[f-nsp] AAA command authorization

Daniel Schmidt daniel.schmidt at wyo.gov
Thu Mar 21 12:17:17 EDT 2019


> I don't receive Command Authorization commands (confirmed with logs /
> pcap) for commands prefaced with 'no', but do for other configuration level
> commands.

Sorry I'm late to the party - Have you opened a TAC case?  Extreme will try
to disagree, but *that is no small security vulnerability*.  Have you (and
this shouldn't work) tried authorization on the other levels (4 and 5) to
see if they help?  Your only other option is to try brocade-privlvl = 4
which doesn't give many configuration rights:
#conf t
(config)#?
  cls                            Clear screen
  end                            End Configuration level and go to Privileged level
  exit                           Exit current level
  global-port-security           Global-level Port Security configuration
  interface                      Port commands
  mac-authentication             Configure MAC authentication
  no                             Undo/disable commands
  quit                           Exit to User level
  show                           Display system information
  <cr>

Or maybe try RADIUS as you have hinted at and which I have never had a need
to do.  If it were Cisco, you could define a new privilege level - not sure
about Brocade.

On Fri, Mar 15, 2019 at 2:00 PM Patrick Ohearn via foundry-nsp <foundry-nsp at puck.nether.net> wrote:

> Hi List,
>
> Has anyone got AAA command authorization working correctly on modern
> NetIron code, on the MLX/CERs?
>
> With a working TACACS+ server, with the below aaa configuration, I don't
> receive Command Authorization commands (confirmed with logs / pcap) for
> commands prefaced with 'no', but do for other configuration level commands.
>
> This presents a problem when I can block commands like 'router mpls', but
> other commands such as 'no router mpls' still work.
>
> Testing is done with a logged in user with priv level 0 (super user).
> Testing has been done with a few variants of 5.8, 6.0 and 6.2 code all with
> the same results.
>
> Has anyone else run into this issue? Or has working command authorization
> with a different (e.g. RADIUS) setup?
>
> AAA config:
> tacacs-server host 192.0.2.200
> tacacs-server key tacacskeyhere
> aaa authentication enable default tacacs+
> aaa authentication login default tacacs+
> aaa authentication login privilege-mode
> aaa authorization commands 0 default tacacs+
> aaa authorization exec default tacacs+
> aaa accounting commands 0 default start-stop tacacs+
> aaa accounting exec default start-stop tacacs+
> aaa accounting system default start-stop tacacs+
>
>
> --
> Email: pat at ge3k.net
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/foundry-nsp
>

-- 

E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.
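One way for a defender to measure the gap Patrick describes, added here as an example and not code from either message: the aaa config above sends start-stop command accounting, so the TACACS+ server's accounting records can be cross-checked against its authorization records to list commands that executed without ever producing an authorization request, and to flag 'no ...' forms whose positive form was explicitly denied. The tab-separated log layout below is a constructed simplification, not a real server's format.

```python
"""Cross-check TACACS+ accounting against authorization records.

Constructed sample data: the tab-separated layout (date, NAS, user, ...,
cmd=..., status=...) is an assumption for this example, not the output
format of any particular TACACS+ server."""

# Constructed authorization log: one line per command authorization request.
# "router mpls" was denied, so no accounting record exists for it below.
AUTHZ_LOG = """\
2019-03-21 12:10:01\t192.0.2.10\tpat\tcmd=router mpls\tstatus=deny
2019-03-21 12:10:05\t192.0.2.10\tpat\tcmd=show running-config\tstatus=permit
"""

# Constructed accounting log: stop records for commands that actually ran.
# "no router mpls" ran but never appears in the authorization log.
ACCT_LOG = """\
2019-03-21 12:10:05\t192.0.2.10\tpat\tstop\tcmd=show running-config <cr>
2019-03-21 12:10:09\t192.0.2.10\tpat\tstop\tcmd=no router mpls <cr>
"""


def _records(log):
    """Return (nas, user, cmd, status) tuples; status is None for accounting."""
    out = []
    for line in log.splitlines():
        fields = line.split("\t")
        cmd = next((f[4:] for f in fields if f.startswith("cmd=")), None)
        if cmd is None:
            continue                      # not a command record, skip it
        cmd = cmd.replace(" <cr>", "").strip()
        status = next((f[7:] for f in fields if f.startswith("status=")), None)
        out.append((fields[1], fields[2], cmd, status))
    return out


def unauthorized_commands(authz_log, acct_log):
    """List executed commands with no matching authorization request.

    Each finding also notes whether the command is a 'no ...' form whose
    positive form was denied, i.e. the bypass described in the thread."""
    authz = {(nas, user, cmd): status for nas, user, cmd, status in _records(authz_log)}
    findings = []
    for nas, user, cmd, _ in _records(acct_log):
        if (nas, user, cmd) in authz:
            continue                      # an authorization decision was made
        positive = cmd[3:] if cmd.startswith("no ") else None
        denied_positive = positive is not None and authz.get((nas, user, positive)) == "deny"
        findings.append({"nas": nas, "user": user, "cmd": cmd,
                         "positive_denied": denied_positive})
    return findings
```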