From Kevin.Cruse at Instinet.com Tue Jan 17 19:50:29 2017 
From: Kevin.Cruse at Instinet.com (Kevin.Cruse at Instinet.com)
Date: Tue, 17 Jan 2017 14:50:29 -0500
Subject: [tac_plus] Install with do_auth
In-Reply-To:
References: <35BC8CE95CE34F46A23FD9A9630BBBE901852C9BA1@Corp-exch-02.fccorporate.fife> <20161224153852.GC62123@shrubbery.net>
Message-ID:

I am in the process of migrating to CentOS 7 and have set up the following environment:

CentOS Linux release 7.2.1511
tac_plus version F4.0.4.28
do_auth.py v1.9

The problem I am having is users will authenticate properly to tac_plus, however, the 'after authorization' is never called and user ends up with full control on router. It's been a while since I set up our CentOS 6 servers with tacplus and wonder if I need to build from source with specific switches to support do auth? I cannot for the life of me figure out why 'after authorization' is not called! I've copied the same config from production (currently working perfectly) and cannot get this to work. Any ideas/thoughts/suggestions? I'm banging my head on this one.

group = default_group {
        default service = permit
        service = exec {
        priv-lvl = 0
        shell:roles=\"\\"network-operator\\""
        }
        after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -fix_crs_bug -u $user -d $name -l /var/log/tacacs/do_auth_log -f /usr/local/sbin/tacplus/do_auth.ini"
}

Thanks

-----------------------------------------------------------------
Kevin Cruse
US Networks
Instinet LLC
309 West 49th Street
New York, NY 10019 US
kevin.cruse at instinet.com
212-310-4734

=========================================================================================================
<<<< Disclaimer >>>>

This message, including all attachments, is private and confidential, may contain proprietary or privileged information and material and is intended solely for use by the named addressee(s).
If you receive this transmission in error, please immediately notify the sender and destroy this message in its entirety, whether in electronic or hard copy format. Any unauthorized use (and reliance thereon), copying, disclosure, retention, or distribution of this transmission or the material herein is forbidden. We reserve the right to retain, monitor, intercept and archive electronic communications. This message does not constitute an offer or solicitation with respect to the purchase or sale of any security. It should not be construed to contain any recommendation regarding any security or strategy unless expressly stated therein. Any reference to the terms of executed transactions should be treated as preliminary only and subject to formal written confirmation. Any views expressed are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. This message is provided on an "as is" basis. It contains material that is owned by Instinet Incorporated, its subsidiaries or its or their licensors, and may not, in whole or in part, be (i) copied, photocopied or duplicated in any form, by any means, or (ii) redistributed, posted, published, excerpted, or quoted without Instinet Incorporated's prior written consent. No confidentiality or privilege is waived or lost by any mistransmission of this message. Instinet, LLC (member SIPC) and Instinet Canada Limited (member IIROC/CIPF) are subsidiaries of Instinet Incorporated that are locally registered or otherwise authorized to provide securities brokerage products and services. Please refer to the following link for additional disclosures and disclaimers that apply to this message: http://instinet.com/docs/legal/le_disclaimers.html. Effective July 1, 2014, Canada introduced Canadian Anti-Spam Legislation ("CASL").
As a Canadian resident you are receiving this electronic communication because of your existing relationship with Instinet Canada Limited ("ICL") or an authorized affiliate. Canadian residents who wish to unsubscribe from commercial electronic messages: please e-mail iclcompliance at instinet.com. Please note that you will continue to receive non-commercial electronic messages, such as account statements, invoices, client communications, and other similar factual electronic communications.
=========================================================================================================

From daniel.schmidt at wyo.gov Tue Jan 17 21:41:19 2017
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Tue, 17 Jan 2017 14:41:19 -0700
Subject: [tac_plus] Install with do_auth
In-Reply-To:
References: <35BC8CE95CE34F46A23FD9A9630BBBE901852C9BA1@Corp-exch-02.fccorporate.fife> <20161224153852.GC62123@shrubbery.net>
Message-ID:

We're on 1.13 actually. Try that.
https://github.com/jathanism/do_auth

Off of the top of my head, this here:

/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -fix_crs_bug -u $user -d $name -l /var/log/tacacs/do_auth_log -f /usr/local/sbin/tacplus/do_auth.ini

Run that as your tac_plus user, fill in your values and add -D. See if it gives you some output or an error. And you probably don't need -fix_crs_bug if you upgrade as I believe Jathan fixed that kludge.

On Tue, Jan 17, 2017 at 12:50 PM, wrote:

> I am in the process of migrating to CentOS 7 and have set up the following
> environment:
>
> CentOS Linux release 7.2.1511
> tac_plus version F4.0.4.28
> do_auth.py v1.9
>
> The problem I am having is users will authenticate properly to tac_plus,
> however, the 'after authorization' is never called and user ends up with
> full control on router. It's been a while since I set up our CentOS 6 servers
> with tacplus and wonder if I need to build from source with specific
> switches to support do auth? I cannot for the life of me figure out why
> 'after authorization' is not called! I've copied the same config from
> production (currently working perfectly) and cannot get this to work. Any
> ideas/thoughts/suggestions? I'm banging my head on this one.
>
> group = default_group {
>         default service = permit
>         service = exec {
>         priv-lvl = 0
>         shell:roles=\"\\"network-operator\\""
>         }
>         after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -fix_crs_bug -u $user -d $name -l /var/log/tacacs/do_auth_log -f /usr/local/sbin/tacplus/do_auth.ini"
> }
>
> Thanks
>
> -----------------------------------------------------------------
> Kevin Cruse
> US Networks
> Instinet LLC
> 309 West 49th Street
> New York, NY 10019 US
> kevin.cruse at instinet.com
> 212-310-4734

--
E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.

From Kevin.Cruse at Instinet.com Wed Jan 18 15:39:41 2017
From: Kevin.Cruse at Instinet.com (Kevin.Cruse at Instinet.com)
Date: Wed, 18 Jan 2017 10:39:41 -0500
Subject: [tac_plus] Install with do_auth
In-Reply-To:
References: <35BC8CE95CE34F46A23FD9A9630BBBE901852C9BA1@Corp-exch-02.fccorporate.fife> <20161224153852.GC62123@shrubbery.net>
Message-ID:

If I run this:

/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -fix_crs_bug -u $user -d $name -l /var/log/tacacs/do_auth_log -f /usr/local/sbin/tacplus/do_auth.ini -D

it works! The log file is updated, however, the problem still persists where it does not update when run with 'after authorization'. I ran an strace on the tac_plus daemon and it never attempts to write to the do_auth log file. Something very quirky is going on here. I also checked the log file and saw no attempts to access it from any process. It definitely seems to be something wrong with the daemon.

-----------------------------------------------------------------
Kevin Cruse
US Networks
Instinet LLC
309 West 49th Street
New York, NY 10019 US
kevin.cruse at instinet.com
212-310-4734

From: Daniel Schmidt
To: Kevin.Cruse at instinet.com,
Cc: "tac_plus at shrubbery.net" , tac_plus
Date: 01/17/2017 04:41 PM
Subject: Re: Install with do_auth

We're on 1.13 actually. Try that.
https://github.com/jathanism/do_auth

Off of the top of my head, this here:

/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -fix_crs_bug -u $user -d $name -l /var/log/tacacs/do_auth_log -f /usr/local/sbin/tacplus/do_auth.ini

Run that as your tac_plus user, fill in your values and add -D. See if it gives you some output or an error. And you probably don't need -fix_crs_bug if you upgrade as I believe Jathan fixed that kludge.

On Tue, Jan 17, 2017 at 12:50 PM, wrote:

I am in the process of migrating to centos 7 and have setup the following environment:

CentOS Linux release 7.2.1511
tac_plus version F4.0.4.28
do_auth.py v1.9

The problem I am having is users will authenticate properly to tac_plus, however, the 'after authorization' is never called and user ends up with full control on router. It's been awhile since I setup our centos 6 servers with tacplus and wonder if I need to build from source with specific switches to support do auth? I cannot for the life of me figure out why 'after authorization' is not called! I've copied the same config from production (currently working perfectly) and cannot get this to work. Any ideas/thoughts/suggestions? im banging my head on this one.

group = default_group {
        default service = permit
        service = exec {
        priv-lvl = 0
        shell:roles=\"\\"network-operator\\""
        }
        after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -fix_crs_bug -u $user -d $name -l /var/log/tacacs/do_auth_log -f /usr/local/sbin/tacplus/do_auth.ini"
}

Thanks

-----------------------------------------------------------------
Kevin Cruse
US Networks
Instinet LLC
309 West 49th Street
New York, NY 10019 US
kevin.cruse at instinet.com
212-310-4734

From daniel.schmidt at wyo.gov Thu Jan 19 21:54:12 2017
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Thu, 19 Jan 2017 14:54:12 -0700
Subject: [tac_plus] Install with do_auth
In-Reply-To:
References: <35BC8CE95CE34F46A23FD9A9630BBBE901852C9BA1@Corp-exch-02.fccorporate.fife> <20161224153852.GC62123@shrubbery.net>
Message-ID:

What manner of router? Are you running authorization on the router? (Not authentication, authorization) What's your aa config look like?

On Wed, Jan 18, 2017 at 8:39 AM, wrote:

> If I run this:
>
> /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -fix_crs_bug -u $user -d $name -l /var/log/tacacs/do_auth_log -f /usr/local/sbin/tacplus/do_auth.ini -D
>
> it works! The log file is updated, however, the problem still persists
> where it does not updated when run with 'after authorization'. I ran an
> strace on the tac_plus daemon and it never attempts to write to the do_auth
> log file. Something very quirky is going on here. I also checked the log
> file and saw no attempts to access it from any process. It definitely seems
> to be something wrong with the daemon.
>
> -----------------------------------------------------------------
> Kevin Cruse
> US Networks
> Instinet LLC
> 309 West 49th Street
> New York, NY 10019 US
> kevin.cruse at instinet.com
> 212-310-4734
>
> From: Daniel Schmidt
> To: Kevin.Cruse at instinet.com,
> Cc: "tac_plus at shrubbery.net" , tac_plus <tac_plus-bounces at shrubbery.net>
> Date: 01/17/2017 04:41 PM
> Subject: Re: Install with do_auth
> ------------------------------
>
> We're on 1.13 actually. Try that.
> https://github.com/jathanism/do_auth
>
> Off of the top of my head, this here:
> /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -fix_crs_bug -u $user -d $name -l /var/log/tacacs/do_auth_log -f /usr/local/sbin/tacplus/do_auth.ini
>
> Run that as your tac_plus user, fill in your values and add -D. See if
> it gives you some output or an error. And you probably don't need
> -fix_crs_bug if you upgrade as I believe Jathan fixed that kludge.
>
> On Tue, Jan 17, 2017 at 12:50 PM, <Kevin.Cruse at instinet.com> wrote:
>
> I am in the process of migrating to centos 7 and have setup the
> following environment:
>
> CentOS Linux release 7.2.1511
> tac_plus version F4.0.4.28
> do_auth.py v1.9
>
> The problem I am having is users will authenticate properly to
> tac_plus, however, the 'after authorization' is never called and user ends
> up with full control on router. It's been awhile since I setup our centos 6
> servers with tacplus and wonder if I need to build from source with
> specific switches to support do auth? I cannot for the life of me figure
> out why 'after authorization' is not called! I've copied the same config
> from production (currently working perfectly) and cannot get this to work.
> Any ideas/thoughts/suggestions? im banging my head on this one.
>
> group = default_group {
>         default service = permit
>         service = exec {
>         priv-lvl = 0
>         shell:roles=\"\\"network-operator\\""
>         }
>         after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -fix_crs_bug -u $user -d $name -l /var/log/tacacs/do_auth_log -f /usr/local/sbin/tacplus/do_auth.ini"
> }
>
> Thanks
>
> -----------------------------------------------------------------
> Kevin Cruse
> US Networks
> Instinet LLC
> 309 West 49th Street
> New York, NY 10019 US
> kevin.cruse at instinet.com
> 212-310-4734

From nilesh.shinde at hpe.com Wed Jan 25 05:46:33 2017
From: nilesh.shinde at hpe.com (Shinde, Nilesh)
Date: Wed, 25 Jan 2017 05:46:33 +0000
Subject: [tac_plus] Issue with certain addresses on tacacs+-F4.0.4.27a
Message-ID:

Hi,

I have noticed that some tacacs+ server with tacacs+-F4.0.4.27a does not listen to all the IPv6 addresses.
Log:

tac_connect_single: connection failed with 2013:cdba:1002:1304:4001:2005:3257:2000:49: Transport endpoint is not connected

This shows that the server is not listening to certain addresses.
I used a radius server with this IP and it worked ok.
Is there a patch for this issue?

Thanks,
Nilesh

From daniel.schmidt at wyo.gov Wed Jan 25 16:55:00 2017
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Wed, 25 Jan 2017 09:55:00 -0700
Subject: [tac_plus] Issue with certain addresses on tacacs+-F4.0.4.27a
In-Reply-To:
References:
Message-ID:

If I recall correctly, single-connection isn't really supported correctly by vendors - try turning it off on your router.

On Tue, Jan 24, 2017 at 10:46 PM, Shinde, Nilesh wrote:

> Hi,
>
> I have noticed that some tacacs+ server with tacacs+-F4.0.4.27a does not
> listen to all the IPv6 addresses.
> Log:
>
> tac_connect_single: connection failed with 2013:cdba:1002:1304:4001:2005:3257:2000:49:
> Transport endpoint is not connected
>
> This shows that the server is not listening to certain addresses.
> I used a radius server with this IP and it worked ok.
> Is there a patch for this issue?
>
> Thanks,
> Nilesh
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus

From nilesh.shinde at hpe.com Wed Jan 25 19:14:52 2017
From: nilesh.shinde at hpe.com (Shinde, Nilesh)
Date: Wed, 25 Jan 2017 19:14:52 +0000
Subject: [tac_plus] Issue with certain addresses on tacacs+-F4.0.4.27a
In-Reply-To:
References:
Message-ID:

Hi Daniel,

If I understand the suggestion correctly, you are pointing to the log with "tac_connect_single". This is an API from the tac plus client library. We are trying to connect to the server mentioned as tacacs server. The tacacs server is not listening to all the addresses.

Thanks,
Nilesh
From: Daniel Schmidt [mailto:daniel.schmidt at wyo.gov]
Sent: Wednesday, January 25, 2017 8:55 AM
To: Shinde, Nilesh
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] Issue with certain addresses on tacacs+-F4.0.4.27a

If I recall correctly, single-connection isn't really supported correctly by vendors - try turning it off on your router.

On Tue, Jan 24, 2017 at 10:46 PM, Shinde, Nilesh wrote:

Hi,

I have noticed that some tacacs+ server with tacacs+-F4.0.4.27a does not listen to all the IPv6 addresses.
Log:

tac_connect_single: connection failed with 2013:cdba:1002:1304:4001:2005:3257:2000:49: Transport endpoint is not connected

This shows that the server is not listening to certain addresses.
I used a radius server with this IP and it worked ok.
Is there a patch for this issue?

Thanks,
Nilesh

From daniel.schmidt at wyo.gov Tue Jan 31 23:14:54 2017
From: daniel.schmidt at wyo.gov (Daniel Schmidt) Date: Tue, 31 Jan 2017 16:14:54 -0700 Subject: [tac_plus] PAM support for PAP In-Reply-To: <20120320222353.GF39349@shrubbery.net> References: <4F63BDDB.60409@jeroennijhof.nl> <20120320222353.GF39349@shrubbery.net> Message-ID: My apologies for the necromancy, but I noticed something concerning this old thread. Being required to use the AFL patch, I am stuck on version F4.0.4.19. However, I noticed the patch is missing the modifications to pwlib.c. This patch will not work as is, at least not in 4.0.4.19. I believe an example of the correct modifications are here: http://www.shrubbery.net/pipermail/tac_plus/2008-October/000282.html Thank you, -Dan On Tue, Mar 20, 2012 at 4:23 PM, john heasley wrote: > Fri, Mar 16, 2012 at 11:25:31PM +0100, Jeroen Nijhof: > > Dear John, > > > > Since I've noticed my old pam patch for pap is still used I've decided > > to rewrite the patch. > > > > Attached you can find the patch which will enable PAM support for PAP. I > > used the 4.0.4.23 branch but it also works for 4.0.4.19 and 4.0.4.22. > > > > Maybe it's worth to integrate the patch with the upstream code? > > got it. thanks, Jeroen. > > > Thanks! > > > > With kind regards, > > Jeroen Nijhof > > > diff -ur tacacs+-F4.0.4.23.orig/config.c tacacs+-F4.0.4.23/config.c > > --- tacacs+-F4.0.4.23.orig/config.c 2012-01-24 01:05:22.000000000 > +0100 > > +++ tacacs+-F4.0.4.23/config.c 2012-03-16 22:15:38.835033501 +0100 > > @@ -86,6 +86,7 @@ > > #endif > > pap = cleartext | > > pap = des | > > + pap = PAM | > > opap = cleartext | > > global = cleartext | > > msg = > > @@ -1134,6 +1135,12 @@ > > parse(S_separator); > > switch(sym_code) { > > > > +#ifdef HAVE_PAM > > + case S_pam: > > + user->pap = tac_strdup(sym_buf); > > + break; > > +#endif > > + > > case S_cleartext: > > case S_des: > > sprintf(buf, "%s ", sym_buf); 
> > @@ -1143,7 +1150,11 @@ > > break; > > > > default: > > - parse_error("expecting 'cleartext', or 'des' keyword after > " > > + parse_error("expecting 'cleartext', " > > +#ifdef HAVE_PAM > > + "'PAM', " > > +#endif > > + "or 'des' keyword after " > > "'pap =' on line %d", sym_line); > > } > > sym_get(); > > _______________________________________________ > tac_plus mailing list > tac_plus at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus > -- E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties. -------------- next part -------------- An HTML attachment was scrubbed... URL:
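
Review bot: In the @@ -86,6 +86,7 @@ hunk of config.c, the added `pap = PAM |` grammar line sits after the `#endif` and is therefore listed unconditionally, while the parser accepts the keyword only under `#ifdef HAVE_PAM` (the `case S_pam` hunk). Put the grammar line under the same conditional, or state next to it that it requires a PAM-enabled build, so a build without PAM does not advertise a keyword that it then rejects with the "expecting 'cleartext', or 'des'" parse error.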
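
Review bot: In the @@ -1134,6 +1135,12 @@ hunk, `case S_pam` only records the keyword with `user->pap = tac_strdup(sym_buf);`, and nothing in the patch as quoted changes the code that later reads `user->pap`, which is consistent with the observation in this message that the pwlib.c modifications are missing. The verification-side change needs to be part of the same patch, and it should be confirmed that a PAP login against a `pap = PAM` user on a build lacking that change is rejected rather than having the stored keyword compared as if it were a password value. This case also stores the bare keyword, whereas the `S_cleartext`/`S_des` case formats it with `sprintf(buf, "%s ", sym_buf)`, so whatever reads `user->pap` has to recognise both shapes; a short comment here saying so would help.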
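
Review bot: In the @@ -1143,7 +1150,11 @@ hunk, the `#ifdef HAVE_PAM` / `#endif` pair is placed between the string literals inside the `parse_error(...)` argument list. That is only well defined while `parse_error` is a real function: preprocessor directives inside the arguments of a function-like macro are undefined behaviour in C, so the call would break silently if `parse_error` were ever turned into a macro. Defining the accepted-keyword text once under the conditional (a single string macro) and using it in the message keeps the call itself free of directives and is easier to read.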