[tac_plus] Cisco Nexus Authorization problem
Kevin.Cruse at Instinet.com
Kevin.Cruse at Instinet.com
Mon Aug 17 20:52:24 UTC 2015
Yes - we do the same in our production environment. I was working within
lab and had different config. Thanks again for your help.
From: John Fraizer <john at op-sec.us>
To: "Kevin.Cruse at Instinet.com" <Kevin.Cruse at instinet.com>,
Cc: Daniel Schmidt <daniel.schmidt at wyo.gov>,
"tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
Date: 08/17/2015 04:46 PM
Subject: Re: [tac_plus] Cisco Nexus Authorization problem
Ahhh... That makes sense.
As a matter of personal opinion, I always enable exec and command auth on
the console with fallback to "none" on our production equipment. That way,
as long as the TACACS+ infrastructure is available, the policy I set in
do_auth.ini is enforced. If TACACS+ isn't available, we log in as a
defined "local" user and enable manually. It keeps honest people
honest. ;-)
The EOS AAA config I sent you is from my lab which doesn't have console
auth enabled for various reasons. [ I'm on vacation and didn't feel like
jumping through all VPN + 2FA hoops necessary to log into one of the
production EOS devices. ;-) ]
Glad its working for you now and it wasn't a bug!
--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
On Mon, Aug 17, 2015 at 3:14 PM, <Kevin.Cruse at instinet.com> wrote:
I was connecting to console which does not have authorization enabled.
It's working now. Thanks for your help!
Inactive hide details for John Fraizer ---08/17/2015 02:23:34 PM---Kevin,
I'm not using defined tacacs+ groups in our configuraJohn Fraizer
---08/17/2015 02:23:34 PM---Kevin, I'm not using defined tacacs+ groups
in our configuration so, that is a
From: John Fraizer <john at op-sec.us>
To: "Kevin.Cruse at Instinet.com" <Kevin.Cruse at instinet.com>,
Cc: Daniel Schmidt <daniel.schmidt at wyo.gov>, "tac_plus at shrubbery.net" <
tac_plus at shrubbery.net>
Date: 08/17/2015 02:23 PM
Subject: Re: [tac_plus] Cisco Nexus Authorization problem
Kevin,
I'm not using defined tacacs+ groups in our configuration so, that is a
variable that could be triggering a bug in AAA authorization but, your
config is very similar to what we're using:
!
tacacs-server key 7 <redacted>
tacacs-server host x.x.x.a
tacacs-server host x.x.x.b
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands all default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting commands all default stop-only group tacacs+
!
Please note though that based on what you sent in your original email,
your EOS device is not sending AUTH requests for commands. I only see
ACCT records being sent:
Here is the AUTH request coming from your Cisco:
session request from test.router.com sock=5
connect from test.router.com [10.11.128.30]
Waiting for packet
Read AUTHOR size=104
validation request from test.router.com
PACKET: key=password
version 192 (0xc0), type 2, seq no 1, flags 0x1
session_id 4255328848 (0xfda32a50), Data length 92 (0x5c)
End header
type=AUTHOR, priv_lvl=15, authen=1
method=none
svc=0 user_len=6 port_len=6 rem_addr_len=14
arg_cnt=4
User:
testuser
port:
tty130
rem_addr:
10.12.144.108
arg[0]: size=13
service=shell
arg[1]: size=13
cmd=configure
arg[2]: size=16
cmd-arg=terminal
arg[3]: size=12
cmd-arg=<cr>
End packet
Writing AUTHOR/FAIL size=18
PACKET: key=password
version 192 (0xc0), type 2, seq no 2, flags 0x1
session_id 4255328848 (0xfda32a50), Data length 6 (0x6)
End header
type=AUTHOR/REPLY status=16 (AUTHOR/FAIL)
msg_len=0, data_len=0 arg_cnt=0
msg:
data:
End packet
authorization query for 'testuser' tty130 from test.router.com
rejected
test.router.com: disconnect
...vs the ACCT record being sent by the EOS device(s):
session request from Aristalab-1.router.com sock=5
connect from Aristalab-1.router.com [10.15.10.18]
Waiting for packet
Read ACCT size=132
