<div dir="ltr">found out need to define group which needs to map to group name local to the arbor appliance.<div><br></div><div><div>Fri Nov 10 00:42:49 2017 [29090]: connect from 192.168.1.100 [192.168.1.100]</div><div>Fri Nov 10 00:42:50 2017 [29090]: login query for 'iqbala' port tty?? from 192.168.1.100 accepted</div><div>Fri Nov 10 00:42:50 2017 [29114]: connect from 192.168.1.100 [192.168.1.100]</div><div>Fri Nov 10 00:42:50 2017 [29114]: Start authorization request</div><div>Fri Nov 10 00:42:50 2017 [29114]: do_author: user='iqbala'</div><div>Fri Nov 10 00:42:50 2017 [29114]: user 'iqbala' found</div><div>Fri Nov 10 00:42:50 2017 [29114]: nas:service=arbor (passed thru)</div><div>Fri Nov 10 00:42:50 2017 [29114]: nas:absent, server:arbor_group=arbor_admin -> add arbor_group=arbor_admin (k)</div><div>Fri Nov 10 00:42:50 2017 [29114]: added 1 args</div><div>Fri Nov 10 00:42:50 2017 [29114]: out_args[0] = service=arbor input copy discarded</div><div>Fri Nov 10 00:42:50 2017 [29114]: out_args[1] = arbor_group=arbor_admin compacted to out_args[0]</div><div>Fri Nov 10 00:42:50 2017 [29114]: 1 output args</div><div>Fri Nov 10 00:42:50 2017 [29114]: authorization query for 'iqbala' login from 192.168.1.100 accepted</div><div><br></div><div><br></div><div>group = ARBOR_ADMIN {</div><div> service = arbor {</div><div> arbor_group = arbor_admin</div><div> }</div><div>}</div></div><div><br></div><div>much closer now</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Nov 9, 2017 at 7:25 PM, Asif Iqbal <span dir="ltr"><<a href="mailto:vadud3@gmail.com" target="_blank">vadud3@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>This is all I get when doing debug like this and type the ``shell'' command</div><div><br></div><div> -d 8 -d 16 -d 32 -d 64 -d 128 -d 256 -d 512 -d 1024 -d 2048 -d 32768 -d 65536<br></div><div><br></div><div>Also setup default service = permit</div><div><br></div><div>Fri Nov 10 00:09:44 2017 [27585]: connect from 192.168.1.100 [192.168.1.100]</div><div>Fri Nov 10 00:09:45 2017 [27585]: login query for 'iqbala' port tty?? from 192.168.1.100 accepted</div><div>Fri Nov 10 00:09:45 2017 [27619]: connect from 192.168.1.100 [192.168.1.100]</div><div>Fri Nov 10 00:09:45 2017 [27619]: Start authorization request</div><div>Fri Nov 10 00:09:45 2017 [27619]: do_author: user='iqbala'</div><div>Fri Nov 10 00:09:45 2017 [27619]: user 'iqbala' found</div><div>Fri Nov 10 00:09:45 2017 [27619]: svc=N_svc protocol= svcname=arbor not found, permitted by default</div><div>Fri Nov 10 00:09:45 2017 [27619]: authorization query for 'iqbala' login from 192.168.1.100 accepted</div><div>Fri Nov 10 00:09:45 2017 [27630]: connect from 192.168.1.100 [192.168.1.100]</div><div>Fri Nov 10 00:09:45 2017 [27630]: Start authorization request</div><div>Fri Nov 10 00:09:45 2017 [27630]: do_author: user='iqbala'</div><div>Fri Nov 10 00:09:45 2017 [27630]: user 'iqbala' found</div><div>Fri Nov 10 00:09:45 2017 [27630]: svc=N_svc protocol= svcname=system not found, permitted by default</div><div>Fri Nov 10 00:09:45 2017 [27630]: authorization query for 'iqbala' login from 192.168.1.100 accepted</div><div><br></div><div><br></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Nov 9, 2017 at 6:42 PM, heasley <span dir="ltr"><<a href="mailto:heas@shrubbery.net" target="_blank">heas@shrubbery.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Thu, Nov 09, 2017 at 04:38:39PM -0500, Asif Iqbal:<br>
