[f-nsp] AAA, TACACS, some users enabled on login, others not

Tom Storey tom at snnap.net
Thu Nov 17 08:39:53 EST 2016


Yeah, foundry-privlvl and brocade-privlvl did nothing. Also per my original
email I seemed to try brcd-role.

aaa authentication enable implicit-user
aaa authentication login default tacacs+ local
aaa authorization commands 0 default tacacs+ none
aaa authorization exec default tacacs+
aaa accounting commands 0 default start-stop tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting system default start-stop tacacs+
!

group = read_write {
    default service = permit
    acl = venus_nets

    service = exec {
        idletime = 30
        priv-lvl = 15
        <insert other priv level>
    }
}

I had to add the foundry-privlvl/brocade-privlvl AVs as optional, otherwise
they were mandatory and would break login on things like Cisco.

Also, as per the link below, it would seem that I shouldnt even need to
specify a Foundry/Brocade specific AV, because it should take the last
numeric AV as the privlvl, and translate Cisco-esque priv levels in to its
own scheme.

http://www.brocade.com/content/html/en/configuration-guide/FI_08030_SECURITY/GUID-A2449097-2DA4-4CD1-B2DA-C531D7A90587.html

Tom


On 16 November 2016 at 15:01, Eldon Koyle <ekoyle+puck.nether.net at gmail.com>
wrote:

