[tac_plus] DCNM tacacs roles

heasley heas at shrubbery.net
Tue Jun 22 20:19:45 UTC 2021


Tue, Jun 22, 2021 at 03:26:20PM -0400, Munroe Sollog:
> I thought optional pairs are only sent to the device if they are requested.

they should always be sent.  It is the device's choice whether to
act upon optional AVPs.  The device MUST act upon non-optional AVPs;
this is why an AVP that is unknown to a device often causes an error
on/from the device.

You might find an external authorization script useful for debugging
or even for more flexibility in AVP manipulation.

user = auth1 {
   before authorization "/path/pre_authorize $user $port $address"
   after authorization "/path/post_authorize $user $port $status"
}

> On Tue, Jun 22, 2021 at 3:23 PM heasley <heas at shrubbery.net> wrote:
> 
> > Tue, Jun 22, 2021 at 01:01:37PM -0400, Munroe Sollog:
> > > According to the Cisco documentation, DCNM expects the role of
> > > 'network-admin' to be supplied to grant a user administrator
> > > privileges.  I was able to provide that role using this config:
> > >
> > >         service = exec {
> > >              priv-lvl = 15
> > >              cisco-av-pair:shell:roles= "network-admin"
> > >              #optional shell:roles = "network-admin"
> > >         }
> > >
> > > However, this causes my switches to balk.  I'm trying to convert that to
> > > an "optional" parameter as you can see in the commented line.  However I am
> > > not having any success.  I have been trying to confirm that DCNM is
> > > actually requesting the role attribute, but none of my debug commands or
> > > packet captures seem to make that clear.  Here is some debug output of
> > > both the authentication and authorization phase.  Any help would be
> > > appreciated.  Thanks.
> >
> > There is no "request" of the attribute.  The attribute is passed with
> > an authorization reply.
> >
> > I suspect that you have some other configuration error.
> >
> > > root at rover:/etc/tacacs+# /usr/sbin/tac_plus -C /etc/tacacs+/tac_plus.conf -g -d24
> > > Reading config
> > > Version F4.0.4.27a Initialized 1
> > > tac_plus server F4.0.4.27a starting
> > > socket FD 4 AF 2
> > > uid=0 euid=0 gid=0 egid=0 s=-178230864
> > > connect from 192.168.1.248 [192.168.1.248]
> > > 192.168.1.248 : fd 5 eof (connection closed)
> > > Read -1 bytes from 192.168.1.248 , expecting 12
> > > connect from 192.168.1.248 [192.168.1.248]
> > > login query for 'mus3' port 49 from 192.168.1.248 accepted
> > > connect from 192.168.1.248 [192.168.1.248]
> > > Start authorization request
> > > do_author: user='mus3'
> > > user 'mus3' found
> > > mus3 may run an unlimited number of sessions
> > > exec authorization request for mus3
> > > exec is explicitly permitted by line 226
> > > nas:service=shell (passed thru)
> > > nas:protocol=ip (passed thru)
> > > nas:cmd= (passed thru)
> > > nas:cisco-av-pair*  svr:absent/deny -> delete cisco-av-pair*  (i)
> > > nas:shell:roles*  svr:shell:roles*network-admin -> replace with shell:roles*network-admin (h)
> > > nas:absent, server:priv-lvl=15 -> add priv-lvl=15 (k)
> > > replaced 2 args
> > > authorization query for 'mus3' 49 from 192.168.1.248 accepted
> > >
> > > --
> > > Munroe Sollog (He/Him/His)
> > > Senior Network Engineer
> > > munroe at lehigh.edu
> >
> -- 
> Munroe Sollog (He/Him/His)
> Senior Network Engineer
> munroe at lehigh.edu
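The attribute merge the debug output above records (passed thru / delete / replace / add, and the '=' versus '*' distinction heasley describes) as an added Python example; this is not tac_plus code. NAS_ARGS and SERVER_ARGS are constructed from the thread's debug lines, and the two deny outcomes (a mandatory NAS pair the server neither supplies nor passes through, and a mandatory value conflict) are my assumption following RFC 8907's mandatory-argument semantics, not something the thread shows.

```python
import re
from typing import Dict, List, Tuple

# Constructed from the debug output: AV pairs DCNM sent in its exec
# authorization request ('=' is mandatory, '*' is optional).
NAS_ARGS = ["service=shell", "protocol=ip", "cmd=", "cisco-av-pair*", "shell:roles*"]
# What the 'service = exec' stanza supplied in the reply.
SERVER_ARGS = ["priv-lvl=15", "shell:roles*network-admin"]
# Pairs tac_plus passes through because they only select the service.
PASSTHRU = frozenset({"service", "protocol", "cmd"})

_AVP = re.compile(r"^([^=*]+)([=*])(.*)$")


def parse(avp: str) -> Tuple[str, bool, str]:
    """Split 'attr=value' or 'attr*value' into (attr, mandatory, value)."""
    m = _AVP.match(avp)
    if not m:
        raise ValueError(f"malformed AV pair: {avp!r}")
    return m.group(1), m.group(2) == "=", m.group(3)


def merge(nas: List[str], server: List[str], passthru=PASSTHRU) -> Tuple[str, List[str], List[str]]:
    """Merge NAS and server AV pairs; return (status, reply pairs, trace)."""
    srv: Dict[str, str] = {parse(a)[0]: a for a in server}
    reply: List[str] = []
    trace: List[str] = []
    for avp in nas:
        attr, mandatory, value = parse(avp)
        if attr in srv:
            if value == parse(srv[attr])[2]:      # identical value: keep as sent
                reply.append(avp); trace.append(f"{avp} -> passed thru")
            elif not mandatory:                   # optional NAS pair: server wins (h)
                reply.append(srv[attr]); trace.append(f"{avp} -> replace with {srv[attr]}")
            else:                                 # assumed: mandatory conflict denies
                trace.append(f"{avp} -> conflicts with {srv[attr]}, deny")
                return "FAIL", [], trace
            del srv[attr]
        elif attr in passthru:
            reply.append(avp); trace.append(f"{avp} -> passed thru")
        elif mandatory:                           # assumed: server cannot honour it
            trace.append(f"{avp} -> mandatory but absent on server, deny")
            return "FAIL", [], trace
        else:                                     # optional NAS pair, server absent (i)
            trace.append(f"{avp} -> delete")
    for avp in srv.values():                      # server-only pairs are added (k)
        reply.append(avp); trace.append(f"{avp} -> add")
    return "PASS_REPL", reply, trace


def forced_on_device(reply: List[str]) -> List[str]:
    """Reply pairs the device MUST act on; an unknown one here causes the device error."""
    return [a for a in reply if parse(a)[1]]
```

Running merge(NAS_ARGS, SERVER_ARGS) reproduces the thread's reply, and forced_on_device shows that a non-optional shell:roles= supplied to a device that never asked for it lands in the mandatory list, which is the situation that makes the switches balk.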
