From: Fabrice Bobes (study@6colabs.com)
Date: Wed Mar 12 2003 - 19:01:02 GMT-3
Peng,
I was assuming you were using Cisco Secure.
You can do it also with NTTacPlus Server using the following parameters:
Service:
Exec=permit
Attribute list:
Autocmd=access-enable (not autocommand=access-enable)
I have just tried it using DialWays 3.0 and it works fine.
Thanks,
Fabrice
-----Original Message-----
From: Peng Zheng [mailto:zpnist@yahoo.com]
Sent: Wednesday, March 12, 2003 9:35 AM
To: Fabrice Bobes; 'Brian Dennis'; ccielab@groupstudy.com
Subject: RE: Lock-and-key with tacacs+ authentication
I cannot find how to.
I tried this way on NTTacPlus server.
For the user test, under service tab:
Under Configured Services:
Exec=permit
Then under Attribute Value Pair/Per Service
Autocommand=access-enable
When I tried to login, it said authentication OK but
authorization failed.
Below is the log file:
------------------------------------
#12-03-2003 09:28:37#>Login query for 'test' tty5 from 192.168.1.6 accepted
#12-03-2003 09:28:38#debug>Start authorization request
#12-03-2003 09:28:38#debug>user 'test' found
#12-03-2003 09:28:38#debug>nas: service=shell (unchanged)
#12-03-2003 09:28:38#debug>nas: cmd* (unchanged)
#12-03-2003 09:28:38#debug>nas: <none>, server: autocommand=access-enable -> add autocommand=access-enable (k)
#12-03-2003 09:28:38#debug>nas: <none>, server: priv-lvl=15 -> add priv-lvl=15 (l)
#12-03-2003 09:28:38#debug>added 2 args
#12-03-2003 09:28:38#debug>out args[0] = service=shell input copy discarded
#12-03-2003 09:28:38#debug>out args[1] = cmd* input copy discarded
#12-03-2003 09:28:38#debug>out args[2] = autocommand=access-enable compacted to out args[0]
#12-03-2003 09:28:38#debug>out args[3] = priv-lvl=15 compacted to out args[1]
#12-03-2003 09:28:38#debug>2 output args
#12-03-2003 09:28:38#>authorization query for 'test' tty5 from 192.168.1.6 accepted
---------------------
--- Fabrice Bobes <study@6colabs.com> wrote:
> OK, I stand corrected and I'll try to give a better
> explanation :-)
>
> 1) Lock-and-key with tacacs+ authentication
> Like Brian said, your access-list is not complete.
> It should be something like:
> access-list 100 permit tcp host 192.168.1.2 host 192.168.1.6 eq telnet
> access-list 100 permit tcp host 192.168.1.2 eq 49 host 192.168.1.6
> access-list 100 dynamic fredlist permit tcp host 192.168.1.2 any eq telnet
>
> 2) Lock-and-key with tacacs+ authentication and
> authorization
> Since you are using TACACS, you can remove
> Line vty 0 4
> autocommand access-enable
>
> and put this information on the TACACS server
> autocommand = access-enable
> under the section Shell (exec).
>
> In this situation, you use TACACS to let your user
> start an exec shell
> command.
> You need to enable shell (exec) for your Tacacs user
> and add:
> authorization exec default group tacacs+
> or
> aaa authorization exec TEST group tacacs+
> line vty 0 4
> authorization exec TEST
>
> 3) And yes, you should specify a backup
> authentication method if Tacacs
> fails
>
> Thanks,
>
> Fabrice
> http://www.6colabs.com
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com] On Behalf Of
> Brian Dennis
> Sent: Tuesday, March 11, 2003 5:23 PM
> To: 'Peng Zheng'; ccielab@groupstudy.com
> Subject: RE: Lock-and-key with tacacs+
> authentication
>
> You are not allowing TACACS+ through your ACL. The
> AAA server can't
> reply to the authentication request sent by the
> router. Add an entry to
> the ACL that allows the AAA server to reply.
>
> Also as a side note your router is not setup for a
> secondary
> authentication method. As a general rule you should
> at least have a
> secondary authentication method (i.e. local) in case
> the primary is
> unavailable.
>
> Brian Dennis, CCIE #2210 (R&S/ISP Dial/Security)
> CCSI# 98640
> brian@labforge.com
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com] On Behalf Of
> Peng Zheng
> Sent: Tuesday, March 11, 2003 4:34 PM
> To: Fabrice Bobes; ccielab@groupstudy.com
> Subject: RE: Lock-and-key with tacacs+
> authentication
>
> Here is my config:
>
> ------------------
>
> aaa new-model
> aaa authentication login default group tacacs+
> aaa authentication login TEST group tacacs+
> aaa authentication enable default group tacacs+
>
> ...
>
> interface Loopback0
> ip address 131.108.3.1 255.255.255.0
> !
> interface Ethernet0
> ip address 192.168.1.6 255.255.255.0
> ip access-group 100 in
>
> ....
>
> access-list 100 permit tcp host 192.168.1.2 host 192.168.1.6 eq telnet
> access-list 100 dynamic fredlist permit tcp host 192.168.1.2 any eq telnet
>
> ...
>
> tacacs-server host 192.168.1.2
> tacacs-server key cisco
>
> ......
>
> line vty 0 4
> login authentication TEST
> autocommand access-enable
>
> ----------------------------
>
>
> If there is no ip access-group 100 in under int e 0, the authentication part is OK.
>
> After I added it, when I tried to telnet 192.168.1.6, there was not even a prompt.
>
>
> What's the problem?
>
>
>
>
> --- Fabrice Bobes <study@6colabs.com> wrote:
> > Peng,
> >
> > Yes, it's possible.
> > Just post your config and I'll check what you are
> > missing.
> >
> > Thanks,
> >
> > Fabrice
> > http://www.6colabs.com
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com
> > [mailto:nobody@groupstudy.com] On Behalf Of
> > Peng Zheng
> > Sent: Tuesday, March 11, 2003 2:07 PM
> > To: ccielab@groupstudy.com
> > Subject: Lock-and-key with tacacs+ authentication
> >
> > Is it possible to use tacacs+ to authenticate
> > lock-and-key? I tried but failed.
> >
> > Thanks for help.
> >
>
>
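The three problems raised in this thread (the inbound ACL silently dropping the TACACS+ server's replies to the router, the ACL needing a dynamic entry for lock-and-key, and login method lists with no fallback if the server is unreachable) are all visible in the running config. The following Python linter is an added example written for this archive page, not code from any of the posters; it parses a constructed copy of Peng's config (trimmed) and the same config with Brian's and Fabrice's fixes applied, and reports which of the three issues remain. The function and constant names are invented here, and accepting the keyword `tacacs` as an alias for port 49 in ACL entries is an assumption.

```python
import re
from typing import Dict, List, Set

# Constructed from the configuration posted in the thread, trimmed to the
# lines the checks below look at (not the poster's complete config).
BROKEN_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login TEST group tacacs+
interface Ethernet0
 ip address 192.168.1.6 255.255.255.0
 ip access-group 100 in
access-list 100 permit tcp host 192.168.1.2 host 192.168.1.6 eq telnet
access-list 100 dynamic fredlist permit tcp host 192.168.1.2 any eq telnet
tacacs-server host 192.168.1.2
tacacs-server key cisco
line vty 0 4
 login authentication TEST
 autocommand access-enable
"""

# Same config with the reply entry for the TACACS+ server (source port 49)
# and a 'local' fallback on the login method lists, as suggested in the thread.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "access-list 100 dynamic",
    "access-list 100 permit tcp host 192.168.1.2 eq 49 host 192.168.1.6\n"
    "access-list 100 dynamic",
).replace("group tacacs+\n", "group tacacs+ local\n")

ACL_LINE = re.compile(r"^access-list\s+(\d+)\s+(.*)$")
ACCESS_GROUP = re.compile(r"^\s*ip access-group\s+(\S+)\s+in\b")
TACACS_HOST = re.compile(r"^tacacs-server host\s+(\S+)")
LOGIN_LIST = re.compile(r"^aaa authentication login\s+(\S+)\s+(.*)$")


def inbound_acls(config: str) -> Set[str]:
    """ACL numbers applied inbound on any interface."""
    found: Set[str] = set()
    for line in config.splitlines():
        m = ACCESS_GROUP.match(line)
        if m:
            found.add(m.group(1))
    return found


def acl_entries(config: str) -> Dict[str, List[str]]:
    """Map ACL number -> list of entry texts (everything after the number)."""
    entries: Dict[str, List[str]] = {}
    for line in config.splitlines():
        m = ACL_LINE.match(line)
        if m:
            entries.setdefault(m.group(1), []).append(m.group(2))
    return entries


def tacacs_hosts(config: str) -> List[str]:
    """Configured TACACS+ server addresses."""
    return [m.group(1) for m in map(TACACS_HOST.match, config.splitlines()) if m]


def permits_tacacs_reply(entries: List[str], server: str) -> bool:
    """True if some entry permits TCP from the server's port 49 (or 'tacacs')."""
    pat = re.compile(rf"^permit tcp host {re.escape(server)} eq (49|tacacs)\b")
    return any(pat.match(e) for e in entries)


def lint(config: str) -> List[str]:
    """Return a list of human-readable findings; empty means all checks passed."""
    findings: List[str] = []
    entries = acl_entries(config)
    servers = tacacs_hosts(config)
    for acl in sorted(inbound_acls(config)):
        acl_lines = entries.get(acl, [])
        for server in servers:
            if not permits_tacacs_reply(acl_lines, server):
                findings.append(
                    f"ACL {acl} is applied inbound but has no entry permitting "
                    f"TACACS+ replies from {server} (tcp source port 49); "
                    f"login will hang before any prompt appears")
        if not any(e.startswith("dynamic ") for e in acl_lines):
            findings.append(f"ACL {acl} has no dynamic entry for lock-and-key")
    for line in config.splitlines():
        m = LOGIN_LIST.match(line)
        if m and m.group(2).split() == ["group", "tacacs+"]:
            findings.append(
                f"login list '{m.group(1)}' has only 'group tacacs+'; add a "
                f"fallback such as 'local' in case the server is unreachable")
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {lint(cfg) or ['no findings']}")
```

Run it as-is and the broken config produces three findings (the missing reply entry plus the two single-method login lists) while the fixed config produces none. The reply check is the one that explains the "no prompt at all" symptom: the router's TACACS+ request leaves Ethernet0 fine, but the server's answer arrives inbound on that interface and is dropped by ACL 100, so authentication never completes.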
This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:38 GMT-3