validation request from Aristalab-1.router.com
PACKET: key=password
version 192 (0xc0), type 3, seq no 1, flags 0x1
session_id 1288212585 (0x4cc89069), Data length 120 (0x78)
End header
ACCT, flags=0x4 method=6 priv_lvl=15
type=1 svc=1
user_len=6 port_len=5 rem_addr_len=0
arg_cnt=6
User:
testuser
port:
ttyS0
rem_addr:
arg[0]: size=10
task_id=23
arg[1]: size=13
service=shell
arg[2]: size=11
priv-lvl=15
arg[3]: size=21
start_time=1439828061
arg[4]: size=12
timezone=UTC
arg[5]: size=27
cmd=configure terminal <cr>
End packet
Writing ACCT size=17
PACKET: key=password
version 192 (0xc0), type 3, seq no 2, flags 0x1
session_id 1288212585 (0x4cc89069), Data length 5 (0x5)
End header
ACCT/REPLY status=1
msg_len=0 data_len=0
msg:
data:
End packet
Aristalab-1.router.com: disconnect
So, in effect, where the Cisco device is asking permission to execute the
command, the EOS device is simply informing the TACACS+ server that the
command was executed. It's a matter of ACCOUNT vs AUTHORIZE.
You might want to update your ticket with Arista to include that
information. You may also want to try enumerating your TACACS+ servers
the way I have vs. using a AAA group just to rule that variable out as
the vector that is triggering a bug. I understand that if you've got a
large EOS deployment, it is non-trivial to push AAA config changes to
them all but, trust me - it can be done. I've got a fleet > 2000 EOS
devices and I just updated their AAA config a few weeks ago.
The safest way to do it would be as follows:
(1) Enumerate the TACACS+ servers outside of the group:
!
tacacs-server key 7 <redacted>
tacacs-server host x.x.x.a
tacacs-server host x.x.x.b
!
Then, update your aaa auth commands as follows:
!
aaa authorization exec default group tacacs+ local
aaa authorization commands all default group tacacs+ none
!
Please let me know if this helps and also update me if Arista identifies
a bug. That's information I'd like to have in our "tribal knowledge"
store.
--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
On Mon, Aug 17, 2015 at 2:03 PM, <Kevin.Cruse at instinet.com> wrote:
John,
Here is the configuration from arista:
Arista1#sh run | i aaa
aaa group server tacacs+ CiscoACS
aaa authentication login default group CiscoACS local
aaa authorization exec default group CiscoACS local
aaa authorization commands all default group CiscoACS local
aaa accounting exec default start-stop group CiscoACS
aaa accounting commands all default start-stop group CiscoACS
no aaa root
Arista1#
Just fyi - I've configured the command "#aaa authorization
config-commands" as well, for some reason it does not show up in
configuration. I opened a ticket with arista and they've confirmed
it should still work which makes sense as i'm seeing the commands
sent to tacplus.
Arista1#sh ver
Arista DCS-7124SX-F
Software image version: 4.13.11M
Kevin
Inactive hide details for John Fraizer ---08/17/2015 12:58:52
PM---What version of EOS are you running on your Arista device(s)
John Fraizer ---08/17/2015 12:58:52 PM---What version of EOS are
you running on your Arista device(s)? Take a look at the "tab
completion" av
From: John Fraizer <john at op-sec.us>
To: "Kevin.Cruse at Instinet.com" <Kevin.Cruse at instinet.com>,
Cc: Daniel Schmidt <daniel.schmidt at wyo.gov>, "
tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
Date: 08/17/2015 12:58 PM
Subject: Re: [tac_plus] Cisco Nexus Authorization problem
What version of EOS are you running on your Arista device(s)?
Take a look at the "tab completion" available for "aaa
authorization". Also, if you can provide the output of "show run |
i aaa", it will be easier to help you.
Initially, it looks as if your Arista devices are not configure to
authorize commands. Note that the packet dump shows "ACCT" type
for "enable" and "configure terminal" vs. "AUTHOR".
