[tac_plus] Cisco Nexus Authorization problem
Aaron Wasserott
aaron.wasserott at viawest.com
Thu Jul 23 16:41:35 UTC 2015
This email dist-list is for the shrubbery version of tac_plus.
http://www.shrubbery.net/tac_plus/
Reading the web page from where the MAVIS version is located I notice this:
http://www.pro-bono-publico.de/projects/index.html
tac_plus<http://www.pro-bono-publico.de/projects/tac_plus.html> [pdf]<http://www.pro-bono-publico.de/projects/pdf/tac_plus.pdf> is an event-driven TACACS+ daemon which utilizes the MAVIS backend for authentication ***and authorization*** (and may get its user data from various<http://www.pro-bono-publico.de/projects/unpacked/mavis/perl/> sources<http://www.pro-bono-publico.de/projects/unpacked/mavis/>, including PAM, LDAP, RADIUS and ActiveDirectory<http://www.pro-bono-publico.de/projects/howto-tac_plus-ads.html>; suitable schema files<http://www.pro-bono-publico.de/projects/unpacked/mavis/perl/> for OpenLDAP are included). Supported features include IPv6, single-connection and much more.
Makes sense that some things won’t work the same across both version.
From: Kevin.Cruse at Instinet.com [mailto:Kevin.Cruse at Instinet.com]
Sent: Thursday, July 23, 2015 10:35 AM
To: Aaron Wasserott
Cc: tac_plus at shrubbery.net
Subject: RE: [tac_plus] Cisco Nexus Authorization problem
I don't think mavvis build likes 'after authorization' I get an error when calling it. I used this documentation when setting up tac_plus:
http://sysmagazine.com/posts/217669/
error with above setup:
/usr/local/etc/tac_plus.cfg:449: Unrecognized keyword 'after' (user/group: snm)
8334: /usr/local/etc/tac_plus.cfg:449: Unrecognized keyword 'after' (user/group: snm)
I tried same configuration in native tac_plus setup and there was no error. I am trying to get tac_plus to work with PAM but kept running into issues and it was not working seamlessly which is why i setup the mavvis version. I am working on getting PAM to work properly with native tac_plus since the mavvis build seems to introduce more problems then fixes.
[Inactive hide details for Aaron Wasserott ---07/23/2015 11:18:53 AM---It doesn’t look like Mavis would interfere with authoriz]Aaron Wasserott ---07/23/2015 11:18:53 AM---It doesn’t look like Mavis would interfere with authorization. Based on your configs authorization s
From: Aaron Wasserott <aaron.wasserott at viawest.com<mailto:aaron.wasserott at viawest.com>>
To: "Kevin.Cruse at Instinet.com<mailto:Kevin.Cruse at Instinet.com>" <Kevin.Cruse at Instinet.com<mailto:Kevin.Cruse at Instinet.com>>,
Cc: "tac_plus at shrubbery.net<mailto:tac_plus at shrubbery.net>" <tac_plus at shrubbery.net<mailto:tac_plus at shrubbery.net>>
Date: 07/23/2015 11:18 AM
Subject: RE: [tac_plus] Cisco Nexus Authorization problem
________________________________
It doesn’t look like Mavis would interfere with authorization. Based on your configs authorization should still be handled by tac_plus itself.
Linking tac_plus.conf to do_auth is done with the stanza “after authorization“ inside a user or group definition.
John Fraizer did a good write-up of how to use do_auth here:
http://www.shrubbery.net/pipermail/tac_plus/2015-April/001622.html
Locate your source for tac_plus and find the do_auth.py file. Inside that are some good instructions for setting it up. The web page for do_auth is here and has some specific examples:
http://www.tacacs.org/
From: Kevin.Cruse at Instinet.com<mailto:Kevin.Cruse at Instinet.com> [mailto:Kevin.Cruse at Instinet.com]
Sent: Thursday, July 23, 2015 8:59 AM
To: Aaron Wasserott
Cc: tac_plus at shrubbery.net<mailto:tac_plus at shrubbery.net>
Subject: RE: [tac_plus] Cisco Nexus Authorization problem
I am using the mavis backend and wonder if that is the problem? How do i configure do_auth? I am using tac_plus version 201503121920. I cannot find great example of how to use do_auth with existing configuration ie how do i tell the config file to use do_auth?
