<div dir="ltr">Ask on list - probably somebody has used do_auth with Juniper<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, May 14, 2013 at 11:15 AM, Tom Murch <span dir="ltr"><<a href="mailto:tmurch@tommurch.com" target="_blank">tmurch@tommurch.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Daniel, <div><br></div><div>any chance I could get an example config. I am not having much luck. </div>
<div><br></div><div>Tom </div></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Mon, May 13, 2013 at 6:08 PM, Daniel Schmidt <span dir="ltr"><<a href="mailto:daniel.schmidt@wyo.gov" target="_blank">daniel.schmidt@wyo.gov</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">junos-exec - you can send that in do_auth pairs<br></div><div class="gmail_extra"><br><br><div class="gmail_quote"><div>On Mon, May 13, 2013 at 3:21 PM, Tom Murch <span dir="ltr"><<a href="mailto:tmurch@tommurch.com" target="_blank">tmurch@tommurch.com</a>></span> wrote:<br>
</div><div><div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr">How do i pass the service = for two different things? In the tac-plus.conf or I. Think do-aurh.ini </p>
<div class="gmail_quote">On May 13, 2013 4:57 PM, "Daniel Schmidt" <<a href="mailto:daniel.schmidt@wyo.gov" target="_blank">daniel.schmidt@wyo.gov</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div>Yeah, Cisco does NOT like to get pairs it doesn't understand. If your Juniper and Cisco networks are on different IP spaces, then it should be possible by creating a group to match them by IP (device_permit/deny). If not, well....<br>
<br>I don't use a lot of Juniper - I think the tac pairs they send are same - you can un-comment the part that says "for item in av_pairs:" and take a look at the initial pairs they send. If they are, in fact, different than Juniper, I can kluge something to tell the difference like I did with Nexus.<br>
<br></div>On a side note, I added '/' notation via netaddr to do_auth if anybody wants to try it out. Makes a lot more sense than the regular expressions, but requires an egg. <br>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, May 13, 2013 at 11:45 AM, Tom Murch <span dir="ltr"><<a href="mailto:tmurch@tommurch.com" target="_blank">tmurch@tommurch.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Daniel, <div><br></div><div>This worked very well thank you. Is it possible to have multiple service entries? I am not sure how to get around that as I use both juniper and cisco gear I have an issue with auth using both. </div>
<div><br></div><div>Tom </div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Mar 14, 2013 at 4:29 PM, Daniel Schmidt <span dir="ltr"><<a href="mailto:daniel.schmidt@wyo.gov" target="_blank">daniel.schmidt@wyo.gov</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Checkout do_auth.py. Several people have reported it to be very useful.<br>
I've been meaning to do some more work on it and Jathan had some excellent<br>
ideas.<br>
<br>
<a href="http://tacacs.org" target="_blank">tacacs.org</a><br>
<div><div><br>
-----Original Message-----<br>
From: <a href="mailto:tac_plus-bounces@shrubbery.net" target="_blank">tac_plus-bounces@shrubbery.net</a><br>
[mailto:<a href="mailto:tac_plus-bounces@shrubbery.net" target="_blank">tac_plus-bounces@shrubbery.net</a>] On Behalf Of Tom Murch<br>
Sent: Thursday, March 14, 2013 12:43 PM<br>
To: <a href="mailto:tac_plus@shrubbery.net" target="_blank">tac_plus@shrubbery.net</a><br>
Subject: [tac_plus] multiple groups per user<br>
<br>
Hello I am trying to get this working. Reading the mailing list I was<br>
under the impression this was fixed. I am trying to have the same users<br>
admin both juniper and hp gear.<br>
<br>
#<br>
# tacacs configuration file<br>
# xxxxx -<br>
# /etc/tac_plus.conf<br>
<br>
# set the key<br>
key = xxxxx<br>
<br>
accounting file = /var/log/tac_plus.acct<br>
<br>
#group accounts<br>
<br>
group = admins {<br>
## cli service for junipers<br>
service = junos-exec<br>
{<br>
local-user-name = admins<br>
allow-commands = "all"<br>
allow-configuration = "all"<br>
deny-commands = ""<br>
deny-configuration = ""<br>
}<br>
}<br>
<br>
group = admins2 {<br>
default service = permit<br>
service = exec {<br>
priv-lvl = 15<br>
}<br>
}<br>
<br>
# users accounts<br>
user = tom {<br>
<br>
member = admins<br>
login = des "xxxxx"<br>
enable = cleartext "xxxxx"<br>
name = "Thomas Murch"<br>
}<br>
<br>
user = tomhp {<br>
member = admins2<br>
login = des "xxxxxx"<br>
enable = cleartext "xxxx"<br>
name = "Thomas Murch"<br>
}<br>
</div></div>-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL:<br>
<<a href="http://www.shrubbery.net/pipermail/tac_plus/attachments/20130314/2e757a13/attachment.html" target="_blank">http://www.shrubbery.net/pipermail/tac_plus/attachments/20130314/2e757a13<br>
/attachment.html</a>><br>
_______________________________________________<br>
tac_plus mailing list<br>
<a href="mailto:tac_plus@shrubbery.net" target="_blank">tac_plus@shrubbery.net</a><br>
<a href="http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus" target="_blank">http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus</a><br>
<br>
E-Mail to and from me, in connection with the transaction<br>
of public business, is subject to the Wyoming Public Records<br>
Act and may be disclosed to third parties.<br>
<br>
</blockquote></div><br></div>
</blockquote></div><br></div>
<pre>E-Mail to and from me, in connection with the transaction
of public business, is subject to the Wyoming Public Records
Act and may be disclosed to third parties.
</pre></blockquote></div>
</blockquote></div></div></div><br></div><div><div>
<pre>E-Mail to and from me, in connection with the transaction
of public business, is subject to the Wyoming Public Records
Act and may be disclosed to third parties.
</pre></div></div></blockquote></div><br></div>
</blockquote></div><br></div>
<pre>
E-Mail to and from me, in connection with the transaction
of public business, is subject to the Wyoming Public Records
Act and may be disclosed to third parties.