[tac_plus] Cisco Nexus Authorization problem
John Fraizer
john at op-sec.us
Mon Aug 17 20:46:05 UTC 2015
Ahhh... That makes sense.
As a matter of personal opinion, I always enable exec and command auth on
the console with fallback to "none" on our production equipment. That way,
as long as the TACACS+ infrastructure is available, the policy I set in
do_auth.ini is enforced. If TACACS+ isn't available, we log in as a
defined "local" user and enable manually. It keeps honest people honest.
;-)
The EOS AAA config I sent you is from my lab which doesn't have console
auth enabled for various reasons. [ I'm on vacation and didn't feel like
jumping through all VPN + 2FA hoops necessary to log into one of the
production EOS devices. ;-) ]
Glad its working for you now and it wasn't a bug!
--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
On Mon, Aug 17, 2015 at 3:14 PM, <Kevin.Cruse at instinet.com> wrote:
> I was connecting to console which does not have authorization enabled.
> It's working now. Thanks for your help!
>
>
>
> [image: Inactive hide details for John Fraizer ---08/17/2015 02:23:34
> PM---Kevin, I'm not using defined tacacs+ groups in our configura]John
> Fraizer ---08/17/2015 02:23:34 PM---Kevin, I'm not using defined tacacs+
> groups in our configuration so, that is a
>
> From: John Fraizer <john at op-sec.us>
> To: "Kevin.Cruse at Instinet.com" <Kevin.Cruse at instinet.com>,
> Cc: Daniel Schmidt <daniel.schmidt at wyo.gov>, "tac_plus at shrubbery.net" <
> tac_plus at shrubbery.net>
> Date: 08/17/2015 02:23 PM
>
> Subject: Re: [tac_plus] Cisco Nexus Authorization problem
> ------------------------------
>
>
>
> Kevin,
>
> I'm not using defined tacacs+ groups in our configuration so, that is a
> variable that could be triggering a bug in AAA authorization but, your
> config is very similar to what we're using:
>
> !
> tacacs-server key 7 <redacted>
> tacacs-server host x.x.x.a
> tacacs-server host x.x.x.b
> !
> aaa authentication login default group tacacs+ local
> aaa authentication enable default group tacacs+ local
> aaa authorization exec default group tacacs+ local
> aaa authorization commands all default group tacacs+ none
> aaa accounting exec default start-stop group tacacs+
> aaa accounting system default start-stop group tacacs+
> aaa accounting commands all default stop-only group tacacs+
> !
>
> Please note though that based on what you sent in your original email,
> your EOS device is not sending AUTH requests for commands. I only see ACCT
> records being sent:
>
> Here is the AUTH request coming from your Cisco:
>
> session request from *test.router.com* <http://test.router.com/> sock=5
> connect from *test.router.com* <http://test.router.com/> [10.11.128.30]
> Waiting for packet
> Read AUTHOR size=104
> validation request from *test.router.com* <http://test.router.com/>
> PACKET: key=password
> version 192 (0xc0), type 2, seq no 1, flags 0x1
> session_id *4255328848* <4255328848> (0xfda32a50), Data length 92
> (0x5c)
> End header
> type=AUTHOR, priv_lvl=15, authen=1
> method=none
> svc=0 user_len=6 port_len=6 rem_addr_len=14
> arg_cnt=4
> User:
> testuser
> port:
> tty130
> rem_addr:
> 10.12.144.108
> arg[0]: size=13
> service=shell
> arg[1]: size=13
> cmd=configure
> arg[2]: size=16
> cmd-arg=terminal
> arg[3]: size=12
> cmd-arg=<cr>
> End packet
> Writing AUTHOR/FAIL size=18
> PACKET: key=password
> version 192 (0xc0), type 2, seq no 2, flags 0x1
> session_id *4255328848* <4255328848> (0xfda32a50), Data length 6 (0x6)
> End header
> type=AUTHOR/REPLY status=16 (AUTHOR/FAIL)
> msg_len=0, data_len=0 arg_cnt=0
