[tac_plus] TACACS+ config group syntax for Arbor

Asif Iqbal vadud3 at gmail.com
Fri Nov 10 00:54:26 UTC 2017


Found out I need to define a group which needs to map to a group name local to
the Arbor appliance.

Fri Nov 10 00:42:49 2017 [29090]: connect from 192.168.1.100 [192.168.1.100]
Fri Nov 10 00:42:50 2017 [29090]: login query for 'iqbala' port tty?? from
192.168.1.100 accepted
Fri Nov 10 00:42:50 2017 [29114]: connect from 192.168.1.100 [192.168.1.100]
Fri Nov 10 00:42:50 2017 [29114]: Start authorization request
Fri Nov 10 00:42:50 2017 [29114]: do_author: user='iqbala'
Fri Nov 10 00:42:50 2017 [29114]: user 'iqbala' found
Fri Nov 10 00:42:50 2017 [29114]: nas:service=arbor (passed thru)
Fri Nov 10 00:42:50 2017 [29114]: nas:absent,
server:arbor_group=arbor_admin -> add arbor_group=arbor_admin (k)
Fri Nov 10 00:42:50 2017 [29114]: added 1 args
Fri Nov 10 00:42:50 2017 [29114]: out_args[0] = service=arbor input copy
discarded
Fri Nov 10 00:42:50 2017 [29114]: out_args[1] = arbor_group=arbor_admin
compacted to out_args[0]
Fri Nov 10 00:42:50 2017 [29114]: 1 output args
Fri Nov 10 00:42:50 2017 [29114]: authorization query for 'iqbala' login
from 192.168.1.100 accepted


group = ARBOR_ADMIN {
        service = arbor {
            arbor_group = arbor_admin
        }
}

much closer now



On Thu, Nov 9, 2017 at 7:25 PM, Asif Iqbal <vadud3 at gmail.com> wrote:

> This is all I get when doing debug like this and type the ``shell'' command
>
>   -d 8 -d 16 -d 32 -d 64 -d 128 -d 256 -d 512 -d 1024 -d 2048 -d 32768 -d
> 65536
>
> Also set up default service = permit
>
> Fri Nov 10 00:09:44 2017 [27585]: connect from 192.168.1.100
> [192.168.1.100]
> Fri Nov 10 00:09:45 2017 [27585]: login query for 'iqbala' port tty?? from
> 192.168.1.100 accepted
> Fri Nov 10 00:09:45 2017 [27619]: connect from 192.168.1.100
> [192.168.1.100]
> Fri Nov 10 00:09:45 2017 [27619]: Start authorization request
> Fri Nov 10 00:09:45 2017 [27619]: do_author: user='iqbala'
> Fri Nov 10 00:09:45 2017 [27619]: user 'iqbala' found
> Fri Nov 10 00:09:45 2017 [27619]: svc=N_svc protocol= svcname=arbor not
> found, permitted by default
> Fri Nov 10 00:09:45 2017 [27619]: authorization query for 'iqbala' login
> from 192.168.1.100 accepted
> Fri Nov 10 00:09:45 2017 [27630]: connect from 192.168.1.100
> [192.168.1.100]
> Fri Nov 10 00:09:45 2017 [27630]: Start authorization request
> Fri Nov 10 00:09:45 2017 [27630]: do_author: user='iqbala'
> Fri Nov 10 00:09:45 2017 [27630]: user 'iqbala' found
> Fri Nov 10 00:09:45 2017 [27630]: svc=N_svc protocol= svcname=system not
> found, permitted by default
> Fri Nov 10 00:09:45 2017 [27630]: authorization query for 'iqbala' login
> from 192.168.1.100 accepted
>
>
>
> On Thu, Nov 9, 2017 at 6:42 PM, heasley <heas at shrubbery.net> wrote:
>
>> Thu, Nov 09, 2017 at 04:38:39PM -0500, Asif Iqbal:
>> > Hi All.
>> >
>> > Anyone doing TACACS+ with Arbor? We can authenticate fine, but failing
>> to
>> > get into shell mode.
>> >
>> > with -d 8 -d 16 I get no following log when I run the shell command, and Arbor
>> > says "970: Command requires higher privilege"
>> >
>> > Thu Nov  9 21:23:25 2017 [3079]: login query for 'iqbala' port tty??
>> from
>> > > 192.168.1.100 accepted
>> > > Thu Nov  9 21:23:25 2017 [3113]: connect from 192.168.1.100
>> [192.168.1.100]
>> > > Thu Nov  9 21:23:25 2017 [3113]: Start authorization request
>> > > Thu Nov  9 21:23:25 2017 [3113]: do_author: user='iqbala'
>> > > Thu Nov  9 21:23:25 2017 [3113]: user 'iqbala' found
>> > > Thu Nov  9 21:23:25 2017 [3113]: svc=N_svc protocol= not found,
>> denied by
>> > > default
>>
>> enable the packet dump debug to see what service the device is sending.
>> you don't have that service in the config, so it's going to the default.
>>
>> > > Thu Nov  9 21:23:25 2017 [3113]: authorization query for 'iqbala'
>> login
>> > > from 192.168.1.100 rejected
>> > > Thu Nov  9 21:23:25 2017 [3122]: connect from 192.168.1.100
>> [192.168.1.100]
>> > > Thu Nov  9 21:23:25 2017 [3122]: Start authorization request
>> > > Thu Nov  9 21:23:25 2017 [3122]: do_author: user='iqbala'
>> > > Thu Nov  9 21:23:25 2017 [3122]: user 'iqbala' found
>> > > Thu Nov  9 21:23:25 2017 [3122]: svc=N_svc protocol= not found,
>> denied by
>> > > default
>> > > Thu Nov  9 21:23:25 2017 [3122]: authorization query for 'iqbala'
>> login
>> > > from 192.168.1.100 rejected
>> >
>> >
>> >
>> >
>> > Appreciate any help!
>> >
>> >
>> > _______________________________________________
>> > tac_plus mailing list
>> > tac_plus at shrubbery.net
>> > http://www.shrubbery.net/mailman/listinfo/tac_plus
>>
>
>
>


-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
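Added example (not part of the thread, and not tac_plus code): a small parser for tac_plus authorization debug lines in the shape quoted above. The log sample is constructed from the three situations seen in this thread (denied by default, permitted by default, and an explicit service match that adds arbor_group=arbor_admin). It groups lines by child pid, records the service the NAS asked for, whether the decision came from a matching service stanza or from the `default service` fallthrough, and flags every "accepted" that only happened because of `default service = permit`. That fallthrough is the security-relevant caveat here: it hides a missing service stanza by authorizing any service name the device sends, and a log that says "permitted by default" means no attributes were returned to the device, so a role mapping like arbor_group will never be sent. The function and dataclass names are this example's own, not anything from tac_plus.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample log, following the line shape tac_plus emits in the thread.
SAMPLE_LOG = """\
Thu Nov  9 21:23:25 2017 [3113]: Start authorization request
Thu Nov  9 21:23:25 2017 [3113]: do_author: user='iqbala'
Thu Nov  9 21:23:25 2017 [3113]: user 'iqbala' found
Thu Nov  9 21:23:25 2017 [3113]: svc=N_svc protocol= not found, denied by default
Thu Nov  9 21:23:25 2017 [3113]: authorization query for 'iqbala' login from 192.168.1.100 rejected
Fri Nov 10 00:09:45 2017 [27619]: Start authorization request
Fri Nov 10 00:09:45 2017 [27619]: do_author: user='iqbala'
Fri Nov 10 00:09:45 2017 [27619]: user 'iqbala' found
Fri Nov 10 00:09:45 2017 [27619]: svc=N_svc protocol= svcname=arbor not found, permitted by default
Fri Nov 10 00:09:45 2017 [27619]: authorization query for 'iqbala' login from 192.168.1.100 accepted
Fri Nov 10 00:42:50 2017 [29114]: Start authorization request
Fri Nov 10 00:42:50 2017 [29114]: do_author: user='iqbala'
Fri Nov 10 00:42:50 2017 [29114]: user 'iqbala' found
Fri Nov 10 00:42:50 2017 [29114]: nas:service=arbor (passed thru)
Fri Nov 10 00:42:50 2017 [29114]: nas:absent, server:arbor_group=arbor_admin -> add arbor_group=arbor_admin (k)
Fri Nov 10 00:42:50 2017 [29114]: added 1 args
Fri Nov 10 00:42:50 2017 [29114]: 1 output args
Fri Nov 10 00:42:50 2017 [29114]: authorization query for 'iqbala' login from 192.168.1.100 accepted
"""

LINE_RE = re.compile(r"^(?P<ts>.+?) \[(?P<pid>\d+)\]: (?P<msg>.*)$")
USER_RE = re.compile(r"^do_author: user='(?P<user>[^']*)'")
NAS_SVC_RE = re.compile(r"^nas:service=(?P<svc>\S+)")
SVCNAME_RE = re.compile(r"svcname=(?P<svc>\S+)")
DEFAULT_RE = re.compile(r"not found, (?P<verdict>permitted|denied) by default")
ADD_RE = re.compile(r"-> add (?P<attr>\S+=\S+)")
RESULT_RE = re.compile(
    r"^authorization query for '(?P<user>[^']*)' .* from (?P<nas>\S+) (?P<result>accepted|rejected)$"
)


@dataclass
class AuthzSession:
    """One authorization request, keyed by the tac_plus child pid (example's own type)."""
    pid: str
    user: Optional[str] = None
    nas: Optional[str] = None
    service: Optional[str] = None
    decided_by: Optional[str] = None        # "match" (service stanza hit) or "default"
    attrs_added: List[str] = field(default_factory=list)
    result: Optional[str] = None            # "accepted" or "rejected"

    @property
    def default_permit(self) -> bool:
        # Accepted solely because of `default service = permit`: nothing was matched or returned.
        return self.result == "accepted" and self.decided_by == "default"


def parse_authz_sessions(log_text: str) -> List[AuthzSession]:
    """Group debug lines per pid and extract the authorization decision for each request."""
    sessions: Dict[str, AuthzSession] = {}
    order: List[str] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if msg == "Start authorization request":
            sessions[pid] = AuthzSession(pid=pid)
            order.append(pid)
            continue
        s = sessions.get(pid)
        if s is None:
            continue                         # authentication child or unrelated line
        if (u := USER_RE.match(msg)):
            s.user = u.group("user")
        elif (n := NAS_SVC_RE.match(msg)):
            s.service = n.group("svc")       # service name the NAS sent, echoed by tac_plus
        elif DEFAULT_RE.search(msg):
            sv = SVCNAME_RE.search(msg)      # only present at higher debug levels
            s.service = sv.group("svc") if sv else s.service
            s.decided_by = "default"
        elif (a := ADD_RE.search(msg)):
            s.attrs_added.append(a.group("attr"))
            s.decided_by = "match"
        elif (r := RESULT_RE.match(msg)):
            s.nas = r.group("nas")
            s.result = r.group("result")
    return [sessions[p] for p in order]


def default_permit_findings(sessions: List[AuthzSession]) -> List[str]:
    """One finding per request that was accepted only through the default-permit fallthrough."""
    return [
        f"pid {s.pid}: user {s.user!r} from {s.nas} got service {s.service or '<unknown>'} "
        f"permitted by default; no server attributes returned"
        for s in sessions if s.default_permit
    ]


if __name__ == "__main__":
    found = parse_authz_sessions(SAMPLE_LOG)
    for s in found:
        print(s.pid, s.user, s.service, s.decided_by, s.attrs_added, s.result)
    for finding in default_permit_findings(found):
        print("WARNING:", finding)
```

Run it against a real tac_plus debug log (the `-d` levels used in the thread) while a device is exercising its privileged commands: every WARNING is a service stanza still missing from the config, and a device that relies on returned attributes, as Arbor does with arbor_group, will not get them from a default permit even though the log says "accepted".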