[tac_plus] Need your help
John Fraizer
john at op-sec.us
Mon Mar 19 21:21:51 UTC 2018
It is likely that one of two things is causing the 'reboot' command to
succeed even though you have it forbidden in your tac_plus config.
(1) The TACACS+ implementation on your Brocade devices is not sending
command authorization requests and is only doing login authorization.
(2) Another possibility is that the Brocade does RBAC. This can make
things a bit more difficult but it's not a show-stopper. At least with
JUNOS, you can do some very fancy things using AV-PAIRS. It is much easier
to use an "after authorization" script like do_auth.py. See
http://www.shrubbery.net/pipermail/tac_plus/2015-April/001622.html for a
detailed example.
Note: With RBAC, once a user has logged in and the AV-PAIRS have been
passed to the device, it will never ask permission for anything else for
the duration of that login session. So, if you are tinkering with your
tac_plus/do_auth config and not seeing changes in device behavior, remember
that you need to log out and then back in to get the new AV-PAIRS.
--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
On Mon, Mar 19, 2018 at 8:33 AM, 83358066 <83358066 at qq.com> wrote:
> During the test, I configured the file "tac_plus.conf" and tried to forbid
> some commands ("reboot" for example) from running for users in an explicit
> group, but it had no effect. So I'm taking the liberty of writing to you
> and intend to know if you have some experience on this hand, or would you
> kindly help to provide some advice.
>
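As an added example (not from the list post or the tac_plus project), a tac_plus.conf fragment showing both halves of the point above: a per-command `cmd = reboot { deny .* }` rule, which only takes effect if the device actually sends command authorization requests, next to the login-time `service = exec` AV-pairs, which are all an RBAC device ever sees. The group and user names, the Cisco-style `priv-lvl` attribute, the key and the password hash are assumptions/placeholders.

```conf
# Added example, not the poster's config. Shared secret is a placeholder.
key = "REPLACE_WITH_SHARED_SECRET"
accounting file = /var/log/tac_plus.acct

group = readonly_ops {
    # Login-time AV-pairs: on an RBAC device this is the only decision
    # that ever reaches the NAS, and it is cached for the whole session
    # (log out and back in after changing it).
    # priv-lvl is a Cisco-style attribute and an assumption here; a Brocade
    # may expect a different vendor attribute.
    service = exec {
        priv-lvl = 1
    }

    # Everything not listed below is permitted for this group.
    default service = permit

    # Per-command authorization: only consulted if the device sends a
    # command authorization request for each command it executes.
    # If the device only authorizes the login, this block is never hit.
    cmd = reboot {
        deny .*
    }
    cmd = reload {
        deny .*
    }
}

# Hypothetical user; the DES hash is a placeholder, not a real credential.
user = alice {
    member = readonly_ops
    login = des "PLACEHOLDER_HASH"
}
```

A quick way to tell which case you are in: run tac_plus with debugging enabled and issue the forbidden command; if no authorization request with `cmd=reboot` appears in the tac_plus log, the device is not asking per command and the `cmd` block cannot help, so the login-time AV-pairs (or a do_auth-style after-authorization script) are where the restriction has to be enforced.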