<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Jun 16, 2014 at 5:02 PM, Asif Iqbal <span dir="ltr"><<a href="mailto:vadud3@gmail.com" target="_blank">vadud3@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote"><div class="">On Mon, Jun 16, 2014 at 4:20 PM, Aaron Wasserott <span dir="ltr"><<a href="mailto:aaron.wasserott@viawest.com" target="_blank">aaron.wasserott@viawest.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">If you use DEFAULT in both tac_plus.conf and do_auth.ini then, no, you could not restrict who can log in to what. The only restriction there would be locking that user account in LDAP/AD to prevent any access for that user.<br>
<br>
But if you use DEFAULT in tac_plus.conf and then define users/groups in do_auth.ini, you can restrict that way who can log in to what.<br></blockquote><div><br></div></div><div>device_deny is not being honored.</div>
<div><br></div><div><pre>[users]
DEFAULT =
    noprivs
iqbala =
    noprivs
[noprivs]
host_deny =
    .*
host_allow =
device_deny =
    .*
device_allow =
command_deny =
    .*
command_permit =
</pre></div><div><br></div><div>user "iqbala" can still log in to a router. command_deny works fine.</div><div><br></div><div>I do not see any log.</div></div></div></div></blockquote><div><br></div><div><br></div><div><br></div><div>Oh yeah, with DEFAULT in both tac_plus.conf and do_auth.ini, device_deny works.</div><div><br></div>
<div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div><div class="h5"><div>
<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
I remember reading your emails before, and it sounds like you have a pretty complicated user base setup. The best way is to model user access around the tried-and-true tier groups, like tier1, tier2, tier3. Then you could have those three groups defined in tac_plus.conf pointing to different do_auth.ini files that control access to certain devices. The big issue for you will be something you mentioned a few weeks back, where you said you want users in different groups. You might want to think about letting more trusted/privileged users have access to things they don't necessarily need, so you can just stick them in one group like tier2.<br>
<div><div><br></div></div></blockquote></div></div></div></div></div></blockquote><div><br></div><div><br></div><div>So I have over 1500 network devices. Each vendor type gets its own instance of tac_plus, which can point to a separate do_auth.ini file like you suggested.</div>
<div><br></div><div>Otherwise I have to consolidate all the devices in permit or deny blocks for different groups. That would be a nightmare if I want to consolidate to one do_auth.ini file. Plus it will be slow to read through the list of devices for each authorization request for 1000s of employees. Maybe there should be a database option for reading device lists to make it perform well.</div>
<div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div><div class="h5"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div><div>
-----Original Message-----<br>
From: tac_plus [mailto:<a href="mailto:tac_plus-bounces@shrubbery.net" target="_blank">tac_plus-bounces@shrubbery.net</a>] On Behalf Of Asif Iqbal<br>
Sent: Monday, June 16, 2014 1:17 PM<br>
To: <a href="mailto:tac_plus@shrubbery.net" target="_blank">tac_plus@shrubbery.net</a><br>
Subject: [tac_plus] user DEFAULT - anyone can login?<br>
<br>
So if I understand correctly, with the following stanza in tac_plus.conf, anyone with valid LDAP credentials (PAM is pointing to LDAP in my case) can log in to a router?<br>
<br>
user = DEFAULT {<br>
login = PAM<br>
member = doauthaccess<br>
}<br>
<br>
I am guessing I cannot really use this should I want to limit who can log in?<br>
<br>
I guess I cannot take advantage of do_auth to prevent login since it gets called after authorization?<br>
<br>
Maybe I can use do_auth with before authorization as well, define the allowed users under the [users] stanza, and limit it that way if I want to shrink my tac_plus.conf user blocks to just DEFAULT?<br>
<br>
Please advise.<br>
<br>
--<br>
Asif Iqbal<br>
PGP Key: 0xE62693C5 KeyServer: <a href="http://pgp.mit.edu" target="_blank">pgp.mit.edu</a><br>
A: Because it messes up the order in which people normally read text.<br>
Q: Why is top-posting such a bad thing?<br>
</div></div>
</blockquote></div></div></div><div><div class="h5">
</div></div></div></div>
</blockquote></div>
</div></div>
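The do_auth.ini layout quoted in this thread, worked through as an added example. This is my code, not do_auth.py's or the tac_plus project's: it parses the [users]/[group] layout with Python's configparser and applies each group's host/device rules in deny-before-allow order, with the fall-through to a DEFAULT user entry that the thread is about. The precedence order, the anchored (fullmatch) regex test, reading host_ip as the user's source address and device_ip as the network device, the "ops"/"routers" group and every IP address are assumptions I constructed; none of them come from the thread or from do_auth.py itself.

```python
"""Walk a do_auth.ini-style rule set for one user, host and device.

Added example, not do_auth.py's own code. The precedence (deny list wins,
then an allow list must match), the anchored fullmatch test, and the sample
group/IP values are constructed assumptions, not taken from the thread or
from do_auth.py.
"""
import configparser
import re

# Constructed sample: the [users]/[noprivs] block from the thread plus an
# extra "routers" group so that a permit path is exercised as well.
SAMPLE_INI = r"""
[users]
DEFAULT =
    noprivs
iqbala =
    noprivs
ops =
    routers
[noprivs]
host_deny =
    .*
host_allow =
device_deny =
    .*
device_allow =
command_deny =
    .*
command_permit =
[routers]
host_deny =
host_allow =
    .*
device_deny =
    10\.0\.9\..*
device_allow =
    10\.0\..*
command_deny =
command_permit =
    .*
"""


def load_rules(text):
    """Parse the ini text; keep option names case-sensitive so DEFAULT stays DEFAULT."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def _lines(value):
    """Split a multi-line ini value into its non-empty, stripped lines."""
    return [ln.strip() for ln in value.splitlines() if ln.strip()]


def _matches(patterns, value):
    """True if any pattern matches the whole value (anchored, unlike a bare search)."""
    return any(re.fullmatch(p, value) for p in patterns)


def group_permits(cp, group, host_ip, device_ip):
    """Apply one group's host/device rules: a deny hit ends it, then an allow must match."""
    keys = ("host_deny", "host_allow", "device_deny", "device_allow")
    rule = {k: _lines(cp.get(group, k, fallback="")) for k in keys}
    if _matches(rule["host_deny"], host_ip):
        return False, "host_deny"
    if not _matches(rule["host_allow"], host_ip):
        return False, "host_allow (no match)"
    if _matches(rule["device_deny"], device_ip):
        return False, "device_deny"
    if not _matches(rule["device_allow"], device_ip):
        return False, "device_allow (no match)"
    return True, "permit"


def authorize(cp, user, host_ip, device_ip):
    """Resolve the user's groups (falling back to DEFAULT) and permit if any group does."""
    users = cp["users"]
    if user in users:
        groups = _lines(users[user])
    elif "DEFAULT" in users:
        # Any authenticated user who is not listed inherits DEFAULT's groups.
        groups = _lines(users["DEFAULT"])
    else:
        # No DEFAULT entry: an unlisted user gets no groups and is denied.
        return False, "user not listed and no DEFAULT entry"
    reasons = []
    for group in groups:
        ok, why = group_permits(cp, group, host_ip, device_ip)
        if ok:
            return True, f"{group}: permit"
        reasons.append(f"{group}: {why}")
    return False, "; ".join(reasons)


if __name__ == "__main__":
    rules = load_rules(SAMPLE_INI)
    for who, dev in (("iqbala", "10.0.1.1"), ("ops", "10.0.1.1"),
                     ("ops", "10.0.9.1"), ("nobody", "10.0.1.1")):
        print(who, dev, authorize(rules, who, "192.0.2.10", dev))
```

The unlisted-user case is the point the thread turns on: without a DEFAULT entry in [users], a user who is not named gets no groups and is denied; with DEFAULT present, every user who can authenticate inherits DEFAULT's groups, so whatever those groups permit is reachable by anyone with valid LDAP credentials. Anchoring the regexes with fullmatch is a deliberate choice here so that a pattern like 10\.0\..* cannot match more than intended.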