--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
On Mon, Aug 17, 2015 at 12:21 PM, <Kevin.Cruse at instinet.com> wrote:
I am having a strange issue where cisco devices are being
authorized by do_auth properly, however, arista devices are
not. The arista device is sending command to tacplus but
daemont does not send command to do_auth. I can confirm since
there is no update to do_auth log when sending commands from
arista. any ideas? Everything seems to be working fine
except arista, this is my last hurdle!
CISCO
connect from test.router.com [10.11.128.30]
Waiting for packet
Read ACCT size=137
validation request from test.router.com
PACKET: key=password
version 192 (0xc0), type 3, seq no 1, flags 0x1
session_id 677254324 (0x285e14b4), Data length 125 (0x7d)
End header
ACCT, flags=0x4 method=6 priv_lvl=1
type=1 svc=1
user_len=6 port_len=6 rem_addr_len=14
arg_cnt=6
User:
testuser
port:
tty130
rem_addr:
10.12.144.108
arg[0]: size=13
task_id=41325
arg[1]: size=12
timezone=EDT
arg[2]: size=13
service=shell
arg[3]: size=21
start_time=1439827839
arg[4]: size=10
priv-lvl=0
arg[5]: size=15
cmd=enable <cr>
End packet
Writing ACCT size=17
PACKET: key=password
version 192 (0xc0), type 3, seq no 2, flags 0x1
session_id 677254324 (0x285e14b4), Data length 5 (0x5)
End header
ACCT/REPLY status=1
msg_len=0 data_len=0
msg:
data:
End packet
test.router.com: disconnect
session request from test.router.com sock=5
connect from test.router.com [10.11.128.30]
Waiting for packet
Read AUTHOR size=104
validation request from test.router.com
PACKET: key=password
version 192 (0xc0), type 2, seq no 1, flags 0x1
session_id 4255328848 (0xfda32a50), Data length 92 (0x5c)
End header
type=AUTHOR, priv_lvl=15, authen=1
method=none
svc=0 user_len=6 port_len=6 rem_addr_len=14
arg_cnt=4
User:
testuser
port:
tty130
rem_addr:
10.12.144.108
arg[0]: size=13
service=shell
arg[1]: size=13
cmd=configure
arg[2]: size=16
cmd-arg=terminal
arg[3]: size=12
cmd-arg=<cr>
End packet
Writing AUTHOR/FAIL size=18
PACKET: key=password
version 192 (0xc0), type 2, seq no 2, flags 0x1
session_id 4255328848 (0xfda32a50), Data length 6 (0x6)
End header
type=AUTHOR/REPLY status=16 (AUTHOR/FAIL)
msg_len=0, data_len=0 arg_cnt=0
msg:
data:
End packet
authorization query for 'testuser' tty130 from
test.router.com rejected
test.router.com: disconnect
ARISTA
connect from Aristalab-1.router.com [10.15.10.18]
Waiting for packet
Read ACCT size=119
validation request from Aristalab-1.router.com
PACKET: key=password
version 192 (0xc0), type 3, seq no 1, flags 0x1
session_id 1744489531 (0x67facc3b), Data length 107 (0x6b)
End header
ACCT, flags=0x4 method=6 priv_lvl=1
type=1 svc=1
user_len=6 port_len=5 rem_addr_len=0
arg_cnt=6
User:
testuser
port:
ttyS0
rem_addr:
arg[0]: size=10
task_id=22
arg[1]: size=13
service=shell
arg[2]: size=10
priv-lvl=1
arg[3]: size=21
start_time=1439828055
arg[4]: size=12
timezone=UTC
arg[5]: size=15
cmd=enable <cr>
End packet
Writing ACCT size=17
PACKET: key=password
version 192 (0xc0), type 3, seq no 2, flags 0x1
session_id 1744489531 (0x67facc3b), Data length 5 (0x5)
End header
ACCT/REPLY status=1
msg_len=0 data_len=0
msg:
data:
End packet
Aristalab-1.router.com: disconnect
session request from Aristalab-1.router.com sock=5
connect from Aristalab-1.router.com [10.15.10.18]
Waiting for packet
Read ACCT size=132
validation request from Aristalab-1.router.com
PACKET: key=password
version 192 (0xc0), type 3, seq no 1, flags 0x1
