[tac_plus] TACACS+ config group syntax for Arbor

Asif Iqbal vadud3 at gmail.com
Fri Nov 10 00:25:36 UTC 2017


This is all I get when doing debug like this and typing the ``shell'' command

  -d 8 -d 16 -d 32 -d 64 -d 128 -d 256 -d 512 -d 1024 -d 2048 -d 32768 -d 65536

Also set up default service = permit

Fri Nov 10 00:09:44 2017 [27585]: connect from 192.168.1.100 [192.168.1.100]
Fri Nov 10 00:09:45 2017 [27585]: login query for 'iqbala' port tty?? from 192.168.1.100 accepted
Fri Nov 10 00:09:45 2017 [27619]: connect from 192.168.1.100 [192.168.1.100]
Fri Nov 10 00:09:45 2017 [27619]: Start authorization request
Fri Nov 10 00:09:45 2017 [27619]: do_author: user='iqbala'
Fri Nov 10 00:09:45 2017 [27619]: user 'iqbala' found
Fri Nov 10 00:09:45 2017 [27619]: svc=N_svc protocol= svcname=arbor not found, permitted by default
Fri Nov 10 00:09:45 2017 [27619]: authorization query for 'iqbala' login from 192.168.1.100 accepted
Fri Nov 10 00:09:45 2017 [27630]: connect from 192.168.1.100 [192.168.1.100]
Fri Nov 10 00:09:45 2017 [27630]: Start authorization request
Fri Nov 10 00:09:45 2017 [27630]: do_author: user='iqbala'
Fri Nov 10 00:09:45 2017 [27630]: user 'iqbala' found
Fri Nov 10 00:09:45 2017 [27630]: svc=N_svc protocol= svcname=system not found, permitted by default
Fri Nov 10 00:09:45 2017 [27630]: authorization query for 'iqbala' login from 192.168.1.100 accepted



On Thu, Nov 9, 2017 at 6:42 PM, heasley <heas at shrubbery.net> wrote:

> Thu, Nov 09, 2017 at 04:38:39PM -0500, Asif Iqbal:
> > Hi All.
> >
> > Anyone doing TACACS+ with Arbor? We can authenticate fine, but failing to
> > get into shell mode.
> >
> > with -d 8 -d 16 I get no following log when running the shell command, and Arbor
> > says "970: Command requires higher privilege"
> >
> > > Thu Nov  9 21:23:25 2017 [3079]: login query for 'iqbala' port tty?? from 192.168.1.100 accepted
> > > Thu Nov  9 21:23:25 2017 [3113]: connect from 192.168.1.100 [192.168.1.100]
> > > Thu Nov  9 21:23:25 2017 [3113]: Start authorization request
> > > Thu Nov  9 21:23:25 2017 [3113]: do_author: user='iqbala'
> > > Thu Nov  9 21:23:25 2017 [3113]: user 'iqbala' found
> > > Thu Nov  9 21:23:25 2017 [3113]: svc=N_svc protocol= not found, denied by default
>
> enable the packet dump debug to see what service the device is sending.
> you don't have that service in the config so it's going to the default.
>
> > > Thu Nov  9 21:23:25 2017 [3113]: authorization query for 'iqbala' login from 192.168.1.100 rejected
> > > Thu Nov  9 21:23:25 2017 [3122]: connect from 192.168.1.100 [192.168.1.100]
> > > Thu Nov  9 21:23:25 2017 [3122]: Start authorization request
> > > Thu Nov  9 21:23:25 2017 [3122]: do_author: user='iqbala'
> > > Thu Nov  9 21:23:25 2017 [3122]: user 'iqbala' found
> > > Thu Nov  9 21:23:25 2017 [3122]: svc=N_svc protocol= not found, denied by default
> > > Thu Nov  9 21:23:25 2017 [3122]: authorization query for 'iqbala' login from 192.168.1.100 rejected
> >
> >
> >
> >
> > Appreciate any help!
> >
> >
> > --
> > Asif Iqbal
> > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> > A: Because it messes up the order in which people normally read text.
> > Q: Why is top-posting such a bad thing?
>



-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
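
An added example, not part of the original messages and not tac_plus code: a small Python parser for the debug log format quoted in this thread. It rejoins records that the archive wrapped and lists every authorization request that matched no configured service and was decided by the default, which is how `arbor` and `system` show up above. The function names are assumptions of this example, and the sample log is constructed from records in the thread.

```python
import re

# Constructed sample: records copied from the thread, wrapped the way the archive wrapped them.
SAMPLE_LOG = """\
Fri Nov 10 00:09:45 2017 [27619]: do_author: user='iqbala'
Fri Nov 10 00:09:45 2017 [27619]: svc=N_svc protocol= svcname=arbor not
found, permitted by default
Fri Nov 10 00:09:45 2017 [27630]: do_author: user='iqbala'
Fri Nov 10 00:09:45 2017 [27630]: svc=N_svc protocol= svcname=system not
found, permitted by default
Thu Nov  9 21:23:25 2017 [3113]: do_author: user='iqbala'
Thu Nov  9 21:23:25 2017 [3113]: svc=N_svc protocol= not found, denied by
default
"""

# A record starts with "Day Mon DD HH:MM:SS YYYY [pid]: "; anything else is a continuation.
RECORD = re.compile(r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4} \[(\d+)\]: (.*)$")
USER = re.compile(r"do_author: user='([^']*)'")
DEFAULTED = re.compile(
    r"svc=\S+ protocol=\S*(?: svcname=(\S+))? not found, (permitted|denied) by default")

def unwrap(text):
    """Rejoin wrapped records and return (pid, message) pairs in order."""
    records = []
    for raw in text.splitlines():
        m = RECORD.match(raw)
        if m:
            records.append([m.group(1), m.group(2)])
        elif records and raw.strip():
            records[-1][1] += " " + raw.strip()  # continuation of the previous record
    return [tuple(r) for r in records]

def default_decisions(text):
    """Return (user, service, decision) for each request that matched no configured service."""
    user_by_pid, found = {}, []
    for pid, msg in unwrap(text):
        if m := USER.search(msg):
            user_by_pid[pid] = m.group(1)
        elif m := DEFAULTED.search(msg):
            # svcname does not appear in every record in the thread; None when absent
            found.append((user_by_pid.get(pid), m.group(1), m.group(2)))
    return found

if __name__ == "__main__":
    for user, service, decision in default_decisions(SAMPLE_LOG):
        print(f"user={user} service={service} -> {decision} by default")
```

Entries reported as permitted are requests that were authorized only because of `default service = permit`, so they are the service names to review in the configuration.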