[tac_plus] Install with do_auth

Daniel Schmidt daniel.schmidt at wyo.gov
Thu Jan 19 21:54:12 UTC 2017


What manner of router?  Are you running authorization on the router?  (Not
authentication, authorization)  What's your aaa config look like?

On Wed, Jan 18, 2017 at 8:39 AM, <Kevin.Cruse at instinet.com> wrote:

> If I run this:
>
>  /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -fix_crs_bug -u $user -d $name -l /var/log/tacacs/do_auth_log -f /usr/local/sbin/tacplus/do_auth.ini -D
>
> it works! The log file is updated, however, the problem still persists
> where it does not update when run with 'after authorization'. I ran an
> strace on the tac_plus daemon and it never attempts to write to the do_auth
> log file. Something very quirky is going on here. I also checked the log
> file and saw no attempts to access it from any process. It definitely seems
> to be something wrong with the daemon.
>
> -----------------------------------------------------------------
> Kevin Cruse
> US Networks
> Instinet LLC
> 309 West 49th Street
> New York, NY 10019 US
> kevin.cruse at instinet.com
> 212-310-4734
>
>
>
> From: Daniel Schmidt <daniel.schmidt at wyo.gov>
> To: Kevin.Cruse at instinet.com,
> Cc: "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>, tac_plus <
> tac_plus-bounces at shrubbery.net>
> Date: 01/17/2017 04:41 PM
> Subject: Re: Install with do_auth
> ------------------------------
>
>
>
> We're on 1.13 actually.  Try that.
> https://github.com/jathanism/do_auth
>
>
> Off of the top of my head, this here:
> /usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -fix_crs_bug -u $user -d $name -l /var/log/tacacs/do_auth_log -f /usr/local/sbin/tacplus/do_auth.ini
>
> Run that as your tac_plus user,  fill in your values and add -D.  See if
> it gives you some output or an error.  And you probably don't need
> -fix_crs_bug if you upgrade as I believe Jathan fixed that kludge.
>
>
>
> On Tue, Jan 17, 2017 at 12:50 PM, <Kevin.Cruse at instinet.com> wrote:
>
>    I am in the process of migrating to CentOS 7 and have set up the
>    following environment:
>
>    CentOS Linux release 7.2.1511
>    tac_plus version F4.0.4.28
>    do_auth.py v1.9
>
>    The problem I am having is users will authenticate properly to
>    tac_plus, however, the 'after authorization' is never called and the user ends
>    up with full control on the router. It's been a while since I set up our CentOS 6
>    servers with tacplus and I wonder if I need to build from source with
>    specific switches to support do_auth? I cannot for the life of me figure
>    out why 'after authorization' is not called! I've copied the same config
>    from production (currently working perfectly) and cannot get this to work.
>    Any ideas/thoughts/suggestions? I'm banging my head on this one.
>
>     group = default_group {
>            default service = permit
>            service = exec {
>            priv-lvl = 0
>            shell:roles=\"\\"network-operator\\""
>            }
>            after authorization "/usr/bin/python /usr/local/sbin/tacplus/do_auth.py -i $address -fix_crs_bug -u $user -d $name -l /var/log/tacacs/do_auth_log -f /usr/local/sbin/tacplus/do_auth.ini"
>
>     }
>
>
>    Thanks
>
> E-Mail to and from me, in connection with the transaction
> of public business, is subject to the Wyoming Public Records
> Act and may be disclosed to third parties.

-- 

E-Mail to and from me, in connection with the transaction 
of public business, is subject to the Wyoming Public Records 
Act and may be disclosed to third parties.
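
The authentication-versus-authorization distinction asked about above, as an added example (not from the thread or from do_auth): a small Python check that reads an IOS-style `aaa` section and reports which authorization types are never sent to TACACS+. The IOS syntax is an assumption, since the thread does not name the platform; both sample configs and the group name `TACSRV` are constructed.

```python
import re

GROUP_DEF = re.compile(r"^aaa\s+group\s+server\s+tacacs\+\s+(\S+)")
AAA_LINE = re.compile(r"^aaa\s+(authentication|authorization)\s+(\S+)\s+(.+)$")
METHOD_GROUP = re.compile(r"\bgroup\s+(\S+)")

# Constructed sample: logins go to TACACS+, but nothing is sent for authorization.
AUTHN_ONLY = """\
aaa new-model
aaa authentication login default group tacacs+ local
"""

# Constructed sample: exec and command authorization via a named server group.
AUTHN_AND_AUTHZ = """\
aaa new-model
aaa group server tacacs+ TACSRV
aaa authentication login default group TACSRV local
aaa authorization exec default group TACSRV local
aaa authorization commands 15 default group TACSRV local
"""


def tacacs_usage(config_text):
    """Return the AAA types per function whose method list uses a TACACS+ group."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    groups = {"tacacs+"}  # built-in group name; named groups are added below
    for line in lines:
        m = GROUP_DEF.match(line)
        if m:
            groups.add(m.group(1))
    usage = {"authentication": set(), "authorization": set()}
    for line in lines:
        m = AAA_LINE.match(line)
        if m and any(g in groups for g in METHOD_GROUP.findall(m.group(3))):
            usage[m.group(1)].add(m.group(2))
    return usage


def authorization_gaps(config_text):
    """List authorization types the device never asks the TACACS+ server about."""
    usage = tacacs_usage(config_text)
    if not usage["authentication"]:
        return []  # device does not use TACACS+ at all; out of scope here
    return [t for t in ("exec", "commands") if t not in usage["authorization"]]
```

A device that shows gaps here authenticates against the server but sends it no authorization requests, so an `after authorization` script on the server side has nothing to act on.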