> msg:
> data:
> End packet
> authorization query for 'testuser' tty130 from *test.router.com*
> <http://test.router.com/> rejected
> *test.router.com* <http://test.router.com/>: disconnect
>
>
> ...vs the ACCT record being sent by the EOS device(s):
>
> session request from *Aristalab-1.router.com*
> <http://aristalab-1.router.com/> sock=5
> connect from *Aristalab-1.router.com* <http://aristalab-1.router.com/>
> [10.15.10.18]
> Waiting for packet
> Read ACCT size=132
> validation request from *Aristalab-1.router.com*
> <http://aristalab-1.router.com/>
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 1, flags 0x1
> session_id 1288212585 (0x4cc89069), Data length 120 (0x78)
> End header
> ACCT, flags=0x4 method=6 priv_lvl=15
> type=1 svc=1
> user_len=6 port_len=5 rem_addr_len=0
> arg_cnt=6
> User:
> testuser
> port:
> ttyS0
> rem_addr:
> arg[0]: size=10
> task_id=23
> arg[1]: size=13
> service=shell
> arg[2]: size=11
> priv-lvl=15
> arg[3]: size=21
> start_time=1439828061
> arg[4]: size=12
> timezone=UTC
> arg[5]: size=27
> cmd=configure terminal <cr>
> End packet
> Writing ACCT size=17
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 2, flags 0x1
> session_id 1288212585 (0x4cc89069), Data length 5 (0x5)
> End header
> ACCT/REPLY status=1
> msg_len=0 data_len=0
> msg:
> data:
> End packet
> *Aristalab-1.router.com* <http://aristalab-1.router.com/>: disconnect
>
>
> So, in effect, where the Cisco device is asking permission to execute the
> command, the EOS device is simply informing the TACACS+ server that the
> command was executed. It's a matter of ACCOUNT vs AUTHORIZE.
>
> You might want to update your ticket with Arista to include that
> information. You may also want to try enumerating your TACACS+ servers the
> way I have vs. using a AAA group just to rule that variable out as the
> vector that is triggering a bug. I understand that if you've got a large
> EOS deployment, it is non-trivial to push AAA config changes to them all
> but, trust me - it can be done. I've got a fleet > 2000 EOS devices and I
> just updated their AAA config a few weeks ago.
>
> The safest way to do it would be as follows:
>
> (1) Enumerate the TACACS+ servers outside of the group:
> !
> tacacs-server key 7 <redacted>
> tacacs-server host x.x.x.a
> tacacs-server host x.x.x.b
> !
> Then, update your aaa auth commands as follows:
>
> !
> aaa authorization exec default group tacacs+ local
> aaa authorization commands all default group tacacs+ none
> !
>
> Please let me know if this helps and also update me if Arista identifies a
> bug. That's information I'd like to have in our "tribal knowledge" store.
>
>
> --
> John Fraizer
> LinkedIn profile: *http://www.linkedin.com/in/johnfraizer/*
> <http://www.linkedin.com/in/johnfraizer/>
>
>
>
> On Mon, Aug 17, 2015 at 2:03 PM, <*Kevin.Cruse at instinet.com*
> <Kevin.Cruse at instinet.com>> wrote:
>
> John,
>
> Here is the configuration from arista:
>
> Arista1#sh run | i aaa
> aaa group server tacacs+ CiscoACS
> aaa authentication login default group CiscoACS local
> aaa authorization exec default group CiscoACS local
> aaa authorization commands all default group CiscoACS local
> aaa accounting exec default start-stop group CiscoACS
> aaa accounting commands all default start-stop group CiscoACS
> no aaa root
> Arista1#
>
>
> Just fyi - I've configured the command "#aaa authorization
> config-commands" as well, for some reason it does not show up in
> configuration. I opened a ticket with arista and they've confirmed it
> should still work which makes sense as i'm seeing the commands sent to
> tacplus.
