From lists at dreamboat.id.au Tue Jan 5 07:35:34 2016
From: lists at dreamboat.id.au (Mailing Lists)
Date: Tue, 5 Jan 2016 18:35:34 +1100
Subject: [tac_plus] Deny Config Commands.

Hi All,

Is it possible to deny users from entering certain configuration commands
in TACACS?

So for example I want my users to be able to do enable and run whatever
commands they like, but once they type 'conf t' commands are restricted. If
it matters, I am specifically interested in denying 'no router' commands on
IOS-XE and Brocade NetIron (CER/S/MLX) devices.

Thanx in Advance.

Damien.


From heas at shrubbery.net Tue Jan 5 18:11:03 2016
From: heas at shrubbery.net (heasley)
Date: Tue, 5 Jan 2016 18:11:03 +0000
Subject: [tac_plus] Deny Config Commands.
Message-ID: <20160105181103.GH65066@shrubbery.net>

Tue, Jan 05, 2016 at 06:35:34PM +1100, Mailing Lists:
> Hi All,
>
> Is it possible to deny users from entering certain configuration commands
> in TACACS?
>
> So for example I want my users to be able to do enable and run whatever
> commands they like, but once they type 'conf t' commands are restricted. If
> it matters, I am specifically interested in denying 'no router' commands on
> IOS-XE and Brocade NetIron (CER/S/MLX) devices.

on ios this is done with aaa command authorization. no idea if brocade
supports this or it can be done there.


From daniel.schmidt at wyo.gov Tue Jan 5 20:15:07 2016
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Tue, 5 Jan 2016 13:15:07 -0700
Subject: [tac_plus] Deny Config Commands.
In-Reply-To: <20160105181103.GH65066@shrubbery.net>
References: <20160105181103.GH65066@shrubbery.net>

Yes, it can be done on those platforms with authorization.

On Tue, Jan 5, 2016 at 11:11 AM, heasley wrote:
> on ios this is done with aaa command authorization. no idea if brocade
> supports this or it can be done there.

--
E-Mail to and from me, in connection with the transaction of public
business, is subject to the Wyoming Public Records Act and may be
disclosed to third parties.


From lists at dreamboat.id.au Wed Jan 6 02:13:40 2016
From: lists at dreamboat.id.au (Mailing Lists)
Date: Wed, 6 Jan 2016 13:13:40 +1100
Subject: [tac_plus] Deny Config Commands.
References: <20160105181103.GH65066@shrubbery.net>

Thanx for the response guys. Maybe I'm stupid, but I can't see how I can
deny a specific command while still allowing users to configure things. Is
anyone able to give me some pointers on how I would deny 'no router bgp',
for example?

Cheers,
Damien.

On Wed, Jan 6, 2016 at 7:15 AM, Daniel Schmidt wrote:
> Yes, it can be done on those platforms with authorization.


From alan.mckinnon at gmail.com Wed Jan 6 06:29:32 2016
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Wed, 6 Jan 2016 08:29:32 +0200
Subject: [tac_plus] Deny Config Commands.
References: <20160105181103.GH65066@shrubbery.net>
Message-ID: <568CB44C.7070706@gmail.com>

On 06/01/2016 04:13, Mailing Lists wrote:
> Thanx for the response guys. Maybe I'm stupid, but I can't see how I can
> deny a specific command while still allowing users to configure things, is
> anyone able to give me some pointers on how I would deny 'no router bgp'
> for example.

It's fully described in man 5 tac_plus.conf

eg in a "user" stanza:

    cmd = no {
        deny router bgp
        permit .*
    }

Be very careful with this and make sure you understand what is
happening. tac_plus does not have internal knowledge of what router
commands mean (the only thing that knows that is the router OS), it has
to work with text strings and regexes. So you can get false
negatives/positives very easily if you are not careful. For example,
tac_plus has no concept that "no ..." is the inverse of "..." so you
must explicitly configure it.

When you allow some commands like this and deny others, the list of
things allowed and denied tends to get very very long.

--
Alan McKinnon
alan.mckinnon at gmail.com


From john at op-sec.us Thu Jan 7 01:55:51 2016
From: john at op-sec.us (John Fraizer)
Date: Wed, 6 Jan 2016 17:55:51 -0800
Subject: [tac_plus] Deny Config Commands.
In-Reply-To: <568CB44C.7070706@gmail.com>
References: <20160105181103.GH65066@shrubbery.net> <568CB44C.7070706@gmail.com>

Make use of do_auth.py and after authorization. It makes life much easier
and provides much more granular control.

John Fraizer
--Sent from my Android phone. Please excuse any typos.

On Jan 5, 2016 10:31 PM, "Alan McKinnon" wrote:
> It's fully described in man 5 tac_plus.conf
>
> eg in a "user" stanza:
>
>     cmd = no {
>         deny router bgp
>         permit .*
>     }
>
> Be very careful with this and make sure you understand what is
> happening. tac_plus does not have internal knowledge of what router
> commands mean (the only thing that knows that is the router OS), it has
> to work with text strings and regexes. So you can get false
> negatives/positives very easily if you are not careful. For example,
> tac_plus has no concept that "no ..." is the inverse of "..." so you
> must explicitly configure it.
>
> When you allow some commands like this and deny others, the list of
> things allowed and denied tends to get very very long.
>
> --
> Alan McKinnon
> alan.mckinnon at gmail.com


From acruhl at gmail.com Fri Jan 15 18:17:04 2016
From: acruhl at gmail.com (Andy Ruhl)
Date: Fri, 15 Jan 2016 11:17:04 -0700
Subject: [tac_plus] Question about failed logins

I'm looking for advice or direction on failed logins.

I have tac_plus F4.0.4.28 running on Linux.

It's using pam for authentication.

I'm required to lock out users after 5 failed login attempts, but the
problem is that when I log into an average Cisco switch, it seems to
create a failed login attempt before I'm even prompted for a password:

    [root at machine ~]# pam_tally2
    Login           Failures Latest failure     From
    acruhl              1    01/15/16 11:05:12  unknown

So if I log into a few switches I get locked out even if I never put
in an incorrect password.

Is there some option to prevent this failed login? I've done some
searching but I really hope I didn't miss something obvious.

Thanks,
Andy


From heas at shrubbery.net Fri Jan 15 19:46:17 2016
From: heas at shrubbery.net (heasley)
Date: Fri, 15 Jan 2016 19:46:17 +0000
Subject: [tac_plus] Question about failed logins
Message-ID: <20160115194617.GC36714@shrubbery.net>

Fri, Jan 15, 2016 at 11:17:04AM -0700, Andy Ruhl:
> I'm looking for advice or direction on failed logins.
>
> I have tac_plus F4.0.4.28 running on Linux.
>
> It's using pam for authentication.
>
> I'm required to lock out users after 5 failed login attempts, but the
> problem is that when I log into an average Cisco switch, it seems to
> create a failed login attempt before I'm even prompted for a password:
>
>     [root at machine ~]# pam_tally2
>     Login           Failures Latest failure     From
>     acruhl              1    01/15/16 11:05:12  unknown
>
> So if I log into a few switches I get locked out even if I never put
> in an incorrect password.
>
> Is there some option to prevent this failed login? I've done some
> searching but I really hope I didn't miss something obvious.

I presume this is a problem with the pam module or your pam configuration;
have you tested without the password-failed configuration? and, folks would
need to know which pam you are using, if various linux use different pam
implementations - i do not know.


From xihuang at SonicWALL.com Fri Jan 22 02:45:28 2016
From: xihuang at SonicWALL.com (Justin (Xiaogang) Huang)
Date: Fri, 22 Jan 2016 02:45:28 +0000
Subject: [tac_plus] MSCHAP authen fails always
Message-ID: <986E29EB40FDF94594C43951F06E607C010F4A@us0exc08.us.sonicwall.com>

Hi,

First, many thanks for your great open source implementation.

I've tried this tac_plus server (F4.0.4.28) and succeeded to authen with
PAP/CHAP but always failed with MS-CHAP.

I dumped some more debug info and found that the NT compatible response was
generated wrongly in the server. The MD4 password hash is correct, but the
DES encryption is not. Here I used the data in RFC2433 B.2 as the reference.

Please have a check and keep me informed if you confirm/reject it and/or
make it fixed.

Thanks.

BRs,
Justin Huang
TEL: 86-21-65100909 ext.42463


From darren.share at chronos.co.uk Fri Jan 29 09:11:40 2016
From: darren.share at chronos.co.uk (Darren Share)
Date: Fri, 29 Jan 2016 09:11:40 +0000
Subject: [tac_plus] Need help to authenticate to SSH

An HTML attachment was scrubbed...
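As an added illustration of the "cmd = no" stanza Alan McKinnon gives in the "Deny Config Commands" thread above (this is not code from the thread or from tac_plus itself), the following Python model evaluates sample commands against that stanza, shows that the positive form "router bgp" is untouched by a stanza on "no", and flags a deny line that an earlier "permit .*" makes unreachable. It assumes, as a simplification of tac_plus behaviour, that the first word of the command selects the stanza, the remaining words are joined and tested as one string by unanchored regexes in file order with the first match winning, and that a stanza with no matching regex denies; the rule tables and commands are constructed.

```python
import re

# Constructed model of tac_plus "cmd" stanza evaluation (assumptions, not
# taken from the thread): first word selects the stanza, the remaining
# words are matched as one string by each regex in file order, the first
# match decides, and a stanza with no matching regex denies.

# The stanza from the thread, as (action, regex) pairs in file order.
RULES_DENY_NO_ROUTER_BGP = {
    "no": [("deny", r"router bgp"), ("permit", r".*")],
}

# Same two lines in the wrong order: the catch-all shadows the deny.
RULES_SWAPPED = {
    "no": [("permit", r".*"), ("deny", r"router bgp")],
}


def authorize(rules, command_line, default="permit"):
    """Return 'permit' or 'deny' for one command line.

    `default` stands in for the service-level default applied when the
    command's first word has no cmd stanza at all (assumption).
    """
    words = command_line.split()
    if not words:
        return "deny"
    cmd, args = words[0], " ".join(words[1:])
    stanza = rules.get(cmd)
    if stanza is None:
        return default          # no stanza for this command word at all
    for action, pattern in stanza:
        # Unanchored search: the regex may match anywhere in the argument
        # string, which is why loose patterns cause false positives.
        if re.search(pattern, args):
            return action
    return "deny"               # stanza exists but nothing matched


def first_unreachable_rule(stanza):
    """Index of the first rule shadowed by an earlier '.*', or None."""
    for i, (_, pattern) in enumerate(stanza):
        if pattern == ".*" and i + 1 < len(stanza):
            return i + 1
    return None


if __name__ == "__main__":
    for line in ("no router bgp 65000", "no router ospf 1",
                 "no ip route 10.0.0.0 255.0.0.0 10.1.1.1", "router bgp 65000"):
        print(f"{line!r:45} -> {authorize(RULES_DENY_NO_ROUTER_BGP, line)}")
    print("shadowed rule in swapped stanza:", first_unreachable_rule(RULES_SWAPPED["no"]))
```

Note that "router bgp 65000" is permitted by default here: a stanza on "no" says nothing about the positive command, which is the point Alan makes about tac_plus not knowing that "no ..." is the inverse of "...".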