From dlambert at OneCommunications.com Thu Jan 10 14:15:51 2008
From: dlambert at OneCommunications.com (Lambert, David)
Date: Thu, 10 Jan 2008 09:15:51 -0500
Subject: [tac_plus] Hi I have the Tac_plus up and running aand was wandering if you can point to some documentaion on ties secureid into this solution?
Message-ID:

Hi I have the Tac_plus up and running and was wondering if
you can point to some documentation on tying secureid into this
solution?

Thanks

Dave Lambert

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20080110/308553a6/attachment.html

From dlambert at OneCommunications.com Thu Jan 10 20:18:50 2008
From: dlambert at OneCommunications.com (Lambert, David)
Date: Thu, 10 Jan 2008 15:18:50 -0500
Subject: [tac_plus] OK I have it working as far as the authentication but I can not get the debug to work no matter what I do ! I get no errors jsut no login information int he log even though I sent it to
Message-ID:

OK I have it working as far as the authentication but I cannot get the
debug to work no matter what I do! I get no errors, just no login
information in the log even though I set it using the -d 16 option just
like the documentation states. Any ideas on this? Any help would be
appreciated!

Dave Lambert

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20080110/e53815f5/attachment.html

From heas at shrubbery.net Thu Jan 10 22:05:34 2008
From: heas at shrubbery.net (john heasley)
Date: Thu, 10 Jan 2008 22:05:34 +0000
Subject: [tac_plus] Re: OK I have it working as far as the authentication but I can not get the debug to work no matter what I do ! I get no errors jsut no login information int he log even though I sent it to
In-Reply-To:
References:
Message-ID: <20080110220534.GG19360@shrubbery.net>

debug information should all go to syslog; daemon.debug.
Make sure that you have your syslog.conf configured such that it will
not filter this facility or priority.

Thu, Jan 10, 2008 at 03:18:50PM -0500, Lambert, David:
> OK I have it working as far as the authentication but I cannot get the
> debug to work no matter what I do! I get no errors, just no login
> information in the log even though I set it using the -d 16 option just
> like the documentation states. Any ideas on this? Any help would be
> appreciated!
>
> Dave Lambert
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20080110/e53815f5/attachment.html
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

From heas at shrubbery.net Thu Jan 10 22:20:50 2008
From: heas at shrubbery.net (john heasley)
Date: Thu, 10 Jan 2008 22:20:50 +0000
Subject: [tac_plus] Re: Hi I have the Tac_plus up and running aand was wandering if you can point to some documentaion on ties secureid into this solution?
In-Reply-To:
References:
Message-ID: <20080110222050.GH19360@shrubbery.net>

Thu, Jan 10, 2008 at 09:15:51AM -0500, Lambert, David:
> Hi I have the Tac_plus up and running and was wondering if
> you can point to some documentation on tying secureid into this
> solution?

I guess that it was you who I spoke with this morning. For the mail
archives, the only way to do this is with PAM, since RSA does not
release any information about the protocol(s) used to converse with
their daemon.

RSA offers an unsupported (IIRC) securIDPAM module. As long as you're
using an O/S for which RSA has seen fit to make it available, tacacs
can be configured to use PAM for individual users and with the module
and appropriate PAM configuration, those users will be authenticated
with securID.

Technically, RSA offers a library that you can get if you sign an NDA
with them.
However, true to their normal behavior, the library is only available
on a few platforms and O/Ses; for example, the last I checked they did
not offer a version for Solaris 10 x86 and certainly not a 64-bit
version for even the Solaris Sparc 64-bit. Therefore, PAM is a much
better solution, even though RSA may choose to stop supporting it;
though unlikely given the proliferation of PAM.

So, what would be keen is a PAM module that would use tacacs for
authentication. That would allow machines not supported by RSA to
authenticate via tacacs running on a host that is supported.

From x0sin0x at gmail.com Wed Jan 16 17:59:38 2008
From: x0sin0x at gmail.com (SiN)
Date: Wed, 16 Jan 2008 10:59:38 -0700
Subject: [tac_plus] anyone know of any test clients available for windows/*nix?
Message-ID: <8e885d590801160959y6a85b083g6882e34975d28a43@mail.gmail.com>

I'm having a hard time finding a test client for modifications I've
made to the source. Don't have any hardware available at the moment to
test with.

--
..::x0SiN0x::..
G4m3R 4 L1F3

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20080116/7e33ee66/attachment.html

From dlambert at OneCommunications.com Fri Jan 18 14:16:22 2008
From: dlambert at OneCommunications.com (Lambert, David)
Date: Fri, 18 Jan 2008 09:16:22 -0500
Subject: [tac_plus] I am trying to compile the 4.0.4.15 with pam supprt and not having nay luck when I do a configure --help i do not see it as an option what is the best way to get pam added?
Message-ID:

I am trying to compile the 4.0.4.15 with pam support and not having any
luck. When I do a configure --help I do not see it as an option. What is
the best way to get pam added?

Thanks!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20080118/ee96ca83/attachment.html

From heas at shrubbery.net Sat Jan 19 19:39:15 2008
From: heas at shrubbery.net (john heasley)
Date: Sat, 19 Jan 2008 19:39:15 +0000
Subject: [tac_plus] Re: I am trying to compile the 4.0.4.15 with pam supprt and not having nay luck when I do a configure --help i do not see it as an option what is the best way to get pam added?
In-Reply-To:
References:
Message-ID: <20080119193915.GG2634@shrubbery.net>

the configure script always checks for pam; looking for libpam. if
HAVE_PAM is defined in config.h, then it found it successfully. if not,
then the configure script failed for some reason; the reason could be
found in the config.log file.

Fri, Jan 18, 2008 at 09:16:22AM -0500, Lambert, David:
> I am trying to compile the 4.0.4.15 with pam support and not having any
> luck. When I do a configure --help I do not see it as an option. What is
> the best way to get pam added?
>
> Thanks!
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20080118/ee96ca83/attachment.html
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

From justin at justinshore.com Fri Jan 25 19:41:52 2008
From: justin at justinshore.com (Justin Shore)
Date: Fri, 25 Jan 2008 13:41:52 -0600
Subject: [tac_plus] TACACS mailing list
Message-ID: <479A3B80.3040604@justinshore.com>

Is there a mailing list for your TACACS fork? I need to find a place
to post a config query. I'm trying to figure out how to set up
tac_plus to auth HTTPS connections (SDM) on an IOS device and I need to
configure it to permit an exec shell and set the priv level to 15. I
haven't been able to find any docs on it so far.
Thanks
 Justin

From tomas.triyoso at ap.equinix.com Mon Jan 28 12:15:18 2008
From: tomas.triyoso at ap.equinix.com (Tomas TRIYOSO)
Date: Mon, 28 Jan 2008 20:15:18 +0800
Subject: [tac_plus] tac plus acl problem with specific ip address
Message-ID:

Hi,

I have a problem with the tacacs plus implementation that I downloaded
from ftp://ftp.shrubbery.net/pub/tac_plus

The ACL below was implemented on the group HKG-OPS.

acl = limit_hkg-ops {
    permit = 10.7.7\.
    permit = 172.16.113\.
    permit = 172.16.115\.
    permit = 10.5.21.2
    permit = 172.31.7.2
    permit = 172.16.115.4
    permit = 172.16.115.5
    permit = 172.16.116.254
}

The HKG-OPS group can successfully log in to the above IP addresses,
except 172.16.116.254.

I also tried removing all the other IP addresses so the acl looks like
below:

acl = limit_hkg-ops {
    permit = 172.16.116.254
}

The HKG-OPS group still cannot log in to that device. With message:
"% authentication failure"

While the other group, without the acl implementation, successfully
logs in to the device.

Please advise.

Regards,
Tomas Triyoso

[The information in this email is confidential and may be legally
privileged. Access to this email by anyone other than the intended
addressee is unauthorized. If you are not the intended recipient of
this message, any review, disclosure, copying, distribution, retention,
or any action taken or omitted to be taken in reliance on it is
prohibited and may be unlawful. If you are not the intended recipient,
please reply to or forward a copy of this message to the sender and
delete the message, any attachments, and any copies thereof from your
system.]

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20080128/a67cd303/attachment.html

From heas at shrubbery.net Mon Jan 28 16:59:44 2008
From: heas at shrubbery.net (john heasley)
Date: Mon, 28 Jan 2008 16:59:44 +0000
Subject: [tac_plus] Re: tac plus acl problem with specific ip address
In-Reply-To:
References:
Message-ID: <20080128165944.GD25139@shrubbery.net>

Mon, Jan 28, 2008 at 08:15:18PM +0800, Tomas TRIYOSO:
> Hi,
>
> I have a problem with the tacacs plus implementation that I downloaded
> from ftp://ftp.shrubbery.net/pub/tac_plus
>
> The ACL below was implemented on the group HKG-OPS.
>
> acl = limit_hkg-ops {
>     permit = 10.7.7\.
>     permit = 172.16.113\.
>     permit = 172.16.115\.
>     permit = 10.5.21.2
>     permit = 172.31.7.2
>     permit = 172.16.115.4
>     permit = 172.16.115.5
>     permit = 172.16.116.254
> }
>
> The HKG-OPS group can successfully log in to the above IP addresses,
> except 172.16.116.254.
>
> I also tried removing all the other IP addresses so the acl looks like
> below:
>
> acl = limit_hkg-ops {
>     permit = 172.16.116.254
> }
>
> The HKG-OPS group still cannot log in to that device. With message:
> "% authentication failure"
>
> While the other group, without the acl implementation, successfully
> logs in to the device.

check the source ip of the device's connection.
ie: ip tacacs source-interface X

From tomas.triyoso at ap.equinix.com Tue Jan 29 00:54:28 2008
From: tomas.triyoso at ap.equinix.com (Tomas TRIYOSO)
Date: Tue, 29 Jan 2008 08:54:28 +0800
Subject: [tac_plus] Re: tac plus acl problem with specific ip address
Message-ID:

Hi John,

Thank you for your email.

I have already checked; there is no source IP of the device connection
on the router (172.16.116.254) configuration.

BTW, when I remark the "acl" on the TACACS configuration, the group
"HKG-OPS" can successfully log in to the device (172.16.116.254)

group = HKG-OPS {
    member = OPERATOR
    # acl = limit_hkg-ops
}

Please advise.

Regards,
Tomas Triyoso
Equinix Asia Pacific Pte Ltd.
Company Registration No: 200210224C

[The information in this email is confidential and may be legally
privileged. Access to this email by anyone other than the intended
addressee is unauthorized. If you are not the intended recipient of
this message, any review, disclosure, copying, distribution, retention,
or any action taken or omitted to be taken in reliance on it is
prohibited and may be unlawful. If you are not the intended recipient,
please reply to or forward a copy of this message to the sender and
delete the message, any attachments, and any copies thereof from your
system.]

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Tuesday, January 29, 2008 1:00 AM
To: Tomas TRIYOSO
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] tac plus acl problem with specific ip address

Mon, Jan 28, 2008 at 08:15:18PM +0800, Tomas TRIYOSO:
> Hi,
>
> I have a problem with the tacacs plus implementation that I downloaded
> from ftp://ftp.shrubbery.net/pub/tac_plus
>
> The ACL below was implemented on the group HKG-OPS.
>
> acl = limit_hkg-ops {
>     permit = 10.7.7\.
>     permit = 172.16.113\.
>     permit = 172.16.115\.
>     permit = 10.5.21.2
>     permit = 172.31.7.2
>     permit = 172.16.115.4
>     permit = 172.16.115.5
>     permit = 172.16.116.254
> }
>
> The HKG-OPS group can successfully log in to the above IP addresses,
> except 172.16.116.254.
>
> I also tried removing all the other IP addresses so the acl looks like
> below:
>
> acl = limit_hkg-ops {
>     permit = 172.16.116.254
> }
>
> The HKG-OPS group still cannot log in to that device. With message:
> "% authentication failure"
>
> While the other group, without the acl implementation, successfully
> logs in to the device.

check the source ip of the device's connection.
ie: ip tacacs source-interface X

From aleksandarn at sbb.co.yu Thu Jan 31 19:34:58 2008
From: aleksandarn at sbb.co.yu (Aleksandar Nasuovski)
Date: Thu, 31 Jan 2008 20:34:58 +0100
Subject: [tac_plus] Tacacs+ group quastion
Message-ID: <200801311934.m0VJYqOT014100@smtp1.sbb.co.yu>

Hello,

I'm using the last version of your version of Tacacs: F4.0.4.15.

Question: I tested the configuration of a group ACL to put Allow/Deny
commands which the user can type. But that does not work, because it
notifies me that the config got an error in Group. When I add the
Allow/Deny command in the USER config, that works.

I want to say that an ACL like Permit 192.168.X.X NAS, merged with
groups, works very well.

Q: Can I put Allow/Deny commands in ACL?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20080131/981f95de/attachment.html
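
Added example, not part of any list message and not tac_plus project code: a Python model of the acl posted in the "tac plus acl problem with specific ip address" thread above, showing that the verdict depends on the peer address the daemon sees and that unanchored entries match more than the listed hosts. It assumes entries are unanchored regular expressions tried in order with an implicit deny when nothing matches; the sample addresses and the anchored variant are constructed for illustration.

```python
import re

# ACL exactly as posted in the thread (all entries are permits).
ACL_POSTED = [("permit", p) for p in (
    r"10.7.7\.", r"172.16.113\.", r"172.16.115\.", "10.5.21.2", "172.31.7.2",
    "172.16.115.4", "172.16.115.5", "172.16.116.254")]


def evaluate_acl(acl, source_ip):
    """First matching entry wins; no match is an implicit deny (assumption)."""
    for action, pattern in acl:
        # Assumption: entries are unanchored regexes, modelled with re.search.
        if re.search(pattern, source_ip):
            return action, pattern
    return "deny", None


def harden(pattern):
    """Escape every dot and anchor the entry; a trailing dot marks a prefix."""
    literal = pattern.replace(r"\.", ".")
    anchored = "^" + re.escape(literal)
    return anchored if literal.endswith(".") else anchored + "$"


# Constructed variant of the posted ACL; check the daemon's regex dialect
# before relying on ^ and $ in a real configuration.
ACL_HARDENED = [(action, harden(p)) for action, p in ACL_POSTED]

# Constructed source addresses: what the daemon might see as the peer address.
SAMPLES = [
    "172.16.116.254",  # router connects from the address listed in the ACL
    "192.0.2.1",       # same router, TACACS+ sourced from another interface
    "10.5.21.20",      # not listed, but "10.5.21.2" matches as a substring
    "110.7.7.9",       # not listed, but "10.7.7\." matches mid-string
]


def compare(samples=SAMPLES):
    """Return {ip: (verdict under posted ACL, verdict under hardened ACL)}."""
    return {ip: (evaluate_acl(ACL_POSTED, ip)[0],
                 evaluate_acl(ACL_HARDENED, ip)[0]) for ip in samples}


if __name__ == "__main__":
    for ip, (posted, hardened) in compare().items():
        print(f"{ip:<16} posted={posted:<7} hardened={hardened}")
```

The second sample corresponds to the check suggested in the reply: if the device's TACACS+ connection arrives from an address other than the one written in the acl, the entry never matches.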