[tac_plus] Need your help
Bruce Ferrell
bferrell at baywinds.org
Mon Mar 19 23:35:18 UTC 2018
Daniel,
What I do to troubleshoot this type of issue is to use tcpdump and capture the tacacs connection data to a file.
Yes, I know, the transaction is encrypted. Since you control both ends and possess the shared secret info, you can feed that into wireshark. Under preferences/protocols, locate
tacacs+. One of the options allows you to store the shared secret... Now you can see the transaction in wireshark.
regards
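What Wireshark does with the stored shared secret, as an added example that is not from this list or from the tac_plus project: the TACACS+ body is XORed with an MD5-derived keystream built from the session id, the secret, the version byte and the sequence number (RFC 8907 section 4.5), so whoever holds the secret and the cleartext header can recover the body of a captured packet. The secret, session id and packet contents below are constructed placeholders; the same XOR call both obfuscates and de-obfuscates, which is also why the shared secret is the only thing protecting this traffic.

```python
import hashlib
import struct

HEADER_FMT = "!BBBBII"  # version, type, seq_no, flags, session_id, body length
HEADER_LEN = struct.calcsize(HEADER_FMT)
FLAG_UNENCRYPTED = 0x01

def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream from RFC 8907 section 4.5: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_n-1), concatenated and cut to body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def transform_body(header, body, key):
    """XOR the body with the keystream; the operation is its own inverse."""
    version, _ptype, seq_no, flags, session_id, _length = header
    if flags & FLAG_UNENCRYPTED:  # body sent in the clear, nothing to undo
        return body
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(header, body, key):
    """Serialise header + obfuscated body, as a client or daemon would put it on the wire."""
    return struct.pack(HEADER_FMT, *header) + transform_body(header, body, key)

def decode_packet(packet, key):
    """Parse the 12-byte cleartext header of a captured packet and return (header, cleartext body)."""
    header = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    length = header[5]
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return header, transform_body(header, body, key)

# Constructed sample: an authentication START (type 1) for user "stuser"; secret is a placeholder.
SECRET = b"example-shared-secret"
USER, PORT, REM_ADDR = b"stuser", b"tty0", b"192.0.2.10"
SAMPLE_BODY = struct.pack("!8B", 1, 1, 1, 1, len(USER), len(PORT), len(REM_ADDR), 0) + USER + PORT + REM_ADDR
SAMPLE_HEADER = (0xC0, 1, 1, 0, 0x1A2B3C4D, len(SAMPLE_BODY))  # version 12.0, seq 1, flags 0
SAMPLE_PACKET = build_packet(SAMPLE_HEADER, SAMPLE_BODY, SECRET)

if __name__ == "__main__":
    hdr, body = decode_packet(SAMPLE_PACKET, SECRET)
    print("session 0x%08x seq %d body:" % (hdr[4], hdr[2]), body)
```

Decoding with a wrong secret returns garbage rather than an error, so a mismatched secret between switch and tac_plus shows up in a capture as an unparseable body, not as a refused connection.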
On 03/19/2018 07:49 AM, Daniel Schmidt wrote:
> Are Brocade FOS switches capable of authorization?
>
> On Fri, Mar 16, 2018 at 11:42 PM, 83358066 <83358066 at qq.com> wrote:
>
>> Hi Dear Shrubbery
>>
>> Thank you very much for your contributions to the excellent TACACS
>> plus tools. Currently we plan to test tacacs plus to manage a Brocade
>> SAN switch; most of the functions are working well and very powerful, but
>> on one point we still have an issue. Would you kindly help to provide
>> some advice? Thanks in advance.
>>
>>
>> The question we meet is that we defined the groups and users; for example,
>> I want to forbid the user in the group usergroup from running
>> the explicit command "reboot". As we know, the Brocade FOS command mode is
>> not the same as Cisco's. We found the setting was not in effect and the command
>> "reboot" still can be run after the user got authorized by the tac_plus server
>> daemon. So would you kindly let me know how I can configure that to forbid
>> the explicit command like "reboot" from being executed and take effect. Thanks for
>> your support!
>>
>>
>> our setting for the tac_plus config is as follows:
>>
>> group = usergroup {
>>     default service = permit
>>     login = file /etc/passwd
>>     enable = file /etc/passwd
>>     cmd = reboot {
>>         deny .*
>>     }
>> }
>>
>> user = stuser {
>>     member = usergroup
>>     login = file /etc/passwd
>>     service = exec {
>>         brcd-role = Admin
>>         brcd-AV-Pair1 = "homeLF=128;LFRoleList=1-128"
>>         brcd-AV-Pair2 = "chassisRole=switchadmin"
>>     }
>> }
>> _______________________________________________
>> tac_plus mailing list
>> tac_plus at shrubbery.net
>> http://www.shrubbery.net/mailman/listinfo/tac_plus