>
>
> Arista1#sh ver
> Arista DCS-7124SX-F
> Software image version: 4.13.11M
>
>
> Kevin
>
>
>
>
>
> [image: Inactive hide details for John Fraizer ---08/17/2015 12:58:52
> PM---What version of EOS are you running on your Arista device(s)]John
> Fraizer ---08/17/2015 12:58:52 PM---What version of EOS are you running on
> your Arista device(s)? Take a look at the "tab completion" av
>
> From: John Fraizer <*john at op-sec.us* <john at op-sec.us>>
> To: "Kevin.Cruse at Instinet.com" <*Kevin.Cruse at instinet.com*
> <Kevin.Cruse at instinet.com>>,
> Cc: Daniel Schmidt <*daniel.schmidt at wyo.gov* <daniel.schmidt at wyo.gov>>,
> "*tac_plus at shrubbery.net* <tac_plus at shrubbery.net>" <
> *tac_plus at shrubbery.net* <tac_plus at shrubbery.net>>
> Date: 08/17/2015 12:58 PM
>
>
> Subject: Re: [tac_plus] Cisco Nexus Authorization problem
> ------------------------------
>
>
>
> What version of EOS are you running on your Arista device(s)?
>
> Take a look at the "tab completion" available for "aaa
> authorization". Also, if you can provide the output of "show run | i aaa",
> it will be easier to help you.
>
> Initially, it looks as if your Arista devices are not configure to
> authorize commands. Note that the packet dump shows "ACCT" type for
> "enable" and "configure terminal" vs. "AUTHOR".
>
> --
> John Fraizer
> LinkedIn profile: *http://www.linkedin.com/in/johnfraizer/*
> <http://www.linkedin.com/in/johnfraizer/>
>
>
>
> On Mon, Aug 17, 2015 at 12:21 PM, <*Kevin.Cruse at instinet.com*
> <Kevin.Cruse at instinet.com>> wrote:
> I am having a strange issue where cisco devices are being
> authorized by do_auth properly, however, arista devices are not. The
> arista device is sending command to tacplus but daemont does not send
> command to do_auth. I can confirm since there is no update to do_auth log
> when sending commands from arista. any ideas? Everything seems to be
> working fine except arista, this is my last hurdle!
>
>
> CISCO
>
> connect from *test.router.com* <http://test.router.com/>
> [10.11.128.30]
> Waiting for packet
> Read ACCT size=137
> validation request from *test.router.com* <http://test.router.com/>
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 1, flags 0x1
> session_id 677254324 (0x285e14b4), Data length 125 (0x7d)
> End header
> ACCT, flags=0x4 method=6 priv_lvl=1
> type=1 svc=1
> user_len=6 port_len=6 rem_addr_len=14
> arg_cnt=6
> User:
> testuser
> port:
> tty130
> rem_addr:
> 10.12.144.108
> arg[0]: size=13
> task_id=41325
> arg[1]: size=12
> timezone=EDT
> arg[2]: size=13
> service=shell
> arg[3]: size=21
> start_time=1439827839
> arg[4]: size=10
> priv-lvl=0
> arg[5]: size=15
> cmd=enable <cr>
> End packet
> Writing ACCT size=17
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 2, flags 0x1
> session_id 677254324 (0x285e14b4), Data length 5 (0x5)
> End header
> ACCT/REPLY status=1
> msg_len=0 data_len=0
> msg:
> data:
> End packet
> *test.router.com* <http://test.router.com/>: disconnect
>
>
> session request from *test.router.com* <http://test.router.com/>
> sock=5
> connect from *test.router.com* <http://test.router.com/>
> [10.11.128.30]
> Waiting for packet
> Read AUTHOR size=104
> validation request from *test.router.com* <http://test.router.com/>
> PACKET: key=password
