From daniel.schmidt at wyo.gov Thu May 3 19:10:26 2018
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Thu, 3 May 2018 13:10:26 -0600
Subject: [tac_plus] Auth Fail Lock (AFL) patch
Message-ID:

I believe I have updated Mark Ellzey Thomas's AFL patch for 4.0.4.28 referenced here:
http://www.shrubbery.net/pipermail/tac_plus/2009-September/000508.html

Please note: I needed this patch for reasons too banal to admit and thought I might share the result. Using PAM to reference another system that locks user accounts may be preferable for most.

Also, while I do claim it seems to work fine, I do not claim I did it right; I could not get autoconf to work, as you may see from this patch. (I appreciate tips on the dark art of autoconf; I am but a lowly network engineer.)

Thanks

--
E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: afl_patch
Type: application/octet-stream
Size: 16768 bytes
Desc: not available

From noreply at skynet.be Fri May 18 13:00:40 2018
From: noreply at skynet.be (Sven Stenson)
Date: Fri, 18 May 2018 15:00:40 +0200
Subject: [tac_plus] Using cli-prompt as a Shared Secret?
Message-ID:

Hello,

While reading through the code I noticed the following part in the function read_packet() defined in the file packet.c:

------ snip -----
    /* decrypt the data portion */
    tkey = cfg_get_host_key(session.peerip);
    if (tkey == NULL && !STREQ(session.peer, session.peerip)) {
        tkey = cfg_get_host_prompt(session.peer);
    }
    if (tkey == NULL)
        tkey = session.key;
------ snip -----

Could it be that there is a typo in the line "tkey = cfg_get_host_prompt(session.peer);"? Should this not again be a call to cfg_get_host_key(), but with session.peer instead of session.peerip as the argument? Or is it intended to use the cli-prompt users see after logging into a network device as the 'shared secret' for the communication between the host and the TACACS server?

regards,
Sven

From veerabhadra at stpi.in Tue May 22 09:37:36 2018
From: veerabhadra at stpi.in (veerabhadra)
Date: Tue, 22 May 2018 15:07:36 +0530
Subject: [tac_plus] Questions regarding tacacs+ server config file
In-Reply-To:
References: <5EE5E9460336453AA2B0C27D31504921@stpmydc.in> <20180324092122.GD37614@shrubbery.net> <6F5FD4865E5F40BE97F1A729E3AEE775@stpmydc.in> <20180326070206.GA6246@shrubbery.net> <603186E0A79243DD8B6586067CC8F9BE@stpmydc.in>
Message-ID:

Dear Sir,

Followed your inputs and successfully authenticated users for access to Juniper J6350 and Cisco 3660 routers. Now I have a Huawei NE40E-X3A router and have done the configuration on the router, but am stuck on the tac_server config relating to that. Please help with a template specific to the Huawei router, if you have one.

Regards
Veerabhadra

From: John Fraizer
Sent: Monday, March 26, 2018 12:58 PM
To: veerabhadra
Cc: tac_plus
Subject: Re: [tac_plus] Questions regarding tacacs+ server config file

Take a look at http://www.shrubbery.net/pipermail/tac_plus/2015-April/001622.html

It will look something like this:

key = "blah-blah-blah"
accounting file = /some/location/tacplus.acct
default authentication = file /etc/passwd

#
# Default group to run all command authentication through do_auth.
#
group = doauthaccess {
    default service = permit
    service = exec {
        priv-lvl = 1
        optional idletime = 30
        optional acl = 2
        shell:roles="\"network-operator vdc-operator\""
    }
    service = junos-exec {
        bug-fix = "first pair is lost"
        local-user-name = "remote"
        allow-commands = "(.*exit)|(show cli auth.*)"
        deny-commands = ".*"
        allow-configuration = ""
        deny-configuration = ".*"
    }
    after authorization "/usr/bin/python /some-location/do_auth.py -i $address -u $user -d $name -l /some-location/do_auth.log -f /some-location/do_auth.ini"
}

#
# Default user - Used when no user specific stanza exists in tac_plus.conf.
#
user = DEFAULT {
    member = doauthaccess
    login = PAM
}

Notice that there are two stanzas... One for 'exec' (Cisco, Cisco-like) and 'junos-exec' (Juniper)... You simply need to know what 'service' the device in question is going to use and you need a stanza for it...

--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/

On Mon, Mar 26, 2018 at 12:17 AM, veerabhadra wrote:

Sir,

Authenticating users of the network using a standalone file for each NAS works fine (Cisco and Juniper separately). Please let me know how to combine both Cisco and Juniper config in a single file to authenticate the same users of both devices. Did not find any details in the man pages for combining config for both devices.

Regards
Veerabhadra

-----Original Message-----
From: heasley
Sent: Monday, March 26, 2018 12:32 PM
To: veerabhadra
Cc: tac_plus at shrubbery.net ; heasley
Subject: Re: Questions regarding tacacs+ server config file

Mon, Mar 26, 2018 at 10:18:52AM +0530, veerabhadra:
> Hi,
>
> Can I use a "single" tac_plus.conf file to load configuration to authenticate Cisco and Juniper devices at the same time?

yes.

> If yes, can I have a template of the configuration file, please? I have a network with Cisco and Juniper devices and am looking to authenticate users of both devices using a single TACACS server and a single config file.
the distribution and installation provide a tac_plus.conf.sample file which has an example for nearly all configuration syntax.

_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo/tac_plus

From m4rtntns at gmail.com Thu May 24 16:20:39 2018
From: m4rtntns at gmail.com (Martin T)
Date: Thu, 24 May 2018 19:20:39 +0300
Subject: [tac_plus] Is it possible to handle anonymous authorization requests?
Message-ID:

Hi!

I have two Cisco 3750-E series switches in a stacked configuration. When I connect to the "Master" switch over the console port, then I'm able to authenticate and authorize without issues. When I connect to the "Member" switch over the console port, then I'm not able to authorize. I see that the switch sends the authorization (type 2) packet to the TACACS+ server:

014310: May 24 15:34:57.824 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: UNKNOWN] [localport: 0] at 15:34:57 UTC Thu May 24 2018
014352: May 24 15:35:58.258 UTC: T+: Version 192 (0xC0), type 2, seq 1, encryption 1
014353: May 24 15:35:58.258 UTC: T+: session_id 3904028160 (0xE8B2BE00), dlen 40 (0x28)
014354: May 24 15:35:58.258 UTC: T+: AUTHOR, priv_lvl:1, authen:1 method:enable
014355: May 24 15:35:58.258 UTC: T+: svc:1 user_len:0 port_len:4 rem_addr_len:9 arg_cnt:2
014356: May 24 15:35:58.258 UTC: T+: user:
014357: May 24 15:35:58.258 UTC: T+: port: tty4
014358: May 24 15:35:58.258 UTC: T+: rem_addr: 127.0.0.4
014359: May 24 15:35:58.258 UTC: T+: arg[0]: size:13 service=shell
014360: May 24 15:35:58.258 UTC: T+: arg[1]: size:4 cmd*
014361: May 24 15:35:58.267 UTC: T+: End Packet

..and the TACACS+ server replies with FAIL. I also did a packet capture on the TACACS+ server and saw exactly the same behavior. As seen above, the "user" field is empty. Also, the TACACS+ server logs "user '' not found, denied by default".
Any ideas why the master switch skips sending the authorization request? Why is the "user" field of the member switch's authentication request empty? Most importantly, is there a workaround to handle anonymous authorization requests? I tried with "anonymous-enable = permit" under host level, but this did not help. Authorization-related configuration in the switch is "aaa authorization exec default group tacacs+ if-authenticated".

thanks,
Martin

From heas at shrubbery.net Thu May 24 22:12:03 2018
From: heas at shrubbery.net (heasley)
Date: Thu, 24 May 2018 22:12:03 +0000
Subject: [tac_plus] Is it possible to handle anonymous authorization requests?
In-Reply-To:
References:
Message-ID: <20180524221203.GA48860@shrubbery.net>

Thu, May 24, 2018 at 07:20:39PM +0300, Martin T:
> Hi!
>
> I have two Cisco 3750-E series switches in a stacked configuration.
> When I connect to "Master" switch over console port, then I'm able to
> authenticate and authorize without issues. When I connect to "Member"
> switch over console port, then I'm not able to authorize.
> I see that
> switch sends the authorization(type 2) packet to TACACS+ server:
>
> 014310: May 24 15:34:57.824 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login
> Success [user: ] [Source: UNKNOWN] [localport: 0] at 15:34:57 UTC Thu
> May 24 2018
> 014352: May 24 15:35:58.258 UTC: T+: Version 192 (0xC0), type 2, seq
> 1, encryption 1
> 014353: May 24 15:35:58.258 UTC: T+: session_id 3904028160
> (0xE8B2BE00), dlen 40 (0x28)
> 014354: May 24 15:35:58.258 UTC: T+: AUTHOR, priv_lvl:1, authen:1
> method:enable
> 014355: May 24 15:35:58.258 UTC: T+: svc:1 user_len:0 port_len:4
> rem_addr_len:9 arg_cnt:2
> 014356: May 24 15:35:58.258 UTC: T+: user:
> 014357: May 24 15:35:58.258 UTC: T+: port: tty4
> 014358: May 24 15:35:58.258 UTC: T+: rem_addr: 127.0.0.4
> 014359: May 24 15:35:58.258 UTC: T+: arg[0]: size:13 service=shell
> 014360: May 24 15:35:58.258 UTC: T+: arg[1]: size:4 cmd*
> 014361: May 24 15:35:58.267 UTC: T+: End Packet
>
>
> ..and TACACS+ server replies with FAIL. I also did the packet capture
> in TACACS+ server and saw exactly the same behavior. As seen above,
> "user" field is empty. Also, the TACACS+ server logs that "user '' not
> found, denied by default".
>
> Any ideas, why master switch skips sending the authorization request?
> Why is the "user" field of member switch authentication request empty?

Does the console ask for a username? Does it require different configuration to enable aaa, such as configured under 'line tty4' rather than line con?

> Most importantly, is there a workaround to handle anonymous
> authorization requests? I tried with "anonymous-enable = permit" under
> host level, but this did not help. Authorization-related configuration
> in the switch is "aaa authorization exec default group tacacs+
> if-authenticated".

I'd lean toward a bug in IOS or missing config, but the TACACS+ protocol clearly allows the username to be omitted. TBH, I don't know if the daemon allows an empty user; it's not in the manpage that I compiled.
I'd have to look through the code, which I can't do ATM. Perhaps try the special user DEFAULT or "".

From m4rtntns at gmail.com Fri May 25 10:37:34 2018
From: m4rtntns at gmail.com (Martin T)
Date: Fri, 25 May 2018 13:37:34 +0300
Subject: [tac_plus] Is it possible to handle anonymous authorization requests?
In-Reply-To: <20180524221203.GA48860@shrubbery.net>
References: <20180524221203.GA48860@shrubbery.net>
Message-ID:

On Fri, May 25, 2018 at 1:12 AM, heasley wrote:
> Thu, May 24, 2018 at 07:20:39PM +0300, Martin T:
>> Hi!
>>
>> I have two Cisco 3750-E series switches in a stacked configuration.
>> When I connect to "Master" switch over console port, then I'm able to
>> authenticate and authorize without issues. When I connect to "Member"
>> switch over console port, then I'm not able to authorize. I see that
>> switch sends the authorization(type 2) packet to TACACS+ server:
>>
>> 014310: May 24 15:34:57.824 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login
>> Success [user: ] [Source: UNKNOWN] [localport: 0] at 15:34:57 UTC Thu
>> May 24 2018
>> 014352: May 24 15:35:58.258 UTC: T+: Version 192 (0xC0), type 2, seq
>> 1, encryption 1
>> 014353: May 24 15:35:58.258 UTC: T+: session_id 3904028160
>> (0xE8B2BE00), dlen 40 (0x28)
>> 014354: May 24 15:35:58.258 UTC: T+: AUTHOR, priv_lvl:1, authen:1
>> method:enable
>> 014355: May 24 15:35:58.258 UTC: T+: svc:1 user_len:0 port_len:4
>> rem_addr_len:9 arg_cnt:2
>> 014356: May 24 15:35:58.258 UTC: T+: user:
>> 014357: May 24 15:35:58.258 UTC: T+: port: tty4
>> 014358: May 24 15:35:58.258 UTC: T+: rem_addr: 127.0.0.4
>> 014359: May 24 15:35:58.258 UTC: T+: arg[0]: size:13 service=shell
>> 014360: May 24 15:35:58.258 UTC: T+: arg[1]: size:4 cmd*
>> 014361: May 24 15:35:58.267 UTC: T+: End Packet
>>
>>
>> ..and TACACS+ server replies with FAIL. I also did the packet capture
>> in TACACS+ server and saw exactly the same behavior. As seen above,
>> "user" field is empty.
>> Also, the TACACS+ server logs that "user '' not
>> found, denied by default".
>>
>> Any ideas, why master switch skips sending the authorization request?
>> Why is the "user" field of member switch authentication request empty?
>
> Does the console ask for a username? Does it require different configuration
> to enable aaa, such as configured under 'line tty4' rather than line con?
>
>> Most importantly, is there a workaround to handle anonymous
>> authorization requests? I tried with "anonymous-enable = permit" under
>> host level, but this did not help. Authorization-related configuration
>> in the switch is "aaa authorization exec default group tacacs+
>> if-authenticated".
>
> I'd lean toward a bug in IOS or missing config, but the TACACS+ protocol
> clearly allows the username to be omitted. TBH, I don't know if the
> daemon allows an empty user; it's not in the manpage that I compiled. I'd
> have to look through the code, which I can't do ATM. Perhaps try the
> special user DEFAULT or "".

Thanks for the reply!

> Does the console ask for a username?

No, the console does not ask for a username. Only the password.

> Does it require different configuration to enable aaa, such as configured under 'line tty4' rather than line con?

Yes, in the case of a stacked setup, the "Member" switch console port should use the line "vty 0 15" AAA authorization list. There is a Cisco bug CSCsw51727 for this. I use the default authorization list for vty lines, i.e. "authorization exec default". This should mean that "aaa authorization exec default group tacacs+ if-authenticated" has an effect. I can confirm this by changing "aaa authorization exec default group tacacs+ if-authenticated" to "aaa authorization exec default none". Then I was able to log in to the console port of the "Member" switch.

> Perhaps try the special user DEFAULT or "".

Unfortunately, those did not work. I still see "user '' not found, denied by default" in the tac_plus log.
> I'd lean toward a bug in IOS or missing config

Me too. The workaround in CSCsw51727 works, i.e. if one creates a local user on the switch, then configures "aaa authentication login console local" and finally adds this local user to the TACACS+ server, then the switch sends this authorization packet with this locally configured user-name. However, in the case of "aaa authentication login console enable" it sends this authorization packet with an empty user-name.

regards,
Martin
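Added example (not code from tac_plus, and not from any poster on this list): a minimal RFC 8907 TACACS+ codec in Python that ties together two points raised in this archive. For Sven's read_packet() snippet it mirrors the key-selection order (per-host key by peer IP, then the lookup by peer name, then the global key) and shows what the selected key actually does, namely seed the MD5 pseudo-pad that is XORed over the packet body. For Martin's 3750-E debug output it rebuilds the exact authorization REQUEST from the log (version 0xC0, type 2, seq 1, session 0xE8B2BE00, dlen 40, empty user, port tty4, rem_addr 127.0.0.4, service=shell and cmd*) and parses it back so the empty user field is explicit. The shared keys, the host tables, the peer name "sw-member" and the peer IP 192.0.2.10 are constructed for the example; header flags are set to 0 (body obfuscated). Everything else follows the packet layouts in RFC 8907.

```python
"""Added example: RFC 8907 TACACS+ body obfuscation, key selection and
authorization REQUEST encoding/parsing.  Not tac_plus code."""
import hashlib
import struct

HEADER = struct.Struct("!BBBBII")      # version, type, seq_no, flags, session_id, length
TAC_PLUS_AUTHOR = 0x02                 # "type 2" in the IOS debug
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHEN_METH_ENABLE = 0x04     # "method:enable"
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01      # "authen:1"
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01       # "svc:1"


def select_key(keys_by_ip, keys_by_name, default_key, peerip, peer):
    """Same order as the read_packet() snippet: per-host key by IP, then a
    lookup by peer name (the snippet calls cfg_get_host_prompt() there, which
    is the line Sven asks about), then the global key.  Tables are assumed."""
    key = keys_by_ip.get(peerip)
    if key is None and peer != peerip:
        key = keys_by_name.get(peer)
    if key is None:
        key = default_key
    return key


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: chained MD5(session_id|key|version|seq_no|prev)."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscation and de-obfuscation are the same XOR against the pad."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_request(user, port, rem_addr, args, authen_method, priv_lvl,
                         authen_type, authen_service):
    """Authorization REQUEST body (RFC 8907 section 6.1): 8 fixed bytes,
    one length byte per arg, then user, port, rem_addr and the args."""
    fixed = struct.pack("!8B", authen_method, priv_lvl, authen_type, authen_service,
                        len(user), len(port), len(rem_addr), len(args))
    return fixed + bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)


def parse_author_request(body):
    """Inverse of build_author_request.  Raises ValueError when the length
    fields do not cover exactly the body: a wrong key garbles them, and this
    structural check is the only integrity check the protocol offers."""
    if len(body) < 8:
        raise ValueError("short body")
    meth, priv, atype, svc, ulen, plen, rlen, argc = struct.unpack_from("!8B", body)
    off = 8
    arg_lens = list(body[off:off + argc])
    off += argc
    user, off = body[off:off + ulen], off + ulen
    port, off = body[off:off + plen], off + plen
    rem_addr, off = body[off:off + rlen], off + rlen
    args = []
    for n in arg_lens:
        args.append(body[off:off + n])
        off += n
    if off != len(body):
        raise ValueError("length fields do not match body length")
    return {"authen_method": meth, "priv_lvl": priv, "authen_type": atype,
            "authen_service": svc, "user": user, "port": port,
            "rem_addr": rem_addr, "args": args, "anonymous": ulen == 0}


def encode_packet(ptype, seq_no, session_id, body, key, version=0xC0):
    hdr = HEADER.pack(version, ptype, seq_no, 0, session_id, len(body))
    return hdr + xor_body(body, session_id, key, version, seq_no)


def decode_packet(raw, key):
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(raw)
    body = raw[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, key, version, seq_no)
    return ptype, seq_no, session_id, body


def demo():
    """Rebuild the member-switch packet from the debug log, decode it with the
    per-host key and with a wrong key.  Keys, peer IP and name are made up."""
    keys_by_ip = {"192.0.2.10": b"stack-key"}
    key = select_key(keys_by_ip, {}, b"global-key", "192.0.2.10", "sw-member")
    body = build_author_request(b"", b"tty4", b"127.0.0.4",
                                [b"service=shell", b"cmd*"],
                                TAC_PLUS_AUTHEN_METH_ENABLE, 1,
                                TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN)
    raw = encode_packet(TAC_PLUS_AUTHOR, 1, 0xE8B2BE00, body, key)
    _, _, _, good = decode_packet(raw, key)
    _, _, _, bad = decode_packet(raw, b"wrong-key")
    return {"dlen": len(body), "parsed": parse_author_request(good),
            "wrong_key_matches": bad == body}


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing when running it: the body length comes out at exactly the 40 bytes the switch reported, and the parsed record carries `anonymous: True`, which is the condition a server-side rule would have to match for the empty user. The wrong-key path does not fail at the XOR; it only produces a different body, so whatever the daemon does with a mis-keyed packet depends on how its parser reacts to the garbled length fields.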