From mus3 at lehigh.edu Mon May 15 17:38:14 2017
From: mus3 at lehigh.edu (Munroe Sollog)
Date: Mon, 15 May 2017 13:38:14 -0400
Subject: [tac_plus] Different AV pairs for the same service
Message-ID:

I am using tacacs to aaa nexus equipment and now a firepower chassis manager. My 'admins' group is configured like so:

    group = admins {
        default service = permit
        service = exec {
            priv-lvl = 15
            # optional shell:roles = "admin network-admin"
            optional shell:roles = "network-admin"
            optional shell:roles = "admin"
        }
        service = AMP {
            role = "tacacs"
        }
        service = gigamon {
        }
    }

The problem is the nexus equipment uses the network-admin role while the firepower chassis manager uses the admin role. While I can probably create one role on the other box, I was wondering if there was an easier way to resolve this issue. As you see, I have tried a space-separated list as well as individual statements.

For further reference, here is the documentation on the firepower tacacs config:

http://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos201/web-config/b_GUI_ConfigGuide_FXOS_201/user_management.html#concept_2770BFB3259042F5A4420595A0A6946C

--
Munroe Sollog
Senior Network Engineer
munroe at lehigh.edu


From daniel.schmidt at wyo.gov Mon May 15 20:11:08 2017
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Mon, 15 May 2017 14:11:08 -0600
Subject: [tac_plus] Different AV pairs for the same service
In-Reply-To:
References:
Message-ID:

Have you considered using the after-authentication "do_auth.py"?

--
E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.


From mus3 at lehigh.edu Mon May 15 20:41:08 2017
From: mus3 at lehigh.edu (Munroe Sollog)
Date: Mon, 15 May 2017 16:41:08 -0400
Subject: [tac_plus] Different AV pairs for the same service
In-Reply-To:
References:
Message-ID:

I know about do_auth.py and I have been avoiding re-implementing my config using it until I understand how to do everything. I haven't found an example of a do_auth config that allows me to specify different AV pairs for different devices within the same group, though.

--
Munroe Sollog
Senior Network Engineer
munroe at lehigh.edu


From daniel.schmidt at wyo.gov Mon May 15 22:32:36 2017
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Mon, 15 May 2017 16:32:36 -0600
Subject: [tac_plus] Different AV pairs for the same service
In-Reply-To:
References:
Message-ID:

That is why do_auth allows the use of multiple groups; it can't know the OS of the device which is talking to it. A notable exception is nexus: do_auth is kluged to know when it is talking to a nexus and will strip the shell:roles when talking to other devices (nexus sends a "cmd=\n" which nobody else seems to). I don't know about FXOS; you would have to set debug in do_auth and send me the returned tac pairs. I suspect it is the same as NXOS, in which case you would be required to make two different groups by IP and assign both of them to the user with an av_pairs statement to send different roles.
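As an added illustration of the approach Daniel describes (two groups keyed by device IP, both assigned to the user, with shell:roles only kept for devices that send the NX-OS-style bare "cmd="), here is a small Python sketch. It is not do_auth.py's own code or config format; the policy table, user name, subnets and the selection function are all constructed for this example.

```python
"""Hypothetical per-device AV-pair selection, modelled on the thread's advice.

Not do_auth.py's code: a sketch in which a user belongs to several groups,
each group is keyed to a device subnet, and only the matching group's
av_pairs are returned to the NAS. All names and addresses are constructed.
"""
import ipaddress
from typing import Dict, List

# Constructed policy: same user, different roles depending on which box asks.
POLICY: Dict[str, dict] = {
    "nexus-admins": {
        "device_permit": ["10.1.0.0/24"],  # constructed: Nexus switches
        "av_pairs": ["priv-lvl=15", "shell:roles=network-admin"],
    },
    "fxos-admins": {
        "device_permit": ["10.2.0.0/24"],  # constructed: Firepower chassis
        "av_pairs": ["priv-lvl=15", "shell:roles=admin"],
    },
}
USERS: Dict[str, List[str]] = {"msollog": ["nexus-admins", "fxos-admins"]}


def device_matches(device_ip: str, patterns: List[str]) -> bool:
    """True if device_ip falls inside any of the group's permitted subnets."""
    addr = ipaddress.ip_address(device_ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in patterns)


def select_av_pairs(user: str, device_ip: str, request_pairs: List[str]) -> List[str]:
    """Return the AV pairs to send back for this user on this device.

    - The first group whose device_permit covers the requesting device wins,
      so one user gets network-admin on Nexus and admin on FXOS.
    - shell:roles is kept only when the NAS sent a bare "cmd=" (the NX-OS
      signature Daniel mentions); otherwise it is dropped so devices that do
      not understand the attribute are not handed it.
    - No matching group means nothing is returned (treat as deny).
    """
    nexus_style = "cmd=" in request_pairs
    for group in USERS.get(user, []):
        entry = POLICY[group]
        if device_matches(device_ip, entry["device_permit"]):
            pairs = list(entry["av_pairs"])
            if not nexus_style:
                pairs = [p for p in pairs if not p.startswith("shell:roles=")]
            return pairs
    return []
```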