> Did you try the foundry-privlvl one?  Also, if you are using tac_plus, you
> should be able to enable debug and look at the actual avp's sent/received
> by the server.
>
> --
> Eldon
>
> On Nov 16, 2016 5:09 AM, "Tom Storey" <tom at snnap.net> wrote:
>
>> Hi Daniel,
>>
>> I hadnt tried the brocade-privlvl AV pair before, so I gave that a try,
>> but still that didnt seem to enable me upon login.
>>
>> Either the TACACS server isnt sending the AV pair (although I believe it
>> is, because if it is not made optional, then I cant login to Cisco devices
>> for example), or the Brocades are just ignoring them or Im just doing
>> something really wrong...
>>
>>
>> On 15 November 2016 at 17:06, Daniel Schmidt <daniel.schmidt at wyo.gov>
>> wrote:
>>
>>> Brocade has the brocade specific brocade-privlvl, with three different
>>> levels of access as I remember, 1, 4 and 5.  The mapping between the two is
>>> not always good.  For instance, on Brocade, as I remember, 1 on Cisco maps
>>> to 4 of Brocade, which is just stupid - it should map to 5.  (Granted, this
>>> was years ago, it may have changed)  As a shameless plug, it's not hard to
>>> do modify this with tac_plus & do_auth provided you can distinguish by
>>> device IP.  You can authorize by priv levels or commands.  I wrote about it
>>> years ago here:
>>>
>>> http://www.tacacs.org/tacacsplus/2012/02/06/disable-account-on-brocade
>>>
>>> On Sat, Nov 5, 2016 at 1:32 PM, Eldon Koyle <
>>> ekoyle+puck.nether.net at gmail.com> wrote:
>>>
>>>> I did notice that document says privlvl and not priv-lvl.  Depending on
>>>> what you changed, you may be able to see the enable attempt on the tacacs
>>>> server (it may just be expecting the same username/password with admin
>>>> privs on tacacs).
>>>>
>>>> On Nov 5, 2016 11:06 AM, "Tom Storey" <tom at snnap.net> wrote:
>>>>
>>>>> Hi Eldon,
>>>>>
>>>>> Thanks for pointing me to this document.
>>>>>
>>>>> If I understand it correctly, my existing configuration should have
>>>>> been working just fine as it is. Since I wasnt specifying the
>>>>> "foundry-privlvl" attribute, it should look for the last exec attribute
>>>>> with a number in it and treat that number as the priv level. In my case Im
>>>>> using "priv-lvl" with a value of 15 for my Cisco devices, so the Brocade
>>>>> should have translated that to mean level 0 given a lack of
>>>>> "foundry-privlvl" attribute.
>>>>>
>>>>> But for what ever reason that doesnt seem to be working. So I also
>>>>> tried specifying it explicitly in my config, including removing the
>>>>> priv-lvl attribute, but still to no avail.
>>>>>
>>>>> Ive managed to lock myself out of my test device now (can no longer
>>>>> enable, its asking for a username, doh!), its in the office and Im at home.
>>>>> So I guess I'll resume on Monday if anyone else comes up with anything. :-)
>>>>>
>>>>> Thanks
>>>>> Tom
>>>>>
>>>>> On 4 November 2016 at 20:53, Eldon Koyle <
>>>>> ekoyle+puck.nether.net at gmail.com> wrote:
>>>>>
>>>>>> We use foundry-privlvl = 0 for admin access.
>>>>>>
>>>>>> See also: http://www.brocade.com/content
>>>>>> /html/en/configuration-guide/FI_08030_SECURITY/GUID-A2449097
>>>>>> -2DA4-4CD1-B2DA-C531D7A90587.html
>>>>>>
>>>>>> --
>>>>>> Eldon
>>>>>>
>>>>>> On Fri, Nov 4, 2016 at 5:26 AM, Tom Storey <tom at snnap.net> wrote:
>>>>>> > Hi everyone,
>>>>>> >
>>>>>> > Implementing a TACACS server for a network that I am working on,
>>>>>> and I am
>>>>>> > trying to determine how to have certain users (e.g. network admins)
>>>>>> enabled
>>>>>> > by default once they have logged in, but certain other users (e.g.
>>>>>> support
>>>>>> > group) logged in as read only, and requiring them to enable
>>>>>> manually.
>>>>>> >
>>>>>> > Ive seen some suggestions of using an optional av pair "brcd-role =
>>>>>> admin"
>>>>>> > in the TACACS config, but seems this is for VDX devices, and I am
>>>>>> working
>>>>>> > with ICX.
>>>>>> >
>>>>>> > The usual "priv-lvl = 15" that works with Cisco doesnt seem to
>>>>>> apply, and Im
>>>>>> > finding scant other information about how to do this other than
>>>>>> specifying
>>>>>> > "aaa authentication login privilege-mode", but that would have all
>>>>>> users
>>>>>> > enabled once they have logged in.
>>>>>> >
>>>>>> > My configs look like:
>>>>>> >
>>>>>> > aaa authentication enable default enable
>>>>>> > aaa authentication login default tacacs+
>>>>>> > aaa authorization commands 0 default tacacs+
>>>>>> > aaa authorization exec default tacacs+
>>>>>> > aaa accounting commands 0 default start-stop tacacs+
>>>>>> > aaa accounting exec default start-stop tacacs+
>>>>>> > aaa accounting system default start-stop tacacs+
>>>>>> >
>>>>>> > and on the TACACS server Ive tried:
>>>>>> >
>>>>>> > group = read_write {
>>>>>> >     default service = permit
>>>>>> >     acl = network_nets
>>>>>> >
>>>>>> >     service = exec {
>>>>>> >         priv-lvl = 15
>>>>>> >         optional brcd-role = admin
>>>>>> >     }
>>>>>> > }
>>>>>> >
>>>>>> > Or maybe the reason I cant find any information is because this
>>>>>> just isnt
>>>>>> > possible on a Brocade?
>>>>>> >
>>>>>> > Any help appreciated!
>>>>>> >
>>>>>> > Thanks
>>>>>> > Tom
>>>>>> >
>>>>>> > _______________________________________________
>>>>>> > foundry-nsp mailing list
>>>>>> > foundry-nsp at puck.nether.net
>>>>>> > http://puck.nether.net/mailman/listinfo/foundry-nsp
>>>>>>
>>>>>
>>>>>
>>>> _______________________________________________
>>>> foundry-nsp mailing list
>>>> foundry-nsp at puck.nether.net
>>>> http://puck.nether.net/mailman/listinfo/foundry-nsp
>>>>
>>>
>>>
>>>
>>> E-Mail to and from me, in connection with the transaction
>>> of public business, is subject to the Wyoming Public Records
>>> Act and may be disclosed to third parties.
>>>
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/foundry-nsp/attachments/20161117/7cbe0fc3/attachment-0001.html>


More information about the foundry-nsp mailing list