[tac_plus] deny a particular command and allow all others

Alan McKinnon alan.mckinnon at gmail.com
Tue Apr 9 08:07:55 UTC 2019


This gets tricky in the tacplus config file.

The first thing you must understand is that tacplus has no concept of 
what those commands *mean* in context and the only tool it can use is 
string matching with regular expressions. tacplus does not know what 
part of the command is command keywords and what is data (i.e. VLAN 
numbers), it sees only a bunch of text. So you have to do this:

allow
   ^switchport trunk allowed vlan add .*$
   ^switchport trunk allowed vlan none$
   ^switchport trunk allowed vlan all$

deny
   ^switchport trunk allowed vlan .*$

allow
   ^.*$

You have to make those first "allow"s explicit, as add, none and all 
match the ".*" (i.e. anything) at the end of the deny, so you must cater 
for this. The list of such allows can become quite long. Of course this 
rabbit hole gets very deep very quickly, and there are possibly hundreds of 
similar use cases.

do_auth is not much help here as it will have the identical problem for 
the same reason. It's a very good script but it is not good at solving 
*this* problem.

I would never recommend you go the above route as it very quickly 
balloons to crazy levels as real life intrudes. Rather take this route:

- check if the switch can help with built-in roles or such. Perhaps the 
equipment itself understands the implications of
"switchport trunk allowed vlan X",
that it's different to other variants, and can deal with it differently 
somehow; then use solution 3) offered by John

Alan
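An added example (not from the post or from tac_plus itself) that models the first-match, string-only matching described above in plain Python, so a rule order can be checked against sample commands before it goes into tac_plus.conf. The command strings are constructed; treating an unmatched command as denied is an assumption of this model, not a claim about tac_plus.

```python
import re

# Rule order exactly as the post gives it: explicit permits first, the
# broad deny second, "permit everything else" last.  First match wins.
RULES = [
    ("permit", r"^switchport trunk allowed vlan add .*$"),
    ("permit", r"^switchport trunk allowed vlan none$"),
    ("permit", r"^switchport trunk allowed vlan all$"),
    ("deny",   r"^switchport trunk allowed vlan .*$"),
    ("permit", r"^.*$"),
]

# The tempting "deny first, then the exceptions" order, for comparison.
NAIVE_RULES = [RULES[3]] + RULES[:3] + [RULES[4]]


def authorize(command, rules=RULES):
    """Return (verdict, pattern) for the first rule whose regex matches.
    Pure text matching, as the post says: nothing here knows that 'add'
    is a keyword and '10' is data.  Unmatched commands are denied here
    (an assumption of this model, not a claim about tac_plus)."""
    for verdict, pattern in rules:
        if re.search(pattern, command):
            return verdict, pattern
    return "deny", None


# Constructed sample commands, including the mistake from the thread.
SAMPLES = [
    "switchport trunk allowed vlan 10",         # replaces the whole list
    "switchport trunk allowed vlan add 10",
    "switchport trunk allowed vlan none",
    "switchport trunk allowed vlan all",
    "switchport trunk allowed vlan remove 10",  # harmless, but not listed
    "switchport mode trunk",
]


def evaluate(rules=RULES):
    """Map every sample command to its verdict under the given rule order."""
    return {cmd: authorize(cmd, rules)[0] for cmd in SAMPLES}


if __name__ == "__main__":
    for cmd, verdict in evaluate().items():
        print(f"{verdict:6} {cmd}")
    # With the naive order the broad deny swallows 'add' before its permit:
    print(evaluate(NAIVE_RULES)["switchport trunk allowed vlan add 10"])
```

The denied "remove" case is the rabbit hole the post warns about: every safe variant has to be listed explicitly ahead of the deny.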


On 2019/04/09 00:39, sambill at netcourrier.com wrote:
> Hello;
> 
> 
> 
> Thank you for your reply. I want to provide more details on the issues I'm facing; any suggestion will be welcome.
> 
> 
> 
> Someone accidentally removed the existing allowed VLANs on a trunk while adding a new VLAN: he forgot to type "switchport trunk allowed vlan add X" and typed "switchport trunk allowed vlan X" instead.
> 
> How can I prevent this using tac_plus?
> My goal is to deny "switchport trunk allowed vlan X" and permit "switchport trunk allowed vlan add X", "switchport trunk allowed vlan none", "switchport trunk allowed vlan all" and all other configuration commands.
> 
> Our Cisco equipment is already integrated with tac_plus and works fine. Below is an extract of the current tac_plus configuration file, with user test belonging to group networkadmin. Can someone point me to how to modify the file below in order to achieve my goal?
> 
> root at lab:~# more /etc/tacacs+/tac_plus.conf
> 
> ....
> ....
> accounting file = /var/log/tac_plus.acct
> 
> group = networkadmin {
>         default service = permit
>         #enable = cleartext "test"
>         enable = nopassword
>         service = exec {
>                 priv-lvl = 15
>                 idletime = 10
>                 optional shell:roles="\"network-admin vdc-admin\""
>         }
> }
> 
> user = test {
>          login = PAM
>          member = networkadmin
> }
> 
> ...
> ...
> 
> root at lab:~#
> 
> The second problem: between my switches and the TACACS server there is NAT, so on the TACACS server all requests arrive from the same IP. In this situation there is no way to know which request or log line comes from which network device. Is there a way to configure AAA on the Cisco equipment so that, for example, the hostname or management IP of the device is included in the accounting records sent to the tac_plus server?
> 
> 
> 
> Best regards;
> 
> 
> 
> From: heasley <heas at shrubbery.net>
> To: sambill at netcourrier.com
> Subject: Re: [tac_plus] deny a particular command and allow all others
> Date: 04/04/2019 16:43:23 Europe/Paris
> Cc: tac_plus at shrubbery.net
> 
> Thu, Apr 04, 2019 at 12:41:33PM +0200, sambill at netcourrier.com:
>> Hello;
>>
>> We use tac_plus in our network and it works fine (Cisco and Juniper equipment). I want to allow a particular command and allow all others.
>>
>> How can I set up the tac_plus config file to achieve this?
> 
> There are three ways, depending upon the equipment.
> 1) use cmd authorization in tac_plus, like the user fred in the example config,
> assuming the device supports command authorization
> 2) use an external authorization script, like do_auth which comes with tac_plus,
> assuming the device supports command authorization
> 3) create roles (or whatever jargon the vendor uses) on the equipment
> and assign users to those roles via tacacs AVPs
> 
> I suppose, a variation of 3,
> 4) create roles (or whatever jargon the vendor uses)
> and assign users to those roles on the equipment and just do authentication
> via tacacs
> 


-- 
Alan McKinnon
alan.mckinnon at gmail.com