id = tac_plus {
debug = AUTHEN ACCT MAVIS PACKET
access log = /var/log/tac_plus/access/%Y%m%d.log
authentication log = /var/log/tac_plus/auth/%Y%m%d.log
accounting log = /var/log/tac_plus/acct/%Y%m%d.log
authorization log = /var/log/tac_plus/authorization/%Y%m%d.log
mavis module = external {
setenv LDAP_SERVER_TYPE = "microsoft"
setenv LDAP_HOSTS = "server:389"
setenv LDAP_BASE = "dc=domain,dc=corp,dc=local"
setenv LDAP_SCOPE = sub
#setenv LDAP_FILTER = "(&(objectclass=user) (sAMAccountName = % s))"
setenv LDAP_USER = "svcTacacs"
setenv LDAP_PASSWD = "T at c@c$!"
setenv AD_GROUP_PREFIX = "prv-AMS_Tacacs"
setenv EXPAND_AD_GROUP_MEMBERSHIP = 1
setenv FLAG_USE_MEMBEROF = 1
#setenv REQUIRE_TACACS_GROUP_PREFIX = 1
#setenv FLAG_USE_MEMBEROF = 1
exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
}
login backend = mavis
user backend = mavis
pap backend = mavis
host = world {
address = ::/0
prompt = "This is a protected device. Unauthorized access is prohibited\n"
enable 15 = clear secret
key = password
}
group = admin {
message = "[Admin Privileges]"
default service = permit
service = shell {
default command = permit
default attribute = permit
set priv-lvl = 15
cmd = debug{deny .*}
}
}
[Inactive hide details for Aaron Wasserott ---07/22/2015 03:28:27 PM---Kevin, I just tested this and it works for me. User can r]Aaron Wasserott ---07/22/2015 03:28:27 PM---Kevin, I just tested this and it works for me. User can run show commands, but not enter conf t mode
From: Aaron Wasserott <aaron.wasserott at viawest.com<mailto:aaron.wasserott at viawest.com>>
To: "Kevin.Cruse at Instinet.com<mailto:Kevin.Cruse at Instinet.com>" <Kevin.Cruse at Instinet.com<mailto:Kevin.Cruse at Instinet.com>>,
Cc: "tac_plus at shrubbery.net<mailto:tac_plus at shrubbery.net>" <tac_plus at shrubbery.net<mailto:tac_plus at shrubbery.net>>
Date: 07/22/2015 03:28 PM
Subject: RE: [tac_plus] Cisco Nexus Authorization problem
________________________________
Kevin,
I just tested this and it works for me. User can run show commands, but not enter conf t mode.
Arista DCS-7050S-52-R running code 4.8.3. In production we run do_auth. It comes bundled with the latest version of tac_plus and makes tweaking authorization a lot easier. It’s more scalable, syntax is cleaner, and it has its own authorization logs which are easier to read.
# tac_plus.conf
group = tier1 {
default service = permit
login = PAM
pap = PAM
default command = deny
cmd = show {permit .*}
service = exec {
priv-lvl = 15
}
service = raccess {
priv-lvl = 0
}
}
user = first.last {
member = tier1
}
# switch AAA commands
aaa group server tacacs+ TacGroup
aaa authentication login default group TacGroup local
aaa authorization exec default group TacGroup none
aaa authorization commands 15 default group TacGroup none
aaa accounting exec default start-stop group TacGroup
aaa accounting commands 15 default start-stop group TacGroup
no aaa root
-Aaron
From: Kevin.Cruse at Instinet.com<mailto:Kevin.Cruse at Instinet.com> [mailto:Kevin.Cruse at Instinet.com]
Sent: Wednesday, July 22, 2015 12:44 PM
To: Aaron Wasserott
Cc: tac_plus at shrubbery.net<mailto:tac_plus at shrubbery.net>
Subject: RE: [tac_plus] Cisco Nexus Authorization problem
Aaron
Do you have experience with Arista? It seems I am having similar problem with this device. Authentication works fine, but once i login and send enable password I can run any command i'd like. It's not restricting access to my preconfigured commands:
Arista1#sh run | i aaa
aaa group server tacacs+ CiscoACS
aaa authentication login default group CiscoACS local
aaa authorization exec default group CiscoACS local
aaa authorization commands all default group CiscoACS local
aaa accounting exec default start-stop group CiscoACS
aaa accounting commands all default start-stop group CiscoACS
no aaa root
-----
user = testuser {
login = clear "test123"
pap = clear "test123"
member = snm
}
group = snm {
default service = deny
service = shell {
set shell:roles="\"network-admin\""
