[tac_plus] DCNM tacacs roles

Munroe Sollog mus3 at lehigh.edu
Wed Jun 23 16:04:54 UTC 2021


I don't want to get distracted from my actual problem, but after reading
this:
https://shrubbery.net/pipermail/tac_plus/2012-January/001048.html
I thought the optional AVPs are not sent unless requested.  Either way, I'm
trying to figure out why <cisco-av-pair:shell:roles= "network-admin"> works
but <optional shell:roles = "network-admin"> does not work.

Thanks.

On Tue, Jun 22, 2021 at 4:19 PM heasley <heas at shrubbery.net> wrote:

> Tue, Jun 22, 2021 at 03:26:20PM -0400, Munroe Sollog:
> > I thought optional pairs are only sent to the device if they are
> > requested.
>
> they should always be sent.  It is the device's choice whether to
> act upon optional AVPs.  The device MUST act upon non-optional AVPs;
> this is why an AVP that is unknown to a device often causes an error
> on/from the device.
>
> You might find an external authorization script useful for debugging
> or even for more flexibility in AVP manipulation.
>
> user = auth1 {
>    before authorization "/path/pre_authorize $user $port $address"
>    after authorization "/path/post_authorize $user $port $status"
> }
>
> > On Tue, Jun 22, 2021 at 3:23 PM heasley <heas at shrubbery.net> wrote:
> >
> > > Tue, Jun 22, 2021 at 01:01:37PM -0400, Munroe Sollog:
> > > > According to the Cisco documentation, DCNM expects the role of
> > > > 'network-admin' to be supplied to grant a user administrator privileges.  I
> > > > was able to provide that role using this config:
> > > >
> > > >         service = exec {
> > > >
> > > >              priv-lvl = 15
> > > >
> > > >             cisco-av-pair:shell:roles= "network-admin"
> > > >
> > > >             #optional shell:roles = "network-admin"
> > > >
> > > >
> > > >              }
> > > >
> > > > However, this causes my switches to balk.  I'm trying to convert that to an
> > > > "optional" parameter as you can see in the commented line.  However I am
> > > > not having any success.  I have been trying to confirm that DCNM is
> > > > actually requesting the role attribute, but none of my debug commands or
> > > > packet captures seem to make that clear.  Here is some debug output of both
> > > > the authentication and authorization phase.  Any help would be
> > > > appreciated.  Thanks.
> > >
> > > There is no "request" of the attribute.  The attribute is passed with
> > > an authorization reply.
> > >
> > > I suspect that you have some other configuration error.
> > >
> > > > root at rover:/etc/tacacs+# /usr/sbin/tac_plus -C /etc/tacacs+/tac_plus.conf -g -d24
> > > > Reading config
> > > > Version F4.0.4.27a Initialized 1
> > > > tac_plus server F4.0.4.27a starting
> > > > socket FD 4 AF 2
> > > > uid=0 euid=0 gid=0 egid=0 s=-178230864
> > > > connect from 192.168.1.248 [192.168.1.248]
> > > > 192.168.1.248 : fd 5 eof (connection closed)
> > > > Read -1 bytes from 192.168.1.248 , expecting 12
> > > > connect from 192.168.1.248 [192.168.1.248]
> > > > login query for 'mus3' port 49 from 192.168.1.248 accepted
> > > > connect from 192.168.1.248 [192.168.1.248]
> > > > Start authorization request
> > > > do_author: user='mus3'
> > > > user 'mus3' found
> > > > mus3 may run an unlimited number of sessions
> > > > exec authorization request for mus3
> > > > exec is explicitly permitted by line 226
> > > > nas:service=shell (passed thru)
> > > > nas:protocol=ip (passed thru)
> > > > nas:cmd= (passed thru)
> > > > nas:cisco-av-pair*  svr:absent/deny -> delete cisco-av-pair*  (i)
> > > > nas:shell:roles*  svr:shell:roles*network-admin -> replace with shell:roles*network-admin (h)
> > > > nas:absent, server:priv-lvl=15 -> add priv-lvl=15 (k)
> > > > replaced 2 args
> > > > authorization query for 'mus3' 49 from 192.168.1.248 accepted
> > > >
> > > >
> > > >
> > > > --
> > > > Munroe Sollog (He/Him/His)
> > > > Senior Network Engineer
> > > > munroe at lehigh.edu
> > >
> > --
> > Munroe Sollog (He/Him/His)
> > Senior Network Engineer
> > munroe at lehigh.edu
>


-- 
Munroe Sollog (He/Him/His)
Senior Network Engineer
munroe at lehigh.edu
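
Added example, not part of the original thread or of the tac_plus distribution: a sketch of what the `/path/post_authorize` script from the quoted config could look like for this kind of debugging. It logs each AV pair received on stdin as mandatory (`=`) or optional (`*`), assuming the pairs arrive one per line in the same `name=value` / `name*value` form the debug output shows. The log path and function names are assumptions.

```shell
#!/bin/sh
# Hypothetical /path/post_authorize debug helper (added example).
# Called as: post_authorize $user $port $status, AV pairs on stdin.
# Exit status 0 from an "after authorization" script leaves the
# authorization result as it was.

AVP_LOG=${AVP_LOG:-/var/log/tac_plus_avp.log}   # assumed log location

# Split one AV pair at its first '=' (mandatory) or '*' (optional).
classify_avp() {
    avp=$1
    name=${avp%%[=*]*}          # text before the first separator
    if [ "$name" = "$avp" ] || [ -z "$name" ]; then
        printf 'malformed - %s\n' "$avp"
        return 1
    fi
    rest=${avp#"$name"}         # separator plus value
    value=${rest#?}
    case $rest in
        '='*) kind=mandatory ;;
        *)    kind=optional ;;
    esac
    printf '%s %s %s\n' "$kind" "$name" "$value"
}

# Classify every AV pair on stdin, prefixed with user, port and status.
log_avps() {
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        printf '%s %s %s: %s\n' "$1" "$2" "$3" "$(classify_avp "$line")"
    done
}

# Run only when invoked with the three arguments the config passes.
if [ $# -eq 3 ]; then
    log_avps "$@" >> "$AVP_LOG"
    exit 0
fi
```

Comparing the logged separator for `shell:roles` between the two config variants shows whether the pair leaves the server as mandatory or optional, independent of how the device reacts to it.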