Some Procurves do not have the “aaa authentication login privilege-mode “ command. Hence, do_auth is not even called. If you have these, you will have to do all your security in tac_plus.conf. Beware, any security defined in your do_auth.ini is void on these.

Other (newer?) Procurves did call an after-authentication script, but did not work right. In English, you can’t modify any pairs as you have to tell it to kludge a response as 0. Do_auth will do this for you if you add the following to your Procurve group: exit_val =
    0

This is the wrong exit value, but will make everything work with “aaa authentication login privilege-mode “ (Again, which is flat out wrong – do not send that to Cisco/Brocade/Anybody else as it voids everything done in do_auth) You can’t modify the privilege level, but you can at least deny a person access to a switch. If you have a mixed environment, I would highly suggest having a separate group exclusively for your Procurves. One last thing, the -fix-crs-bug also fixes the Procurves and is mandatory as it doesn’t send $address.

The following group would go before other groups and assumes you define a priv-vlv (of any number) in your tac_plus config: [brocade_readonly]
hostallow =
    .*
devicepermit =
    192.168.1.*
commandpermit =
    .*
avpairs =
    priv-lvl,brocade-privlvl=5


The following example would watch for 10 authentication failures within 60 seconds and, if triggered, disable user for 120 seconds. auth-fail-lock 10 60 120 More info here: https://github.com/ellzey/tac_plus_AFL

Tacacs on Nexus is different. However, you can still continue to use tacacs the way you always have. Example configuration is as such:

tacacs-server key -key-
tacacs-server host -host-
aaa group server tacacs+ private
    server -host, yes again-
    use-vrf management
    source-interface mgmt0
aaa authentication login default group private
aaa authorization config-commands default group private
aaa authorization commands default group private
aaa accounting default group private


Many of you may be wondering why I did not add a “local” on the end of the aaa authorization commands. In short: It wouldn’t let me – Cisco says it’s a bug. Hence, till that is fixed, I recommend you use roles instead of authorization or you’ll be locked out when the tacacs server is down. To enable roles, simple take out the two authorization lines above. You can read more on roles than I have to time explain on cisco’s website, and you can even create your own. You can even create users that can only operate inside of their own vdc. However, for my examples, we’ll just focus on how to use tac_plus and do_auth.

Nexus and Cisco just don’t play well together. Or, rather the Nexus plays OK, but the Cisco gets confused when it gets a Nexus role. Without do_auth, you are forced to do things like run two separate tac_plus servers. However, with do_auth, you can run a single server. For instance, consider the following snippet:

    service = exec {
        priv-lvl = 15
        shell:roles="\"network-admin\""
        idletime = 3
        timeout = 15
    }


The roles will confuse your switches, and you’ll end up having to use enable passwords. However, add do_auth as an after-authentication script, and do_auth will strip the shell:roles from the Cisco. Hence, it works like it should.

I’ve improved the add/replacement of tac_pairs. For example:

av_pairs =
    priv-lvl=1
    shell:roles="network-operator"


Add this to a do_auth group, and you’ve created a safe little read_only group to give helpdesk operators. More information is available on key replacement – do_auth.py | less.

In short, you need do_auth to make roles work correctly with other Cisco gear. But, this is NOT to imply a shortcoming of tac_plus – this kluge in do_auth was written to fix vendor problems, NOT tac_plus problems.

Of course, these changes required changes to do_auth.

v1.91 http://pastie.org/3284098

av_pairs =
    priv-lvl=1


This assumes you have priv-lvl in your tac_plus.conf. (Like examples in other posts) Note, of course, you’ll also need to add a command_deny for enable or they’ll just type ‘en’ if they have an enable password. Better yet, just don’t give them an enable password!

In addition, we can replace one pair with something completely different, like for a brocade device. priv-lvl,brocade-privlvl=5 will replace any priv-lvl with that brocade-privlv. Think of it as a find/replace function.
Some devices do not like to have their tac_pairs messed with. They don’t accept AUTHOR_STATUS_PASS_REPL and I’ll spare the rest of the details for lack of time. These include the procurves and the Cisco WLC. Attempts to make these devices work have resulted in much “code sprawl” in do_auth and are the reason that any service other than shell return 0 unless you explicitly modify a tac_pair. For these devices, you will have to do all your config in tac_plus.conf.

One last thing, don’t use v1.6 – it had a bug. Also sorry if you’re comments don’t get approved, apparently I don’t have rights to do that.

http://pastie.org/2433995