session_id 1288212585 (0x4cc89069), Data length 120 (0x78)
End header
ACCT, flags=0x4 method=6 priv_lvl=15
type=1 svc=1
user_len=6 port_len=5 rem_addr_len=0
arg_cnt=6
User:
testuser
port:
ttyS0
rem_addr:
arg[0]: size=10
task_id=23
arg[1]: size=13
service=shell
arg[2]: size=11
priv-lvl=15
arg[3]: size=21
start_time=1439828061
arg[4]: size=12
timezone=UTC
arg[5]: size=27
cmd=configure terminal <cr>
End packet
Writing ACCT size=17
PACKET: key=password
version 192 (0xc0), type 3, seq no 2, flags 0x1
session_id 1288212585 (0x4cc89069), Data length 5 (0x5)
End header
ACCT/REPLY status=1
msg_len=0 data_len=0
msg:
data:
End packet
Aristalab-1.router.com: disconnect
tac_plus.cfg:
group = snm {
default service = permit
service = exec {
priv-lvl = 15
}
after authorization
"/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i
$address -fix_crs_bug -u $user -d $name
-l /var/log/tacacs/do_auth_log.txt
-f /usr/local/sbin/tacplus/do_auth.ini"
}
do_auth.ini:
[snm]
host_allow =
.*
device_permit =
.*
command_deny =
configure.*
show controllers vip.*
command_permit =
show ip.*
show interface.*
clear counters.*
clear qos stat.*
clear mls qos int.*
disable.*
enable.*
end.*
exit.*
logout.*
ping.*
set length.*
show.*
skip-page-display.*
write network.*
write terminal.*
write memory.*
terminal length.*
Inactive hide details for John Fraizer ---08/07/2015 12:54:36
PM---Here is one problem: *cmd exit does not exist, denied by
defJohn Fraizer ---08/07/2015 12:54:36 PM---Here is one
problem: *cmd exit does not exist, denied by default*
From: John Fraizer <john at op-sec.us>
To: "Kevin.Cruse at Instinet.com" <Kevin.Cruse at instinet.com>,
Cc: Daniel Schmidt <daniel.schmidt at wyo.gov>, "
tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
Date: 08/07/2015 12:54 PM
Subject: Re: [tac_plus] Cisco Nexus Authorization problem
Here is one problem:
cmd exit does not exist, denied by default
It looks like you've got default service = deny in your
tac_plus.conf. To use do_auth, you need default service =
permit.
Your after auth line doesn't look right either.
/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user
-l /var/log/tacacs/do_auth_log.txt
-f /usr/local/sbin/tacplus/do_auth.ini
You're not giving it the device address or the address of the
user attempting to auth. Try changing the after
authorization line in tac_plus.conf to:
after authorization
"/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i
$address -u $user -d $name -l /tmp/do_auth.log
-f /usr/local/sbin/tacplus/do_auth.ini"
Note that this will create a do_auth specific log
in /tmp/do_auth.log but, right now - we'll need that for
debugging purposes.
Also remember, you'll need to restart tac_plus for this
change to take effect.
Here is an example tac_plus group that I know to work
properly with do_auth.py on CatOS, IOS, IOS-XR, NX-OS, EOS
and JUNOS:
group = doauthaccess {
default service = permit
service = exec {
priv-lvl = 1
optional idletime = 30
optional acl = 2
shell:roles="\"network-operator vdc-operator
\""
}
service = junos-exec {
bug-fix = "first pair is lost"
local-user-name = "remote"
allow-commands = "(.*exit)|(show cli auth.*)"
deny-commands = ".*"
allow-configuration = ""
deny-configuration = ""
}
after authorization
"/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i
$address -u $user -d $name -l /tmp/do_auth.log
-f /usr/local/sbin/tacplus/do_auth.ini"
}
One more thing... Looking at your do_auth.ini, you seem to
have a space between the commands and ".*" which should not
be there.
