<html><body><p><font size="2" face="sans-serif">Aaron</font><br><br><font size="2" face="sans-serif">Do you have experience with Arista? It seems I am having similar problem with this device. Authentication works fine, but once i login and send enable password I can run any command i'd like. It's not restricting access to my preconfigured commands:</font><br><br><br><font size="2" face="sans-serif">Arista1#sh run | i aaa</font><br><font size="2" face="sans-serif">aaa group server tacacs+ CiscoACS</font><br><font size="2" face="sans-serif">aaa authentication login default group CiscoACS local</font><br><font size="2" face="sans-serif">aaa authorization exec default group CiscoACS local</font><br><font size="2" face="sans-serif">aaa authorization commands all default group CiscoACS local</font><br><font size="2" face="sans-serif">aaa accounting exec default start-stop group CiscoACS</font><br><font size="2" face="sans-serif">aaa accounting commands all default start-stop group CiscoACS</font><br><font size="2" face="sans-serif">no aaa root</font><br><br><font size="2" face="sans-serif">----- </font><br><br><font size="2" face="sans-serif"> user = testuser {</font><br><font size="2" face="sans-serif"> login = clear "test123"</font><br><font size="2" face="sans-serif"> pap = clear "test123"</font><br><font size="2" face="sans-serif"> member = snm</font><br><font size="2" face="sans-serif"> }</font><br><br><br><font size="2" face="sans-serif"> group = snm {</font><br><font size="2" face="sans-serif"> default service = deny</font><br><font size="2" face="sans-serif"> service = shell {</font><br><font size="2" face="sans-serif"> set shell:roles="\"network-admin\""</font><br><font size="2" face="sans-serif"> default command = deny</font><br><font size="2" face="sans-serif"> default attribute = deny</font><br><font size="2" face="sans-serif"> set priv-lvl = 15</font><br><font size="2" face="sans-serif"> cmd = configure {deny .*}</font><br><font size="2" face="sans-serif"> cmd = clear {</font><br><font size="2" face="sans-serif"> permit "counters"</font><br><font size="2" face="sans-serif"> permit "qos stat"</font><br><font size="2" face="sans-serif"> permit "mls qos int"</font><br><font size="2" face="sans-serif"> }</font><br><font size="2" face="sans-serif"> cmd = disable {permit .*}</font><br><font size="2" face="sans-serif"> cmd = enable {permit .*}</font><br><font size="2" face="sans-serif"> cmd = end {permit .*}</font><br><font size="2" face="sans-serif"> cmd = exit {permit .*}</font><br><font size="2" face="sans-serif"> cmd = logout {permit .*}</font><br><font size="2" face="sans-serif"> cmd = ping {permit .*}</font><br><font size="2" face="sans-serif"> cmd = set {</font><br><font size="2" face="sans-serif"> permit "length 0"</font><br><font size="2" face="sans-serif"> }</font><br><font size="2" face="sans-serif"> cmd = show {</font><br><font size="2" face="sans-serif"> deny "controllers vip"</font><br><font size="2" face="sans-serif"> permit .*</font><br><font size="2" face="sans-serif"> }</font><br><font size="2" face="sans-serif"> cmd = skip-page-display {permit .*}</font><br><font size="2" face="sans-serif"> cmd = terminal {</font><br><font size="2" face="sans-serif"> permit "length 0"</font><br><font size="2" face="sans-serif"> }</font><br><font size="2" face="sans-serif"> cmd = write {</font><br><font size="2" face="sans-serif"> permit "network"</font><br><font size="2" face="sans-serif"> permit "terminal"</font><br><font size="2" face="sans-serif"> permit "memory"</font><br><font size="2" face="sans-serif"> }</font><br><font size="2" face="sans-serif"> }</font><br><font size="2" face="sans-serif"> }</font><br><br><font size="2" face="sans-serif">----</font><br><br><br><font size="2" face="sans-serif">Arista1 login: testuser</font><br><font size="2" face="sans-serif">Password:</font><br><font size="2" face="sans-serif">Last login: Wed Jul 22 18:49:42 on ttyS0</font><br><font size="2" face="sans-serif">Arista1>en</font><br><font size="2" face="sans-serif">Password:</font><br><font size="2" face="sans-serif">Arista1#conf t <--- This command should be restricted</font><br><font size="2" face="sans-serif">Arista1(config)#interface eth 10 <--- This command should be restricted</font><br><font size="2" face="sans-serif">Arista1(config-if-Et10)#shut <--- This command should be restricted</font><br><font size="2" face="sans-serif">Arista1(config-if-Et10)#end</font><br><font size="2" face="sans-serif">Arista1#exit</font><br><br><br><br><img width="16" height="16" src="cid:1__=0ABBF419DFF506C78f9e@AMERICAS.CORP.LOCAL" border="0" alt="Inactive hide details for Aaron Wasserott ---07/16/2015 09:26:32 PM---Try changing "service = shell" to "service = exec" and se"><font size="2" color="#424282" face="sans-serif">Aaron Wasserott ---07/16/2015 09:26:32 PM---Try changing "service = shell" to "service = exec" and see if that works. I have NX-OS working fine</font><br><br><font size="1" color="#5F5F5F" face="sans-serif">From: </font><font size="1" face="sans-serif">Aaron Wasserott <aaron.wasserott@viawest.com></font><br><font size="1" color="#5F5F5F" face="sans-serif">To: </font><font size="1" face="sans-serif">"Kevin.Cruse@Instinet.com" <Kevin.Cruse@Instinet.com>, "tac_plus@shrubbery.net" <tac_plus@shrubbery.net>, </font><br><font size="1" color="#5F5F5F" face="sans-serif">Date: </font><font size="1" face="sans-serif">07/16/2015 09:26 PM</font><br><font size="1" color="#5F5F5F" face="sans-serif">Subject: </font><font size="1" face="sans-serif">RE: [tac_plus] Cisco Nexus Authorization problem</font><br><hr width="100%" size="2" align="left" noshade style="color:#8091A5; "><br><br><br><tt><font size="2">Try changing "service = shell" to "service = exec" and see if that works. I have NX-OS working fine using that. Also, I have never seen the shell service used in real-world examples for network devices. But reading the manpage it appears it should work to prevent them from entering configuration mode, as long as your AAA commands are set right.