[tac_plus] tacacs truncating some commands before performing authorization check
heasley
heas at shrubbery.net
Tue Sep 6 16:16:59 UTC 2016
Fri, Sep 02, 2016 at 10:20:24AM -0400, Mason Moody:
> Hi, all,
>
> I'm running TACACS+ version 4.0.4.28 on Ubuntu 16.04, and I'm seeing in
> my testing of command authorization some odd truncation of commands. The
> relevant portion of my config limits a group of users to certain 'no'
> commands, in particular, 'no switchport mode access'. The config line
> looks like this:
>
> cmd = no {
> ...
> permit "switchport mode access <cr>"
> ...
> }
>
> My TACACS logs show that when I run the 'no switchport mode access'
> command from a Cisco 3550 (running IOS 12.2(44)SE6), I get an
> authorization failure result. The relevant log result shows that the
> command that's being compared against doesn't include the last term:
>
> [27071]: line 228 compare no permit 'switchport mode access <cr>' & 'switchport mode <cr>' no match
If you enable packet dumps, I suspect you will find that the device is
sending the truncated line.
> The Cisco logs record the full command:
>
> %PARSER-5-CFGLOG_LOGGEDCMD: User:tmonkey logged command:switchport mode access
>
> Has anyone seen anything like this before?
I have, but do not recall the specific command. There is probably a Cisco
document somewhere that defines what portion(s) of commands are sent for
authorization, but I didn't find anything in a brief search.
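Added example, not part of this thread or of tac_plus itself: a small Python checker that correlates tac_plus `compare` log lines with the device's own CFGLOG entries and flags failed authorizations where the argument string tac_plus saw is a strict word-prefix of the command the device logged, which is what the truncation described above looks like when searched for in bulk. The sample log lines are constructed to mirror the two formats quoted in the thread, and the parsing regexes are assumptions about those formats, not taken from tac_plus source.

```python
import re

# Constructed sample lines, shaped like the two log excerpts in the thread.
TAC_PLUS_LOG = [
    "[27071]: line 228 compare no permit 'switchport mode access <cr>' & "
    "'switchport mode <cr>' no match",
    "[27071]: line 228 compare no permit 'switchport mode access <cr>' & "
    "'switchport mode access <cr>' match",
]
DEVICE_LOG = [
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:tmonkey logged command:switchport mode access",
]

# Assumed shape of the two log formats (see lead-in); adjust if yours differ.
COMPARE_RE = re.compile(
    r"compare (?P<cmd>\S+) permit '(?P<pattern>[^']*)' & '(?P<sent>[^']*)' "
    r"(?P<result>match|no match)$"
)
DEVICE_RE = re.compile(r"logged command:(?P<cmd>.+)$")


def parse_compare(line):
    """Return (cmd, pattern, sent_args, matched) for one tac_plus compare line."""
    m = COMPARE_RE.search(line)
    if not m:
        return None
    sent = m.group("sent").replace("<cr>", "").strip()
    return m.group("cmd"), m.group("pattern"), sent, m.group("result") == "match"


def device_commands(lines):
    """Collect the command strings the device itself recorded as executed."""
    return [DEVICE_RE.search(ln).group("cmd").strip()
            for ln in lines if DEVICE_RE.search(ln)]


def find_truncated(tac_lines, dev_lines):
    """Flag failed authorizations whose argument string is a strict word-prefix
    of a command the device logged in full: the device sent fewer tokens than
    it executed, so the permit pattern never had a chance to match."""
    executed = [full.split() for full in device_commands(dev_lines)]
    hits = []
    for line in tac_lines:
        parsed = parse_compare(line)
        if parsed is None or parsed[3]:
            continue  # unparseable, or authorization already succeeded
        cmd, _pattern, sent, _ = parsed
        words = sent.split()
        for full in executed:
            if len(words) < len(full) and full[:len(words)] == words:
                hits.append((cmd, sent, " ".join(full)))
    return hits
```

Each hit names the TACACS+ cmd, the truncated argument string that was actually authorized against, and the full command the device ran, which is the evidence to take to a packet dump or a vendor case.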