From jvidal at ciena.com Mon Apr 1 15:13:28 2019
From: jvidal at ciena.com (Vidal, Juan Francisco)
Date: Mon, 1 Apr 2019 15:13:28 +0000
Subject: [tac_plus] Change default 49 port
Message-ID:

Hello,

How can I change the default port (49)?

Thanks and regards,

Juan F. Vidal | Solution Engineering & Introduction (SE&I) - CALA
jvidal at ciena.com | Bouchard 710 3º, Buenos Aires, Argentina
Office +54 11 3753 2054 | Mobile +54 911 3404 3403

From ann_morton at nwrdc.fsu.edu Tue Apr 2 16:54:07 2019
From: ann_morton at nwrdc.fsu.edu (Ann Morton)
Date: Tue, 2 Apr 2019 16:54:07 +0000
Subject: [tac_plus] Issues with tac_plus and PAM on AD Authenticated RHEL 7
Message-ID:

Good Afternoon,

We have a RHEL 7 server that is AD authenticated via Kerberos/realmd/sssd. I previously had pam_tally2 configured in the system-auth & password-auth modules to deny=3 unlock=1800. Whenever my network admin would log in to a network device, regardless of whether the login was correct, it would lock her out. I had to uncomment the pam_tally2 sections of the files to alleviate the lockout issues. Is there a config I'm missing that would allow for using pam_tally2 but not lock out users?
Current configs:

/etc/pam.d/system-auth & password-auth

auth required pam_env.so
#auth required pam_tally2.so deny=3 unlock_time=1800
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so

account required pam_unix.so
#account required pam_tally2.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 minlen=12 minclass=3 lcredit=1 dcredit=1 ocredit=1 ucredit=1 difok=1
password sufficient pam_unix.so md5 remember=10 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so

/etc/pam.d/tac_plus

auth required pam_nologin.so
auth include system-auth
account include system-auth
password include system-auth
session include system-auth

Any help is much appreciated.

Thanks,

Ann Morton
Interim Manager
Server Response Team
NWRDC
850-645-3540
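The pam_tally2 behaviour above depends on where the module ends up once /etc/pam.d/tac_plus pulls system-auth in through `include`, and on whether both its auth half (which counts attempts) and its account half (which resets the count after a successful login) are reached. The script below is an added example, not from this thread or the tac_plus project: it flattens the posted service files the way libpam does and reports the position of pam_tally2.so in each stack, plus the two placements worth ruling out first (the module stacked more than once, or counting in auth with no account entry to reset it). The posted system-auth is embedded with the two pam_tally2 lines re-enabled, i.e. the state that produced the lockouts; the password and session groups are left out because they never touch the tally, and the two `tac_plus-*` variants are hypothetical files constructed to trigger the checks.

```python
"""PAM stack linter: flatten include/substack the way libpam does, then
report where a module (pam_tally2.so here) sits in each management group.
Added example, not part of the thread; all service files are embedded."""
import re
from collections import defaultdict

# Constructed in-memory /etc/pam.d. system-auth is the posted file with its
# two pam_tally2 lines re-enabled (the state that produced lockouts); password
# and session groups are omitted since they never touch the tally. The two
# "tac_plus-*" variants are hypothetical, written to trigger the checks below.
PAM_DIR = {
    "system-auth": """
auth     required   pam_env.so
auth     required   pam_tally2.so deny=3 unlock_time=1800
auth     [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth     [default=1 ignore=ignore success=ok] pam_localuser.so
auth     sufficient pam_unix.so nullok try_first_pass
auth     requisite  pam_succeed_if.so uid >= 1000 quiet_success
auth     sufficient pam_sss.so forward_pass
auth     required   pam_deny.so
account  required   pam_unix.so
account  required   pam_tally2.so
account  sufficient pam_localuser.so
account  sufficient pam_succeed_if.so uid < 1000 quiet
account  [default=bad success=ok user_unknown=ignore] pam_sss.so
account  required   pam_permit.so
""",
    "tac_plus": """
auth     required   pam_nologin.so
auth     include    system-auth
account  include    system-auth
password include    system-auth
session  include    system-auth
""",
    "tac_plus-authonly": """
auth     required   pam_nologin.so
auth     include    system-auth
""",
    "tac_plus-double": """
auth     required   pam_tally2.so deny=3 unlock_time=1800
auth     include    system-auth
account  include    system-auth
""",
}

LINE_RE = re.compile(
    r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_service(name):
    """Yield (group, control, module, args) for each active line of a file."""
    for raw in PAM_DIR[name].splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if line:
            m = LINE_RE.match(line)
            if not m:
                raise ValueError(f"{name}: cannot parse {raw!r}")
            yield m.groups()

def resolve(name, depth=0):
    """Flatten include/substack; only lines of the same group are pulled in."""
    if depth > 8:
        raise RecursionError(f"include loop via {name}")
    stacks = defaultdict(list)
    for group, control, module, args in parse_service(name):
        if control in ("include", "substack"):
            stacks[group].extend(resolve(module, depth + 1)[group])
        else:
            stacks[group].append((control, module, args))
    return stacks

def positions(service, module="pam_tally2.so"):
    """0-based index of every `module` entry per group, after resolution."""
    return {g: [i for i, (_, m, _) in enumerate(lines) if m == module]
            for g, lines in resolve(service).items()}

def lint(service, module="pam_tally2.so"):
    """The two placements of pam_tally2 worth ruling out first."""
    pos = positions(service, module)
    findings = []
    for group, hits in pos.items():
        if len(hits) > 1:           # each extra entry bumps the tally again
            findings.append(f"{group}: {module} appears {len(hits)} times")
    if pos.get("auth") and not pos.get("account"):
        # pam_tally2's account hook is what resets the tally after success
        findings.append("auth counts failures but no account entry resets them")
    return findings

if __name__ == "__main__":
    for svc in PAM_DIR:
        print(f"{svc:18} {positions(svc)}  {lint(svc) or 'ok'}")
```

Run against the posted files the linter reports pam_tally2 once in auth (third entry, after pam_nologin and pam_env) and once in account, and no findings; the two constructed variants show what a stacked entry and a missing account hook look like. To use it on a real host, replace `PAM_DIR` with a dict read from /etc/pam.d. Whatever the lint says, the question of whether the tacacs daemon itself ever calls the account phase is only settled by watching the daemon, which is what the strace suggestion in the reply below gets at.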
From heas at shrubbery.net Wed Apr 3 17:13:28 2019
From: heas at shrubbery.net (heasley)
Date: Wed, 3 Apr 2019 17:13:28 +0000
Subject: [tac_plus] Issues with tac_plus and PAM on AD Authenticated RHEL 7
In-Reply-To:
References:
Message-ID: <20190403171328.GD41348@shrubbery.net>

Tue, Apr 02, 2019 at 04:54:07PM +0000, Ann Morton:
> Good Afternoon,
>
> We have a RHEL 7 server that is AD authenticated via Kerberos/realmd/sssd. I previously had pam_tally2 configured in the system-auth & password-auth modules to deny=3 unlock=1800. Whenever my network admin would log in to a network device, regardless of whether the login was correct, it would lock her out. I had to uncomment the pam_tally2 sections of the files to alleviate the lockout issues. Is there a config I'm missing that would allow for using pam_tally2 but not lock out users?

I do not know; I have never used this PAM module. I would look for debugging options for the module, something that would indicate how many times it is invoked and, in theory, triggered to record success or failure. One might also strace the tacacs daemon and enable its debugging to see its interaction with PAM.

Also, check for errors in the PAM config; perhaps the module is included at the wrong point or multiple times.
> Current configs:
> /etc/pam.d/system-auth & password-auth
> auth required pam_env.so
> #auth required pam_tally2.so deny=3 unlock_time=1800
> auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
> auth [default=1 ignore=ignore success=ok] pam_localuser.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> auth sufficient pam_sss.so forward_pass
> auth required pam_deny.so
>
> account required pam_unix.so
> #account required pam_tally2.so
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 1000 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3 minlen=12 minclass=3 lcredit=1 dcredit=1 ocredit=1 ucredit=1 difok=1
> password sufficient pam_unix.so md5 remember=10 shadow nullok try_first_pass use_authtok
> password sufficient pam_sss.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> -session optional pam_systemd.so
> session optional pam_oddjob_mkhomedir.so umask=0077
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_sss.so
>
> /etc/pam.d/tac_plus
> auth required pam_nologin.so
> auth include system-auth
> account include system-auth
> password include system-auth
> session include system-auth
>
> Any help is much appreciated.
>
> Thanks,
>
> Ann Morton
> Interim Manager
> Server Response Team
> NWRDC
> 850-645-3540
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus

From sambill at netcourrier.com Thu Apr 4 10:41:33 2019
From: sambill at netcourrier.com (sambill at netcourrier.com)
Date: Thu, 4 Apr 2019 12:41:33 +0200 (CEST)
Subject: [tac_plus] deny a particular command and allow all others
Message-ID:

Hello;

We use tac_plus in our network, working fine (Cisco and Juniper equipment). I want to allow a particular command and allow all others.

How can I set the tac_plus config file to achieve this?

Any suggestion will be welcome.

Thanks
Landry

From heas at shrubbery.net Thu Apr 4 14:43:23 2019
From: heas at shrubbery.net (heasley)
Date: Thu, 4 Apr 2019 14:43:23 +0000
Subject: [tac_plus] deny a particular command and allow all others
In-Reply-To:
References:
Message-ID: <20190404144323.GB59188@shrubbery.net>

Thu, Apr 04, 2019 at 12:41:33PM +0200, sambill at netcourrier.com:
> Hello;
>
> We use tac_plus in our network, working fine (Cisco and Juniper equipment). I want to allow a particular command and allow all others.
>
> How can I set the tac_plus config file to achieve this?

There are three ways, depending upon the equipment.
1) use cmd authorization in tac_plus, like the user fred in the example config, assuming the device supports command authorization
2) use an external authorization script, like do_auth which comes with tac_plus, assuming the device supports command authorization
3) create roles (or whatever the jargon the vendor uses) on the equipment and assign users to those roles via tacacs AVPs

I suppose, as a variation of 3,
4) create roles (or whatever the jargon the vendor uses) and assign users to those roles on the equipment, and just do authentication via tacacs

From sambill at netcourrier.com Mon Apr 8 22:38:18 2019
From: sambill at netcourrier.com (sambill at netcourrier.com)
Date: Tue, 9 Apr 2019 00:38:18 +0200 (CEST)
Subject: [tac_plus] deny a particular command and allow all others
In-Reply-To: <20190404144323.GB59188@shrubbery.net>
Message-ID:

Hello;

Thank you for your reply. I want to provide more details on the issue I'm facing; any suggestion will be welcome.

Someone accidentally removed the existing allowed VLANs on a trunk while adding a new VLAN: he forgot to type "switchport trunk allowed vlan add X" and typed "switchport trunk allowed vlan X" instead.

How can I prevent this using tac_plus?

My goal is to deny "switchport trunk allowed vlan X" and permit "switchport trunk allowed vlan add X", "switchport trunk allowed vlan none", "switchport trunk allowed vlan all" and any other configuration commands.

Our Cisco equipment is already integrated with tac_plus and works fine. Below is an extract of the current tac_plus configuration file, with user test belonging to networkadmin. Can someone point me to how to modify the file below in order to achieve my goal?

root at lab:~# more /etc/tacacs+/tac_plus.conf

....
....
accounting file = /var/log/tac_plus.acct

group = networkadmin {
        default service = permit
        #enable = cleartext "test"
        enable = nopassword
        service = exec {
                priv-lvl = 15
                idletime = 10
                optional shell:roles="\"network-admin vdc-admin\""
        }
}

user = test {
        login = PAM
        member = networkadmin
}

...
...

root at lab:~#

The second problem: between my switch and the tacacs server there is NAT, so on the tacacs server all requests come from the same IP. In this situation there is no way to know which request or log comes from which network equipment. Is there a way to configure aaa on the Cisco equipment so that, for example, the hostname or management IP of the Cisco equipment can be included in the accounting records sent to the tac_plus server?

Best regards;

From: heasley
To: sambill at netcourrier.com
Subject: Re: [tac_plus] deny a particular command and allow all others
Date: 04/04/2019 16:43:23 Europe/Paris
Cc: tac_plus at shrubbery.net

Thu, Apr 04, 2019 at 12:41:33PM +0200, sambill at netcourrier.com:
> Hello;
>
> We use tac_plus in our network, working fine (Cisco and Juniper equipment). I want to allow a particular command and allow all others.
>
> How can I set the tac_plus config file to achieve this?

There are three ways, depending upon the equipment.

1) use cmd authorization in tac_plus, like the user fred in the example config, assuming the device supports command authorization
2) use an external authorization script, like do_auth which comes with tac_plus, assuming the device supports command authorization
3) create roles (or whatever the jargon the vendor uses) on the equipment and assign users to those roles via tacacs AVPs

I suppose, as a variation of 3,
4) create roles (or whatever the jargon the vendor uses) and assign users to those roles on the equipment, and just do authentication via tacacs
From alan.mckinnon at gmail.com Tue Apr 9 08:07:55 2019
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Tue, 9 Apr 2019 10:07:55 +0200
Subject: [tac_plus] deny a particular command and allow all others
In-Reply-To:
References:
Message-ID: <5a8ad0cd-2cc0-ed9e-9f10-ff81054abad4@gmail.com>

This gets tricky in the tacplus config file. The first thing you must understand is that tacplus has no concept of what those commands *mean* in context, and the only tool it can use is string matching with regular expressions. tacplus does not know what part of the command is command keywords and what is data (i.e. VLAN numbers); it sees only a bunch of text.
So you have to do this:

allow ^switchport trunk allowed vlan add .*$
allow ^switchport trunk allowed vlan none$
allow ^switchport trunk allowed vlan all$
deny  ^switchport trunk allowed vlan .*$
allow ^.*$

You have to make those first "allow"s explicit, as add, none and all match the ".*" (i.e. anything) at the end of the deny, so you must cater for this. The list of such allows can become quite long.

Of course this rabbit hole gets very deep very quickly, and there are possibly hundreds of similar use cases. do_auth is not much help here, as it will have the identical problem for the same reason. It's a very good script, but it is not good at solving *this* problem.

I would never recommend you go the above route, as it very quickly balloons to crazy levels as real life intrudes. Rather take this route:

- check if the switch can help with built-in roles or such. Perhaps the equipment itself understands the implications of "switchport trunk allowed vlan X", that it's different from the other variants, and can deal with it differently somehow; then use solution 3) offered by John.

Alan

On 2019/04/09 00:39, sambill at netcourrier.com wrote:
> Hello;
>
> Thank you for your reply. I want to provide more details on the issue I'm facing; any suggestion will be welcome.
>
> Someone accidentally removed the existing allowed VLANs on a trunk while adding a new VLAN: he forgot to type "switchport trunk allowed vlan add X" and typed "switchport trunk allowed vlan X" instead.
>
> How can I prevent this using tac_plus?
> My goal is to deny "switchport trunk allowed vlan X" and permit "switchport trunk allowed vlan add X", "switchport trunk allowed vlan none", "switchport trunk allowed vlan all" and any other configuration commands.
>
> Our Cisco equipment is already integrated with tac_plus and works fine. Below is an extract of the current tac_plus configuration file, with user test belonging to networkadmin. Can someone point me to how to modify the file below in order to achieve my goal?
>
> root at lab:~# more /etc/tacacs+/tac_plus.conf
>
> ....
> ....
> accounting file = /var/log/tac_plus.acct
>
> group = networkadmin {
>         default service = permit
>         #enable = cleartext "test"
>         enable = nopassword
>         service = exec {
>                 priv-lvl = 15
>                 idletime = 10
>                 optional shell:roles="\"network-admin vdc-admin\""
>         }
> }
>
> user = test {
>         login = PAM
>         member = networkadmin
> }
>
> ...
> ...
>
> root at lab:~#
>
> The second problem: between my switch and the tacacs server there is NAT, so on the tacacs server all requests come from the same IP. In this situation there is no way to know which request or log comes from which network equipment. Is there a way to configure aaa on the Cisco equipment so that, for example, the hostname or management IP of the Cisco equipment can be included in the accounting records sent to the tac_plus server?
>
> Best regards;
>
> From: heasley
> To: sambill at netcourrier.com
> Subject: Re: [tac_plus] deny a particular command and allow all others
> Date: 04/04/2019 16:43:23 Europe/Paris
> Cc: tac_plus at shrubbery.net
>
> Thu, Apr 04, 2019 at 12:41:33PM +0200, sambill at netcourrier.com:
>> Hello;
>>
>> We use tac_plus in our network, working fine (Cisco and Juniper equipment). I want to allow a particular command and allow all others.
>>
>> How can I set the tac_plus config file to achieve this?
>
> There are three ways, depending upon the equipment.
> 1) use cmd authorization in tac_plus, like the user fred in the example config,
> assuming the device supports command authorization
> 2) use an external authorization script, like do_auth which comes with tac_plus,
> assuming the device supports command authorization
> 3) create roles (or whatever the jargon the vendor uses) on the equipment
> and assign users to those roles via tacacs AVPs
>
> I suppose, as a variation of 3,
> 4) create roles (or whatever the jargon the vendor uses)
> and assign users to those roles on the equipment, and just do authentication
> via tacacs
>

--
Alan McKinnon
alan.mckinnon at gmail.com
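For anyone who does take the cmd-authorization route (point 1 of heasley's list) despite Alan's warning, the block below is an added example, not from this thread or the tac_plus project. It carries a hypothetical tac_plus.conf fragment for the VLAN case, written in tac_plus's own `cmd = <keyword> { permit <regex> / deny <regex> }` form, together with a small Python re-implementation of the per-command matching so the ordering point Alan makes can be checked offline without a switch. Assumptions, all labelled in the code: the NAS sends the first word (`switchport`) as the command and the rest as its arguments, which is what the regexes are tested against; tac_plus tries the regexes in order and the first match decides; a listed command that matches nothing is denied; `default service = permit` (which the poster's config already has) covers commands with no cmd block; and `remove`/`except` are extra sub-forms added here, not mentioned in the thread. Every pattern is anchored with `^` because the match is treated as a search, and the patterns use only basic regex syntax (no alternation, no `+`) since the regex flavour depends on how tac_plus was built.

```python
"""Model of tac_plus per-command authorization for the VLAN case in the
thread. Added example, not from the thread or the tac_plus project: the
config text is a hypothetical tac_plus.conf fragment and the matcher below
re-implements the documented permit/deny list so it can be tested offline."""
import re

# Hypothetical tac_plus.conf fragment. Inside `cmd = switchport { }` the
# regexes are tested against the command's arguments (the text after the
# `switchport` keyword). Specific permits come first, then the catch-all deny
# for the bare form, then `permit .*` so every other switchport sub-command
# keeps working. Patterns are anchored and use only basic regex syntax.
TAC_PLUS_CONF = r"""
group = networkadmin {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
    cmd = switchport {
        permit ^trunk allowed vlan add .*
        permit ^trunk allowed vlan remove .*
        permit ^trunk allowed vlan except .*
        permit ^trunk allowed vlan none$
        permit ^trunk allowed vlan all$
        deny   ^trunk allowed vlan .*
        permit .*
    }
}
"""

# Same rules with the deny first: the specific permits are never reached.
WRONG_ORDER_CONF = r"""
group = networkadmin {
    default service = permit
    cmd = switchport {
        deny   ^trunk allowed vlan .*
        permit ^trunk allowed vlan add .*
        permit .*
    }
}
"""

def parse_cmd_blocks(conf):
    """Return ({command: [(verdict, compiled regex), ...]}, default_permit)."""
    default_permit = re.search(r"default\s+service\s*=\s*permit", conf) is not None
    blocks = {}
    for m in re.finditer(r"cmd\s*=\s*(\S+)\s*\{(.*?)\}", conf, re.S):
        rules = []
        for line in m.group(2).splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            verdict, pattern = line.split(None, 1)
            if verdict not in ("permit", "deny"):
                raise ValueError(f"bad rule in cmd = {m.group(1)}: {line!r}")
            rules.append((verdict, re.compile(pattern)))
        blocks[m.group(1)] = rules
    return blocks, default_permit

def authorize(command, conf=TAC_PLUS_CONF):
    """Verdict for one CLI line as the NAS would send it: keyword + args."""
    blocks, default_permit = parse_cmd_blocks(conf)
    keyword, _, args = command.strip().partition(" ")
    if keyword not in blocks:
        return default_permit      # no cmd block: `default service` decides
    for verdict, rx in blocks[keyword]:
        if rx.search(args):        # rules tried in order; first match wins
            return verdict == "permit"
    return False                   # assumed: listed command, nothing matched

# Constructed sample commands, including the mistake from the thread.
SAMPLE_COMMANDS = [
    "switchport trunk allowed vlan 10",        # replaces the whole list
    "switchport trunk allowed vlan 10,20-30",
    "switchport trunk allowed vlan add 10",
    "switchport trunk allowed vlan remove 10",
    "switchport trunk allowed vlan none",
    "switchport trunk allowed vlan all",
    "switchport mode trunk",
    "interface Ethernet1/1",                   # no cmd block: default service
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(f"{'permit' if authorize(cmd) else 'deny  '}  {cmd}")
    print("wrong order, add:",
          authorize("switchport trunk allowed vlan add 10", WRONG_ORDER_CONF))
```

Running it shows only the two bare `switchport trunk allowed vlan <list>` forms denied and everything else permitted, while `WRONG_ORDER_CONF` denies the `add` form as well, which is exactly the trap Alan describes. Two practitioner caveats: the cmd block does nothing unless the switch actually sends configuration-mode commands for authorization (on IOS that is `aaa authorization config-commands` alongside `aaa authorization commands 15 ...`), and the user who typed the offending line still needs to be in a group that has the block, so the same mistake from a locally defined account is unaffected.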