For example:
exit .*
...should be:
exit.*
I posted a complete working tac_plus.conf and do_auth.ini
along with the AAA config I use on devices the other day.
Take a look at that post as well.
--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
On Fri, Aug 7, 2015 at 5:16 AM, <Kevin.Cruse at instinet.com>
wrote:
I will try upgrading to 4.14.5F and see what happens!
thanks
wondering if you are familiar with this error in
do_auth execution, I am permitting exit in do_auth.ini.
seems to be some issue with do_auth script:
Reading config
Version F4.0.4.28 Initialized 1
tac_plus server F4.0.4.28 starting
socket FD 4 AF 2
uid=0 euid=0 gid=0 egid=0 s=23660848
connect from router1 [172.28.10.124]
Start authorization request
do_author: user='testuser'
user 'testuser' found
authorize_cmd: user=testuser, cmd=exit
cmd exit does not exist, denied by default
After authorization
call: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py
-u $user -l /var/log/tacacs/do_auth_log.txt
-f /usr/local/sbin/tacplus/do_auth.ini
substitute: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py
-u $user -l /var/log/tacacs/do_auth_log.txt
-f /usr/local/sbin/tacplus/do_auth.ini
Dollar
substitution: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py
-u testuser -l /var/log/tacacs/do_auth_log.txt
-f /usr/local/sbin/tacplus/do_auth.ini
pid 24672 child exited status 1
cmd /usr/bin/python /usr/local/sbin/tacplus/do_auth.py
-u $user -l /var/log/tacacs/do_auth_log.txt
-f /usr/local/sbin/tacplus/do_auth.ini returns 1
(unconditional deny)
authorization query for 'testuser' tty130 from router1
rejected
connect from router1 [1.1.1.1]
do_auth.ini:
[users]
testuser =
snm
[snm]
command_deny =
configure .*
show controllers vip .*
command_permit =
show ip .*
show interface .*
clear counters .*
clear qos stat .*
clear mls qos int .*
disable .*
enable .*
end .*
exit .*
logout .*
ping .*
set length .*
show .*
skip-page-display .*
write network .*
write terminal .*
write memory .*
Inactive hide details for John Fraizer ---08/06/2015
06:54:05 PM---I'm not sure when this command became
available in EOS but, John Fraizer ---08/06/2015
06:54:05 PM---I'm not sure when this command became
available in EOS but, at least in 4.14.5F, you will get
what y
From: John Fraizer <john at op-sec.us>
To: "Kevin.Cruse at Instinet.com" <
Kevin.Cruse at instinet.com>,
Cc: Daniel Schmidt <daniel.schmidt at wyo.gov>, "
tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
Date: 08/06/2015 06:54 PM
Subject: Re: [tac_plus] Cisco Nexus Authorization
problem
I'm not sure when this command became available in EOS
but, at least in 4.14.5F, you will get what you want
with:
aaa authorization commands all default group tacacs+
none
--
John Fraizer
LinkedIn profile:
http://www.linkedin.com/in/johnfraizer/
On Thu, Aug 6, 2015 at 1:58 PM, <
Kevin.Cruse at instinet.com> wrote:
tried that! arista only takes this command with
no arguments:
aaa authorization config-commands
it still didn't work.
fyi - i just tried same config with cisco router
and it works perfectly,
running 4.13.11M of EOS.
From: Daniel Schmidt <daniel.schmidt at wyo.gov>
To: Kevin.Cruse at instinet.com,
Cc: Aaron Wasserott <
aaron.wasserott at viawest.com>,
"tac_plus at shrubbery.net" <
tac_plus at shrubbery.net>
Date: 08/06/2015 04:09 PM
Subject: Re: [tac_plus] Cisco Nexus
Authorization problem
This part of the email looks interesting:
But if you
want them in conf t mode but restrict their
commands at that level, you
need to enable something like this:
aaa authorization config-commands default group
myTacacsGroup local
=========================================================================================================
<<<< Disclaimer >>>>
This message is intended solely for use by the named
addressee(s). If you receive this transmission in
error, please immediately notify the sender and destroy
this message in its entirety, whether in electronic or
hard copy format. Any unauthorized use (and reliance
thereon), copying, disclosure, retention, or
distribution of this transmission or the material in
this transmission is forbidden. We reserve the right to
monitor and archive electronic communications. This
material does not constitute an offer or solicitation
with respect to the purchase or sale of any security.
