AAA command authorization
Hi List,

Has anyone got AAA command authorization working correctly on modern
Netiron code, on the MLX/CER's?

With a working TACACS+ server, with the below aaa configuration, I don't
receive Command Authorization commands (confirmed with logs / pcap) for
commands prefaced with 'no', but do for other configuration level commands.

This presents a problem when I can block commands like 'router mpls', but
other commands such as 'no router mpls' still work.

Testing is done with a logged in user with priv level 0 (super user).
Testing has been done with a few variants of 5.8, 6.0 and 6.2 code, all with
the same results.

Has anyone else run into this issue? Or has anyone got working command
authorization with a different (e.g. RADIUS) setup?

AAA config:
tacacs-server host 192.0.2.200
tacacs-server key tacacskeyhere
aaa authentication enable default tacacs+
aaa authentication login default tacacs+
aaa authentication login privilege-mode
aaa authorization commands 0 default tacacs+
aaa authorization exec default tacacs+
aaa accounting commands 0 default start-stop tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting system default start-stop tacacs+


--
Email: pat@ge3k.net
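One way to confirm the gap described above from the TACACS+ server side is to cross-check accounting records against authorization requests: a command that produced an accounting record but never an authorization request was executed without being checked. This is an added example, not code from the thread or from any TACACS+ daemon; the log line format and the sample lines are constructed for the example.

```python
import re

# Constructed sample of TACACS+ server log lines (the format is an assumption
# for this example, not a real daemon's output). A denied command never
# executes, so it has no accounting record; the 'no ...' forms were executed
# (accounting present) without any authorization request.
SAMPLE_LOG = """\
2019-03-15 14:00:01 authorization user=pat cmd="router mpls" result=deny
2019-03-15 14:00:10 accounting user=pat type=start cmd="no router mpls"
2019-03-15 14:00:10 accounting user=pat type=stop cmd="no router mpls"
2019-03-15 14:00:20 authorization user=pat cmd="interface ethernet 1/1" result=permit
2019-03-15 14:00:21 accounting user=pat type=start cmd="interface ethernet 1/1"
2019-03-15 14:00:30 accounting user=pat type=start cmd="no interface ethernet 1/1"
"""

LINE_RE = re.compile(
    r'^\S+ \S+ (?P<kind>authorization|accounting) user=(?P<user>\S+) .*?cmd="(?P<cmd>[^"]*)"'
)


def parse_records(text):
    """Yield (kind, user, cmd) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("kind"), m.group("user"), m.group("cmd").strip()


def find_unauthorized_executions(text):
    """Return sorted (user, cmd) pairs seen in accounting but never in authorization."""
    authz, acct = set(), set()
    for kind, user, cmd in parse_records(text):
        (authz if kind == "authorization" else acct).add((user, cmd))
    return sorted(acct - authz)


def negation_gaps(text):
    """Narrow the result to 'no ...' commands whose positive form did get an
    authorization request: exactly the symptom reported in the thread."""
    authz = {(u, c) for k, u, c in parse_records(text) if k == "authorization"}
    return [(user, cmd) for user, cmd in find_unauthorized_executions(text)
            if cmd.startswith("no ") and (user, cmd[3:]) in authz]


if __name__ == "__main__":
    for user, cmd in negation_gaps(SAMPLE_LOG):
        print(f"executed without an authorization request: user={user} cmd={cmd!r}")
```

Run it against a real daemon's logs by adapting LINE_RE to that daemon's record format; an empty result after exercising both the positive and 'no' forms of a command means authorization is being consulted for both.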
Re: AAA command authorization
> I don't receive Command Authorization commands (confirmed with logs /
> pcap) for commands prefaced with 'no', but do for other configuration level
> commands.

Sorry I'm late to the party. Have you opened a TAC case? Extreme will try
to disagree, but *that is no small security vulnerability*. Have you (and
this shouldn't work) tried authorization on the other levels (4 and 5) to
see if they help? Your only other option is to try brocade-privlvl = 4,
which doesn't give many configuration rights:
#conf t
(config)#?
cls Clear screen
end End Configuration level and go to Privileged level
exit Exit current level
global-port-security Global-level Port Security configuration
interface Port commands
mac-authentication Configure MAC authentication
no Undo/disable commands
quit Exit to User level
show Display system information
<cr>

Or maybe try RADIUS, as you have hinted at and which I have never had a need
to do. If it were Cisco, you could define a new privilege level; not sure
about Brocade.

On Fri, Mar 15, 2019 at 2:00 PM Patrick Ohearn via foundry-nsp <
foundry-nsp@puck.nether.net> wrote:

> Hi List,
>
> Has anyone got AAA command authorization working correctly on modern
> Netiron code, on the MLX/CER's?
>
> With a working TACACS+ server, with the below aaa configuration, I don't
> receive Command Authorization commands (confirmed with logs / pcap) for
> commands prefaced with 'no', but do for other configuration level commands.
>
> This presents a problem when I can block commands like 'router mpls', but
> other commands such as 'no router mpls' still work.
>
> Testing is done with a logged in user with priv level 0 (super user).
> Testing has been done with a few variants of 5.8, 6.0 and 6.2 code, all with
> the same results.
>
> Has anyone else run into this issue? Or has anyone got working command
> authorization with a different (e.g. RADIUS) setup?
>
> AAA config:
> tacacs-server host 192.0.2.200
> tacacs-server key tacacskeyhere
> aaa authentication enable default tacacs+
> aaa authentication login default tacacs+
> aaa authentication login privilege-mode
> aaa authorization commands 0 default tacacs+
> aaa authorization exec default tacacs+
> aaa accounting commands 0 default start-stop tacacs+
> aaa accounting exec default start-stop tacacs+
> aaa accounting system default start-stop tacacs+
>
>
> --
> Email: pat@ge3k.net
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp@puck.nether.net
> http://puck.nether.net/mailman/listinfo/foundry-nsp
>

--

E-Mail to and from me, in connection with the transaction of public
business, is subject to the Wyoming Public Records Act and may be
disclosed to third parties.