default command = deny
default attribute = deny
set priv-lvl = 15
cmd = configure {deny .*}
cmd = clear {
permit "counters"
permit "qos stat"
permit "mls qos int"
}
cmd = disable {permit .*}
cmd = enable {permit .*}
cmd = end {permit .*}
cmd = exit {permit .*}
cmd = logout {permit .*}
cmd = ping {permit .*}
cmd = set {
permit "length 0"
}
cmd = show {
deny "controllers vip"
permit .*
}
cmd = skip-page-display {permit .*}
cmd = terminal {
permit "length 0"
}
cmd = write {
permit "network"
permit "terminal"
permit "memory"
}
}
}
----
Arista1 login: testuser
Password:
Last login: Wed Jul 22 18:49:42 on ttyS0
Arista1>en
Password:
Arista1#conf t <--- This command should be restricted
Arista1(config)#interface eth 10 <--- This command should be restricted
Arista1(config-if-Et10)#shut <--- This command should be restricted
Arista1(config-if-Et10)#end
Arista1#exit
[Inactive hide details for Aaron Wasserott ---07/16/2015 09:26:32 PM---Try changing "service = shell" to "service = exec" and se]Aaron Wasserott ---07/16/2015 09:26:32 PM---Try changing "service = shell" to "service = exec" and see if that works. I have NX-OS working fine
From: Aaron Wasserott <aaron.wasserott at viawest.com<mailto:aaron.wasserott at viawest.com>>
To: "Kevin.Cruse at Instinet.com<mailto:Kevin.Cruse at Instinet.com>" <Kevin.Cruse at Instinet.com<mailto:Kevin.Cruse at Instinet.com>>, "tac_plus at shrubbery.net<mailto:tac_plus at shrubbery.net>" <tac_plus at shrubbery.net<mailto:tac_plus at shrubbery.net>>,
Date: 07/16/2015 09:26 PM
Subject: RE: [tac_plus] Cisco Nexus Authorization problem
________________________________
Try changing "service = shell" to "service = exec" and see if that works. I have NX-OS working fine using that. Also, I have never seen the shell service used in real-world examples for network devices. But reading the manpage it appears it should work to prevent them from entering configuration mode, as long as your AAA commands are set right.
service=shell
for exec startup, and also for command authorizations. Requires: aaa authorization exec tacacs+
Whether authorization happens, and at which prompt level, depends on the aaa authorization settings. It's possible to only restrict exec level commands, and prevent them from entering the 'conf t' command. But if you want them in conf t mode but restrict their commands at that level, you need to enable something like this:
aaa authorization config-commands default group myTacacsGroup local
If changing the service doesn't work, include the AAA commands on your NX-OS switches.
-----Original Message-----
From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Kevin.Cruse at Instinet.com<mailto:Kevin.Cruse at Instinet.com>
Sent: Thursday, July 16, 2015 3:40 PM
To: tac_plus at shrubbery.net<mailto:tac_plus at shrubbery.net>
Subject: [tac_plus] Cisco Nexus Authorization problem
Hello
I have configured TACPLUS to work with cisco nexus device. I am able to successfully authenticate, however, I am able to run all commands on router. It seems the router is not restricted to the commands specified in my group config. Has anyone gotten Cisco nexus to work properly with tacplus? I need to limit certain users and cannot get this working properly. Any help is greatly appreciated!!! Thanks.
Group Config:
group = snm {
default service = deny
service = shell {
set shell:roles="\"network-admin\""
default command = deny
default attribute = deny
set priv-lvl = 15
cmd = configure {deny .*}
cmd = clear {
permit "counters"
permit "qos stat"
permit "mls qos int"
}
cmd = disable {permit .*}
cmd = enable {permit .*}
cmd = end {permit .*}
cmd = exit {permit .*}
cmd = logout {permit .*}
cmd = ping {permit .*}
cmd = set {
permit "length 0"
}
cmd = show {
deny "controllers vip"
permit .*
}
cmd = skip-page-display {permit .*}
cmd = terminal {
permit "length 0"
}
cmd = write {
permit "network"
permit "terminal"
permit "memory"
}
}
}
user = testuser {
member = snm
}
Session output from router:
telnet labrouter
Trying labrouter...
