From: john at op-sec.us (John Fraizer)
Date: Tue, 6 Oct 2015 16:56:42 -0700
Subject: [tac_plus] Odd issue with NXOS + do_auth

I'm seeing strangeness with NXOS using tac_plus + do_auth.

If a user connects via SSH, everything works perfectly.
If a user connects via the console, they can authenticate, but NXOS apparently isn't sending the username when it requests the shell and I get this in the logs:

2015-10-06 16:54:23,901 [CRITICAL]: Username not provided. Argument -u/--username is required!

When I do a show priv, I get level -1 and feature privilege: Disabled. It shows the same when connected via SSH.

Does anyone have any ideas about what might be causing this and how I might remedy the issue?

--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/

From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Wed, 7 Oct 2015 11:08:17 -0600
Subject: [tac_plus] Odd issue with NXOS + do_auth

Do you have aaa on the line?
--
E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.

From: john at op-sec.us (John Fraizer)
Date: Wed, 7 Oct 2015 16:50:07 -0700
Subject: [tac_plus] Odd issue with NXOS + do_auth

Turned out to be that the person who deployed the devices didn't have:

feature privilege

...in the config. Oddly enough, things worked via SSH. The problem only showed up when connecting via console.

--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
>> >> >> -- >> John Fraizer >> LinkedIn profile: http://www.linkedin.com/in/johnfraizer/ >> -------------- next part -------------- >> An HTML attachment was scrubbed... >> URL: < >> http://www.shrubbery.net/pipermail/tac_plus/attachments/20151006/ba1ff567/attachment.html >> > >> _______________________________________________ >> tac_plus mailing list >> tac_plus at shrubbery.net >> http://www.shrubbery.net/mailman/listinfo/tac_plus >> > > > > E-Mail to and from me, in connection with the transaction > of public business, is subject to the Wyoming Public Records > Act and may be disclosed to third parties. > -------------- next part -------------- An HTML attachment was scrubbed... URL: From MKannachari at infinera.com Mon Oct 19 10:52:29 2015 From: MKannachari at infinera.com (Manoj Kannachari) Date: Mon, 19 Oct 2015 10:52:29 +0000 Subject: [tac_plus] Unable to get details in the log for authentication failure. Message-ID: Hi I installed tacacs+ server from shrubbery with following configuration details: #key key = "cisco" #user details user=cisco { default service = permit member = admingroup login = cleartext cisco } #group details # admin group group = admingroup { default service = permit service = exec { priv-lvl = 15 } } #Enable password setup for users: user = $enable$ { login = cleartext HD.Hw0OHKmO/c } I ran the server with logs enabled using: tac_plus -C etc/tacacs/tac_plus.conf -d 16. When I am trying to connect to the server using my client with above credentials , all I can see in tac_plus.log is Oct 19 21:36:27 in-sjain-dt tac_plus[14792]: Reading config Oct 19 21:36:27 in-sjain-dt tac_plus[14792]: Version F4.0.4.28 Initialized 1 Oct 19 21:38:01 in-sjain-dt tac_plus[14815]: connect from x.x.x.x [x.x.x.x] Oct 19 21:38:01 in-sjain-dt tac_plus[14815]: login failure: cisco x.x.x.x(x.x.x.x) InfiTac Without detailed logs I am not able to decipher the cause of failure. Would you provide me details on anything that is missing ? 
How can I increase the debug print level so as to get detailed logs?

Thanks
Manoj

From: MKannachari at infinera.com (Manoj Kannachari)
Date: Mon, 19 Oct 2015 10:57:32 +0000
Subject: [tac_plus] Unable to get details in the log for authentication failure.
Message-ID: <3cb4f9b0bcbc4cac96b79343cd2cffaa@sv-ex13-prd2.infinera.com>

More details from the log:

Mon Oct 19 21:36:27 2015 [14792]: Reading config
Mon Oct 19 21:36:27 2015 [14792]: Version F4.0.4.28 Initialized 1
Mon Oct 19 21:36:27 2015 [14792]: tac_plus server F4.0.4.28 starting
Mon Oct 19 21:36:27 2015 [14793]: Backgrounded
Mon Oct 19 21:36:27 2015 [14794]: socket FD 0 AF 2
Mon Oct 19 21:36:27 2015 [14794]: socket FD 2 AF 10
Mon Oct 19 21:36:27 2015 [14794]: uid=0 euid=0 gid=0 egid=0 s=31384336
Mon Oct 19 21:38:01 2015 [14815]: connect from x.x.x.x [x.x.x.x]
Mon Oct 19 21:38:01 2015 [14815]: pap-login query for 'cisco' port InfiTac from x.x.x.x rejected
Mon Oct 19 21:38:01 2015 [14815]: login failure: cisco x.x.x.x (x.x.x.x) InfiTac

How can I increase the debug print level so as to get detailed logs?

Thanks
Manoj
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Tue, 20 Oct 2015 00:54:48 +0200
Subject: [tac_plus] Unable to get details in the log for authentication failure.
In-Reply-To: <3cb4f9b0bcbc4cac96b79343cd2cffaa@sv-ex13-prd2.infinera.com>
Message-ID: <562574B8.7010306@gmail.com>

On 19/10/2015 12:57, Manoj Kannachari wrote:
> How can I increase the debug print level so as to get detailed logs?

man tac_plus

The -d values are listed there.
It's a bit-wise field, so just keep adding more -d options till the logs start telling you what you want.

Caveat: above -d 32 things start to get very verbose very quickly.
--
Alan McKinnon
alan.mckinnon at gmail.com

From: matta at surveymonkey.com (Matt Almgren)
Date: Tue, 20 Oct 2015 20:12:59 +0000
Subject: [tac_plus] TAC+ and Solarwinds Orion NCM don't play well together

So we moved away from Rancid for something that is more PCI compliant. So far so good, until very recently we see this problem.

I have 26 Juniper devices in a job in Orion NCM. For some reason, for the last week, the daily backup job reports that 8-10 devices were "unable to login" or "connection refused". However, when I switch Orion NCM to use local Admin logins on the Junipers versus TAC+ accounts, I see no errors. Something with the communication between the network devices and TAC+ isn't playing nice together.

I've tried the following:

- Increased the SSH Timeout settings on Orion to 120 seconds.
- Decreased the # of concurrent connections from default 11 to 1.
- Reinstalled Orion Job Engine + other tweaks on the Orion NCM side.
- Tried only Juniper devices, or only Arista devices, or 8 instead of 27 devices = all had mixed failures.

None of the failures are consistent. Job 1 has 8/27 failures. Job 2 has 10/27 failures, with some that failed in the first job passing in this one. Etc.

Remember, local NAS accounts set up in Orion work just fine; TAC+ isn't even talked to when this happens.

Is there any tuning I can do to the TAC+ server to make sure it's able to handle the connections? What debug log level should I be looking at to get the best information? I've tried 24, 60, and even the higher ones, but they're too noisy.

--
Matt Almgren, Sr.
Network Engineer
101 Lytton Avenue, Palo Alto, CA 94301
m: 408.499.9669
www.surveymonkey.com

From: heas at shrubbery.net (Heasley)
Date: Tue, 20 Oct 2015 17:01:54 -0700
Subject: [tac_plus] TAC+ and Solarwinds Orion NCM don't play well together

> On 20.10.2015 at 13:12, Matt Almgren wrote:
>
> I've tried the following:
>
> Increased the SSH Timeout settings on Orion to 120 seconds.
> Decreased the # of concurrent connections from default 11 to 1.
> Reinstalled Orion Job Engine + other tweaks on the Orion NCM side.
> Tried only Juniper devices, or only Arista devices, or 8 instead of 27 devices = all had mixed failures.

How many concurrent jobs did you use with rancid?
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Wed, 21 Oct 2015 11:32:00 -0600
Subject: [tac_plus] TAC+ and Solarwinds Orion NCM don't play well together

Rancid isn't PCI compliant, but TAC+ is?
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Wed, 21 Oct 2015 23:47:47 +0200
Subject: [tac_plus] TAC+ and Solarwinds Orion NCM don't play well together
Message-ID: <56280803.7030205@gmail.com>

On 21/10/2015 19:32, Daniel Schmidt wrote:
> Rancid isn't PCI compliant, but TAC+ is?

And in what way is Rancid not PCI compliant?

My reading of PCI is that it has a narrow, well-defined scope, and rancid is not in it, despite what those with agendas claim.
--
Alan McKinnon
alan.mckinnon at gmail.com

From: aaron.wasserott at viawest.com (Aaron Wasserott)
Date: Wed, 21 Oct 2015 22:08:08 +0000
Subject: [tac_plus] TAC+ and Solarwinds Orion NCM don't play well together
In-Reply-To: <56280803.7030205@gmail.com>
Message-ID: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05C3C38F@mbx030-w1-co-6.exch030.domain.local>

We have been using RANCID for years in our PCI/HIPAA service provider network with no issues from either our internal SecOps folks or our auditors. The problem is that you have to perform configuration management/backups, and once you say you use RANCID, it gets included in the scope of the compliant environment.
There are only a few special things I can think of, beyond the typical hardening of a Linux OS and access restrictions, that should be taken into consideration for RANCID:

- mask passwords from RANCID pulled configs
  --- particularly important if RANCID is emailing out detected changes
- make sure .cloginrc has proper/strict permissions
- use a dedicated account on your network devices for RANCID
  --- only permit login with that account from your RANCID server
  --- restrict authorization for that account to only the necessary show/get commands

The only thing I have seen security people not like about it is that, since it's FLOSS, there are no security alerts provided by a vendor and corresponding patches. You should be able to easily document the explanation for this, however, by patching the underlying perl and expect packages where necessary, and through the restrictions listed above.
This message contains information that may be confidential, privileged or otherwise protected by law from disclosure. It is intended for the exclusive use of the addressee(s). Unless you are the addressee or authorized agent of the addressee, you may not review, copy, distribute or disclose to anyone the message or any information contained within. If you have received this message in error, please contact the sender by electronic reply and immediately delete all copies of the message.

From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Thu, 22 Oct 2015 00:23:38 +0200
Subject: [tac_plus] TAC+ and Solarwinds Orion NCM don't play well together
In-Reply-To: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05C3C38F@mbx030-w1-co-6.exch030.domain.local>
Message-ID: <5628106A.6000300@gmail.com>

That's how I use rancid too. I haven't locked down the rancid user account on Tacacs as well as I could have, mostly because no-one ever asked, and the only way to get the password is to be on the rancid server itself and su to rancid.
If an auditor ever asks, it's an hour's work to change it.

The only sensible query I've ever had is the presence of secrets in the output file, and they are there because Cisco put them there. Redacting them out, along with all other sensitive information, has completely satisfied every auditor thus far.
Network Engineer >>>> [cid:29988614-ECDA-44BA-8377-ABD3ACFBCD1C] >>>> 101 Lytton Avenue, Palo Alto, CA 94301 >>>> m: 408.499.9669 >>>> www.surveymonkey.com >>>> -------------- next part -------------- An HTML attachment was >>>> scrubbed... >>>> URL: < >>> http://www.shrubbery.net/pipermail/tac_plus/attachments/20151020/1db9 >>> bcf7/attachment.html >>>> >>>> -------------- next part -------------- A non-text attachment was >>>> scrubbed... >>>> Name: 7B2F1B3D-E309-404C-ADEF-2AE84F8259F4[35].png >>>> Type: image/png >>>> Size: 8698 bytes >>>> Desc: 7B2F1B3D-E309-404C-ADEF-2AE84F8259F4[35].png >>>> URL: < >>> http://www.shrubbery.net/pipermail/tac_plus/attachments/20151020/1db9 >>> bcf7/attachment.png >>>> >>>> _______________________________________________ >>>> tac_plus mailing list >>>> tac_plus at shrubbery.net >>>> http://www.shrubbery.net/mailman/listinfo/tac_plus >>> _______________________________________________ >>> tac_plus mailing list >>> tac_plus at shrubbery.net >>> http://www.shrubbery.net/mailman/listinfo/tac_plus >>> >> > > > -- > Alan McKinnon > alan.mckinnon at gmail.com > > _______________________________________________ > tac_plus mailing list > tac_plus at shrubbery.net > http://www.shrubbery.net/mailman/listinfo/tac_plus > This message contains information that may be confidential, privileged or otherwise protected by law from disclosure. It is intended for the exclusive use of the addressee(s). Unless you are the addressee or authorized agent of the addressee, you may not review, copy, distribute or disclose to anyone the message or any information contained within. If you have received this message in error, please contact the sender by electronic reply and immediately delete all copies of the message. 
--
Alan McKinnon
alan.mckinnon at gmail.com

From eric.freeman at tbwachiat.com Thu Oct 22 15:52:55 2015
From: eric.freeman at tbwachiat.com (Eric Freeman)
Date: Thu, 22 Oct 2015 11:52:55 -0400
Subject: [tac_plus] accounting logging question
Message-ID:

Please let me know if you need more information. When I try to log accounting packets so I can capture what commands were run on the HP switch, I receive an error in my tacacs log. Below is information which hopefully you will find useful. Please let me know if you have any ideas why it isn't logging the commands in my tacacs log. I have attached my tacacs config and the relevant config on my HP switch. I have also attached some of the log from the tacacs application.

Hi, I am running tacacs F4.0.4.28 on Red Hat 7.1. I have tacacs running on an HP 7510.

cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)

Thu Oct 22 11:11:08 2015 [13661]: Reading config
Thu Oct 22 11:11:08 2015 [13661]: Version F4.0.4.28 Initialized 1
Thu Oct 22 11:11:08 2015 [13661]: tac_plus server F4.0.4.28 starting
Thu Oct 22 11:11:08 2015 [13662]: Backgrounded
Thu Oct 22 11:11:08 2015 [13663]: socket FD 0 AF 2
Thu Oct 22 11:11:08 2015 [13663]: uid=0 euid=0 gid=0 egid=0 s=36031184

From /var/log/tac_plus.log:
Thu Oct 22 11:21:10 2015 [13726]: Error 10.89.64.17: acct minimum payload: 198, got: 188

I am using tacacs to authenticate to an HP Switch:

<7thFloorHP-Bertha>dis version
HP Comware Platform Software
Comware Software, Version 5.20.105, Release 6708P10
Copyright (c) 2010-2015 Hewlett-Packard Development Company, L.P.

Thank you,
Eric

*Eric Freeman*
Technical Director/NA for TBWA\Chiat\Day
TBWA\Chiat\Day New York
488 Madison Ave.
New York NY 10022
United States of America
Tel: +12128041324
Twitter: @tbwachiatny
http://www.tbwachiatdayny.com/

--
This e-mail is intended only for the named person or entity to which it is addressed and contains valuable business information that is privileged, confidential and/or otherwise protected from disclosure. If you received this e-mail in error, any review, use, dissemination, distribution or copying of this e-mail is strictly prohibited. Please notify us immediately of the error via e-mail to disclaimer at email-abuse.com and please delete the e-mail from your system, retaining no copies in any media. We appreciate your cooperation.

-------------- next part --------------
key=""
accounting file = /var/log/tac_pluscct.log

acl = XXXX {
    permit = $
    deny = .*
}

group = XXXX {
    default service = permit
    acl = XXXX
    login =
}

user = XXXX {
    member = XXXX
    login =
}

user = XXXX {
    login =
    service = shell { }
}

user = XXXX {
    login =
    service = shell { }
}

user = rancid {
    login =
    service = shell { }
}

##### ENABLE PASSWORD!
user = {
    login =
}

user = {
    login =
}

-------------- next part --------------
hwtacacs scheme tacacs
 primary authentication 10.89.68.20
 secondary authentication 10.89.4.7
 primary accounting 10.89.68.20
 key authentication cipher
 user-name-format without-domain

domain tacacs
 authentication default hwtacacs-scheme tacacs local
 authorization default none
 accounting default hwtacacs-scheme tacacs local
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
 accounting optional

-------------- next part --------------
Thu Oct 22 11:11:08 2015 [13661]: Reading config
Thu Oct 22 11:11:08 2015 [13661]: Version F4.0.4.28 Initialized 1
Thu Oct 22 11:11:08 2015 [13661]: tac_plus server F4.0.4.28 starting
Thu Oct 22 11:11:08 2015 [13662]: Backgrounded
Thu Oct 22 11:11:08 2015 [13663]: socket FD 0 AF 2
Thu Oct 22 11:11:08 2015 [13663]: uid=0 euid=0 gid=0 egid=0 s=36031184
Thu Oct 22 11:15:54 2015 [13709]: connect from 10.89.64.17 [10.89.64.17]
Thu Oct 22 11:15:54 2015 [13709]: login query for 'efreeman' port vty1 from 10.89.64.17 accepted
Thu Oct 22 11:15:54 2015 [13710]: connect from 10.89.64.17 [10.89.64.17]
Thu Oct 22 11:15:54 2015 [13710]: Error 10.89.64.17: acct minimum payload: 71, got: 68
Thu Oct 22 11:16:00 2015 [13711]: connect from 10.89.64.17 [10.89.64.17]
Thu Oct 22 11:16:00 2015 [13711]: enable query for 'efreeman' unknown from 10.89.64.17 accepted

From heas at shrubbery.net Thu Oct 22 18:05:39 2015
From: heas at shrubbery.net (heasley)
Date: Thu, 22 Oct 2015 18:05:39 +0000
Subject: [tac_plus] accounting logging question
In-Reply-To:
References:
Message-ID: <20151022180539.GD63710@shrubbery.net>

Thu, Oct 22, 2015 at 11:52:55AM -0400, Eric Freeman:
> Please let me know if you need more information. When I try to log
> accounting packets so I can capture what commands were run on the HP switch
> I receive an error in my tacacs log. Below is information which hopefully
> you will find useful.

Enable accounting debugging, and if necessary packet debugging. It's not sending a proper accounting record.
> Thu Oct 22 11:21:10 2015 [13726]: Error 10.89.64.17: acct minimum payload:
> 198, got: 188

From eric.freeman at tbwachiat.com Thu Oct 22 18:13:16 2015
From: eric.freeman at tbwachiat.com (Eric Freeman)
Date: Thu, 22 Oct 2015 14:13:16 -0400
Subject: [tac_plus] accounting logging question
In-Reply-To: <20151022180539.GD63710@shrubbery.net>
References: <20151022180539.GD63710@shrubbery.net>
Message-ID:

Thank you. Are you suggesting for me to do this on my HP switch?

*Eric Freeman*
Technical Director/NA for TBWA\Chiat\Day
TBWA\Chiat\Day New York
488 Madison Ave.
New York NY 10022
United States of America
Tel: +12128041324
Twitter: @tbwachiatny
http://www.tbwachiatdayny.com/

On Thu, Oct 22, 2015 at 2:05 PM, heasley wrote:
> Enable accounting debugging, and if necessary packet debugging. It's
> not sending a proper accounting record.
>
> > Thu Oct 22 11:21:10 2015 [13726]: Error 10.89.64.17: acct minimum payload:
> > 198, got: 188
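The "acct minimum payload: N, got: M" error Eric quotes is a length sanity check on the accounting REQUEST body: the server adds up the user, port, rem_addr and argument lengths carried inside the body and compares the total with the length the packet header declares. The following Python is an added illustration (not tac_plus's code and not from anyone on this thread): it builds a TACACS+ accounting REQUEST with the RFC 8907 layout and body obfuscation, then one whose header declares 10 bytes fewer than its fields need, and runs that kind of check on both. The username, port, addresses, arguments and shared key are constructed sample values.

```python
"""Length sanity check on a TACACS+ accounting REQUEST (RFC 8907 layout).
Illustrative reconstruction of the kind of check behind tac_plus's
"acct minimum payload" error; not tac_plus's own code."""
import hashlib
import struct

TAC_PLUS_ACCT = 0x03                        # header "type" of accounting packets
TAC_PLUS_VER = 0xc0                         # major version 0xc, minor version 0
TAC_PLUS_UNENCRYPTED_FLAG = 0x01            # header flag: body is not obfuscated
HEADER_FMT = "!BBBB4sI"                     # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)    # 12 bytes
# One-byte fields that open every accounting REQUEST body: flags, authen_method,
# priv_lvl, authen_type, authen_service, user_len, port_len, rem_addr_len, arg_cnt
ACCT_REQ_FIXED_FIELDS = 9

# Constructed sample values (not taken from Eric's switch or server).
SAMPLE_KEY = b"constructed-shared-secret"
SAMPLE_ARGS = ["task_id=42", "service=shell", "cmd=display version"]


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 pad: chained MD5 over session_id, key, version,
    seq_no and the previous digest, until it covers the body."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscate or de-obfuscate a body; XOR with the pad is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_acct_request(user, port, rem_addr, args, key,
                       session_id=b"\x00\x00\xbe\xef", header_length=None):
    """Build an accounting REQUEST (START flag, priv_lvl 15, ASCII/login).
    header_length overrides the declared body length to imitate a NAS whose
    header does not agree with the fields it actually sends."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    arg_bs = [a.encode() for a in args]
    body = struct.pack("!9B", 0x02, 0x06, 15, 0x01, 0x01,
                       len(user_b), len(port_b), len(rem_b), len(arg_bs))
    body += bytes(len(a) for a in arg_bs) + user_b + port_b + rem_b + b"".join(arg_bs)
    seq_no = 1
    declared = len(body) if header_length is None else header_length
    header = struct.pack(HEADER_FMT, TAC_PLUS_VER, TAC_PLUS_ACCT, seq_no, 0, session_id, declared)
    return header + xor_body(body, session_id, key, TAC_PLUS_VER, seq_no)


def check_acct_request(packet, key):
    """Validate one accounting REQUEST the way a server reading a stream would:
    take exactly the declared number of body bytes, then confirm the length
    fields inside the body add up to that declared length before trusting them.
    Returns a dict with ok, minimum, got, reason and the decoded args."""
    def fail(minimum, got, reason):
        return {"ok": False, "minimum": minimum, "got": got, "reason": reason, "args": []}

    if len(packet) < HEADER_LEN:
        return fail(HEADER_LEN, len(packet), "short header")
    version, ptype, seq_no, flags, session_id, declared = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if ptype != TAC_PLUS_ACCT:
        return fail(0, declared, "not an accounting packet")
    body = packet[HEADER_LEN:HEADER_LEN + declared]
    if len(body) < declared:
        return fail(declared, len(body), "body truncated")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, key, version, seq_no)
    if len(body) < ACCT_REQ_FIXED_FIELDS:
        return fail(ACCT_REQ_FIXED_FIELDS, declared, "acct minimum payload")
    *_, user_len, port_len, rem_len, arg_cnt = struct.unpack("!9B", body[:ACCT_REQ_FIXED_FIELDS])
    # The per-argument length bytes must fit before they are read.
    if len(body) < ACCT_REQ_FIXED_FIELDS + arg_cnt:
        return fail(ACCT_REQ_FIXED_FIELDS + arg_cnt, declared, "acct minimum payload")
    arg_lens = list(body[ACCT_REQ_FIXED_FIELDS:ACCT_REQ_FIXED_FIELDS + arg_cnt])
    minimum = ACCT_REQ_FIXED_FIELDS + arg_cnt + user_len + port_len + rem_len + sum(arg_lens)
    if minimum != declared:
        # A wrong shared secret lands here too: the length bytes decode to garbage.
        return fail(minimum, declared, "acct minimum payload")
    pos = ACCT_REQ_FIXED_FIELDS + arg_cnt + user_len + port_len + rem_len
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode("latin-1"))
        pos += n
    return {"ok": True, "minimum": minimum, "got": declared, "reason": "", "args": args}


if __name__ == "__main__":
    good = build_acct_request("efreeman", "vty1", "192.0.2.10", SAMPLE_ARGS, SAMPLE_KEY)
    short = build_acct_request("efreeman", "vty1", "192.0.2.10", SAMPLE_ARGS, SAMPLE_KEY,
                               header_length=66)          # 10 bytes fewer than the fields need
    print(check_acct_request(good, SAMPLE_KEY))           # ok, 76 == 76, three args decoded
    print(check_acct_request(short, SAMPLE_KEY))          # acct minimum payload: 76, got: 66
    print(check_acct_request(good, b"wrong-secret"))      # a key mismatch fails the same check
```

Because the checker de-obfuscates before reading the length bytes, a shared-secret mismatch between switch and server fails the same test as a malformed record, so the key is worth confirming before blaming the NAS.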
From heas at shrubbery.net Thu Oct 22 22:51:41 2015
From: heas at shrubbery.net (Heasley)
Date: Thu, 22 Oct 2015 15:51:41 -0700
Subject: [tac_plus] accounting logging question
In-Reply-To:
References: <20151022180539.GD63710@shrubbery.net>
Message-ID: <179AD03B-4D49-4F21-AF41-CAFA72F05580@shrubbery.net>

> On 22.10.2015 at 11:13, Eric Freeman wrote:
>
> Thank you. Are you suggesting for me to do this on my HP switch?

Both; whatever it takes to debug it.
From matta at surveymonkey.com Fri Oct 23 07:40:08 2015
From: matta at surveymonkey.com (Matt Almgren)
Date: Fri, 23 Oct 2015 07:40:08 +0000
Subject: [tac_plus] TAC+ and Solarwinds Orion NCM don't play well together
In-Reply-To:
References: ,
Message-ID:

We have TACACS configured with likewise and Pam authentication. There are no clear text passwords stored in the clear like Rancid.

-- iMatt

> On Oct 21, 2015, at 10:32 AM, Daniel Schmidt wrote:
>
> Rancid isn't PCI compliant, but TAC+ is?
>
> --
> E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.
From alan.mckinnon at gmail.com Fri Oct 23 07:54:35 2015
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Fri, 23 Oct 2015 09:54:35 +0200
Subject: [tac_plus] TAC+ and Solarwinds Orion NCM don't play well together
In-Reply-To:
References: <56280803.7030205@gmail.com>
Message-ID: <5629E7BB.8060108@gmail.com>

On 23/10/2015 09:41, Matt Almgren wrote:
> Rancid stores passwords in the clear. TACACS does not when you use LDAP/PAM authentication.

Any automated system that logs into things with a password must somehow store it in the clear. Even if you encrypt it, the software still needs an unlock key and, to get that, its secret must be in the clear somehow. If you use ssh keys the software needs the passphrase and the same problem applies, or the key is not passphrase protected, which is effectively the same as a password in the clear.

The best protection is a secured rancid server with restricted access.

Of course none of this applies if you are dealing with an auditor who is only looking for a reason to tick or not tick a check box on a form.

> -- iMatt
>
>> On Oct 21, 2015, at 2:48 PM, Alan McKinnon wrote:
>>
>>> On 21/10/2015 19:32, Daniel Schmidt wrote:
>>> Rancid isn't PCI compliant, but TAC+ is?
>>
>> And in what way is Rancid not PCI compliant?
>>
>> My reading of PCI is that it has a narrow well-defined scope, and rancid
>> is not in it, despite what those with agendas claim.

--
Alan McKinnon
alan.mckinnon at gmail.com

From matta at surveymonkey.com Fri Oct 23 07:46:53 2015
From: matta at surveymonkey.com (Matt Almgren)
Date: Fri, 23 Oct 2015 07:46:53 +0000
Subject: [tac_plus] TAC+ and Solarwinds Orion NCM don't play well together
In-Reply-To: <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05C3C38F@mbx030-w1-co-6.exch030.domain.local>
References: <56280803.7030205@gmail.com>, <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05C3C38F@mbx030-w1-co-6.exch030.domain.local>
Message-ID:

"make sure .cloginrc has proper/strict permissions"

This is the one that our auditor says goes against PCI rules. The file itself has passwords in clear text. If an attacker gets root on that box, your network devices can be compromised. I don't want to argue the risks involved here, as they are high, but very low probability. The idea is to limit the attacker's ability to compromise more than just one system. But still, passwords in the clear is failing PCI requirements.
-- iMatt

> On Oct 21, 2015, at 3:08 PM, Aaron Wasserott wrote:
>
> make sure .cloginrc has proper/strict permissions

From matta at surveymonkey.com Fri Oct 23 07:41:11 2015
From: matta at surveymonkey.com (Matt Almgren)
Date: Fri, 23 Oct 2015 07:41:11 +0000
Subject: [tac_plus] TAC+ and Solarwinds Orion NCM don't play well together
In-Reply-To: <56280803.7030205@gmail.com>
References: , <56280803.7030205@gmail.com>
Message-ID:

Rancid stores passwords in the clear. TACACS does not when you use LDAP/PAM authentication.

-- iMatt

> On Oct 21, 2015, at 2:48 PM, Alan McKinnon wrote:
>
>> On 21/10/2015 19:32, Daniel Schmidt wrote:
>> Rancid isn't PCI compliant, but TAC+ is?
>
> And in what way is Rancid not PCI compliant?
>
> My reading of PCI is that it has a narrow well-defined scope, and rancid
> is not in it, despite what those with agendas claim.
>
> --
> Alan McKinnon
> alan.mckinnon at gmail.com

From alan.mckinnon at gmail.com Fri Oct 23 11:52:39 2015
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Fri, 23 Oct 2015 13:52:39 +0200
Subject: [tac_plus] TAC+ and Solarwinds Orion NCM don't play well together
In-Reply-To:
References: <56280803.7030205@gmail.com> <1FD1A2FED7E41F4ABD1D2E2BDDEA519B05C3C38F@mbx030-w1-co-6.exch030.domain.local>
Message-ID: <562A1F87.2060404@gmail.com>

On 23/10/2015 09:46, Matt Almgren wrote:
> "make sure .cloginrc has proper/strict permissions"
>
> This is the one that our auditor says goes against PCI rules. The file itself has passwords in clear text. If an attacker gets root on that box, your network devices can be compromised. I don't want to argue the risks involved here, as they are high, but very low probability. The idea is to limit the attacker's ability to compromise more than just one system. But still, passwords in the clear is failing PCI requirements.

I've had the same argument with auditors myself, and none has ever provided a workable acceptable alternative that doesn't involve $MAGIC auth systems that use AI.
I've successfully gotten around the objection by using locked-down password-less accounts that can only do show run etc, or using unencrypted host keys. The irony is not noticed with this.

--
Alan McKinnon
alan.mckinnon at gmail.com

From eric.freeman at tbwachiat.com Fri Oct 23 13:25:09 2015
From: eric.freeman at tbwachiat.com (Eric Freeman)
Date: Fri, 23 Oct 2015 09:25:09 -0400
Subject: [tac_plus] accounting logging question
In-Reply-To: <179AD03B-4D49-4F21-AF41-CAFA72F05580@shrubbery.net>
References: <20151022180539.GD63710@shrubbery.net> <179AD03B-4D49-4F21-AF41-CAFA72F05580@shrubbery.net>
Message-ID:

How do I get more logging, or any at all, out of tacplus?

Thanks,
Eric

*Eric Freeman*
Technical Director/NA for TBWA\Chiat\Day
TBWA\Chiat\Day New York
488 Madison Ave.
New York NY 10022
United States of America
Tel: +12128041324
Twitter: @tbwachiatny
http://www.tbwachiatdayny.com/

On Thu, Oct 22, 2015 at 6:51 PM, Heasley wrote:
> Both; whatever it takes to debug it.
>
>> On Thu, Oct 22, 2015 at 2:05 PM, heasley wrote:
>> Enable accounting debugging, and if necessary packet debugging. It's
>> not sending a proper accounting record.
From alan.mckinnon at gmail.com Fri Oct 23 13:33:36 2015
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Fri, 23 Oct 2015 15:33:36 +0200
Subject: [tac_plus] accounting logging question
In-Reply-To:
References: <20151022180539.GD63710@shrubbery.net> <179AD03B-4D49-4F21-AF41-CAFA72F05580@shrubbery.net>
Message-ID: <562A3730.7000201@gmail.com>

On 23/10/2015 15:25, Eric Freeman wrote:
> How do I get more logging, or any at all, out of tacplus?
>
> Thanks,
> Eric

man tac_plus

You want the -d option.
--
Alan McKinnon
alan.mckinnon at gmail.com

From warikne at yahoo.com Mon Oct 26 13:00:20 2015
From: warikne at yahoo.com (Alexey Manankov)
Date: Mon, 26 Oct 2015 13:00:20 +0000 (UTC)
Subject: [tac_plus] tacacs tuning
References: <126973822.3122655.1445864420586.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <126973822.3122655.1445864420586.JavaMail.yahoo@mail.yahoo.com>

Hello, I need your help! I have installed tacacs version F4.0.4.26; my previous version was F4.0.4.alpha.ia.096.

In the old tac_plus.conf:

group = msk_admin {
        default service = permit
        login = tacacs+ {
                tacaddr = 10.254.17.200
                tacaddr = 10.254.17.201
                tacaddr = 10.154.191.5
                key = JO9jhjlkJH
        }
        service = exec {
                default attribute = permit
                idletime = 60
                priv-lvl = 15
        }
}

How can I do it in the new version?