<br><br>service=shell<br>for exec startup, and also for command authorizations. Requires: aaa authorization exec tacacs+<br><br>Whether authorization happens, and at which prompt level, depends on the aaa authorization settings. It's possible to only restrict exec level commands, and prevent them from entering the 'conf t' command. But if you want them in conf t mode but restrict their commands at that level, you need to enable something like this:<br><br>aaa authorization config-commands default group myTacacsGroup local<br><br>If changing the service doesn't work, include the AAA commands on your NX-OS switches.<br><br>-----Original Message-----<br>From: tac_plus [</font></tt><tt><font size="2"><a href="mailto:tac_plus-bounces@shrubbery.net">mailto:tac_plus-bounces@shrubbery.net</a></font></tt><tt><font size="2">] On Behalf Of Kevin.Cruse@Instinet.com<br>Sent: Thursday, July 16, 2015 3:40 PM<br>To: tac_plus@shrubbery.net<br>Subject: [tac_plus] Cisco Nexus Authorization problem<br><br><br><br>Hello<br><br>I have configured TACPLUS to work with cisco nexus device. I am able to successfully authenticate, however, I am able to run all commands on router. It seems the router is not restricted to the commands specified in my group config. Has anyone gotten Cisco nexus to work properly with tacplus? I need to limit certain users and cannot get this working properly. Any help is greatly appreciated!!! Thanks.<br><br>Group Config:<br><br> group = snm {<br> default service = deny<br> service = shell {<br> set shell:roles="\"network-admin\""<br> default command = deny<br> default attribute = deny<br> set priv-lvl = 15<br> cmd = configure {deny .*}<br> cmd = clear {<br> permit "counters"<br> permit "qos stat"<br> permit "mls qos int"<br> }<br> cmd = disable {permit .*}<br> cmd = enable {permit .*}<br> cmd = end {permit .*}<br> cmd = exit {permit .*}<br> cmd = logout {permit .*}<br> cmd = ping {permit .*}<br> cmd = set {<br> permit "length 0"<br> }<br> cmd = show {<br> deny "controllers vip"<br> permit .*<br> }<br> cmd = skip-page-display {permit .*}<br> cmd = terminal {<br> permit "length 0"<br> }<br> cmd = write {<br> permit "network"<br> permit "terminal"<br> permit "memory"<br> }<br> }<br> }<br><br><br> user = testuser {<br><br> member = snm<br> }<br><br><br>Session output from router:<br><br> telnet labrouter<br>Trying labrouter...<br>Connected to labrouter.<br>Escape character is '^]'.<br>User Access Verification<br>login: testuser<br>Password:<br>Cisco Nexus Operating System (NX-OS) Software TAC support: </font></tt><tt><font size="2"><a href="http://www.cisco.com/tac">http://www.cisco.com/tac</a></font></tt><tt><font size="2"> Copyright (c) 2002-2014, Cisco Systems, Inc. All rights reserved.<br>The copyrights to certain works contained in this software are owned by other third parties and used and distributed under license. Certain components of this software are licensed under the GNU General Public License (GPL) version 2.0 or the GNU Lesser General Public License (LGPL) Version 2.1. A copy of each such license is available at </font></tt><tt><font size="2"><a href="http://www.opensource.org/licenses/gpl-2.0.php">http://www.opensource.org/licenses/gpl-2.0.php</a></font></tt><tt><font size="2"> and </font></tt><tt><font size="2"><a href="http://www.opensource.org/licenses/lgpl-2.1.php">http://www.opensource.org/licenses/lgpl-2.1.php</a></font></tt><tt><font size="2"><br>LABROUTER# configure<br><------------------------------------------------------------ This should be denied Enter configuration commands, one per line. End with CNTL/Z.<br>LABROUTER(config)# interface ethernet 1/1 configure<br><------------------------------------------------------------ This should be denied LABROUTER(config-if)# shut<br><------------------------------------------------------------ This should be denied LABROUTER(config-if)# no shut<br><------------------------------------------------------------ This should be denied LABROUTER(config-if)# end LABROUTER#<br><br>========================================================================================================= <<<< Disclaimer >>>> This message is intended solely for use by the named addressee(s). If you receive this transmission in error, please immediately notify the sender and destroy this message in its entirety, whether in electronic or hard copy format. Any unauthorized use (and reliance thereon), copying, disclosure, retention, or distribution of this transmission or the material in this transmission is forbidden. We reserve the right to monitor and archive electronic communications. This