Connected to labrouter.
Escape character is '^]'.
User Access Verification
login: testuser
Password:
Cisco Nexus Operating System (NX-OS) Software TAC support: http://www.cisco.com/tac Copyright (c) 2002-2014, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are owned by other third parties and used and distributed under license. Certain components of this software are licensed under the GNU General Public License (GPL) version 2.0 or the GNU Lesser General Public License (LGPL) Version 2.1. A copy of each such license is available at http://www.opensource.org/licenses/gpl-2.0.php and http://www.opensource.org/licenses/lgpl-2.1.php
LABROUTER# configure
<------------------------------------------------------------ This should be denied Enter configuration commands, one per line. End with CNTL/Z.
LABROUTER(config)# interface ethernet 1/1 configure
<------------------------------------------------------------ This should be denied LABROUTER(config-if)# shut
<------------------------------------------------------------ This should be denied LABROUTER(config-if)# no shut
<------------------------------------------------------------ This should be denied LABROUTER(config-if)# end LABROUTER#
========================================================================================================= <<<< Disclaimer >>>> This message is intended solely for use by the named addressee(s). If you receive this transmission in error, please immediately notify the sender and destroy this message in its entirety, whether in electronic or hard copy format. Any unauthorized use (and reliance thereon), copying, disclosure, retention, or distribution of this transmission or the material in this transmission is forbidden. We reserve the right to monitor and archive electronic communications. This material does not constitute an offer or solicitation with respect to the purchase or sale of any security. It should not be construed to contain any recommendation regarding any security or strategy. Any views expressed are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. This communication is provided on an “as is” basis. It contains material that is owned by Instinet Incorporated, its subsidiaries or its or their licensors, and may not, in whole or in part, be (i) copied, photocopied or duplicated in any form, by any means, or (ii) redistributed, posted, published, excerpted, or quoted without Instinet Incorporated's prior written consent. Please access the following link for important information and instructions: http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt Securities products and services are provided by locally registered brokerage subsidiaries of Instinet Incorporated: Instinet Australia Pty Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the Australian Securities & Investments Commission; Instinet Canada Limited, member IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by the Securities and Futures Commission of Hong Kong; Instinet Singapore Services Private Limited, regulated by the Monetary Authority of Singapore, trading member of The Singapore Exchange Securities Trading Private Limited and clearing member of The Central Depository (Pte) Limited; and Instinet, LLC, member SIPC.
=========================================================================================================
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20150716/5c309608/attachment.html>
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net<mailto:tac_plus at shrubbery.net>
http://www.shrubbery.net/mailman/listinfo/tac_plus
This message contains information that may be confidential, privileged or otherwise protected by law from disclosure. It is intended for the exclusive use of the addressee(s). Unless you are the addressee or authorized agent of the addressee, you may not review, copy, distribute or disclose to anyone the message or any information contained within. If you have received this message in error, please contact the sender by electronic reply and immediately delete all copies of the message.
=========================================================================================================
<<<< Disclaimer >>>>
This message is intended solely for use by the named addressee(s). If you receive this transmission in error, please immediately notify the sender and destroy this message in its entirety, whether in electronic or hard copy format. Any unauthorized use (and reliance thereon), copying, disclosure, retention, or distribution of this transmission or the material in this transmission is forbidden. We reserve the right to monitor and archive electronic communications. This material does not constitute an offer or solicitation with respect to the purchase or sale of any security. It should not be construed to contain any recommendation regarding any security or strategy. Any views expressed are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. This communication is provided on an “as is” basis. It contains material that is owned by Instinet Incorporated, its subsidiaries or its or their licensors, and may not, in whole or in part, be (i) copied, photocopied or duplicated in any form, by any means, or (ii) redistributed, posted, published, excerpted, or quoted without Instinet Incorporated's prior written consent. Please access the following link for important information and instructions: http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt<%20http:/instinet.com/includes/index.jsp?thePage=/html/le_index.txt>
Securities products and services are provided by locally registered brokerage subsidiaries of Instinet Incorporated: Instinet Australia Pty Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the Australian Securities & Investments Commission; Instinet Canada Limited, member IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by the Securities and Futures Commission of Hong Kong; Instinet Singapore Services Private Limited, regulated by the Monetary Authority of Singapore, trading member of The Singapore Exchange Securities Trading Private Limited and clearing member of The Central Depository (Pte) Limited; and Instinet, LLC, member SIPC.
