[f-nsp] AAA, TACACS, some users enabled on login, others not

Tom Storey tom at snnap.net
Wed Nov 16 07:09:02 EST 2016


Hi Daniel,

I hadn't tried the brocade-privlvl AV pair before, so I gave that a try, but
still that didn't seem to enable me upon login.

Either the TACACS server isn't sending the AV pair (although I believe it
is, because if it is not made optional, then I can't login to Cisco devices
for example), or the Brocades are just ignoring them, or I'm just doing
something really wrong...


On 15 November 2016 at 17:06, Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:

> Brocade has the Brocade-specific brocade-privlvl, with three different
> levels of access as I remember, 1, 4 and 5.  The mapping between the two is
> not always good.  For instance, on Brocade, as I remember, 1 on Cisco maps
> to 4 of Brocade, which is just stupid - it should map to 5.  (Granted, this
> was years ago, it may have changed.)  As a shameless plug, it's not hard to
> modify this with tac_plus & do_auth provided you can distinguish by
> device IP.  You can authorize by priv levels or commands.  I wrote about it
> years ago here:
>
> http://www.tacacs.org/tacacsplus/2012/02/06/disable-account-on-brocade
>
> On Sat, Nov 5, 2016 at 1:32 PM, Eldon Koyle <ekoyle+puck.nether.net at gmail.com> wrote:
>
>> I did notice that document says privlvl and not priv-lvl.  Depending on
>> what you changed, you may be able to see the enable attempt on the tacacs
>> server (it may just be expecting the same username/password with admin
>> privs on tacacs).
>>
>> On Nov 5, 2016 11:06 AM, "Tom Storey" <tom at snnap.net> wrote:
>>
>>> Hi Eldon,
>>>
>>> Thanks for pointing me to this document.
>>>
>>> If I understand it correctly, my existing configuration should have been
>>> working just fine as it is. Since I wasn't specifying the "foundry-privlvl"
>>> attribute, it should look for the last exec attribute with a number in it
>>> and treat that number as the priv level. In my case I'm using "priv-lvl"
>>> with a value of 15 for my Cisco devices, so the Brocade should have
>>> translated that to mean level 0 given a lack of "foundry-privlvl" attribute.
>>>
>>> But for whatever reason that doesn't seem to be working. So I also tried
>>> specifying it explicitly in my config, including removing the priv-lvl
>>> attribute, but still to no avail.
>>>
>>> I've managed to lock myself out of my test device now (can no longer
>>> enable, it's asking for a username, doh!), it's in the office and I'm at home.
>>> So I guess I'll resume on Monday if anyone else comes up with anything. :-)
>>>
>>> Thanks
>>> Tom
>>>
>>> On 4 November 2016 at 20:53, Eldon Koyle <ekoyle+puck.nether.net at gmail.com> wrote:
>>>
>>>> We use foundry-privlvl = 0 for admin access.
>>>>
>>>> See also: http://www.brocade.com/content/html/en/configuration-guide/FI_08030_SECURITY/GUID-A2449097-2DA4-4CD1-B2DA-C531D7A90587.html
>>>>
>>>> --
>>>> Eldon
>>>>
>>>> On Fri, Nov 4, 2016 at 5:26 AM, Tom Storey <tom at snnap.net> wrote:
>>>> > Hi everyone,
>>>> >
>>>> > Implementing a TACACS server for a network that I am working on, and I am
>>>> > trying to determine how to have certain users (e.g. network admins) enabled
>>>> > by default once they have logged in, but certain other users (e.g. support
>>>> > group) logged in as read only, and requiring them to enable manually.
>>>> >
>>>> > I've seen some suggestions of using an optional av pair "brcd-role = admin"
>>>> > in the TACACS config, but it seems this is for VDX devices, and I am working
>>>> > with ICX.
>>>> >
>>>> > The usual "priv-lvl = 15" that works with Cisco doesn't seem to apply, and I'm
>>>> > finding scant other information about how to do this other than specifying
>>>> > "aaa authentication login privilege-mode", but that would have all users
>>>> > enabled once they have logged in.
>>>> >
>>>> > My configs look like:
>>>> >
>>>> > aaa authentication enable default enable
>>>> > aaa authentication login default tacacs+
>>>> > aaa authorization commands 0 default tacacs+
>>>> > aaa authorization exec default tacacs+
>>>> > aaa accounting commands 0 default start-stop tacacs+
>>>> > aaa accounting exec default start-stop tacacs+
>>>> > aaa accounting system default start-stop tacacs+
>>>> >
>>>> > and on the TACACS server I've tried:
>>>> >
>>>> > group = read_write {
>>>> >     default service = permit
>>>> >     acl = network_nets
>>>> >
>>>> >     service = exec {
>>>> >         priv-lvl = 15
>>>> >         optional brcd-role = admin
>>>> >     }
>>>> > }
>>>> >
>>>> > Or maybe the reason I can't find any information is because this just isn't
>>>> > possible on a Brocade?
>>>> >
>>>> > Any help appreciated!
>>>> >
>>>> > Thanks
>>>> > Tom
>>>> >
>>>> > _______________________________________________
>>>> > foundry-nsp mailing list
>>>> > foundry-nsp at puck.nether.net
>>>> > http://puck.nether.net/mailman/listinfo/foundry-nsp
>>>>
>>>
>>>
>
>
>
> E-Mail to and from me, in connection with the transaction
> of public business, is subject to the Wyoming Public Records
> Act and may be disclosed to third parties.
>
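Added example, not code from the thread or from any of the posters: a small Python model of the two points discussed above. First, the rule Tom cites from the Brocade guide for deriving the device privilege level from the exec authorization reply (a "foundry-privlvl" attribute wins; otherwise the last exec attribute whose value is a plain number is used; the model uses that number as-is and does not attempt any device-side translation of Cisco's 15). Second, Tom's observation that a vendor-specific attribute sent as mandatory locks users out of devices that do not understand it, so such attributes belong behind tac_plus's "optional" keyword. The group blocks are constructed in the tac_plus syntax shown in the thread; the values foundry-privlvl 0 (super-user, as Eldon uses it) and 5 (read-only) and the list of Cisco IOS exec attributes are assumptions, so check them against the Brocade configuration guide linked above before relying on them.

```python
"""Model of Brocade privilege-level selection and of the 'optional' check
for vendor attributes in tac_plus exec authorization.  Constructed example."""
import re

# Assumed Brocade/Foundry levels: 0 = super-user (Eldon's setting), 5 = read-only.
FOUNDRY_SUPER_USER = 0
FOUNDRY_READ_ONLY = 5

# Exec attributes a Cisco IOS device understands (assumed, not exhaustive).
# Any other attribute it receives as *mandatory* makes authorization fail.
CISCO_EXEC_ATTRS = {"priv-lvl", "autocmd", "idletime", "timeout",
                    "acl", "noescape", "nohangup"}

# tac_plus config style "optional attr = value" / "attr = value";
# "attr*value" is the on-the-wire spelling of an optional pair.
AVPAIR = re.compile(r"^(optional\s+)?([\w-]+)\s*(=|\*)\s*(\S+)$")


def parse_exec_service(group_text):
    """Return the AV pairs of a group's 'service = exec' block as
    (name, value, optional) tuples in the order they appear."""
    pairs, in_exec = [], False
    for raw in group_text.splitlines():
        line = raw.strip()
        if line.startswith("service = exec"):
            in_exec = True
            continue
        if not in_exec:
            continue
        if line.startswith("}"):
            break
        m = AVPAIR.match(line)
        if m:
            opt, name, sep, value = m.groups()
            pairs.append((name, value, bool(opt) or sep == "*"))
    return pairs


def effective_brocade_level(pairs):
    """Rule cited in the thread: foundry-privlvl if present, else the last
    numeric exec attribute; None when nothing numeric was sent."""
    for name, value, _ in pairs:
        if name == "foundry-privlvl":
            return int(value)
    numeric = [int(value) for _, value, _ in pairs if value.isdigit()]
    return numeric[-1] if numeric else None


def mandatory_vendor_attrs(pairs):
    """Non-optional attributes a Cisco IOS device would not understand,
    i.e. the ones that would lock admins out of the Cisco boxes."""
    return sorted(name for name, _, optional in pairs
                  if not optional and name not in CISCO_EXEC_ATTRS)


# Constructed sample groups.  TOM_READ_WRITE is the block from the thread;
# the other two show one way to separate admins from support staff.
TOM_READ_WRITE = """
group = read_write {
    default service = permit
    acl = network_nets

    service = exec {
        priv-lvl = 15
        optional brcd-role = admin
    }
}
"""

ADMIN_GROUP = """
group = network_admins {
    default service = permit
    service = exec {
        priv-lvl = 15
        optional foundry-privlvl = 0
    }
}
"""

SUPPORT_GROUP = """
group = support_readonly {
    default service = permit
    service = exec {
        priv-lvl = 1
        optional foundry-privlvl = 5
    }
}
"""

# The admin group with the vendor attribute left mandatory by mistake.
BROKEN_FOR_CISCO = ADMIN_GROUP.replace("optional foundry-privlvl", "foundry-privlvl")


def report(label, group_text):
    """Summarise what each device family would make of the group's exec reply."""
    pairs = parse_exec_service(group_text)
    return {"group": label,
            "brocade_level": effective_brocade_level(pairs),
            "breaks_cisco": mandatory_vendor_attrs(pairs)}


if __name__ == "__main__":
    for label, text in [("tom_read_write", TOM_READ_WRITE), ("network_admins", ADMIN_GROUP),
                        ("support_readonly", SUPPORT_GROUP), ("broken_for_cisco", BROKEN_FOR_CISCO)]:
        print(report(label, text))
```

Running the block prints one line per group: the thread's read_write block yields no foundry-privlvl and falls back to 15, the two constructed groups resolve to 0 and 5 respectively, and the broken variant is the only one flagged as breaking Cisco authorization because its foundry-privlvl is mandatory.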