> version 192 (0xc0), type 2, seq no 1, flags 0x1
> session_id *4255328848* <4255328848> (0xfda32a50), Data length 92
> (0x5c)
> End header
> type=AUTHOR, priv_lvl=15, authen=1
> method=none
> svc=0 user_len=6 port_len=6 rem_addr_len=14
> arg_cnt=4
> User:
> testuser
> port:
> tty130
> rem_addr:
> 10.12.144.108
> arg[0]: size=13
> service=shell
> arg[1]: size=13
> cmd=configure
> arg[2]: size=16
> cmd-arg=terminal
> arg[3]: size=12
> cmd-arg=<cr>
> End packet
> Writing AUTHOR/FAIL size=18
> PACKET: key=password
> version 192 (0xc0), type 2, seq no 2, flags 0x1
> session_id *4255328848* <4255328848> (0xfda32a50), Data length 6
> (0x6)
> End header
> type=AUTHOR/REPLY status=16 (AUTHOR/FAIL)
> msg_len=0, data_len=0 arg_cnt=0
> msg:
> data:
> End packet
> authorization query for 'testuser' tty130 from *test.router.com*
> <http://test.router.com/> rejected
> *test.router.com* <http://test.router.com/>: disconnect
>
>
> ARISTA
>
> connect from *Aristalab-1.router.com*
> <http://aristalab-1.router.com/> [10.15.10.18]
> Waiting for packet
> Read ACCT size=119
> validation request from *Aristalab-1.router.com*
> <http://aristalab-1.router.com/>
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 1, flags 0x1
> session_id 1744489531 (0x67facc3b), Data length 107 (0x6b)
> End header
> ACCT, flags=0x4 method=6 priv_lvl=1
> type=1 svc=1
> user_len=6 port_len=5 rem_addr_len=0
> arg_cnt=6
> User:
> testuser
> port:
> ttyS0
> rem_addr:
> arg[0]: size=10
> task_id=22
> arg[1]: size=13
> service=shell
> arg[2]: size=10
> priv-lvl=1
> arg[3]: size=21
> start_time=1439828055
> arg[4]: size=12
> timezone=UTC
> arg[5]: size=15
> cmd=enable <cr>
> End packet
> Writing ACCT size=17
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 2, flags 0x1
> session_id 1744489531 (0x67facc3b), Data length 5 (0x5)
> End header
> ACCT/REPLY status=1
> msg_len=0 data_len=0
> msg:
> data:
> End packet
> *Aristalab-1.router.com* <http://aristalab-1.router.com/>: disconnect
>
>
> session request from *Aristalab-1.router.com*
> <http://aristalab-1.router.com/> sock=5
> connect from *Aristalab-1.router.com*
> <http://aristalab-1.router.com/> [10.15.10.18]
> Waiting for packet
> Read ACCT size=132
> validation request from *Aristalab-1.router.com*
> <http://aristalab-1.router.com/>
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 1, flags 0x1
> session_id 1288212585 (0x4cc89069), Data length 120 (0x78)
> End header
> ACCT, flags=0x4 method=6 priv_lvl=15
> type=1 svc=1
> user_len=6 port_len=5 rem_addr_len=0
> arg_cnt=6
> User:
> testuser
> port:
> ttyS0
> rem_addr:
> arg[0]: size=10
> task_id=23
> arg[1]: size=13
> service=shell
> arg[2]: size=11
> priv-lvl=15
> arg[3]: size=21
> start_time=1439828061
> arg[4]: size=12
> timezone=UTC
> arg[5]: size=27
> cmd=configure terminal <cr>
> End packet
> Writing ACCT size=17
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 2, flags 0x1
> session_id 1288212585 (0x4cc89069), Data length 5 (0x5)
> End header
> ACCT/REPLY status=1
> msg_len=0 data_len=0
> msg:
> data:
> End packet
> *Aristalab-1.router.com* <http://aristalab-1.router.com/>: disconnect
>
>
> tac_plus.cfg:
>
>
> group = snm {
> default service = permit
> service = exec {
> priv-lvl = 15
> }
> after authorization "/usr/bin/python
> /usr/local/sbin/tacplus/do_auth.py -i $address -fix_crs_bug -u $user -d
