From: heas at shrubbery.net (john heasley)
Date: Wed, 1 Apr 2009 22:23:04 +0000
Subject: [tac_plus] Re: Query
In-Reply-To: <05CC562AFB5A9446A1BC3F66AD04A3BC70D0FF@che-exch-003.uplinkdata.com>
References: <21AF5C86B8DBA2489D136BD3AF5801901EE348@lhmail03.xDerwentSharedServices.nhs.uk> <20090330173928.GM3066@shrubbery.net> <8423e7bb0903301045q7920cdfalc35e7a3c3894fddb@mail.gmail.com> <20090330202043.GJ8627@shrubbery.net> <05CC562AFB5A9446A1BC3F66AD04A3BC70D0FF@che-exch-003.uplinkdata.com>
Message-ID: <20090401222304.GC7653@shrubbery.net>

Tue, Mar 31, 2009 at 03:44:01PM -0600, Schmidt, Daniel:
> I've never been able to make it work... if anybody has a working example
> they could provide, that would be greatly appreciated.

you read all the AVPs on stdin
then write the appropriate AVPs on stdout
and/or finally exit with the appropriate exit code

there shouldn't be any voodoo.  it's not something i do or test on a regular
basis.  i suppose the daemon's handling could be broken, but doubt it.


From: antoninvitecek at seznam.cz (Antonin Vitecek)
Date: Thu, 02 Apr 2009 13:33:39 +0200
Subject: [tac_plus] tacacs+-F4.0.4.16
Message-ID: <49D4A293.6020603@seznam.cz>

Hi,

I just would like to know why tacacs+-F4.0.4.16 is not available from
your ftp server? Is it buggy, or which version is the current one now?

Thanks,
Antonin

From: dan.schmidt at uplinkdata.com (Schmidt, Daniel)
Date: Thu, 2 Apr 2009 08:56:43 -0600
Subject: [tac_plus] Re: Query
In-Reply-To: <20090401222304.GC7653@shrubbery.net>
References: <21AF5C86B8DBA2489D136BD3AF5801901EE348@lhmail03.xDerwentSharedServices.nhs.uk> <20090330173928.GM3066@shrubbery.net> <8423e7bb0903301045q7920cdfalc35e7a3c3894fddb@mail.gmail.com> <20090330202043.GJ8627@shrubbery.net> <05CC562AFB5A9446A1BC3F66AD04A3BC70D0FF@che-exch-003.uplinkdata.com> <20090401222304.GC7653@shrubbery.net>
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BC70D11C@che-exch-003.uplinkdata.com>

Thank you for your reply and for your time.

I found something like this that Ben Kennedy had tried (and failed) in
2007. Attempting to use/modify/change this simple bash script was of no
use - I could not make it work, I could not so much as login. The exit
values look correct and it echoes to stdout. Can anybody see something
wrong?

<>

Here is an example of the config file:

user = test {
    after authorization "/etc/tac-plus/authen $user $address"
}

Example of script:

#!/bin/sh

if [ "$1" = 'test' ]
then
    if [ "$2" = 'X.X.X.X' ]   # ip of switch
    then
        echo default service=permit
        echo login=cleartext XXX
        echo service=exec
        echo {
        echo priv-lvl=15
        echo
        echo cmd=arp
        echo {
        echo permit timeout
        echo }
        echo cmd=no
        echo {
        echo permit arp
        echo }
        echo cmd=show
        echo {
        echo permit run
        echo permit start
        echo }
        echo cmd=configure
        echo {
        echo permit terminal
        echo permit interface
        echo 'deny .*'
        echo }
        exit 2
    fi
fi
exit 1


From: heas at shrubbery.net (john heasley)
Date: Thu, 2 Apr 2009 18:06:04 +0000
Subject: [tac_plus] Re: tacacs+-F4.0.4.16
In-Reply-To: <49D4A293.6020603@seznam.cz>
References: <49D4A293.6020603@seznam.cz>
Message-ID: <20090402180604.GE19445@shrubbery.net>

Thu, Apr 02, 2009 at 01:33:39PM +0200, Antonin Vitecek:
> Hi,
>
> I just would like to know why tacacs+-F4.0.4.16 is not available from
> your ftp server? Is it buggy or which version is the current now?

Because I had cut the image, then realized that I'd broken something for
one of the OSes, which would only come back to haunt me.  I think it
existed for about 1 hour.

From: heas at shrubbery.net (john heasley)
Date: Thu, 2 Apr 2009 18:14:04 +0000
Subject: [tac_plus] Re: Query
In-Reply-To: <05CC562AFB5A9446A1BC3F66AD04A3BC70D11C@che-exch-003.uplinkdata.com>
References: <21AF5C86B8DBA2489D136BD3AF5801901EE348@lhmail03.xDerwentSharedServices.nhs.uk> <20090330173928.GM3066@shrubbery.net> <8423e7bb0903301045q7920cdfalc35e7a3c3894fddb@mail.gmail.com> <20090330202043.GJ8627@shrubbery.net> <05CC562AFB5A9446A1BC3F66AD04A3BC70D0FF@che-exch-003.uplinkdata.com> <20090401222304.GC7653@shrubbery.net> <05CC562AFB5A9446A1BC3F66AD04A3BC70D11C@che-exch-003.uplinkdata.com>
Message-ID: <20090402181404.GF19445@shrubbery.net>

Thu, Apr 02, 2009 at 08:56:43AM -0600, Schmidt, Daniel:
> Thank you for your reply and for your time.
>
> I found something like this that Ben Kennedy had tried (and failed) in
> 2007. Attempting to use/modify/change this simple bash script was of no
> use - I could not make it work, I could not so much as login. The exit
> values look correct and it echoes to stdout. Can anybody see something
> wrong?

first, you MUST drain stdin, even if you do not want to use the data.
second, the output is AV pairs only.  this script is producing
tacplus.conf-like output.

#!/bin/sh
# read every AV pair the daemon hands us, even though we ignore them
while read avp ; do
    :
done
# stdout is AV pairs only
echo avp=bar
exit 2

From: dan.schmidt at uplinkdata.com (Schmidt, Daniel)
Date: Thu, 2 Apr 2009 15:50:11 -0600
Subject: [tac_plus] Re: Query
In-Reply-To: <20090402181404.GF19445@shrubbery.net>
References: <21AF5C86B8DBA2489D136BD3AF5801901EE348@lhmail03.xDerwentSharedServices.nhs.uk> <20090330173928.GM3066@shrubbery.net> <8423e7bb0903301045q7920cdfalc35e7a3c3894fddb@mail.gmail.com> <20090330202043.GJ8627@shrubbery.net> <05CC562AFB5A9446A1BC3F66AD04A3BC70D0FF@che-exch-003.uplinkdata.com> <20090401222304.GC7653@shrubbery.net> <05CC562AFB5A9446A1BC3F66AD04A3BC70D11C@che-exch-003.uplinkdata.com> <20090402181404.GF19445@shrubbery.net>
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BC70D132@che-exch-003.uplinkdata.com>

Thanks much, John!  However, I think we may misunderstand the passed
variables because $address returns the IP of the user, not the device.

From the tac_plus developers kit guide:

    user    -- user name
    name    -- Nas name
    port    -- Nas port
    address -- Nac address (remote user location)
    priv    -- privilege level (a digit, 0 to 15)
    method  -- (a digit, 1 to 4)
    type    -- (a digit, 1 to 4)
    service -- (a digit, 1 to 7)
    status  -- (pass, fail, error, unknown)

    NAS --- A Network Access Server e.g. a Cisco box, or any other *client*
    which makes tacacs+ authentication and authorization requests, or
    generates Tacacs+ accounting packets.

Rather confusing - Nac address would be the Cisco box, but in parentheses
it very specifically says "remote user location."  Which is exactly what I
have found it to return.

The keys it returns were:

    service=shell
    cmdref.pdf
    priv-lvl=15

Which were less than helpful.  (cmdref.pdf?)

The user address is useful - we could forbid users from certain IP ranges.
Some sort of integration with fail2ban comes to mind.  But another
variable is needed in the code for the device address.  Any takers?

From: steve at dss.nhs.uk (Barry Stephen (YDD08) Derwent Shared Services)
Date: Fri, 3 Apr 2009 17:58:32 +0100
Subject: [tac_plus] Working Command Authorization Script
Message-ID: <21AF5C86B8DBA2489D136BD3AF5801901EE389@lhmail03.xDerwentSharedServices.nhs.uk>

I posted the other day about providing some users different levels of
access depending on the specific device they logged onto, in my case
Access versus Distribution & Core switches.

Having read previous responses from various people I have managed to
create a working authorization script which checks what NAS a user
logged onto and if the NAS/Switch is in a specific list the commands are
checked against a list and only those commands are permitted. For all
other NASes (those not in the list) all commands are allowed.

It took me a while to realise that the script is effectively taking on
the role of the tacacs+ daemon to some extent, that is to say that it is
not returning config/options to the tac_plus daemon in config file
format but direct to the NAS/switch. In any case, in this example we
simply say allow or deny rather than passing any AV pairs back to the
NAS.

It is important to parse STDIN to see what command the NAS is requesting
auth for.

I am using the after authorization method as the before authorization
method seemed a little harder to get working.

This is my tac_plus.conf definition for this group of people:

# Read/Write Access to non distribution devices - All commands authorised
group = rw-except-distribution {
    default service = permit
    service = exec {
        priv-lvl=15
        idletime=15
        timeout=0
    }
    after authorization "/usr/bin/perl /etc/tac_plus_auth.pl $user $name $address"
}

I pass username, nas ip address and client ip address to my script but
only use nas address ($name) in my script. In my case $name is the NAS
IP address but possibly may not be in all cases.

It is necessary to have 'default service = permit' with 'after auth'
scripts because it needs to pass the internal daemon checks, otherwise it
doesn't get passed to the script. However the script can override the
daemon's permit, so not all commands are allowed as it might look like.

I wrote this in perl as I don't do bash. I am a complete amateur so I am
sure there are lots of mistakes and bad practice.

I hope this helps someone and goes some way to repay the help I have
received in the past. Feel free to reply with any questions.

Cheers
Steve

Stephen Barry
Senior IT Service Designer | IT Operations | Derbyshire Health Informatics Service | Derwent Shared Services
t: 01332 622444 | m: 07919 173353 | f: 01332 222256 | e: steve at dss.nhs.uk

############### START SAMPLE AUTH SCRIPT #####################
#! /usr/bin/perl

$log_file    = "/var/log/tac_plus_ext_auth.log";
$log_enabled = 1;

# Create array of devices that require special treatment
@device_group_1 = ("10.95.130.1", "10.95.130.251", "10.95.130.252",
                   "10.95.191.37", "10.95.191.38", "10.95.253.21",
                   "10.95.253.22", "10.95.253.84", "172.16.5.66");

# Create array of all the commands allowed on above devices, regex OK
@command_group_1 = ("show running-config", "show .*", "ping .*", "traceroute .*");

# Read in the command line arguments
$username  = $ARGV[0];
$nas_ip    = $ARGV[1];
$client_ip = $ARGV[2];

# Read in the stdin and extract commands only. Every line is consumed, which
# also drains stdin as the daemon requires. The trailing "cmd-arg=<cr>" the
# NAS sends is skipped by the negative lookahead.
while (defined($line = <STDIN>)) {
    if ($line =~ /^cmd=(.*)\n/) {
        $command_string = $1;
    }
    elsif ($line =~ /^cmd-arg=(?!<cr>)(.*)\n/) {
        $command_string = $command_string." ".$1;
    }
}

# I'm only interested in commands, ignore if it wasn't a cmd or cmd-arg
if (!defined($command_string)) {
    exit 0;
}

# Check for device and command match
if (nas_match($nas_ip, \@device_group_1)) {
    if (command_match($command_string, \@command_group_1)) {
        print_log("Yes", "Yes");
        exit 0;
    }
    else {
        print_log("Yes", "No");
        exit 1;
    }
}
else {
    # I want to allow any command on devices that don't match any in my list
    print_log("No", "Yes");
    exit 0;
}

# Compares passed nas to array of nases to see if the nas is of interest
sub nas_match {
    $nas_match_nas_ip   = shift(@_);
    $nas_match_nas_list = shift(@_);
    foreach $nas (@$nas_match_nas_list) {
        if ($nas_match_nas_ip eq $nas) {
            return 1;
        }
    }
    return 0;
}

# Compares passed command to array of commands to see if the command is allowed
sub command_match {
    $command_match_command      = shift(@_);
    $command_match_command_list = shift(@_);
    foreach $command (@$command_match_command_list) {
        if ($command_match_command =~ /$command/) {
            return 1;
        }
    }
    return 0;
}

# Appends a record of the decision (device match, allowed) to the log file
sub print_log {
    if ($log_enabled == 1) {
        $print_log_device_match    = shift(@_);
        $print_log_command_allowed = shift(@_);
        open MY_LOG_FILE, ">>", $log_file or die $!;
        print MY_LOG_FILE "External Auth Script running at ".localtime()."\n";
        print MY_LOG_FILE "    Username:  $username\n";
        print MY_LOG_FILE "    NAS IP:    $nas_ip\n";
        print MY_LOG_FILE "    Client IP: $client_ip\n";
        print MY_LOG_FILE "    Command:   $command_string\n";
        print MY_LOG_FILE "    NAS Match: $print_log_device_match\n";
        print MY_LOG_FILE "    Allowed:   $print_log_command_allowed\n";
        print MY_LOG_FILE "\n";
        close (MY_LOG_FILE);
    }
}
############### END SAMPLE AUTH SCRIPT #####################

From: dan.schmidt at uplinkdata.com (Schmidt, Daniel)
Date: Fri, 3 Apr 2009 11:44:22 -0600
Subject: [tac_plus] Re: Working Command Authorization Script
In-Reply-To: <21AF5C86B8DBA2489D136BD3AF5801901EE389@lhmail03.xDerwentSharedServices.nhs.uk>
References: <21AF5C86B8DBA2489D136BD3AF5801901EE389@lhmail03.xDerwentSharedServices.nhs.uk>
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BC70D13F@che-exch-003.uplinkdata.com>

$name is the DEVICE IP?  I'm not sure how I missed that, I must have been
tired - my apologies for filling your inboxes with questions.

My sincere thanks to Barry for posting - I'm more of a Python person, but
I'll probably just use a simple bash script.  If anybody has further
questions on this topic, I'll answer them.

From: heas at shrubbery.net (john heasley)
Date: Sat, 4 Apr 2009 07:54:56 +0000
Subject: [tac_plus] Re: Working Command Authorization Script
In-Reply-To: <21AF5C86B8DBA2489D136BD3AF5801901EE389@lhmail03.xDerwentSharedServices.nhs.uk>
References: <21AF5C86B8DBA2489D136BD3AF5801901EE389@lhmail03.xDerwentSharedServices.nhs.uk>
Message-ID: <20090404075456.GE13959@shrubbery.net>

Fri, Apr 03, 2009 at 05:58:32PM +0100, Barry Stephen (YDD08) Derwent Shared Services:
> I pass username, nas ip address and client ip address to my script but
> only use nas address ($name) in my script. In my case $name is the NAS
> IP address but possibly may not be in all cases.

That is right, unless it resolves.  I've added $ip in the code just now, so
that both are available.

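The thread's advice, gathered into one runnable script. This is an added example, not code from the tac_plus project or from anyone posting here. It drains stdin as John requires, prints only attr=value lines, uses the exit codes the way the scripts above use them (0 accept the daemon's decision and its AV pairs, 1 deny, 2 permit with the printed AV pairs replacing the daemon's), restricts commands per NAS the way Barry's Perl script does, and also uses $address, the remote user's address Daniel pointed out, to refuse requests that do not come from a management prefix. The install path, the NAS list, the command patterns and the management prefix are constructed assumptions, and the parser's acceptance of attr*value lines alongside attr=value is an assumption too. Unlike the Perl script it matches each pattern against the whole command (grep -x), so "show .*" cannot match a "show" that merely appears inside some other command.

```shell
#!/bin/sh
# Added example; not code from the tac_plus project or from anyone in this
# thread. A tac_plus "after authorization" script in POSIX sh:
#   * every AV pair on stdin is read, even the ones it ignores;
#   * stdout carries only attr=value lines, never tac_plus.conf syntax;
#   * exit status as the scripts above use it: 0 accept the daemon's
#     decision and AV pairs, 1 deny, 2 permit with the printed AV pairs
#     replacing the daemon's.
# Assumed tac_plus.conf hook (the path is made up):
#   after authorization "/etc/tac_plus/authz.sh $user $name $address"
# Device list, command patterns and management prefix are constructed values.

RESTRICTED_NAS='10.95.130.1 10.95.130.251 10.95.130.252'  # core/distribution
ALLOWED_CMDS='show .*
ping .*
traceroute .*'                 # extended regexes, matched against the whole command
MGMT_PREFIX='10.95.200.'       # where operator workstations ($address) live

# One decision record per request, on stderr (a log file is the usual choice).
log() {
    printf 'tac_plus authz: user=%s nas=%s client=%s cmd="%s" result=%s\n' \
        "$1" "$2" "$3" "$4" "$5" >&2
}

# Drain stdin and print the command under authorization, rebuilt from the
# cmd= pair and the cmd-arg= pairs after it; the trailing cmd-arg=<cr> that
# Cisco IOS sends is dropped. An exec (login) authorization has no command
# value, so an empty line is printed. attr*value (optional) pairs are read
# the same way as attr=value ones; that form is an assumption.
read_command() {
    cmd=''
    while IFS= read -r avp || [ -n "$avp" ]; do
        attr=${avp%%[=*]*}
        val=${avp#"$attr"}; val=${val#?}
        case $attr in
            cmd)     if [ -n "$val" ]; then cmd=$val; fi ;;
            cmd-arg) if [ "$val" != '<cr>' ]; then cmd="$cmd $val"; fi ;;
            *)       ;;        # service=, priv-lvl=, ... consumed and ignored
        esac
    done
    printf '%s\n' "$cmd"
}

# True when $1 is one of the restricted NAS addresses.
nas_restricted() {
    for nas in $RESTRICTED_NAS; do
        if [ "$1" = "$nas" ]; then return 0; fi
    done
    return 1
}

# True when the whole command $1 matches an allowlist pattern.
command_allowed() {
    found=1
    while IFS= read -r pat; do
        if printf '%s\n' "$1" | grep -Eqx -- "$pat"; then found=0; fi
    done <<EOF
$ALLOWED_CMDS
EOF
    return $found
}

# authorize USER NAS CLIENT, with the AV pairs on stdin. Returns the tac_plus
# exit code; replacement AV pairs are printed only on the exit-2 path.
authorize() {
    user=$1; nas=$2; client=$3
    req=$(read_command)            # drain stdin before any early return

    case $client in                # remote-user address outside management?
        "$MGMT_PREFIX"*) ;;
        *) log "$user" "$nas" "$client" "$req" deny-client; return 1 ;;
    esac
    if ! nas_restricted "$nas"; then
        log "$user" "$nas" "$client" "$req" permit-unrestricted
        return 0                   # the daemon's own answer stands
    fi
    if [ -z "$req" ]; then         # exec authorization on a restricted NAS:
        printf 'priv-lvl=15\n'     # exit 2 replaces ALL of the daemon's pairs,
        printf 'idletime=5\n'      # so restate priv-lvl and tighten idletime
        log "$user" "$nas" "$client" "$req" permit-replaced
        return 2
    fi
    if command_allowed "$req"; then
        log "$user" "$nas" "$client" "$req" permit-allowlist
        return 0
    fi
    log "$user" "$nas" "$client" "$req" deny-command
    return 1
}

# Stand-alone demonstration on constructed requests. When deploying, replace
# this section with:  authorize "$@"; exit $?
demo() {
    printf 'service=shell\ncmd=show\ncmd-arg=running-config\ncmd-arg=<cr>\n' |
        authorize alice 10.95.130.1 10.95.200.7 >/dev/null && rc=0 || rc=$?
    echo "show running-config on 10.95.130.1 -> exit $rc"
    printf 'service=shell\ncmd=configure\ncmd-arg=terminal\ncmd-arg=<cr>\n' |
        authorize alice 10.95.130.1 10.95.200.7 >/dev/null && rc=0 || rc=$?
    echo "configure terminal on 10.95.130.1 -> exit $rc"
}
demo
```

The demo at the bottom feeds two constructed requests through the same function the daemon would call; in production the script's only stdout is the AV pairs on the exit-2 path, so keep anything chatty on stderr. Pass $name for the NAS, or $ip where John's addition is available, and note that exit 2 replaces every AV pair the daemon had, which is why the exec branch restates priv-lvl rather than printing only the attribute it changes.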
From: asturluismi at gmail.com (luismi)
Date: Wed, 08 Apr 2009 17:39:39 +0200
Subject: [tac_plus] Access directly to enable mode
Message-ID: <1239205179.7314.30.camel@dsba-ipso>

Hi all,

I have configured here:

aaa new-model
aaa group server tacacs+ tac-plus
aaa authentication attempts login 2
aaa authentication login default group tac-plus local-case
aaa authentication login console group tac-plus local-case
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa authorization network default group tac-plus local
aaa accounting send stop-record authentication failure vrf Gestion
aaa accounting suppress null-username
aaa accounting update newinfo periodic 1440
aaa accounting exec default start-stop group tac-plus
aaa accounting commands 0 default start-stop group tac-plus
aaa accounting commands 1 default start-stop group tac-plus
aaa accounting commands 15 default start-stop group tac-plus
aaa accounting network default start-stop group tac-plus
aaa accounting connection default start-stop group tac-plus
aaa accounting system default start-stop group tac-plus
aaa session-id common

and on the tacacs side...

user = userXXX {
    name = "the USERXXX"
    service = exec {
        priv_lvl = 15
    }
    login = des AABBCCDD
}

It works, because I am able to log in to the router, but I also need to do
enable to get access to the # prompt, and I want to avoid it.

Any idea?

From: kissg at ssg.ki.iif.hu (Kiss Gabor (Bitman))
Date: Wed, 8 Apr 2009 17:52:17 +0200 (CEST)
Subject: [tac_plus] Re: Access directly to enable mode
In-Reply-To: <1239205179.7314.30.camel@dsba-ipso>
References: <1239205179.7314.30.camel@dsba-ipso>
Message-ID:

> user = userXXX {
>     name = "the USERXXX"
>     service = exec {
>         priv_lvl = 15
>     }
>     login = des AABBCCDD
> }
>
> It works because I am able to do login to the router but I also need to
> do enable to get access to # prompt, and I want to avoid it.
>
> Any idea?

priv-lvl vs. priv_lvl

:)


From: asturluismi at gmail.com (luismi)
Date: Wed, 08 Apr 2009 17:54:13 +0200
Subject: [tac_plus] Re: Access directly to enable mode
In-Reply-To:
References: <1239205179.7314.30.camel@dsba-ipso>
Message-ID: <1239206053.7314.34.camel@dsba-ipso>

UPPPS, fixed, but tacacs server restarted and same result :P

On Wed, 08-04-2009 at 17:52 +0200, Kiss Gabor (Bitman) wrote:
> priv-lvl vs. priv_lvl
>
> :)


From: kissg at ssg.ki.iif.hu (Kiss Gabor (Bitman))
Date: Wed, 8 Apr 2009 17:56:40 +0200 (CEST)
Subject: [tac_plus] Re: Access directly to enable mode
In-Reply-To: <1239206053.7314.34.camel@dsba-ipso>
References: <1239205179.7314.30.camel@dsba-ipso> <1239206053.7314.34.camel@dsba-ipso>
Message-ID:

> UPPPS fixed but,tacacs server restarted and same result :P

The very same tac-plus config has worked for me for years.
Maybe the router configuration differs.

Regards

Gabor

From: steve at dss.nhs.uk (Barry Stephen (YDD08) Derwent Shared Services)
Date: Wed, 8 Apr 2009 17:08:45 +0100
Subject: [tac_plus] Re: Access directly to enable mode
References: <1239205179.7314.30.camel@dsba-ipso> <1239206053.7314.34.camel@dsba-ipso>
Message-ID: <21AF5C86B8DBA2489D136BD3AF5801901EE3B9@lhmail03.xDerwentSharedServices.nhs.uk>

do you have a line for exec authorization, something like this:

aaa authorization exec default group tacacs+

I believe you need this otherwise your priv level will not take effect.

On Behalf Of Kiss Gabor (Bitman), sent 08 April 2009 16:57:
> > UPPPS fixed but,tacacs server restarted and same result :P
>
> The very same tac-plus config works for me since years.
> Maybe the router configuration differs.

From: asturluismi at gmail.com (luismi) Date: Wed, 08 Apr 2009 18:15:12 +0200 Subject: [tac_plus] Re: Access directly to enable mode In-Reply-To: <21AF5C86B8DBA2489D136BD3AF5801901EE3B9@lhmail03.xDerwentSharedServices.nhs.uk> References: <1239205179.7314.30.camel@dsba-ipso> <1239206053.7314.34.camel@dsba-ipso> <21AF5C86B8DBA2489D136BD3AF5801901EE3B9@lhmail03.xDerwentSharedServices.nhs.uk> Message-ID: <1239207312.7314.40.camel@dsba-ipso> I have this one: aaa authorization exec default group tacacs+ if-authenticated El mi?, 08-04-2009 a las 17:08 +0100, Barry Stephen (YDD08) Derwent Shared Services escribi?: > do you have a line for exec authorization, something like this: > > aaa authorization exec default group tacacs+ > > I believe you need this otherwise your priv level will not take effect. > > -----Original Message----- 
> From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Kiss Gabor (Bitman)
> Sent: 08 April 2009 16:57
> To: luismi
> Cc: tac_plus at shrubbery.net
> Subject: [tac_plus] Re: Access directly to enable mode
>
> > UPPPS fixed but,tacacs server restarted and same result :P
>
> The very same tac-plus config works for me since years.
> Maybe the router configuration differs.
>
> Regards
>
> Gabor

From tbertolozzi at msufcu.org Wed Apr 8 15:57:38 2009
From: tbertolozzi at msufcu.org (Todd Bertolozzi) Date: Wed, 8 Apr 2009 11:57:38 -0400 Subject: [tac_plus] des passwords Message-ID: <1DA008EBD17D7E45A802948A5BE1A7240388E0CD@EXCH2.cu.msufcu.org>

Am I correct that if you use DES passwords in tac_plus.conf you are limited to an 8 character password? How are you all dealing with that? Are you just using plaintext in there?

Thanks in advance,

Todd

-------------------------------------------------------
This electronic transmission and any information that it contains is the property of MSU Federal Credit Union and is intended for the use of the intended recipient. If you are not the intended recipient, any disclosure, copying or other use of this information is strictly prohibited. If you acquired this transmission in error or feel that any of the information contained within it is offensive or inappropriate, please contact internalaudit at msufcu.org.

From tbertolozzi at msufcu.org Wed Apr 8 16:00:16 2009
From: tbertolozzi at msufcu.org (Todd Bertolozzi) Date: Wed, 8 Apr 2009 12:00:16 -0400 Subject: [tac_plus] Re: Access directly to enable mode In-Reply-To: References: <1239205179.7314.30.camel@dsba-ipso><1239206053.7314.34.camel@dsba-ipso> Message-ID: <1DA008EBD17D7E45A802948A5BE1A7240388E0CE@EXCH2.cu.msufcu.org>

Do you maybe need to have the enable secret set in the config in order for this to work? I have the special enable user set in my config to supply the secret from tacacs and I get dropped into enable mode.

user = $enab15$

Todd

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Kiss Gabor (Bitman)
Sent: Wednesday, April 08, 2009 11:57 AM
To: luismi
Cc: tac_plus at shrubbery.net
Subject: [tac_plus] Re: Access directly to enable mode

> UPPPS fixed but,tacacs server restarted and same result :P

The very same tac-plus config works for me since years.
Maybe the router configuration differs.

Regards

Gabor

From dan.schmidt at uplinkdata.com Wed Apr 8 22:20:13 2009
From: dan.schmidt at uplinkdata.com (Schmidt, Daniel) Date: Wed, 8 Apr 2009 16:20:13 -0600 Subject: [tac_plus] Re: des passwords In-Reply-To: <1DA008EBD17D7E45A802948A5BE1A7240388E0CD@EXCH2.cu.msufcu.org> References: <1DA008EBD17D7E45A802948A5BE1A7240388E0CD@EXCH2.cu.msufcu.org> Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BC70D1C6@che-exch-003.uplinkdata.com>

Bitman once showed me how to do longer passwords:

$ mkpasswd --hash=md5 mysecret
$1$TEWuOxgm$eHFn1umfTovC0ukCYovBf1
$

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Todd Bertolozzi
Sent: Wednesday, April 08, 2009 9:58 AM
To: tac_plus at shrubbery.net
Subject: [tac_plus] des passwords

Am I correct that if you use DES passwords in tac_plus.conf you are limited to an 8 character password? How are you all dealing with that? Are you just using plaintext in there?

Thanks in advance,

Todd

From kissg at ssg.ki.iif.hu Thu Apr 9 20:33:55 2009
From: kissg at ssg.ki.iif.hu (Kiss Gabor (Bitman)) Date: Thu, 9 Apr 2009 22:33:55 +0200 (CEST) Subject: [tac_plus] Re: des passwords In-Reply-To: <05CC562AFB5A9446A1BC3F66AD04A3BC70D1C6@che-exch-003.uplinkdata.com> References: <1DA008EBD17D7E45A802948A5BE1A7240388E0CD@EXCH2.cu.msufcu.org> <05CC562AFB5A9446A1BC3F66AD04A3BC70D1C6@che-exch-003.uplinkdata.com> Message-ID:

> Bitman once showed me how to do longer passwords:
>
> $ mkpasswd --hash=md5 mysecret
> $1$TEWuOxgm$eHFn1umfTovC0ukCYovBf1
> $

Note: this is useful on systems (e.g. Linux) where libcrypt handles md5 passwords in a transparent way.

Gabor

> -----Original Message-----
> Am I correct that if you use DES passwords in tac_plus.conf you are
> limited to an 8 character password? How are you all dealing with that?
> Are you just using plaintext in there?

From heas at shrubbery.net Fri Apr 10 17:31:42 2009
From: heas at shrubbery.net (john heasley) Date: Fri, 10 Apr 2009 17:31:42 +0000 Subject: [tac_plus] Re: des passwords In-Reply-To: <05CC562AFB5A9446A1BC3F66AD04A3BC70D1C6@che-exch-003.uplinkdata.com> References: <1DA008EBD17D7E45A802948A5BE1A7240388E0CD@EXCH2.cu.msufcu.org> <05CC562AFB5A9446A1BC3F66AD04A3BC70D1C6@che-exch-003.uplinkdata.com> Message-ID: <20090410173141.GE3911@shrubbery.net>

Wed, Apr 08, 2009 at 04:20:13PM -0600, Schmidt, Daniel:
> Bitman once showed me how to do longer passwords:
>
> $ mkpasswd --hash=md5 mysecret
> $1$TEWuOxgm$eHFn1umfTovC0ukCYovBf1

Typically 8 characters, but afaik the limitation is in your system's crypt() and historical backward-compatibility. Implying that,

login = des $1$2qGr5PPQ$eT08WBFev3RPLNChixg0H.
login = des $2a$12$eIAq8PR8sIUnJ1HaohxX2O9x9Qlm2vK97LJ5dsXdmB.eXF42qjchC

for MD5 and blowfish, respectively, should work if your crypt supports them, as FreeBSD's and NetBSD's do.

> > -----Original Message-----
> From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Todd Bertolozzi
> Sent: Wednesday, April 08, 2009 9:58 AM
> To: tac_plus at shrubbery.net
> Subject: [tac_plus] des passwords
>
> Am I correct that if you use DES passwords in tac_plus.conf you are
> limited to an 8 character password? How are you all dealing with that?
> Are you just using plaintext in there?
>
> Thanks in advance,
>
> Todd

From kissg at ssg.ki.iif.hu Mon Apr 13 06:07:28 2009
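The remedy the thread converges on for the 8-character DES limit is to put an MD5-crypt (`$1$`) or bcrypt (`$2a$`) string after `login = des` and rely on the system crypt(3) recognising the prefix. The Python below is an added example, not tac_plus code and not any poster's script: it transcribes the MD5-crypt algorithm in pure Python so `$1$` hashes can be generated and checked without a system crypt(3), and it scans a small tac_plus.conf for `login = des` entries whose value is still the 13-character traditional DES form, the one that only uses the first 8 characters of the password. The user names, the 13-character DES string and the cleartext entry in the sample config are constructed for this example; the `$1$` and `$2a$` values are the ones quoted in the thread.

```python
"""MD5-crypt ($1$) generation/verification and a tac_plus.conf hash audit.

Added example for the 'des passwords' thread; not tac_plus code.  md5crypt()
is a transcription of the FreeBSD/glibc MD5-crypt algorithm (fixed 1000
rounds).  SAMPLE_CONF is constructed: the DES string and user names are made
up, the $1$ and $2a$ hashes are the ones quoted on the list.
"""
import hashlib
import hmac
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, ndigits: int) -> str:
    """crypt(3)-style base64: least significant 6 bits first."""
    out = []
    for _ in range(ndigits):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: bytes, salt: bytes) -> str:
    """Return '$1$<salt>$<22 chars>'; the salt is truncated to 8 bytes."""
    salt = salt[:8]
    ctx = hashlib.md5(password + b"$1$" + salt)
    alt = hashlib.md5(password + salt + password).digest()
    n = len(password)                    # mix in alt, 16 bytes per 16 of pw
    while n > 0:
        ctx.update(alt[: min(16, n)])
        n -= 16
    n = len(password)                    # the bit-walk over the pw length
    while n:
        ctx.update(b"\0" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                # stretching with alternating inputs
        ctx1 = hashlib.md5()
        ctx1.update(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups
    )
    encoded += _to64(final[11], 2)
    return "$1$" + salt.decode("ascii") + "$" + encoded


def verify_md5crypt(password: bytes, stored: str) -> bool:
    """Constant-time check of a candidate password against a $1$ hash."""
    m = re.fullmatch(r"\$1\$([^$]{1,8})\$[./0-9A-Za-z]{22}", stored)
    if not m:
        return False
    return hmac.compare_digest(md5crypt(password, m.group(1).encode("ascii")), stored)


def hash_scheme(value: str) -> str:
    """Classify the string that follows 'login = des' by its crypt(3) prefix."""
    if value.startswith("$1$"):
        return "md5crypt"
    if value.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", value):
        return "des-crypt (only first 8 password chars used)"
    return "unknown"


def audit_config(conf_text: str):
    """Return [(user, scheme)] for every login line in a tac_plus.conf."""
    user, results = None, []
    for line in conf_text.splitlines():
        m_user = re.match(r"^\s*user\s*=\s*(\S+)\s*\{", line)
        if m_user:
            user = m_user.group(1)
            continue
        m_login = re.match(r"^\s*login\s*=\s*(\w+)\s+(\S+)", line)
        if m_login and user:
            kind, value = m_login.groups()
            results.append((user, hash_scheme(value) if kind == "des" else kind))
    return results


SAMPLE_CONF = """\
user = todd {
    login = des Xn7bG2qHa1WqE
}
user = dan {
    login = des $1$TEWuOxgm$eHFn1umfTovC0ukCYovBf1
}
user = heas {
    login = des $2a$12$eIAq8PR8sIUnJ1HaohxX2O9x9Qlm2vK97LJ5dsXdmB.eXF42qjchC
}
user = legacy {
    login = cleartext hunter2
}
"""

if __name__ == "__main__":
    h = md5crypt(b"mysecret", b"TEWuOxgm")
    print(h, verify_md5crypt(b"mysecret", h), verify_md5crypt(b"mysecreT", h))
    for user, scheme in audit_config(SAMPLE_CONF):
        print(f"{user:8s} {scheme}")
```

Whether the daemon accepts a `$1$` or `$2a$` string after `login = des` depends on the crypt(3) it was linked against, exactly as the replies above say; the audit only tells you which entries are still on the 8-character scheme. MD5-crypt is a 1994 design with a fixed round count, so of the two alternatives the bcrypt form with a real cost factor (`$2a$12$` in heasley's example) is the one to prefer where the platform supports it.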
From: kissg at ssg.ki.iif.hu (Kiss Gabor (Bitman)) Date: Mon, 13 Apr 2009 08:07:28 +0200 (CEST) Subject: [tac_plus] Re: Access directly to enable mode In-Reply-To: <21AF5C86B8DBA2489D136BD3AF5801901EE3B9@lhmail03.xDerwentSharedServices.nhs.uk> References: <1239205179.7314.30.camel@dsba-ipso><1239206053.7314.34.camel@dsba-ipso> <21AF5C86B8DBA2489D136BD3AF5801901EE3B9@lhmail03.xDerwentSharedServices.nhs.uk> Message-ID:

> do you have a line for exec authorization, something like this:
>
> aaa authorization exec default group tacacs+
>
> I believe you need this otherwise your priv level will not take effect.

Yes we have:
aaa authorization exec default group tacacs+ if-authenticated

Sorry for the late answer. Your mail was delivered today.

Gabor

From heas at shrubbery.net Mon Apr 13 07:38:39 2009
From: heas at shrubbery.net (john heasley) Date: Mon, 13 Apr 2009 07:38:39 +0000 Subject: [tac_plus] Re: Access directly to enable mode In-Reply-To: References: <1239205179.7314.30.camel@dsba-ipso> <1239206053.7314.34.camel@dsba-ipso> <21AF5C86B8DBA2489D136BD3AF5801901EE3B9@lhmail03.xDerwentSharedServices.nhs.uk> Message-ID: <20090413073839.GC2246@shrubbery.net>

Mon, Apr 13, 2009 at 08:07:28AM +0200, Kiss Gabor (Bitman):
> > do you have a line for exec authorization, something like this:
> >
> > aaa authorization exec default group tacacs+
> >
> > I believe you need this otherwise your priv level will not take effect.
>
> Yes we have:
> aaa authorization exec default group tacacs+ if-authenticated
>
> Sorry for the late answer. Your mail was delivered today.
>
> Gabor

start by using tac_plus authorization debugging to ensure that your device really is attempting authorization. you can also use that to debug any authorization failures.

From steve at dss.nhs.uk Mon Apr 20 16:00:24 2009
From: steve at dss.nhs.uk (Barry Stephen (YDD08) Derwent Shared Services) Date: Mon, 20 Apr 2009 17:00:24 +0100 Subject: [tac_plus] http command accounting Message-ID: <21AF5C86B8DBA2489D136BD3AF5801901EE3DC@lhmail03.xDerwentSharedServices.nhs.uk>

Has anyone experienced problems with AAA command accounting via the web based device manager? I am talking about catalyst switches specifically. I am testing on a 2960 running 12.2(44)SE3.

I have configured the required commands but accounting is not working for changes, eg. an interface description change. When I log on all the show commands to populate the GUI are accounted but not changes.

I have debugged the authorization to see what is going on and the switch implements a different method to the CLI of creating the changes and merging them, see below. Debug for accounting did not produce anything useful.

This also affects changes via Cisco Network Assistant.

Any ideas....?

01:19:24: AAA/AUTHOR (0x0): Pick method list 'telnet-ssh'
01:19:24: AAA: parse name=tty0 idb type=-1 tty=-1
01:19:24: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
01:19:24: AAA/MEMORY: create_user (0x22C27EC) user='stephen_barry' ruser='sbtest' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
01:19:24: tty0 AAA/AUTHOR/CMD (490239621): Port='tty0' list='default' service=CMD
01:19:24: AAA/AUTHOR/CMD: tty0 (490239621) user='stephen_barry'
01:19:24: tty0 AAA/AUTHOR/CMD (490239621): send AV service=shell
01:19:24: tty0 AAA/AUTHOR/CMD (490239621): send AV cmd=cluster
01:19:24: tty0 AAA/AUTHOR/CMD (490239621): send AV cmd-arg=preferences
01:19:24: tty0 AAA/AUTHOR/CMD (490239621): send AV cmd-arg=file
01:19:24: tty0 AAA/AUTHOR/CMD (490239621): send AV cmd-arg=d.cli
01:19:24: tty0 AAA/AUTHOR/CMD (490239621): send AV cmd-arg=interface
01:19:24: tty0 AAA/AUTHOR/CMD (490239621): send AV cmd-arg=Fa0/23 description
01:19:24: tty0 AAA/AUTHOR/CMD (490239621): send AV cmd-arg=THIS
01:19:24: tty0 AAA/AUTHOR/CMD (490239621): send AV cmd-arg=IS
01:19:24: tty0 AAA/AUTHOR/CMD (490239621): send AV cmd-arg=A
01:19:24: tty0 AAA/AUTHOR/CMD (490239621): send AV cmd-arg=TEST ! end
01:19:24: tty0 AAA/AUTHOR/CMD (490239621): send AV cmd-arg=
01:19:24: tty0 AAA/AUTHOR/CMD (490239621): found list "default"
01:19:24: tty0 AAA/AUTHOR/CMD (490239621): Method=dhis-auth (tacacs+)
01:19:24: AAA/AUTHOR/TAC+: (490239621): user=stephen_barry
01:19:24: AAA/AUTHOR/TAC+: (490239621): send AV service=shell
01:19:24: AAA/AUTHOR/TAC+: (490239621): send AV cmd=cluster
01:19:24: AAA/AUTHOR/TAC+: (490239621): send AV cmd-arg=preferences
01:19:24: AAA/AUTHOR/TAC+: (490239621): send AV cmd-arg=file
01:19:24: AAA/AUTHOR/TAC+: (490239621): send AV cmd-arg=d.cli
01:19:24: AAA/AUTHOR/TAC+: (490239621): send AV cmd-arg=interface
01:19:24: AAA/AUTHOR/TAC+: (490239621): send AV cmd-arg=Fa0/23 description
01:19:24: AAA/AUTHOR/TAC+: (490239621): send AV cmd-arg=THIS
01:19:24: AAA/AUTHOR/TAC+: (490239621): send AV cmd-arg=IS
01:19:24: AAA/AUTHOR/TAC+: (490239621): send AV cmd-arg=A
01:19:24: AAA/AUTHOR/TAC+: (490239621): send AV cmd-arg=TEST ! end
01:19:24: AAA/AUTHOR/TAC+: (490239621): send AV cmd-arg=
01:19:24: AAA/AUTHOR (490239621): Post authorization status = PASS_ADD
01:19:24: AAA/MEMORY: free_user (0x22C27EC) user='stephen_barry' ruser='sbtest' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15
01:19:24: AAA: parse name=tty0 idb type=-1 tty=-1
01:19:24: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
01:19:24: AAA/MEMORY: create_user (0x22D5A58) user='stephen_barry' ruser='sbtest' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
01:19:24: tty0 AAA/AUTHOR/CMD (2671731899): Port='tty0' list='default' service=CMD
01:19:24: AAA/AUTHOR/CMD: tty0 (2671731899) user='stephen_barry'
01:19:24: tty0 AAA/AUTHOR/CMD (2671731899): send AV service=shell
01:19:24: tty0 AAA/AUTHOR/CMD (2671731899): send AV cmd=copy
01:19:24: tty0 AAA/AUTHOR/CMD (2671731899): send AV cmd-arg=d.cli
01:19:24: tty0 AAA/AUTHOR/CMD (2671731899): send AV cmd-arg=running-config
01:19:24: tty0 AAA/AUTHOR/CMD (2671731899): send AV cmd-arg=
01:19:24: tty0 AAA/AUTHOR/CMD (2671731899): found list "default"
01:19:24: tty0 AAA/AUTHOR/CMD (2671731899): Method=dhis-auth (tacacs+)
01:19:24: AAA/AUTHOR/TAC+: (2671731899): user=stephen_barry
01:19:24: AAA/AUTHOR/TAC+: (2671731899): send AV service=shell
01:19:24: AAA/AUTHOR/TAC+: (2671731899): send AV cmd=copy
01:19:24: AAA/AUTHOR/TAC+: (2671731899): send AV cmd-arg=d.cli
01:19:24: AAA/AUTHOR/TAC+: (2671731899): send AV cmd-arg=running-config
01:19:24: AAA/AUTHOR/TAC+: (2671731899): send AV cmd-arg=
01:19:25: AAA/AUTHOR (2671731899): Post authorization status = PASS_ADD
01:19:25: AAA/MEMORY: free_user (0x22D5A58) user='stephen_barry' ruser='sbtest' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15
01:19:25: AAA: parse name=tty0 idb type=-1 tty=-1
01:19:25: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
01:19:25: AAA/MEMORY: create_user (0x22B96E8) user='stephen_barry' ruser='sbtest' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
01:19:25: tty0 AAA/AUTHOR/CMD (469821217): Port='tty0' list='default' service=CMD
01:19:25: AAA/AUTHOR/CMD: tty0 (469821217) user='stephen_barry'
01:19:25: tty0 AAA/AUTHOR/CMD (469821217): send AV service=shell
01:19:25: tty0 AAA/AUTHOR/CMD (469821217): send AV cmd=delete
01:19:25: tty0 AAA/AUTHOR/CMD (469821217): send AV cmd-arg=/force
01:19:25: tty0 AAA/AUTHOR/CMD (469821217): send AV cmd-arg=d.cli
01:19:25: tty0 AAA/AUTHOR/CMD (469821217): send AV cmd-arg=
01:19:25: tty0 AAA/AUTHOR/CMD (469821217): found list "default"
01:19:25: tty0 AAA/AUTHOR/CMD (469821217): Method=dhis-auth (tacacs+)
01:19:25: AAA/AUTHOR/TAC+: (469821217): user=stephen_barry
01:19:25: AAA/AUTHOR/TAC+: (469821217): send AV service=shell
01:19:25: AAA/AUTHOR/TAC+: (469821217): send AV cmd=delete
01:19:25: AAA/AUTHOR/TAC+: (469821217): send AV cmd-arg=/force
01:19:25: AAA/AUTHOR/TAC+: (469821217): send AV cmd-arg=d.cli
01:19:25: AAA/AUTHOR/TAC+: (469821217): send AV cmd-arg=
01:19:25: AAA/AUTHOR (469821217): Post authorization status = PASS_ADD
01:19:25: AAA/MEMORY: free_user (0x22B96E8) user='stephen_barry' ruser='sbtest' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15
01:19:25: AAA: parse name=tty0 idb type=-1 tty=-1
01:19:25: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
01:19:25: AAA/MEMORY: create_user (0x2272ED0) user='stephen_barry' ruser='sbtest' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)

Stephen Barry
Senior IT Service Designer | IT Operations | Derbyshire Health Informatics Service | Derwent Shared Services
t: 01332 622444 | m: 07919 173353 | f: 01332 222256 | e: steve at dss.nhs.uk

From heas at shrubbery.net Mon Apr 20 16:22:02 2009
From: heas at shrubbery.net (john heasley) Date: Mon, 20 Apr 2009 16:22:02 +0000 Subject: [tac_plus] Re: http command accounting In-Reply-To: <21AF5C86B8DBA2489D136BD3AF5801901EE3DC@lhmail03.xDerwentSharedServices.nhs.uk> References: <21AF5C86B8DBA2489D136BD3AF5801901EE3DC@lhmail03.xDerwentSharedServices.nhs.uk> Message-ID: <20090420162202.GA21045@shrubbery.net>

Mon, Apr 20, 2009 at 05:00:24PM +0100, Barry Stephen (YDD08) Derwent Shared Services:
> Has anyone experienced problems with AAA command accounting via the web
> based device manager? I am talking about catalyst switches specifically.
> I am testing on a 2960 running 12.2(44)SE3
>
> I have configured the required commands but accounting is not working for
> changes, eg. an interface description change. When I log on all the show
> commands to populate the GUI are accounted but not changes.
>
> I have debugged the authorization to see what is going on and the switch
> implements a different method to the CLI of creating the changes and
> merging them, see below. Debug for accounting did not produce anything
> useful.
>
> This also affects changes via Cisco Network Assistant.
>
> Any ideas....?

try enabling authorization and accounting debugging in the daemon. also, these look like authorization logs, not accounting logs.

From schmitz at anl.gov Mon Apr 20 16:32:32 2009
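Heasley is right that Stephen's trace is authorization rather than accounting, but it still shows what the web device manager actually submits, and that is the part a per-command policy has to match. The Python below is an added example, not from the page or the tac_plus project: it parses the `AAA/AUTHOR/TAC+` lines from IOS `debug aaa authorization` output, groups the `cmd`/`cmd-arg` AV pairs per request id, joins them into the command string the server would match, and runs that against a small permit/deny table. The sample lines are an abridged copy of the trace quoted above; the policy table is an assumed CLI-style policy, and its semantics (first matching regex wins, a command that hits a `cmd` block but matches none of its regexes is denied, a command with no `cmd` block is reported as unmatched) are an assumption modelled on tac_plus `cmd` blocks, not a statement about any real configuration.

```python
"""Reconstruct the commands a Catalyst web device manager submits for
command authorization, from IOS 'debug aaa authorization' output.

Added example for the 'http command accounting' thread; not tac_plus code.
SAMPLE_DEBUG is an abridged copy of the trace quoted on the list.  CLI_POLICY
is an assumed policy written the way a CLI-minded admin would write it.
"""
import re

# Only the TAC+ leg of the exchange carries the AV pairs actually sent to
# the daemon.  One line looks like:
#   <ts>: AAA/AUTHOR/TAC+: (<req-id>): send AV <attr>=<value>
AV_RE = re.compile(r"^\S+: AAA/AUTHOR/TAC\+: \((\d+)\): send AV ([\w-]+)=(.*)$")

SAMPLE_DEBUG = """\
01:19:24: AAA/AUTHOR/TAC+: (490239621): user=stephen_barry
01:19:24: AAA/AUTHOR/TAC+: (490239621): send AV service=shell
01:19:24: AAA/AUTHOR/TAC+: (490239621): send AV cmd=cluster
01:19:24: AAA/AUTHOR/TAC+: (490239621): send AV cmd-arg=preferences
01:19:24: AAA/AUTHOR/TAC+: (490239621): send AV cmd-arg=file
01:19:24: AAA/AUTHOR/TAC+: (490239621): send AV cmd-arg=d.cli
01:19:24: AAA/AUTHOR/TAC+: (490239621): send AV cmd-arg=interface
01:19:24: AAA/AUTHOR/TAC+: (490239621): send AV cmd-arg=Fa0/23 description
01:19:24: AAA/AUTHOR/TAC+: (490239621): send AV cmd-arg=THIS
01:19:24: AAA/AUTHOR/TAC+: (490239621): send AV cmd-arg=IS
01:19:24: AAA/AUTHOR/TAC+: (490239621): send AV cmd-arg=A
01:19:24: AAA/AUTHOR/TAC+: (490239621): send AV cmd-arg=TEST ! end
01:19:24: AAA/AUTHOR/TAC+: (490239621): send AV cmd-arg=
01:19:24: AAA/AUTHOR (490239621): Post authorization status = PASS_ADD
01:19:24: AAA/AUTHOR/TAC+: (2671731899): send AV service=shell
01:19:24: AAA/AUTHOR/TAC+: (2671731899): send AV cmd=copy
01:19:24: AAA/AUTHOR/TAC+: (2671731899): send AV cmd-arg=d.cli
01:19:24: AAA/AUTHOR/TAC+: (2671731899): send AV cmd-arg=running-config
01:19:24: AAA/AUTHOR/TAC+: (2671731899): send AV cmd-arg=
01:19:25: AAA/AUTHOR/TAC+: (469821217): send AV service=shell
01:19:25: AAA/AUTHOR/TAC+: (469821217): send AV cmd=delete
01:19:25: AAA/AUTHOR/TAC+: (469821217): send AV cmd-arg=/force
01:19:25: AAA/AUTHOR/TAC+: (469821217): send AV cmd-arg=d.cli
01:19:25: AAA/AUTHOR/TAC+: (469821217): send AV cmd-arg=
"""


def parse_requests(debug_text: str) -> dict:
    """Return {req_id: {"service", "cmd", "args"}} in order of first appearance.
    The empty trailing cmd-arg that IOS sends is dropped."""
    reqs = {}
    for line in debug_text.splitlines():
        m = AV_RE.match(line)
        if not m:
            continue
        req_id, attr, value = m.groups()
        rec = reqs.setdefault(req_id, {"service": None, "cmd": None, "args": []})
        if attr == "service":
            rec["service"] = value
        elif attr == "cmd":
            rec["cmd"] = value
        elif attr == "cmd-arg" and value:
            rec["args"].append(value)
    return reqs


def command_line(rec: dict) -> str:
    """Join cmd and its args into the single string a policy is matched on."""
    return " ".join([rec["cmd"]] + rec["args"]) if rec["cmd"] else ""


# Assumed CLI-oriented policy: (cmd, regex over the joined args, verdict).
CLI_POLICY = [
    ("show", r".*", "permit"),
    ("configure", r"terminal", "permit"),
    ("interface", r".*", "permit"),
    ("copy", r"running-config startup-config", "permit"),
]


def evaluate(rec: dict, policy=CLI_POLICY) -> str:
    """Assumed cmd-block semantics: first cmd entry wins; inside it a
    non-matching arg regex denies; no cmd entry at all is 'unmatched'."""
    if rec["cmd"] is None:
        return "unmatched"
    args = " ".join(rec["args"])
    for cmd, arg_re, verdict in policy:
        if cmd == rec["cmd"]:
            return verdict if re.fullmatch(arg_re, args) else "deny"
    return "unmatched"


def audit(debug_text: str):
    """[(reconstructed command, verdict)] for every request in the trace."""
    return [(command_line(r), evaluate(r)) for r in parse_requests(debug_text).values()]


if __name__ == "__main__":
    for cmd, verdict in audit(SAMPLE_DEBUG):
        print(f"{verdict:9s} {cmd}")
```

Run against the trace, the interface change never appears as `interface Fa0/23` or `description ...`: it arrives as `cluster preferences file d.cli ...`, then `copy d.cli running-config`, then `delete /force d.cli`. A policy keyed on `configure` and `interface` has nothing to say about any of those, and the `copy` rule written for saving the configuration rejects the merge. The same command names are what any accounting records for the GUI would carry, so daemon-side accounting debugging, as heasley suggests, is the way to see whether the switch sends them at all.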
From: schmitz at anl.gov (Schmitz Corby) Date: Mon, 20 Apr 2009 11:32:32 -0500 Subject: [tac_plus] Accounting difficulties Message-ID:

I have been working with the latest build of tac_plus distributed on your website. I have been successful at getting everything working (including ACL support, which is why I chose this version in the first place) except for accounting. I was using the Ubuntu distribution previously and with the accounting directive in the configuration file, things just worked:

accounting file = /var/log/tac-plus/accounting

Under the current version:

root at nms221:/usr/local/tacacs+-F4.0.4.18# /usr/local/tacacs/bin/tac_plus -v
tac_plus version F4.0.4.18
ACLS
FIONBIO
LIBWRAP
LINUX
LITTLE_ENDIAN
LOG_DAEMON
PAM
NO_PWAGE
REAPCHILD
RETSIGTYPE RETSIGTYPE
SHADOW_PASSWORDS
SIGTSTP
SIGTTIN
SIGTTOU
SO_REUSEADDR
STRERROR
TAC_PLUS_PORT
UENABLE
__STDC__

I cannot seem to get it working again. I have tried building with a specific entry for the accounting file when I run configure prior to building:

--with-acctfile=/var/log/tac-plus/account

With or without this entry and despite what is in the configuration file, nothing ever gets written to the accounting log file.

I am not sure what else to supply. Any help would be greatly appreciated.

-corby schmitz

From heas at shrubbery.net Mon Apr 20 17:14:58 2009
From: heas at shrubbery.net (john heasley) Date: Mon, 20 Apr 2009 17:14:58 +0000 Subject: [tac_plus] Re: Accounting difficulties In-Reply-To: References: Message-ID: <20090420171457.GI21045@shrubbery.net>

Mon, Apr 20, 2009 at 11:32:32AM -0500, Schmitz Corby:
> I have been working with the latest build of tac_plus distributed on
> your website. I have been successful at getting everything working
> (including ACL support which is why I chose this version in the first
> place) except for accounting. I was using the Ubuntu distribution
> previously and with the accounting directive in the configuration
> file, things just worked:
> accounting file = /var/log/tac-plus/accounting
> Under the current version:
> root at nms221:/usr/local/tacacs+-F4.0.4.18# /usr/local/tacacs/bin/tac_plus -v
> tac_plus version F4.0.4.18
> [...]
>
> I cannot seem to get it working again. I have tried building with a
> specific entry for the accounting file when I run configure prior to
> building:
> --with-acctfile=/var/log/tac-plus/account
>
> With or without this entry and despite what is in the configuration
> file, nothing ever gets written to the accounting log file.

errors in syslog? does accounting work when set to syslog? does the daemon run chroot'd? tried accounting debugging in the daemon to be sure the device is sending accounting?

From schmitz at anl.gov Mon Apr 20 17:33:36 2009
From: schmitz at anl.gov (schmitz at anl.gov) Date: Mon, 20 Apr 2009 12:33:36 -0500 (CDT) Subject: [tac_plus] Re: Accounting difficulties In-Reply-To: <20090420171457.GI21045@shrubbery.net> References: <20090420171457.GI21045@shrubbery.net> Message-ID:

Many apologies. I figured it out. I was setting the wtmp log file in the cli, and this prevented accounting records from hitting the accounting log file. They must be mutually exclusive.

Does this make sense?

--
Corby Schmitz
Mobile

On Apr 20, 2009, at 12:15, john heasley wrote:

> Mon, Apr 20, 2009 at 11:32:32AM -0500, Schmitz Corby:
>> [...]
>> With or without this entry and despite what is in the configuration
>> file, nothing ever gets written to the accounting log file.
>
> errors in syslog? does accounting work when set to syslog? does the
> daemon run chroot'd? tried accounting debugging in the daemon to be
> sure the device is sending accounting?

From heas at shrubbery.net Mon Apr 20 17:42:58 2009
From: heas at shrubbery.net (john heasley) Date: Mon, 20 Apr 2009 17:42:58 +0000 Subject: [tac_plus] Re: Accounting difficulties In-Reply-To: References: <20090420171457.GI21045@shrubbery.net> Message-ID: <20090420174258.GN21045@shrubbery.net>

Mon, Apr 20, 2009 at 12:33:36PM -0500, schmitz at anl.gov:
> Many apologies. I figured it out. I was setting the wtmp log file in the
> cli, and this prevented accounting records from hitting the accounting log
> file. They must be mutually exclusive.
>
> Does this make sense?

yes, apparently. the code only does one or the other; which seems awfully stupid. hmm, why would it do that.

> --
> Corby Schmitz
> Mobile
>
> On Apr 20, 2009, at 12:15, john heasley wrote:
>
>> Mon, Apr 20, 2009 at 11:32:32AM -0500, Schmitz Corby:
>>> [...]
>>> With or without this entry and despite what is in the configuration
>>> file, nothing ever gets written to the accounting log file.
>>
>> errors in syslog? does accounting work when set to syslog? does the
>> daemon run chroot'd? tried accounting debugging in the daemon to be
>> sure the device is sending accounting?

From dan.schmidt at uplinkdata.com Mon Apr 20 22:01:34 2009
From: dan.schmidt at uplinkdata.com (Schmidt, Daniel) Date: Mon, 20 Apr 2009 16:01:34 -0600 Subject: [tac_plus] Re: single connection In-Reply-To: <20090319211702.GV22385@shrubbery.net> References: <05CC562AFB5A9446A1BC3F66AD04A3BC1BD6CE@che-exch-003.uplinkdata.com> <20080529210331.GE24141@shrubbery.net> <05CC562AFB5A9446A1BC3F66AD04A3BC1BD6D8@che-exch-003.uplinkdata.com> <20090318233331.GA3200@shrubbery.net> <05CC562AFB5A9446A1BC3F66AD04A3BC70D012@che-exch-003.uplinkdata.com> <20090319211702.GV22385@shrubbery.net> Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BC70D2AA@che-exch-003.uplinkdata.com>

This lousy bug triggered another ssh/tty lockup bug.... long story.

I have to wonder if it works right on ANY Tacacs server. How could it, if the flag isn't set and it has to be defined on the server?

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Thursday, March 19, 2009 3:17 PM
To: Schmidt, Daniel
Cc: john heasley; tac_plus at shrubbery.net
Subject: Re: [tac_plus] single connection

Thu, Mar 19, 2009 at 09:03:21AM -0600, Schmidt, Daniel:
> Thank you kindly for your reply again.
>
> I have hundreds of devices that I put it on. Are we to understand that
> Cisco recommends single-connection on one hand, and then on the other
> hand tells us that single-connection does not work and they won't fix
> it? I suppose I had better start work on removing it.
>
> Rather than removing your debug code, perhaps a warning would be in
> order? It would be a shame to have an upgrade break tacacs for those

i think it *appears* to work. for starters, the client does not set the single-connection flag in the header, so either the daemon would refuse single-connection behavior or not be able to concurrently support both clients that had the support and those that didn't. secondly, afaict, it always closes the connection, which may be why it appears to work.

the daemon does not support it, but I was going to add support. The code was simply to figure out how it worked.

> who have been following their lousy CCNP book. As I mentioned,
> single-connection does work, just not well. If you check tacacs, you
> will note aborts and errors.
>
> Funny that it seems to work right in IOS-XR yet they did such a terrible
> job of implementing SSH in IOS-XR.
>
> -----Original Message-----
> From: john heasley [mailto:heas at shrubbery.net]
> Sent: Wednesday, March 18, 2009 5:34 PM
> To: Schmidt, Daniel
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] single connection
>
> Thu, May 29, 2008 at 03:32:18PM -0600, Dan Schmidt:
> > Thanks kindly for your reply.
> >
> > The symptoms are that, if multiple sessions are opened - one right after
> > the other, exactly every other session fails to contact the tacacs
> > server (defaults to local authentication) spitting out that debug
> > message. Perhaps it is a bug on the 7600's, as the 6500's in that city
> > are completely fine. (And 3750's, etc.)
> >
> > Single-connection was implemented in CiscoSecure Release 1.0.1 - is it
> > fully supported in tac_plus?
> >
> > Obviously, the work around is to disable single connection, but that
> > creates more connections to the tacacs server.
>
> I FINALLY researched this extensively. The problem is that, except for
> IOS-XR, single-connection does not work, period. And, Cisco told me that
> they would not fix it.
>
> Note that the tac_plus daemon does not support it anyway; I'd just jammed
> basic debugging code into it. I don't know if I'll add it in the future.

From heas at shrubbery.net Mon Apr 20 22:41:33 2009
From: heas at shrubbery.net (john heasley) Date: Mon, 20 Apr 2009 22:41:33 +0000 Subject: [tac_plus] Re: single connection In-Reply-To: <05CC562AFB5A9446A1BC3F66AD04A3BC70D2AA@che-exch-003.uplinkdata.com> References: <05CC562AFB5A9446A1BC3F66AD04A3BC1BD6CE@che-exch-003.uplinkdata.com> <20080529210331.GE24141@shrubbery.net> <05CC562AFB5A9446A1BC3F66AD04A3BC1BD6D8@che-exch-003.uplinkdata.com> <20090318233331.GA3200@shrubbery.net> <05CC562AFB5A9446A1BC3F66AD04A3BC70D012@che-exch-003.uplinkdata.com> <20090319211702.GV22385@shrubbery.net> <05CC562AFB5A9446A1BC3F66AD04A3BC70D2AA@che-exch-003.uplinkdata.com> Message-ID: <20090420224133.GB5907@shrubbery.net>

Mon, Apr 20, 2009 at 04:01:34PM -0600, Schmidt, Daniel:
> This lousy bug triggered another ssh/tty lockup bug.... long
> story.
>
> I have to wonder if it works right on ANY Tacacs server. How could it,
> if the flag isn't set and it has to be defined on the server?

its possible to half-fudge around it. it would not be 100% reliable.

From heas at shrubbery.net Tue Apr 21 16:00:21 2009
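Heasley's diagnosis rests on one byte: the flags field of the TACACS+ packet header, where single-connection support is signalled by the 0x04 bit and an unobfuscated body by 0x01. The Python below is an added example, not tac_plus code: it unpacks the 12-byte header (version, type, seq_no, flags, session_id, length, all big-endian, as in RFC 8907 and the 1998 draft that tac_plus implements), reports the two flags, and applies the MD5 pseudo-pad body obfuscation from the same specification so a captured body can be read with the shared key. The shared key and the packet contents are constructed for the example; the four-byte body stands in for a real START packet and is not a valid one.

```python
"""TACACS+ header inspection (single-connect flag) and body obfuscation.

Added example for the 'single connection' thread; not tac_plus code.  Header
layout, flag values and the MD5 pseudo-pad follow RFC 8907 section 4.  KEY and
the packet bodies are constructed for this example.
"""
import hashlib
import struct
from dataclasses import dataclass

# version(1) type(1) seq_no(1) flags(1) session_id(4) length(4), network order.
HEADER = struct.Struct("!BBBBII")
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04
PACKET_TYPES = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}


@dataclass
class Header:
    version: int
    ptype: int
    seq_no: int
    flags: int
    session_id: int
    length: int

    @property
    def single_connect(self) -> bool:
        return bool(self.flags & TAC_PLUS_SINGLE_CONNECT_FLAG)

    @property
    def unencrypted(self) -> bool:
        return bool(self.flags & TAC_PLUS_UNENCRYPTED_FLAG)

    @property
    def type_name(self) -> str:
        return PACKET_TYPES.get(self.ptype, f"UNKNOWN({self.ptype})")


def parse_header(raw: bytes) -> Header:
    if len(raw) < HEADER.size:
        raise ValueError("short TACACS+ header")
    return Header(*HEADER.unpack_from(raw))


def pseudo_pad(hdr: Header, key: bytes, nbytes: int) -> bytes:
    """Keystream: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}), concatenated."""
    seed = struct.pack("!I", hdr.session_id) + key + bytes([hdr.version, hdr.seq_no])
    out, prev = b"", b""
    while len(out) < nbytes:
        prev = hashlib.md5(seed + prev).digest()
        out += prev
    return out[:nbytes]


def obfuscate_body(hdr: Header, key: bytes, body: bytes) -> bytes:
    """XOR with the pad; symmetric, so the same call decodes.  Bodies flagged
    unencrypted are passed through unchanged."""
    if hdr.unencrypted:
        return body
    return bytes(a ^ b for a, b in zip(body, pseudo_pad(hdr, key, len(body))))


def build_packet(version, ptype, seq_no, flags, session_id, key, body) -> bytes:
    hdr = Header(version, ptype, seq_no, flags, session_id, len(body))
    raw_hdr = HEADER.pack(version, ptype, seq_no, flags, session_id, len(body))
    return raw_hdr + obfuscate_body(hdr, key, body)


def describe(raw: bytes, key: bytes):
    """(type name, single_connect flag, decoded body) for one captured packet."""
    hdr = parse_header(raw)
    body = raw[HEADER.size: HEADER.size + hdr.length]
    if len(body) != hdr.length:
        raise ValueError("truncated body")
    return hdr.type_name, hdr.single_connect, obfuscate_body(hdr, key, body)


if __name__ == "__main__":
    KEY = b"example-shared-secret"   # constructed
    body = b"\x01\x01\x00\x00"        # placeholder body, constructed
    for flags in (0x00, TAC_PLUS_SINGLE_CONNECT_FLAG):
        pkt = build_packet(0xC0, 1, 1, flags, 0x1234ABCD, KEY, body)
        print(describe(pkt, KEY))
```

If you capture the exchange on the daemon side, the flags byte of the first packet of each session is the direct test of whether the client asked for single-connection at all, which is the gap heasley describes: a daemon cannot offer the behaviour per client if the client never announces it.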
From: heas at shrubbery.net (john heasley)
Date: Tue, 21 Apr 2009 16:00:21 +0000
Subject: [tac_plus] Re: Accounting difficulties
In-Reply-To: <20090420174258.GN21045@shrubbery.net>
References: <20090420171457.GI21045@shrubbery.net> <20090420174258.GN21045@shrubbery.net>
Message-ID: <20090421160021.GM3772@shrubbery.net>

Mon, Apr 20, 2009 at 05:42:58PM +0000, john heasley:
> Mon, Apr 20, 2009 at 12:33:36PM -0500, schmitz at anl.gov:
> > Many apologies. I figured it out. I was setting the wtmp log file in the
> > cli, and this prevented accounting records from hitting the accounting log
> > file. They must be mutually exclusive.
> >
> > Does this make sense?
>
> yes, apparently. the code only does one or the other; which seems awfully
> stupid. hmm, why would it do that.

I can't think of a reason why these should be mutually exclusive. the
attached patch removes that.

> > --
> > Corby Schmitz
> > Mobile
> >
> > On Apr 20, 2009, at 12:15, john heasley wrote:
> >
> >> Mon, Apr 20, 2009 at 11:32:32AM -0500, Schmitz Corby:
> >>> I have been working with the latest build of tac_plus distributed on
> >>> your website. I have been successful at getting everything working
> >>> (including ACL support which is why I chose this version in the first
> >>> place) except for accounting. I was using the Ubuntu distribution
> >>> previously and with the accounting directive in the configuration
> >>> file, things just worked:
> >>> accounting file = /var/log/tac-plus/accounting
> >>> Under the current version:
> >>> root at nms221:/usr/local/tacacs+-F4.0.4.18# /usr/local/tacacs/bin/tac_plus -v
> >>> tac_plus version F4.0.4.18
> >>> ACLS
> >>> FIONBIO
> >>> LIBWRAP
> >>> LINUX
> >>> LITTLE_ENDIAN
> >>> LOG_DAEMON
> >>> PAM
> >>> NO_PWAGE
> >>> REAPCHILD
> >>> RETSIGTYPE RETSIGTYPE
> >>> SHADOW_PASSWORDS
> >>> SIGTSTP
> >>> SIGTTIN
> >>> SIGTTOU
> >>> SO_REUSEADDR
> >>> STRERROR
> >>> TAC_PLUS_PORT
> >>> UENABLE
> >>> __STDC__
> >>>
> >>> I cannot seem to get it working again. I have tried building with a
> >>> specific entry for the accounting file when I run configure prior to
> >>> building:
> >>> --with-acctfile=/var/log/tac-plus/account
> >>>
> >>> With or without this entry and despite what is in the configuration
> >>> file, nothing ever gets written to the accounting log file.
> >>
> >> errors in syslog? does accounting work when set to syslog? does the
> >> daemon run chroot'd? tried accounting debugging in the daemon to be
> >> sure the device is sending accounting?

-------------- next part --------------
Index: acct.c
===================================================================
RCS file: /home/heas/.CVS/src/routers/tac_plus/acct.c,v
retrieving revision 1.10
diff -d -u -r1.10 acct.c
--- acct.c 21 Apr 2009 15:56:24 -0000 1.10
+++ acct.c 21 Apr 2009 15:56:25 -0000
@@ -136,17 +136,13 @@ loguser(&rec); #endif - /* - * Do accounting. - */ - if (wtmpfile) { + /* Do accounting */ + if (wtmpfile) errors = do_wtmp(&rec); - } else { - if (session.acctfile != NULL) - errors = do_acct_file(&rec); - if (session.flags & SESS_FLAG_ACCTSYSL) - errors = do_acct_syslog(&rec); - } + if (session.acctfile != NULL) + errors += do_acct_file(&rec); + if (session.flags & SESS_FLAG_ACCTSYSL) + errors += do_acct_syslog(&rec); if (errors) { status = TAC_PLUS_ACCT_STATUS_ERROR; From tbertolozzi at msufcu.org Tue Apr 21 18:48:40 2009 
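Review bot: the wtmp path still uses plain assignment (`errors = do_wtmp(&rec);`) while the file and syslog paths below it now accumulate with `errors += ...`, so the result is only right if `errors` is already 0 when this block is entered, and that initialisation is outside the hunk; use `errors += do_wtmp(&rec);` for all three sinks and confirm the initial value. It is also worth checking that `do_wtmp`, `do_acct_file` and `do_acct_syslog` each return 0 on success and a non-negative value on failure, because with summation a negative return from one sink would cancel another sink's error before the `if (errors)` test that sets `TAC_PLUS_ACCT_STATUS_ERROR`.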
From: tbertolozzi at msufcu.org (Todd Bertolozzi)
Date: Tue, 21 Apr 2009 14:48:40 -0400
Subject: [tac_plus] Misc Items
Message-ID: <1DA008EBD17D7E45A802948A5BE1A7240388E101@EXCH2.cu.msufcu.org>

Hello people,

I've been searching around for answers to a few questions but haven't
had much luck. Thanks in advance for anyone who can either answer or
point me in the right direction.

- I'm used to seeing the Username prompt when using tacacs. However, I
don't get that prompt. Is that available with tac_plus and if so can I
set the username prompt in the conf file so that I know it's actually
hitting the tac_plus server.

- Are there other login options that can be set in the conf file such as
max number of failed connection attempts? I don't really see anything in
the man page. Currently there appears to be no limit. Some of the device
commands like certain aaa commands don't appear to have an effect (i.e.
aaa authentication attempts login 3). The only thing I really see in the
man pages is a password 'expires' option.

- What about a login timeout? I am able to set 'ip ssh time-out x' that
actually works but if I set the above aaa command or a 'ip ssh
authentication-retries 3' it has no effect.

Thanks,

Todd

-------------------------------------------------------
This electronic transmission and any information that it contains is the
property of MSU Federal Credit Union and is intended for the use of the
intended recipient. If you are not the intended recipient, any
disclosure, copying or other use of this information is strictly
prohibited. If you acquired this transmission in error or feel that any
of the information contained within it is offensive or inappropriate,
please contact internalaudit at msufcu.org.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20090421/edafbb13/attachment.html

From schmitz at anl.gov Tue Apr 21 16:04:47 2009
From: schmitz at anl.gov (Schmitz Corby)
Date: Tue, 21 Apr 2009 11:04:47 -0500
Subject: [tac_plus] Re: Accounting difficulties
In-Reply-To: <20090421160021.GM3772@shrubbery.net>
References: <20090420171457.GI21045@shrubbery.net> <20090420174258.GN21045@shrubbery.net> <20090421160021.GM3772@shrubbery.net>
Message-ID: <603C2439-7EF4-47D7-B70D-D30C8B8252FF@anl.gov>

I will give it a go.

-corby

On Apr 21, 2009, at 11:00 AM, john heasley wrote:
> I can't think of a reason why these should be mutually exclusive. the
> attached patch removes that.

From tbertolozzi at msufcu.org Thu Apr 23 12:41:53 2009
From: tbertolozzi at msufcu.org (Todd Bertolozzi)
Date: Thu, 23 Apr 2009 08:41:53 -0400
Subject: [tac_plus] Re: Misc Items
In-Reply-To: <1DA008EBD17D7E45A802948A5BE1A7240388E101@EXCH2.cu.msufcu.org>
References: <1DA008EBD17D7E45A802948A5BE1A7240388E101@EXCH2.cu.msufcu.org>
Message-ID: <1DA008EBD17D7E45A802948A5BE1A7240388E104@EXCH2.cu.msufcu.org>

Can anyone point me in the right direction as far as why the daemon
isn't providing a Username: prompt? I assume it is supposed to?

Thanks,

Todd
From nathan at schrenk.org Thu Apr 23 14:42:28 2009
From: nathan at schrenk.org (Nathan Schrenk)
Date: Thu, 23 Apr 2009 07:42:28 -0700
Subject: [tac_plus] Re: Misc Items
In-Reply-To: <1DA008EBD17D7E45A802948A5BE1A7240388E104@EXCH2.cu.msufcu.org>
References: <1DA008EBD17D7E45A802948A5BE1A7240388E101@EXCH2.cu.msufcu.org> <1DA008EBD17D7E45A802948A5BE1A7240388E104@EXCH2.cu.msufcu.org>
Message-ID: <6121a88b0904230742o7348cd02jda4d7dc470047872@mail.gmail.com>

I use a directive in my tac_plus config file to customize the prompt on
a per-device basis:

...
host = 1.2.3.4 {
    prompt = "1.2.3.4 Username: "
}
...

Nathan

On 4/23/09, Todd Bertolozzi wrote:
>
> Can anyone point me in the right direction as far as why the daemon
> isn't providing a Username: prompt? I assume it is supposed to?
>
> Thanks,
>
> Todd
From heas at shrubbery.net Thu Apr 23 15:51:53 2009
From: heas at shrubbery.net (john heasley)
Date: Thu, 23 Apr 2009 08:51:53 -0700
Subject: [tac_plus] Re: Misc Items
In-Reply-To: <1DA008EBD17D7E45A802948A5BE1A7240388E104@EXCH2.cu.msufcu.org>
References: <1DA008EBD17D7E45A802948A5BE1A7240388E101@EXCH2.cu.msufcu.org> <1DA008EBD17D7E45A802948A5BE1A7240388E104@EXCH2.cu.msufcu.org>
Message-ID: <20090423155153.GC22098@shrubbery.net>

Thu, Apr 23, 2009 at 08:41:53AM -0400, Todd Bertolozzi:
> Can anyone point me in the right direction as far as why the daemon
> isn't providing a Username: prompt? I assume it is supposed to?

my guess is that it's not the daemon, but the device. but, prove me right
with debugging, tac_plus -d 16 should show the AVPs

> Thanks,
>
> Todd

From tbertolozzi at msufcu.org Thu Apr 23 22:26:28 2009
From: tbertolozzi at msufcu.org (Todd Bertolozzi)
Date: Thu, 23 Apr 2009 18:26:28 -0400
Subject: [tac_plus] Re: Misc Items
In-Reply-To: <20090423184658.GH22098@shrubbery.net>
References: <1DA008EBD17D7E45A802948A5BE1A7240388E101@EXCH2.cu.msufcu.org> <1DA008EBD17D7E45A802948A5BE1A7240388E104@EXCH2.cu.msufcu.org> <20090423155153.GC22098@shrubbery.net> <1DA008EBD17D7E45A802948A5BE1A7240388E10A@EXCH2.cu.msufcu.org> <20090423184658.GH22098@shrubbery.net>
Message-ID: <1DA008EBD17D7E45A802948A5BE1A7240388E112@EXCH2.cu.msufcu.org>

It appears to be something to do with ssh as when using telnet I do
receive the expected "Username:" prompt.

Todd

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Thursday, April 23, 2009 2:47 PM
To: Todd Bertolozzi
Subject: Re: [tac_plus] Re: Misc Items

Thu, Apr 23, 2009 at 02:17:15PM -0400, Todd Bertolozzi:
> I have debugging set to 16 but don't think I'm really seeing anything
> useful. Here's some of the log file:
>
> Thu Apr 23 14:14:32 2009 [12309]: session.peerip is x.x.x.x
> Thu Apr 23 14:14:32 2009 [12317]: authorization query for 'admin' tty2 from x.x.x.x accepted
> Thu Apr 23 14:14:32 2009 [12309]: session.peerip is x.x.x.x
> Thu Apr 23 14:14:41 2009 [12309]: session.peerip is x.x.x.x
> Thu Apr 23 14:14:41 2009 [12319]: authorization query for 'admin' tty2 from x.x.x.x accepted
> Thu Apr 23 14:14:41 2009 [12309]: session.peerip is x.x.x.x
> Thu Apr 23 14:15:01 2009 [12309]: session.peerip is x.x.x.x
> Thu Apr 23 14:15:01 2009 [12321]: login query for 'berto' tty3 from x.x.x.x accepted
> Thu Apr 23 14:15:01 2009 [12309]: session.peerip is 10.100.220.243
> Thu Apr 23 14:15:01 2009 [12322]: authorization query for 'berto' tty3 from x.x.x.x accepted
> Thu Apr 23 14:15:01 2009 [12309]: session.peerip is x.x.x.x
>
> It's my understanding that the daemon actually provides the login prompt
> of Username: but I could be completely wrong.

it provides the string IFF the device starts an authentication session
with an empty username, but the device does what it wants with it anyway.
the cisco, for example, begins with the username already supplied, so
maybe it's broken and no one else has ever seen the problem. otherwise,
the string will be "Username: ", "\nUser Access Verification\n\nUsername: ",
or tacplus.conf defined. i guess you'd have to use packet debugging to
see it.

> Thanks,
>
> Todd
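The rule john heasley states above (the daemon only gets to supply the "Username:" string when the device opens the authentication session with an empty username) and Nathan Schrenk's per-host `prompt =` stanza earlier in the thread, modelled as an added example that is not tac_plus code: a decoder for the TACACS+ authentication START body and the choice of the first REPLY, following the packet layouts in RFC 8907. The `HOST_PROMPTS` table with its `1.2.3.4` entry is a constructed stand-in for tac_plus.conf (not a parser for it), the `"Password: "` GETPASS string is an assumption the thread does not quote, and the sample START bodies are constructed inline.

```python
"""Added example (not tac_plus code): which prompt a TACACS+ server sends.

Models what john heasley describes: the server can only supply the
"Username:" string when the device opens the authentication session
with an EMPTY user field, by answering GETUSER with the prompt as
server_msg. If the device already filled in the username in the START
packet, the server goes straight to GETPASS and never sends a username
prompt at all. Packet bodies follow RFC 8907 sections 5.1 and 5.2.
HOST_PROMPTS is a constructed stand-in for "host { prompt = ... }"
stanzas in tac_plus.conf, not a parser for that file.
"""
import struct
from typing import Dict, Tuple

# Authentication REPLY status codes and flag (RFC 8907, section 5.2).
TAC_PLUS_AUTHEN_STATUS_GETUSER = 0x04
TAC_PLUS_AUTHEN_STATUS_GETPASS = 0x05
TAC_PLUS_REPLY_FLAG_NOECHO = 0x01

# Default string used when no per-host prompt is configured.
DEFAULT_PROMPT = "Username: "

# Constructed per-device prompts, mirroring "host = 1.2.3.4 { prompt = ... }".
HOST_PROMPTS: Dict[str, str] = {
    "1.2.3.4": "1.2.3.4 Username: ",
}


def parse_authen_start(body: bytes) -> dict:
    """Decode an authentication START body (12-byte TACACS+ header already removed).

    Layout: action, priv_lvl, authen_type, authen_service, user_len, port_len,
    rem_addr_len, data_len (one byte each), then the four variable fields.
    Declared lengths are checked against the real body length so a truncated
    or padded packet is rejected instead of being sliced out of bounds.
    """
    if len(body) < 8:
        raise ValueError("START body shorter than its fixed 8-byte prefix")
    (action, priv_lvl, authen_type, service,
     user_len, port_len, rem_addr_len, data_len) = struct.unpack("!8B", body[:8])
    expected = 8 + user_len + port_len + rem_addr_len + data_len
    if len(body) != expected:
        raise ValueError(f"START body is {len(body)} bytes but lengths declare {expected}")
    fields = {}
    offset = 8
    for name, length in (("user", user_len), ("port", port_len),
                         ("rem_addr", rem_addr_len), ("data", data_len)):
        fields[name] = body[offset:offset + length]
        offset += length
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, **fields}


def choose_first_reply(start_body: bytes, peer_ip: str) -> Tuple[int, str]:
    """Return (status, server_msg) for the first REPLY to a login START.

    Only an empty user field earns a GETUSER carrying the (possibly per-host)
    prompt; otherwise the device already said who is logging in and the next
    step is to ask for the password.
    """
    start = parse_authen_start(start_body)
    if start["user"] == b"":
        return TAC_PLUS_AUTHEN_STATUS_GETUSER, HOST_PROMPTS.get(peer_ip, DEFAULT_PROMPT)
    # "Password: " is an assumed prompt string; the thread does not quote it.
    return TAC_PLUS_AUTHEN_STATUS_GETPASS, "Password: "


def build_authen_reply(status: int, server_msg: str, flags: int = 0) -> bytes:
    """Encode a REPLY body: status, flags, server_msg_len, data_len, server_msg (no data)."""
    msg = server_msg.encode("ascii")
    return struct.pack("!BBHH", status, flags, len(msg), 0) + msg


def first_reply_packet(start_body: bytes, peer_ip: str) -> bytes:
    """Full REPLY body for the START; a password prompt carries the NOECHO flag."""
    status, msg = choose_first_reply(start_body, peer_ip)
    flags = TAC_PLUS_REPLY_FLAG_NOECHO if status == TAC_PLUS_AUTHEN_STATUS_GETPASS else 0
    return build_authen_reply(status, msg, flags)


def make_start_body(user: bytes, port: bytes = b"tty3", rem_addr: bytes = b"") -> bytes:
    """Constructed START body for an ASCII login (action=LOGIN, authen_type=ASCII, service=LOGIN)."""
    return (struct.pack("!8B", 0x01, 0x01, 0x01, 0x01, len(user), len(port), len(rem_addr), 0)
            + user + port + rem_addr)


if __name__ == "__main__":
    # A device that leaves the username empty gets the per-host prompt back.
    print(choose_first_reply(make_start_body(b""), "1.2.3.4"))
    # A device that already supplies the username never sees the prompt string.
    print(choose_first_reply(make_start_body(b"berto"), "1.2.3.4"))
```

Run with a START whose user field is empty and the per-host prompt comes back in a GETUSER; run it with the username already filled in and the reply is a GETPASS, which is why a device that pre-fills the user (as the thread says the Cisco does over ssh) can never display a server-defined prompt no matter what tac_plus.conf says. The length check in `parse_authen_start` is the part a server must not skip: the four length bytes are attacker-controlled input from the network.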
From y.lesaout at free.fr Sat Apr 25 19:07:08 2009
From: y.lesaout at free.fr (Yann Le Saout)
Date: Sat, 25 Apr 2009 21:07:08 +0200
Subject: [tac_plus] Installation problem with a LENNY/DEBIAN
Message-ID: <1240686428.6734.8.camel@localhost.localdomain>

Hi,

I try to install F4.0.4.18 (or F4.0.4.15) on a lenny and when I execute
the configure I've got this error:

"Could not find lbwrap. You must first install tcp_wrappers"

But the checking information gives: "checking whether to use libwrap...yes"

On my system the package libwrap0 (7.6.q-16) is installed and also tcpd
(7.6.q-16)

I don't know what to do to resolve this problem.

Cheers.

From heas at shrubbery.net Sat Apr 25 21:25:51 2009
From: heas at shrubbery.net (john heasley)
Date: Sat, 25 Apr 2009 21:25:51 +0000
Subject: [tac_plus] Re: Installation problem with a LENNY/DEBIAN
In-Reply-To: <1240686428.6734.8.camel@localhost.localdomain>
References: <1240686428.6734.8.camel@localhost.localdomain>
Message-ID: <20090425212551.GD12786@shrubbery.net>

Sat, Apr 25, 2009 at 09:07:08PM +0200, Yann Le Saout:
> Hi,
>
> I try to install F4.0.4.18 (or F4.0.4.15) on a lenny and when I execute
> the configure I've got this error:
>
> "Could not find lbwrap. You must first install tcp_wrappers"
>
> But the checking information gives: "checking whether to use
> libwrap...yes"
>
> On my system the package libwrap0 (7.6.q-16) is installed and also tcpd
> (7.6.q-16)

configure --with-libwrap=/somewhere/lib/..

> I don't know what to do to resolve this problem.
>
> Cheers.

From Sunmeet.Saluja at air2web.com Wed Apr 29 19:27:03 2009
From: Sunmeet.Saluja at air2web.com (Sunmeet Saluja)
Date: Wed, 29 Apr 2009 15:27:03 -0400
Subject: [tac_plus] Re: Misc Items
In-Reply-To: <1DA008EBD17D7E45A802948A5BE1A7240388E104@EXCH2.cu.msufcu.org>
References: <1DA008EBD17D7E45A802948A5BE1A7240388E101@EXCH2.cu.msufcu.org> <1DA008EBD17D7E45A802948A5BE1A7240388E104@EXCH2.cu.msufcu.org>
Message-ID: <336E93A5D77EC246881C518F41A47CCA0DFE8253@EXCHANGE1.atl.air2web.com>

Can you please post the aaa configs from the NAS that you are working
with.

Thanks,
Sunmeet Saluja

From tbertolozzi at msufcu.org Wed Apr 29 21:02:21 2009
From: tbertolozzi at msufcu.org (Todd Bertolozzi) Date: Wed, 29 Apr 2009 17:02:21 -0400 Subject: [tac_plus] Re: Misc Items In-Reply-To: <336E93A5D77EC246881C518F41A47CCA0DFE8253@EXCHANGE1.atl.air2web.com> References: <1DA008EBD17D7E45A802948A5BE1A7240388E101@EXCH2.cu.msufcu.org> <1DA008EBD17D7E45A802948A5BE1A7240388E104@EXCH2.cu.msufcu.org> <336E93A5D77EC246881C518F41A47CCA0DFE8253@EXCHANGE1.atl.air2web.com> Message-ID: <1DA008EBD17D7E45A802948A5BE1A7240388E127@EXCH2.cu.msufcu.org> This actually seems to be something related to SSH or something dumb I'm missing. When using telnet I receive the Username prompt as expected and I can modify the tac_plus.conf file to change that prompt around to my choice. When using SSH I get a "login as:" prompt which doesn't seem to be too much of an issue. I have noticed though that if I log in with a null username it drops out into "@hostname password:" which I prefer it not do obviously. I also seem to have some issues with retry timeouts. I can't seem to limit them in the conf file or on the NAS. Here's a sample of what I was working with. Things have probably been changed around a bit since last I looked at it. aaa authentication login default group tacacs+ local enable aaa authorization config-commands aaa authorization exec default group tacacs+ if-authenticated aaa authorization commands 0 default group tacacs+ if-authenticated aaa authorization commands 1 default group tacacs+ if-authenticated aaa authorization commands 15 default group tacacs+ if-authenticated aaa accounting exec default start-stop group tacacs+ aaa accounting commands 0 default start-stop group tacacs+ aaa accounting commands 1 default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ Thanks, Todd -----Original Message----- 
From: Sunmeet Saluja [mailto:Sunmeet.Saluja at air2web.com]
Sent: Wednesday, April 29, 2009 3:27 PM
To: Todd Bertolozzi; tac_plus at shrubbery.net
Subject: RE: [tac_plus] Re: Misc Items

Can you please post the aaa configs from the NAS that you are working with?

Thanks,
Sunmeet Saluja

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Todd Bertolozzi
Sent: Thursday, April 23, 2009 8:42 AM
To: tac_plus at shrubbery.net
Subject: [tac_plus] Re: Misc Items

Can anyone point me in the right direction as far as why the daemon isn't providing a Username: prompt? I assume it is supposed to?

Thanks,
Todd

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Todd Bertolozzi
Sent: Tuesday, April 21, 2009 2:49 PM
To: tac_plus at shrubbery.net
Subject: [tac_plus] Misc Items

Hello people,

I've been searching around for answers to a few questions but haven't had much luck. Thanks in advance to anyone who can either answer or point me in the right direction.

- I'm used to seeing the Username prompt when using tacacs. However, I don't get that prompt. Is that available with tac_plus, and if so, can I set the username prompt in the conf file so that I know it's actually hitting the tac_plus server?

- Are there other login options that can be set in the conf file, such as a max number of failed connection attempts? I don't really see anything in the man page. Currently there appears to be no limit. Some device commands, like certain aaa commands, don't appear to have an effect (i.e. aaa authentication attempts login 3). The only thing I really see in the man pages is a password 'expires' option.

- What about a login timeout? I am able to set 'ip ssh time-out x', and that actually works, but if I set the above aaa command or 'ip ssh authentication-retries 3' it has no effect.

Thanks,
Todd
From dan.schmidt at uplinkdata.com Wed Apr 29 21:34:23 2009
From: dan.schmidt at uplinkdata.com (Schmidt, Daniel)
Date: Wed, 29 Apr 2009 15:34:23 -0600
Subject: [tac_plus] Re: Misc Items
In-Reply-To: <1DA008EBD17D7E45A802948A5BE1A7240388E127@EXCH2.cu.msufcu.org>
References: <1DA008EBD17D7E45A802948A5BE1A7240388E101@EXCH2.cu.msufcu.org> <1DA008EBD17D7E45A802948A5BE1A7240388E104@EXCH2.cu.msufcu.org> <336E93A5D77EC246881C518F41A47CCA0DFE8253@EXCHANGE1.atl.air2web.com> <1DA008EBD17D7E45A802948A5BE1A7240388E127@EXCH2.cu.msufcu.org>
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BC70D3BE@che-exch-003.uplinkdata.com>

Username prompt is hard coded in the ssh client. I'm not sure what you mean by a retry timeout.
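The aaa block Todd posted, run through a small method-list review. This is an added example for this thread, not code from the original posts or from the tac_plus daemon; the input is his configuration verbatim, while the rule set, the severities and the wording of the findings are this script's own assumptions, and it only understands the IOS method keywords it lists.

```python
"""Review the AAA method lists from a Cisco IOS configuration block.

Added example for this thread, not code from the original posts or from
tac_plus. The rules and finding texts below are this script's assumptions
about what a reviewer would flag.
"""
from collections import namedtuple

AaaList = namedtuple("AaaList", "kind scope listname methods")

# The aaa block exactly as posted in the thread (Todd's NAS configuration).
POSTED_AAA_CONFIG = """\
aaa authentication login default group tacacs+ local enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""

AAA_KINDS = ("authentication", "authorization", "accounting")
SCOPES_WITH_LEVEL = ("commands",)          # "commands 15" carries a level token
ACCOUNTING_RECORD_TYPES = ("start-stop", "stop-only", "wait-start", "none")
FAIL_OPEN_METHODS = ("none", "if-authenticated")   # access with no server decision
LOCAL_METHODS = ("local", "local-case", "enable", "line")  # device-stored secrets


def parse_aaa_line(line):
    """Parse one 'aaa ...' line into an AaaList, or None if it defines no method list."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "aaa" or tok[1] not in AAA_KINDS:
        return None  # e.g. "aaa authorization config-commands" is a switch, not a list
    kind, i = tok[1], 2
    scope = [tok[i]]
    i += 1
    if scope[0] in SCOPES_WITH_LEVEL and i < len(tok):
        scope.append(tok[i])
        i += 1
    if i >= len(tok):
        return None
    listname = tok[i]
    i += 1
    if kind == "accounting" and i < len(tok) and tok[i] in ACCOUNTING_RECORD_TYPES:
        i += 1  # the record type is not a method
    methods = []
    while i < len(tok):
        if tok[i] == "group" and i + 1 < len(tok):
            methods.append("group " + tok[i + 1])
            i += 2
        else:
            methods.append(tok[i])
            i += 1
    return AaaList(kind, " ".join(scope), listname, tuple(methods))


def parse_aaa_config(config_text):
    """Return the method lists defined in a configuration block, in order."""
    parsed = (parse_aaa_line(line) for line in config_text.splitlines())
    return [entry for entry in parsed if entry is not None]


def review_aaa(config_text):
    """Return (severity, message) findings about the fallbacks in each method list."""
    lists = parse_aaa_config(config_text)
    findings = []
    for entry in lists:
        where = f"aaa {entry.kind} {entry.scope} {entry.listname}"
        # IOS moves to the next method only on ERROR (server unreachable), never on
        # a deny, so everything after 'group tacacs+' is the behaviour with tac_plus down.
        for method in entry.methods:
            if method in FAIL_OPEN_METHODS:
                findings.append(("high", f"{where}: '{method}' grants access with no "
                                 "server decision when TACACS+ is unreachable"))
            elif method in LOCAL_METHODS:
                findings.append(("info", f"{where}: falls back to device-local "
                                 f"'{method}' when TACACS+ is unreachable"))
        if entry.kind == "accounting" and not any(m.startswith("group ") for m in entry.methods):
            findings.append(("medium", f"{where}: accounting records go to no server group"))
    scopes = {(e.kind, e.scope) for e in lists}
    if ("authentication", "enable") not in scopes:
        findings.append(("medium", "no 'aaa authentication enable' list: 'enable' is "
                         "checked against the local enable secret, not TACACS+"))
    for kind, scope in sorted(scopes):  # every authorized command level should be accounted
        if kind == "authorization" and scope.startswith("commands") and ("accounting", scope) not in scopes:
            findings.append(("medium", f"aaa authorization {scope} has no matching aaa accounting {scope}"))
    return findings


def summarize(findings):
    """Count findings per severity for a quick overview."""
    counts = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_aaa(POSTED_AAA_CONFIG)
    for severity, message in results:
        print(f"[{severity}] {message}")
    print(summarize(results))
```

Against the posted block the script reports the `if-authenticated` tail on all four authorization lists and the absence of an `aaa authentication enable` list; the `local enable` tail on the login list is reported as informational, since it is the usual availability fallback but does mean the enable password alone gets a session in when the servers are down. Whether to keep those tails is an availability-versus-control decision for the site, not something the script decides.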