From Pontus.Zoladz at bahnhof.net Fri Jan 26 10:15:01 2018
From: Pontus.Zoladz at bahnhof.net (Pontus Zoladz)
Date: Fri, 26 Jan 2018 10:15:01 +0000
Subject: [tac_plus] Authorization problems
Message-ID: <259211dcef894fe297dc47041f5ca901@ste-exc1.internal.bahnhof.net>

Hi!

I have set up a tac_plus server to authorize certain users to run show commands on a Cisco ASA running 9.9.

My configuration looks like the following:

group = read-only {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

user = bob {
    login = des $1$VF$kBGTjygux4xckHjGUSSwd1
    service = shell { priv-lvl=5 }
    cmd = show { permit .* }
    member = read-only
}

However, in the logs, I can see this:

Fri Jan 26 11:09:08 2018 [31706]: Start authorization request
Fri Jan 26 11:09:08 2018 [31706]: do_author: user='enable_15'
Fri Jan 26 11:09:08 2018 [31706]: user 'enable_15' found
Fri Jan 26 11:09:08 2018 [31706]: authorize_cmd: user=enable_15, cmd=show
Fri Jan 26 11:09:08 2018 [31706]: cmd show does not exist, denied by default

Why is this?

From heas at shrubbery.net Sat Jan 27 16:31:20 2018
From: heas at shrubbery.net (heasley)
Date: Sat, 27 Jan 2018 16:31:20 +0000
Subject: [tac_plus] Authorization problems
In-Reply-To: <259211dcef894fe297dc47041f5ca901@ste-exc1.internal.bahnhof.net>
References: <259211dcef894fe297dc47041f5ca901@ste-exc1.internal.bahnhof.net>
Message-ID: <20180127163120.GD16976@shrubbery.net>

Fri, Jan 26, 2018 at 10:15:01AM +0000, Pontus Zoladz:
> Hi!
>
> I have set up a tac_plus server to authorize certain users to run show commands on a Cisco ASA running 9.9.
>
> My configuration looks like the following:
>
> group = read-only {
>     default service = permit
>     service = exec {
>         priv-lvl = 15
>     }
> }
>
> user = bob {
>     login = des $1$VF$kBGTjygux4xckHjGUSSwd1
>     service = shell { priv-lvl=5 }
>     cmd = show { permit .* }
>     member = read-only
> }
>
> However, in the logs, I can see this:
>
> Fri Jan 26 11:09:08 2018 [31706]: Start authorization request
> Fri Jan 26 11:09:08 2018 [31706]: do_author: user='enable_15'
> Fri Jan 26 11:09:08 2018 [31706]: user 'enable_15' found
> Fri Jan 26 11:09:08 2018 [31706]: authorize_cmd: user=enable_15, cmd=show
> Fri Jan 26 11:09:08 2018 [31706]: cmd show does not exist, denied by default
>
> Why is this?

Using the enable user for authorization seems odd and I suspect is an ASA bug, but it's been so long since I've needed to debug such things. Can you compare this to an IOS device?
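To make the logged denial concrete, here is an added Python model of the command-authorization lookup tac_plus performs (not code from tac_plus or from either poster): it searches the user and then its groups for a cmd block, and otherwise falls back to default service. The read-only and bob records follow the config in the thread; the enable_15 record is an assumption, since the thread never shows how that user is defined on the server.

```python
import re

# cmd blocks map a command name to ordered (verdict, regex) clauses.
# The 'enable_15' record is ASSUMED; the thread never shows its definition.
GROUPS = {
    "read-only": {"default_permit": True, "cmds": {}, "member": None},
}
USERS = {
    "bob": {"default_permit": False,
            "cmds": {"show": [("permit", ".*")]},
            "member": "read-only"},
    "enable_15": {"default_permit": False, "cmds": {}, "member": None},
}


def _chain(name):
    """Yield the user record, then each enclosing group, outward."""
    rec = USERS.get(name) or GROUPS.get(name)
    while rec is not None:
        yield rec
        rec = GROUPS.get(rec["member"]) if rec["member"] else None


def find_cmd_block(name, cmd):
    """First 'cmd = <cmd>' block found on the user or an enclosing group."""
    for rec in _chain(name):
        if cmd in rec["cmds"]:
            return rec["cmds"][cmd]
    return None


def default_permitted(name):
    """'default service = permit' is inherited through group membership."""
    return any(rec["default_permit"] for rec in _chain(name))


def authorize_cmd(user, cmd, args=""):
    """Return (verdict, reason) phrased like the daemon's log lines."""
    if user not in USERS:
        return "deny", f"user '{user}' not found"
    block = find_cmd_block(user, cmd)
    if block is None:
        if default_permitted(user):
            return "permit", f"cmd {cmd} does not exist, permitted by default"
        return "deny", f"cmd {cmd} does not exist, denied by default"
    for verdict, pattern in block:
        if re.search(pattern, args):
            return verdict, f"cmd {cmd} {args} matched '{pattern}'"
    return "deny", f"cmd {cmd} {args} matched no clause, denied"
```

The model also shows a side effect of the posted config worth checking: because bob inherits default service = permit from the read-only group, any command that has no cmd block of its own is permitted for bob as well.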