Comments for TACACS+ stuff http://tacacs.org Casting Light on the Dark Art of TACACS+ Sat, 28 Aug 2010 14:43:41 -0400 http://wordpress.org/?v=2.8.4 hourly 1 Comment on Easier Tacacs Configurations with do_auth by Rogerio http://tacacs.org/2009/09/26/easy-tacacs-control-with-do_auth/comment-page-1/#comment-701 Rogerio Sat, 28 Aug 2010 14:43:41 +0000 http://blogs.sackheads.org/tacacsplus/?p=60#comment-701 Excellent guide, Dan! Does exist any bug about limiting configuration commands? In my do_auth.ini I'd restricted the following comands to the specified user: <strong> [users] integra = restrito rogerios = admin [restrito] host_allow = .* device_permit = 192.168.0.2402 command_permit = show .* quit command_deny = show ver.* conf.* int.* shutdown </strong> But it didn't work! All other features are working (including deny "show version"), but "config ter", "interface gi 0/1" and "shutdown" were permited. Can you help me? Thanks in advance Excellent guide, Dan! Does exist any bug about limiting configuration commands? In my do_auth.ini I’d restricted the following comands to the specified user:

[users]
integra =
restrito
rogerios =
admin
[restrito]
host_allow =
.*
device_permit =
192.168.0.2402
command_permit =
show .*
quit
command_deny =
show ver.*
conf.*
int.*
shutdown

But it didn’t work!
All other features are working (including deny “show version”), but “config ter”, “interface gi 0/1″ and “shutdown” were permited.

Can you help me?

Thanks in advance

]]> Comment on Easier Tacacs Configurations with do_auth by Alex http://tacacs.org/2009/09/26/easy-tacacs-control-with-do_auth/comment-page-1/#comment-578 Alex Fri, 26 Mar 2010 05:19:09 +0000 http://blogs.sackheads.org/tacacsplus/?p=60#comment-578 Thanks helpdeskdan, it works fine now. I do appreciate the effort toward helping me resolve this. Thanks helpdeskdan, it works fine now. I do appreciate the effort toward helping me resolve this.

]]> Comment on Easier Tacacs Configurations with do_auth by helpdeskdan http://tacacs.org/2009/09/26/easy-tacacs-control-with-do_auth/comment-page-1/#comment-577 helpdeskdan Fri, 26 Mar 2010 00:29:07 +0000 http://blogs.sackheads.org/tacacsplus/?p=60#comment-577 Not exactly what cat would do - it only prints the help. So, let's debug with -D. (don't run from command line without -D) python do_auth.py -i 10.1.1.1 -u alex -d 192.168.1.1 -l log.txt -f do_auth.ini -D We get errors: Traceback (most recent call last): File "do_auth.py", line 375, in main() File "do_auth.py", line 281, in main if not (filename in config.read(filename)): File "/usr/lib/python2.6/ConfigParser.py", line 286, in read self._read(fp, filename) File "/usr/lib/python2.6/ConfigParser.py", line 510, in _read raise e ConfigParser.ParsingError: File contains parsing errors: do_auth.ini [line 3]: 'admin\n' .... I see the problem. No tabs! I can't seem to print tabs on the wiki, but you need tabs everywhere I have a \t [users] alex = \tadmin [admin] host_allow = \t.* device_permit = \t.* command_permit = \t.* After than, it's a lot happier: dan@dan-desktop:~$ python do_auth.py -i 10.1.1.1 -u alex -d 192.168.1.1 -l log.txt -f do_auth.ini -D dan@dan-desktop:~$ cat log.txt 2010-03-25 18:16:06: User 'alex' allowed command 'show users wide' to device '192.168.1.1' in 'admin'->'command_permit' The debug command is hard coded to "show users wide." I was going to change that to allow a variable, but I was finished with the program and nobody else had any interest in it. Not exactly what cat would do – it only prints the help.

