<div dir="ltr"><div><div><div><div><div><br>Thanks for the input.<br><br></div><div>I am not using IOS, I am using/customizing pam_tacplus.so Linux module.<br></div><div><br></div>I am trying to set AVP in service=shell, but I am not able to get it right.<br> <br>user = joe {<br> pap = cleartext 123<br> service = shell {<br> default attribute = permit<br> priv-lvl = 15<br> }<br></div><br>And from client I am sending service=shell protocol=ssh. However, the server [tacplus daemon ] is not able to find these AVPs and returning error.<br><br><br>Mon Feb 23 15:03:04 2015 [17466]: Start authorization request<br>Mon Feb 23 15:03:04 2015 [17466]: cfg_get_value: name=joe isuser=1 attr=acl rec=1<br>Mon Feb 23 15:03:04 2015 [17466]: cfg_get_pvalue: returns NULL<br>Mon Feb 23 15:03:04 2015 [17466]: do_author: user='joe'<br>Mon Feb 23 15:03:04 2015 [17466]: cfg_get_value: name=joe isuser=1 attr=before rec=1<br>Mon Feb 23 15:03:04 2015 [17466]: cfg_get_pvalue: returns NULL<br>Mon Feb 23 15:03:04 2015 [17466]: user joe No identifiable service/protocol in authorization request<br>Mon Feb 23 15:03:04 2015 [17466]: Writing AUTHOR/ERROR size=75<br><br></div>What is the right format for using service=shell? It does not accept the service=shell protocol=ssh, it returns error<br><br>Starting tacacs+: Error: expecting '{' but found 'protocol' on line 19<br> [FAILED]<br><br><br></div>However, it works well for service= ppp protocol =ssh<br><br>user = joe {<br> pap = cleartext 123<br> service = ppp protocol = ssh {<br> tunnel-id = my_nas<br> ip-addresses = "173.20.12.19 173.20.12.20"<br> source-ip = 173.5.10.1<br> }<br>}<br><br></div>This is accepted by the tacplu daemon. If I send service=ppp, protocol=ssh from the client.<br><div><div><div><br></div><div><div><div><div><br></div></div></div></div></div></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><br><div>--</div><div><a href="http://about.me/chandank" target="_blank">http://about.me/chandank</a><br></div></div></div>
<br><div class="gmail_quote">On Mon, Feb 23, 2015 at 1:49 PM, heasley <span dir="ltr"><<a href="mailto:heas@shrubbery.net" target="_blank">heas@shrubbery.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Mon, Feb 23, 2015 at 11:42:04AM -0500, Chandan Kumar:<br>
<span class="">> Hi Heasley,<br>
><br>
> Thanks for your response. Basically I am not able to get a working example<br>
> of how to use those AVPs in tac_plus.conf. Whatever I have used so far,<br>
> they appear to have no impact on the server at all. [the basic<br>
> authentication using file /etc/passwd is working though].<br>
<br>
</span>I'm fairly sure that IOS supports the syntax below to change the username<br>
prompt, but the device is not required to honor it, it is optional according<br>
to the spec and is not applicable in all contexts. the daemon sets a default<br>
if one isnt in the config, default_v0_fn.c:default_v0_fn().<br>
<span class=""><br>
> While googling I mostly get examples of how to configure CISCO device<br>
> [client side] and very limited configuration examples associated with<br>
> server configuration other than the file that is packaged with the tac_plus<br>
> source code itself.<br>
><br>
> Example 1:<br>
><br>
> I want to send a prompt message to host connecting from 192.168.2.53<br>
><br>
><br>
> default authentication = file /etc/passwd<br>
><br>
> host = 192.168.2.53 {<br>
> prompt = "Welcome\n"<br>
> }<br>
><br>
> Now when I login, I do not see any "welcome" attched in the reply message<br>
> in wireshark. I only see<br>
><br>
> Status: 0x1 (Authetication Passed)<br>
<br>
</span>it would occur before this; in the GETUSER packet.<br>
<span class=""><br>
> Flags : 0x0<br>
> Server message length : 0<br>
> Data Lengh :0<br>
><br>
> I would appreciate if you could provide a working example of tac_plus.conf<br>
> with some AVPs either at authentication or at authorization phase.<br>
<br>
</span>see priv-lvl, autocmd, inacl, and outacl in the sample config.<br>
<span class=""><br>
> I would appreciate any help in this regard.<br>
><br>
><br>
> Thanks<br>
> Chandan<br>
><br>
> PS: In RADIUS it is very simple to send a reply with auth example:<br>
><br>
> joe Cleartext-Password := "1234"<br>
> Reply-Message := "Welcom"<br>
><br>
> On auth success, the server sends this welcom string, which could be used<br>
> by the client side to provide additional functionality. [I agree it is not<br>
> the best way to do, this example is only for illustration purpose]<br>
<br>
</span>technically it is possible, afaict, to send any message back, but the daemon<br>
does not offer this. it sends actualy status messages, like "failed",<br>
"succees", etc; for the daemon to provide this from the config it would need<br>
to differentiate between all those.<br>
</blockquote></div><br></div>