From vyasraj at gmail.com Fri Dec 14 07:28:25 2018
From: vyasraj at gmail.com (Vyasraj (ವ್ಯಾಸರಾಜ))
Date: Fri, 14 Dec 2018 12:58:25 +0530
Subject: [tac_plus] tacacs+ for console logins
Message-ID:

Hello there,

First of all, thanks a lot for helping us in setting up tacacs access in our systems.

We have enabled tacacs access to our server with 3 tacacs server details:

auth [success=done default=bad authinfo_unavail=bad ignore=ignore] /lib/security/pam_tacplus.so server=1.1.1.1 secret=test1234 debug
account [success=done default=bad ignore=ignore] /lib/security/pam_tacplus.so server=192.168.5.10 secret=test1234 service=test protocol=ssh debug
auth [success=done default=bad authinfo_unavail=bad ignore=ignore] /lib/security/pam_tacplus.so server=2.2.2.2 secret=test 111 debug
account [success=done default=bad ignore=ignore] /lib/security/pam_tacplus.so server=2.2.2.2 secret=test 111 service=test protocol=ssh debug
auth [success=done default=bad authinfo_unavail=bad ignore=ignore] /lib/security/pam_tacplus.so server=3.3.3.3 secret=test 222 debug
account [success=done default=bad ignore=ignore] /lib/security/pam_tacplus.so server=3.3.3.3 secret=test 222 service=test protocol=ssh debug
auth [success=done default=bad authinfo_unavail=bad ignore=ignore] /lib/security/pam_tacplus.so server=4.4.4.4 secret=test 333 debug
account [success=done default=bad ignore=ignore] /lib/security/pam_tacplus.so server=4.4.4.4 secret=test 333 service=test protocol=ssh debug

For sshd, all the servers are tried one after the other and login falls back to local.
When we log in through the serial console, it's observed that for each tacacs+ server we need to enter the password. Hence for 4 servers in the file, we end up entering the password 4 times.

Is there a way we can overcome this and make the behaviour similar to that of sshd?

Thanks
Vyasraj
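Added example for the question above (not from either poster and not pam_tacplus's own documentation): the same four servers written as one auth line and one account line, so a console login runs a single pam_tacplus password conversation and the module, rather than the PAM stack, walks the server list. It assumes the installed pam_tacplus accepts repeated server= options with each secret= bound to the server(s) listed just before it, as the upstream module does; the secrets are placeholders, and the backslash continuation is Linux-PAM syntax.

```text
# /etc/pam.d/login (serial console) -- added example, not the poster's config.
# One pam_tacplus invocation that knows every server replaces four stacked
# invocations that each prompt for the password on a real tty.
#
# Assumption: this pam_tacplus build accepts repeated server= options and
# binds a secret= to the preceding server(s) that have no secret yet
# (upstream behaviour; confirm in the README shipped with your version).
# The module tries the servers in order and only returns "authinfo_unavail"
# when none of them answered, so "authinfo_unavail=bad" now means "all four
# servers down", not "the first server down".
#
# Note: files in /etc/pam.d are normally mode 0644, so every local user can
# read the shared secrets written here; treat them as low-trust secrets.

auth    [success=done default=bad authinfo_unavail=bad ignore=ignore] \
        /lib/security/pam_tacplus.so \
        server=1.1.1.1 secret=SECRET_1 \
        server=2.2.2.2 secret=SECRET_2 \
        server=3.3.3.3 secret=SECRET_3 \
        server=4.4.4.4 secret=SECRET_4 \
        debug

# Same server list for the account phase; service/protocol are the values
# the poster already sends (protocol=ssh is what the poster used; a console
# login may want a different protocol value, which the TACACS+ server
# configuration decides).
account [success=done default=bad ignore=ignore] \
        /lib/security/pam_tacplus.so \
        server=1.1.1.1 secret=SECRET_1 \
        server=2.2.2.2 secret=SECRET_2 \
        server=3.3.3.3 secret=SECRET_3 \
        server=4.4.4.4 secret=SECRET_4 \
        service=test protocol=ssh debug
```

With the module's debug option still set, the syslog output shows which server answered, which is the quickest check that the single-line form actually fails over as intended.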
From heas at shrubbery.net Fri Dec 14 21:01:24 2018
From: heas at shrubbery.net (heasley)
Date: Fri, 14 Dec 2018 21:01:24 +0000
Subject: [tac_plus] tacacs+ for console logins
In-Reply-To:
References:
Message-ID: <20181214210124.GB99222@shrubbery.net>

Fri, Dec 14, 2018 at 12:58:25PM +0530, Vyasraj (ವ್ಯಾಸರಾಜ):
> Hello there,
>
> First of all, thanks a lot for helping us in setting up tacacs access in our systems.
>
> We have enabled tacacs access to our server with 3 tacacs server details:
>
> auth [success=done default=bad authinfo_unavail=bad ignore=ignore] /lib/security/pam_tacplus.so server=1.1.1.1 secret=test1234 debug
> account [success=done default=bad ignore=ignore] /lib/security/pam_tacplus.so server=192.168.5.10 secret=test1234 service=test protocol=ssh debug

these all look like the same lines. i do not know, but expect that you want 2 lines that have both primary and backup servers specified - if that pam module is capable of that.

> auth [success=done default=bad authinfo_unavail=bad ignore=ignore] /lib/security/pam_tacplus.so server=2.2.2.2 secret=test 111 debug
> account [success=done default=bad ignore=ignore] /lib/security/pam_tacplus.so server=2.2.2.2 secret=test 111 service=test protocol=ssh debug
> auth [success=done default=bad authinfo_unavail=bad ignore=ignore] /lib/security/pam_tacplus.so server=3.3.3.3 secret=test 222 debug
> account [success=done default=bad ignore=ignore] /lib/security/pam_tacplus.so server=3.3.3.3 secret=test 222 service=test protocol=ssh debug
> auth [success=done default=bad authinfo_unavail=bad ignore=ignore] /lib/security/pam_tacplus.so server=4.4.4.4 secret=test 333 debug
> account [success=done default=bad ignore=ignore] /lib/security/pam_tacplus.so server=4.4.4.4 secret=test 333 service=test protocol=ssh debug
>
> For sshd, all the servers are tried one after the other and login falls back to local.
> When we log in through the serial console, it's observed that for each tacacs+ server we need to enter the password. Hence for 4 servers in the file, we end up entering the password 4 times.
>
> Is there a way we can overcome this and make the behaviour similar to that of sshd?
>
> Thanks
> Vyasraj

From tkwak at verisign.com Tue Dec 18 20:09:52 2018
From: tkwak at verisign.com (Kwak, Tony)
Date: Tue, 18 Dec 2018 20:09:52 +0000
Subject: [tac_plus] Vendor Specific Attributes for Palo Alto Networks firewall
Message-ID: <0CF25038-3DB7-47B4-87FA-23B5D653988E@verisign.com>

Hi,

I'm trying to set up tacacs authentication on a Palo Alto Networks firewall and need assistance configuring vendor specific attributes on Shrubbery tacacs+.
Is there a pre-defined VSA for Palo Alto Networks devices on the Shrubbery tacacs+ server?

Thank you

Tony (Seok Ho) Kwak
Network Engineer
tkwak at verisign.com
o: 703-948-3958 m: 571-230-2628
12061 Bluemont Way Reston, VA 20190
VerisignInc.com
From heas at shrubbery.net Wed Dec 19 22:07:14 2018
From: heas at shrubbery.net (heasley)
Date: Wed, 19 Dec 2018 22:07:14 +0000
Subject: [tac_plus] Vendor Specific Attributes for Palo Alto Networks firewall
In-Reply-To: <0CF25038-3DB7-47B4-87FA-23B5D653988E@verisign.com>
References: <0CF25038-3DB7-47B4-87FA-23B5D653988E@verisign.com>
Message-ID: <20181219220714.GG60699@shrubbery.net>

Tue, Dec 18, 2018 at 08:09:52PM +0000, Kwak, Tony:
> Hi,
>
> I'm trying to set up tacacs authentication on a Palo Alto Networks firewall and need assistance configuring vendor specific attributes on Shrubbery tacacs+.
> Is there a pre-defined VSA for Palo Alto Networks devices on the Shrubbery tacacs+ server?

i have no experience with palo alto devices, but vendor specific attributes are just attribute value pairs (AVPs) and typically sent with the optional keyword so that other devices can ignore them.
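Added example of the "optional AVP" form described in the reply above, written as a tac_plus.conf fragment (not from the thread and not tested against a PAN-OS device). The service name PAN, the attribute name PaloAlto-Admin-Role and the role values are the vendor-documented names as I recall them, so treat them as assumptions and confirm them against the authorization request the firewall actually sends; running tac_plus with its -d debugging option logs the service and attributes in each request.

```text
# tac_plus.conf fragment -- added example, not from the thread.
# Assumptions to verify in the tac_plus debug log: the firewall requests
# service "PAN" and reads the PaloAlto-Admin-Role attribute; "superreader"
# and "superuser" are PAN-OS built-in dynamic role names.

# Read-only by default: every member of this group gets superreader.
group = pan_readonly {
    service = PAN {
        # "optional" marks the pair as advisory: a device that does not
        # understand the attribute can ignore it instead of failing the
        # authorization, which is the point heasley makes above.
        optional PaloAlto-Admin-Role = "superreader"
    }
}

# Full administrative rights live in a separate, deliberately small group.
group = pan_admins {
    service = PAN {
        optional PaloAlto-Admin-Role = "superuser"
    }
}

# Example user (placeholder name). Authentication (login = ...) is
# configured elsewhere; this fragment only covers authorization.
user = jdoe {
    member = pan_readonly
}
```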