[f-nsp] AAA, TACACS, some users enabled on login, others not

Daniel Schmidt daniel.schmidt at wyo.gov
Thu Nov 17 13:32:24 EST 2016


Yeah.... I don' t think that is going to work.  I'm pretty sure you can
only have one priv-lvl.  I can't remember if Brocade is smart enough to
figure it out, I'm pretty sure Cisco is not.  That's why Jathan and I wrote
do_auth, so you can swap that tac_pair based on what IP it comes from.  If
you don't have any cisco, just pull the priv-lvl out.  If not, consider
do_auth.

On Thu, Nov 17, 2016 at 6:39 AM, Tom Storey <tom at snnap.net> wrote:

> Yeah, foundry-privlvl and brocade-privlvl did nothing. Also per my
> original email I seemed to try brcd-role.
>
> aaa authentication enable implicit-user
> aaa authentication login default tacacs+ local
> aaa authorization commands 0 default tacacs+ none
> aaa authorization exec default tacacs+
> aaa accounting commands 0 default start-stop tacacs+
> aaa accounting exec default start-stop tacacs+
> aaa accounting system default start-stop tacacs+
> !
>
> group = read_write {
>     default service = permit
>     acl = venus_nets
>
>     service = exec {
>         idletime = 30
>         priv-lvl = 15
>         <insert other priv level>
>     }
> }
>
> I had to add the foundry-privlvl/brocade-privlvl AVs as optional,
> otherwise they were mandatory and would break login on things like Cisco.
>
> Also, as per the link below, it would seem that I shouldnt even need to
> specify a Foundry/Brocade specific AV, because it should take the last
> numeric AV as the privlvl, and translate Cisco-esque priv levels in to its
> own scheme.
>
> http://www.brocade.com/content/html/en/configuration-
> guide/FI_08030_SECURITY/GUID-A2449097-2DA4-4CD1-B2DA-C531D7A90587.html
>
> Tom
>
>
> On 16 November 2016 at 15:01, Eldon Koyle <ekoyle+puck.nether.net at gmail.
> com> wrote:
>
>> Did you try the foundry-privlvl one?  Also, if you are using tac_plus,
>> you should be able to enable debug and look at the actual avp's
>> sent/received by the server.
>>
>> --
>> Eldon
>>
>> On Nov 16, 2016 5:09 AM, "Tom Storey" <tom at snnap.net> wrote:
>>
>>> Hi Daniel,
>>>
>>> I hadnt tried the brocade-privlvl AV pair before, so I gave that a try,
>>> but still that didnt seem to enable me upon login.
>>>
>>> Either the TACACS server isnt sending the AV pair (although I believe it
>>> is, because if it is not made optional, then I cant login to Cisco devices
>>> for example), or the Brocades are just ignoring them or Im just doing
>>> something really wrong...
>>>
>>>
>>> On 15 November 2016 at 17:06, Daniel Schmidt <daniel.schmidt at wyo.gov>
>>> wrote:
>>>
>>>> Brocade has the brocade specific brocade-privlvl, with three different
>>>> levels of access as I remember, 1, 4 and 5.  The mapping between the two is
>>>> not always good.  For instance, on Brocade, as I remember, 1 on Cisco maps
>>>> to 4 of Brocade, which is just stupid - it should map to 5.  (Granted, this
>>>> was years ago, it may have changed)  As a shameless plug, it's not hard to
>>>> do modify this with tac_plus & do_auth provided you can distinguish by
>>>> device IP.  You can authorize by priv levels or commands.  I wrote about it
>>>> years ago here:
>>>>
>>>> http://www.tacacs.org/tacacsplus/2012/02/06/disable-account-on-brocade
>>>>
>>>> On Sat, Nov 5, 2016 at 1:32 PM, Eldon Koyle <
>>>> ekoyle+puck.nether.net at gmail.com> wrote:
>>>>
>>>>> I did notice that document says privlvl and not priv-lvl.  Depending
>>>>> on what you changed, you may be able to see the enable attempt on the
>>>>> tacacs server (it may just be expecting the same username/password with
>>>>> admin privs on tacacs).
>>>>>
>>>>> On Nov 5, 2016 11:06 AM, "Tom Storey" <tom at snnap.net> wrote:
>>>>>
>>>>>> Hi Eldon,
>>>>>>
>>>>>> Thanks for pointing me to this document.
>>>>>>
>>>>>> If I understand it correctly, my existing configuration should have
>>>>>> been working just fine as it is. Since I wasnt specifying the
>>>>>> "foundry-privlvl" attribute, it should look for the last exec attribute
>>>>>> with a number in it and treat that number as the priv level. In my case Im