> $name -l /var/log/tacacs/do_auth_log.txt -f
> /usr/local/sbin/tacplus/do_auth.ini"
>
> }
>
>
>
> do_auth.ini:
>
>
> [snm]
> host_allow =
> .*
> device_permit =
> .*
> command_deny =
> configure.*
> show controllers vip.*
> command_permit =
> show ip.*
> show interface.*
> clear counters.*
> clear qos stat.*
> clear mls qos int.*
> disable.*
> enable.*
> end.*
> exit.*
> logout.*
> ping.*
> set length.*
> show.*
> skip-page-display.*
> write network.*
> write terminal.*
> write memory.*
> terminal length.*
>
>
>
>
>
> [image: Inactive hide details for John Fraizer ---08/07/2015
> 12:54:36 PM---Here is one problem: *cmd exit does not exist, denied by def]John
> Fraizer ---08/07/2015 12:54:36 PM---Here is one problem: *cmd exit does not
> exist, denied by default*
>
> From: John Fraizer <*john at op-sec.us* <john at op-sec.us>>
> To: "Kevin.Cruse at Instinet.com" <*Kevin.Cruse at instinet.com*
> <Kevin.Cruse at instinet.com>>,
> Cc: Daniel Schmidt <*daniel.schmidt at wyo.gov*
> <daniel.schmidt at wyo.gov>>, "*tac_plus at shrubbery.net*
> <tac_plus at shrubbery.net>" <*tac_plus at shrubbery.net*
> <tac_plus at shrubbery.net>>
> Date: 08/07/2015 12:54 PM
>
>
> Subject: Re: [tac_plus] Cisco Nexus Authorization problem
>
> ------------------------------
>
>
>
> Here is one problem:
>
> * cmd exit does not exist, denied by default*
>
> It looks like you've got default service = deny in your
> tac_plus.conf. To use do_auth, you need default service = permit.
>
> Your after auth line doesn't look right either.
>
> * /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user -l
> /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini*
>
> You're not giving it the device address or the address of the user
> attempting to auth. Try changing the after authorization line in
> tac_plus.conf to:
>
> * after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py
> -i $address -u $user -d $name -l /tmp/do_auth.log -f
> /usr/local/sbin/tacplus/do_auth.ini"*
>
> Note that this will create a do_auth specific log in
> /tmp/do_auth.log but, right now - we'll need that for debugging purposes.
>
> Also remember, you'll need to restart tac_plus for this change to
> take effect.
>
> Here is an example tac_plus group that I know to work properly with
> do_auth.py on CatOS, IOS, IOS-XR, NX-OS, EOS and JUNOS:
>
> group = doauthaccess {
> default service = permit
>
> service = exec {
> priv-lvl = 1
> optional idletime = 30
> optional acl = 2
> shell:roles="\"network-operator vdc-operator\""
> }
>
> service = junos-exec {
> bug-fix = "first pair is lost"
> local-user-name = "remote"
> allow-commands = "(.*exit)|(show cli auth.*)"
> deny-commands = ".*"
> allow-configuration = ""
> deny-configuration = ""
> }
> after authorization "/usr/bin/python
> /usr/local/sbin/tacplus/do_auth.py -i $address -u $user -d $name -l
> /tmp/do_auth.log -f /usr/local/sbin/tacplus/do_auth.ini"
> * }*
>
>
> One more thing... Looking at your do_auth.ini, you seem to have a
> space between the commands and ".*" which should not be there.
>
> For example:
>
> exit .*
>
> ...should be:
>
> exit.*
>
>
> I posted a complete working tac_plus.conf and do_auth.ini along
> with the AAA config I use on devices the other day. Take a look at that
> post as well.
