[tac_plus] Need your help

Daniel Schmidt daniel.schmidt at wyo.gov
Tue Mar 20 17:46:36 UTC 2018


tac_plus can be run with -d 8 to debug authorization.

On Mon, Mar 19, 2018 at 5:35 PM, Bruce Ferrell <bferrell at baywinds.org>
wrote:

> Daniel,
>
> What I do to troubleshoot this type of issue is to use tcpdump and
> capture the tacacs connection data to a file.
>
> Yes, I know, the transaction is encrypted.  Since you control both ends
> and possess the shared secret info, you can feed that into wireshark. Under
> Preferences/Protocols, locate TACACS+.  One of the options allows you to
> store the shared secret... Now you can see the transaction in wireshark.
>
> regards
>
>
>
> On 03/19/2018 07:49 AM, Daniel Schmidt wrote:
>
>> Are Brocade FOS switches capable of authorization?
>>
>> On Fri, Mar 16, 2018 at 11:42 PM, 83358066 <83358066 at qq.com> wrote:
>>
>>> Hi Dear Shrubbery
>>>
>>>        Thank you very much for your contributions to the excellent TACACS
>>> plus tools. Currently we plan to test TACACS plus to manage a Brocade
>>> SAN switch; most of the functions are working well and are very powerful,
>>> but on one point we still have an issue. Would you kindly help to provide
>>> some advice? Thanks in advance.
>>>
>>>
>>>   The question we have is that we defined the groups and users; for
>>> example, I want to forbid the users in the group usergroup from running
>>> the explicit command "reboot". As we know, the Brocade FOS command mode
>>> is not the same as Cisco's. We found the setting was not in effect and
>>> the command "reboot" can still be run after the user got authorized by
>>> the tac_plus server daemon. So would you kindly let me know how I can
>>> configure it so that an explicit command like "reboot" is forbidden
>>> from being executed and this takes effect. Thanks for your support!
>>>
>>>
>>>   Our settings in the tac_plus config are as follows:
>>>
>>> group = usergroup {
>>>           default service = permit
>>>           login = file /etc/passwd
>>>           enable = file /etc/passwd
>>>           cmd = reboot {
>>>                   deny .*
>>>           }
>>> }
>>>
>>>
>>> user = stuser {
>>>           member = usergroup
>>>           login = file /etc/passwd
>>>           service = exec {
>>>                   brcd-role = Admin
>>>                   brcd-AV-Pair1 = "homeLF=128;LFRoleList=1-128"
>>>                   brcd-AV-Pair2 = "chassisRole=switchadmin"
>>>           }
>>> }
>>> _______________________________________________
>>> tac_plus mailing list
>>> tac_plus at shrubbery.net
>>> http://www.shrubbery.net/mailman/listinfo/tac_plus
>>>
>>>

-- 

E-Mail to and from me, in connection with the transaction 
of public business, is subject to the Wyoming Public Records 
Act and may be disclosed to third parties.
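Bruce's suggestion of feeding the shared secret to Wireshark can be reproduced in a few lines of Python, which also shows exactly which AV pairs (service=shell, cmd=reboot, ...) a switch puts in its authorization REQUEST. This is an added example, not code from the list, tac_plus or Brocade: the packet layout follows RFC 8907, and the secret, session id, user, port and remote address are constructed placeholders.

```python
"""Decode a captured TACACS+ authorization REQUEST with the shared secret (RFC 8907).
Added example, not code from the list, tac_plus or Brocade; all sample values are constructed."""
import hashlib
import struct

HDR = struct.Struct("!BBBB4sI")  # version, type, seq_no, flags, session_id, body length
TAC_PLUS_AUTHOR = 0x02           # packet type: authorization

def pad_stream(session_id: bytes, secret: bytes, version: int, seq_no: int, n: int) -> bytes:
    """RFC 8907 pad: chained MD5 over session_id | secret | version | seq_no | previous block."""
    pad, prev = b"", b""
    while len(pad) < n:
        prev = hashlib.md5(session_id + secret + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:n]

def deobfuscate(packet: bytes, secret: bytes) -> tuple:
    """Return (packet type, cleartext body); XOR is symmetric, so the same call obfuscates."""
    version, ptype, seq_no, flags, sid, length = HDR.unpack_from(packet)
    body = packet[HDR.size:HDR.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if flags & 0x01:  # TAC_PLUS_UNENCRYPTED_FLAG: body was sent in the clear
        return ptype, body
    pad = pad_stream(sid, secret, version, seq_no, length)
    return ptype, bytes(a ^ b for a, b in zip(body, pad))

def parse_author_request(body: bytes) -> dict:
    """Authorization REQUEST body: 8 fixed bytes, arg_cnt arg lengths, then the strings."""
    _method, priv, _atype, _svc, ulen, plen, rlen, argc = body[:8]
    arg_lens, off, fields = body[8:8 + argc], 8 + argc, []
    for n in (ulen, plen, rlen, *arg_lens):
        fields.append(body[off:off + n].decode("ascii", "replace"))
        off += n
    return {"user": fields[0], "port": fields[1], "rem_addr": fields[2], "priv_lvl": priv, "args": fields[3:]}

def build_author_request(secret: str, sid: bytes, user: str, args: list, port="console", rem="10.0.0.5") -> bytes:
    """Construct an obfuscated request the way a device would send it (used for the sample below)."""
    strs = [s.encode() for s in (user, port, rem, *args)]
    body = bytes([0x06, 15, 0x01, 0x01, *map(len, strs[:3]), len(args)])  # TACACSPLUS, priv 15, ASCII, LOGIN
    body += bytes(map(len, strs[3:])) + b"".join(strs)
    version, seq_no = 0xC0, 1
    hdr = HDR.pack(version, TAC_PLUS_AUTHOR, seq_no, 0, sid, len(body))
    return hdr + bytes(a ^ b for a, b in zip(body, pad_stream(sid, secret.encode(), version, seq_no, len(body))))

SECRET = "constructed-secret"  # placeholder: use the key from your own tac_plus.conf
SAMPLE = build_author_request(SECRET, b"\x12\x34\x56\x78", "stuser", ["service=shell", "cmd=reboot", "cmd-arg=<cr>"])
```

Feed deobfuscate() a TACACS+ packet sliced out of the tcpdump capture and the key from tac_plus.conf; if the switch never sends an authorization REQUEST carrying a cmd= argument, it is not asking the server about commands at all, and no cmd block in tac_plus.conf can take effect.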