<div><div><div><div>I am still having the exact same problem. </div><div><br></div><div>The tac_plus daemon is NOT sending optional a/v pairs over the wire at all. I had been in communication with Dan back in September about modifying do_auth.py to be able to append or remove a/v pairs. Currently do_auth.py is only able to replace existing pairs. I was going to try to contribute code to make do_auth.py do this, but it got de-prioritized until last week and I had to move onto something else. I am just now revisiting this issue.</div>
<div><br></div><div>Using this configuration:</div><div><br></div><div>group = admin {</div><div> default service = permit</div><div> service = exec {</div><div> optional brcd-role = admin</div><div> priv-lvl = 15</div>
<div> }</div><div>}</div><div>user = jathan {</div><div> login = cleartext jathan</div><div> pap = cleartext jathan</div><div> member = admin</div><div>}</div><div><br></div><div>And running tac_plus with maximum debug output, you see this when I login to the device and it sends the authorization request:</div>
<div><br></div><div>Mon Jan 23 09:26:11 2012 [11716]: Start authorization request</div><div>Mon Jan 23 09:26:11 2012 [11716]: cfg_get_value: name=jathan isuser=1 attr=acl rec=1</div><div>Mon Jan 23 09:26:11 2012 [11716]: cfg_get_value: recurse group = admin</div>
<div>Mon Jan 23 09:26:11 2012 [11716]: cfg_get_pvalue: returns NULL</div><div>Mon Jan 23 09:26:11 2012 [11716]: do_author: user='jathan'</div><div>Mon Jan 23 09:26:11 2012 [11716]: cfg_get_value: name=jathan isuser=1 attr=before rec=1</div>
<div>Mon Jan 23 09:26:11 2012 [11716]: cfg_get_value: recurse group = admin</div><div>Mon Jan 23 09:26:11 2012 [11716]: cfg_get_pvalue: returns NULL</div><div>Mon Jan 23 09:26:11 2012 [11716]: user 'jathan' found</div>
<div>Mon Jan 23 09:26:11 2012 [11716]: exec authorization request for jathan</div><div>Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: username=jathan N_svc_exec proto= svcname= rec=1</div><div>Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: recurse group = admin</div>
<div>Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: found N_svc_exec proto= svcname=</div><div>Mon Jan 23 09:26:11 2012 [11716]: exec is explicitly permitted by line 6</div><div>Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: username=jathan N_svc_exec proto= svcname= rec=1</div>
<div>Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: recurse group = admin</div><div>Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: found N_svc_exec proto= svcname=</div><div>Mon Jan 23 09:26:11 2012 [11716]: nas:service=shell (passed thru)</div>
<div>Mon Jan 23 09:26:11 2012 [11716]: nas:cmd= (passed thru)</div><div>Mon Jan 23 09:26:11 2012 [11716]: nas:absent, server:priv-lvl=15 -> add priv-lvl=15 (k)</div><div>Mon Jan 23 09:26:11 2012 [11716]: added 1 args</div>
<div>Mon Jan 23 09:26:11 2012 [11716]: out_args[0] = service=shell input copy discarded</div><div>Mon Jan 23 09:26:11 2012 [11716]: out_args[1] = cmd= input copy discarded</div><div>Mon Jan 23 09:26:11 2012 [11716]: out_args[2] = priv-lvl=15 compacted to out_args[0]</div>
<div>Mon Jan 23 09:26:11 2012 [11716]: 1 output args</div><div>Mon Jan 23 09:26:11 2012 [11716]: cfg_get_value: name=jathan isuser=1 attr=after rec=1</div><div>Mon Jan 23 09:26:11 2012 [11716]: cfg_get_value: recurse group = admin</div>
<div>Mon Jan 23 09:26:11 2012 [11716]: cfg_get_pvalue: returns NULL</div><div>Mon Jan 23 09:26:11 2012 [11716]: Writing AUTHOR/PASS_ADD size=30</div><div><br></div><div>Which results in this experience on the device:</div>
<div><br></div><div>vdxhub1-lab-sw0 login: jathan</div><div>Password: </div><div>User's role is unavailable, using default.</div><div>Welcome to the Brocade Network Operating System Software</div><div>jathan connected from 10.178.91.108 using console on vdxhub1-lab-sw0</div>
<div>vdxhub1-lab-sw0# </div><div><br></div><div>Now, if I change that a/v pair to mandatory (remove the optional prefix):</div><div><br></div><div>Mon Jan 23 09:30:29 2012 [11851]: Start authorization request</div><div>Mon Jan 23 09:30:29 2012 [11851]: cfg_get_value: name=jathan isuser=1 attr=acl rec=1</div>