>
>
> --
> John Fraizer
> LinkedIn profile: *http://www.linkedin.com/in/johnfraizer/*
> <http://www.linkedin.com/in/johnfraizer/>
>
>
>
> On Fri, Aug 7, 2015 at 5:16 AM, <*Kevin.Cruse at instinet.com*
> <Kevin.Cruse at instinet.com>> wrote:
> I will try upgrading to 4.14.5F and see what happens! thanks
>
> wondering if you are familiar with this error in do_auth
> execution, I am permitting exit in do_auth.ini. seems to be some issue with
> do_auth script:
>
> Reading config
> Version F4.0.4.28 Initialized 1
> tac_plus server F4.0.4.28 starting
> socket FD 4 AF 2
> uid=0 euid=0 gid=0 egid=0 s=23660848
> connect from router1 [172.28.10.124]
> Start authorization request
> do_author: user='testuser'
> user 'testuser' found
> authorize_cmd: user=testuser, cmd=exit
> cmd exit does not exist, denied by default
> After authorization call: /usr/bin/python
> /usr/local/sbin/tacplus/do_auth.py -u $user -l
> /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
>
>
> * substitute: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user
> -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
> Dollar substitution: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u
> testuser -l /var/log/tacacs/do_auth_log.txt -f
> /usr/local/sbin/tacplus/do_auth.ini pid 24672 child exited status 1*
> cmd /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user
> -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
> returns 1 (unconditional deny)
> authorization query for 'testuser' tty130 from router1 rejected
> connect from router1 [1.1.1.1]
>
>
> do_auth.ini:
>
> [users]
> testuser =
> snm
> [snm]
> command_deny =
> configure .*
> show controllers vip .*
> command_permit =
> show ip .*
> show interface .*
> clear counters .*
> clear qos stat .*
> clear mls qos int .*
> disable .*
> enable .*
> end .*
> exit .*
> logout .*
> ping .*
> set length .*
> show .*
> skip-page-display .*
> write network .*
> write terminal .*
> write memory .*
>
>
>
>
> [image: Inactive hide details for John Fraizer ---08/06/2015
> 06:54:05 PM---I'm not sure when this command became available in EOS but,]John
> Fraizer ---08/06/2015 06:54:05 PM---I'm not sure when this command became
> available in EOS but, at least in 4.14.5F, you will get what y
>
> From: John Fraizer <*john at op-sec.us* <john at op-sec.us>>
> To: "Kevin.Cruse at Instinet.com" <*Kevin.Cruse at instinet.com*
> <Kevin.Cruse at instinet.com>>,
> Cc: Daniel Schmidt <*daniel.schmidt at wyo.gov*
> <daniel.schmidt at wyo.gov>>, "*tac_plus at shrubbery.net*
> <tac_plus at shrubbery.net>" <*tac_plus at shrubbery.net*
> <tac_plus at shrubbery.net>>
> Date: 08/06/2015 06:54 PM
> Subject: Re: [tac_plus] Cisco Nexus Authorization problem
> ------------------------------
>
>
>
>
> I'm not sure when this command became available in EOS but, at
> least in 4.14.5F, you will get what you want with:
>
> aaa authorization commands all default group tacacs+ none
>
>
> --
> John Fraizer
> LinkedIn profile: *http://www.linkedin.com/in/johnfraizer/*
> <http://www.linkedin.com/in/johnfraizer/>
>
>
>
> On Thu, Aug 6, 2015 at 1:58 PM, <*Kevin.Cruse at instinet.com*
> <Kevin.Cruse at instinet.com>> wrote:
> tried that! arista only takes this command with no arguments:
>
> aaa authorization config-commands
>
> it still didn't work.
>
> fyi - i just tried same config with cisco router and it works
> perfectly,
> running 4.13.11M of EOS.
