[tac_plus] Cisco Nexus Authorization problem

John Fraizer john at op-sec.us
Mon Aug 17 16:58:27 UTC 2015


What version of EOS are you running on your Arista device(s)?

Take a look at the "tab completion" available for "aaa authorization".
Also, if you can provide the output of "show run | i aaa", it will be
easier to help you.

Initially, it looks as if your Arista devices are not configured to
authorize commands.  Note that the packet dump shows "ACCT" type for
"enable" and "configure terminal" vs. "AUTHOR".

--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/



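As an added check for the observation above (example code written for this archive page, not from the thread or from tac_plus), a small parser over constructed debug lines in the same format as the dump quoted later in this thread; it groups shell commands by device and packet type so a device that only ever sends ACCT for its commands stands out:

```python
import re
from collections import defaultdict

# Constructed sample modelled on the tac_plus debug dump quoted in this thread:
# the Cisco box sends an AUTHOR packet for "configure terminal", the Arista only ACCT.
SAMPLE_LOG = """\
connect from test.router.com [10.11.128.30]
Read ACCT size=137
cmd=enable <cr>
End packet
connect from test.router.com [10.11.128.30]
Read AUTHOR size=104
cmd=configure
cmd-arg=terminal
cmd-arg=<cr>
End packet
connect from Aristalab-1.router.com [10.15.10.18]
Read ACCT size=132
cmd=configure terminal <cr>
End packet
"""

CONNECT_RE = re.compile(r"^connect from (\S+) \[")
READ_RE = re.compile(r"^Read (ACCT|AUTHOR) size=")


def parse_commands(log_text):
    """Return {host: {command: set(packet types)}} for shell commands per device."""
    seen = defaultdict(lambda: defaultdict(set))
    host, pkt, words = None, None, []
    for line in log_text.splitlines():
        line = line.strip()
        if m := CONNECT_RE.match(line):
            host = m.group(1)
        elif m := READ_RE.match(line):
            pkt, words = m.group(1), []
        # ACCT carries "cmd=configure terminal <cr>"; AUTHOR splits the same
        # command into "cmd=configure" plus one "cmd-arg=" line per argument.
        elif line.startswith(("cmd=", "cmd-arg=")):
            words.append(line.split("=", 1)[1])
        elif line == "End packet" and pkt and words:
            cmd = " ".join(words).replace("<cr>", "").strip()
            seen[host][cmd].add(pkt)
            pkt, words = None, []
    return seen


def hosts_without_author(seen):
    """Devices whose commands arrived only in accounting packets: they never ask
    the server to authorize, so an after-authorization hook like do_auth never runs."""
    return sorted(h for h, cmds in seen.items()
                  if not any("AUTHOR" in t for t in cmds.values()))
```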
On Mon, Aug 17, 2015 at 12:21 PM, <Kevin.Cruse at instinet.com> wrote:

> I am having a strange issue where Cisco devices are being authorized by
> do_auth properly; however, Arista devices are not.  The Arista device is
> sending the command to tac_plus but the daemon does not send the command to
> do_auth. I can confirm this since there is no update to the do_auth log when
> sending commands from Arista. Any ideas?  Everything seems to be working fine
> except Arista; this is my last hurdle!
>
>
> CISCO
>
> connect from test.router.com [10.11.128.30]
> Waiting for packet
> Read ACCT size=137
> validation request from test.router.com
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 1, flags 0x1
> session_id 677254324 (0x285e14b4), Data length 125 (0x7d)
> End header
> ACCT, flags=0x4 method=6 priv_lvl=1
> type=1 svc=1
> user_len=6 port_len=6 rem_addr_len=14
> arg_cnt=6
> User:
> testuser
> port:
> tty130
> rem_addr:
> 10.12.144.108
> arg[0]: size=13
> task_id=41325
> arg[1]: size=12
> timezone=EDT
> arg[2]: size=13
> service=shell
> arg[3]: size=21
> start_time=1439827839
> arg[4]: size=10
> priv-lvl=0
> arg[5]: size=15
> cmd=enable <cr>
> End packet
> Writing ACCT size=17
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 2, flags 0x1
> session_id 677254324 (0x285e14b4), Data length 5 (0x5)
> End header
> ACCT/REPLY status=1
> msg_len=0 data_len=0
> msg:
> data:
> End packet
> test.router.com: disconnect
>
>
> session request from test.router.com sock=5
> connect from test.router.com [10.11.128.30]
> Waiting for packet
> Read AUTHOR size=104
> validation request from test.router.com
> PACKET: key=password
> version 192 (0xc0), type 2, seq no 1, flags 0x1
> session_id 4255328848 (0xfda32a50), Data length 92 (0x5c)
> End header
> type=AUTHOR, priv_lvl=15, authen=1
> method=none
> svc=0 user_len=6 port_len=6 rem_addr_len=14
> arg_cnt=4
> User:
> testuser
> port:
> tty130
> rem_addr:
> 10.12.144.108
> arg[0]: size=13
> service=shell
> arg[1]: size=13
> cmd=configure
> arg[2]: size=16
> cmd-arg=terminal
> arg[3]: size=12
> cmd-arg=<cr>
> End packet
> Writing AUTHOR/FAIL size=18
> PACKET: key=password
> version 192 (0xc0), type 2, seq no 2, flags 0x1
> session_id 4255328848 (0xfda32a50), Data length 6 (0x6)
> End header
> type=AUTHOR/REPLY status=16 (AUTHOR/FAIL)
> msg_len=0, data_len=0 arg_cnt=0
> msg:
> data:
> End packet
> authorization query for 'testuser' tty130 from test.router.com rejected
> test.router.com: disconnect
>
>
> ARISTA
>
> connect from Aristalab-1.router.com [10.15.10.18]
> Waiting for packet
> Read ACCT size=119
> validation request from Aristalab-1.router.com
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 1, flags 0x1
> session_id 1744489531 (0x67facc3b), Data length 107 (0x6b)
> End header
> ACCT, flags=0x4 method=6 priv_lvl=1
> type=1 svc=1
> user_len=6 port_len=5 rem_addr_len=0
> arg_cnt=6
> User:
> testuser
> port:
> ttyS0
> rem_addr:
> arg[0]: size=10
> task_id=22
> arg[1]: size=13
> service=shell
> arg[2]: size=10
> priv-lvl=1
> arg[3]: size=21
> start_time=1439828055
> arg[4]: size=12
> timezone=UTC
> arg[5]: size=15
> cmd=enable <cr>
> End packet
> Writing ACCT size=17
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 2, flags 0x1
> session_id 1744489531 (0x67facc3b), Data length 5 (0x5)
> End header
> ACCT/REPLY status=1
> msg_len=0 data_len=0
> msg:
> data:
> End packet
> Aristalab-1.router.com: disconnect
>
>
> session request from Aristalab-1.router.com sock=5
> connect from Aristalab-1.router.com [10.15.10.18]
> Waiting for packet
> Read ACCT size=132
> validation request from Aristalab-1.router.com
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 1, flags 0x1
> session_id 1288212585 (0x4cc89069), Data length 120 (0x78)
> End header
> ACCT, flags=0x4 method=6 priv_lvl=15
> type=1 svc=1
> user_len=6 port_len=5 rem_addr_len=0
> arg_cnt=6
> User:
> testuser
> port:
> ttyS0
> rem_addr:
> arg[0]: size=10
> task_id=23
> arg[1]: size=13
> service=shell
> arg[2]: size=11
> priv-lvl=15
> arg[3]: size=21
> start_time=1439828061
> arg[4]: size=12
> timezone=UTC
> arg[5]: size=27
> cmd=configure terminal <cr>
> End packet
> Writing ACCT size=17
> PACKET: key=password
> version 192 (0xc0), type 3, seq no 2, flags 0x1
> session_id 1288212585 (0x4cc89069), Data length 5 (0x5)
> End header
> ACCT/REPLY status=1
> msg_len=0 data_len=0
> msg:
> data:
> End packet
> Aristalab-1.router.com: disconnect
>
>
> tac_plus.cfg:
>
>
>  group = snm {
>         default service = permit
>         service = exec {
>         priv-lvl = 15
>         }
>         after authorization "/usr/bin/python
> /usr/local/sbin/tacplus/do_auth.py -i $address -fix_crs_bug -u $user -d
> $name -l /var/log/tacacs/do_auth_log.txt -f
> /usr/local/sbin/tacplus/do_auth.ini"
>
>  }
>
>
>
> do_auth.ini:
>
>
> [snm]
> host_allow =
>         .*
> device_permit =
>         .*
> command_deny =
>         configure.*
>         show controllers vip.*
> command_permit =
>         show ip.*
>         show interface.*
>         clear counters.*
>         clear qos stat.*
>         clear mls qos int.*
>         disable.*
>         enable.*
>         end.*
>         exit.*
>         logout.*
>         ping.*
>         set length.*
>         show.*
>         skip-page-display.*
>         write network.*
>         write terminal.*
>         write memory.*
>         terminal length.*
>
>
>
>
>
>
> From: John Fraizer <john at op-sec.us>
> To: "Kevin.Cruse at Instinet.com" <Kevin.Cruse at instinet.com>,
> Cc: Daniel Schmidt <daniel.schmidt at wyo.gov>, "tac_plus at shrubbery.net" <
> tac_plus at shrubbery.net>
> Date: 08/07/2015 12:54 PM
>
> Subject: Re: [tac_plus] Cisco Nexus Authorization problem
> ------------------------------
>
>
>
> Here is one problem:
>
> cmd exit does not exist, denied by default
>
> It looks like you've got default service = deny in your tac_plus.conf.  To
> use do_auth, you need default service = permit.
>
> Your after auth line doesn't look right either.
>
> /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user -l
> /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
>
> You're not giving it the device address or the address of the user
> attempting to auth.  Try changing the after authorization line in
> tac_plus.conf to:
>
> after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py
> -i $address -u $user -d $name -l /tmp/do_auth.log -f
> /usr/local/sbin/tacplus/do_auth.ini"
>
> Note that this will create a do_auth specific log in /tmp/do_auth.log but,
> right now - we'll need that for debugging purposes.
>
> Also remember, you'll need to restart tac_plus for this change to take
> effect.
>
> Here is an example tac_plus group that I know to work properly with
> do_auth.py on CatOS, IOS, IOS-XR, NX-OS, EOS and JUNOS:
>
> group = doauthaccess {
>         default service = permit
>
>         service = exec {
>                 priv-lvl = 1
>                 optional idletime = 30
>                 optional acl = 2
>                 shell:roles="\"network-operator vdc-operator\""
>                 }
>
>         service = junos-exec {
>                 bug-fix = "first pair is lost"
>                 local-user-name = "remote"
>                 allow-commands = "(.*exit)|(show cli auth.*)"
>                 deny-commands = ".*"
>                 allow-configuration = ""
>                 deny-configuration = ""
>                 }
> after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i
> $address -u $user -d $name -l /tmp/do_auth.log -f
> /usr/local/sbin/tacplus/do_auth.ini"
> }
>
>
> One more thing... Looking at your do_auth.ini, you seem to have a space
> between the commands and ".*" which should not be there.
>
> For example:
>
> exit .*
>
> ...should be:
>
> exit.*
>
>
> I posted a complete working tac_plus.conf and do_auth.ini along with the
> AAA config I use on devices the other day.  Take a look at that post as
> well.
>
>
> --
> John Fraizer
> LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
>
>
>
> On Fri, Aug 7, 2015 at 5:16 AM, <Kevin.Cruse at instinet.com> wrote:
>
>    I will try upgrading to 4.14.5F and see what happens! Thanks.
>
>    Wondering if you are familiar with this error in do_auth execution; I
>    am permitting exit in do_auth.ini. Seems to be some issue with the do_auth
>    script:
>
>    Reading config
>    Version F4.0.4.28 Initialized 1
>    tac_plus server F4.0.4.28 starting
>    socket FD 4 AF 2
>    uid=0 euid=0 gid=0 egid=0 s=23660848
>    connect from router1 [172.28.10.124]
>    Start authorization request
>    do_author: user='testuser'
>    user 'testuser' found
>    authorize_cmd: user=testuser, cmd=exit
>    cmd exit does not exist, denied by default
>    After authorization call: /usr/bin/python
>    /usr/local/sbin/tacplus/do_auth.py -u $user -l
>    /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
>
>
>    substitute: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user
>    -l /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
>    Dollar substitution: /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u
>    testuser -l /var/log/tacacs/do_auth_log.txt -f
>    /usr/local/sbin/tacplus/do_auth.ini pid 24672 child exited status 1
>    cmd /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -u $user -l
>    /var/log/tacacs/do_auth_log.txt -f /usr/local/sbin/tacplus/do_auth.ini
>    returns 1 (unconditional deny)
>    authorization query for 'testuser' tty130 from router1 rejected
>    connect from router1 [1.1.1.1]
>
>
>    do_auth.ini:
>
>    [users]
>    testuser =
>            snm
>    [snm]
>    command_deny =
>            configure .*
>            show controllers vip .*
>    command_permit =
>            show ip .*
>            show interface .*
>            clear counters .*
>            clear qos stat .*
>            clear mls qos int .*
>            disable .*
>            enable .*
>            end .*
>            exit .*
>            logout .*
>            ping .*
>            set length .*
>            show .*
>            skip-page-display .*
>            write network .*
>            write terminal .*
>            write memory .*
>
>
>
>
>
>    From: John Fraizer <john at op-sec.us>
>    To: "Kevin.Cruse at Instinet.com" <Kevin.Cruse at instinet.com>,
>    Cc: Daniel Schmidt <daniel.schmidt at wyo.gov>,
>    "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
>    Date: 08/06/2015 06:54 PM
>    Subject: Re: [tac_plus] Cisco Nexus Authorization problem
>    ------------------------------
>
>
>
>
>    I'm not sure when this command became available in EOS but, at least
>    in 4.14.5F, you will get what you want with:
>
>    aaa authorization commands all default group tacacs+ none
>
>
>    --
>    John Fraizer
>    LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
>
>
>
>    On Thu, Aug 6, 2015 at 1:58 PM, <Kevin.Cruse at instinet.com> wrote:
>       Tried that! Arista only takes this command with no arguments:
>
>       aaa authorization config-commands
>
>       It still didn't work.
>
>       FYI - I just tried the same config with a Cisco router and it works
>       perfectly,
>       running 4.13.11M of EOS.
>
>
>
>       From:   Daniel Schmidt <*daniel.schmidt at wyo.gov*
>       <daniel.schmidt at wyo.gov>>
>       To:     *Kevin.Cruse at instinet.com* <Kevin.Cruse at instinet.com>,
>       Cc:     Aaron Wasserott <*aaron.wasserott at viawest.com*
>       <aaron.wasserott at viawest.com>>,
>                   "*tac_plus at shrubbery.net* <tac_plus at shrubbery.net>" <
>       *tac_plus at shrubbery.net* <tac_plus at shrubbery.net>>
>       Date:   08/06/2015 04:09 PM
>       Subject:        Re: [tac_plus] Cisco Nexus Authorization problem
>
>
>
>       This part of the email looks interesting:
>
>       But if you
>       want them in conf t mode but restrict their commands at that level,
>       you
>       need to enable something like this:
>
>       aaa authorization config-commands default group myTacacsGroup local
>
>
>
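The matching pitfall John points out in the thread above ("exit .*" versus "exit.*") worked through as an added example. This is not do_auth.py's code; it approximates the behaviour under stated assumptions: patterns are tried with re.match from the start of the command, a deny match wins over permit, and an unmatched command is denied.

```python
import configparser
import re

# Constructed ini laid out like the do_auth.ini quoted in this thread; the
# second group repeats the list with the stray space before ".*".
SAMPLE_INI = """\
[snm]
command_deny =
        configure.*
        show controllers vip.*
command_permit =
        show.*
        enable.*
        exit.*

[snm_spaced]
command_deny =
        configure .*
command_permit =
        show .*
        enable .*
        exit .*
"""


def load_lists(ini_text, group):
    """Return (deny, permit) pattern lists for one group, blank lines dropped."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)

    def lines(key):
        return [l.strip() for l in cp[group].get(key, "").splitlines() if l.strip()]
    return lines("command_deny"), lines("command_permit")


def build_command(cmd, args=()):
    """Join an AUTHOR packet's cmd and cmd-arg values into one string; the dump
    shows "cmd=configure", "cmd-arg=terminal", "cmd-arg=<cr>" for one command."""
    return " ".join([cmd] + [a for a in args if a != "<cr>"])


def authorize(command, deny, permit):
    """Assumed rules: patterns are matched from the start of the command with
    re.match, a deny match wins over permit, and an unmatched command is denied."""
    if any(re.match(p, command) for p in deny):
        return False
    return any(re.match(p, command) for p in permit)


def decide(ini_text, group, cmd, args=()):
    deny, permit = load_lists(ini_text, group)
    return authorize(build_command(cmd, args), deny, permit)
```

With the spaced patterns a bare "exit" or "enable" never matches, because "exit .*" requires a space after the word, which is exactly the command the device sends.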