[tac_plus] Cisco Nexus Authorization problem

Kevin.Cruse at Instinet.com Kevin.Cruse at Instinet.com
Mon Aug 17 16:21:41 UTC 2015


I am having a strange issue where cisco devices are being authorized by
do_auth properly, however, arista devices are not.  The arista device is
sending command to tacplus but daemont does not send command to do_auth. I
can confirm since there is no update to do_auth log when sending commands
from arista. any ideas?  Everything seems to be working fine except arista,
this is my last hurdle!


CISCO

connect from test.router.com [10.11.128.30]
Waiting for packet
Read ACCT size=137
validation request from test.router.com
PACKET: key=password
version 192 (0xc0), type 3, seq no 1, flags 0x1
session_id 677254324 (0x285e14b4), Data length 125 (0x7d)
End header
ACCT, flags=0x4 method=6 priv_lvl=1
type=1 svc=1
user_len=6 port_len=6 rem_addr_len=14
arg_cnt=6
User:
testuser
port:
tty130
rem_addr:
10.12.144.108
arg[0]: size=13
task_id=41325
arg[1]: size=12
timezone=EDT
arg[2]: size=13
service=shell
arg[3]: size=21
start_time=1439827839
arg[4]: size=10
priv-lvl=0
arg[5]: size=15
cmd=enable <cr>
End packet
Writing ACCT size=17
PACKET: key=password
version 192 (0xc0), type 3, seq no 2, flags 0x1
session_id 677254324 (0x285e14b4), Data length 5 (0x5)
End header
ACCT/REPLY status=1
msg_len=0 data_len=0
msg:
data:
End packet
test.router.com: disconnect


session request from test.router.com sock=5
connect from test.router.com [10.11.128.30]
Waiting for packet
Read AUTHOR size=104
validation request from test.router.com
PACKET: key=password
version 192 (0xc0), type 2, seq no 1, flags 0x1
session_id 4255328848 (0xfda32a50), Data length 92 (0x5c)
End header
type=AUTHOR, priv_lvl=15, authen=1
method=none
svc=0 user_len=6 port_len=6 rem_addr_len=14
arg_cnt=4
User:
testuser
port:
tty130
rem_addr:
10.12.144.108
arg[0]: size=13
service=shell
arg[1]: size=13
cmd=configure
arg[2]: size=16
cmd-arg=terminal
arg[3]: size=12
cmd-arg=<cr>
End packet
Writing AUTHOR/FAIL size=18
PACKET: key=password
version 192 (0xc0), type 2, seq no 2, flags 0x1
session_id 4255328848 (0xfda32a50), Data length 6 (0x6)
End header
type=AUTHOR/REPLY status=16 (AUTHOR/FAIL)
msg_len=0, data_len=0 arg_cnt=0
msg:
data:
End packet
authorization query for 'testuser' tty130 from test.router.com rejected
test.router.com: disconnect


ARISTA

connect from Aristalab-1.router.com [10.15.10.18]
Waiting for packet
Read ACCT size=119
validation request from Aristalab-1.router.com
PACKET: key=password
version 192 (0xc0), type 3, seq no 1, flags 0x1
session_id 1744489531 (0x67facc3b), Data length 107 (0x6b)
End header
ACCT, flags=0x4 method=6 priv_lvl=1
type=1 svc=1
user_len=6 port_len=5 rem_addr_len=0
arg_cnt=6
User:
testuser
port:
ttyS0
rem_addr:
arg[0]: size=10
task_id=22
arg[1]: size=13
service=shell
arg[2]: size=10
priv-lvl=1
arg[3]: size=21
start_time=1439828055
arg[4]: size=12
timezone=UTC
arg[5]: size=15
cmd=enable <cr>
End packet
Writing ACCT size=17
PACKET: key=password
version 192 (0xc0), type 3, seq no 2, flags 0x1
session_id 1744489531 (0x67facc3b), Data length 5 (0x5)
End header
ACCT/REPLY status=1
msg_len=0 data_len=0
msg:
data:
End packet
Aristalab-1.router.com: disconnect


session request from Aristalab-1.router.com sock=5
connect from Aristalab-1.router.com [10.15.10.18]
Waiting for packet
Read ACCT size=132
validation request from Aristalab-1.router.com
PACKET: key=password
version 192 (0xc0), type 3, seq no 1, flags 0x1
session_id 1288212585 (0x4cc89069), Data length 120 (0x78)
End header
ACCT, flags=0x4 method=6 priv_lvl=15
type=1 svc=1
user_len=6 port_len=5 rem_addr_len=0
arg_cnt=6
User:
testuser
port:
ttyS0
rem_addr:
arg[0]: size=10
task_id=23
arg[1]: size=13
service=shell
arg[2]: size=11
priv-lvl=15
arg[3]: size=21
start_time=1439828061
arg[4]: size=12
timezone=UTC
arg[5]: size=27
cmd=configure terminal <cr>
End packet
Writing ACCT size=17
PACKET: key=password
version 192 (0xc0), type 3, seq no 2, flags 0x1
session_id 1288212585 (0x4cc89069), Data length 5 (0x5)
End header
ACCT/REPLY status=1
msg_len=0 data_len=0
msg:
data:
End packet
Aristalab-1.router.com: disconnect


tac_plus.cfg:


 group = snm {
        default service = permit
        service = exec {
        priv-lvl = 15
        }
        after authorization
"/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address
-fix_crs_bug -u $user -d $name -l /var/log/tacacs/do_auth_log.txt
-f /usr/local/sbin/tacplus/do_auth.ini"

