shrubbery.net" <
> tac_plus at shrubbery.net>
> Date: 08/06/2015 06:54 PM
> Subject: Re: [tac_plus] Cisco Nexus Authorization problem
> ------------------------------
>
>
>
> I'm not sure when this command became available in EOS but, at least in
> 4.14.5F, you will get what you want with:
>
> aaa authorization commands all default group tacacs+ none
>
>
> --
> John Fraizer
> LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
>
>
>
> On Thu, Aug 6, 2015 at 1:58 PM, <Kevin.Cruse at instinet.com> wrote:
>
>    tried that! arista only takes this command with no arguments:
>
>    aaa authorization config-commands
>
>    it still didn't work.
>
>    fyi - i just tried same config with cisco router and it works
>    perfectly,
>    running 4.13.11M of EOS.
>
>
>
>    From:   Daniel Schmidt <daniel.schmidt at wyo.gov>
>    To:     Kevin.Cruse at instinet.com <Kevin.Cruse at instinet.com>,
>    Cc:     Aaron Wasserott <aaron.wasserott at viawest.com>,
>            "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
>    Date:   08/06/2015 04:09 PM
>    Subject:        Re: [tac_plus] Cisco Nexus Authorization problem
>
>
>
>    This part of the email looks interesting:
>
>    But if you
>    want them in conf t mode but restrict their commands at that level, you
>    need to enable something like this:
>
>    aaa authorization config-commands default group myTacacsGroup local
>
>
>