From mahafaye at gmail.com Thu Jul 2 14:42:36 2015
From: mahafaye at gmail.com (Mohamed Faye)
Date: Thu, 2 Jul 2015 14:42:36 +0000
Subject: [tac_plus] tac_plus error
Message-ID:

Hi All,

I need help with my tac_plus. I started installing it yesterday after following a blog, which was OK, but I ran into the below error and since then I am not seeing any logging for tac_plus.

root at tacacs-srv:~# tail -f /var/log/tac_plus.log
Wed Jul 1 18:19:01 2015 [1620]: session.peerip is 192.168.70.5
Wed Jul 1 18:19:01 2015 [1759]: connect from 192.168.70.5 [192.168.70.5]
Wed Jul 1 18:19:06 2015 [1759]: Error 192.168.70.5: Illegal major version specified: found 13 wanted 192

Regards,
Mohamed

From acruhl at gmail.com Thu Jul 2 17:57:59 2015
From: acruhl at gmail.com (Andy Ruhl)
Date: Thu, 2 Jul 2015 10:57:59 -0700
Subject: [tac_plus] tac_plus error
In-Reply-To:
References:
Message-ID:

On Thu, Jul 2, 2015 at 7:42 AM, Mohamed Faye wrote:
> Hi All,
>
> I need help with my tac_plus. I started installing it yesterday after
> following a blog, which was OK, but I ran into the below error and since
> then I am not seeing any logging for tac_plus.
>
> root at tacacs-srv:~# tail -f /var/log/tac_plus.log
> Wed Jul 1 18:19:01 2015 [1620]: session.peerip is 192.168.70.5
> Wed Jul 1 18:19:01 2015 [1759]: connect from 192.168.70.5 [192.168.70.5]
> Wed Jul 1 18:19:06 2015 [1759]: Error 192.168.70.5: Illegal major version
> specified: found 13 wanted 192

Try starting it up in the foreground with debugging on, something like this:

tac_plus -g -d 8 -C /etc/tac_plus.conf

Then let the machine connect again and send the output.

I don't know that much about tac_plus but maybe someone else will see the problem.
Andy

From heas at shrubbery.net Thu Jul 2 18:10:15 2015
From: heas at shrubbery.net (heasley)
Date: Thu, 2 Jul 2015 18:10:15 +0000
Subject: [tac_plus] tac_plus error
In-Reply-To:
References:
Message-ID: <20150702181014.GC90995@shrubbery.net>

Thu, Jul 02, 2015 at 02:42:36PM +0000, Mohamed Faye:
> Hi All,
>
> I need help with my tac_plus. I started installing it yesterday after
> following a blog, which was OK, but I ran into the below error and since
> then I am not seeing any logging for tac_plus.
>
> root at tacacs-srv:~# tail -f /var/log/tac_plus.log
> Wed Jul 1 18:19:01 2015 [1620]: session.peerip is 192.168.70.5
> Wed Jul 1 18:19:01 2015 [1759]: connect from 192.168.70.5 [192.168.70.5]
> Wed Jul 1 18:19:06 2015 [1759]: Error 192.168.70.5: Illegal major version
> specified: found 13 wanted 192

you didn't mention what the client is, but I suspect a client bug or a misconfigured encryption key.

From mahafaye at gmail.com Thu Jul 2 18:09:38 2015
From: mahafaye at gmail.com (Mohamed Faye)
Date: Thu, 2 Jul 2015 18:09:38 +0000
Subject: [tac_plus] tac_plus error
In-Reply-To:
References:
Message-ID:

Hi Andy,

Below is what I got after running the command.
root at tacacs-srv:~# tac_plus -g -d 8 -C /etc/tacacs/tac_plus.conf
Reading config
Version F4.0.4.26 Initialized 1
tac_plus server F4.0.4.26 starting
get_socket: bind 49 Address already in use
root at tacacs-srv:~#

On Thu, Jul 2, 2015 at 5:57 PM, Andy Ruhl wrote:
> On Thu, Jul 2, 2015 at 7:42 AM, Mohamed Faye wrote:
> > Hi All,
> >
> > I need help with my tac_plus. I started installing it yesterday after
> > following a blog, which was OK, but I ran into the below error and since
> > then I am not seeing any logging for tac_plus.
> >
> > root at tacacs-srv:~# tail -f /var/log/tac_plus.log
> > Wed Jul 1 18:19:01 2015 [1620]: session.peerip is 192.168.70.5
> > Wed Jul 1 18:19:01 2015 [1759]: connect from 192.168.70.5 [192.168.70.5]
> > Wed Jul 1 18:19:06 2015 [1759]: Error 192.168.70.5: Illegal major
> > version specified: found 13 wanted 192
>
> Try starting it up in the foreground with debugging on, something like
> this:
>
> tac_plus -g -d 8 -C /etc/tac_plus.conf
>
> Then let the machine connect again and send the output.
>
> I don't know that much about tac_plus but maybe someone else will see
> the problem.
>
> Andy

From acruhl at gmail.com Thu Jul 2 18:21:21 2015
From: acruhl at gmail.com (Andy Ruhl)
Date: Thu, 2 Jul 2015 11:21:21 -0700
Subject: [tac_plus] tac_plus error
In-Reply-To:
References:
Message-ID:

On Thu, Jul 2, 2015 at 11:09 AM, Mohamed Faye wrote:
> Hi Andy,
>
> Below is what I got after running the command.
>
> root at tacacs-srv:~# tac_plus -g -d 8 -C /etc/tacacs/tac_plus.conf
> Reading config
> Version F4.0.4.26 Initialized 1
> tac_plus server F4.0.4.26 starting
> get_socket: bind 49 Address already in use
> root at tacacs-srv:~#

You have to stop your currently running tac_plus instance. The reason it can't bind to port 49 is because another tac_plus is already running.
Andy

From mahafaye at gmail.com Thu Jul 2 18:21:32 2015
From: mahafaye at gmail.com (Mohamed Faye)
Date: Thu, 2 Jul 2015 18:21:32 +0000
Subject: [tac_plus] tac_plus error
In-Reply-To: <20150702181014.GC90995@shrubbery.net>
References: <20150702181014.GC90995@shrubbery.net>
Message-ID:

I am using Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1), and my tac_plus version is F4.0.4.26.

Right now I am not even seeing anything coming into the tac_plus server when I do tail -f /var/log/tac_plus.conf.

thanks
Mohamed

On Thu, Jul 2, 2015 at 6:10 PM, heasley wrote:
> Thu, Jul 02, 2015 at 02:42:36PM +0000, Mohamed Faye:
> > Hi All,
> >
> > I need help with my tac_plus. I started installing it yesterday after
> > following a blog, which was OK, but I ran into the below error and since
> > then I am not seeing any logging for tac_plus.
> >
> > root at tacacs-srv:~# tail -f /var/log/tac_plus.log
> > Wed Jul 1 18:19:01 2015 [1620]: session.peerip is 192.168.70.5
> > Wed Jul 1 18:19:01 2015 [1759]: connect from 192.168.70.5 [192.168.70.5]
> > Wed Jul 1 18:19:06 2015 [1759]: Error 192.168.70.5: Illegal major
> > version specified: found 13 wanted 192
>
> you didn't mention what the client is, but I suspect a client bug or a
> misconfigured encryption key.

From mahafaye at gmail.com Thu Jul 2 18:32:03 2015
From: mahafaye at gmail.com (Mohamed Faye)
Date: Thu, 2 Jul 2015 18:32:03 +0000
Subject: [tac_plus] tac_plus error
In-Reply-To:
References:
Message-ID:

I have started it properly now but I am not receiving any log from the switch to the tac_plus server. See below.
root at tacacs-srv:~# tac_plus -g -d 8 -C /etc/tacacs/tac_plus.conf
Reading config
Version F4.0.4.26 Initialized 1
tac_plus server F4.0.4.26 starting
uid=0 euid=0 gid=0 egid=0 s=4

On Thu, Jul 2, 2015 at 6:21 PM, Andy Ruhl wrote:
> On Thu, Jul 2, 2015 at 11:09 AM, Mohamed Faye wrote:
> > Hi Andy,
> >
> > Below is what I got after running the command.
> >
> > root at tacacs-srv:~# tac_plus -g -d 8 -C /etc/tacacs/tac_plus.conf
> > Reading config
> > Version F4.0.4.26 Initialized 1
> > tac_plus server F4.0.4.26 starting
> > get_socket: bind 49 Address already in use
> > root at tacacs-srv:~#
>
> You have to stop your currently running tac_plus instance. The reason
> it can't bind to port 49 is because another tac_plus is already
> running.
>
> Andy

From mahafaye at gmail.com Tue Jul 7 18:39:31 2015
From: mahafaye at gmail.com (Mohamed Faye)
Date: Tue, 7 Jul 2015 18:39:31 +0000
Subject: [tac_plus] tac_plus error
In-Reply-To:
References:
Message-ID:

Hi All,

I got my tacacs working now but I have a few other problems alongside it.

1. tacacs is not using the /etc/passwd to authenticate users.
2. it's saying "% Authorization failed."

Regards,
Mohamed

On Thu, Jul 2, 2015 at 6:32 PM, Mohamed Faye wrote:
> I have started it properly now but I am not receiving any log from the
> switch to the tac_plus server. See below.
>
> root at tacacs-srv:~# tac_plus -g -d 8 -C /etc/tacacs/tac_plus.conf
> Reading config
> Version F4.0.4.26 Initialized 1
> tac_plus server F4.0.4.26 starting
> uid=0 euid=0 gid=0 egid=0 s=4
>
> On Thu, Jul 2, 2015 at 6:21 PM, Andy Ruhl wrote:
>
>> On Thu, Jul 2, 2015 at 11:09 AM, Mohamed Faye wrote:
>> > Hi Andy,
>> >
>> > Below is what I got after running the command.
>> >
>> > root at tacacs-srv:~# tac_plus -g -d 8 -C /etc/tacacs/tac_plus.conf
>> > Reading config
>> > Version F4.0.4.26 Initialized 1
>> > tac_plus server F4.0.4.26 starting
>> > get_socket: bind 49 Address already in use
>> > root at tacacs-srv:~#
>>
>> You have to stop your currently running tac_plus instance. The reason
>> it can't bind to port 49 is because another tac_plus is already
>> running.
>>
>> Andy
>

From Kevin.Cruse at Instinet.com Thu Jul 16 21:39:43 2015
From: Kevin.Cruse at Instinet.com (Kevin.Cruse at Instinet.com)
Date: Thu, 16 Jul 2015 17:39:43 -0400
Subject: [tac_plus] Cisco Nexus Authorization problem
Message-ID:

Hello

I have configured TACPLUS to work with a Cisco Nexus device. I am able to successfully authenticate; however, I am able to run all commands on the router. It seems the router is not restricted to the commands specified in my group config. Has anyone gotten Cisco Nexus to work properly with tacplus? I need to limit certain users and cannot get this working properly. Any help is greatly appreciated!!! Thanks.

Group Config:

group = snm {
    default service = deny
    service = shell {
        set shell:roles="\"network-admin\""
        default command = deny
        default attribute = deny
        set priv-lvl = 15
        cmd = configure {deny .*}
        cmd = clear {
            permit "counters"
            permit "qos stat"
            permit "mls qos int"
        }
        cmd = disable {permit .*}
        cmd = enable {permit .*}
        cmd = end {permit .*}
        cmd = exit {permit .*}
        cmd = logout {permit .*}
        cmd = ping {permit .*}
        cmd = set {
            permit "length 0"
        }
        cmd = show {
            deny "controllers vip"
            permit .*
        }
        cmd = skip-page-display {permit .*}
        cmd = terminal {
            permit "length 0"
        }
        cmd = write {
            permit "network"
            permit "terminal"
            permit "memory"
        }
    }
}

user = testuser {
    member = snm
}

Session output from router:

telnet labrouter
Trying labrouter...
Connected to labrouter.
Escape character is '^]'.
User Access Verification
login: testuser
Password:
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2014, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
LABROUTER# configure                                 <---- This should be denied
Enter configuration commands, one per line. End with CNTL/Z.
LABROUTER(config)# interface ethernet 1/1 configure  <---- This should be denied
LABROUTER(config-if)# shut                           <---- This should be denied
LABROUTER(config-if)# no shut                        <---- This should be denied
LABROUTER(config-if)# end
LABROUTER#

=========================================================================================================
<<<< Disclaimer >>>> This message is intended solely for use by the named addressee(s). If you receive this transmission in error, please immediately notify the sender and destroy this message in its entirety, whether in electronic or hard copy format. Any unauthorized use (and reliance thereon), copying, disclosure, retention, or distribution of this transmission or the material in this transmission is forbidden. We reserve the right to monitor and archive electronic communications. This material does not constitute an offer or solicitation with respect to the purchase or sale of any security.
It should not be construed to contain any recommendation regarding any security or strategy. Any views expressed are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. This communication is provided on an "as is" basis. It contains material that is owned by Instinet Incorporated, its subsidiaries or its or their licensors, and may not, in whole or in part, be (i) copied, photocopied or duplicated in any form, by any means, or (ii) redistributed, posted, published, excerpted, or quoted without Instinet Incorporated's prior written consent. Please access the following link for important information and instructions: http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt Securities products and services are provided by locally registered brokerage subsidiaries of Instinet Incorporated: Instinet Australia Pty Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the Australian Securities & Investments Commission; Instinet Canada Limited, member IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by the Securities and Futures Commission of Hong Kong; Instinet Singapore Services Private Limited, regulated by the Monetary Authority of Singapore, trading member of The Singapore Exchange Securities Trading Private Limited and clearing member of The Central Depository (Pte) Limited; and Instinet, LLC, member SIPC.
=========================================================================================================
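Going back to the first thread on this page, the numbers in "Illegal major version specified: found 13 wanted 192" come straight from the 12-byte TACACS+ packet header. tac_plus masks the first header byte with 0xf0 and compares it with 0xc0 (decimal 192: the protocol's major version 0xc in the high nibble); the "found" value is the whole first byte the client sent, so 13 means the peer's first byte was 0x0d. The header is sent in cleartext; only the packet body is obfuscated, by XOR with an MD5-derived pad that is keyed by the shared secret (RFC 8907 section 4.5), which is why a wrong key shows up as a garbled body rather than as a header error. The Python below is an added example, not code from tac_plus or from anyone in the thread: it parses the header, applies the same major-version check, and builds and decodes a constructed authentication START packet with the RFC 8907 pad. The session id, username and the two keys ("s3cret" and "s3cre7") are made-up values.

```python
"""
Added example (not tac_plus code): parse the cleartext TACACS+ header, apply
the major-version check behind the "Illegal major version" log line, and
obfuscate/deobfuscate a packet body with the RFC 8907 MD5 pseudo-pad.
All packet contents, keys and names below are constructed for the demo.
"""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC0         # major version 0xc in the high nibble; logged as 192
TAC_PLUS_MAJOR_VER_MASK = 0xF0    # only the high nibble is compared
TAC_PLUS_MINOR_VER_DEFAULT = 0x00
TAC_PLUS_AUTHEN = 0x01            # header "type" for authentication packets
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body sent without obfuscation
HEADER_FMT = "!BBBBII"            # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes


def check_major_version(version):
    """Same test tac_plus makes; returns the log text on failure, None if OK."""
    if (version & TAC_PLUS_MAJOR_VER_MASK) != TAC_PLUS_MAJOR_VER:
        return "Illegal major version specified: found %d wanted %d" % (
            version, TAC_PLUS_MAJOR_VER)
    return None


def parse_header(data):
    """Unpack the 12-byte cleartext header into a dict."""
    if len(data) < HEADER_LEN:
        raise ValueError("short packet: %d bytes" % len(data))
    fields = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    names = ("version", "type", "seq_no", "flags", "session_id", "length")
    return dict(zip(names, fields))


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); the digests are
    concatenated and truncated to the body length."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call deobfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id, key, user, port="tty0", rem_addr="192.0.2.10"):
    """Constructed authentication START (RFC 8907 section 5.1): action LOGIN,
    priv_lvl 1, authen_type ASCII, service LOGIN, then the variable fields."""
    user, port, rem_addr = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!BBBBBBBB", 0x01, 1, 0x01, 0x01,
                       len(user), len(port), len(rem_addr), 0)
    body += user + port + rem_addr
    version = TAC_PLUS_MAJOR_VER | TAC_PLUS_MINOR_VER_DEFAULT
    seq_no = 1
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHEN, seq_no, 0,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def server_receive(packet, key):
    """Server-side order of operations: read the cleartext header, run the
    version check, then deobfuscate the body with the configured key.
    Returns (error_text_or_None, body_or_None)."""
    hdr = parse_header(packet)
    err = check_major_version(hdr["version"])
    if err is not None:
        return err, None
    body = packet[HEADER_LEN:HEADER_LEN + hdr["length"]]
    if not (hdr["flags"] & TAC_PLUS_UNENCRYPTED_FLAG):
        body = obfuscate(body, hdr["session_id"], key, hdr["version"], hdr["seq_no"])
    return None, body


def start_username(body):
    """Pull the user field out of a decoded START body (empty if too short)."""
    if len(body) < 8:
        return b""
    return body[8:8 + body[4]]


if __name__ == "__main__":
    good_key, wrong_key = b"s3cret", b"s3cre7"       # made-up shared secrets
    pkt = build_authen_start(0x1A2B3C4D, good_key, "admin")
    print(server_receive(pkt, good_key))             # header OK, body decodes
    print(server_receive(pkt, wrong_key))            # header OK, body is garbage
    bogus = bytes([0x0D]) + b"\x00" * 11             # not a TACACS+ header at all
    print(server_receive(bogus, good_key)[0])        # the log line from the thread
```

With the matching key the decoded body yields the username; with the wrong key the header still parses and the version check still passes, and only the body comes out as noise. The exact log line from the thread is produced only when the first byte itself is wrong, as with the constructed 0x0d packet.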
From aaron.wasserott at viawest.com Fri Jul 17 01:26:26 2015
From: aaron.wasserott at viawest.com (Aaron Wasserott)
Date: Fri, 17 Jul 2015 01:26:26 +0000
Subject: [tac_plus] Cisco Nexus Authorization problem
In-Reply-To:
References:
Message-ID: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B92A28@mbx030-w1-co-6.exch030.domain.local>

Try changing "service = shell" to "service = exec" and see if that works. I have NX-OS working fine using that.

Also, I have never seen the shell service used in real-world examples for network devices. But reading the manpage it appears it should work to prevent them from entering configuration mode, as long as your AAA commands are set right.

    service=shell for exec startup, and also for command authorizations.
    Requires: aaa authorization exec tacacs+

    Whether authorization happens, and at which prompt level, depends on
    the aaa authorization settings.

It's possible to only restrict exec level commands, and prevent them from entering the 'conf t' command. But if you want them in conf t mode but restrict their commands at that level, you need to enable something like this:

aaa authorization config-commands default group myTacacsGroup local

If changing the service doesn't work, include the AAA commands on your NX-OS switches.

-----Original Message-----
From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Kevin.Cruse at Instinet.com
Sent: Thursday, July 16, 2015 3:40 PM
To: tac_plus at shrubbery.net
Subject: [tac_plus] Cisco Nexus Authorization problem

Hello

I have configured TACPLUS to work with a Cisco Nexus device. I am able to successfully authenticate; however, I am able to run all commands on the router. It seems the router is not restricted to the commands specified in my group config. Has anyone gotten Cisco Nexus to work properly with tacplus? I need to limit certain users and cannot get this working properly. Any help is greatly appreciated!!! Thanks.
Group Config:

group = snm {
    default service = deny
    service = shell {
        set shell:roles="\"network-admin\""
        default command = deny
        default attribute = deny
        set priv-lvl = 15
        cmd = configure {deny .*}
        cmd = clear {
            permit "counters"
            permit "qos stat"
            permit "mls qos int"
        }
        cmd = disable {permit .*}
        cmd = enable {permit .*}
        cmd = end {permit .*}
        cmd = exit {permit .*}
        cmd = logout {permit .*}
        cmd = ping {permit .*}
        cmd = set {
            permit "length 0"
        }
        cmd = show {
            deny "controllers vip"
            permit .*
        }
        cmd = skip-page-display {permit .*}
        cmd = terminal {
            permit "length 0"
        }
        cmd = write {
            permit "network"
            permit "terminal"
            permit "memory"
        }
    }
}

user = testuser {
    member = snm
}

Session output from router:

telnet labrouter
Trying labrouter...
Connected to labrouter.
Escape character is '^]'.
User Access Verification
login: testuser
Password:
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2014, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
LABROUTER# configure                                 <---- This should be denied
Enter configuration commands, one per line. End with CNTL/Z.
LABROUTER(config)# interface ethernet 1/1 configure  <---- This should be denied
LABROUTER(config-if)# shut                           <---- This should be denied
LABROUTER(config-if)# no shut                        <---- This should be denied
LABROUTER(config-if)# end
LABROUTER#
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo/tac_plus

This message contains information that may be confidential, privileged or otherwise protected by law from disclosure. It is intended for the exclusive use of the addressee(s). Unless you are the addressee or authorized agent of the addressee, you may not review, copy, distribute or disclose to anyone the message or any information contained within. If you have received this message in error, please contact the sender by electronic reply and immediately delete all copies of the message.
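To put a number on Aaron's point about the AAA side: the cmd clauses in the posted group are only consulted when the device actually sends a command authorization request, so the server policy can be perfectly tight and still have no effect if NX-OS never asks. The Python below is an added example, not tac_plus code and not a tool anyone in the thread used. It re-implements the first-match evaluation that tac_plus documents for "cmd = <name> { permit|deny <regex> ... }" (the words after the command name become the argument string, the command's regexes are tried in order, the first match decides, and a command with no cmd clause falls to "default command"), loads the rules from the posted group, and runs them over the commands from the session transcript plus a few constructed ones. Assumptions, marked in the comments: regexes are applied unanchored with re.search, a cmd clause in which no regex matches is treated as deny, and the exact argument string a Cisco device sends (for example the trailing "<cr>" IOS appends) is not modelled.

```python
"""
Added example (not tac_plus code): first-match evaluation of tac_plus-style
"cmd = <name> { permit|deny <regex> ... }" clauses, run over a transcript.
The rule table transcribes the group "snm" posted in this thread; the extra
sample commands and the fall-through behaviour are assumptions (see below).
"""
import re

# group = snm { default command = deny; cmd = ... } transcribed into Python.
SNM_RULES = {
    "configure":         [("deny", r".*")],
    "clear":             [("permit", r"counters"), ("permit", r"qos stat"),
                          ("permit", r"mls qos int")],
    "disable":           [("permit", r".*")],
    "enable":            [("permit", r".*")],
    "end":               [("permit", r".*")],
    "exit":              [("permit", r".*")],
    "logout":            [("permit", r".*")],
    "ping":              [("permit", r".*")],
    "set":               [("permit", r"length 0")],
    "show":              [("deny", r"controllers vip"), ("permit", r".*")],
    "skip-page-display": [("permit", r".*")],
    "terminal":          [("permit", r"length 0")],
    "write":             [("permit", r"network"), ("permit", r"terminal"),
                          ("permit", r"memory")],
}
DEFAULT_COMMAND = "deny"   # "default command = deny" from the posted group


def authorize(cmd_line, rules=SNM_RULES, default_command=DEFAULT_COMMAND):
    """Return ("permit" | "deny", reason) for one command line.

    First word = command name; remaining words joined by single spaces =
    argument string; the command's permit/deny regexes are tried in order
    and the first match decides. Assumptions: regexes are unanchored
    (re.search), and a cmd clause in which nothing matches yields deny.
    The "<cr>" argument a Cisco NAS appends is not modelled.
    """
    words = cmd_line.split()
    if not words:
        return "deny", "empty command"
    name, args = words[0], " ".join(words[1:])
    clauses = rules.get(name)
    if clauses is None:
        return default_command, "default command = %s" % default_command
    for verdict, pattern in clauses:
        if re.search(pattern, args):
            return verdict, 'cmd = %s { %s "%s" }' % (name, verdict, pattern)
    return "deny", "cmd = %s: no regex matched (assumed deny)" % name


def evaluate_transcript(lines, rules=SNM_RULES):
    """Map each command line to the verdict the server would return."""
    return {line: authorize(line, rules)[0] for line in lines}


# Commands from the posted session (the ones marked "This should be denied"
# there, plus "end"), and a few constructed ones for the show/clear/write
# clauses.
SESSION = ["configure", "interface ethernet 1/1", "shut", "no shut", "end"]
EXTRA = ["show running-config", "show controllers vip", "clear counters",
         "clear arp", "write memory", "write erase", "reload"]

if __name__ == "__main__":
    for line in SESSION + EXTRA:
        verdict, why = authorize(line)
        print("%-24s %-6s  (%s)" % (line, verdict, why))
```

Every line the poster annotated "This should be denied" comes out as deny under this policy, and only "end" is permitted; the transcript therefore shows requests that never reached the policy at all, which is exactly what the aaa authorization settings on the switch control.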
From alan.mckinnon at gmail.com Fri Jul 17 08:31:12 2015
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Fri, 17 Jul 2015 10:31:12 +0200
Subject: [tac_plus] Cisco Nexus Authorization problem
In-Reply-To:
References:
Message-ID: <55A8BD50.3070404@gmail.com>

On 16/07/2015 23:39, Kevin.Cruse at Instinet.com wrote:
>
> Hello
>
> I have configured TACPLUS to work with a Cisco Nexus device. I am able to
> successfully authenticate; however, I am able to run all commands on the
> router. It seems the router is not restricted to the commands specified in
> my group config. Has anyone gotten Cisco Nexus to work properly with
> tacplus? I need to limit certain users and cannot get this working
> properly. Any help is greatly appreciated!!! Thanks.

I couldn't get command auth to work properly on Nexus either. Also, my colleagues in NetOps assured me the command list was more complex and more involved and trickier for NX-OS than plain IOS.

Our solution was to implement the roles we needed on the Nexus itself and send the role as an AV pair back from the tacacs server. The architecture of the 5000 and 9000 we used made this simple to manage.

>
> Group Config:
>
> group = snm {
>     default service = deny
>     service = shell {
>         set shell:roles="\"network-admin\""
>         default command = deny
>         default attribute = deny
>         set priv-lvl = 15
>         cmd = configure {deny .*}
>         cmd = clear {
>             permit "counters"
>             permit "qos stat"
>             permit "mls qos int"
>         }
>         cmd = disable {permit .*}
>         cmd = enable {permit .*}
>         cmd = end {permit .*}
>         cmd = exit {permit .*}
>         cmd = logout {permit .*}
>         cmd = ping {permit .*}
>         cmd = set {
>             permit "length 0"
>         }
>         cmd = show {
>             deny "controllers vip"
>             permit .*
>         }
>         cmd = skip-page-display {permit .*}
>         cmd = terminal {
>             permit "length 0"
>         }
>         cmd = write {
>             permit "network"
>             permit "terminal"
>             permit "memory"
>         }
>     }
> }
>
> user = testuser {
>     member = snm
> }
>
> Session output from router:
>
> telnet labrouter
> Trying labrouter...
> Connected to labrouter.
> Escape character is '^]'.
> User Access Verification
> login: testuser
> Password:
> Cisco Nexus Operating System (NX-OS) Software
> TAC support: http://www.cisco.com/tac
> Copyright (c) 2002-2014, Cisco Systems, Inc. All rights reserved.
> The copyrights to certain works contained in this software are
> owned by other third parties and used and distributed under
> license. Certain components of this software are licensed under
> the GNU General Public License (GPL) version 2.0 or the GNU
> Lesser General Public License (LGPL) Version 2.1. A copy of each
> such license is available at
> http://www.opensource.org/licenses/gpl-2.0.php and
> http://www.opensource.org/licenses/lgpl-2.1.php
> LABROUTER# configure                                 <---- This should be denied
> Enter configuration commands, one per line. End with CNTL/Z.
> LABROUTER(config)# interface ethernet 1/1 configure  <---- This should be denied
> LABROUTER(config-if)# shut                           <---- This should be denied
> LABROUTER(config-if)# no shut                        <---- This should be denied
> LABROUTER(config-if)# end
> LABROUTER#
>
--
Alan McKinnon
alan.mckinnon at gmail.com

From daniel.schmidt at wyo.gov Fri Jul 17 15:40:07 2015
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Fri, 17 Jul 2015 09:40:07 -0600
Subject: [tac_plus] Cisco Nexus Authorization problem
In-Reply-To: <55A8BD50.3070404@gmail.com>
References: <55A8BD50.3070404@gmail.com>
Message-ID:

Alan has a good point; even the built-in roles work well on the Nexus. Side note: do_auth makes either solution easier.

On Fri, Jul 17, 2015 at 2:31 AM, Alan McKinnon wrote:
> On 16/07/2015 23:39, Kevin.Cruse at Instinet.com wrote:
> >
> > Hello
> >
> > I have configured TACPLUS to work with a Cisco Nexus device. I am able to
> > successfully authenticate; however, I am able to run all commands on the
> > router. It seems the router is not restricted to the commands specified
> > in my group config. Has anyone gotten Cisco Nexus to work properly with
> > tacplus? I need to limit certain users and cannot get this working
> > properly. Any help is greatly appreciated!!! Thanks.
>
> I couldn't get command auth to work properly on Nexus either. Also, my
> colleagues in NetOps assured me the command list was more complex and
> more involved and trickier for NX-OS than plain IOS.
>
> Our solution was to implement the roles we needed on the Nexus itself
> and send the role as an AV pair back from the tacacs server. The
> architecture of the 5000 and 9000 we used made this simple to manage.
> >
> > Group Config:
> >
> > group = snm {
> >     default service = deny
> >     service = shell {
> >         set shell:roles="\"network-admin\""
> >         default command = deny
> >         default attribute = deny
> >         set priv-lvl = 15
> >         cmd = configure {deny .*}
> >         cmd = clear {
> >             permit "counters"
> >             permit "qos stat"
> >             permit "mls qos int"
> >         }
> >         cmd = disable {permit .*}
> >         cmd = enable {permit .*}
> >         cmd = end {permit .*}
> >         cmd = exit {permit .*}
> >         cmd = logout {permit .*}
> >         cmd = ping {permit .*}
> >         cmd = set {
> >             permit "length 0"
> >         }
> >         cmd = show {
> >             deny "controllers vip"
> >             permit .*
> >         }
> >         cmd = skip-page-display {permit .*}
> >         cmd = terminal {
> >             permit "length 0"
> >         }
> >         cmd = write {
> >             permit "network"
> >             permit "terminal"
> >             permit "memory"
> >         }
> >     }
> > }
> >
> > user = testuser {
> >     member = snm
> > }
> >
> > Session output from router:
> >
> > telnet labrouter
> > Trying labrouter...
> > Connected to labrouter.
> > Escape character is '^]'.
> > User Access Verification
> > login: testuser
> > Password:
> > Cisco Nexus Operating System (NX-OS) Software
> > TAC support: http://www.cisco.com/tac
> > Copyright (c) 2002-2014, Cisco Systems, Inc. All rights reserved.
> > The copyrights to certain works contained in this software are
> > owned by other third parties and used and distributed under
> > license. Certain components of this software are licensed under
> > the GNU General Public License (GPL) version 2.0 or the GNU
> > Lesser General Public License (LGPL) Version 2.1. A copy of each
> > such license is available at
> > http://www.opensource.org/licenses/gpl-2.0.php and
> > http://www.opensource.org/licenses/lgpl-2.1.php
> > LABROUTER# configure                                 <---- This should be denied
> > Enter configuration commands, one per line. End with CNTL/Z.
> > LABROUTER(config)# interface ethernet 1/1 configure  <---- This should be denied
> > LABROUTER(config-if)# shut                           <---- This should be denied
> > LABROUTER(config-if)# no shut                        <---- This should be denied
> > LABROUTER(config-if)# end
> > LABROUTER#
> >
> --
> Alan McKinnon
> alan.mckinnon at gmail.com

--
E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.
From Kevin.Cruse at Instinet.com Mon Jul 20 21:43:35 2015
From: Kevin.Cruse at Instinet.com (Kevin.Cruse at Instinet.com)
Date: Mon, 20 Jul 2015 17:43:35 -0400
Subject: [tac_plus] Cisco Nexus Authorization problem
In-Reply-To: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B92A28@mbx030-w1-co-6.exch030.domain.local>
References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B92A28@mbx030-w1-co-6.exch030.domain.local>
Message-ID:

Aaron,

Thank you for the prompt response! I was able to get it working with your suggestion!

From: Aaron Wasserott
To: "Kevin.Cruse at Instinet.com", "tac_plus at shrubbery.net"
Date: 07/16/2015 09:26 PM
Subject: RE: [tac_plus] Cisco Nexus Authorization problem

Try changing "service = shell" to "service = exec" and see if that works. I have NX-OS working fine using that.

Also, I have never seen the shell service used in real-world examples for network devices. But reading the manpage it appears it should work to prevent them from entering configuration mode, as long as your AAA commands are set right.

service=shell for exec startup, and also for command authorizations. Requires:

aaa authorization exec tacacs+

Whether authorization happens, and at which prompt level, depends on the aaa authorization settings. It's possible to only restrict exec level commands, and prevent them from entering the 'conf t' command. But if you want them in conf t mode but restrict their commands at that level, you need to enable something like this:

aaa authorization config-commands default group myTacacsGroup local

If changing the service doesn't work, include the AAA commands on your NX-OS switches.

-----Original Message-----
From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Kevin.Cruse at Instinet.com
Sent: Thursday, July 16, 2015 3:40 PM
To: tac_plus at shrubbery.net
Subject: [tac_plus] Cisco Nexus Authorization problem

Hello

I have configured TACPLUS to work with a Cisco Nexus device.
I am able to successfully authenticate; however, I am able to run all commands on the router. It seems the router is not restricted to the commands specified in my group config. Has anyone gotten Cisco Nexus to work properly with tacplus? I need to limit certain users and cannot get this working properly. Any help is greatly appreciated!!! Thanks.

Group Config:

group = snm {
    default service = deny
    service = shell {
        set shell:roles="\"network-admin\""
        default command = deny
        default attribute = deny
        set priv-lvl = 15
        cmd = configure {deny .*}
        cmd = clear {
            permit "counters"
            permit "qos stat"
            permit "mls qos int"
        }
        cmd = disable {permit .*}
        cmd = enable {permit .*}
        cmd = end {permit .*}
        cmd = exit {permit .*}
        cmd = logout {permit .*}
        cmd = ping {permit .*}
        cmd = set { permit "length 0" }
        cmd = show {
            deny "controllers vip"
            permit .*
        }
        cmd = skip-page-display {permit .*}
        cmd = terminal { permit "length 0" }
        cmd = write {
            permit "network"
            permit "terminal"
            permit "memory"
        }
    }
}

user = testuser {
    member = snm
}

Session output from router:

telnet labrouter
Trying labrouter...
Connected to labrouter.
Escape character is '^]'.

User Access Verification
login: testuser
Password:
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2014, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
LABROUTER# configure <------------------------------------------------------------ This should be denied
Enter configuration commands, one per line. End with CNTL/Z.
LABROUTER(config)# interface ethernet 1/1 configure <------------------------------------------------------------ This should be denied
LABROUTER(config-if)# shut <------------------------------------------------------------ This should be denied
LABROUTER(config-if)# no shut <------------------------------------------------------------ This should be denied
LABROUTER(config-if)# end
LABROUTER#
From Kevin.Cruse at Instinet.com Wed Jul 22 18:44:03 2015
From: Kevin.Cruse at Instinet.com (Kevin.Cruse at Instinet.com)
Date: Wed, 22 Jul 2015 14:44:03 -0400
Subject: [tac_plus] Cisco Nexus Authorization problem
In-Reply-To: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B92A28@mbx030-w1-co-6.exch030.domain.local>
References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B92A28@mbx030-w1-co-6.exch030.domain.local>
Message-ID:

Aaron,

Do you have experience with Arista? It seems I am having a similar problem with this device. Authentication works fine, but once I log in and send the enable password I can run any command I'd like. It's not restricting access to my preconfigured commands:

Arista1#sh run | i aaa
aaa group server tacacs+ CiscoACS
aaa authentication login default group CiscoACS local
aaa authorization exec default group CiscoACS local
aaa authorization commands all default group CiscoACS local
aaa accounting exec default start-stop group CiscoACS
aaa accounting commands all default start-stop group CiscoACS
no aaa root

-----

user = testuser {
    login = clear "test123"
    pap = clear "test123"
    member = snm
}

group = snm {
    default service = deny
    service = shell {
        set shell:roles="\"network-admin\""
        default command = deny
        default attribute = deny
        set priv-lvl = 15
        cmd = configure {deny .*}
        cmd = clear {
            permit "counters"
            permit "qos stat"
            permit "mls qos int"
        }
        cmd = disable {permit .*}
        cmd = enable {permit .*}
        cmd = end {permit .*}
        cmd = exit {permit .*}
        cmd = logout {permit .*}
        cmd = ping {permit .*}
        cmd = set { permit "length 0" }
        cmd = show {
            deny "controllers vip"
            permit .*
        }
        cmd = skip-page-display {permit .*}
        cmd = terminal { permit "length 0" }
        cmd = write {
            permit "network"
            permit "terminal"
            permit "memory"
        }
    }
}

----

Arista1 login: testuser
Password:
Last login: Wed Jul 22 18:49:42 on ttyS0
Arista1>en
Password:
Arista1#conf t <--- This command should be restricted
Arista1(config)#interface eth 10 <--- This command should be restricted
Arista1(config-if-Et10)#shut <--- This command should be restricted
Arista1(config-if-Et10)#end
Arista1#exit
From aaron.wasserott at viawest.com Wed Jul 22 19:28:20 2015
From: aaron.wasserott at viawest.com (Aaron Wasserott)
Date: Wed, 22 Jul 2015 19:28:20 +0000
Subject: [tac_plus] Cisco Nexus Authorization problem
In-Reply-To:
References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B92A28@mbx030-w1-co-6.exch030.domain.local>
Message-ID: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B94B85@mbx030-w1-co-6.exch030.domain.local>

Kevin,

I just tested this and it works for me. User can run show commands, but not enter conf t mode. Arista DCS-7050S-52-R running code 4.8.3.

In production we run do_auth. It comes bundled with the latest version of tac_plus and makes tweaking authorization a lot easier. It's more scalable, syntax is cleaner, and it has its own authorization logs which are easier to read.

# tac_plus.conf
group = tier1 {
    default service = permit
    login = PAM
    pap = PAM
    default command = deny
    cmd = show {permit .*}
    service = exec {
        priv-lvl = 15
    }
    service = raccess {
        priv-lvl = 0
    }
}

user = first.last {
    member = tier1
}

# switch AAA commands
aaa group server tacacs+ TacGroup
aaa authentication login default group TacGroup local
aaa authorization exec default group TacGroup none
aaa authorization commands 15 default group TacGroup none
aaa accounting exec default start-stop group TacGroup
aaa accounting commands 15 default start-stop group TacGroup
no aaa root

-Aaron
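As an added illustration (not code from the thread, and not tac_plus itself), the following Python models how tac_plus decides a command line against cmd blocks like the snm and tier1 groups above: the first word selects the cmd block, the remaining words are matched against each permit/deny regex in order (first match wins), and a command with no cmd block falls back to "default command". It runs both groups, transcribed by hand as data, over the commands from the session captures, and also shows that the server's decision only matters when the device is configured to send command-authorization requests at all. Assumptions to check against your tac_plus.conf manpage: regexes are unanchored, and a cmd block that exists but matches nothing denies.

```python
import re
from typing import Dict, List, Tuple

# One cmd block is an ordered list of (action, regex) pairs, in the order the
# permit/deny lines appear inside "cmd = name { ... }" in tac_plus.conf.
Rule = Tuple[str, str]
Policy = Dict[str, List[Rule]]

# Kevin's "snm" group from the thread, transcribed by hand as data.
SNM_DEFAULT_COMMAND = "deny"
SNM_CMDS: Policy = {
    "configure": [("deny", ".*")],
    "clear": [("permit", "counters"), ("permit", "qos stat"),
              ("permit", "mls qos int")],
    "disable": [("permit", ".*")],
    "enable": [("permit", ".*")],
    "end": [("permit", ".*")],
    "exit": [("permit", ".*")],
    "logout": [("permit", ".*")],
    "ping": [("permit", ".*")],
    "set": [("permit", "length 0")],
    "show": [("deny", "controllers vip"), ("permit", ".*")],
    "skip-page-display": [("permit", ".*")],
    "terminal": [("permit", "length 0")],
    "write": [("permit", "network"), ("permit", "terminal"),
              ("permit", "memory")],
}

# Aaron's "tier1" group: "default command = deny" plus "cmd = show {permit .*}".
TIER1_DEFAULT_COMMAND = "deny"
TIER1_CMDS: Policy = {"show": [("permit", ".*")]}


def authorize(cmdline: str, cmds: Policy, default_command: str) -> Tuple[str, str]:
    """Decide one command line the way tac_plus does; returns (decision, reason).

    The first word selects the cmd block; the rest of the line is matched
    against each regex in order with an unanchored search, first match wins.
    A command with no cmd block gets "default command".  Assumption: a cmd
    block that exists but matches nothing denies (check the manpage).
    """
    words = cmdline.split()
    if not words:
        return "deny", "empty command line"
    name, args = words[0], " ".join(words[1:])
    rules = cmds.get(name)
    if rules is None:
        return default_command, f"no cmd block for {name!r}; default command = {default_command}"
    for action, pattern in rules:
        if re.search(pattern, args):
            return action, f'cmd = {name} {{ {action} "{pattern}" }} matched {args!r}'
    return "deny", f"cmd = {name} has no regex matching {args!r}"


def session_outcome(commands: List[str], cmds: Policy, default_command: str,
                    device_asks: bool) -> List[Tuple[str, str, str]]:
    """Model the two halves of command authorization.

    The server's policy is consulted only when the device is configured to send
    authorization requests ("aaa authorization commands ..." in the thread).
    With device_asks=False every command runs, whatever the server would say.
    """
    out = []
    for c in commands:
        if not device_asks:
            out.append((c, "permit", "device never sent an authorization request"))
        else:
            decision, reason = authorize(c, cmds, default_command)
            out.append((c, decision, reason))
    return out


# Commands from the two session captures, written out in full (constructed;
# devices generally expand abbreviations such as "conf t" before sending).
SESSION = [
    "configure terminal",
    "interface ethernet 1/1",
    "shutdown",
    "no shutdown",
    "end",
    "show running-config",
    "show controllers vip",
    "clear counters",
    "clear arp",
    "write memory",
    "write erase",
]


def main() -> None:
    for label, cmds, default in (("snm", SNM_CMDS, SNM_DEFAULT_COMMAND),
                                 ("tier1", TIER1_CMDS, TIER1_DEFAULT_COMMAND)):
        for asks in (False, True):
            print(f"\n== group {label}, device asks server: {asks} ==")
            for cmd, decision, reason in session_outcome(SESSION, cmds, default, asks):
                print(f"{decision:6}  {cmd:24}  {reason}")


if __name__ == "__main__":
    main()
```

Running it shows that both groups already deny "configure terminal" on the server side, so a session that still reaches config mode points at the device never asking (the AAA lines) or at an attribute such as the shell:roles value overriding the per-command answer, not at the cmd blocks.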
From Kevin.Cruse at Instinet.com Thu Jul 23 14:59:05 2015
From: Kevin.Cruse at Instinet.com (Kevin.Cruse at Instinet.com)
Date: Thu, 23 Jul 2015 10:59:05 -0400
Subject: [tac_plus] Cisco Nexus Authorization problem
In-Reply-To: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B94B85@mbx030-w1-co-6.exch030.domain.local>
References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B92A28@mbx030-w1-co-6.exch030.domain.local> <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B94B85@mbx030-w1-co-6.exch030.domain.local>
Message-ID:

I am using the mavis backend and wonder if that is the problem? How do I configure do_auth? I am using tac_plus version 201503121920. I cannot find a great example of how to use do_auth with an existing configuration, i.e. how do I tell the config file to use do_auth?
id = tac_plus {
    debug = AUTHEN ACCT MAVIS PACKET
    access log = /var/log/tac_plus/access/%Y%m%d.log
    authentication log = /var/log/tac_plus/auth/%Y%m%d.log
    accounting log = /var/log/tac_plus/acct/%Y%m%d.log
    authorization log = /var/log/tac_plus/authorization/%Y%m%d.log

    mavis module = external {
        setenv LDAP_SERVER_TYPE = "microsoft"
        setenv LDAP_HOSTS = "server:389"
        setenv LDAP_BASE = "dc=domain,dc=corp,dc=local"
        setenv LDAP_SCOPE = sub
        #setenv LDAP_FILTER = "(&(objectclass=user) (sAMAccountName = % s))"
        setenv LDAP_USER = "svcTacacs"
        setenv LDAP_PASSWD = "T at c@c$!"
        setenv AD_GROUP_PREFIX = "prv-AMS_Tacacs"
        setenv EXPAND_AD_GROUP_MEMBERSHIP = 1
        setenv FLAG_USE_MEMBEROF = 1
        #setenv REQUIRE_TACACS_GROUP_PREFIX = 1
        #setenv FLAG_USE_MEMBEROF = 1
        exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
    }

    login backend = mavis
    user backend = mavis
    pap backend = mavis

    host = world {
        address = ::/0
        prompt = "This is a protected device. Unauthorized access is prohibited\n"
        enable 15 = clear secret
        key = password
    }

    group = admin {
        message = "[Admin Privileges]"
        default service = permit
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 15
            cmd = debug{deny .*}
        }
    }

From: Aaron Wasserott
To: "Kevin.Cruse at Instinet.com"
Cc: "tac_plus at shrubbery.net"
Date: 07/22/2015 03:28 PM
Subject: RE: [tac_plus] Cisco Nexus Authorization problem

Kevin, I just tested this and it works for me. User can run show commands, but not enter conf t mode. Arista DCS-7050S-52-R running code 4.8.3. In production we run do_auth. It comes bundled with the latest version of tac_plus and makes tweaking authorization a lot easier. It's more scalable, syntax is cleaner, and it has its own authorization logs which are easier to read.
# tac_plus.conf
group = tier1 {
    default service = permit
    login = PAM
    pap = PAM
    default command = deny
    cmd = show {permit .*}
    service = exec {
        priv-lvl = 15
    }
    service = raccess {
        priv-lvl = 0
    }
}
user = first.last {
    member = tier1
}

# switch AAA commands
aaa group server tacacs+ TacGroup
aaa authentication login default group TacGroup local
aaa authorization exec default group TacGroup none
aaa authorization commands 15 default group TacGroup none
aaa accounting exec default start-stop group TacGroup
aaa accounting commands 15 default start-stop group TacGroup
no aaa root

-Aaron

From: Kevin.Cruse at Instinet.com [mailto:Kevin.Cruse at Instinet.com]
Sent: Wednesday, July 22, 2015 12:44 PM
To: Aaron Wasserott
Cc: tac_plus at shrubbery.net
Subject: RE: [tac_plus] Cisco Nexus Authorization problem

Aaron, do you have experience with Arista? It seems I am having a similar problem with this device. Authentication works fine, but once I log in and send the enable password I can run any command I'd like.
It's not restricting access to my preconfigured commands:

Arista1#sh run | i aaa
aaa group server tacacs+ CiscoACS
aaa authentication login default group CiscoACS local
aaa authorization exec default group CiscoACS local
aaa authorization commands all default group CiscoACS local
aaa accounting exec default start-stop group CiscoACS
aaa accounting commands all default start-stop group CiscoACS
no aaa root

-----
user = testuser {
    login = clear "test123"
    pap = clear "test123"
    member = snm
}

group = snm {
    default service = deny
    service = shell {
        set shell:roles="\"network-admin\""
        default command = deny
        default attribute = deny
        set priv-lvl = 15
        cmd = configure {deny .*}
        cmd = clear {
            permit "counters"
            permit "qos stat"
            permit "mls qos int"
        }
        cmd = disable {permit .*}
        cmd = enable {permit .*}
        cmd = end {permit .*}
        cmd = exit {permit .*}
        cmd = logout {permit .*}
        cmd = ping {permit .*}
        cmd = set {
            permit "length 0"
        }
        cmd = show {
            deny "controllers vip"
            permit .*
        }
        cmd = skip-page-display {permit .*}
        cmd = terminal {
            permit "length 0"
        }
        cmd = write {
            permit "network"
            permit "terminal"
            permit "memory"
        }
    }
}
----

Arista1 login: testuser
Password:
Last login: Wed Jul 22 18:49:42 on ttyS0
Arista1>en
Password:
Arista1#conf t <--- This command should be restricted
Arista1(config)#interface eth 10 <--- This command should be restricted
Arista1(config-if-Et10)#shut <--- This command should be restricted
Arista1(config-if-Et10)#end
Arista1#exit

From: Aaron Wasserott
To: "Kevin.Cruse at Instinet.com", "tac_plus at shrubbery.net"
Date: 07/16/2015 09:26 PM
Subject: RE: [tac_plus] Cisco Nexus Authorization problem

Try changing "service = shell" to "service = exec" and see if that works.
I have NX-OS working fine using that. Also, I have never seen the shell service used in real-world examples for network devices. But reading the manpage it appears it should work to prevent them from entering configuration mode, as long as your AAA commands are set right:

    service=shell for exec startup, and also for command authorizations.
    Requires: aaa authorization exec tacacs+

Whether authorization happens, and at which prompt level, depends on the aaa authorization settings. It's possible to only restrict exec level commands, and prevent them from entering the 'conf t' command. But if you want them in conf t mode but restrict their commands at that level, you need to enable something like this:

    aaa authorization config-commands default group myTacacsGroup local

If changing the service doesn't work, include the AAA commands on your NX-OS switches.

-----Original Message-----
From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Kevin.Cruse at Instinet.com
Sent: Thursday, July 16, 2015 3:40 PM
To: tac_plus at shrubbery.net
Subject: [tac_plus] Cisco Nexus Authorization problem

Hello, I have configured TACPLUS to work with a Cisco Nexus device. I am able to successfully authenticate; however, I am able to run all commands on the router. It seems the router is not restricted to the commands specified in my group config. Has anyone gotten Cisco Nexus to work properly with tacplus? I need to limit certain users and cannot get this working properly. Any help is greatly appreciated! Thanks.
Group Config:

group = snm {
    default service = deny
    service = shell {
        set shell:roles="\"network-admin\""
        default command = deny
        default attribute = deny
        set priv-lvl = 15
        cmd = configure {deny .*}
        cmd = clear {
            permit "counters"
            permit "qos stat"
            permit "mls qos int"
        }
        cmd = disable {permit .*}
        cmd = enable {permit .*}
        cmd = end {permit .*}
        cmd = exit {permit .*}
        cmd = logout {permit .*}
        cmd = ping {permit .*}
        cmd = set {
            permit "length 0"
        }
        cmd = show {
            deny "controllers vip"
            permit .*
        }
        cmd = skip-page-display {permit .*}
        cmd = terminal {
            permit "length 0"
        }
        cmd = write {
            permit "network"
            permit "terminal"
            permit "memory"
        }
    }
}

user = testuser {
    member = snm
}

Session output from router:

telnet labrouter
Trying labrouter...
Connected to labrouter.
Escape character is '^]'.

User Access Verification
login: testuser
Password:
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2014, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
LABROUTER# configure <--- This should be denied
Enter configuration commands, one per line. End with CNTL/Z.
LABROUTER(config)# interface ethernet 1/1 configure <--- This should be denied
LABROUTER(config-if)# shut <--- This should be denied
LABROUTER(config-if)# no shut <--- This should be denied
LABROUTER(config-if)# end
LABROUTER#
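What tac_plus would answer for the snm group above if the switch actually sent each command for authorization, as an added example that is not tac_plus's code or anyone's in this thread: a small Python simulator of the cmd block matching, replayed over the commands from the NX-OS transcript. It assumes, from the tac_plus users_guide (verify against your version), that the permit/deny regexes are applied as unanchored searches against the joined argument string, that a matched cmd block with no matching rule denies, and that the device submits the expanded command word (`configure`, not `conf`).

```python
"""Simulate tac_plus command authorization for the `snm` group from this thread.

Added example, not tac_plus's own code.  Modelled rules (assumed from the
tac_plus users_guide; check them against your version):
  * the command word selects a `cmd = <word> { ... }` block;
  * the block's permit/deny regexes are tried in order against the joined
    argument string as an unanchored search, first match wins;
  * a block with no matching rule denies; a word with no block falls back
    to `default command`.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the `snm` group posted in the thread (layout only changed,
# blocks not exercised below omitted).
SNM_GROUP = r'''
group = snm {
    default service = deny
    service = shell {
        set shell:roles="\"network-admin\""
        default command = deny
        default attribute = deny
        set priv-lvl = 15
        cmd = configure {deny .*}
        cmd = clear { permit "counters" permit "qos stat" permit "mls qos int" }
        cmd = end {permit .*}
        cmd = show { deny "controllers vip" permit .* }
        cmd = write { permit "network" permit "terminal" permit "memory" }
    }
}
'''

Rule = Tuple[str, re.Pattern]
Policy = Tuple[str, Dict[str, List[Rule]]]

_CMD_BLOCK = re.compile(r'cmd\s*=\s*(\S+)\s*\{([^}]*)\}')
_RULE = re.compile(r'\b(permit|deny)\s+(?:"([^"]*)"|(\S+))')
_DEFAULT = re.compile(r'default\s+command\s*=\s*(permit|deny)')


def parse_group(text: str) -> Policy:
    """Extract `default command` and every cmd block from one group stanza."""
    m = _DEFAULT.search(text)
    default = m.group(1) if m else 'deny'       # absent -> treated as deny here
    cmds: Dict[str, List[Rule]] = {}
    for name, body in _CMD_BLOCK.findall(text):
        rules: List[Rule] = []
        for action, quoted, bare in _RULE.findall(body):
            rules.append((action, re.compile(quoted if quoted else bare)))
        cmds[name] = rules
    return default, cmds


def authorize(policy: Policy, command_line: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one command as the device would submit it.

    The NAS sends the command word and its arguments as cmd/cmd-arg AV pairs;
    tac_plus rejoins the arguments with spaces before matching.
    """
    default, cmds = policy
    words = command_line.split()
    if not words:
        return 'deny', 'empty command'
    name, args = words[0], ' '.join(words[1:])
    rules = cmds.get(name)
    if rules is None:
        return default, f'no cmd block for {name!r}; default command = {default}'
    for action, regex in rules:
        if regex.search(args):       # unanchored, like regexec() in tac_plus
            return action, f'cmd = {name}: /{regex.pattern}/ matched {args!r}'
    return 'deny', f'cmd = {name}: no rule matched {args!r}'


# Constructed replay: the commands typed in the thread's NX-OS transcript,
# plus a few extra ones that exercise the other rules.
SESSION = [
    'configure',                 # deny   (cmd = configure {deny .*})
    'interface ethernet 1/1',    # deny   (no block -> default command)
    'shutdown',                  # deny   (no block -> default command)
    'end',                       # permit
    'show running-config',       # permit (.* after the "controllers vip" deny)
    'show controllers vip',      # deny   (explicit deny rule)
    'clear counters',            # permit
    'clear arp-cache',           # deny   (block matched, no rule hit)
    'write memory',              # permit
    'write erase',               # deny
]


def replay(policy: Policy, session: List[str]) -> List[Tuple[str, str, str]]:
    """Authorize every command of a session; returns (command, verdict, reason)."""
    return [(cmd, *authorize(policy, cmd)) for cmd in session]


if __name__ == '__main__':
    for cmd, verdict, why in replay(parse_group(SNM_GROUP), SESSION):
        print(f'{verdict:6} {cmd:26} {why}')
```

Since the policy on paper denies `configure` and everything under it, a transcript where those commands succeed means the switch never asked: that is what the `aaa authorization commands` and `config-commands` lines discussed in the thread control, so check the tac_plus authorization log for the absence of requests before touching the group.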
From aaron.wasserott at viawest.com Thu Jul 23 15:18:25 2015
From: aaron.wasserott at viawest.com (Aaron Wasserott)
Date: Thu, 23 Jul 2015 15:18:25 +0000
Subject: [tac_plus] Cisco Nexus Authorization problem
In-Reply-To:
References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B92A28@mbx030-w1-co-6.exch030.domain.local> <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B94B85@mbx030-w1-co-6.exch030.domain.local>
Message-ID: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B95086@mbx030-w1-co-6.exch030.domain.local>

It doesn't look like Mavis would interfere with authorization. Based on your configs authorization should still be handled by tac_plus itself. Linking tac_plus.conf to do_auth is done with the stanza "after authorization" inside a user or group definition.
John Fraizer did a good write-up of how to use do_auth here: http://www.shrubbery.net/pipermail/tac_plus/2015-April/001622.html

Locate your source for tac_plus and find the do_auth.py file. Inside that are some good instructions for setting it up. The web page for do_auth is here and has some specific examples: http://www.tacacs.org/
From Kevin.Cruse at Instinet.com Thu Jul 23 16:34:48 2015
From: Kevin.Cruse at Instinet.com (Kevin.Cruse at Instinet.com)
Date: Thu, 23 Jul 2015 12:34:48 -0400
Subject: [tac_plus] Cisco Nexus Authorization problem

I don't think the mavis build likes 'after authorization'; I get an error when calling it.

I used this documentation when setting up tac_plus: http://sysmagazine.com/posts/217669/

Error with the above setup:

    /usr/local/etc/tac_plus.cfg:449: Unrecognized keyword 'after' (user/group: snm)
    8334: /usr/local/etc/tac_plus.cfg:449: Unrecognized keyword 'after' (user/group: snm)

I tried the same configuration in the native tac_plus setup and there was no error.

I am trying to get tac_plus to work with PAM but kept running into issues and it was not working seamlessly, which is why I set up the mavis version. I am working on getting PAM to work properly with native tac_plus since the mavis build seems to introduce more problems than fixes.

From: Aaron Wasserott
To: "Kevin.Cruse at Instinet.com"
Cc: "tac_plus at shrubbery.net"
Date: 07/23/2015 11:18 AM
Subject: RE: [tac_plus] Cisco Nexus Authorization problem
________________________________

It doesn't look like Mavis would interfere with authorization. Based on your configs, authorization should still be handled by tac_plus itself.

Linking tac_plus.conf to do_auth is done with the stanza 'after authorization' inside a user or group definition. John Fraizer did a good write-up of how to use do_auth here: http://www.shrubbery.net/pipermail/tac_plus/2015-April/001622.html

Locate your source for tac_plus and find the do_auth.py file. Inside that are some good instructions for setting it up. The web page for do_auth is here and has some specific examples: http://www.tacacs.org/

From: Kevin.Cruse at Instinet.com [mailto:Kevin.Cruse at Instinet.com]
Sent: Thursday, July 23, 2015 8:59 AM
To: Aaron Wasserott
Cc: tac_plus at shrubbery.net
Subject: RE: [tac_plus] Cisco Nexus Authorization problem
________________________________

I am using the mavis backend and wonder if that is the problem? How do I configure do_auth? I am using tac_plus version 201503121920. I cannot find a great example of how to use do_auth with an existing configuration, i.e. how do I tell the config file to use do_auth?

    id = tac_plus {
        debug = AUTHEN ACCT MAVIS PACKET
        access log = /var/log/tac_plus/access/%Y%m%d.log
        authentication log = /var/log/tac_plus/auth/%Y%m%d.log
        accounting log = /var/log/tac_plus/acct/%Y%m%d.log
        authorization log = /var/log/tac_plus/authorization/%Y%m%d.log

        mavis module = external {
            setenv LDAP_SERVER_TYPE = "microsoft"
            setenv LDAP_HOSTS = "server:389"
            setenv LDAP_BASE = "dc=domain,dc=corp,dc=local"
            setenv LDAP_SCOPE = sub
            #setenv LDAP_FILTER = "(&(objectclass=user) (sAMAccountName = % s))"
            setenv LDAP_USER = "svcTacacs"
            setenv LDAP_PASSWD = "T at c@c$!"
            setenv AD_GROUP_PREFIX = "prv-AMS_Tacacs"
            setenv EXPAND_AD_GROUP_MEMBERSHIP = 1
            setenv FLAG_USE_MEMBEROF = 1
            #setenv REQUIRE_TACACS_GROUP_PREFIX = 1
            #setenv FLAG_USE_MEMBEROF = 1
            exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
        }

        login backend = mavis
        user backend = mavis
        pap backend = mavis

        host = world {
            address = ::/0
            prompt = "This is a protected device. Unauthorized access is prohibited\n"
            enable 15 = clear secret
            key = password
        }

        group = admin {
            message = "[Admin Privileges]"
            default service = permit
            service = shell {
                default command = permit
                default attribute = permit
                set priv-lvl = 15
                cmd = debug{deny .*}
            }
        }
    }

From: Aaron Wasserott
To: "Kevin.Cruse at Instinet.com"
Cc: "tac_plus at shrubbery.net"
Date: 07/22/2015 03:28 PM
Subject: RE: [tac_plus] Cisco Nexus Authorization problem
________________________________

Kevin, I just tested this and it works for me. User can run show commands, but not enter conf t mode. Arista DCS-7050S-52-R running code 4.8.3.

In production we run do_auth. It comes bundled with the latest version of tac_plus and makes tweaking authorization a lot easier. It's more scalable, the syntax is cleaner, and it has its own authorization logs which are easier to read.

    # tac_plus.conf
    group = tier1 {
        default service = permit
        login = PAM
        pap = PAM
        default command = deny
        cmd = show {permit .*}
        service = exec {
            priv-lvl = 15
        }
        service = raccess {
            priv-lvl = 0
        }
    }
    user = first.last {
        member = tier1
    }

    # switch AAA commands
    aaa group server tacacs+ TacGroup
    aaa authentication login default group TacGroup local
    aaa authorization exec default group TacGroup none
    aaa authorization commands 15 default group TacGroup none
    aaa accounting exec default start-stop group TacGroup
    aaa accounting commands 15 default start-stop group TacGroup
    no aaa root

-Aaron

From: Kevin.Cruse at Instinet.com [mailto:Kevin.Cruse at Instinet.com]
Sent: Wednesday, July 22, 2015 12:44 PM
To: Aaron Wasserott
Cc: tac_plus at shrubbery.net
Subject: RE: [tac_plus] Cisco Nexus Authorization problem
________________________________

Aaron,

Do you have experience with Arista? It seems I am having a similar problem with this device. Authentication works fine, but once I log in and send the enable password I can run any command I'd like. It's not restricting access to my preconfigured commands:

    Arista1#sh run | i aaa
    aaa group server tacacs+ CiscoACS
    aaa authentication login default group CiscoACS local
    aaa authorization exec default group CiscoACS local
    aaa authorization commands all default group CiscoACS local
    aaa accounting exec default start-stop group CiscoACS
    aaa accounting commands all default start-stop group CiscoACS
    no aaa root

-----

    user = testuser {
        login = clear "test123"
        pap = clear "test123"
        member = snm
    }
    group = snm {
        default service = deny
        service = shell {
            set shell:roles="\"network-admin\""
            default command = deny
            default attribute = deny
            set priv-lvl = 15
            cmd = configure {deny .*}
            cmd = clear {
                permit "counters"
                permit "qos stat"
                permit "mls qos int"
            }
            cmd = disable {permit .*}
            cmd = enable {permit .*}
            cmd = end {permit .*}
            cmd = exit {permit .*}
            cmd = logout {permit .*}
            cmd = ping {permit .*}
            cmd = set {
                permit "length 0"
            }
            cmd = show {
                deny "controllers vip"
                permit .*
            }
            cmd = skip-page-display {permit .*}
            cmd = terminal {
                permit "length 0"
            }
            cmd = write {
                permit "network"
                permit "terminal"
                permit "memory"
            }
        }
    }

----

    Arista1 login: testuser
    Password:
    Last login: Wed Jul 22 18:49:42 on ttyS0
    Arista1>en
    Password:
    Arista1#conf t                        <--- This command should be restricted
    Arista1(config)#interface eth 10      <--- This command should be restricted
    Arista1(config-if-Et10)#shut          <--- This command should be restricted
    Arista1(config-if-Et10)#end
    Arista1#exit

From: Aaron Wasserott
To: "Kevin.Cruse at Instinet.com", "tac_plus at shrubbery.net"
Date: 07/16/2015 09:26 PM
Subject: RE: [tac_plus] Cisco Nexus Authorization problem
________________________________

Try changing "service = shell" to "service = exec" and see if that works. I have NX-OS working fine using that. Also, I have never seen the shell service used in real-world examples for network devices. But reading the manpage it appears it should work to prevent them from entering configuration mode, as long as your AAA commands are set right.

    service=shell for exec startup, and also for command authorizations.
    Requires: aaa authorization exec tacacs+

Whether authorization happens, and at which prompt level, depends on the aaa authorization settings. It's possible to only restrict exec-level commands, and prevent them from entering the 'conf t' command. But if you want them in conf t mode but restrict their commands at that level, you need to enable something like this:

    aaa authorization config-commands default group myTacacsGroup local

If changing the service doesn't work, include the AAA commands on your NX-OS switches.

-----Original Message-----
From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Kevin.Cruse at Instinet.com
Sent: Thursday, July 16, 2015 3:40 PM
To: tac_plus at shrubbery.net
Subject: [tac_plus] Cisco Nexus Authorization problem

Hello,

I have configured TACPLUS to work with a Cisco Nexus device. I am able to successfully authenticate; however, I am able to run all commands on the router. It seems the router is not restricted to the commands specified in my group config. Has anyone gotten Cisco Nexus to work properly with tacplus? I need to limit certain users and cannot get this working properly. Any help is greatly appreciated!!! Thanks.

Group Config:

    group = snm {
        default service = deny
        service = shell {
            set shell:roles="\"network-admin\""
            default command = deny
            default attribute = deny
            set priv-lvl = 15
            cmd = configure {deny .*}
            cmd = clear {
                permit "counters"
                permit "qos stat"
                permit "mls qos int"
            }
            cmd = disable {permit .*}
            cmd = enable {permit .*}
            cmd = end {permit .*}
            cmd = exit {permit .*}
            cmd = logout {permit .*}
            cmd = ping {permit .*}
            cmd = set {
                permit "length 0"
            }
            cmd = show {
                deny "controllers vip"
                permit .*
            }
            cmd = skip-page-display {permit .*}
            cmd = terminal {
                permit "length 0"
            }
            cmd = write {
                permit "network"
                permit "terminal"
                permit "memory"
            }
        }
    }
    user = testuser {
        member = snm
    }

Session output from router:

    telnet labrouter
    Trying labrouter...
    Connected to labrouter.
    Escape character is '^]'.

    User Access Verification
    login: testuser
    Password:

    Cisco Nexus Operating System (NX-OS) Software
    TAC support: http://www.cisco.com/tac
    Copyright (c) 2002-2014, Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained in this software are
    owned by other third parties and used and distributed under
    license. Certain components of this software are licensed under
    the GNU General Public License (GPL) version 2.0 or the GNU
    Lesser General Public License (LGPL) Version 2.1. A copy of each
    such license is available at
    http://www.opensource.org/licenses/gpl-2.0.php and
    http://www.opensource.org/licenses/lgpl-2.1.php

    LABROUTER# configure                                  <--- This should be denied
    Enter configuration commands, one per line. End with CNTL/Z.
    LABROUTER(config)# interface ethernet 1/1 configure   <--- This should be denied
    LABROUTER(config-if)# shut                            <--- This should be denied
    LABROUTER(config-if)# no shut                         <--- This should be denied
    LABROUTER(config-if)# end
    LABROUTER#
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20150716/5c309608/attachment.html>
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo/tac_plus
From aaron.wasserott at viawest.com Thu Jul 23 16:41:35 2015
From: aaron.wasserott at viawest.com (Aaron Wasserott)
Date: Thu, 23 Jul 2015 16:41:35 +0000
Subject: [tac_plus] Cisco Nexus Authorization problem
Message-ID: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B9526E@mbx030-w1-co-6.exch030.domain.local>

This email dist-list is for the shrubbery version of tac_plus. http://www.shrubbery.net/tac_plus/

Reading the web page from where the MAVIS version is located, I notice this: http://www.pro-bono-publico.de/projects/index.html

    tac_plus [pdf] is an event-driven TACACS+ daemon which utilizes the MAVIS backend for authentication ***and authorization*** (and may get its user data from various sources, including PAM, LDAP, RADIUS and ActiveDirectory; suitable schema files for OpenLDAP are included). Supported features include IPv6, single-connection and much more.

Makes sense that some things won't work the same across both versions.
Group Config: group = snm { default service = deny service = shell { set shell:roles="\"network-admin\"" default command = deny default attribute = deny set priv-lvl = 15 cmd = configure {deny .*} cmd = clear { permit "counters" permit "qos stat" permit "mls qos int" } cmd = disable {permit .*} cmd = enable {permit .*} cmd = end {permit .*} cmd = exit {permit .*} cmd = logout {permit .*} cmd = ping {permit .*} cmd = set { permit "length 0" } cmd = show { deny "controllers vip" permit .* } cmd = skip-page-display {permit .*} cmd = terminal { permit "length 0" } cmd = write { permit "network" permit "terminal" permit "memory" } } } user = testuser { member = snm } Session output from router: telnet labrouter Trying labrouter... Connected to labrouter. Escape character is '^]'. User Access Verification login: testuser Password: Cisco Nexus Operating System (NX-OS) Software TAC support: http://www.cisco.com/tac Copyright (c) 2002-2014, Cisco Systems, Inc. All rights reserved. The copyrights to certain works contained in this software are owned by other third parties and used and distributed under license. Certain components of this software are licensed under the GNU General Public License (GPL) version 2.0 or the GNU Lesser General Public License (LGPL) Version 2.1. A copy of each such license is available at http://www.opensource.org/licenses/gpl-2.0.php and http://www.opensource.org/licenses/lgpl-2.1.php LABROUTER# configure <------------------------------------------------------------ This should be denied Enter configuration commands, one per line. End with CNTL/Z. 
    LABROUTER(config)# interface ethernet 1/1 configure    <--- This should be denied
    LABROUTER(config-if)# shut                             <--- This should be denied
    LABROUTER(config-if)# no shut                          <--- This should be denied
    LABROUTER(config-if)# end
    LABROUTER#

=========================================================================================================
<<<< Disclaimer >>>> This message is intended solely for use by the named addressee(s). If you receive this transmission in error, please immediately notify the sender and destroy this message in its entirety, whether in electronic or hard copy format. Any unauthorized use (and reliance thereon), copying, disclosure, retention, or distribution of this transmission or the material in this transmission is forbidden. We reserve the right to monitor and archive electronic communications. This material does not constitute an offer or solicitation with respect to the purchase or sale of any security. It should not be construed to contain any recommendation regarding any security or strategy. Any views expressed are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. This communication is provided on an "as is" basis. It contains material that is owned by Instinet Incorporated, its subsidiaries or its or their licensors, and may not, in whole or in part, be (i) copied, photocopied or duplicated in any form, by any means, or (ii) redistributed, posted, published, excerpted, or quoted without Instinet Incorporated's prior written consent. Please access the following link for important information and instructions: http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt Securities products and services are provided by locally registered brokerage subsidiaries of Instinet Incorporated: Instinet Australia Pty Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the Australian Securities & Investments Commission; Instinet Canada Limited, member IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by the Securities and Futures Commission of Hong Kong; Instinet Singapore Services Private Limited, regulated by the Monetary Authority of Singapore, trading member of The Singapore Exchange Securities Trading Private Limited and clearing member of The Central Depository (Pte) Limited; and Instinet, LLC, member SIPC.
=========================================================================================================

_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo/tac_plus

This message contains information that may be confidential, privileged or otherwise protected by law from disclosure. It is intended for the exclusive use of the addressee(s). Unless you are the addressee or authorized agent of the addressee, you may not review, copy, distribute or disclose to anyone the message or any information contained within. If you have received this message in error, please contact the sender by electronic reply and immediately delete all copies of the message.
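The thread above leaves one question implicit: given the `snm` group's `cmd = configure {deny .*}` and `default command = deny`, what would tac_plus itself answer for each command the user typed? The evaluator below is an added example, not code from the thread or from tac_plus; it models the command-authorization rules as the tac_plus.conf documentation describes them (the first word of the command selects a `cmd` block, its `permit`/`deny` regexes are tried in order against the remaining arguments, the first match wins, and anything unmatched falls back to `default command`) and replays a constructed session through that policy. Two assumptions are mine: the regexes are applied as an unanchored search, in the manner of regexec(3), and the argument string is simply the words after the command name. The exact argument string a device sends (for example whether it carries a trailing `<cr>` token) is platform-specific and visible only in the daemon's debug output, so anchored patterns must be checked against that output. The point the replay makes is that the server-side policy denies `configure` as written; when the device still drops into config mode, the decision never reached the server, which is what the device-side `aaa authorization` settings Aaron describes control, or the device applied a role of its own, such as the `network-admin` role that NX-OS derives from the `shell:roles` attribute the group also sets.

```python
import re

# Constructed sample: the `service = shell` stanza of the `snm` group posted in
# the thread, reduced to the entries the replayed session exercises.
GROUP_CONFIG = """
group = snm {
    default service = deny
    service = shell {
        default command = deny
        default attribute = deny
        set priv-lvl = 15
        cmd = configure {deny .*}
        cmd = clear { permit "counters" permit "qos stat" permit "mls qos int" }
        cmd = end {permit .*}
        cmd = exit {permit .*}
        cmd = show { deny "controllers vip" permit .* }
        cmd = terminal { permit "length 0" }
        cmd = write { permit "network" permit "terminal" permit "memory" }
    }
}
"""

CMD_BLOCK = re.compile(r'cmd\s*=\s*(\S+)\s*\{([^}]*)\}')
RULE = re.compile(r'\b(permit|deny)\s+(?:"([^"]*)"|(\S+))')
DEFAULT_COMMAND = re.compile(r'default\s+command\s*=\s*(permit|deny)')


def parse_cmd_policy(text):
    """Parse `cmd = NAME { permit|deny REGEX ... }` entries and the
    `default command` setting. Returns (default_action, {name: [(action, regex)]}).
    This follows the man page's description of the syntax; it is not
    tac_plus's own parser (assumption)."""
    m = DEFAULT_COMMAND.search(text)
    default = m.group(1) if m else "deny"   # tac_plus denies unless told to permit
    policy = {}
    for block in CMD_BLOCK.finditer(text):
        name, body = block.group(1), block.group(2)
        entries = []
        for rule in RULE.finditer(body):
            action = rule.group(1)
            pattern = rule.group(2) if rule.group(2) is not None else rule.group(3)
            entries.append((action, re.compile(pattern)))
        policy[name] = entries
    return default, policy


def authorize(parsed, command_line):
    """Decide one command: the first word selects the cmd block, the block's
    regexes are tried in order against the remaining arguments, the first
    match wins, and an unmatched or unknown command gets `default command`.
    Matching is an unanchored search, as with regexec(3) (assumption)."""
    default, policy = parsed
    words = command_line.split()
    if not words:
        return default
    name, args = words[0], " ".join(words[1:])
    for action, regex in policy.get(name, []):
        if regex.search(args):
            return action
    return default


def replay(parsed, session):
    """Run a list of typed command lines through the policy."""
    return [(line, authorize(parsed, line)) for line in session]


# Constructed session: the commands the thread shows the user typing on the
# Nexus, plus a few that exercise rule ordering and the default.
SESSION = [
    "configure",                              # deny: `.*` matches the empty arg string
    "configure terminal",                     # deny
    "interface ethernet 1/1",                 # deny: no cmd block, default applies
    "shut",                                   # deny
    "end",                                    # permit
    "show running-config",                    # permit: second rule of `show`
    "show controllers vip 1",                 # deny: first rule of `show` wins
    "clear counters interface ethernet 1/1",  # permit: unanchored search hits "counters"
    "terminal length 0",                      # permit
    "terminal length 24",                     # deny: no rule matches, default applies
    "write memory",                           # permit
    "write erase",                            # deny
]

if __name__ == "__main__":
    parsed = parse_cmd_policy(GROUP_CONFIG)
    for line, decision in replay(parsed, SESSION):
        print(f"{decision:6s}  {line}")
```

Because the search is unanchored, `permit "length 0"` under `terminal` also permits `terminal length 0 anything`; where an exact argument is intended, anchor the pattern (`^length 0$`, adjusted for whatever trailing token the device sends) and confirm the result against the daemon's debug log rather than against a model like this one.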
From Kevin.Cruse at Instinet.com Thu Jul 23 19:11:14 2015
From: Kevin.Cruse at Instinet.com (Kevin.Cruse at Instinet.com)
Date: Thu, 23 Jul 2015 15:11:14 -0400
Subject: [tac_plus] Cisco Nexus Authorization problem
In-Reply-To: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B9526E@mbx030-w1-co-6.exch030.domain.local>
References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B92A28@mbx030-w1-co-6.exch030.domain.local> <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B94B85@mbx030-w1-co-6.exch030.domain.local> <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B95086@mbx030-w1-co-6.exch030.domain.local> <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B9526E@mbx030-w1-co-6.exch030.domain.local>
Message-ID:

Do you know of any good documentation to get tac_plus working with PAM? I am using this but it's not the most elaborate.
http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.html

From: Aaron Wasserott
To: "Kevin.Cruse at Instinet.com"
Cc: "tac_plus at shrubbery.net"
Date: 07/23/2015 12:41 PM
Subject: RE: [tac_plus] Cisco Nexus Authorization problem

This email dist-list is for the shrubbery version of tac_plus.
http://www.shrubbery.net/tac_plus/

Reading the web page where the MAVIS version is located I notice this:
http://www.pro-bono-publico.de/projects/index.html

    tac_plus [pdf] is an event-driven TACACS+ daemon which utilizes the MAVIS backend for authentication ***and authorization*** (and may get its user data from various sources, including PAM, LDAP, RADIUS and ActiveDirectory; suitable schema files for OpenLDAP are included). Supported features include IPv6, single-connection and much more.

Makes sense that some things won't work the same across both versions.

From: Kevin.Cruse at Instinet.com [mailto:Kevin.Cruse at Instinet.com]
Sent: Thursday, July 23, 2015 10:35 AM
To: Aaron Wasserott
Cc: tac_plus at shrubbery.net
Subject: RE: [tac_plus] Cisco Nexus Authorization problem

I don't think the mavis build likes 'after authorization'; I get an error when calling it. I used this documentation when setting up tac_plus: http://sysmagazine.com/posts/217669/

Error with the above setup:

    /usr/local/etc/tac_plus.cfg:449: Unrecognized keyword 'after' (user/group: snm)
    8334: /usr/local/etc/tac_plus.cfg:449: Unrecognized keyword 'after' (user/group: snm)

I tried the same configuration in the native tac_plus setup and there was no error. I am trying to get tac_plus to work with PAM but kept running into issues and it was not working seamlessly, which is why I set up the mavis version. I am working on getting PAM to work properly with native tac_plus since the mavis build seems to introduce more problems than fixes.
Based on your configs authorization s From: Aaron Wasserott To: "Kevin.Cruse at Instinet.com" , Cc: "tac_plus at shrubbery.net" Date: 07/23/2015 11:18 AM Subject: RE: [tac_plus] Cisco Nexus Authorization problem It doesn?t look like Mavis would interfere with authorization. Based on your configs authorization should still be handled by tac_plus itself. Linking tac_plus.conf to do_auth is done with the stanza ?after authorization? inside a user or group definition. John Fraizer did a good write-up of how to use do_auth here: http://www.shrubbery.net/pipermail/tac_plus/2015-April/001622.html Locate your source for tac_plus and find the do_auth.py file. Inside that are some good instructions for setting it up. The web page for do_auth is here and has some specific examples: http://www.tacacs.org/ From: Kevin.Cruse at Instinet.com [mailto:Kevin.Cruse at Instinet.com] Sent: Thursday, July 23, 2015 8:59 AM To: Aaron Wasserott Cc: tac_plus at shrubbery.net Subject: RE: [tac_plus] Cisco Nexus Authorization problem I am using the mavis backend and wonder if that is the problem? How do i configure do_auth? I am using tac_plus version 201503121920. I cannot find great example of how to use do_auth with existing configuration ie how do i tell the config file to use do_auth? id = tac_plus { debug = AUTHEN ACCT MAVIS PACKET access log = /var/log/tac_plus/access/%Y%m%d.log authentication log = /var/log/tac_plus/auth/%Y%m%d.log accounting log = /var/log/tac_plus/acct/%Y%m%d.log authorization log = /var/log/tac_plus/authorization/%Y%m%d.log mavis module = external { setenv LDAP_SERVER_TYPE = "microsoft" setenv LDAP_HOSTS = "server:389" setenv LDAP_BASE = "dc=domain,dc=corp,dc=local" setenv LDAP_SCOPE = sub #setenv LDAP_FILTER = "(&(objectclass=user) (sAMAccountName = % s))" setenv LDAP_USER = "svcTacacs" setenv LDAP_PASSWD = "T at c@c$!" 
setenv AD_GROUP_PREFIX = "prv-AMS_Tacacs" setenv EXPAND_AD_GROUP_MEMBERSHIP = 1 setenv FLAG_USE_MEMBEROF = 1 #setenv REQUIRE_TACACS_GROUP_PREFIX = 1 #setenv FLAG_USE_MEMBEROF = 1 exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl } login backend = mavis user backend = mavis pap backend = mavis host = world { address = ::/0 prompt = "This is a protected device. Unauthorized access is prohibited\n" enable 15 = clear secret key = password } group = admin { message = "[Admin Privileges]" default service = permit service = shell { default command = permit default attribute = permit set priv-lvl = 15 cmd = debug{deny .*} } } Inactive hide details for Aaron Wasserott ---07/22/2015 03:28:27 PM---Kevin, I just tested this and it works for me. User can rAaron Wasserott ---07/22/2015 03:28:27 PM---Kevin, I just tested this and it works for me. User can run show commands, but not enter conf t mode From: Aaron Wasserott To: "Kevin.Cruse at Instinet.com" , Cc: "tac_plus at shrubbery.net" Date: 07/22/2015 03:28 PM Subject: RE: [tac_plus] Cisco Nexus Authorization problem Kevin, I just tested this and it works for me. User can run show commands, but not enter conf t mode. Arista DCS-7050S-52-R running code 4.8.3. In production we run do_auth. It comes bundled with the latest version of tac_plus and makes tweaking authorization a lot easier. It?s more scalable, syntax is cleaner, and it has its own authorization logs which are easier to read. 
# tac_plus.conf group = tier1 { default service = permit login = PAM pap = PAM default command = deny cmd = show {permit .*} service = exec { priv-lvl = 15 } service = raccess { priv-lvl = 0 } } user = first.last { member = tier1 } # switch AAA commands aaa group server tacacs+ TacGroup aaa authentication login default group TacGroup local aaa authorization exec default group TacGroup none aaa authorization commands 15 default group TacGroup none aaa accounting exec default start-stop group TacGroup aaa accounting commands 15 default start-stop group TacGroup no aaa root -Aaron From: Kevin.Cruse at Instinet.com [mailto:Kevin.Cruse at Instinet.com] Sent: Wednesday, July 22, 2015 12:44 PM To: Aaron Wasserott Cc: tac_plus at shrubbery.net Subject: RE: [tac_plus] Cisco Nexus Authorization problem Aaron Do you have experience with Arista? It seems I am having similar problem with this device. Authentication works fine, but once i login and send enable password I can run any command i'd like. 
It's not restricting access to my preconfigured commands: Arista1#sh run | i aaa aaa group server tacacs+ CiscoACS aaa authentication login default group CiscoACS local aaa authorization exec default group CiscoACS local aaa authorization commands all default group CiscoACS local aaa accounting exec default start-stop group CiscoACS aaa accounting commands all default start-stop group CiscoACS no aaa root ----- user = testuser { login = clear "test123" pap = clear "test123" member = snm } group = snm { default service = deny service = shell { set shell:roles="\"network-admin\"" default command = deny default attribute = deny set priv-lvl = 15 cmd = configure {deny .*} cmd = clear { permit "counters" permit "qos stat" permit "mls qos int" } cmd = disable {permit .*} cmd = enable {permit .*} cmd = end {permit .*} cmd = exit {permit .*} cmd = logout {permit .*} cmd = ping {permit .*} cmd = set { permit "length 0" } cmd = show { deny "controllers vip" permit .* } cmd = skip-page-display {permit .*} cmd = terminal { permit "length 0" } cmd = write { permit "network" permit "terminal" permit "memory" } } } ---- Arista1 login: testuser Password: Last login: Wed Jul 22 18:49:42 on ttyS0 Arista1>en Password: Arista1#conf t <--- This command should be restricted Arista1(config)#interface eth 10 <--- This command should be restricted Arista1(config-if-Et10)#shut <--- This command should be restricted Arista1(config-if-Et10)#end Arista1#exit Inactive hide details for Aaron Wasserott ---07/16/2015 09:26:32 PM---Try changing "service = shell" to "service = exec" and seAaron Wasserott ---07/16/2015 09:26:32 PM---Try changing "service = shell" to "service = exec" and see if that works. I have NX-OS working fine From: Aaron Wasserott To: "Kevin.Cruse at Instinet.com" , " tac_plus at shrubbery.net" , Date: 07/16/2015 09:26 PM Subject: RE: [tac_plus] Cisco Nexus Authorization problem Try changing "service = shell" to "service = exec" and see if that works. 
I have NX-OS working fine using that. Also, I have never seen the shell service used in real-world examples for network devices. But reading the manpage it appears it should work to prevent them from entering configuration mode, as long as your AAA commands are set right. service=shell for exec startup, and also for command authorizations. Requires: aaa authorization exec tacacs+ Whether authorization happens, and at which prompt level, depends on the aaa authorization settings. It's possible to only restrict exec level commands, and prevent them from entering the 'conf t' command. But if you want them in conf t mode but restrict their commands at that level, you need to enable something like this: aaa authorization config-commands default group myTacacsGroup local If changing the service doesn't work, include the AAA commands on your NX-OS switches. -----Original Message----- From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Kevin.Cruse at Instinet.com Sent: Thursday, July 16, 2015 3:40 PM To: tac_plus at shrubbery.net Subject: [tac_plus] Cisco Nexus Authorization problem Hello I have configured TACPLUS to work with cisco nexus device. I am able to successfully authenticate, however, I am able to run all commands on router. It seems the router is not restricted to the commands specified in my group config. Has anyone gotten Cisco nexus to work properly with tacplus? I need to limit certain users and cannot get this working properly. Any help is greatly appreciated!!! Thanks. 
Group Config: group = snm { default service = deny service = shell { set shell:roles="\"network-admin\"" default command = deny default attribute = deny set priv-lvl = 15 cmd = configure {deny .*} cmd = clear { permit "counters" permit "qos stat" permit "mls qos int" } cmd = disable {permit .*} cmd = enable {permit .*} cmd = end {permit .*} cmd = exit {permit .*} cmd = logout {permit .*} cmd = ping {permit .*} cmd = set { permit "length 0" } cmd = show { deny "controllers vip" permit .* } cmd = skip-page-display {permit .*} cmd = terminal { permit "length 0" } cmd = write { permit "network" permit "terminal" permit "memory" } } } user = testuser { member = snm } Session output from router: telnet labrouter Trying labrouter... Connected to labrouter. Escape character is '^]'. User Access Verification login: testuser Password: Cisco Nexus Operating System (NX-OS) Software TAC support: http://www.cisco.com/tac Copyright (c) 2002-2014, Cisco Systems, Inc. All rights reserved. The copyrights to certain works contained in this software are owned by other third parties and used and distributed under license. Certain components of this software are licensed under the GNU General Public License (GPL) version 2.0 or the GNU Lesser General Public License (LGPL) Version 2.1. A copy of each such license is available at http://www.opensource.org/licenses/gpl-2.0.php and http://www.opensource.org/licenses/lgpl-2.1.php LABROUTER# configure <------------------------------------------------------------ This should be denied Enter configuration commands, one per line. End with CNTL/Z. 
LABROUTER(config)# interface ethernet 1/1 configure <------------------------------------------------------------ This should be denied LABROUTER(config-if)# shut <------------------------------------------------------------ This should be denied LABROUTER(config-if)# no shut <------------------------------------------------------------ This should be denied LABROUTER(config-if)# end LABROUTER# ========================================================================================================= <<<< Disclaimer >>>> This message is intended solely for use by the named addressee(s). If you receive this transmission in error, please immediately notify the sender and destroy this message in its entirety, whether in electronic or hard copy format. Any unauthorized use (and reliance thereon), copying, disclosure, retention, or distribution of this transmission or the material in this transmission is forbidden. We reserve the right to monitor and archive electronic communications. This material does not constitute an offer or solicitation with respect to the purchase or sale of any security. It should not be construed to contain any recommendation regarding any security or strategy. Any views expressed are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. This communication is provided on an ?as is? basis. It contains material that is owned by Instinet Incorporated, its subsidiaries or its or their licensors, and may not, in whole or in part, be (i) copied, photocopied or duplicated in any form, by any means, or (ii) redistributed, posted, published, excerpted, or quoted without Instinet Incorporated's prior written consent. 
Please access the following link for important information and instructions: http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt Securities products and services are provided by locally registered brokerage subsidiaries of Instinet Incorporated: Instinet Australia Pty Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the Australian Securities & Investments Commission; Instinet Canada Limited, member IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by the Securities and Futures Commission of Hong Kong; Instinet Singapore Services Private Limited, regulated by the Monetary Authority of Singapore, trading member of The Singapore Exchange Securities Trading Private Limited and clearing member of The Central Depository (Pte) Limited; and Instinet, LLC, member SIPC. ========================================================================================================= -------------- next part -------------- An HTML attachment was scrubbed... URL: < http://www.shrubbery.net/pipermail/tac_plus/attachments/20150716/5c309608/attachment.html > _______________________________________________ tac_plus mailing list tac_plus at shrubbery.net http://www.shrubbery.net/mailman/listinfo/tac_plus This message contains information that may be confidential, privileged or otherwise protected by law from disclosure. It is intended for the exclusive use of the addressee(s). Unless you are the addressee or authorized agent of the addressee, you may not review, copy, distribute or disclose to anyone the message or any information contained within. If you have received this message in error, please contact the sender by electronic reply and immediately delete all copies of the message. ========================================================================================================= <<<< Disclaimer >>>> This message is intended solely for use by the named addressee(s). 
From john at op-sec.us Thu Jul 23 22:36:47 2015
From: john at op-sec.us (John Fraizer)
Date: Thu, 23 Jul 2015 15:36:47 -0700
Subject: [tac_plus] Cisco Nexus Authorization problem
In-Reply-To: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B94B85@mbx030-w1-co-6.exch030.domain.local>
References: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B92A28@mbx030-w1-co-6.exch030.domain.local> <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B94B85@mbx030-w1-co-6.exch030.domain.local>
Message-ID:

I use the following AAA for config on a few thousand Arista devices:

!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands all default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting commands all default stop-only group tacacs+
!

And I use this config for tac_plus (Works for CatOS, IOS, EOS, Nexus & Junos):

#
# Default group to run all command authentication through do_auth.
#
group = doauthaccess {
    default service = permit
    service = exec {
        priv-lvl = 1
        optional idletime = 30
        optional acl = 2
        shell:roles="\"network-operator vdc-operator\""
    }
    service = junos-exec {
        bug-fix = "first pair is lost"
        local-user-name = "remote"
        allow-commands = "(.*exit)|(show cli auth.*)"
        deny-commands = ".*"
        allow-configuration = ""
        deny-configuration = ".*"
    }
    after authorization "/usr/bin/python /opt/sbin/do_auth.py -i $address -u $user -d $name -l /opt/log/do_auth.log -f /opt/etc/tacacs/do_auth.ini"
}

#
# Default user - Used when no user specific stanza exists in tac_plus.conf.
#
user = DEFAULT {
    member = doauthaccess
    login = PAM
}

My do_auth.ini is set up as such:

[users]
default = no_authority
joeengineer = engineering
rancid = rancid_group

#
# Default group
#
[no_authority]
host_deny =
host_allow =
    .*
device_deny =
device_permit =
    .*
command_deny =
    .*
command_permit =
    exit.*
av_pairs =
    priv-lvl=0
    shell:roles="network-operator vdc-operator"
    local-user-name = remote
    allow-commands = (.*exit)|(show cli auth.*)
    deny-commands = .*
    allow-configuration =
    deny-configuration =

#
# Rancid Group
#
[rancid_group]
host_deny =
host_allow =
    .*
device_deny =
device_permit =
    .*
command_deny =
    enable password.*
    enable secret.*
command_permit =
    show.*
    dir.*
    more.*
    copy .*
    terminal .*
    enable.*
    write t.*
    set length .*
    set logging session disable.*
    exit.*
av_pairs =
    priv-lvl=15
    shell:roles="network-admin vdc-admin"
    local-user-name = network
    allow-commands = (.*copy .*)|(.*show .*)|(.*write .*)|(.*exit)
    deny-commands = .*
    allow-configuration =
    deny-configuration = .*

#
# Engineering Group
#
[engineering]
host_deny =
host_allow =
    .*
device_deny =
device_permit =
    .*
command_deny =
command_permit =
    .*
av_pairs =
    priv-lvl=15
    shell:roles="network-admin vdc-admin"
    local-user-name = remote
    allow-commands = .*
    deny-commands =
    allow-configuration = .*
    deny-configuration =

--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/

From john at op-sec.us Thu Jul 23 22:51:10 2015
From: john at op-sec.us (John Fraizer)
Date: Thu, 23 Jul 2015 15:51:10 -0700
Subject: [tac_plus] Work around for BUG in Arista EOS <=4.9.1
Message-ID:

There is a bug in Arista EOS <=4.9.1 which causes it to flip its lid when it receives TAC_PLUS_AUTHOR_STATUS_PASS_REPL in an Authorization response. The bug manifests itself as tac_plus and do_auth.py both agreeing that the request was authorized but the EOS device displaying "Authorization denied:" and dropping the login.
After some troubleshooting to determine what was actually tickling this bug, I found that when using an after authorization script with tac_plus, it will return TAC_PLUS_AUTHOR_STATUS_PASS_REPL, whereas when you don't use an after authorization script, tac_plus will return TAC_PLUS_AUTHOR_STATUS_PASS_ADD.

I wrote a quick and dirty patch that seems to work just fine in my environment and I thought I would pass it along to the community in case you have any vintage EOS devices in your stable and want to use after authorization. (If you're not using do_auth.py, you don't know what you're missing!)

This patch is against stock Shrubbery.net F4.0.4.28:

$ cat arista-bug-fix.diff
*** do_author.c.orig 2015-07-23 11:51:33.641510860 -0700 --- do_author.c 2015-07-23 12:13:11.667818482 -0700 *************** *** 325,359 **** --- 325,388 ---- case 2: /* Use replacement AV pairs from program */ if (debug & DEBUG_AUTHOR_FLAG) report(LOG_DEBUG, "cmd %s returns 2 (replace & continue)", after); /* Free any existing AV output pairs */ if (data->num_out_args) { for (i = 0; i < data->num_out_args; i++) { free(data->output_args[i]); } free(data->output_args); data->output_args = NULL; } + /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * + * Arista EOS versions 4.9.1 and below do not support the * + * TAC_AUTHOR_STATUS_PASS_REPL status. When they receive * + * this status in an authorization reply, they flip their * + * lidz and return "Authorization denied:" to the user * + * and dump them out of the session. This presents a * + * problem for organizations who desire to use after * + * authorization scripts to change AV PAIRS, etc if they * + * have equipment running older EOS code. * + * * + * After finally tracking down the root cause of this * + * undesired behavior, the "fix" is very simple: "Lie to * + * everybody and send TAC_AUTHOR_STATUS_PASS_ADD any time * + * we would normally send TAC_AUTHOR_STATUS_PASS_REPL." 
* + * * + * This nasty hack was conceived and written by: * + * John Fraizer * + * 23 July 2015 * + * * + * No Warranty is Expressed or Implied! * + * Individual mileage may vary with driving conditions and * + * driving style. Always use the manufacturers * + * recommended tire inflation! * + * * + * Semper Fi! * + * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * + + if (debug & DEBUG_AUTHOR_FLAG) { report(LOG_DEBUG, "status is now AUTHOR_STATUS_PASS_REPL"); } data->status = AUTHOR_STATUS_PASS_REPL; + */ data->output_args = out_args; data->num_out_args = out_cnt; return; } } /* Return a pointer to the value part of an attr=value string */ static char * value(char *s) { while (*s != '\0' && *s != '=' && *s != '*') s++; if (*s != '\0') return(++s); return(NULL);

--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/

From john at op-sec.us Fri Jul 24 00:06:24 2015
From: john at op-sec.us (John Fraizer)
Date: Thu, 23 Jul 2015 17:06:24 -0700
Subject: [tac_plus] Work around for BUG in Arista EOS <=4.9.1
In-Reply-To:
References:
Message-ID:

Your patch is functionally identical to mine. Mine just has the obligatory long comment detailing why it's there and what it does.

John Fraizer
--Sent from my Android phone. Please excuse any typos.

On Jul 23, 2015 4:55 PM, "Hans van den Bogert" wrote:
> reminds me of what I had to do, forgot the hardware. If needed, let me
> know and I'll look it up (not arista IIRC). I patched it even more ugly
> probably:
>
> https://github.com/hansbogert/tacacs-plus/commit/88b4aac5ba53916bf78ea6ae0eaaf83e5221304c
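Review bot: the workaround is unconditional, so it changes replies to every client, not only the Arista EOS <=4.9.1 hosts the comment describes. The `/*` ... `*/` added in this hunk comments out `data->status = AUTHOR_STATUS_PASS_REPL;` while the two context lines that follow still install the script's replacement set (`data->output_args = out_args; data->num_out_args = out_cnt;`), so a reply carrying a replacement argument list now leaves with the PASS_ADD status that the cover text says applies when no after-authorization script runs. A client that follows the protocol then merges those arguments with the ones it sent instead of replacing them, so an attribute the script intended to remove or downgrade (a priv-lvl or a shell:roles value, in the configs posted in this thread) can survive on the client side. Suggest keying the downgrade on a configuration option or on the affected hosts rather than a global comment, and keeping a report(LOG_DEBUG, ...) line that records it, since the existing "status is now AUTHOR_STATUS_PASS_REPL" message is inside the comment as well. Minor: the comment names TAC_AUTHOR_STATUS_PASS_REPL while the code uses AUTHOR_STATUS_PASS_REPL.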
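The do_auth.ini groups John Fraizer posted in the "Cisco Nexus Authorization problem" reply above combine command_deny and command_permit regex lists, and the session at the top of this page shows what happens when a command that should be denied is not. The following is an added example, not code from do_auth.py or from the tac_plus distribution: it loads a constructed ini condensed from those groups and decides sample commands. Two things are assumptions that the thread does not state: patterns are matched anchored at the start of the command line (re.match), and a command matching neither list is denied. Which list wins when both match is left as a parameter, because the posted rules answer differently under the two orders: with deny checked first, no_authority's `command_deny = .*` denies even `exit`, and rancid_group's `enable password.*` stays blocked despite `enable.*`; with permit checked first, both outcomes flip. Whichever order the real do_auth.py uses, that is the property to verify on the device, not on paper.

```python
"""
Evaluate do_auth.ini-style command rules against sample commands.

Added example, not part of do_auth.py or tac_plus.  Assumptions (not stated
in the thread): patterns are anchored at the start of the command (re.match);
a command matching neither list is denied; the precedence of command_deny
over command_permit is a parameter, defaulting to deny-first (fail-closed).
"""
import configparser
import re

# Constructed sample, condensed from the thread's do_auth.ini.  Host/device
# rules and av_pairs are left out; only the command rules matter here.
SAMPLE_INI = """
[users]
default = no_authority
joeengineer = engineering
rancid = rancid_group

[no_authority]
command_deny =
    .*
command_permit =
    exit.*

[rancid_group]
command_deny =
    enable password.*
    enable secret.*
command_permit =
    show.*
    dir.*
    more.*
    copy .*
    terminal .*
    enable.*
    write t.*
    set length .*
    set logging session disable.*
    exit.*

[engineering]
command_deny =
command_permit =
    .*
"""


def load_rules(text=SAMPLE_INI):
    """Parse do_auth.ini-style text; interpolation off so '%' stays literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def patterns(cp, group, key):
    """Return the non-empty pattern lines of a multi-line option."""
    raw = cp.get(group, key, fallback="")
    return [line.strip() for line in raw.splitlines() if line.strip()]


def group_for(cp, user):
    """Map a user to its group, falling back to the [users] 'default' entry."""
    users = cp["users"]
    return users.get(user, users["default"])


def first_match(pats, command):
    """First pattern that matches at the start of the command, or None."""
    for pat in pats:
        if re.match(pat, command):
            return pat
    return None


def authorize_command(cp, user, command, deny_first=True):
    """Decide one command for one user; returns (decision, reason)."""
    group = group_for(cp, user)
    deny_hit = first_match(patterns(cp, group, "command_deny"), command)
    permit_hit = first_match(patterns(cp, group, "command_permit"), command)
    if deny_first and deny_hit:
        return "deny", f"{group}: command_deny /{deny_hit}/"
    if permit_hit:
        return "permit", f"{group}: command_permit /{permit_hit}/"
    if deny_hit:
        return "deny", f"{group}: command_deny /{deny_hit}/"
    return "deny", f"{group}: no command_permit matched"


if __name__ == "__main__":
    rules = load_rules()
    samples = [("rancid", "show running-config"), ("rancid", "enable"),
               ("rancid", "enable password foo"), ("rancid", "configure terminal"),
               ("joeengineer", "configure terminal"), ("bob", "exit"),
               ("bob", "show version")]
    for order in (True, False):
        print(f"--- deny_first={order}")
        for user, cmd in samples:
            decision, why = authorize_command(rules, user, cmd, deny_first=order)
            print(f"{user:12} {cmd:24} {decision:6} ({why})")
```

Running it prints the same seven commands under both precedences; the rows for `bob exit` and `rancid enable password foo` are the ones that change, which is why the order matters more than the pattern list itself.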
From hansbogert at gmail.com Thu Jul 23 23:55:29 2015
From: hansbogert at gmail.com (Hans van den Bogert)
Date: Fri, 24 Jul 2015 01:55:29 +0200
Subject: [tac_plus] Work around for BUG in Arista EOS <=4.9.1
In-Reply-To:
References:
Message-ID:

reminds me of what I had to do, forgot the hardware. If needed, let me know and I'll look it up (not arista IIRC). I patched it even more ugly probably:

https://github.com/hansbogert/tacacs-plus/commit/88b4aac5ba53916bf78ea6ae0eaaf83e5221304c

From usaf23 at gmail.com Thu Jul 23 19:29:14 2015
From: usaf23 at gmail.com (Nathan Ollis)
Date: Thu, 23 Jul 2015 19:29:14 +0000
Subject: [tac_plus] Tacspoof.pl
Message-ID:

Running Ubuntu 14.04 for months...now setting up logging to an external syslog server. From everything I have found online, tacspoof.pl should be included in the package...but I cannot for the life of me find it. Any suggestions?

Thanks!!
Nathan

From john.chase at rakuten.com Fri Jul 24 19:48:03 2015
From: john.chase at rakuten.com (Chase, John)
Date: Fri, 24 Jul 2015 19:48:03 +0000
Subject: [tac_plus] TACACS Solution?
Message-ID:

Good day I am in preparation of replacing our existing Cisco TAC product with something new due to the EOL of Windows 2003. I was wondering if your TAC_Plus solution is PCI compliant?
Thank you

John Chase
Rakuten USA, Americas Development Unit
System Administrator
85 Enterprise | Suite 100
Aliso Viejo, CA 92656
P: 949.448.5461

NOTICE: This email contains confidential and/or proprietary information, some or all of which may be legally privileged. It is intended only for the named recipient. If an addressing or transmission error has misdirected the email, please notify the author with a reply email message. If you are not the named recipient, you must not use, disclose, distribute, copy, print or rely on this email, and should immediately delete it from your computer system.

From heas at shrubbery.net Fri Jul 24 20:28:07 2015
From: heas at shrubbery.net (heasley)
Date: Fri, 24 Jul 2015 20:28:07 +0000
Subject: [tac_plus] TACACS Solution?
In-Reply-To:
References:
Message-ID: <20150724202807.GA77474@shrubbery.net>

Fri, Jul 24, 2015 at 07:48:03PM +0000, Chase, John:
> Good day I am in preparation of replacing our existing Cisco TAC product with something new due to the EOL of Windows 2003. I was wondering if your TAC_Plus solution is PCI compliant?

yes, it can run over PCI busses.

From matta at surveymonkey.com Fri Jul 24 20:33:39 2015
From: matta at surveymonkey.com (Matt Almgren)
Date: Fri, 24 Jul 2015 20:33:39 +0000
Subject: [tac_plus] TACACS Solution?
In-Reply-To:
References:
Message-ID:

Sorry, hit send before it was time.

The PCI 3.0 requirement is:

1.2.2 Secure and synchronize router configuration files.
1.2.2.a Examine router configuration files to verify they are secured from unauthorized access.
1.2.2.b Examine router configurations to verify they are synchronized, for example, the running (or active) configuration matches the start-up configuration (used when machines are booted)

While the running (or active) router configuration files include the current, secure settings, the startup files (which are used when routers are restarted or booted) must be updated with the same secure settings to ensure these settings are applied when the start-up configuration is run. Because they only run occasionally, start-up configuration files are often forgotten and are not updated. When a router re-starts and loads a start-up configuration that has not been updated with the same secure settings as those in the running configuration, it may result in weaker rules that allow malicious individuals into the network.

Unless I'm missing something, that's all our auditor told us we need to be concerned with. TAC+ handles all of it nicely.

Matt
URL: From matta at surveymonkey.com Fri Jul 24 20:28:09 2015 From: matta at surveymonkey.com (Matt Almgren) Date: Fri, 24 Jul 2015 20:28:09 +0000 Subject: [tac_plus] TACACS Solution? Message-ID: That?s an interesting question. TAC+ s the medium/method that is used as the medium for the PCI requirement. PCI states that configurations have to be backed up to a secure location. There?s no mention of ?what? software is used, as long as the above holds true. 1.2.2 Secure and synchronize router configuration files. From: , John > Date: Friday, July 24, 2015 at 12:48 PM To: "tac_plus at shrubbery.net" > Subject: [tac_plus] TACACS Solution? Good day I am in preparation of replacing our existing Cisco TAC product with something new due to the EOL of Windows 2003. I was wondering if your TAC_Plus solution is PCI compliant? Thank you John Chase Rakuten USA, Americas Development Unit System Administrator 85 Enterprise | Suite 100 Aliso Viejo, CA 92656 P: 949.448.5461 [Description: Description: Description: Z:\Rakuten USA\rakuten_logo R.jpg] NOTICE: This email contains confidential and/or proprietary information, some or all of which may be legally privileged. It is intended only for the named recipient. If an addressing or transmission error has misdirected the email, please notify the author with a reply email message. If you are not the named recipient, you must not use, disclose, distribute, copy, print or rely on this email, and should immediately delete it from your computer system. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.jpg Type: image/jpeg Size: 2533 bytes Desc: image001.jpg URL: _______________________________________________ tac_plus mailing list tac_plus at shrubbery.net http://www.shrubbery.net/mailman/listinfo/tac_plus -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From aaron.wasserott at viawest.com Fri Jul 24 20:49:02 2015 From: aaron.wasserott at viawest.com (Aaron Wasserott) Date: Fri, 24 Jul 2015 20:49:02 +0000 Subject: [tac_plus] TACACS Solution? In-Reply-To: References: Message-ID: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05B95B37@mbx030-w1-co-6.exch030.domain.local> We use the shrubbery version of tac_plus within our PCI environment and have always passed our audits. The only thing auditors don't like is that since it's not a commercial software product, there are no security vulnerability announcements and patches. With the proper network hardening, it is easy to document an exception for it. I.e., put your tacacs server into a dedicated security zone, only permit network devices to contact the tacacs server over port 49, restrict user login to tacacs server, file permissions, etc. And we use RANCID for network device configuration backup, also without any PCI audit issue. -----Original Message----- From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Matt Almgren Sent: Friday, July 24, 2015 2:28 PM To: Chase, John; tac_plus at shrubbery.net Subject: Re: [tac_plus] TACACS Solution? That's an interesting question. TAC+ s the medium/method that is used as the medium for the PCI requirement. PCI states that configurations have to be backed up to a secure location. There's no mention of "what" software is used, as long as the above holds true. 1.2.2 Secure and synchronize router configuration files. From: , John > Date: Friday, July 24, 2015 at 12:48 PM To: "tac_plus at shrubbery.net" > Subject: [tac_plus] TACACS Solution? Good day I am in preparation of replacing our existing Cisco TAC product with something new due to the EOL of Windows 2003. I was wondering if your TAC_Plus solution is PCI compliant? 
Thank you John Chase Rakuten USA, Americas Development Unit System Administrator 85 Enterprise | Suite 100 Aliso Viejo, CA 92656 P: 949.448.5461 [Description: Description: Description: Z:\Rakuten USA\rakuten_logo R.jpg] NOTICE: This email contains confidential and/or proprietary information, some or all of which may be legally privileged. It is intended only for the named recipient. If an addressing or transmission error has misdirected the email, please notify the author with a reply email message. If you are not the named recipient, you must not use, disclose, distribute, copy, print or rely on this email, and should immediately delete it from your computer system. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.jpg Type: image/jpeg Size: 2533 bytes Desc: image001.jpg URL: _______________________________________________ tac_plus mailing list tac_plus at shrubbery.net http://www.shrubbery.net/mailman/listinfo/tac_plus -------------- next part -------------- An HTML attachment was scrubbed... URL: _______________________________________________ tac_plus mailing list tac_plus at shrubbery.net http://www.shrubbery.net/mailman/listinfo/tac_plus This message contains information that may be confidential, privileged or otherwise protected by law from disclosure. It is intended for the exclusive use of the addressee(s). Unless you are the addressee or authorized agent of the addressee, you may not review, copy, distribute or disclose to anyone the message or any information contained within. If you have received this message in error, please contact the sender by electronic reply and immediately delete all copies of the message. From john at op-sec.us Fri Jul 24 21:15:24 2015 From: john at op-sec.us (John Fraizer) Date: Fri, 24 Jul 2015 14:15:24 -0700 Subject: [tac_plus] TACACS Solution? 
In-Reply-To: References: Message-ID: TAC_PLUS is a TACACS+ daemon. It is going to provide a AAA (Authentication, Authorization & Accounting) solution for you. It does NOT synchronize or examine router/switch configurations. For that, you will need something else - such as RANCID. On Fri, Jul 24, 2015 at 1:33 PM, Matt Almgren wrote: > 1.2.2 Secure and synchronize router configuration files. > 1.2.2.a Examine router configuration files to verify they are secured from unauthorized access. > 1.2.2.b Examine router configurations to verify they are synchronized?for example, the running (or active) configuration matches the start-up configuration (used when machines are booted) > > While the running (or active) router configuration files include the current, secure settings, the startup files (which are used when routers are restarted or booted) must be updated with the same secure settings to ensure these settings are applied when the start-up configuration is run. Because they only run occasionally, start-up configuration files are often forgotten and are not updated. When a router re-starts and loads a start-up configuration that has not been updated with the same secure settings as those in the running configuration, it may result in weaker rules that allow malicious individuals into the network. > > Unless I?m missing something, that?s all our auditor told us we need to be concerned with. TAC+ handles all of it nicely. -- John Fraizer LinkedIn profile: http://www.linkedin.com/in/johnfraizer/ From matta at surveymonkey.com Fri Jul 24 21:37:20 2015 From: matta at surveymonkey.com (Matt Almgren) Date: Fri, 24 Jul 2015 21:37:20 +0000 Subject: [tac_plus] TACACS Solution? In-Reply-To: References: Message-ID: Yup Yup, I realized after sending that and reading John?s reply. We use them both, so I got them mixed up. 
Thanks, Matt From: John Fraizer > Date: Friday, July 24, 2015 at 2:15 PM To: Matt Almgren > Cc: "Chase, John" >, "tac_plus at shrubbery.net" > Subject: Re: [tac_plus] TACACS Solution? TAC_PLUS is a TACACS+ daemon. It is going to provide a AAA (Authentication, Authorization & Accounting) solution for you. It does NOT synchronize or examine router/switch configurations. For that, you will need something else - such as RANCID. On Fri, Jul 24, 2015 at 1:33 PM, Matt Almgren > wrote: 1.2.2 Secure and synchronize router configuration files. 1.2.2.a Examine router configuration files to verify they are secured from unauthorized access. 1.2.2.b Examine router configurations to verify they are synchronized?for example, the running (or active) configuration matches the start-up configuration (used when machines are booted) While the running (or active) router configuration files include the current, secure settings, the startup files (which are used when routers are restarted or booted) must be updated with the same secure settings to ensure these settings are applied when the start-up configuration is run. Because they only run occasionally, start-up configuration files are often forgotten and are not updated. When a router re-starts and loads a start-up configuration that has not been updated with the same secure settings as those in the running configuration, it may result in weaker rules that allow malicious individuals into the network. Unless I?m missing something, that?s all our auditor told us we need to be concerned with. TAC+ handles all of it nicely. -- John Fraizer LinkedIn profile: http://www.linkedin.com/in/johnfraizer/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From john.chase at rakuten.com Fri Jul 24 20:36:28 2015 From: john.chase at rakuten.com (Chase, John) Date: Fri, 24 Jul 2015 20:36:28 +0000 Subject: [tac_plus] TACACS Solution? In-Reply-To: References: Message-ID: Ok thanks Matt, I appreciate the feedback. 
-John From: Matt Almgren [mailto:matta at surveymonkey.com] Sent: Friday, July 24, 2015 1:34 PM To: Chase, John; tac_plus at shrubbery.net Subject: Re: [tac_plus] TACACS Solution? Sorry, hit send before it was time. The PCI 3.0 requirement is : 1.2.2 Secure and synchronize router configuration files. 1.2.2.a Examine router configuration files to verify they are secured from unauthorized access. 1.2.2.b Examine router configurations to verify they are synchronized-for example, the running (or active) configuration matches the start-up configuration (used when machines are booted) While the running (or active) router configuration files include the current, secure settings, the startup files (which are used when routers are restarted or booted) must be updated with the same secure settings to ensure these settings are applied when the start-up configuration is run. Because they only run occasionally, start-up configuration files are often forgotten and are not updated. When a router re-starts and loads a start-up configuration that has not been updated with the same secure settings as those in the running configuration, it may result in weaker rules that allow malicious individuals into the network. Unless I'm missing something, that's all our auditor told us we need to be concerned with. TAC+ handles all of it nicely. - Matt From: Matt Almgren > Date: Friday, July 24, 2015 at 1:28 PM To: "Chase, John" >, "tac_plus at shrubbery.net" > Subject: Re: [tac_plus] TACACS Solution? That's an interesting question. TAC+ s the medium/method that is used as the medium for the PCI requirement. PCI states that configurations have to be backed up to a secure location. There's no mention of "what" software is used, as long as the above holds true. 1.2.2 Secure and synchronize router configuration files. From: , John > Date: Friday, July 24, 2015 at 12:48 PM To: "tac_plus at shrubbery.net" > Subject: [tac_plus] TACACS Solution? 
Good day I am in preparation of replacing our existing Cisco TAC product with something new due to the EOL of Windows 2003. I was wondering if your TAC_Plus solution is PCI compliant? Thank you John Chase Rakuten USA, Americas Development Unit System Administrator 85 Enterprise | Suite 100 Aliso Viejo, CA 92656 P: 949.448.5461 [Description: Description: Description: Z:\Rakuten USA\rakuten_logo R.jpg] NOTICE: This email contains confidential and/or proprietary information, some or all of which may be legally privileged. It is intended only for the named recipient. If an addressing or transmission error has misdirected the email, please notify the author with a reply email message. If you are not the named recipient, you must not use, disclose, distribute, copy, print or rely on this email, and should immediately delete it from your computer system. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.jpg Type: image/jpeg Size: 2533 bytes Desc: image001.jpg URL: _______________________________________________ tac_plus mailing list tac_plus at shrubbery.net http://www.shrubbery.net/mailman/listinfo/tac_plus -------------- next part -------------- An HTML attachment was scrubbed... URL:
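John Fraizer's point in the thread above is that tac_plus is an AAA daemon and does not examine or synchronize device configurations, so the PCI DSS 1.2.2.b verification (running configuration matches start-up configuration) has to come from whatever captures the configurations, such as RANCID. The block below is an added example, not code from this thread, from tac_plus or from RANCID, showing what that verification looks like on two captured configuration texts: it flattens the indentation-based IOS-style hierarchy so each sub-command is compared in the context of its section, drops header lines that legitimately differ between the two outputs, and reports which lines would be lost on reload (active but unsaved) and which would come back (stale in start-up). The sample configurations, the hostname and addresses in them, and the VOLATILE header patterns are constructed assumptions for illustration.

```python
"""Verify that a device's running configuration is synchronized with its
start-up configuration (the PCI DSS 1.2.2.b check discussed in the thread).

Added example; this is not tac_plus or RANCID code. The configuration texts
below are constructed IOS-style samples standing in for the captured output
of 'show running-config' and 'show startup-config'.
"""
import difflib
import re
from typing import Dict, List, Tuple

# Header lines that legitimately differ between the two outputs and must not
# be reported as drift. Assumptions about common IOS output, not from the thread.
VOLATILE = [
    re.compile(r"^Building configuration"),
    re.compile(r"^Current configuration\s*:"),
    re.compile(r"^Using \d+ out of \d+ bytes"),
]


def flatten(config: str) -> List[str]:
    """Turn an indentation-structured config into context-qualified lines.

    'interface Gi0/1' followed by ' ip access-group EDGE-IN in' becomes
    'interface Gi0/1 > ip access-group EDGE-IN in', so a sub-command is
    compared together with its section instead of as a bare line that would
    also match the same text under another interface. Comment lines ('!'),
    blank lines and volatile headers are dropped.
    """
    flat: List[str] = []
    stack: List[Tuple[int, str]] = []  # (indent, text) of enclosing lines
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!") or any(p.match(text) for p in VOLATILE):
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:  # left a section: unwind it
            stack.pop()
        flat.append(" > ".join([t for _, t in stack] + [text]))
        stack.append((indent, text))
    return flat


def config_drift(running: str, startup: str) -> Dict[str, List[str]]:
    """Lines present on one side only, in file order.

    'unsaved': active in running but missing from start-up; lost on reload.
    'stale':   in start-up but not running; comes back on reload (possibly a
               weaker rule that was removed from the live config long ago).
    """
    run, start = flatten(running), flatten(startup)
    run_set, start_set = set(run), set(start)
    return {
        "unsaved": [line for line in run if line not in start_set],
        "stale": [line for line in start if line not in run_set],
    }


def is_synchronized(running: str, startup: str) -> bool:
    """True when neither side has lines the other lacks (1.2.2.b passes)."""
    drift = config_drift(running, startup)
    return not drift["unsaved"] and not drift["stale"]


def drift_report(running: str, startup: str) -> str:
    """Unified diff of the flattened configs, suitable for the audit evidence file."""
    return "\n".join(difflib.unified_diff(
        flatten(startup), flatten(running),
        fromfile="startup-config", tofile="running-config", lineterm=""))


# Constructed sample: the running config was hardened (ACL catch-all deny,
# ACL applied to the interface, HTTP server disabled) but never written to
# start-up, which still carries the older, weaker settings.
RUNNING_CONFIG = """Building configuration...

Current configuration : 1511 bytes
!
! Last configuration change at 14:02:11 UTC Fri Jul 24 2015
!
hostname edge-rtr1
!
aaa new-model
aaa authentication login default group tacacs+ local
!
tacacs server tacacs-srv
 address ipv4 192.0.2.10
 key 7 PLACEHOLDER-KEY
!
ip access-list extended EDGE-IN
 permit tcp any host 198.51.100.20 eq 443
 deny ip any any log
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip access-group EDGE-IN in
!
no ip http server
end
"""

STARTUP_CONFIG = """Using 1402 out of 262144 bytes
!
! NVRAM config last updated at 09:15:42 UTC Mon Jul 6 2015
!
hostname edge-rtr1
!
aaa new-model
aaa authentication login default group tacacs+ local
!
tacacs server tacacs-srv
 address ipv4 192.0.2.10
 key 7 PLACEHOLDER-KEY
!
ip access-list extended EDGE-IN
 permit tcp any host 198.51.100.20 eq 443
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
ip http server
end
"""

if __name__ == "__main__":
    if is_synchronized(RUNNING_CONFIG, STARTUP_CONFIG):
        print("running-config and startup-config are synchronized")
    else:
        print(drift_report(RUNNING_CONFIG, STARTUP_CONFIG))
```

Run against the samples, the check flags three unsaved hardening lines (the ACL's final deny, the access-group binding on GigabitEthernet0/1 and `no ip http server`) and one stale line (`ip http server`) that would return on reload, which is exactly the "weaker rules" failure mode the requirement text describes. Comparing context-qualified lines as sets rather than raw text keeps the check immune to reordering and to the volatile headers, while still catching a sub-command that moved from one interface to another.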