It should not be construed to contain any
recommendation regarding any security or strategy. Any
views expressed are those of the individual sender,
except where the message states otherwise and the
sender is authorized to state them to be the views of
any such entity. This communication is provided on an
“as is” basis. It contains material that is owned by
Instinet Incorporated, its subsidiaries or its or their
licensors, and may not, in whole or in part, be (i)
copied, photocopied or duplicated in any form, by any
means, or (ii) redistributed, posted, published,
excerpted, or quoted without Instinet Incorporated's
prior written consent. Please access the following link
for important information and instructions:
http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt
Securities products and services are provided by
locally registered brokerage subsidiaries of Instinet
Incorporated: Instinet Australia Pty Limited (ACN: 131
253 686 AFSL No: 327834), regulated by the Australian
Securities & Investments Commission; Instinet Canada
Limited, member IIROC/CIPF; Instinet Pacific Limited,
authorized and regulated by the Securities and Futures
Commission of Hong Kong; Instinet Singapore Services
Private Limited, regulated by the Monetary Authority of
Singapore, trading member of The Singapore Exchange
Securities Trading Private Limited and clearing member
of The Central Depository (Pte) Limited; and Instinet,
LLC, member SIPC.
=========================================================================================================
=========================================================================================================
<<<< Disclaimer >>>>
This message is intended solely for use by the named
addressee(s). If you receive this transmission in error,
please immediately notify the sender and destroy this message
in its entirety, whether in electronic or hard copy format.
Any unauthorized use (and reliance thereon), copying,
disclosure, retention, or distribution of this transmission
or the material in this transmission is forbidden. We reserve
the right to monitor and archive electronic communications.
This material does not constitute an offer or solicitation
with respect to the purchase or sale of any security. It
should not be construed to contain any recommendation
regarding any security or strategy. Any views expressed are
those of the individual sender, except where the message
states otherwise and the sender is authorized to state them
to be the views of any such entity. This communication is
provided on an “as is” basis. It contains material that is
owned by Instinet Incorporated, its subsidiaries or its or
their licensors, and may not, in whole or in part, be (i)
copied, photocopied or duplicated in any form, by any means,
or (ii) redistributed, posted, published, excerpted, or
quoted without Instinet Incorporated's prior written consent.
Please access the following link for important information
and instructions:
http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt
Securities products and services are provided by locally
registered brokerage subsidiaries of Instinet Incorporated:
Instinet Australia Pty Limited (ACN: 131 253 686 AFSL No:
327834), regulated by the Australian Securities & Investments
Commission; Instinet Canada Limited, member IIROC/CIPF;
Instinet Pacific Limited, authorized and regulated by the Securities and Futures Commission of Hong Kong; Instinet
Singapore Services Private Limited, regulated by the Monetary
Authority of Singapore, trading member of The Singapore
Exchange Securities Trading Private Limited and clearing
member of The Central Depository (Pte) Limited; and Instinet,
LLC, member SIPC.
=========================================================================================================
=========================================================================================================
<<<< Disclaimer >>>>
This message is intended solely for use by the named addressee(s).
If you receive this transmission in error, please immediately
notify the sender and destroy this message in its entirety, whether
in electronic or hard copy format. Any unauthorized use (and
reliance thereon), copying, disclosure, retention, or distribution
of this transmission or the material in this transmission is
forbidden. We reserve the right to monitor and archive electronic
communications. This material does not constitute an offer or
solicitation with respect to the purchase or sale of any security.
It should not be construed to contain any recommendation regarding
any security or strategy. Any views expressed are those of the
individual sender, except where the message states otherwise and
the sender is authorized to state them to be the views of any such
entity. This communication is provided on an “as is” basis. It
contains material that is owned by Instinet Incorporated, its
subsidiaries or its or their licensors, and may not, in whole or in
part, be (i) copied, photocopied or duplicated in any form, by any
means, or (ii) redistributed, posted, published, excerpted, or
quoted without Instinet Incorporated's prior written consent.
