[tac_plus] Cisco Nexus Authorization problem

John Fraizer john at op-sec.us
Mon Aug 17 20:46:05 UTC 2015


Ahhh... That makes sense.

As a matter of personal opinion, I always enable exec and command auth on
the console with fallback to "none" on our production equipment. That way,
as long as the TACACS+ infrastructure is available, the policy I set in
do_auth.ini is enforced.  If TACACS+ isn't available, we log in as a
defined "local" user and enable manually.  It keeps honest people honest.
;-)

The EOS AAA config I sent you is from my lab which doesn't have console
auth enabled for various reasons.  [ I'm on vacation and didn't feel like
jumping through all VPN + 2FA hoops necessary to log into one of the
production EOS devices. ;-) ]

Glad it's working for you now and it wasn't a bug!

--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/



On Mon, Aug 17, 2015 at 3:14 PM, <Kevin.Cruse at instinet.com> wrote:

> I was connecting to console which does not have authorization enabled.
> It's working now. Thanks for your help!
>
>
>
>
> From: John Fraizer <john at op-sec.us>
> To: "Kevin.Cruse at Instinet.com" <Kevin.Cruse at instinet.com>,
> Cc: Daniel Schmidt <daniel.schmidt at wyo.gov>, "tac_plus at shrubbery.net" <
> tac_plus at shrubbery.net>
> Date: 08/17/2015 02:23 PM
>
> Subject: Re: [tac_plus] Cisco Nexus Authorization problem
> ------------------------------
>
>
>
> Kevin,
>
> I'm not using defined tacacs+ groups in our configuration, so that is a
> variable that could be triggering a bug in AAA authorization, but your
> config is very similar to what we're using:
>
> !
> tacacs-server key 7 <redacted>
> tacacs-server host x.x.x.a
> tacacs-server host x.x.x.b
> !
> aaa authentication login default group tacacs+ local
> aaa authentication enable default group tacacs+ local
> aaa authorization exec default group tacacs+ local
> aaa authorization commands all default group tacacs+ none
> aaa accounting exec default start-stop group tacacs+
> aaa accounting system default start-stop group tacacs+
> aaa accounting commands all default stop-only group tacacs+
> !
>
> Please note though that based on what you sent in your original email,
> your EOS device is not sending AUTH requests for commands.  I only see ACCT
> records being sent:
>
> Here is the AUTH request coming from your Cisco:
>
>    session request from test.router.com sock=5
>    connect from test.router.com [10.11.128.30]
>    Waiting for packet
>    Read AUTHOR size=104
>    validation request from test.router.com
>    PACKET: key=password
>    version 192 (0xc0), type 2, seq no 1, flags 0x1
>    session_id 4255328848 (0xfda32a50), Data length 92 (0x5c)
>    End header
>    type=AUTHOR, priv_lvl=15, authen=1
>    method=none
>    svc=0 user_len=6 port_len=6 rem_addr_len=14
>    arg_cnt=4
>    User:
>    testuser
>    port:
>    tty130
>    rem_addr:
>    10.12.144.108
>    arg[0]: size=13
>    service=shell
>    arg[1]: size=13
>    cmd=configure
>    arg[2]: size=16
>    cmd-arg=terminal
>    arg[3]: size=12
>    cmd-arg=<cr>
>    End packet
>    Writing AUTHOR/FAIL size=18
>    PACKET: key=password
>    version 192 (0xc0), type 2, seq no 2, flags 0x1
>    session_id *4255328848* <4255328848> (0xfda32a50), Data length 6 (0x6)
>    End header
>    type=AUTHOR/REPLY status=16 (AUTHOR/FAIL)
>    msg_len=0, data_len=0 arg_cnt=0
>    msg:
>    data:
>    End packet
>    authorization query for 'testuser' tty130 from test.router.com rejected
>    test.router.com: disconnect
>
>
> ...vs the ACCT record being sent by the EOS device(s):
>
>    session request from Aristalab-1.router.com sock=5
>    connect from Aristalab-1.router.com [10.15.10.18]
>    Waiting for packet
>    Read ACCT size=132
>    validation request from Aristalab-1.router.com
>    PACKET: key=password
>    version 192 (0xc0), type 3, seq no 1, flags 0x1
>    session_id 1288212585 (0x4cc89069), Data length 120 (0x78)
>    End header
>    ACCT, flags=0x4 method=6 priv_lvl=15
>    type=1 svc=1
>    user_len=6 port_len=5 rem_addr_len=0
>    arg_cnt=6
>    User:
>    testuser
>    port:
>    ttyS0
>    rem_addr:
>    arg[0]: size=10
>    task_id=23
>    arg[1]: size=13
>    service=shell
>    arg[2]: size=11
>    priv-lvl=15
>    arg[3]: size=21
>    start_time=1439828061
>    arg[4]: size=12
>    timezone=UTC
>    arg[5]: size=27
>    cmd=configure terminal <cr>
>    End packet
>    Writing ACCT size=17
>    PACKET: key=password
>    version 192 (0xc0), type 3, seq no 2, flags 0x1
>    session_id 1288212585 (0x4cc89069), Data length 5 (0x5)
>    End header
>    ACCT/REPLY status=1
>    msg_len=0 data_len=0
>    msg:
>    data:
>    End packet
>    Aristalab-1.router.com: disconnect
>
>
> So, in effect, where the Cisco device is asking permission to execute the
> command, the EOS device is simply informing the TACACS+ server that the
> command was executed.  It's a matter of ACCOUNT vs AUTHORIZE.
>
> You might want to update your ticket with Arista to include that
> information.  You may also want to try enumerating your TACACS+ servers the
> way I have vs. using an AAA group, just to rule that variable out as the
> vector that is triggering a bug.  I understand that if you've got a large
> EOS deployment, it is non-trivial to push AAA config changes to them all
> but, trust me - it can be done.  I've got a fleet > 2000 EOS devices and I
> just updated their AAA config a few weeks ago.
>
> The safest way to do it would be as follows:
>
> (1) Enumerate the TACACS+ servers outside of the group:
> !
> tacacs-server key 7 <redacted>
> tacacs-server host x.x.x.a
> tacacs-server host x.x.x.b
> !
> Then, update your aaa auth commands as follows:
>
> !
> aaa authorization exec default group tacacs+ local
> aaa authorization commands all default group tacacs+ none
> !
>
> Please let me know if this helps and also update me if Arista identifies a
> bug.  That's information I'd like to have in our "tribal knowledge" store.
>
>
> --
> John Fraizer
> LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
>
>
>
> On Mon, Aug 17, 2015 at 2:03 PM, <Kevin.Cruse at instinet.com> wrote:
>
>    John,
>
>    Here is the configuration from arista:
>
>    Arista1#sh run | i aaa
>    aaa group server tacacs+ CiscoACS
>    aaa authentication login default group CiscoACS local
>    aaa authorization exec default group CiscoACS local
>    aaa authorization commands all default group CiscoACS local
>    aaa accounting exec default start-stop group CiscoACS
>    aaa accounting commands all default start-stop group CiscoACS
>    no aaa root
>    Arista1#
>
>
>    Just FYI - I've configured the command "#aaa authorization
>    config-commands" as well; for some reason it does not show up in the
>    configuration. I opened a ticket with Arista and they've confirmed it
>    should still work, which makes sense as I'm seeing the commands sent to
>    tacplus.
>
>
>    Arista1#sh ver
>    Arista DCS-7124SX-F
>    Software image version: 4.13.11M
>
>
>    Kevin
>
>
>
>
>
>
>    From: John Fraizer <john at op-sec.us>
>    To: "Kevin.Cruse at Instinet.com" <Kevin.Cruse at instinet.com>,
>    Cc: Daniel Schmidt <daniel.schmidt at wyo.gov>, "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
>    Date: 08/17/2015 12:58 PM
>
>
>    Subject: Re: [tac_plus] Cisco Nexus Authorization problem
>    ------------------------------
>
>
>
>    What version of EOS are you running on your Arista device(s)?
>
>    Take a look at the "tab completion" available for "aaa
>    authorization".  Also, if you can provide the output of "show run | i aaa",
>    it will be easier to help you.
>
>    Initially, it looks as if your Arista devices are not configured to
>    authorize commands.  Note that the packet dump shows "ACCT" type for
>    "enable" and "configure terminal" vs. "AUTHOR".
>
>    --
>    John Fraizer
>    LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
>
>
>
>    On Mon, Aug 17, 2015 at 12:21 PM, <Kevin.Cruse at instinet.com> wrote:
>       I am having a strange issue where Cisco devices are being
>       authorized by do_auth properly; however, Arista devices are not.  The
>       Arista device is sending the command to tacplus but the daemon does not send the
>       command to do_auth. I can confirm this since there is no update to the do_auth log
>       when sending commands from Arista. Any ideas?  Everything seems to be
>       working fine except Arista; this is my last hurdle!
>
>
>       CISCO
>
>       connect from test.router.com [10.11.128.30]
>       Waiting for packet
>       Read ACCT size=137
>       validation request from test.router.com
>       PACKET: key=password
>       version 192 (0xc0), type 3, seq no 1, flags 0x1
>       session_id 677254324 (0x285e14b4), Data length 125 (0x7d)
>       End header
>       ACCT, flags=0x4 method=6 priv_lvl=1
>       type=1 svc=1
>       user_len=6 port_len=6 rem_addr_len=14
>       arg_cnt=6
>       User:
>       testuser
>       port:
>       tty130
>       rem_addr:
>       10.12.144.108
>       arg[0]: size=13
>       task_id=41325
>       arg[1]: size=12
>       timezone=EDT
>       arg[2]: size=13
>       service=shell
>       arg[3]: size=21
>       start_time=1439827839
>       arg[4]: size=10
>       priv-lvl=0
>       arg[5]: size=15
>       cmd=enable <cr>
>       End packet
>       Writing ACCT size=17
>       PACKET: key=password
>       version 192 (0xc0), type 3, seq no 2, flags 0x1
>       session_id 677254324 (0x285e14b4), Data length 5 (0x5)
>       End header
>       ACCT/REPLY status=1
>       msg_len=0 data_len=0
>       msg:
>       data:
>       End packet
>       test.router.com: disconnect
>
>
>       session request from test.router.com sock=5
>       connect from test.router.com [10.11.128.30]
>       Waiting for packet
>       Read AUTHOR size=104
>       validation request from test.router.com
>       PACKET: key=password
>       version 192 (0xc0), type 2, seq no 1, flags 0x1
>       session_id 4255328848 (0xfda32a50), Data length 92 (0x5c)
>       End header
>       type=AUTHOR, priv_lvl=15, authen=1
>       method=none
>       svc=0 user_len=6 port_len=6 rem_addr_len=14
>       arg_cnt=4
>       User:
>       testuser
>       port:
>       tty130
>       rem_addr:
>       10.12.144.108
>       arg[0]: size=13
>       service=shell
>       arg[1]: size=13
>       cmd=configure
>       arg[2]: size=16
>       cmd-arg=terminal
>       arg[3]: size=12
>       cmd-arg=<cr>
>       End packet
>       Writing AUTHOR/FAIL size=18
>       PACKET: key=password
>       version 192 (0xc0), type 2, seq no 2, flags 0x1
>       session_id 4255328848 (0xfda32a50), Data length 6 (0x6)
>       End header
>       type=AUTHOR/REPLY status=16 (AUTHOR/FAIL)
>       msg_len=0, data_len=0 arg_cnt=0
>       msg:
>       data:
>       End packet
>       authorization query for 'testuser' tty130 from test.router.com rejected
>       test.router.com: disconnect
>
>
>       ARISTA
>
>       connect from Aristalab-1.router.com [10.15.10.18]
>       Waiting for packet
>       Read ACCT size=119
>       validation request from Aristalab-1.router.com
>       PACKET: key=password
>       version 192 (0xc0), type 3, seq no 1, flags 0x1
>       session_id 1744489531 (0x67facc3b), Data length 107 (0x6b)
>       End header
>       ACCT, flags=0x4 method=6 priv_lvl=1
>       type=1 svc=1
>       user_len=6 port_len=5 rem_addr_len=0
>       arg_cnt=6
>       User:
>       testuser
>       port:
>       ttyS0
>       rem_addr:
>       arg[0]: size=10
>       task_id=22
>       arg[1]: size=13
>       service=shell
>       arg[2]: size=10
>       priv-lvl=1
>       arg[3]: size=21
>       start_time=1439828055
>       arg[4]: size=12
>       timezone=UTC
>       arg[5]: size=15
>       cmd=enable <cr>
>       End packet
>       Writing ACCT size=17
>       PACKET: key=password
>       version 192 (0xc0), type 3, seq no 2, flags 0x1
>       session_id 1744489531 (0x67facc3b), Data length 5 (0x5)
>       End header
>       ACCT/REPLY status=1
>       msg_len=0 data_len=0
>       msg:
>       data:
>       End packet
>       Aristalab-1.router.com: disconnect
>
>
>       session request from Aristalab-1.router.com sock=5
>       connect from Aristalab-1.router.com [10.15.10.18]
>       Waiting for packet
>       Read ACCT size=132
>       validation request from Aristalab-1.router.com
>       PACKET: key=password
>       version 192 (0xc0), type 3, seq no 1, flags 0x1
>       session_id 1288212585 (0x4cc89069), Data length 120 (0x78)
>       End header
>       ACCT, flags=0x4 method=6 priv_lvl=15
>       type=1 svc=1
>       user_len=6 port_len=5 rem_addr_len=0
>       arg_cnt=6
>       User:
>       testuser
>       port:
>       ttyS0
>       rem_addr:
>       arg[0]: size=10
>       task_id=23
>       arg[1]: size=13
>       service=shell
>       arg[2]: size=11
>       priv-lvl=15
>       arg[3]: size=21
>       start_time=1439828061
>       arg[4]: size=12
>       timezone=UTC
>       arg[5]: size=27
>       cmd=configure terminal <cr>
>       End packet
>       Writing ACCT size=17
>       PACKET: key=password
>       version 192 (0xc0), type 3, seq no 2, flags 0x1
>       session_id 1288212585 (0x4cc89069), Data length 5 (0x5)
>       End header
>       ACCT/REPLY status=1
>       msg_len=0 data_len=0
>       msg:
>       data:
>       End packet
>       Aristalab-1.router.com: disconnect
>
>
>       tac_plus.cfg:
>
>
>       group = snm {
>               default service = permit
>               service = exec {
>                       priv-lvl = 15
>               }
>               after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -fix_crs_bug -u $user -d $name -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini"
>       }
>
>
>
>       do_auth.ini:
>
>
>       [snm]
>       host_allow =
>               .*
>       device_permit =
>               .*
>       command_deny =
>               configure.*
>               show controllers vip.*
>       command_permit =
>               show ip.*
>               show interface.*
>               clear counters.*
>               clear qos stat.*
>               clear mls qos int.*
>               disable.*
>               enable.*
>               end.*
>               exit.*
>               logout.*
>               ping.*
>               set length.*
>               show.*
>               skip-page-display.*
>               write network.*
>               write terminal.*
>               write memory.*
>               terminal length.*
>
>
>
>
>
>
>       From: John Fraizer <john at op-sec.us>
>       To: "Kevin.Cruse at Instinet.com" <Kevin.Cruse at instinet.com>,
>       Cc: Daniel Schmidt <daniel.schmidt at wyo.gov>, "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
>       Date: 08/07/2015 12:54 PM
>
>
>       Subject: Re: [tac_plus] Cisco Nexus Authorization problem
>
>       ------------------------------
>
>
>
>       Here is one problem:
>
>       cmd exit does not exist, denied by default
>
>       It looks like you've got default service = deny in your
>       tac_plus.conf.  To use do_auth, you need default service = permit.
>
>       Your after auth line doesn't look right either.
>
>       /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
>
>       You're not giving it the device address or the address of the user
>       attempting to auth.  Try changing the after authorization line in
>       tac_plus.conf to:
>
>       after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -u $user -d $name -l /tmp/do_auth.log -f /usr/local/sbin/tacplus/do_auth.ini"
>
>       Note that this will create a do_auth specific log in
>       /tmp/do_auth.log but, right now - we'll need that for debugging purposes.
>
>       Also remember, you'll need to restart tac_plus for this change to
>       take effect.
>
>       Here is an example tac_plus group that I know to work properly with
>       do_auth.py on CatOS, IOS, IOS-XR, NX-OS, EOS and JUNOS:
>
>       group = doauthaccess {
>               default service = permit
>
>               service = exec {
>                       priv-lvl = 1
>                       optional idletime = 30
>                       optional acl = 2
>                       shell:roles="\"network-operator vdc-operator\""
>               }
>
>               service = junos-exec {
>                       bug-fix = "first pair is lost"
>                       local-user-name = "remote"
>                       allow-commands = "(.*exit)|(show cli auth.*)"
>                       deny-commands = ".*"
>                       allow-configuration = ""
>                       deny-configuration = ""
>               }
>
>               after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -u $user -d $name -l /tmp/do_auth.log -f /usr/local/sbin/tacplus/do_auth.ini"
>       }
>
>
>       One more thing... Looking at your do_auth.ini, you seem to have a
>       space between the commands and ".*" which should not be there.
>
>       For example:
>
>       exit .*
>
>       ...should be:
>
>       exit.*
>
>
>       I posted a complete working tac_plus.conf and do_auth.ini along
>       with the AAA config I use on devices the other day.  Take a look at that
>       post as well.
>
>
>       --
>       John Fraizer
>       LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
>
>
>
>       On Fri, Aug 7, 2015 at 5:16 AM, <Kevin.Cruse at instinet.com> wrote:
>          I will try upgrading to 4.14.5F and see what happens! Thanks.
>
>          Wondering if you are familiar with this error in do_auth
>          execution. I am permitting exit in do_auth.ini; there seems to be some issue with
>          the do_auth script:
>
>          Reading config
>          Version F4.0.4.28 Initialized 1
>          tac_plus server F4.0.4.28 starting
>          socket FD 4 AF 2
>          uid=0 euid=0 gid=0 egid=0 s=23660848
>          connect from router1 [172.28.10.124]
>          Start authorization request
>          do_author: user='testuser'
>          user 'testuser' found
>          authorize_cmd: user=testuser, cmd=exit
>          cmd exit does not exist, denied by default
>          After authorization call: /usr/bin/python
>          /usr/local/sbin/tacplus/do_auth.py -u $user -l
>          /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
>
>
>          substitute: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
>          Dollar substitution: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u testuser -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
>          pid 24672 child exited status 1
>          cmd /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user
>          -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
>          returns 1 (unconditional deny)
>          authorization query for 'testuser' tty130 from router1 rejected
>          connect from router1 [1.1.1.1]
>
>
>          do_auth.ini:
>
>          [users]
>          testuser =
>                  snm
>          [snm]
>          command_deny =
>                  configure .*
>                  show controllers vip .*
>          command_permit =
>                  show ip .*
>                  show interface .*
>                  clear counters .*
>                  clear qos stat .*
>                  clear mls qos int .*
>                  disable .*
>                  enable .*
>                  end .*
>                  exit .*
>                  logout .*
>                  ping .*
>                  set length .*
>                  show .*
>                  skip-page-display .*
>                  write network .*
>                  write terminal .*
>                  write memory .*
>
>
>
>
>
>          From: John Fraizer <john at op-sec.us>
>          To: "Kevin.Cruse at Instinet.com" <Kevin.Cruse at instinet.com>,
>          Cc: Daniel Schmidt <daniel.schmidt at wyo.gov>, "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
>          Date: 08/06/2015 06:54 PM
>          Subject: Re: [tac_plus] Cisco Nexus Authorization problem
>          ------------------------------
>
>
>
>
>          I'm not sure when this command became available in EOS but, at
>          least in 4.14.5F, you will get what you want with:
>
>          aaa authorization commands all default group tacacs+ none
>
>
>          --
>          John Fraizer
>          LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
>
>
>
>          On Thu, Aug 6, 2015 at 1:58 PM, <Kevin.Cruse at instinet.com> wrote:
>             Tried that! Arista only takes this command with no arguments:
>
>             aaa authorization config-commands
>
>             It still didn't work.
>
>             FYI - I just tried the same config with a Cisco router and it works
>             perfectly, running 4.13.11M of EOS.
>
>
>
>             From:   Daniel Schmidt <daniel.schmidt at wyo.gov>
>             To:     Kevin.Cruse at instinet.com,
>             Cc:     Aaron Wasserott <aaron.wasserott at viawest.com>,
>                     "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
>             Date:   08/06/2015 04:09 PM
>             Subject:        Re: [tac_plus] Cisco Nexus Authorization problem
>
>
>
>             This part of the email looks interesting:
>
>             But if you
>             want them in conf t mode but restrict their commands at that
>             level, you
>             need to enable something like this:
>
>             aaa authorization config-commands default group myTacacsGroup
>             local
>
>
> *
>          =========================================================================================================
>          *
>
>          *<<<< Disclaimer >>>>*
>
>          *This message is intended solely for use by the named
>          addressee(s). If you receive this transmission in error, please immediately
>          notify the sender and destroy this message in its entirety, whether in
>          electronic or hard copy format. Any unauthorized use (and reliance
>          thereon), copying, disclosure, retention, or distribution of this
>          transmission or the material in this transmission is forbidden. We reserve
>          the right to monitor and archive electronic communications. This material
>          does not constitute an offer or solicitation with respect to the purchase
>          or sale of any security. It should not be construed to contain any
>          recommendation regarding any security or strategy. Any views expressed are
>          those of the individual sender, except where the message states otherwise
>          and the sender is authorized to state them to be the views of any such
>          entity. This communication is provided on an “as is” basis. It contains
>          material that is owned by Instinet Incorporated, its subsidiaries or its or
>          their licensors, and may not, in whole or in part, be (i) copied,
>          photocopied or duplicated in any form, by any means, or (ii) redistributed,
>          posted, published, excerpted, or quoted without Instinet Incorporated's
>          prior written consent. Please access the following link for important
>          information and instructions: *
>          *http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt*
>          <http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt>
>
>
>          *Securities products and services are provided by locally
>          registered brokerage subsidiaries of Instinet Incorporated: Instinet
>          Australia Pty Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the
>          Australian Securities & Investments Commission; Instinet Canada Limited,
>          member IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by
>          the Securities and Futures Commission of Hong Kong; Instinet Singapore
>          Services Private Limited, regulated by the Monetary Authority of Singapore,
>          trading member of The Singapore Exchange Securities Trading Private Limited
>          and clearing member of The Central Depository (Pte) Limited; and Instinet,
>          LLC, member SIPC. *
>
>
>
> *
>          =========================================================================================================
>          *
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
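The diagnosis John makes by reading the two packet dumps (the Cisco sends an AUTHOR request for "configure terminal" and gets AUTHOR/FAIL; the EOS box only sends an ACCT record for the same command, so do_auth.py never runs) can be turned into a check that runs over a tac_plus debug log. The following is an added example, not code from the thread or from tac_plus/do_auth.py; the log excerpt is constructed in the shape of the dumps quoted above, and its host names and addresses are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the tac_plus debug output quoted in the
# thread; the host names and addresses here are placeholders, not the
# thread's devices.
SAMPLE_LOG = """\
connect from cisco-lab.example.net [192.0.2.10]
Waiting for packet
Read ACCT size=137
ACCT, flags=0x4 method=6 priv_lvl=1
cmd=enable <cr>
End packet
cisco-lab.example.net: disconnect
connect from cisco-lab.example.net [192.0.2.10]
Waiting for packet
Read AUTHOR size=104
type=AUTHOR, priv_lvl=15, authen=1
cmd=configure
cmd-arg=terminal
cmd-arg=<cr>
End packet
Writing AUTHOR/FAIL size=18
cisco-lab.example.net: disconnect
connect from eos-lab.example.net [192.0.2.20]
Waiting for packet
Read ACCT size=132
ACCT, flags=0x4 method=6 priv_lvl=15
cmd=configure terminal <cr>
End packet
eos-lab.example.net: disconnect
"""

CONNECT_RE = re.compile(r"^connect from (\S+) \[([\d.]+)\]")
READ_RE = re.compile(r"^Read (AUTHEN|AUTHOR|ACCT) size=(\d+)")
CMD_RE = re.compile(r"^cmd(?:-arg)?=(.*)$")


def parse_sessions(text):
    """Split a tac_plus debug log into one record per 'connect from' line."""
    sessions = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = CONNECT_RE.match(line)
        if m:
            current = {"host": m.group(1), "ip": m.group(2), "type": None, "cmd": []}
            sessions.append(current)
            continue
        if current is None:
            continue
        m = READ_RE.match(line)
        if m:
            current["type"] = m.group(1)  # packet type the server read
            continue
        m = CMD_RE.match(line)
        if m:
            current["cmd"].append(m.group(1))  # cmd= and cmd-arg= pieces, in order
    return sessions


def command_text(session):
    """Join cmd/cmd-arg pieces back into the command line the device reported."""
    return " ".join(session["cmd"]).replace("<cr>", "").strip()


def devices_without_command_authorization(sessions):
    """Hosts that sent command ACCT records but never a command AUTHOR request.

    A device that only accounts for a command is reporting that it ran, not
    asking permission first, so the server's after-authorization hook
    (do_auth.py in this thread) never sees the command at all.
    """
    seen = defaultdict(set)
    for s in sessions:
        if s["type"] and s["cmd"]:
            seen[s["host"]].add(s["type"])
    return sorted(h for h, t in seen.items() if "ACCT" in t and "AUTHOR" not in t)


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_LOG)
    for s in parsed:
        print(f"{s['host']:22} {s['type']:6} {command_text(s)!r}")
    print("accounting-only hosts:", devices_without_command_authorization(parsed))
```

Run against a real tac_plus debug log (`tac_plus -d 16 -g`, or whatever debug level you already use), any host listed by `devices_without_command_authorization` is a device whose AAA config is accounting for commands without authorizing them, which is exactly the EOS symptom in the thread and worth an alert in a fleet where do_auth.ini is the intended control.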
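John's second point, that `exit .*` with a space before `.*` cannot match the bare command `exit` while `exit.*` can, and that the deny list (`configure.*`) is what produces the AUTHOR/FAIL for "configure terminal" in the Cisco dump, is easy to verify with a small matcher. This is an added example written for this page, not do_auth.py's own code: the ini excerpts are constructed in the layout quoted in the thread, and the evaluation order (deny list first, then permit list, whole-command matching with `re.fullmatch`, unmatched commands denied) is an assumption of the example rather than a description of how do_auth.py is implemented.

```python
import re

# Constructed excerpts in the shape of the do_auth.ini quoted in the thread:
# the first has the stray space before ".*" that the thread calls out, the
# second is the corrected form.
INI_WITH_SPACES = """\
[snm]
command_deny =
        configure .*
command_permit =
        show ip .*
        exit .*
"""

INI_FIXED = """\
[snm]
command_deny =
        configure.*
command_permit =
        show ip.*
        exit.*
"""


def parse_ini(text):
    """Parse the indented-list layout into {section: {key: [pattern, ...]}}."""
    sections = {}
    section = key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            sections[section] = {}
            key = None
        elif not raw[0].isspace() and "=" in line:
            key, _, rest = (part.strip() for part in line.partition("="))
            sections[section][key] = [rest] if rest else []
        elif key is not None:
            sections[section][key].append(line)  # one regex per indented line
    return sections


def authorize(section, command):
    """Deny list first, then permit list; anything unmatched is denied.

    Assumption for this example: each pattern must match the whole command
    (re.fullmatch), so the trailing '.*' in the ini is what allows prefixes.
    """
    for pat in section.get("command_deny", []):
        if re.fullmatch(pat, command):
            return False
    return any(re.fullmatch(pat, command) for pat in section.get("command_permit", []))


if __name__ == "__main__":
    broken = parse_ini(INI_WITH_SPACES)["snm"]
    fixed = parse_ini(INI_FIXED)["snm"]
    for cmd in ("exit", "show ip route", "configure terminal", "reload"):
        print(f"{cmd!r:22} with spaces: {authorize(broken, cmd)!s:5}  fixed: {authorize(fixed, cmd)}")
```

The `exit` row is the one that reproduces the "cmd exit does not exist, denied by default" symptom from Kevin's log: with the space, the permit regex needs at least "exit " followed by anything, so a bare `exit` falls through to the default deny. The `configure terminal` row shows the deny list winning even though `show.*`-style permits would otherwise be broad, which is the behaviour the Cisco AUTHOR/FAIL in the dump reflects.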