tac_plus-ng cmd filtered command does not work


sergiu daniel

Jun 5, 2024, 12:52:57 PM
to Event-Driven Servers
Hello Marc,
I am not able to figure out the right method in providing a shell with priv level 15, but restricting it only to a show command and deny everything else.
All methods that I have tested still allow me to execute the commands filtered out.

Marc Huber

Jun 6, 2024, 4:26:36 AM
to event-driv...@googlegroups.com
Hi,

please make sure that command authorization is enabled on the router. If
it is, please provide a sample config suitable for reproducing the issue.

Cheers,

Marc

On 05.06.2024 18:52, sergiu daniel wrote:
> Hello Marc,
> I am not able to figure out the right method in providing a shell with
> priv level 15, *but restricting it only to a show command and deny
> everything else.*
> All methods that I have tested still allow me to execute the commands
> filtered out.

sergiu daniel

Jun 6, 2024, 7:50:36 AM
to Event-Driven Servers
Hi Marc,
Debug output is also attached.
I used the profile example from one of your posts.
I tried other config examples, but had no luck.
tac trimmed config:
profile usertest {
    script {
        if (service == shell) {
            if (cmd == "") { set priv-lvl = 15 permit }
            if (cmd =~ /^show /) permit
            deny
        }
    }
}
group usertest
user = swbackup {
    password login = clear "test123"
    member = usertest
}
ruleset {
    rule localaccounts {
        enabled = yes
        script {
            if (user == swbackup) { profile = usertest permit }
            if (member == admins) { profile = admins permit }
        }
    }

    rule scs {
        enabled = yes
        script {
            if (memberof =~ /^CN=Switchaccess_Radius,/) { profile = admins permit }
        }
    }

    rule localit {
        enabled = yes
        script {
            ########################EU2##
            if (nas == TM) { if (memberof =~ /^CN=NetworkSupport,/) { profile = admins permit } }
        }
    }
}
}



sw config example:
aaa:
aaa authentication login default group tacGroup local
aaa authentication login tacAuthen group tacGroup local
aaa authentication login console local
aaa authentication dot1x default group Wired-NAC
aaa authorization config-commands
aaa authorization exec default group tacGroup local if-authenticated
aaa authorization exec tacAuthor group tacGroup local if-authenticated
aaa authorization network default group Wired-NAC
aaa accounting update newinfo periodic 2880
aaa accounting identity default start-stop group Wired-NAC
aaa accounting exec default start-stop group tacGroup
aaa accounting commands 15 default start-stop group tacGroup
aaa accounting connection default start-stop group tacGroup
aaa accounting system default start-stop group tacGroup

vty:
line vty 0 4
 session-timeout 3
 exec-timeout 3 0
 privilege level 15
 authorization exec tacAuthor
 logging synchronous
 login authentication tacAuthen
 transport preferred none
 transport input ssh
line vty 5 15
 session-timeout 3
 exec-timeout 3 0
 privilege level 15
 authorization exec tacAuthor
 logging synchronous
 login authentication tacAuthen
 transport preferred none
 transport input ssh
debug.txt

Marc Huber

Jun 6, 2024, 11:52:48 AM
to event-driv...@googlegroups.com
Hi,

please try adding something like

aaa authorization commands 15 default group tacGroup local if-authenticated

With your current config, only exec is authenticated.

Cheers,

Marc
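The point of this reply is that a tac_plus-ng command filter is only enforced if the router actually sends command authorization requests; with exec authorization alone, the server is never asked about individual commands. The following added example (not code from the thread or from tac_plus-ng; the names AuthorRequest, Nas, usertest_profile and session are assumptions made here) models both sides of that exchange: the server side evaluates the "usertest" profile script from the thread over constructed requests, and the NAS side sends a command authorization request only when "aaa authorization commands 15" is configured.

```python
import re
from dataclasses import dataclass, field

# --- TACACS+ server side: a model of the tac_plus-ng profile script ---

@dataclass
class AuthorRequest:
    """One TACACS+ authorization request as the NAS would send it (constructed)."""
    service: str   # e.g. "shell"
    cmd: str       # "" for exec authorization, otherwise the command line

@dataclass
class AuthorReply:
    status: str                       # "permit" or "deny"
    attrs: dict = field(default_factory=dict)  # reply attributes, e.g. priv-lvl

def usertest_profile(req: AuthorRequest) -> AuthorReply:
    """Evaluates the 'usertest' script from the thread:
       exec start -> permit with priv-lvl 15, 'show ...' -> permit, anything else -> deny."""
    if req.service == "shell":
        if req.cmd == "":
            return AuthorReply("permit", {"priv-lvl": "15"})
        if re.match(r"^show ", req.cmd):
            return AuthorReply("permit")
        return AuthorReply("deny")
    # The script falls through for other services; tac_plus-ng denies by default.
    return AuthorReply("deny")

# --- NAS side: which requests the router's AAA configuration actually sends ---

@dataclass
class Nas:
    """Simplified IOS AAA method list state (assumption: only these two knobs matter here)."""
    authorization_exec: bool          # 'aaa authorization exec ... group tacGroup'
    authorization_commands_15: bool   # 'aaa authorization commands 15 ... group tacGroup'

def session(nas: Nas, profile, commands) -> dict:
    """Simulates a login followed by a list of typed commands and returns the
       outcome of each: 'executed' or 'Command authorization failed.'"""
    results = {}
    priv = 1
    # 1. Exec authorization: service=shell, cmd="" hands the session its privilege level.
    if nas.authorization_exec:
        reply = profile(AuthorRequest("shell", ""))
        if reply.status != "permit":
            results["exec"] = "denied"
            return results
        priv = int(reply.attrs.get("priv-lvl", priv))
    results["exec"] = f"permitted at priv-lvl {priv}"
    # 2. Per-command authorization only happens if the NAS is configured to ask.
    for cmd in commands:
        if nas.authorization_commands_15 and priv == 15:
            reply = profile(AuthorRequest("shell", cmd))
            results[cmd] = "executed" if reply.status == "permit" else "Command authorization failed."
        else:
            # No 'aaa authorization commands' in the method list: the server is never
            # consulted, so the profile's deny is never applied. This is the thread's bug.
            results[cmd] = "executed"
    return results

if __name__ == "__main__":
    typed = ["show version", "configure terminal"]
    before = Nas(authorization_exec=True, authorization_commands_15=False)
    after = Nas(authorization_exec=True, authorization_commands_15=True)
    print("exec-only config:", session(before, usertest_profile, typed))
    print("with commands 15:", session(after, usertest_profile, typed))
```

Run stand-alone, the "exec-only" session shows "configure terminal" executing despite the profile's deny, and the session with command authorization enabled reports "Command authorization failed." for it, which matches the output quoted later in the thread. The model is deliberately narrow: it ignores privilege levels other than 15 and the "local"/"if-authenticated" fallback methods, since neither changes the point being made.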

sergiu daniel

Jun 6, 2024, 2:12:31 PM
to Event-Driven Servers
It is working, Sir:
"#conf t
Command authorization failed."
Thank you very much!

You have made the lives of a lot of IT people easier :).
Please take into consideration a DONATE button on your site :).