[tac_plus] Cisco Nexus Authorization problem
Kevin.Cruse at Instinet.com
Kevin.Cruse at Instinet.com
Wed Jul 22 18:44:03 UTC 2015
Aaron
Do you have experience with Arista? It seems I am having similar problem
with this device. Authentication works fine, but once i login and send
enable password I can run any command i'd like. It's not restricting access
to my preconfigured commands:
Arista1#sh run | i aaa
aaa group server tacacs+ CiscoACS
aaa authentication login default group CiscoACS local
aaa authorization exec default group CiscoACS local
aaa authorization commands all default group CiscoACS local
aaa accounting exec default start-stop group CiscoACS
aaa accounting commands all default start-stop group CiscoACS
no aaa root
-----
user = testuser {
login = clear "test123"
pap = clear "test123"
member = snm
}
group = snm {
default service = deny
service = shell {
set shell:roles="\"network-admin\""
default command = deny
default attribute = deny
set priv-lvl = 15
cmd = configure {deny .*}
cmd = clear {
permit "counters"
permit "qos stat"
permit "mls qos int"
}
cmd = disable {permit .*}
cmd = enable {permit .*}
cmd = end {permit .*}
cmd = exit {permit .*}
cmd = logout {permit .*}
cmd = ping {permit .*}
cmd = set {
permit "length 0"
}
cmd = show {
deny "controllers vip"
permit .*
}
cmd = skip-page-display {permit .*}
cmd = terminal {
permit "length 0"
}
cmd = write {
permit "network"
permit "terminal"
permit "memory"
}
}
}
----
Arista1 login: testuser
Password:
Last login: Wed Jul 22 18:49:42 on ttyS0
Arista1>en
Password:
Arista1#conf t <--- This command should be restricted
Arista1(config)#interface eth 10 <--- This command should be restricted
Arista1(config-if-Et10)#shut <--- This command should be restricted
Arista1(config-if-Et10)#end
Arista1#exit
From: Aaron Wasserott <aaron.wasserott at viawest.com>
To: "Kevin.Cruse at Instinet.com" <Kevin.Cruse at Instinet.com>,
"tac_plus at shrubbery.net" <tac_plus at shrubbery.net>,
Date: 07/16/2015 09:26 PM
Subject: RE: [tac_plus] Cisco Nexus Authorization problem
Try changing "service = shell" to "service = exec" and see if that works. I
have NX-OS working fine using that. Also, I have never seen the shell
service used in real-world examples for network devices. But reading the
manpage it appears it should work to prevent them from entering
configuration mode, as long as your AAA commands are set right.
service=shell
for exec startup, and also for command authorizations.
Requires: aaa authorization exec tacacs+
Whether authorization happens, and at which prompt level, depends on the
aaa authorization settings. It's possible to only restrict exec level
commands, and prevent them from entering the 'conf t' command. But if you
want them in conf t mode but restrict their commands at that level, you
need to enable something like this:
aaa authorization config-commands default group myTacacsGroup local
If changing the service doesn't work, include the AAA commands on your
NX-OS switches.
-----Original Message-----
From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of
Kevin.Cruse at Instinet.com
Sent: Thursday, July 16, 2015 3:40 PM
To: tac_plus at shrubbery.net
Subject: [tac_plus] Cisco Nexus Authorization problem
Hello
I have configured TACPLUS to work with cisco nexus device. I am able to
successfully authenticate, however, I am able to run all commands on
router. It seems the router is not restricted to the commands specified in
my group config. Has anyone gotten Cisco nexus to work properly with
tacplus? I need to limit certain users and cannot get this working
properly. Any help is greatly appreciated!!! Thanks.
Group Config:
group = snm {
default service = deny
service = shell {
set shell:roles="\"network-admin\""
default command = deny
default attribute = deny
set priv-lvl = 15
cmd = configure {deny .*}
cmd = clear {
permit "counters"
permit "qos stat"
permit "mls qos int"
}
cmd = disable {permit .*}
cmd = enable {permit .*}
cmd = end {permit .*}
cmd = exit {permit .*}
cmd = logout {permit .*}
cmd = ping {permit .*}
cmd = set {
permit "length 0"
}
cmd = show {
deny "controllers vip"
permit .*
}
cmd = skip-page-display {permit .*}
cmd = terminal {
permit "length 0"
}
cmd = write {
permit "network"
permit "terminal"
permit "memory"
}
}
}
user = testuser {
member = snm
}
Session output from router:
telnet labrouter
Trying labrouter...
Connected to labrouter.
Escape character is '^]'.