So, let’s debug with -D. (don’t run from command line without -D)

python do_auth.py -i 10.1.1.1 -u alex -d 192.168.1.1 -l log.txt -f do_auth.ini -D

We get errors:

Traceback (most recent call last):
File “do_auth.py”, line 375, in
main()
File “do_auth.py”, line 281, in main
if not (filename in config.read(filename)):
File “/usr/lib/python2.6/ConfigParser.py”, line 286, in read
self._read(fp, filename)
File “/usr/lib/python2.6/ConfigParser.py”, line 510, in _read
raise e
ConfigParser.ParsingError: File contains parsing errors: do_auth.ini
[line 3]: ‘admin\n’
….

I see the problem. No tabs! I can’t seem to print tabs on the wiki, but you need tabs everywhere I have a \t

[users]
alex =
\tadmin

[admin]
host_allow =
\t.*
device_permit =
\t.*
command_permit =
\t.*

After than, it’s a lot happier:
dan@dan-desktop:~$ python do_auth.py -i 10.1.1.1 -u alex -d 192.168.1.1 -l log.txt -f do_auth.ini -D
dan@dan-desktop:~$ cat log.txt
2010-03-25 18:16:06: User ‘alex’ allowed command ’show users wide’ to device ‘192.168.1.1′ in ‘admin’->’command_permit’

The debug command is hard coded to “show users wide.” I was going to change that to allow a variable, but I was finished with the program and nobody else had any interest in it.

]]> Comment on Easier Tacacs Configurations with do_auth by Alex http://tacacs.org/2009/09/26/easy-tacacs-control-with-do_auth/comment-page-1/#comment-576 Alex Wed, 24 Mar 2010 05:37:28 +0000 http://blogs.sackheads.org/tacacsplus/?p=60#comment-576 Sorry about the [users] section. I actually do have it on the .ini file. I must have missed in during copy. I do get output from do_auth.pyc. It prints the content of the do_auth.py. What cat do_auth.py would do. Should that be the case? Sorry about the [users] section. I actually do have it on the .ini file. I must have missed in during copy. I do get output from do_auth.pyc. It prints the content of the do_auth.py. What cat do_auth.py would do. Should that be the case?

]]> Comment on Easier Tacacs Configurations with do_auth by helpdeskdan http://tacacs.org/2009/09/26/easy-tacacs-control-with-do_auth/comment-page-1/#comment-575 helpdeskdan Tue, 23 Mar 2010 23:51:11 +0000 http://blogs.sackheads.org/tacacsplus/?p=60#comment-575 Well, you are missing [users] at the top. However, you should still get a log in /var/log/log.txt. Do you get output from "python do_auth.py"? (or .pyc) Well, you are missing [users] at the top. However, you should still get a log in /var/log/log.txt. Do you get output from “python do_auth.py”? (or .pyc)

]]> Comment on Easier Tacacs Configurations with do_auth by Alex http://tacacs.org/2009/09/26/easy-tacacs-control-with-do_auth/comment-page-1/#comment-574 Alex Tue, 23 Mar 2010 06:42:58 +0000 http://blogs.sackheads.org/tacacsplus/?p=60#comment-574 #This is my do_auth.ini alex = admin [admin] host_allow = .* device_permit = .* command_permit = .* # This is my tacacs cfg key = xxxxx accounting file = /var/log/tac_acc.log default authentication = file /etc/passwd user = DEFAULT { member = do_auth_access } group = do_auth_access { default service = permit service = exec { priv-lvl = 15 } enable = file /etc/passwd after authorization "/usr/bin/python /etc/tacacs/do_auth.pyc -i $address -u $user -d $name -l /var/log/log.txt -f /etc/tacacs/do_auth.ini" } #log.txt is empty #This is my do_auth.ini
alex =
admin
[admin]
host_allow =
.*
device_permit =
.*
command_permit =
.*