<div>Mon Jan 23 09:30:29 2012 [11851]: cfg_get_value: recurse group = admin</div><div>Mon Jan 23 09:30:29 2012 [11851]: cfg_get_pvalue: returns NULL</div><div>Mon Jan 23 09:30:29 2012 [11851]: do_author: user='jathan'</div>
<div>Mon Jan 23 09:30:29 2012 [11851]: cfg_get_value: name=jathan isuser=1 attr=before rec=1</div><div>Mon Jan 23 09:30:29 2012 [11851]: cfg_get_value: recurse group = admin</div><div>Mon Jan 23 09:30:29 2012 [11851]: cfg_get_pvalue: returns NULL</div>
<div>Mon Jan 23 09:30:29 2012 [11851]: user 'jathan' found</div><div>Mon Jan 23 09:30:29 2012 [11851]: exec authorization request for jathan</div><div>Mon Jan 23 09:30:29 2012 [11851]: cfg_get_svc_node: username=jathan N_svc_exec proto= svcname= rec=1</div>
<div>Mon Jan 23 09:30:29 2012 [11851]: cfg_get_svc_node: recurse group = admin</div><div>Mon Jan 23 09:30:29 2012 [11851]: cfg_get_svc_node: found N_svc_exec proto= svcname=</div><div>Mon Jan 23 09:30:29 2012 [11851]: exec is explicitly permitted by line 6</div>
<div>Mon Jan 23 09:30:29 2012 [11851]: cfg_get_svc_node: username=jathan N_svc_exec proto= svcname= rec=1</div><div>Mon Jan 23 09:30:29 2012 [11851]: cfg_get_svc_node: recurse group = admin</div><div>Mon Jan 23 09:30:29 2012 [11851]: cfg_get_svc_node: found N_svc_exec proto= svcname=</div>
<div>Mon Jan 23 09:30:29 2012 [11851]: nas:service=shell (passed thru)</div><div>Mon Jan 23 09:30:29 2012 [11851]: nas:cmd= (passed thru)</div><div>Mon Jan 23 09:30:29 2012 [11851]: nas:absent, server:brcd-role=admin -> add brcd-role=admin (k)</div>
<div>Mon Jan 23 09:30:29 2012 [11851]: nas:absent, server:priv-lvl=15 -> add priv-lvl=15 (k)</div><div>Mon Jan 23 09:30:29 2012 [11851]: added 2 args</div><div>Mon Jan 23 09:30:29 2012 [11851]: out_args[0] = service=shell input copy discarded</div>
<div>Mon Jan 23 09:30:29 2012 [11851]: out_args[1] = cmd= input copy discarded</div><div>Mon Jan 23 09:30:29 2012 [11851]: out_args[2] = brcd-role=admin compacted to out_args[0]</div><div>Mon Jan 23 09:30:29 2012 [11851]: out_args[3] = priv-lvl=15 compacted to out_args[1]</div>
<div>Mon Jan 23 09:30:29 2012 [11851]: 2 output args</div><div>Mon Jan 23 09:30:29 2012 [11851]: cfg_get_value: name=jathan isuser=1 attr=after rec=1</div><div>Mon Jan 23 09:30:29 2012 [11851]: cfg_get_value: recurse group = admin</div>
<div>Mon Jan 23 09:30:29 2012 [11851]: cfg_get_pvalue: returns NULL</div><div>Mon Jan 23 09:30:29 2012 [11851]: Writing AUTHOR/PASS_ADD size=46</div><div><br></div><div>Note that it accurately picked up the attribute from the config and sent it back to the device. When I login to the device, I get the admin privileges I am expecting:</div>
<div><br></div><div>vdxhub1-lab-sw0 login: jathan</div><div>Password: </div><div>Welcome to the Brocade Network Operating System Software</div><div>jathan connected from 10.178.91.108 using console on vdxhub1-lab-sw0</div>
<div>vdxhub1-lab-sw0# </div><div><br></div><div>This does seem like a bug in tac_plus in which it is not sending optional A/V pairs at all. So I have two asks of this list:</div><div><br></div><div>1. Would it be possible by someone familiar with the C code to confirm as to whether this is actually a bug or not? If so, would it be possible to get it addressed for a upcoming release? </div>
<div><br></div><div>2. Dan, if you have the resources/time would you be willing to add the support for the av_pairs_append thing you and I had talked about in email? (I had gotten it working in my lab before, but you have since updated do_auth.py to version 1.8).</div>
<div><br></div><div>Thanks,</div><div><br></div><div>jathan.</div><div><br></div><div class="gmail_quote">On Mon, Jan 23, 2012 at 8:07 AM, Mick Day <span dir="ltr"><<a href="mailto:mick@mickday.com">mick@mickday.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
Thanks for the information but my specific question was regarding how<br>
