[tac_plus] Install with do_auth

Kevin.Cruse at Instinet.com Kevin.Cruse at Instinet.com
Wed Jan 18 15:39:41 UTC 2017


If I run this:

 /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address
-fix_crs_bug -u $user -d $name -l /var/log/tacacs/do_auth_log
-f /usr/local/sbin/tacplus/do_auth.ini -D

it works! The log file is updated, however, the problem still persists
where it does not updated when run with 'after authorization'. I ran an
strace on the tac_plus daemon and it never attempts to write to the do_auth
log file. Something very quirky is going on here. I also checked the log
file and saw no attempts to access it from any process. It definitely seems
to be something wrong with the daemon.



-----------------------------------------------------------------
Kevin Cruse
US Networks
Instinet LLC
309 West 49th Street
New York, NY 10019 US
kevin.cruse at instinet.com
212-310-4734




From:	Daniel Schmidt <daniel.schmidt at wyo.gov>
To:	Kevin.Cruse at instinet.com,
Cc:	"tac_plus at shrubbery.net" <tac_plus at shrubbery.net>, tac_plus
            <tac_plus-bounces at shrubbery.net>
Date:	01/17/2017 04:41 PM
Subject:	Re: Install with do_auth



We're on 1.13 actually.  Try that.
https://github.com/jathanism/do_auth


Off of the top of my head, this here:
/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -fix_crs_bug
-u $user -d $name -l /var/log/tacacs/do_auth_log
-f /usr/local/sbin/tacplus/do_auth.ini

Run that as your tac_plus user,  fill in your values and add -D.  See if it
gives you some output or an error.  And you probably don't need
-fix_crs_bug if you upgrade as I believe Jathan fixed that kludge.



On Tue, Jan 17, 2017 at 12:50 PM, <Kevin.Cruse at instinet.com> wrote:
  I am in the process of migrating to centos 7 and have setup the following
  environment:

  CentOS Linux release 7.2.1511
  tac_plus version F4.0.4.28
  do_auth.py v1.9

  The problem I am having is users will authenticate properly to tac_plus,
  however, the 'after authorization' is never called and user ends up with
  full control on router. It's been awhile since I setup our centos 6
  servers with tacplus and wonder if I need to build from source with
  specific switches to support do auth? I cannot for the life of me figure
  out why 'after authorization' is not called! I've copied the same config
  from production (currently working perfectly) and cannot get this to
  work. Any ideas/thoughts/suggestions? im banging my head on this one.

   group = default_group {
          default service = permit
          service = exec {
          priv-lvl = 0
          shell:roles=\"\\"network-operator\\""
          }
          after authorization
  "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address
  -fix_crs_bug -u $user -d $name -l /var/log/tacacs/do_auth_log
  -f /usr/local/sbin/tacplus/do_auth.ini"

   }


  Thanks


  -----------------------------------------------------------------
  Kevin Cruse
  US Networks
  Instinet LLC
  309 West 49th Street
  New York, NY 10019 US
  kevin.cruse at instinet.com
  212-310-4734





  =========================================================================================================



  <<<< Disclaimer >>>>


  This message, including all attachments, is private and confidential, may
  contain proprietary or privileged information and material and is
  intended solely for use by the named addressee(s). If you receive this
  transmission in error, please immediately notify the sender and destroy
  this message in its entirety, whether in electronic or hard copy format.
  Any unauthorized use (and reliance thereon), copying, disclosure,
  retention, or distribution of this transmission or the material herein is
  forbidden. We reserve the right to retain, monitor, intercept and archive
  electronic communications. This message does not constitute an offer or
  solicitation with respect to the purchase or sale of any security. It
  should not be construed to contain any recommendation regarding any
  security or strategy unless expressly stated therein. Any reference to
  the terms of executed transactions should be treated as preliminary only
  and subject to formal written confirmation. Any views expressed are those
  of the individual sender, except where the message states otherwise and
  the sender is authorized to state them to be the views of any such
  entity. This message is provided on an “as is” basis. It contains
  material that is owned by Instinet Incorporated, its subsidiaries or its
  or their licensors, and may not, in whole or in part, be (i) copied,
  photocopied or duplicated in any form, by any means, or (ii)
  redistributed, posted, published, excerpted, or quoted without Instinet
  Incorporated's prior written consent. No confidentiality or privilege is
  waived or lost by any mistransmission of this message. Instinet, LLC
  (member SIPC) and Instinet Canada Limited (member IIROC/CIPF) are
  subsidiaries of Instinet Incorporated that are locally registered or
  otherwise authorized to provide securities brokerage products and
  services. Please refer to the following link for additional disclosures
  and disclaimers that apply to this message:
  http://instinet.com/docs/legal/le_disclaimers.html. Effective July 1,
  2014, Canada introduced Canadian Anti-Spam Legislation ("CASL"). As a
  Canadian resident you are receiving this electronic communication because
  of your existing relationship with Instinet Canada Limited ("ICL") or an
  authorized affiliate. Canadian residents who wish to unsubscribe from
  commercial electronic messages: please e-mail iclcompliance at instinet.com.
  Please note that you will continue to receive non-commercial electronic
  messages, such as account statements, invoices, client communications,
  and other similar factual electronic communications.




  =========================================================================================================






E-Mail to and from me, in connection with the transaction
of public business, is subject to the Wyoming Public Records
Act and may be disclosed to third parties.

=========================================================================================================  <<<< Disclaimer >>>>   This message, including all attachments, is private and confidential, may contain proprietary or privileged information and material and is intended solely for use by the named addressee(s). If you receive this transmission in error, please immediately notify the sender and destroy this message in its entirety, whether in electronic or hard copy format. Any unauthorized use (and reliance thereon), copying, disclosure, retention, or distribution of this transmission or the material herein is forbidden. We reserve the right to retain, monitor, intercept and archive electronic communications. This message does not constitute an offer or solicitation with respect to the purchase or sale of any security. It should not be construed to contain any recommendation regarding any security or strategy unless expressly stated therein. Any reference to the terms of executed transactions should be treated as preliminary only and subject to formal written confirmation. Any views expressed are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. This message is provided on an “as is” basis. It contains material that is owned by Instinet Incorporated, its subsidiaries or its or their licensors, and may not, in whole or in part, be (i) copied, photocopied or duplicated in any form, by any means, or (ii) redistributed, posted, published, excerpted, or quoted without Instinet Incorporated's prior written consent. No confidentiality or privilege is waived or lost by any mistransmission of this message. Instinet, LLC (member SIPC) and Instinet Canada Limited (member IIROC/CIPF) are subsidiaries of Instinet Incorporated that are locally registered or otherwise authorized to provide securities brokerage products and services. Please refer to the following link for additional disclosures and disclaimers that apply to this message:  http://instinet.com/docs/legal/le_disclaimers.html.  Effective July 1, 2014, Canada introduced Canadian Anti-Spam Legislation ("CASL"). As a Canadian resident you are receiving this electronic communication because of your existing relationship with Instinet Canada Limited ("ICL") or an authorized affiliate. Canadian residents who wish to unsubscribe from commercial electronic messages: please e-mail iclcompliance at instinet.com. Please note that you will continue to receive non-commercial electronic messages, such as account statements, invoices, client communications, and other similar factual electronic communications.  

=========================================================================================================  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20170118/74ec014e/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 21671581.gif
Type: image/gif
Size: 4077 bytes
Desc: not available
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20170118/74ec014e/attachment.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: graycol.gif
Type: image/gif
Size: 105 bytes
Desc: not available
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20170118/74ec014e/attachment-0001.gif>


More information about the tac_plus mailing list