[tac_plus] Cisco Nexus Authorization problem

John Fraizer john at op-sec.us
Thu Jul 23 22:36:47 UTC 2015


I use the following AAA configuration on a few thousand Arista devices:

!
! AAA method lists: TACACS+ first, then a per-list fallback.
! login/enable/exec fall back to local accounts only when no TACACS+
! server answers.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ local
aaa authorization exec default group tacacs+ local
! NOTE(review): the fallback here is "none", so while every TACACS+ server
! is unreachable command authorization passes with no check (fail-open);
! the local fallback on login/enable is the only gate left in that state.
aaa authorization commands all default group tacacs+ none
! Accounting: exec and system sessions start-stop, commands stop-only.
aaa accounting exec default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting commands all default stop-only group tacacs+
!


And I use this config for tac_plus (it works for CatOS, IOS, EOS, Nexus and
Junos):

#
# Default group to run all command authentication through do_auth.
# tac_plus itself only answers with the service stanzas below; the
# per-user/per-device policy is applied by the "after authorization" hook,
# which is what "default service = permit" relies on.
#
group = doauthaccess {
        default service = permit

        # Exec (shell) session attributes. The "optional" pairs may be
        # dropped by a client that does not understand them.
        service = exec {
                priv-lvl = 1
                optional idletime = 30
                optional acl = 2
                # The escaped inner quotes are deliberate: the value carried
                # to the device is the quoted role list itself.
                shell:roles="\"network-operator vdc-operator\""
                }

        # Junos attributes. allow-commands is limited to exit and
        # "show cli auth*"; deny-commands and deny-configuration cover
        # everything else, so the baseline for a Junos login is read-only.
        service = junos-exec {
                # Dummy first pair; its value records why it exists.
                bug-fix = "first pair is lost"
                local-user-name = "remote"
                allow-commands = "(.*exit)|(show cli auth.*)"
                deny-commands = ".*"
                allow-configuration = ""
                deny-configuration = ".*"
                }

    # Post-authorization hook: do_auth.py is presumably what rewrites the
    # reply per user/device from do_auth.ini. This is a single line in the
    # real file; it is wrapped here by the mailer.
    after authorization "/usr/bin/python /opt/sbin/do_auth.py -i $address
-u $user -d $name -l /opt/log/do_auth.log -f /opt/etc/tacacs/do_auth.ini"
}

#
# Default user - Used when no user specific stanza exists in tac_plus.conf.
# Any account PAM accepts is authenticated and placed in doauthaccess, so
# for such accounts the effective policy comes entirely from do_auth.ini.
#
user = DEFAULT {
    member = doauthaccess
    login = PAM
}






My do_auth.ini is set up as follows:

[users]

# Username -> do_auth group. "default" presumably covers every username
# without an entry of its own; it maps to the most restrictive group below.
default =
     no_authority

joeengineer =
    engineering

rancid =
    rancid_group

#
# Default group
# Catch-all for users with no explicit mapping: reachable from any host,
# on any device, with priv-lvl 0 and (at most) "exit" permitted.
#
[no_authority]
host_deny =

host_allow =
        .*
device_deny =

device_permit =
        .*

# NOTE(review): ".*" in the deny list overlaps "exit.*" in the permit
# list; which one wins depends on do_auth.py's evaluation order - confirm.
# If deny wins, this group cannot even run "exit", which may be intended
# for a catch-all.
command_deny =
        .*

command_permit =
        exit.*

# Attributes returned to the device for this group. The Junos pairs keep
# the same read-only baseline as the junos-exec stanza in tac_plus.conf.
av_pairs =
        priv-lvl=0
        shell:roles="network-operator vdc-operator"
        local-user-name = remote
        allow-commands = (.*exit)|(show cli auth.*)
        deny-commands = .*
        allow-configuration =
        deny-configuration =


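#
# Rancid Group
# Collector account: show/dir/more/copy/terminal/write-terminal style
# commands on every device, with the enable-credential commands denied.
#
[rancid_group]
host_deny =

host_allow =
        .*

device_deny =

device_permit =
        .*

# "enable.*" is permitted below; the two forms that set the enable
# credential are carved out here.
command_deny =
        enable password.*
        enable secret.*

# NOTE(review): "copy .*" matches every copy source and target, not only
# the ones a collector needs; narrow it if rancid only ever reads config.
command_permit =
        show.*
        dir.*
        more.*
        copy .*
        terminal .*
        enable.*
        write t.*
        set length .*
        set logging session disable.*
        exit.*

# Junos pairs. The leading ".*" in each allow-commands alternative makes it
# match anywhere in the line, not only at the start.
# Fixed: "deny-configuation" was misspelled, so Junos presumably never
# received a deny-configuration for this group and the template user's own
# configuration rights applied instead - worth confirming on a device.
av_pairs =
        priv-lvl=15
        shell:roles="network-admin vdc-admin"
        local-user-name = network
        allow-commands = (.*copy .*)|(.*show .*)|(.*write .*)|(.*exit)
        deny-commands = .*
        allow-configuration =
        deny-configuration = .*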

#
# Engineering Group
# Full administrative access: every host, every device, every command,
# priv-lvl 15 / network-admin, and unrestricted Junos commands and
# configuration.
#
[engineering]

host_deny =

host_allow =
        .*

device_deny =

device_permit =
        .*

# Nothing denied, everything permitted.
command_deny =

command_permit =
        .*

av_pairs =
        priv-lvl=15
        shell:roles="network-admin vdc-admin"
        local-user-name = remote
        allow-commands = .*
        deny-commands =
        allow-configuration = .*
        deny-configuration =


--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/

