[tac_plus] Deny Config Commands.

John Fraizer john at op-sec.us
Thu Jan 7 01:55:51 UTC 2016


Make use of do_auth.py and after authorization.  It makes life much
easier and provides much more granular control.

John Fraizer
--Sent from my Android phone.
Please excuse any typos.
On Jan 5, 2016 10:31 PM, "Alan McKinnon" <alan.mckinnon at gmail.com> wrote:

> On 06/01/2016 04:13, Mailing Lists wrote:
> > Thanks for the response guys. Maybe I'm stupid, but I can't see how I can
> > deny a specific command while still allowing users to configure things, is
> > anyone able to give me some pointers on how I would deny 'no router bgp'
> > for example.
>
>
> It's fully described in man 5 tac_plus.conf
>
> eg in a "user" stanza:
>
>
>            cmd = no {
>                deny router bgp
>                permit .*
>            }
>
>
> Be very careful with this and make sure you understand what is
> happening. tac_plus does not have internal knowledge of what router
> commands mean (the only thing that knows that is the router OS), it has
> to work with text strings and regexes. So you can get false
> negatives/positives very easily if you are not careful. For example,
> tac_plus has no concept that "no ..." is the inverse of "..." so you
> must explicitly configure it.
>
>
> When you allow some commands like this and deny others, the list of
> things allowed and denied tends to get very very long.
>
>
> >
> > Cheers,
> > Damien.
> >
> > On Wed, Jan 6, 2016 at 7:15 AM, Daniel Schmidt <daniel.schmidt at wyo.gov>
> > wrote:
> >
> >> Yes, it can be done on those platforms with authorization.
> >>
> >> On Tue, Jan 5, 2016 at 11:11 AM, heasley <heas at shrubbery.net> wrote:
> >>
> >>> Tue, Jan 05, 2016 at 06:35:34PM +1100, Mailing Lists:
> >>>> Hi All,
> >>>>
> >>>> Is it possible to deny users from entering certain configuration
> >>>> commands in TACACS?
> >>>>
> >>>> So for example I want my users to be able to do enable and run
> >>>> whatever commands they like, but once they type 'conf t' commands are
> >>>> restricted. If it matters, I am specifically interested in denying
> >>>> 'no router' commands on IOS-XE and Brocade NetIron (CER/S/MLX) devices.
> >>>
> >>> on ios this is done with aaa command authorization.  no idea if brocade
> >>> supports this or it can be done there.
> >>> _______________________________________________
> >>> tac_plus mailing list
> >>> tac_plus at shrubbery.net
> >>> http://www.shrubbery.net/mailman/listinfo/tac_plus
> >>>
> >>
> >> --
> >>
> >> E-Mail to and from me, in connection with the transaction
> >> of public business, is subject to the Wyoming Public Records
> >> Act and may be disclosed to third parties.
> >>
> >
>
>
> --
> Alan McKinnon
> alan.mckinnon at gmail.com
>
>
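Added example, not code from tac_plus, do_auth.py or anyone in this thread: a small Python simulator of how a "cmd = <name> { deny|permit <regex> ... }" stanza is evaluated, run over constructed command lines. It shows why the unanchored "deny router bgp" from the reply above also denies an unrelated command whose arguments merely contain "router bgp", why "router bgp" has to get its own rule because tac_plus does not treat "no ..." as the inverse of "...", and how the default service for commands without a stanza changes the outcome. The matching semantics coded here (arguments joined by single spaces, egrep-style unanchored search, first matching line wins, no match in a stanza denies, commands without a stanza fall back to the default service) are the simulator's assumptions; confirm them against man 5 tac_plus.conf and tac_plus debug output before relying on a rule in production.

```python
import re

# Assumed tac_plus-like semantics for this simulator (not tac_plus's own code):
#   - the command name is the first word, the arguments are the rest, joined
#     by single spaces;
#   - each stanza line is (action, regex); regexes are searched unanchored;
#   - the first matching line decides; a stanza that matches nothing denies;
#   - a command name without a stanza gets default_service ("deny" or "permit").


def authorize(policy, cmdline, default_service="deny"):
    """Return 'permit' or 'deny' for one command line under a policy."""
    words = cmdline.split()
    if not words:
        return "deny"
    name, args = words[0], " ".join(words[1:])
    stanza = policy.get(name)
    if stanza is None:
        return default_service
    for action, pattern in stanza:
        if re.search(pattern, args):
            return action
    return "deny"


def audit(policy, cmdlines, default_service="deny"):
    """Evaluate many command lines; returns a list of (cmdline, decision)."""
    return [(c, authorize(policy, c, default_service)) for c in cmdlines]


# The rule from the reply above, transcribed literally: unanchored regex.
NAIVE = {
    "no": [("deny", "router bgp"), ("permit", ".*")],
}

# Tightened version: anchor the deny to the start of the argument string and
# require a word boundary, and give "router" its own explicit stanza, since
# the server has no idea that "no router bgp" undoes "router bgp".
ANCHORED = {
    "no": [("deny", r"^router bgp( |$)"), ("permit", ".*")],
    "router": [("permit", ".*")],
}

# Constructed sample command lines (hypothetical, not from the thread).
CASES = [
    "no router bgp 65000",                             # the command to block
    "no router ospf 1",                                # must stay allowed
    "router bgp 65000",                                # configuring must stay allowed
    "no description router bgp peering to AS64512",    # interface description
]


if __name__ == "__main__":
    for label, policy in (("naive", NAIVE), ("anchored", ANCHORED)):
        print(f"--- {label}, default service = deny ---")
        for cmd, decision in audit(policy, CASES):
            print(f"{decision:6}  {cmd}")
```

Run it to see the naive rule deny the interface description command (the regex "router bgp" matches inside its arguments) and deny "router bgp 65000" simply because no "router" stanza exists while the default service is deny; the anchored policy permits both and still denies "no router bgp 65000". The same first-match, regex-on-arguments behaviour is what makes the allow/deny lists grow long, which is where an external after-authorization script such as do_auth.py becomes attractive.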