tac_plus deals with optional a/v pairs , in the following configuration<br>
should the a/v pair " brcd-role*admin" be sent to NAS?<br>
<div class="im"><br>
group = admin {<br>
default service = permit<br>
service = exec {<br>
priv-lvl = 15<br>
optional brcd-role = admin<br>
}<br>
}<br>
<br>
</div>I have now tested this with Cisco ACS and TACACS.net both of which send the<br>
optional a/v pair but tac_plus does not?<br>
<div class="HOEnZb"><div class="h5"><br>
-----Original Message-----<br>
From: Daniel Schmidt [mailto:<a href="mailto:daniel.schmidt@wyo.gov">daniel.schmidt@wyo.gov</a>]<br>
Sent: 23 January 2012 15:34<br>
To: Mick Day; <a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br>
Subject: RE: [tac_plus] Should optional A/V pair be sent?<br>
<br>
I also have noted that if you send a Cisco switch/router anything other than<br>
"priv-lvl", they do not work. One workaround is to use do_auth. The<br>
following example is brocade's traditional privlvl, but the same concept<br>
should work with the brcd-role you describe. (Note, this is more to fix a<br>
Cisco bug than a Brocade) Simply put: If you match a brocade device and<br>
find something that says "priv-lvl" replace it with "brocade-privlvl=5"<br>
<br>
[brocade_disable]<br>
host_allow =<br>
.*<br>
device_permit =<br>
<list of brocade devices><br>
command_permit =<br>
.*<br>
av_pairs =<br>
priv-lvl,brocade-privlvl=5<br>
<br>
-----Original Message-----<br>
From: <a href="mailto:tac_plus-bounces@shrubbery.net">tac_plus-bounces@shrubbery.net</a><br>
[mailto:<a href="mailto:tac_plus-bounces@shrubbery.net">tac_plus-bounces@shrubbery.net</a>] On Behalf Of Mick Day<br>
Sent: Monday, January 23, 2012 4:31 AM<br>
To: <a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br>
Subject: [tac_plus] Should optional A/V pair be sent?<br>
<br>
Hi Everyone,<br>
<br>
I am having a problem with sending optional a/v pair from tac_plus, this is<br>
related to post<br>
<a href="http://www.shrubbery.net/pipermail/tac_plus/2011-September/000978.html" target="_blank">http://www.shrubbery.net/pipermail/tac_plus/2011-September/000978.html</a> as it<br>
now appears that the latest Brocade VDX code now supports optional a/v pairs<br>
for 'brcd-role' the only problem is that when the NAS authenticates with the<br>
server only the mandatory a/v pairs are being sent<br>
<br>
My configuration is as follows:<br>
<br>
group = admin {<br>
default service = permit<br>
service = exec {<br>
priv-lvl = 15<br>
optional brcd-role = admin<br>
}<br>
}<br>
<br>
The NAS only ever receives the a/v pair ' priv-lvl = 15' is this expected<br>
behaviour? If I reconfigure the 'brcd-role' to a mandatory it then sends<br>
both 'priv-lvl' and 'brcd-role' but then this creates the same problem as<br>
described in previous post<br>
<a href="http://www.shrubbery.net/pipermail/tac_plus/2011-September/000978.html" target="_blank">http://www.shrubbery.net/pipermail/tac_plus/2011-September/000978.html</a><br>
where Cisco devices fail authorisation.<br>
<br>
I have also tried the same with Cisco ACS and this sends both the mandatory<br>
and optional a/v pairs allowing both devices to be able to login.<br>
<br>
I am unclear as to whether it is expected behaviour for server to send<br>
optional a/v pairs by default?<br>
<br>
_______________________________________________<br>
tac_plus mailing list<br>
<a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br>
<a href="http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
E-Mail" target="_blank">http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus<br>
E-Mail</a> to and from me, in connection with the transaction of public<br>
business,is subject to the Wyoming Public Records Act, and may be disclosed<br>
to third parties.<br>
<br>
_______________________________________________<br>
tac_plus mailing list<br>
<a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br>
<a href="http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus" target="_blank">http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>Jathan.<br>--<br>
</div></div></div>