=========================================================================================================
This message contains information that may be confidential, privileged or otherwise protected by law from disclosure. It is intended for the exclusive use of the addressee(s). Unless you are the addressee or authorized agent of the addressee, you may not review, copy, distribute or disclose to anyone the message or any information contained within. If you have received this message in error, please contact the sender by electronic reply and immediately delete all copies of the message.
=========================================================================================================
<<<< Disclaimer >>>>
This message is intended solely for use by the named addressee(s). If you receive this transmission in error, please immediately notify the sender and destroy this message in its entirety, whether in electronic or hard copy format. Any unauthorized use (and reliance thereon), copying, disclosure, retention, or distribution of this transmission or the material in this transmission is forbidden. We reserve the right to monitor and archive electronic communications. This material does not constitute an offer or solicitation with respect to the purchase or sale of any security. It should not be construed to contain any recommendation regarding any security or strategy. Any views expressed are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. This communication is provided on an “as is” basis. It contains material that is owned by Instinet Incorporated, its subsidiaries or its or their licensors, and may not, in whole or in part, be (i) copied, photocopied or duplicated in any form, by any means, or (ii) redistributed, posted, published, excerpted, or quoted without Instinet Incorporated's prior written consent. Please access the following link for important information and instructions: http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt<%20http:/instinet.com/includes/index.jsp?thePage=/html/le_index.txt>
Securities products and services are provided by locally registered brokerage subsidiaries of Instinet Incorporated: Instinet Australia Pty Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the Australian Securities & Investments Commission; Instinet Canada Limited, member IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by the Securities and Futures Commission of Hong Kong; Instinet Singapore Services Private Limited, regulated by the Monetary Authority of Singapore, trading member of The Singapore Exchange Securities Trading Private Limited and clearing member of The Central Depository (Pte) Limited; and Instinet, LLC, member SIPC.
=========================================================================================================
This message contains information that may be confidential, privileged or otherwise protected by law from disclosure. It is intended for the exclusive use of the addressee(s). Unless you are the addressee or authorized agent of the addressee, you may not review, copy, distribute or disclose to anyone the message or any information contained within. If you have received this message in error, please contact the sender by electronic reply and immediately delete all copies of the message.
=========================================================================================================
<<<< Disclaimer >>>>
This message is intended solely for use by the named addressee(s). If you receive this transmission in error, please immediately notify the sender and destroy this message in its entirety, whether in electronic or hard copy format. Any unauthorized use (and reliance thereon), copying, disclosure, retention, or distribution of this transmission or the material in this transmission is forbidden. We reserve the right to monitor and archive electronic communications. This material does not constitute an offer or solicitation with respect to the purchase or sale of any security. It should not be construed to contain any recommendation regarding any security or strategy. Any views expressed are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. This communication is provided on an “as is” basis. It contains material that is owned by Instinet Incorporated, its subsidiaries or its or their licensors, and may not, in whole or in part, be (i) copied, photocopied or duplicated in any form, by any means, or (ii) redistributed, posted, published, excerpted, or quoted without Instinet Incorporated's prior written consent. Please access the following link for important information and instructions: http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt<%20http:/instinet.com/includes/index.jsp?thePage=/html/le_index.txt>
Securities products and services are provided by locally registered brokerage subsidiaries of Instinet Incorporated: Instinet Australia Pty Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the Australian Securities & Investments Commission; Instinet Canada Limited, member IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by the Securities and Futures Commission of Hong Kong; Instinet Singapore Services Private Limited, regulated by the Monetary Authority of Singapore, trading member of The Singapore Exchange Securities Trading Private Limited and clearing member of The Central Depository (Pte) Limited; and Instinet, LLC, member SIPC.
=========================================================================================================
This message contains information that may be confidential, privileged or otherwise protected by law from disclosure. It is intended for the exclusive use of the addressee(s). Unless you are the addressee or authorized agent of the addressee, you may not review, copy, distribute or disclose to anyone the message or any information contained within. If you have received this message in error, please contact the sender by electronic reply and immediately delete all copies of the message.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20150723/df180380/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.gif
Type: image/gif
Size: 105 bytes
Desc: image001.gif
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20150723/df180380/attachment.gif>
More information about the tac_plus
mailing list