user failed authorization to start a shell
342 views
Skip to first unread message
jda...@netskope.com
May 5, 2016, 1:49:30 AM5/5/16
to Event-Driven Servers
I think my AD to group mapping is not working, and I am not sure how to fix this. I need to be able to map an AD group without using the tacacs prefix as the policy here does not allow for that. I assume I have something wrong in my tac_plus config but I am not sure what it is.
May 4 20:48:38 sv5-c1-r104-ae02 Aaa: %AAA-4-EXEC_AUTHZ_FAILED: User jdambly failed authorization to start a shell
May 4 20:50:51 sv5-c1-r104-ae02 Aaa: %AAA-4-EXEC_AUTHZ_FAILED: User jdambly failed authorization to start a shell
May 4 20:58:52 sv5-c1-r104-ae02 Aaa: %AAA-4-EXEC_AUTHZ_FAILED: User jdambly failed authorization to start a shell
output from tac_plus logging
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: New session
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: ---<start packet>---
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: key used: cisco
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: version: 192, type: 2, seq no: 1, flags: unencrypted
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: session id: 7002929a data length: 50
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: AUTHOR priv_lvl=1 authen=1 method=tacacs+ (6) svc=1
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: user_len=7 port_len=3 rem_addr_len=13 arg_cnt=2
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: user (len: 7): jdambly
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: 0000 6a 64 61 6d 62 6c 79 jdambly
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: port (len: 3): ssh
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: 0000 73 73 68 ssh
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: rem_addr (len: 13): 192.168.0.249
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: 0000 31 39 32 2e 31 36 38 2e 30 2e 32 34 39 192.168. 0.249
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: arg[0] (len: 13): service=shell
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: 0000 73 65 72 76 69 63 65 3d 73 68 65 6c 6c service= shell
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: arg[1] (len: 4): cmd*
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: 0000 63 6d 64 2a cmd*
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: ---<end packet>---
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: Start authorization request
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: cfg_get: checking user/group jdambly, tag (NULL)
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: cfg_get: checking user/group jdambly, tag (NULL)
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: user 'jdambly' found
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: cfg_get: checking user/group jdambly, tag (NULL)
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: jda...@192.168.0.19: not found: svcname=shell@world protocol=
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: jda...@192.168.0.19: not found: svcname=shell protocol=
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: jda...@192.168.0.19: svcname=shell protocol= not found, default is <unknown>
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: Writing AUTHOR/FAIL size=18
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: ---<start packet>---
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: key used: cisco
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: version: 192, type: 2, seq no: 2, flags: unencrypted
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: session id: 7002929a data length: 6
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: AUTHOR/REPLY status=16 (AUTHOR/FAIL)
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: msg_len=0, data_len=0, arg_cnt=0
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: msg (len: 0):
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: data (len: 0):
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: ---<end packet>---
here is my config
#!../../../sbin/tac_plus
id = spawnd {
listen = { port = 49 }
spawn = {
instances min = 1
instances max = 10
}
background = no
}
id = tac_plus {
debug = PACKET AUTHEN AUTHOR MAVIS
access log = /var/log/tac_plus/access.log
accounting log = /var/log/tac_plus/acct.log
authorization log = /var/log/tac_plus/auth.log
mavis module = external {
setenv LDAP_SERVER_TYPE = "microsoft"
#setenv LDAP_HOSTS = "ldaps://xxxxxxx:3268"
setenv LDAP_HOSTS = "xxxxxxx:3268"
setenv LDAP_SCOPE = sub
setenv LDAP_BASE = "dc=nskope,dc=net"
setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
setenv LDAP_USER = "xxx...@nskope.net"
setenv LDAP_PASSWD = "xxxxxxxx"
#setenv AD_GROUP_PREFIX = devops
# setenv REQUIRE_AD_GROUP_PREFIX = 1
# setenv USE_TLS = 0
exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
}
user backend = mavis
login backend = mavis
pap backend = mavis
skip missing groups = yes
host = world {
address = 0.0.0/0
prompt = "Welcome\n"
key = cisco
}
group = devops {
default service = permit
service = shell {
default command = permit
default attribute = permit
set priv-lvl = 15
}
}
}
Daniel Hartmeier
May 9, 2016, 6:00:33 AM5/9/16
to event-driv...@googlegroups.com
On Wed, May 04, 2016 at 02:09:57PM -0700, jda...@netskope.com wrote:
> I think my AD to group mapping is not working, and I am not sure how to fix
> this. I need to be able to map an AD group without using the tacacs prefix
> as the policy here does not allow for that. I assume I have something wrong
> in my tac_plus config but I am not sure what it is.
If you simply omit AD_GROUP_PREFIX, it defaults to 'tacacs'.
> I think my AD to group mapping is not working, and I am not sure how to fix
> this. I need to be able to map an AD group without using the tacacs prefix
> as the policy here does not allow for that. I assume I have something wrong
> in my tac_plus config but I am not sure what it is.
Try setting it to an empty string instead, like
setenv AD_GROUP_PREFIX = ""
HTH,
Daniel
jda...@netskope.com
May 9, 2016, 5:28:36 PM5/9/16
to Event-Driven Servers, dan...@benzedrine.ch
that worked thanks!
Reply all
Reply to author
Forward
0 new messages