User Access Verification
login: testuser
Password:
Cisco Nexus Operating System (NX-OS) Software TAC support:
http://www.cisco.com/tac Copyright (c) 2002-2014, Cisco Systems, Inc. All
rights reserved.
The copyrights to certain works contained in this software are owned by
other third parties and used and distributed under license. Certain
components of this software are licensed under the GNU General Public
License (GPL) version 2.0 or the GNU Lesser General Public License (LGPL)
Version 2.1. A copy of each such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
LABROUTER# configure
<------------------------------------------------------------ This should
be denied Enter configuration commands, one per line. End with CNTL/Z.
LABROUTER(config)# interface ethernet 1/1 configure
<------------------------------------------------------------ This should
be denied LABROUTER(config-if)# shut
<------------------------------------------------------------ This should
be denied LABROUTER(config-if)# no shut
<------------------------------------------------------------ This should
be denied LABROUTER(config-if)# end LABROUTER#
=========================================================================================================
<<<< Disclaimer >>>> This message is intended solely for use by the
named addressee(s). If you receive this transmission in error, please
immediately notify the sender and destroy this message in its entirety,
whether in electronic or hard copy format. Any unauthorized use (and
reliance thereon), copying, disclosure, retention, or distribution of this
transmission or the material in this transmission is forbidden. We reserve
the right to monitor and archive electronic communications. This material
does not constitute an offer or solicitation with respect to the purchase
or sale of any security. It should not be construed to contain any
recommendation regarding any security or strategy. Any views expressed are
those of the individual sender, except where the message states otherwise
and the sender is authorized to state them to be the views of any such
entity. This communication is provided on an “as is” basis. It contains
material that is owned by Instinet Incorporated, its subsidiaries or its or
their licensors, and may not, in whole or in part, be (i) copied,
photocopied or duplicated in any form, by any means, or (ii) redistributed,
posted, published, excerpted, or quoted without Instinet Incorporated's
prior written consent. Please access the following link for important
information and instructions:
http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt
Securities products and services are provided by locally registered
brokerage subsidiaries of Instinet Incorporated: Instinet Australia Pty
Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the Australian
Securities & Investments Commission; Instinet Canada Limited, member
IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by the
Securities and Futures Commission of Hong Kong; Instinet Singapore Services
Private Limited, regulated by the Monetary Authority of Singapore, trading
member of The Singapore Exchange Securities Trading Private Limited and
clearing member of The Central Depository (Pte) Limited; and Instinet, LLC,
member SIPC.
=========================================================================================================
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <
http://www.shrubbery.net/pipermail/tac_plus/attachments/20150716/5c309608/attachment.html
>
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo/tac_plus
This message contains information that may be confidential, privileged or
otherwise protected by law from disclosure. It is intended for the
exclusive use of the addressee(s). Unless you are the addressee or
authorized agent of the addressee, you may not review, copy, distribute or
disclose to anyone the message or any information contained within. If you
have received this message in error, please contact the sender by
electronic reply and immediately delete all copies of the message.
========================================================================================================= <<<< Disclaimer >>>> This message is intended solely for use by the named addressee(s). If you receive this transmission in error, please immediately notify the sender and destroy this message in its entirety, whether in electronic or hard copy format. Any unauthorized use (and reliance thereon), copying, disclosure, retention, or distribution of this transmission or the material in this transmission is forbidden. We reserve the right to monitor and archive electronic communications. This material does not constitute an offer or solicitation with respect to the purchase or sale of any security. It should not be construed to contain any recommendation regarding any security or strategy. Any views expressed are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. This communication is provided on an “as is” basis. It contains material that is owned by Instinet Incorporated, its subsidiaries or its or their licensors, and may not, in whole or in part, be (i) copied, photocopied or duplicated in any form, by any means, or (ii) redistributed, posted, published, excerpted, or quoted without Instinet Incorporated's prior written consent. Please access the following link for important information and instructions: http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt Securities products and services are provided by locally registered brokerage subsidiaries of Instinet Incorporated: Instinet Australia Pty Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the Australian Securities & Investments Commission; Instinet Canada Limited, member IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by the Securities and Futures Commission of Hong Kong; Instinet Singapore Services Private Limited, regulated by the Monetary Authority of Singapore, trading member of The Singapore Exchange Securities Trading Private Limited and clearing member of The Central Depository (Pte) Limited; and Instinet, LLC, member SIPC.
=========================================================================================================
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20150722/04a4b782/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: graycol.gif
Type: image/gif
Size: 105 bytes
Desc: not available
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20150722/04a4b782/attachment.gif>
More information about the tac_plus
mailing list