 }



do_auth.ini:


[snm]
host_allow =
        .*
device_permit =
        .*
command_deny =
        configure.*
        show controllers vip.*
command_permit =
        show ip.*
        show interface.*
        clear counters.*
        clear qos stat.*
        clear mls qos int.*
        disable.*
        enable.*
        end.*
        exit.*
        logout.*
        ping.*
        set length.*
        show.*
        skip-page-display.*
        write network.*
        write terminal.*
        write memory.*
        terminal length.*







From:	John Fraizer <john at op-sec.us>
To:	"Kevin.Cruse at Instinet.com" <Kevin.Cruse at instinet.com>,
Cc:	Daniel Schmidt <daniel.schmidt at wyo.gov>,
            "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
Date:	08/07/2015 12:54 PM
Subject:	Re: [tac_plus] Cisco Nexus Authorization problem



Here is one problem:

cmd exit does not exist, denied by default

It looks like you've got default service = deny in your tac_plus.conf.  To
use do_auth, you need default service = permit.

Your after auth line doesn't look right either.

/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user
-l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini

You're not giving it the device address or the address of the user
attempting to auth.  Try changing the after authorization line in
tac_plus.conf to:

after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i
$address -u $user -d $name -l /tmp/do_auth.log
-f /usr/local/sbin/tacplus/do_auth.ini"

Note that this will create a do_auth specific log in /tmp/do_auth.log but,
right now - we'll need that for debugging purposes.

Also remember, you'll need to restart tac_plus for this change to take
effect.

Here is an example tac_plus group that I know to work properly with
do_auth.py on CatOS, IOS, IOS-XR, NX-OS, EOS and JUNOS:

group = doauthaccess {
        default service = permit

        service = exec {
                priv-lvl = 1
                optional idletime = 30
                optional acl = 2
                shell:roles="\"network-operator vdc-operator\""
                }

        service = junos-exec {
                bug-fix = "first pair is lost"
                local-user-name = "remote"
                allow-commands = "(.*exit)|(show cli auth.*)"
                deny-commands = ".*"
                allow-configuration = ""
                deny-configuration = ""
                }
after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i
$address -u $user -d $name -l /tmp/do_auth.log
-f /usr/local/sbin/tacplus/do_auth.ini"
}


One more thing... Looking at your do_auth.ini, you seem to have a space
between the commands and ".*" which should not be there.

For example:

exit .*

...should be:

exit.*


I posted a complete working tac_plus.conf and do_auth.ini along with the
AAA config I use on devices the other day.  Take a look at that post as
well.


--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/



On Fri, Aug 7, 2015 at 5:16 AM, <Kevin.Cruse at instinet.com> wrote:
  I will try upgrading to 4.14.5F and see what happens! thanks

  wondering if you are familiar with this error in do_auth execution, I am
  permitting exit in do_auth.ini. seems to be some issue with do_auth
  script:

  Reading config
  Version F4.0.4.28 Initialized 1
  tac_plus server F4.0.4.28 starting
  socket FD 4 AF 2
  uid=0 euid=0 gid=0 egid=0 s=23660848
  connect from router1 [172.28.10.124]
  Start authorization request
  do_author: user='testuser'
  user 'testuser' found
  authorize_cmd: user=testuser, cmd=exit
  cmd exit does not exist, denied by default
  After authorization
  call: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user
  -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
  substitute: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user
  -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
  Dollar substitution: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py
  -u testuser -l /var/log/tacacs/do_auth_log.txt
  -f /usr/local/sbin/tacplus/do_auth.ini
  pid 24672 child exited status 1
  cmd /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user
  -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
  returns 1 (unconditional deny)
  authorization query for 'testuser' tty130 from router1 rejected
  connect from router1 [1.1.1.1]


  do_auth.ini:

  [users]
  testuser =
          snm
  [snm]
  command_deny =
          configure .*
          show controllers vip .*
  command_permit =
          show ip .*
          show interface .*
          clear counters .*
          clear qos stat .*
          clear mls qos int .*
          disable .*
          enable .*
          end .*
          exit .*
          logout .*
          ping .*
          set length .*
          show .*
          skip-page-display .*
          write network .*
          write terminal .*
          write memory .*




  Inactive hide details for John Fraizer ---08/06/2015 06:54:05 PM---I'm
  not sure when this command became available in EOS but, John Fraizer
  ---08/06/2015 06:54:05 PM---I'm not sure when this command became
  available in EOS but, at least in 4.14.5F, you will get what y