<span>> Hi All.<br>
><br>
> Any one doing TACACS+ with Arbor? We can authenticate fine, but failing to<br>
> get into shell mode.<br>
><br>
> with -d 8 -d 16 I get no following log when run shell command, and Arbor<br>
> says "970: Command requires higher privilege"<br>
><br>
> Thu Nov 9 21:23:25 2017 [3079]: login query for 'iqbala' port tty?? from<br>
> > 192.168.1.100 accepted<br>
> > Thu Nov 9 21:23:25 2017 [3113]: connect from 192.168.1.100 [192.168.1.100]<br>
> > Thu Nov 9 21:23:25 2017 [3113]: Start authorization request<br>
> > Thu Nov 9 21:23:25 2017 [3113]: do_author: user='iqbala'<br>
> > Thu Nov 9 21:23:25 2017 [3113]: user 'iqbala' found<br>
> > Thu Nov 9 21:23:25 2017 [3113]: svc=N_svc protocol= not found, denied by<br>
> > default<br>
<br>
</span>enable the packet dump debug to see what service the device is sending.<br>
you dont have that service in the config so its going to the default.<br>
<span><br>
> > Thu Nov 9 21:23:25 2017 [3113]: authorization query for 'iqbala' login<br>
> > from 192.168.1.100 rejected<br>
> > Thu Nov 9 21:23:25 2017 [3122]: connect from 192.168.1.100 [192.168.1.100]<br>
> > Thu Nov 9 21:23:25 2017 [3122]: Start authorization request<br>
> > Thu Nov 9 21:23:25 2017 [3122]: do_author: user='iqbala'<br>
> > Thu Nov 9 21:23:25 2017 [3122]: user 'iqbala' found<br>
> > Thu Nov 9 21:23:25 2017 [3122]: svc=N_svc protocol= not found, denied by<br>
> > default<br>
> > Thu Nov 9 21:23:25 2017 [3122]: authorization query for 'iqbala' login<br>
> > from 192.168.1.100 rejected<br>
><br>
><br>
><br>
><br>
> Appreciate any help!<br>
><br>
><br>
> --<br>
> Asif Iqbal<br>
> PGP Key: 0xE62693C5 KeyServer: <a href="http://pgp.mit.edu" rel="noreferrer" target="_blank">pgp.mit.edu</a><br>
> A: Because it messes up the order in which people normally read text.<br>
> Q: Why is top-posting such a bad thing?<br>
</span>> -------------- next part --------------<br>
> An HTML attachment was scrubbed...<br>
> URL: <<a href="http://www.shrubbery.net/pipermail/tac_plus/attachments/20171109/d2c152fb/attachment.html" rel="noreferrer" target="_blank">http://www.shrubbery.net/pipe<wbr>rmail/tac_plus/attachments/<wbr>20171109/d2c152fb/attachment.<wbr>html</a>><br>
> ______________________________<wbr>_________________<br>
> tac_plus mailing list<br>
> <a href="mailto:tac_plus@shrubbery.net" target="_blank">tac_plus@shrubbery.net</a><br>
> <a href="http://www.shrubbery.net/mailman/listinfo/tac_plus" rel="noreferrer" target="_blank">http://www.shrubbery.net/mailm<wbr>an/listinfo/tac_plus</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="m_-903079407836212126gmail_signature" data-smartmail="gmail_signature">Asif Iqbal<br>PGP Key: 0xE62693C5 KeyServer: <a href="http://pgp.mit.edu" target="_blank">pgp.mit.edu</a><br>A: Because it messes up the order in which people normally read text.<br>Q: Why is top-posting such a bad thing?<br><br></div>
</div>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Asif Iqbal<br>PGP Key: 0xE62693C5 KeyServer: <a href="http://pgp.mit.edu" target="_blank">pgp.mit.edu</a><br>A: Because it messes up the order in which people normally read text.<br>Q: Why is top-posting such a bad thing?<br><br></div>
</div>