>
>
>
> From: Daniel Schmidt <*daniel.schmidt at wyo.gov*
> <daniel.schmidt at wyo.gov>>
> To: *Kevin.Cruse at instinet.com* <Kevin.Cruse at instinet.com>,
> Cc: Aaron Wasserott <*aaron.wasserott at viawest.com*
> <aaron.wasserott at viawest.com>>,
> "*tac_plus at shrubbery.net* <tac_plus at shrubbery.net>"
> <*tac_plus at shrubbery.net* <tac_plus at shrubbery.net>>
> Date: 08/06/2015 04:09 PM
> Subject: Re: [tac_plus] Cisco Nexus Authorization
> problem
>
>
>
> This part of the email looks interesting:
>
> But if you
> want them in conf t mode but restrict their commands at that
> level, you
> need to enable something like this:
>
> aaa authorization config-commands default group myTacacsGroup
> local
>
>
> *
> =========================================================================================================
> *
>
> *<<<< Disclaimer >>>>*
>
> *This message is intended solely for use by the named
> addressee(s). If you receive this transmission in error, please immediately
> notify the sender and destroy this message in its entirety, whether in
> electronic or hard copy format. Any unauthorized use (and reliance
> thereon), copying, disclosure, retention, or distribution of this
> transmission or the material in this transmission is forbidden. We reserve
> the right to monitor and archive electronic communications. This material
> does not constitute an offer or solicitation with respect to the purchase
> or sale of any security. It should not be construed to contain any
> recommendation regarding any security or strategy. Any views expressed are
> those of the individual sender, except where the message states otherwise
> and the sender is authorized to state them to be the views of any such
> entity. This communication is provided on an “as is” basis. It contains
> material that is owned by Instinet Incorporated, its subsidiaries or its or
> their licensors, and may not, in whole or in part, be (i) copied,
> photocopied or duplicated in any form, by any means, or (ii) redistributed,
> posted, published, excerpted, or quoted without Instinet Incorporated's
> prior written consent. Please access the following link for important
> information and instructions: *
> *http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt*
> <http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt>
>
>
> *Securities products and services are provided by locally
> registered brokerage subsidiaries of Instinet Incorporated: Instinet
> Australia Pty Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the
> Australian Securities & Investments Commission; Instinet Canada Limited,
> member IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by
> the Securities and Futures Commission of Hong Kong; Instinet Singapore
> Services Private Limited, regulated by the Monetary Authority of Singapore,
> trading member of The Singapore Exchange Securities Trading Private Limited
> and clearing member of The Central Depository (Pte) Limited; and Instinet,
> LLC, member SIPC. *
>
>
>
> *
> =========================================================================================================
> *
>
>
>
>
> *
> =========================================================================================================
> *
>
> *<<<< Disclaimer >>>>*
>
> *This message is intended solely for use by the named addressee(s).
> If you receive this transmission in error, please immediately notify the
> sender and destroy this message in its entirety, whether in electronic or
> hard copy format. Any unauthorized use (and reliance thereon), copying,
> disclosure, retention, or distribution of this transmission or the material
> in this transmission is forbidden. We reserve the right to monitor and
> archive electronic communications. This material does not constitute an
> offer or solicitation with respect to the purchase or sale of any security.
> It should not be construed to contain any recommendation regarding any
> security or strategy. Any views expressed are those of the individual
> sender, except where the message states otherwise and the sender is
> authorized to state them to be the views of any such entity. This
> communication is provided on an “as is” basis. It contains material that is
> owned by Instinet Incorporated, its subsidiaries or its or their licensors,
> and may not, in whole or in part, be (i) copied, photocopied or duplicated
> in any form, by any means, or (ii) redistributed, posted, published,
> excerpted, or quoted without Instinet Incorporated's prior written consent.