Please access the following link for important information and
instructions:
http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt
Securities products and services are provided by locally registered
brokerage subsidiaries of Instinet Incorporated: Instinet Australia
Pty Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the
Australian Securities & Investments Commission; Instinet Canada
Limited, member IIROC/CIPF; Instinet Pacific Limited, authorized
and regulated by the Securities and Futures Commission of Hong
Kong; Instinet Singapore Services Private Limited, regulated by the
Monetary Authority of Singapore, trading member of The Singapore
Exchange Securities Trading Private Limited and clearing member of
The Central Depository (Pte) Limited; and Instinet, LLC, member
SIPC.
=========================================================================================================
=========================================================================================================
<<<< Disclaimer >>>>
This message is intended solely for use by the named addressee(s). If you
receive this transmission in error, please immediately notify the sender
and destroy this message in its entirety, whether in electronic or hard
copy format. Any unauthorized use (and reliance thereon), copying,
disclosure, retention, or distribution of this transmission or the
material in this transmission is forbidden. We reserve the right to
monitor and archive electronic communications. This material does not
constitute an offer or solicitation with respect to the purchase or sale
of any security. It should not be construed to contain any recommendation
regarding any security or strategy. Any views expressed are those of the
individual sender, except where the message states otherwise and the
sender is authorized to state them to be the views of any such entity.
This communication is provided on an “as is” basis. It contains material
that is owned by Instinet Incorporated, its subsidiaries or its or their
licensors, and may not, in whole or in part, be (i) copied, photocopied
or duplicated in any form, by any means, or (ii) redistributed, posted,
published, excerpted, or quoted without Instinet Incorporated's prior
written consent. Please access the following link for important
information and instructions:
http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt
Securities products and services are provided by locally registered
brokerage subsidiaries of Instinet Incorporated: Instinet Australia Pty
Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the Australian
Securities & Investments Commission; Instinet Canada Limited, member
IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by the
Securities and Futures Commission of Hong Kong; Instinet Singapore
Services Private Limited, regulated by the Monetary Authority of
Singapore, trading member of The Singapore Exchange Securities Trading
Private Limited and clearing member of The Central Depository (Pte)
Limited; and Instinet, LLC, member SIPC.
=========================================================================================================
========================================================================================================= <<<< Disclaimer >>>> This message is intended solely for use by the named addressee(s). If you receive this transmission in error, please immediately notify the sender and destroy this message in its entirety, whether in electronic or hard copy format. Any unauthorized use (and reliance thereon), copying, disclosure, retention, or distribution of this transmission or the material in this transmission is forbidden. We reserve the right to monitor and archive electronic communications. This material does not constitute an offer or solicitation with respect to the purchase or sale of any security. It should not be construed to contain any recommendation regarding any security or strategy. Any views expressed are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. This communication is provided on an “as is” basis. It contains material that is owned by Instinet Incorporated, its subsidiaries or its or their licensors, and may not, in whole or in part, be (i) copied, photocopied or duplicated in any form, by any means, or (ii) redistributed, posted, published, excerpted, or quoted without Instinet Incorporated's prior written consent. Please access the following link for important information and instructions: http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt Securities products and services are provided by locally registered brokerage subsidiaries of Instinet Incorporated: Instinet Australia Pty Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the Australian Securities & Investments Commission; Instinet Canada Limited, member IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by the Securities and Futures Commission of Hong Kong; Instinet Singapore Services Private Limited, regulated by the Monetary Authority of Singapore, trading member of The Singapore Exchange Securities Trading Private Limited and clearing member of The Central Depository (Pte) Limited; and Instinet, LLC, member SIPC.
=========================================================================================================
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20150817/14d2376d/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: graycol.gif
Type: image/gif
Size: 105 bytes
Desc: not available
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20150817/14d2376d/attachment.gif>
More information about the tac_plus
mailing list