From 83358066 at qq.com Sat Mar 17 05:42:05 2018
From: 83358066 at qq.com (83358066)
Date: Sat, 17 Mar 2018 13:42:05 +0800
Subject: [tac_plus] Need your help
Message-ID:

Hi Dear Shrubbery,

Thank you very much for your contributions to the excellent TACACS+ tools. Currently we plan to test TACACS+ to manage a Brocade SAN switch; most of the functions are working well and are very powerful, but on one point we still have an issue. Would you kindly help to provide some advice? Thanks in advance.

The question we have is that we defined groups and users; for example, I want to forbid the users in the group usergroup from running the explicit command "reboot". As we know, the Brocade FOS command mode is not the same as Cisco's. We found the setting was not in effect and the command "reboot" can still be run after the user has been authorized by the tac_plus server daemon. So would you kindly let me know how I can configure it so that an explicit command like "reboot" is forbidden from being executed, and takes effect? Thanks for your support!

Our setting for the tac_plus config is as follows:

    group = usergroup {
        default service = permit
        login = file /etc/passwd
        enable = file /etc/passwd
        cmd = reboot {
            deny .*
        }
    }

    user = stuser {
        member = usergroup
        login = file /etc/passwd
        service = exec {
            brcd-role = Admin
            brcd-AV-Pair1 = "homeLF=128;LFRoleList=1-128"
            brcd-AV-Pair2 = "chassisRole=switchadmin"
        }
    }

From 83358066 at qq.com Mon Mar 19 15:33:29 2018
From: 83358066 at qq.com (83358066)
Date: Mon, 19 Mar 2018 23:33:05 +0800
Subject: [tac_plus] Need your help
In-Reply-To:
References:
Message-ID:

Hi Daniel,

Thanks for the quick update. Please excuse me for taking the liberty of writing to you. I checked the Brocade FOS administrator guide and can confirm that from FOS 7.1.x Brocade FOS began to support TACACS+. Through the results of testing in the lab I found it works well.

During the test, I configured the file "tac_plus.conf" and tried to forbid some commands ("reboot", for example) from running for users in an explicit group, but it had no effect. So I'm taking the liberty of writing to you to ask if you have some experience in this area, or would you kindly help to provide some advice.

Best regards

----------------- Original ------------------
From: "Daniel Schmidt"
Send time: Monday, Mar 19, 2018 10:49 PM
To: "83358066" <83358066 at qq.com>
Cc: "tac_plus"
Subject: Re: [tac_plus] Need your help

Are Brocade FOS switches capable of authorization?

_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo/tac_plus

E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.

From daniel.schmidt at wyo.gov Mon Mar 19 14:49:41 2018
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Mon, 19 Mar 2018 08:49:41 -0600
Subject: [tac_plus] Need your help
In-Reply-To:
References:
Message-ID:

Are Brocade FOS switches capable of authorization?

On Fri, Mar 16, 2018 at 11:42 PM, 83358066 <83358066 at qq.com> wrote:
> Hi Dear Shrubbery,
>
> Thank you very much for your contributions to the excellent TACACS+ tools.
> Currently we plan to test TACACS+ to manage a Brocade SAN switch; most of
> the functions are working well and are very powerful, but on one point we
> still have an issue. Would you kindly help to provide some advice? Thanks
> in advance.
>
> The question we have is that we defined groups and users; for example, I
> want to forbid the users in the group usergroup from running the explicit
> command "reboot". As we know, the Brocade FOS command mode is not the same
> as Cisco's. We found the setting was not in effect and the command "reboot"
> can still be run after the user has been authorized by the tac_plus server
> daemon. So would you kindly let me know how I can configure it so that an
> explicit command like "reboot" is forbidden from being executed, and takes
> effect? Thanks for your support!
>
> Our setting for the tac_plus config is as follows:
>
>     group = usergroup {
>         default service = permit
>         login = file /etc/passwd
>         enable = file /etc/passwd
>         cmd = reboot {
>             deny .*
>         }
>     }
>
>     user = stuser {
>         member = usergroup
>         login = file /etc/passwd
>         service = exec {
>             brcd-role = Admin
>             brcd-AV-Pair1 = "homeLF=128;LFRoleList=1-128"
>             brcd-AV-Pair2 = "chassisRole=switchadmin"
>         }
>     }

From daniel.schmidt at wyo.gov Mon Mar 19 21:15:07 2018
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Mon, 19 Mar 2018 15:15:07 -0600
Subject: [tac_plus] Need your help
In-Reply-To:
References:
Message-ID:

But not authorization. Look under "Role-Based Access Control".

On Mon, Mar 19, 2018 at 9:33 AM, 83358066 <83358066 at qq.com> wrote:
> Hi Daniel,
>
> Thanks for the quick update. Please excuse me for taking the liberty of
> writing to you. I checked the Brocade FOS administrator guide and can
> confirm that from FOS 7.1.x Brocade FOS began to support TACACS+. Through
> the results of testing in the lab I found it works well.
>
> During the test, I configured the file "tac_plus.conf" and tried to forbid
> some commands ("reboot", for example) from running for users in an explicit
> group, but it had no effect. So I'm taking the liberty of writing to you to
> ask if you have some experience in this area, or would you kindly help to
> provide some advice.
>
> Best regards
>
> ----------------- Original ------------------
> From: "Daniel Schmidt"
> Send time: Monday, Mar 19, 2018 10:49 PM
> To: "83358066" <83358066 at qq.com>
> Cc: "tac_plus"
> Subject: Re: [tac_plus] Need your help
>
> Are Brocade FOS switches capable of authorization?

From john at op-sec.us Mon Mar 19 21:21:51 2018
From: john at op-sec.us (John Fraizer)
Date: Mon, 19 Mar 2018 14:21:51 -0700
Subject: [tac_plus] Need your help
In-Reply-To:
References:
Message-ID:

It is likely that one of two things is causing the 'reboot' command to succeed even though you have it forbidden in your tac_plus config.

(1) The TACACS+ implementation on your Brocade devices is not sending command authorization requests and is only doing login authorization.

(2) Another possibility is that the Brocade does RBAC. This can make things a bit more difficult, but it's not a show-stopper. At least with JUNOS, you can do some very fancy things using AV-PAIRS. It is much easier to use an "after authorization" script like do_auth.py. See http://www.shrubbery.net/pipermail/tac_plus/2015-April/001622.html for a detailed example.

Note: With RBAC, once a user has logged in and the AV-PAIRS have been passed to the device, it will never ask permission for anything else for the duration of that login session. So, if you are tinkering with your tac_plus/do_auth config and not seeing changes in device behavior, remember that you need to log out and then back in to get the new AV-PAIRS.

--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/

On Mon, Mar 19, 2018 at 8:33 AM, 83358066 <83358066 at qq.com> wrote:
> During the test, I configured the file "tac_plus.conf" and tried to forbid
> some commands ("reboot", for example) from running for users in an explicit
> group, but it had no effect. So I'm taking the liberty of writing to you to
> ask if you have some experience in this area, or would you kindly help to
> provide some advice.

From bferrell at baywinds.org Mon Mar 19 23:35:18 2018
From: bferrell at baywinds.org (Bruce Ferrell)
Date: Mon, 19 Mar 2018 16:35:18 -0700
Subject: [tac_plus] Need your help
In-Reply-To:
References:
Message-ID: <9e1efde8-0e68-5eb6-edaf-29efd19df704@baywinds.org>

Daniel,

What I do to troubleshoot this type of issue is to use tcpdump and capture the TACACS connection data to a file.

Yes, I know, the transaction is encrypted. Since you control both ends and possess the shared secret, you can feed that into Wireshark. Under Preferences/Protocols, locate TACACS+. One of the options allows you to store the shared secret... Now you can see the transaction in Wireshark.

regards

On 03/19/2018 07:49 AM, Daniel Schmidt wrote:
> Are Brocade FOS switches capable of authorization?
>
> On Fri, Mar 16, 2018 at 11:42 PM, 83358066 <83358066 at qq.com> wrote:
>> Hi Dear Shrubbery
>> [...]

From daniel.schmidt at wyo.gov Tue Mar 20 17:46:36 2018
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Tue, 20 Mar 2018 11:46:36 -0600
Subject: [tac_plus] Need your help
In-Reply-To: <9e1efde8-0e68-5eb6-edaf-29efd19df704@baywinds.org>
References: <9e1efde8-0e68-5eb6-edaf-29efd19df704@baywinds.org>
Message-ID:

tac_plus can be run with -d 8 to debug authorization.

On Mon, Mar 19, 2018 at 5:35 PM, Bruce Ferrell wrote:
> Daniel,
>
> What I do to troubleshoot this type of issue is to use tcpdump and
> capture the TACACS connection data to a file.
>
> Yes, I know, the transaction is encrypted. Since you control both ends
> and possess the shared secret, you can feed that into Wireshark. Under
> Preferences/Protocols, locate TACACS+. One of the options allows you to
> store the shared secret... Now you can see the transaction in Wireshark.
>
> regards
>
> On 03/19/2018 07:49 AM, Daniel Schmidt wrote:
>> Are Brocade FOS switches capable of authorization?

From 83358066 at qq.com Fri Mar 23 06:20:31 2018
From: 83358066 at qq.com (83358066)
Date: Fri, 23 Mar 2018 14:20:31 +0800
Subject: [tac_plus] Need your help
In-Reply-To:
References:
Message-ID:

Hi Daniel,

I definitely agree with you on using Role-Based Access Control, and I'm sure the Role-Based Access Control is in effect for access to the SAN switch. What I want to achieve, on the basis of the RBAC, is this: how can we forbid a specific command from being run?

    user = stuser {
        member = usergroup
        login = file /etc/passwd
        service = exec {
            brcd-role = Admin
            brcd-AV-Pair1 = "homeLF=128;LFRoleList=1-128"
            brcd-AV-Pair2 = "chassisRole=switchadmin"
        }
    }

------------------ Original ------------------
From: "Daniel Schmidt"
Send time: Tuesday, Mar 20, 2018 5:15 AM
To: "83358066" <83358066 at qq.com>
Cc: "tac_plus"
Subject: Re: [tac_plus] Need your help

But not authorization. Look under "Role-Based Access Control".

From heas at shrubbery.net Mon Mar 26 07:02:06 2018
From: heas at shrubbery.net (heasley)
Date: Mon, 26 Mar 2018 07:02:06 +0000
Subject: [tac_plus] Questions regarding tacacs+ server config file
In-Reply-To: <6F5FD4865E5F40BE97F1A729E3AEE775@stpmydc.in>
References: <5EE5E9460336453AA2B0C27D31504921@stpmydc.in> <20180324092122.GD37614@shrubbery.net> <6F5FD4865E5F40BE97F1A729E3AEE775@stpmydc.in>
Message-ID: <20180326070206.GA6246@shrubbery.net>

Mon, Mar 26, 2018 at 10:18:52AM +0530, veerabhadra:
> Hi,
>
> Can I use a "single" tac_plus.conf file to load configuration to
> authenticate Cisco and Juniper devices at the same time?

yes.

> If yes, can I have a template of the configuration file, please.
>
> I have a network with Cisco and Juniper devices and am looking to
> authenticate users of both devices using a single TACACS server and
> a single config file.

the distribution and installation provide a tac_plus.conf.sample file which has an example for nearly all configuration syntax.
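Bruce Ferrell's suggestion in the Brocade thread above (capture the TACACS+ session with tcpdump, then let Wireshark strip the obfuscation using the shared secret) can be reproduced in a few lines, which is handy when you want to scan a capture for whether the switch ever sends a per-command authorization request at all. The following is an added example, not code from tac_plus or Wireshark; KEY, the session id, the user and the AV pairs are constructed for illustration. It builds one TACACS+ authorization REQUEST the way a NAS doing command authorization would, obfuscates the body with the MD5 pseudo-pad of RFC 8907 section 4.5, and decodes it again with the secret:

```python
"""
Decode a captured TACACS+ authorization REQUEST with the shared secret.

Added example, not code from tac_plus or Wireshark.  The body obfuscation is
the MD5 pseudo-pad of RFC 8907 section 4.5; the packet is constructed inline
(KEY and SAMPLE are assumptions) so the script runs offline.
"""
import hashlib
import struct

HDR_FMT = "!BBBBII"                 # version, type, seq_no, flags, session_id, length
HDR_LEN = struct.calcsize(HDR_FMT)  # 12 bytes
TAC_PLUS_AUTHOR = 0x02              # packet type: authorization
FLAG_UNENCRYPTED = 0x01             # TAC_PLUS_UNENCRYPTED_FLAG
AUTHEN_METH_TACACSPLUS = 0x06
AUTHEN_TYPE_ASCII = 0x01
AUTHEN_SVC_LOGIN = 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(..., MD5_n-1)."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """XOR with the pad; the same call obfuscates and de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_request(session_id, key, user, port, rem_addr, args,
                         seq_no=1, version=0xC0, priv_lvl=15):
    """Construct an authorization REQUEST: 12-byte header + obfuscated body."""
    body = struct.pack("!8B", AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII,
                       AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(args))
    body += bytes(len(a) for a in args)          # arg_N_len fields
    body += user + port + rem_addr + b"".join(args)
    header = struct.pack(HDR_FMT, version, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, version, seq_no)


def decode_author_request(packet, key):
    """Parse the header, remove the pad with the shared secret, unpack the REQUEST body."""
    if len(packet) < HDR_LEN:
        raise ValueError("short packet")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HDR_FMT, packet[:HDR_LEN])
    body = packet[HDR_LEN:HDR_LEN + length]
    if len(body) != length or length < 8:
        raise ValueError("truncated body")
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError("not an authorization packet: type 0x%02x" % ptype)
    if not flags & FLAG_UNENCRYPTED:
        body = xor_body(body, session_id, key, version, seq_no)
    _meth, priv, _atype, _svc, ulen, plen, rlen, argc = struct.unpack("!8B", body[:8])
    off = 8 + argc
    fields = []
    for n in (ulen, plen, rlen, *body[8:off]):   # user, port, rem_addr, then each arg
        fields.append(body[off:off + n])
        off += n
    # With the wrong secret the length bytes are noise and the total almost
    # never lands exactly on the body length.
    if off != len(body):
        raise ValueError("length mismatch: wrong shared secret or corrupt packet")
    user, port, rem_addr, *args = fields
    return {"session_id": session_id, "seq_no": seq_no, "priv_lvl": priv,
            "user": user.decode("ascii"), "port": port.decode("ascii"),
            "rem_addr": rem_addr.decode("ascii"),
            "args": [a.decode("ascii") for a in args]}


def decode_or_none(packet, key):
    """Report an undecodable packet (typically a wrong secret) as None."""
    try:
        return decode_author_request(packet, key)
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed sample: what a NAS doing per-command authorization sends when a
# user types "reboot".  If the device only does RBAC, nothing like this ever
# appears on the wire and a "cmd = reboot { deny .* }" stanza is never consulted.
KEY = b"example-shared-secret"              # assumption: the key on both ends
SAMPLE = build_author_request(
    session_id=0x1A2B3C4D, key=KEY, user=b"stuser", port=b"tty0",
    rem_addr=b"192.0.2.10", args=[b"service=shell", b"cmd=reboot"])

if __name__ == "__main__":
    print(decode_author_request(SAMPLE, KEY))
```

Run it against a real capture by feeding each TCP payload to decode_or_none with the device's secret; a packet that decodes with the wrong secret is extremely unlikely because the length fields stop adding up. If the decoded traffic from the Brocade never contains a request carrying a cmd argument, the cmd stanza in tac_plus.conf has nothing to match, which is the RBAC behaviour John Fraizer describes in the thread.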
From veerabhadra at stpi.in Mon Mar 26 04:48:52 2018
From: veerabhadra at stpi.in (veerabhadra)
Date: Mon, 26 Mar 2018 10:18:52 +0530
Subject: [tac_plus] Questions regarding tacacs+ server config file
In-Reply-To: <20180324092122.GD37614@shrubbery.net>
References: <5EE5E9460336453AA2B0C27D31504921@stpmydc.in> <20180324092122.GD37614@shrubbery.net>
Message-ID: <6F5FD4865E5F40BE97F1A729E3AEE775@stpmydc.in>

Hi,

Can I use a "single" tac_plus.conf file to load configuration to authenticate Cisco and Juniper devices at the same time?

If yes, can I have a template of the configuration file, please.

I have a network with Cisco and Juniper devices and am looking to authenticate users of both devices using a single TACACS server and a single config file.

Regards
Veerabhadra

-----Original Message-----
From: heasley
Sent: Saturday, March 24, 2018 2:51 PM
To: veerabhadra
Subject: Re: Questions regarding tacacs+ server config file

Fri, Mar 23, 2018 at 10:11:42AM +0530, veerabhadra:
> Dear All,
>
> I have downloaded and installed the tacacs+ server on Ubuntu OS.
> I am using the tacacs server to authenticate a Juniper device (SRX650) and
> am able to authenticate users through tacacs+.
> Similarly I want to authenticate a Cisco device in the network for the
> same users using the same tacacs servers.
>
> I wanted to know whether I am able to use the same "tac_plus.conf" for
> both devices' authentication; if the answer is yes, please explain how.

yes; any required AVPs can be marked optional to avoid any problems with devices that do not understand an AVP.

please refer questions to tac_plus at shrubbery.net, not info at .
From veerabhadra at stpi.in Mon Mar 26 07:17:43 2018
From: veerabhadra at stpi.in (veerabhadra)
Date: Mon, 26 Mar 2018 12:47:43 +0530
Subject: [tac_plus] Questions regarding tacacs+ server config file
In-Reply-To: <20180326070206.GA6246@shrubbery.net>
References: <5EE5E9460336453AA2B0C27D31504921@stpmydc.in> <20180324092122.GD37614@shrubbery.net> <6F5FD4865E5F40BE97F1A729E3AEE775@stpmydc.in> <20180326070206.GA6246@shrubbery.net>
Message-ID: <603186E0A79243DD8B6586067CC8F9BE@stpmydc.in>

Sir,

Authenticating users of the network using a standalone file for each NAS works fine (Cisco and Juniper separately).

Please let me know how to combine both the Cisco and Juniper config in a single file to authenticate the same users of both devices.

I did not find any details in the man pages for combining config for both devices.

Regards
Veerabhadra

-----Original Message-----
From: heasley
Sent: Monday, March 26, 2018 12:32 PM
To: veerabhadra
Cc: tac_plus at shrubbery.net ; heasley
Subject: Re: Questions regarding tacacs+ server config file

Mon, Mar 26, 2018 at 10:18:52AM +0530, veerabhadra:
> Hi,
>
> Can I use a "single" tac_plus.conf file to load configuration to
> authenticate Cisco and Juniper devices at the same time?

yes.

> If yes, can I have a template of the configuration file, please.
>
> I have a network with Cisco and Juniper devices and am looking to
> authenticate users of both devices using a single TACACS server and
> a single config file.

the distribution and installation provide a tac_plus.conf.sample file which has an example for nearly all configuration syntax.
From john at op-sec.us Mon Mar 26 07:28:11 2018
From: john at op-sec.us (John Fraizer)
Date: Mon, 26 Mar 2018 00:28:11 -0700
Subject: [tac_plus] Questions regarding tacacs+ server config file
In-Reply-To: <603186E0A79243DD8B6586067CC8F9BE@stpmydc.in>
References: <5EE5E9460336453AA2B0C27D31504921@stpmydc.in> <20180324092122.GD37614@shrubbery.net> <6F5FD4865E5F40BE97F1A729E3AEE775@stpmydc.in> <20180326070206.GA6246@shrubbery.net> <603186E0A79243DD8B6586067CC8F9BE@stpmydc.in>
Message-ID:

Take a look at http://www.shrubbery.net/pipermail/tac_plus/2015-April/001622.html

It will look something like this:

    key = "blah-blah-blah"
    accounting file = /some/location/tacplus.acct
    default authentication = file /etc/passwd

    #
    # Default group to run all command authentication through do_auth.
    #
    group = doauthaccess {
        default service = permit
        service = exec {
            priv-lvl = 1
            optional idletime = 30
            optional acl = 2
            shell:roles="\"network-operator vdc-operator\""
        }
        service = junos-exec {
            bug-fix = "first pair is lost"
            local-user-name = "remote"
            allow-commands = "(.*exit)|(show cli auth.*)"
            deny-commands = ".*"
            allow-configuration = ""
            deny-configuration = ".*"
        }
        after authorization "/usr/bin/python /some-location/do_auth.py -i $address -u $user -d $name -l /some-location/do_auth.log -f /some-location/do_auth.ini"
    }

    #
    # Default user - Used when no user specific stanza exists in tac_plus.conf.
    #
    user = DEFAULT {
        member = doauthaccess
        login = PAM
    }

Notice that there are two stanzas: one for 'exec' (Cisco, Cisco-like) and one for 'junos-exec' (Juniper). You simply need to know what 'service' the device in question is going to use, and you need a stanza for it.

--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/

On Mon, Mar 26, 2018 at 12:17 AM, veerabhadra wrote:
> Sir,
>
> Authenticating users of the network using a standalone file for each NAS
> works fine (Cisco and Juniper separately).
>
> Please let me know how to combine both the Cisco and Juniper config in a
> single file to authenticate the same users of both devices.
>
> I did not find any details in the man pages for combining config for both
> devices.
>
> Regards
> Veerabhadra
>
> -----Original Message-----
> From: heasley
> Sent: Monday, March 26, 2018 12:32 PM
> To: veerabhadra
> Cc: tac_plus at shrubbery.net ; heasley
> Subject: Re: Questions regarding tacacs+ server config file
>
> Mon, Mar 26, 2018 at 10:18:52AM +0530, veerabhadra:
>
>> Hi,
>>
>> Can I use a "single" tac_plus.conf file to load configuration to
>> authenticate Cisco and Juniper devices at the same time?
>
> yes.
>
>> If yes, can I have a template of the configuration file, please.
>>
>> I have a network with Cisco and Juniper devices and am looking to
>> authenticate users of both devices using a single TACACS server and
>> a single config file.
>
> the distribution and installation provide a tac_plus.conf.sample file which
> has an example for nearly all configuration syntax.
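John's config hands every authorization to do_auth.py through "after authorization". The following added example (not do_auth.py and not tac_plus code) shows the shape of such a hook: a policy table keyed by group, device network and TACACS+ service, and a decide() function that returns the exit status and the AV pairs to hand back. The command-line flags (-u $user, -i $address, -d $name, mirroring the invocation in John's config), the one-pair-per-line stdin format including a "service=" pair, and the exit-code convention (1 deny, 2 replace the configured AV pairs with the printed ones, 0 keep tac_plus.conf's pairs) are assumptions spelled out in the docstring; the group names, networks and AV pair values are constructed. Because an RBAC device only consults the AV pairs it receives at login (John's note in the Brocade thread above), this login-time mapping is the place where a restriction such as "this group may not reboot" has to be expressed, by returning a more restricted role or command regex for that group rather than a cmd stanza.

```python
#!/usr/bin/env python3
"""
Minimal "after authorization" policy hook in the spirit of do_auth.py.

Added example: this is not do_auth.py and not part of tac_plus.  Assumptions,
all constructed for illustration:
  * tac_plus invokes it as  hook.py -u $user -i $address -d $name  (the
    substitutions John's config passes to do_auth.py);
  * the NAS's authorization AV pairs arrive one per line on stdin, among
    them the "service=..." pair naming the service (shell, junos-exec, ...);
  * the exit status follows the convention do_auth.py documents: 1 = deny,
    2 = replace the configured AV pairs with the ones printed on stdout,
    0 = keep the AV pairs from tac_plus.conf.
"""
import argparse
import ipaddress
import sys

DENY, KEEP, REPLACE = 1, 0, 2   # exit codes (assumption, see module docstring)

# Constructed policy: which users belong to a group, which device networks
# the group may administer, and the AV pairs to return per TACACS+ service.
POLICY = {
    "netadmin": {
        "users": {"alice"},
        "devices": ["10.0.0.0/8"],
        "av_pairs": {
            "shell": ["priv-lvl=15"],
            "junos-exec": ["local-user-name=remote-admin",
                           "allow-commands=.*", "allow-configuration=.*"],
        },
    },
    "netops": {
        "users": {"bob", "stuser"},
        "devices": ["10.1.0.0/24"],
        "av_pairs": {
            "shell": ["priv-lvl=1"],
            "junos-exec": ["local-user-name=remote-readonly",
                           "allow-commands=(show .*)|(exit)",
                           "deny-commands=.*", "deny-configuration=.*"],
        },
    },
}


def parse_av_pairs(lines):
    """'attr=value' is mandatory, 'attr*value' optional (RFC 8907); return {attr: value}."""
    pairs = {}
    for line in lines:
        line = line.strip()
        for i, ch in enumerate(line):          # split at the first '=' or '*'
            if ch in "=*":
                pairs[line[:i]] = line[i + 1:]
                break
    return pairs


def decide(user, device_ip, av_lines, policy=POLICY):
    """Return (exit_code, av_pairs_to_print) for one authorization request."""
    group = next((g for g, p in policy.items() if user in p["users"]), None)
    if group is None:
        return DENY, []                        # unknown user: fail closed
    try:
        addr = ipaddress.ip_address(device_ip)
    except ValueError:
        return DENY, []                        # unparsable NAS address: fail closed
    if not any(addr in ipaddress.ip_network(n) for n in policy[group]["devices"]):
        return DENY, []                        # group may not administer this device
    service = parse_av_pairs(av_lines).get("service")
    if service is None:
        return DENY, []                        # every authorization carries a service
    pairs = policy[group]["av_pairs"].get(service)
    if pairs is None:
        return KEEP, []                        # no opinion: leave tac_plus.conf's pairs
    return REPLACE, list(pairs)


def main(argv=None):
    ap = argparse.ArgumentParser()
    ap.add_argument("-u", "--user", required=True)
    ap.add_argument("-i", "--address", required=True, help="NAS address ($address)")
    ap.add_argument("-d", "--device", default="", help="NAS name ($name), logged only")
    args = ap.parse_args(argv)
    code, pairs = decide(args.user, args.address, sys.stdin.readlines())
    print("hook: user=%s device=%s/%s -> exit %d"
          % (args.user, args.device, args.address, code), file=sys.stderr)
    for p in pairs:
        print(p)
    return code


if __name__ == "__main__":
    sys.exit(main())
```

The hook fails closed on anything it does not recognise (unknown user, device outside the group's networks, missing service) and stays out of the way for services it has no rule for, so the stanzas in tac_plus.conf remain the fallback. Exercise it from a shell with something like `printf 'service=junos-exec\n' | python3 hook.py -u bob -i 10.1.0.7 -d srx650; echo $?` and compare the printed pairs and exit status with what the device then actually enforces, remembering John's point that an RBAC device only picks up new pairs at the next login.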