[tac_plus] Authorization problems
heasley
heas at shrubbery.net
Sat Jan 27 16:31:20 UTC 2018
Fri, Jan 26, 2018 at 10:15:01AM +0000, Pontus Zoladz:
> Hi!
>
> I have set up a tac_plus server to authorize certain users to run show commands on a Cisco ASA running 9.9.
>
> My configuration looks like the following:
> group = read-only {
>     default service = permit
>     service = exec {
>         priv-lvl = 15
>     }
> }
>
> user = bob {
>     login = des $1$VF$kBGTjygux4xckHjGUSSwd1
>     service = shell { priv-lvl = 5 }
>     cmd = show { permit .* }
>     member = read-only
> }
>
> However, in the logs, I can see this:
> Fri Jan 26 11:09:08 2018 [31706]: Start authorization request
> Fri Jan 26 11:09:08 2018 [31706]: do_author: user='enable_15'
> Fri Jan 26 11:09:08 2018 [31706]: user 'enable_15' found
> Fri Jan 26 11:09:08 2018 [31706]: authorize_cmd: user=enable_15, cmd=show
> Fri Jan 26 11:09:08 2018 [31706]: cmd show does not exist, denied by default
>
> Why is this?
Using the enable user for authorization seems odd and I suspect it is an ASA bug,
but it has been so long since I've needed to debug such things. Can you compare
this to an IOS device?
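A small check that makes the mismatch in the quoted log easy to spot in bulk: the following Python script is an added example for this thread, not tac_plus code. It parses tac_plus authorization log lines of the shape quoted above (timestamp, child pid in brackets, message), pairs each `authorize_cmd:` line with the deny/permit line of the same pid, and flags any authorization whose user is a synthetic `enable_<N>` name rather than the login user. The sample log is constructed: the first session copies the quoted excerpt, and the second session (user `bob`, a `permitted` line) is made up to show what a normal session looks like.

```python
"""Parse tac_plus authorization log lines and flag command authorizations
that arrive under an enable_<N> pseudo-user instead of the login user.

Added example for this mailing-list thread; not part of tac_plus.
"""
import re
from typing import Dict, List

# Constructed sample log. The first five lines mirror the excerpt quoted in
# the question; the second session (pid 31710, user 'bob', 'permitted') is
# made up to show a normal authorization under the login user.
SAMPLE_LOG = """\
Fri Jan 26 11:09:08 2018 [31706]: Start authorization request
Fri Jan 26 11:09:08 2018 [31706]: do_author: user='enable_15'
Fri Jan 26 11:09:08 2018 [31706]: user 'enable_15' found
Fri Jan 26 11:09:08 2018 [31706]: authorize_cmd: user=enable_15, cmd=show
Fri Jan 26 11:09:08 2018 [31706]: cmd show does not exist, denied by default
Fri Jan 26 11:10:31 2018 [31710]: Start authorization request
Fri Jan 26 11:10:31 2018 [31710]: do_author: user='bob'
Fri Jan 26 11:10:31 2018 [31710]: user 'bob' found
Fri Jan 26 11:10:31 2018 [31710]: authorize_cmd: user=bob, cmd=show
Fri Jan 26 11:10:31 2018 [31710]: cmd show permitted
"""

# "<timestamp> [<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>.+?) \[(?P<pid>\d+)\]: (?P<msg>.*)$")
# "authorize_cmd: user=<user>, cmd=<cmd>"
AUTHZ_RE = re.compile(r"^authorize_cmd: user=(?P<user>\S+), cmd=(?P<cmd>\S+)$")
# Synthetic user name the device sends for enable-level authorization.
ENABLE_USER_RE = re.compile(r"^enable_(?P<lvl>\d+)$")


def parse_authorizations(log_text: str) -> List[Dict[str, str]]:
    """Return one record per authorize_cmd line: pid, user, cmd and the
    decision ('deny', 'permit' or 'unknown') taken from the next
    denied/permitted line logged by the same child pid."""
    pending: Dict[str, Dict[str, str]] = {}
    records: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a tac_plus log line; ignore
        pid, msg = m.group("pid"), m.group("msg")
        a = AUTHZ_RE.match(msg)
        if a:
            rec = {"pid": pid, "user": a.group("user"),
                   "cmd": a.group("cmd"), "decision": "unknown"}
            pending[pid] = rec
            records.append(rec)
            continue
        if pid in pending:
            if "denied" in msg:
                pending.pop(pid)["decision"] = "deny"
            elif "permitted" in msg:
                pending.pop(pid)["decision"] = "permit"
    return records


def flag_enable_user_authz(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Records whose authorizing user is enable_<N>. Per-user cmd rules are
    keyed on the login user, so a request under this pseudo-user cannot
    match them; that is the situation in the quoted log."""
    return [r for r in records if ENABLE_USER_RE.match(r["user"])]


if __name__ == "__main__":
    recs = parse_authorizations(SAMPLE_LOG)
    for r in recs:
        print(f"pid={r['pid']} user={r['user']} cmd={r['cmd']} -> {r['decision']}")
    for r in flag_enable_user_authz(recs):
        print(f"WARNING: pid {r['pid']} authorized '{r['cmd']}' as "
              f"{r['user']}, not as the login user")
```

Run it against a real tac_plus log (`python3 script.py < /var/log/tac_plus.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) to see whether every denial comes from an `enable_<N>` session, which is what the comparison against an IOS device would also show.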