>>>>>> using "priv-lvl" with a value of 15 for my Cisco devices, so the Brocade
>>>>>> should have translated that to mean level 0 given a lack of
>>>>>> "foundry-privlvl" attribute.
>>>>>>
>>>>>> But for what ever reason that doesnt seem to be working. So I also
>>>>>> tried specifying it explicitly in my config, including removing the
>>>>>> priv-lvl attribute, but still to no avail.
>>>>>>
>>>>>> Ive managed to lock myself out of my test device now (can no longer
>>>>>> enable, its asking for a username, doh!), its in the office and Im at home.
>>>>>> So I guess I'll resume on Monday if anyone else comes up with anything. :-)
>>>>>>
>>>>>> Thanks
>>>>>> Tom
>>>>>>
>>>>>> On 4 November 2016 at 20:53, Eldon Koyle <
>>>>>> ekoyle+puck.nether.net at gmail.com> wrote:
>>>>>>
>>>>>>> We use foundry-privlvl = 0 for admin access.
>>>>>>>
>>>>>>> See also: http://www.brocade.com/content
>>>>>>> /html/en/configuration-guide/FI_08030_SECURITY/GUID-A2449097
>>>>>>> -2DA4-4CD1-B2DA-C531D7A90587.html
>>>>>>>
>>>>>>> --
>>>>>>> Eldon
>>>>>>>
>>>>>>> On Fri, Nov 4, 2016 at 5:26 AM, Tom Storey <tom at snnap.net> wrote:
>>>>>>> > Hi everyone,
>>>>>>> >
>>>>>>> > Implementing a TACACS server for a network that I am working on,
>>>>>>> and I am
>>>>>>> > trying to determine how to have certain users (e.g. network
>>>>>>> admins) enabled
>>>>>>> > by default once they have logged in, but certain other users (e.g.
>>>>>>> support
>>>>>>> > group) logged in as read only, and requiring them to enable
>>>>>>> manually.
>>>>>>> >
>>>>>>> > Ive seen some suggestions of using an optional av pair "brcd-role
>>>>>>> = admin"
>>>>>>> > in the TACACS config, but seems this is for VDX devices, and I am
>>>>>>> working
>>>>>>> > with ICX.
>>>>>>> >
>>>>>>> > The usual "priv-lvl = 15" that works with Cisco doesnt seem to
>>>>>>> apply, and Im
>>>>>>> > finding scant other information about how to do this other than
>>>>>>> specifying
>>>>>>> > "aaa authentication login privilege-mode", but that would have all
>>>>>>> users
>>>>>>> > enabled once they have logged in.
>>>>>>> >
>>>>>>> > My configs look like:
>>>>>>> >
>>>>>>> > aaa authentication enable default enable
>>>>>>> > aaa authentication login default tacacs+
>>>>>>> > aaa authorization commands 0 default tacacs+
>>>>>>> > aaa authorization exec default tacacs+
>>>>>>> > aaa accounting commands 0 default start-stop tacacs+
>>>>>>> > aaa accounting exec default start-stop tacacs+
>>>>>>> > aaa accounting system default start-stop tacacs+
>>>>>>> >
>>>>>>> > and on the TACACS server Ive tried:
>>>>>>> >
>>>>>>> > group = read_write {
>>>>>>> >     default service = permit
>>>>>>> >     acl = network_nets
>>>>>>> >
>>>>>>> >     service = exec {
>>>>>>> >         priv-lvl = 15
>>>>>>> >         optional brcd-role = admin
>>>>>>> >     }
>>>>>>> > }
>>>>>>> >
>>>>>>> > Or maybe the reason I cant find any information is because this
>>>>>>> just isnt
>>>>>>> > possible on a Brocade?
>>>>>>> >
>>>>>>> > Any help appreciated!
>>>>>>> >
>>>>>>> > Thanks
>>>>>>> > Tom
>>>>>>> >
>>>>>>> > _______________________________________________
>>>>>>> > foundry-nsp mailing list
>>>>>>> > foundry-nsp at puck.nether.net
>>>>>>> > http://puck.nether.net/mailman/listinfo/foundry-nsp
>>>>>>>
>>>>>>
>>>>>>
>>>>> _______________________________________________
>>>>> foundry-nsp mailing list
>>>>> foundry-nsp at puck.nether.net
>>>>> http://puck.nether.net/mailman/listinfo/foundry-nsp
>>>>>
>>>>
>>>>
>>>>
>>>> E-Mail to and from me, in connection with the transaction
>>>> of public business, is subject to the Wyoming Public Records
>>>> Act and may be disclosed to third parties.
>>>>
>>>
>>>
>
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/foundry-nsp
>

-- 

E-Mail to and from me, in connection with the transaction 
of public business, is subject to the Wyoming Public Records 
Act and may be disclosed to third parties.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/foundry-nsp/attachments/20161117/2536deeb/attachment.html>


More information about the foundry-nsp mailing list