  From: John Fraizer <john at op-sec.us>
  To: "Kevin.Cruse at Instinet.com" <Kevin.Cruse at instinet.com>,
  Cc: Daniel Schmidt <daniel.schmidt at wyo.gov>, "tac_plus at shrubbery.net" <
  tac_plus at shrubbery.net>
  Date: 08/06/2015 06:54 PM
  Subject: Re: [tac_plus] Cisco Nexus Authorization problem




  I'm not sure when this command became available in EOS but, at least in
  4.14.5F, you will get what you want with:

  aaa authorization commands all default group tacacs+ none


  --
  John Fraizer
  LinkedIn profile: http://www.linkedin.com/in/johnfraizer/



  On Thu, Aug 6, 2015 at 1:58 PM, <Kevin.Cruse at instinet.com> wrote:
        tried that! arista only takes this command with no arguments:

        aaa authorization config-commands

        it still didn't work.

        fyi - i just tried same config with cisco router and it works
        perfectly,
        running 4.13.11M of EOS.



        From:   Daniel Schmidt <daniel.schmidt at wyo.gov>
        To:     Kevin.Cruse at instinet.com,
        Cc:     Aaron Wasserott <aaron.wasserott at viawest.com>,
                    "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
        Date:   08/06/2015 04:09 PM
        Subject:        Re: [tac_plus] Cisco Nexus Authorization problem



        This part of the email looks interesting:

        But if you
        want them in conf t mode but restrict their commands at that level,
        you
        need to enable something like this:

        aaa authorization config-commands default group myTacacsGroup local



  =========================================================================================================



  <<<< Disclaimer >>>>


  This message is intended solely for use by the named addressee(s). If you
  receive this transmission in error, please immediately notify the sender
  and destroy this message in its entirety, whether in electronic or hard
  copy format. Any unauthorized use (and reliance thereon), copying,
  disclosure, retention, or distribution of this transmission or the
  material in this transmission is forbidden. We reserve the right to
  monitor and archive electronic communications. This material does not
  constitute an offer or solicitation with respect to the purchase or sale
  of any security. It should not be construed to contain any recommendation
  regarding any security or strategy. Any views expressed are those of the
  individual sender, except where the message states otherwise and the
  sender is authorized to state them to be the views of any such entity.
  This communication is provided on an “as is” basis. It contains material
  that is owned by Instinet Incorporated, its subsidiaries or its or their
  licensors, and may not, in whole or in part, be (i) copied, photocopied
  or duplicated in any form, by any means, or (ii) redistributed, posted,
  published, excerpted, or quoted without Instinet Incorporated's prior
  written consent. Please access the following link for important
  information and instructions:
  http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt


  Securities products and services are provided by locally registered
  brokerage subsidiaries of Instinet Incorporated: Instinet Australia Pty
  Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the Australian
  Securities & Investments Commission; Instinet Canada Limited, member
  IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by the
  Securities and Futures Commission of Hong Kong; Instinet Singapore
  Services Private Limited, regulated by the Monetary Authority of
  Singapore, trading member of The Singapore Exchange Securities Trading
  Private Limited and clearing member of The Central Depository (Pte)
  Limited; and Instinet, LLC, member SIPC.




  =========================================================================================================







=========================================================================================================  <<<< Disclaimer >>>>   This message is intended solely for use by the named addressee(s). If you receive this transmission in error, please immediately notify the sender and destroy this message in its entirety, whether in electronic or hard copy format. Any unauthorized use (and reliance thereon), copying, disclosure, retention, or distribution of this transmission or the material in this transmission is forbidden. We reserve the right to monitor and archive electronic communications. This material does not constitute an offer or solicitation with respect to the purchase or sale of any security. It should not be construed to contain any recommendation regarding any security or strategy. Any views expressed are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. This communication is provided on an “as is” basis. It contains material that is owned by Instinet Incorporated, its subsidiaries or its or their licensors, and may not, in whole or in part, be (i) copied, photocopied or duplicated in any form, by any means, or (ii) redistributed, posted, published, excerpted, or quoted without Instinet Incorporated's prior written consent. Please access the following link for important information and instructions:  http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt   Securities products and services are provided by locally registered brokerage subsidiaries of Instinet Incorporated: Instinet Australia Pty Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the Australian Securities & Investments Commission; Instinet Canada Limited, member IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by the Securities and Futures Commission of Hong Kong; Instinet Singapore Services Private Limited, regulated by the Monetary Authority of Singapore, trading member of The Singapore Exchange Securities Trading Private Limited and clearing member of The Central Depository (Pte) Limited; and Instinet, LLC, member SIPC.  

=========================================================================================================  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20150817/9d8fc68f/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: graycol.gif
Type: image/gif
Size: 105 bytes
Desc: not available
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20150817/9d8fc68f/attachment.gif>


More information about the tac_plus mailing list