[f-nsp] AAA command authorization
Daniel Schmidt
daniel.schmidt at wyo.gov
Thu Mar 21 12:17:17 EDT 2019
> I don't receive Command Authorization commands (confirmed with logs /
> pcap) for commands prefaced with 'no', but do for other configuration level
> commands.
Sorry I'm late to the party - Have you opened a TAC case? Extreme will try
to disagree, but *that is no small security vulnerability*. Have you (and
this shouldn't work) tried authorization on the other levels (4 and 5) to
see if they help? Your only other option is to try brocade-privlvl = 4,
which doesn't give many configuration rights:
#conf t
(config)#?
  cls                   Clear screen
  end                   End Configuration level and go to Privileged level
  exit                  Exit current level
  global-port-security  Global-level Port Security configuration
  interface             Port commands
  mac-authentication    Configure MAC authentication
  no                    Undo/disable commands
  quit                  Exit to User level
  show                  Display system information
  <cr>
Or maybe try RADIUS, as you have hinted at, which I have never had a need
to do. If it were Cisco, you could define a new privilege level - not sure
about Brocade.
On Fri, Mar 15, 2019 at 2:00 PM Patrick Ohearn via foundry-nsp <
foundry-nsp at puck.nether.net> wrote:
> Hi List,
>
> Has anyone got AAA command authorization working correctly on modern
> NetIron code, on the MLX/CERs?
>
> With a working TACACS+ server, with the below aaa configuration, I don't
> receive Command Authorization commands (confirmed with logs / pcap) for
> commands prefaced with 'no', but do for other configuration level commands.
>
> This presents a problem when I can block commands like 'router mpls', but
> other commands such as 'no router mpls' still work.
>
> Testing is done with a logged in user with priv level 0 (super user).
> Testing has been done with a few variants of 5.8, 6.0 and 6.2 code, all with
> the same results.
>
> Has anyone else run into this issue? Or has anyone got working command
> authorization with a different (e.g. RADIUS) setup?
>
> AAA config:
> tacacs-server host 192.0.2.200
> tacacs-server key tacacskeyhere
> aaa authentication enable default tacacs+
> aaa authentication login default tacacs+
> aaa authentication login privilege-mode
> aaa authorization commands 0 default tacacs+
> aaa authorization exec default tacacs+
> aaa accounting commands 0 default start-stop tacacs+
> aaa accounting exec default start-stop tacacs+
> aaa accounting system default start-stop tacacs+
>
>
> --
> Email: pat at ge3k.net
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/foundry-nsp
>
--
E-Mail to and from me, in connection with the transaction of public
business, is subject to the Wyoming Public Records Act and may be
disclosed to third parties.
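The practical check behind this thread is to confirm, from the TACACS+ server's own records, which commands the box executed without ever asking for authorization: the original post's AAA config sends both command authorization requests and command accounting records, so any accounted command with no matching authorization request in the same session is a command that ran unauthorized. The script below is an added example written for this page, not code from either poster, from Extreme/Brocade or from any TACACS+ server. It assumes a simplified, hypothetical one-record-per-line log format (the real tac_plus or NetIron formats differ, so the regular expression would need adjusting), and the sample log is constructed to mirror the reported symptom: 'router mpls' produces an authorization request while 'no router mpls' does not, yet both are accounted.

```python
import re
from collections import Counter, defaultdict

# Constructed log format for this example (hypothetical, not a NetIron or
# tac_plus format): one record per line,
#   authz user=<name> session=<id> cmd=<command>   # authorization request seen
#   acct  user=<name> session=<id> cmd=<command>   # accounting record seen
RECORD_RE = re.compile(
    r"^(?P<kind>authz|acct)\s+user=(?P<user>\S+)\s+session=(?P<sess>\S+)\s+cmd=(?P<cmd>.+)$"
)

# Constructed sample modelled on the symptom reported in the thread:
# 'router mpls' triggers an authorization request, 'no router mpls' does not,
# but both produce accounting records (i.e. both executed).
SAMPLE_LOG = """\
authz user=patrick session=7 cmd=configure terminal
acct  user=patrick session=7 cmd=configure terminal
authz user=patrick session=7 cmd=router mpls
acct  user=patrick session=7 cmd=router   mpls
acct  user=patrick session=7 cmd=no router mpls
authz user=patrick session=7 cmd=interface ethernet 1/1
acct  user=patrick session=7 cmd=interface ethernet 1/1
authz user=patrick session=8 cmd=show running-config
acct  user=patrick session=8 cmd=show running-config
acct  user=patrick session=8 cmd=no router mpls
"""


def normalize(cmd):
    """Collapse repeated whitespace so 'router   mpls' matches 'router mpls'."""
    return " ".join(cmd.split())


def parse_records(lines):
    """Split log lines into per-session authorization counts and an ordered
    list of accounted commands. Returns (authz, acct) where
    authz[(user, sess)] is a Counter of commands that were sent for
    authorization and acct is a list of ((user, sess), cmd) tuples."""
    authz = defaultdict(Counter)
    acct = []
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # blank or unrelated line
        key = (m["user"], m["sess"])
        cmd = normalize(m["cmd"])
        if m["kind"] == "authz":
            authz[key][cmd] += 1
        else:
            acct.append((key, cmd))
    return authz, acct


def unauthorized_commands(lines):
    """Return [(user, sess, cmd)] for every accounted command that had no
    matching authorization request in the same session.

    Each authorization request 'pays for' one accounted execution of the same
    command, so a command run twice but authorized once is flagged on its
    second run rather than hidden by the first request."""
    authz, acct = parse_records(lines)
    flagged = []
    for (user, sess), cmd in acct:
        if authz[(user, sess)][cmd] > 0:
            authz[(user, sess)][cmd] -= 1
        else:
            flagged.append((user, sess, cmd))
    return flagged


def no_prefixed(flagged):
    """Subset of flagged commands starting with 'no ', the pattern from the thread."""
    return [f for f in flagged if f[2].startswith("no ")]


if __name__ == "__main__":
    gaps = unauthorized_commands(SAMPLE_LOG.splitlines())
    for user, sess, cmd in gaps:
        print(f"session {sess} user {user}: executed without authorization: {cmd!r}")
    print(f"{len(no_prefixed(gaps))} of {len(gaps)} gaps are 'no ...' commands")
```

Run against the constructed sample it reports both 'no router mpls' executions (sessions 7 and 8) and nothing else; run against a real export it tells you exactly which command forms escape authorization on your code release, which is the evidence a TAC case needs. It only detects the gap; it does not close it, so until the device sends authorization requests for 'no' forms the safer control remains a privilege level that lacks those commands altogether, as suggested above.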