> Please access the following link for important information and
> instructions: *
> *http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt*
> <http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt>
>
> *Securities products and services are provided by locally
> registered brokerage subsidiaries of Instinet Incorporated: Instinet
> Australia Pty Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the
> Australian Securities & Investments Commission; Instinet Canada Limited,
> member IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by
> the Securities and Futures Commission of Hong Kong; Instinet Singapore
> Services Private Limited, regulated by the Monetary Authority of Singapore,
> trading member of The Singapore Exchange Securities Trading Private Limited
> and clearing member of The Central Depository (Pte) Limited; and Instinet,
> LLC, member SIPC. *
>
>
>
> *
> =========================================================================================================
> *
>
>
>
>
> *
> =========================================================================================================
> *
>
> *<<<< Disclaimer >>>>*
>
> *This message is intended solely for use by the named addressee(s). If
> you receive this transmission in error, please immediately notify the
> sender and destroy this message in its entirety, whether in electronic or
> hard copy format. Any unauthorized use (and reliance thereon), copying,
> disclosure, retention, or distribution of this transmission or the material
> in this transmission is forbidden. We reserve the right to monitor and
> archive electronic communications. This material does not constitute an
> offer or solicitation with respect to the purchase or sale of any security.
> It should not be construed to contain any recommendation regarding any
> security or strategy. Any views expressed are those of the individual
> sender, except where the message states otherwise and the sender is
> authorized to state them to be the views of any such entity. This
> communication is provided on an “as is” basis. It contains material that is
> owned by Instinet Incorporated, its subsidiaries or its or their licensors,
> and may not, in whole or in part, be (i) copied, photocopied or duplicated
> in any form, by any means, or (ii) redistributed, posted, published,
> excerpted, or quoted without Instinet Incorporated's prior written consent.
> Please access the following link for important information and
> instructions: *
> *http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt*
> <http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt>
>
> *Securities products and services are provided by locally registered
> brokerage subsidiaries of Instinet Incorporated: Instinet Australia Pty
> Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the Australian
> Securities & Investments Commission; Instinet Canada Limited, member
> IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by the
> Securities and Futures Commission of Hong Kong; Instinet Singapore Services
> Private Limited, regulated by the Monetary Authority of Singapore, trading
> member of The Singapore Exchange Securities Trading Private Limited and
> clearing member of The Central Depository (Pte) Limited; and Instinet, LLC,
> member SIPC. *
>
>
>
> *
> =========================================================================================================
> *
>
>
>
>
>
> =========================================================================================================
>
>
> *<<<< Disclaimer >>>>*
>
> This message is intended solely for use by the named addressee(s). If you
> receive this transmission in error, please immediately notify the sender
> and destroy this message in its entirety, whether in electronic or hard
> copy format. Any unauthorized use (and reliance thereon), copying,
> disclosure, retention, or distribution of this transmission or the material
> in this transmission is forbidden. We reserve the right to monitor and
> archive electronic communications. This material does not constitute an
> offer or solicitation with respect to the purchase or sale of any security.
> It should not be construed to contain any recommendation regarding any
> security or strategy. Any views expressed are those of the individual
> sender, except where the message states otherwise and the sender is
> authorized to state them to be the views of any such entity. This
> communication is provided on an “as is” basis. It contains material that is
> owned by Instinet Incorporated, its subsidiaries or its or their licensors,
> and may not, in whole or in part, be (i) copied, photocopied or duplicated
> in any form, by any means, or (ii) redistributed, posted, published,
> excerpted, or quoted without Instinet Incorporated's prior written consent.
> Please access the following link for important information and
> instructions:
> http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt
>
> Securities products and services are provided by locally registered
> brokerage subsidiaries of Instinet Incorporated: Instinet Australia Pty
> Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the Australian
> Securities & Investments Commission; Instinet Canada Limited, member
> IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by the
> Securities and Futures Commission of Hong Kong; Instinet Singapore Services
> Private Limited, regulated by the Monetary Authority of Singapore, trading
> member of The Singapore Exchange Securities Trading Private Limited and
> clearing member of The Central Depository (Pte) Limited; and Instinet, LLC,
> member SIPC.
>
>
>
> =========================================================================================================
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20150817/37b196fd/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: graycol.gif
Type: image/gif
Size: 105 bytes
Desc: not available
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20150817/37b196fd/attachment.gif>
More information about the tac_plus
mailing list