Comments on: Easier Tacacs Configurations with do_auth http://tacacs.org/2009/09/26/easy-tacacs-control-with-do_auth/ Casting Light on the Dark Art of TACACS+ Thu, 08 Sep 2011 03:11:00 -0400 http://wordpress.org/?v=2.8.4 hourly 1 By: helpdeskdan http://tacacs.org/2009/09/26/easy-tacacs-control-with-do_auth/comment-page-1/#comment-2539 helpdeskdan Thu, 08 Sep 2011 03:11:00 +0000 http://blogs.sackheads.org/tacacsplus/?p=60#comment-2539 <p>Sry 4 late reply, didn't see comment. This is easy, put the commands you want to deny in command<em>deny section, and put a .* in command</em>permit.</p> Sry 4 late reply, didn’t see comment. This is easy, put the commands you want to deny in commanddeny section, and put a .* in commandpermit.

]]> By: Ivan http://tacacs.org/2009/09/26/easy-tacacs-control-with-do_auth/comment-page-1/#comment-2414 Ivan Sun, 31 Jul 2011 21:26:32 +0000 http://blogs.sackheads.org/tacacsplus/?p=60#comment-2414 <p>Hi Dan,</p> <p>how can i write only several commands which I want to deny. for example I want to deny those commands: no ip route interface gig 0/0 no aaa authentication login default group tacacs+ local no aaa authorization exec default group tacacs+ if-authenticated really thanks for support. Ivan.</p> Hi Dan,

how can i write only several commands which I want to deny. for example I want to deny those commands: no ip route interface gig 0/0 no aaa authentication login default group tacacs+ local no aaa authorization exec default group tacacs+ if-authenticated really thanks for support. Ivan.

]]> By: helpdeskdan http://tacacs.org/2009/09/26/easy-tacacs-control-with-do_auth/comment-page-1/#comment-1990 helpdeskdan Wed, 04 May 2011 23:27:03 +0000 http://blogs.sackheads.org/tacacsplus/?p=60#comment-1990 <p>Thanks, I'm glad there is one person out there whom this has helped!</p> Thanks, I’m glad there is one person out there whom this has helped!

]]> By: Celeri http://tacacs.org/2009/09/26/easy-tacacs-control-with-do_auth/comment-page-1/#comment-1985 Celeri Wed, 04 May 2011 13:51:53 +0000 http://blogs.sackheads.org/tacacsplus/?p=60#comment-1985 <p>Hi Dan, Your little program does exactly what I have been trying to do in bash shell for several weeks and seems to work perfectly. It just makes tac_plus as powerful as I wanted it to be. Thanks very much for your work and the quality of your documentation !</p> Hi Dan, Your little program does exactly what I have been trying to do in bash shell for several weeks and seems to work perfectly. It just makes tac_plus as powerful as I wanted it to be. Thanks very much for your work and the quality of your documentation !

]]> By: helpdeskdan http://tacacs.org/2009/09/26/easy-tacacs-control-with-do_auth/comment-page-1/#comment-1515 helpdeskdan Tue, 01 Mar 2011 01:21:27 +0000 http://blogs.sackheads.org/tacacsplus/?p=60#comment-1515 <p>:-\ You're right, thanks</p> :-\ You’re right, thanks

]]> By: aojea http://tacacs.org/2009/09/26/easy-tacacs-control-with-do_auth/comment-page-1/#comment-1509 aojea Mon, 28 Feb 2011 07:14:28 +0000 http://blogs.sackheads.org/tacacsplus/?p=60#comment-1509 <p>I'm sorry for the mistake. The problem is that in your example inside the code you use "device<em>allow", but in the code you check against "device</em>permit".</p> I’m sorry for the mistake. The problem is that in your example inside the code you use “deviceallow”, but in the code you check against “devicepermit”.

]]> By: helpdeskdan http://tacacs.org/2009/09/26/easy-tacacs-control-with-do_auth/comment-page-1/#comment-1507 helpdeskdan Mon, 28 Feb 2011 00:13:20 +0000 http://blogs.sackheads.org/tacacsplus/?p=60#comment-1507 <p>I did what now? I vaguely remember making a mistake like that, but I thought I fixed it a long time ago.</p> <p>dan@dan-desktop:~$ egrep host<em>allow do</em>auth1-4.py host<em>allow Allow users from this range. Mandatory if host</em>allow = host<em>allow = if not match</em>it(this<em>group, "host</em>allow", ip<em>addr, config, log</em>file, filename): % (user<em>name, ip</em>addr, this<em>group, "host</em>allow")) dan@dan-desktop:~$ egrep host<em>permit do</em>auth1-4.py </p> <p>If people are actually using this, please drop me a line. (As far as I know, nobody is currently using it)</p> I did what now? I vaguely remember making a mistake like that, but I thought I fixed it a long time ago.

dan@dan-desktop:~$ egrep hostallow doauth1-4.py hostallow Allow users from this range. Mandatory if hostallow = hostallow = if not matchit(thisgroup, “hostallow”, ipaddr, config, logfile, filename): % (username, ipaddr, thisgroup, “hostallow”)) dan@dan-desktop:~$ egrep hostpermit doauth1-4.py

If people are actually using this, please drop me a line. (As far as I know, nobody is currently using it)

]]> By: aojea http://tacacs.org/2009/09/26/easy-tacacs-control-with-do_auth/comment-page-1/#comment-1476 aojea Mon, 21 Feb 2011 21:35:19 +0000 http://blogs.sackheads.org/tacacsplus/?p=60#comment-1476 <p>Hello, you have a bug in 1.4 version. Configuration file says "host<em>allow" but in your code you check agains "host</em>permit".</p> Hello, you have a bug in 1.4 version. Configuration file says “hostallow” but in your code you check agains “hostpermit”.

]]> By: helpdeskdan http://tacacs.org/2009/09/26/easy-tacacs-control-with-do_auth/comment-page-1/#comment-738 helpdeskdan Tue, 14 Sep 2010 19:10:14 +0000 http://blogs.sackheads.org/tacacsplus/?p=60#comment-738 <p>Post the log. The log will tell us where it was permitted.</p> Post the log. The log will tell us where it was permitted.

]]> By: Rogerio http://tacacs.org/2009/09/26/easy-tacacs-control-with-do_auth/comment-page-1/#comment-701 Rogerio Sat, 28 Aug 2010 14:43:41 +0000 http://blogs.sackheads.org/tacacsplus/?p=60#comment-701 <p>Excellent guide, Dan! Does exist any bug about limiting configuration commands? In my do<em>auth.ini I'd restricted the following comands to the specified user: <strong> [users] integra = restrito rogerios = admin [restrito] host</em>allow = .* device<em>permit = 192.168.0.2402 command</em>permit = show .* quit command_deny = show ver.* conf.* int.* shutdown </strong> But it didn't work! All other features are working (including deny "show version"), but "config ter", "interface gi 0/1" and "shutdown" were permited.</p> <p>Can you help me?</p> <p>Thanks in advance</p> Excellent guide, Dan! Does exist any bug about limiting configuration commands? In my doauth.ini I’d restricted the following comands to the specified user: [users] integra = restrito rogerios = admin [restrito] hostallow = .* devicepermit = 192.168.0.2402 commandpermit = show .* quit command_deny = show ver.* conf.* int.* shutdown But it didn’t work! All other features are working (including deny “show version”), but “config ter”, “interface gi 0/1″ and “shutdown” were permited.

Can you help me?

Thanks in advance

]]>