# This is my tacacs cfg
key = xxxxx
accounting file = /var/log/tac_acc.log
default authentication = file /etc/passwd
user = DEFAULT {
member = do_auth_access
}
group = do_auth_access {
default service = permit
service = exec {
priv-lvl = 15
}
enable = file /etc/passwd
after authorization “/usr/bin/python /etc/tacacs/do_auth.pyc -i $address -u $user -d $name -l /var/log/log.txt -f /etc/tacacs/do_auth.ini”
}

#log.txt is empty

]]> Comment on Easier Tacacs Configurations with do_auth by helpdeskdan http://tacacs.org/2009/09/26/easy-tacacs-control-with-do_auth/comment-page-1/#comment-570 helpdeskdan Fri, 19 Mar 2010 21:49:41 +0000 http://blogs.sackheads.org/tacacsplus/?p=60#comment-570 Post the log.txt & do_auth,ini Post the log.txt & do_auth,ini

]]> Comment on Easier Tacacs Configurations with do_auth by Alex http://tacacs.org/2009/09/26/easy-tacacs-control-with-do_auth/comment-page-1/#comment-569 Alex Fri, 19 Mar 2010 10:03:12 +0000 http://blogs.sackheads.org/tacacsplus/?p=60#comment-569 I have done each step as you have directed. However, I cannot log in to my router. However, using tac_plus.conf configuration works well. Anything I need to look out for. I get the following telnet 172.17.0.68 Trying 172.17.0.68... Connected to 172.17.0.68. Escape character is '^]'. User Access Verification Username: xxxx Password: % Authorization failed. Connection closed by foreign host. I have done each step as you have directed. However, I cannot log in to my router. However, using tac_plus.conf configuration works well. Anything I need to look out for.

I get the following

telnet 172.17.0.68
Trying 172.17.0.68…
Connected to 172.17.0.68.
Escape character is ‘^]’.

User Access Verification

Username: xxxx
Password:
% Authorization failed.
Connection closed by foreign host.

]]> Comment on Easier Tacacs Configurations with do_auth by helpdeskdan http://tacacs.org/2009/09/26/easy-tacacs-control-with-do_auth/comment-page-1/#comment-533 helpdeskdan Fri, 26 Feb 2010 00:49:45 +0000 http://blogs.sackheads.org/tacacsplus/?p=60#comment-533 DanH - try 'DEFAULT' instead of 'default' in your tac_plus.conf Skip - This code works by commands, not privilege levels. Not that it couldn't be done, I just did not have a need at the time to modify the tac pairs. You could take priv-lvl = 15 out of the config and deny "enable" to the users you don't want to enable. Or, put them in a different group in tac_plus.conf, but that means you now have to modify two configuration files instead of one. The examples above were done in much haste, there might be errors; if other people are actually interested in this, I'll try to fix it up a bit. My current employer doesn't use tac_plus, so I don't have a testing environment any more. DanH – try ‘DEFAULT’ instead of ‘default’ in your tac_plus.conf

Skip – This code works by commands, not privilege levels. Not that it couldn’t be done, I just did not have a need at the time to modify the tac pairs. You could take priv-lvl = 15 out of the config and deny “enable” to the users you don’t want to enable. Or, put them in a different group in tac_plus.conf, but that means you now have to modify two configuration files instead of one.

The examples above were done in much haste, there might be errors; if other people are actually interested in this, I’ll try to fix it up a bit. My current employer doesn’t use tac_plus, so I don’t have a testing environment any more.

]]> Comment on Easier Tacacs Configurations with do_auth by Skip http://tacacs.org/2009/09/26/easy-tacacs-control-with-do_auth/comment-page-1/#comment-531 Skip Thu, 25 Feb 2010 21:39:25 +0000 http://blogs.sackheads.org/tacacsplus/?p=60#comment-531 Dan, I would like to implement this but have a question first. The way I would like to use it is, default user has no access and then set the privileged user according to their access level. Is there away to do that? Dan,
I would like to implement this but have a question first.
The way I would like to use it is, default user has no access and then set the privileged user according to their access level. Is there away to do that?

]]>