material does not constitute an offer or solicitation with respect to the purchase or sale of any security. It should not be construed to contain any recommendation regarding any security or strategy. Any views expressed are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. This communication is provided on an “as is” basis. It contains material that is owned by Instinet Incorporated, its subsidiaries or its or their licensors, and may not, in whole or in part, be (i) copied, photocopied or duplicated in any form, by any means, or (ii) redistributed, posted, published, excerpted, or quoted without Instinet Incorporated's prior written consent. Please access the following link for important information and instructions: </font></tt><tt><font size="2"><a href="http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt">http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt</a></font></tt><tt><font size="2"> Securities products and services are provided by locally registered brokerage subsidiaries of Instinet Incorporated: Instinet Australia Pty Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the Australian Securities & Investments Commission; Instinet Canada Limited, member IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by the Securities and Futures Commission of Hong Kong; Instinet Singapore Services Private Limited, regulated by the Monetary Authority of Singapore, trading member of The Singapore Exchange Securities Trading Private Limited and clearing member of The Central Depository (Pte) Limited; and Instinet, LLC, member SIPC.<br><br>=========================================================================================================<br>-------------- next part --------------<br>An HTML attachment was scrubbed...<br>URL: <</font></tt><tt><font size="2"><a href="http://www.shrubbery.net/pipermail/tac_plus/attachments/20150716/5c309608/attachment.html">http://www.shrubbery.net/pipermail/tac_plus/attachments/20150716/5c309608/attachment.html</a></font></tt><tt><font size="2">><br>_______________________________________________<br>tac_plus mailing list<br>tac_plus@shrubbery.net<br></font></tt><tt><font size="2"><a href="http://www.shrubbery.net/mailman/listinfo/tac_plus">http://www.shrubbery.net/mailman/listinfo/tac_plus</a></font></tt><tt><font size="2"><br>This message contains information that may be confidential, privileged or otherwise protected by law from disclosure. It is intended for the exclusive use of the addressee(s). Unless you are the addressee or authorized agent of the addressee, you may not review, copy, distribute or disclose to anyone the message or any information contained within. If you have received this message in error, please contact the sender by electronic reply and immediately delete all copies of the message.<br></font></tt><br><font face="sans-serif"><div style="font-size:12px; font-style:italic; font-family:georgia,arial,sans-serif">
<br><br>
=========================================================================================================
<div style="font-size:12px; font-style:italic; font-family:georgia,arial,sans-serif">
<p>
<B><<<< Disclaimer >>>></B>
<p>
This message is intended solely for use by the named addressee(s). If you receive this transmission in error, please immediately notify the sender and destroy this message in its entirety, whether in electronic or hard copy format. Any unauthorized use (and reliance thereon), copying, disclosure, retention, or distribution of this transmission or the material in this transmission is forbidden. We reserve the right to monitor and archive electronic communications. This material does not constitute an offer or solicitation with respect to the purchase or sale of any security. It should not be construed to contain any recommendation regarding any security or strategy. Any views expressed are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. This communication is provided on an “as is” basis. It contains material that is owned by Instinet Incorporated, its subsidiaries or its or their licensors, and may not, in whole or in part, be (i) copied, photocopied or duplicated in any form, by any means, or (ii) redistributed, posted, published, excerpted, or quoted without Instinet Incorporated's prior written consent. Please access the following link for important information and instructions: <a href=" http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt"> http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt</a>
<p>
Securities products and services are provided by locally registered brokerage subsidiaries of Instinet Incorporated: Instinet Australia Pty Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the Australian Securities & Investments Commission; Instinet Canada Limited, member IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by the Securities and Futures Commission of Hong Kong; Instinet Singapore Services Private Limited, regulated by the Monetary Authority of Singapore, trading member of The Singapore Exchange Securities Trading Private Limited and clearing member of The Central Depository (Pte) Limited; and Instinet, LLC, member SIPC.
<p>
<br><br>
=========================================================================================================
</div></font>
</body></html>