tac_plus-ng: Fortigate access to multiple vdom(s) - generating dynamic TACACS VSA attribute (vdom=<vdom_name>)


Filip Beran
Jun 8, 2023, 6:14:39 AM
to Event-Driven Servers
Hi Marc,

Fortigate supports TACACS VSA allowing access into specific VDOMs.
The complication is that the TACACS reply packet must contain each vdom as a unique AV pair vdom=<vdom_name>; it means that if a user has access to more vdoms, then the reply must contain:
vdom=vdom1
vdom=vdom2
vdom=vdom3
...
vdom=vdomX

My goal is generating these AV pairs dynamically based on MS-AD group memberships. In MS-AD I would create as many groups as vdom(s) exist. Then each user will be a member of only such groups where he needs access.
But what I don't know is how (or if it is even possible) to create AV pairs dynamically in tac_plus-ng based on a specific list of groups returned from MS-AD.
It means I'll need to iterate over the specific group list and from each such group parse a vdom_name and assign it into a single unique AV pair:
"set vdom = vdom1"
"set vdom = vdom2"
...

Is it possible to achieve something like that in tac_plus-ng?

Thank you in advance for any help or idea on how to do it,

Regards,
Filip

Marc Huber
Jun 8, 2023, 7:48:46 AM
to event-driv...@googlegroups.com

Hi Filip,

you could disable user caching (cache timeout = 0) and authorize your users using a custom LDAP backend script that sets the VERDICT attribute to "TRUE" and the RARGS attribute to whatever arguments you want the daemon to set/add. E.g., "vdom+vdom1\nvdom+vdom2\nvdom+vdom3\n...vdom+vdomX", based on memberOf attributes.

The "+" attributes will be added as optional attributes to the response ("*"). Adding them as mandatory will quite likely not work (mandatory arguments aren't multi-value).

In "mavis_tacplus-ng_ldap.pl" I'd probably place that code somewhere around line 267:

    my $val = $entry->get_value('memberof', asref => 1);
    if ($#{$val} > -1) {
        $val = expand_memberof($val);
        my (@M, @MO, @RARGS);
        foreach my $m (sort @$val) {
            if ($m =~ /$LDAP_MEMBEROF_REGEX/i) {
                push @M, $1;
                push @MO, $m;
            }
            # group CN "vdom_<name>" -> <name> is the vdom to return
            if ($m =~ /^cn=vdom_([^,]+),.*/) {
                push @RARGS, $1;
            }
        }
        $V[AV_A_TACMEMBER] = '"' . join('","', @M) . '"' if $#M > -1;
        $V[AV_A_MEMBEROF] = '"' . join('","', @MO) . '"' if $#MO > -1;
        if ($#RARGS > -1) {
            $V[AV_A_VERDICT] = AV_V_BOOL_TRUE;
            $V[AV_A_RARGS] = 'vdom+' . join('"\nvdom+"', @RARGS);
        }
    }

This is obviously untested on my part.

Cheers,

Marc

You received this message because you are subscribed to the Google Groups "Event-Driven Servers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to event-driven-ser...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/event-driven-servers/e37ca503-c002-4433-9f36-5bb4ae4cda07n%40googlegroups.com.

Filip Beran
Jun 15, 2023, 6:50:47 AM
to Event-Driven Servers
Hi Marc,
 
thank you for the idea; updating the Perl code is relatively clear in what it will do. Unfortunately I don't know how to handle RARGS later. Even what is strange for me is that the RARGS var content is missing in the debug output among av_get(<variable_name>) and av_set(<variable_name>); I would expect to see av_get(RARGS) = ... and av_set(RARGS) = ... if RARGS exists and contains something :-(.

And later I don't know how I should extract each single vdom element from the RARGS array variable into stand-alone AV pairs for the TACACS response packet at the authorization step:
set vdom=vdom1
set vdom=vdom2
... 

Do you mean using some 'script {...}' section inside tacplus-ng.cfg in a specific profile section, something like this:

profile customer_vFW_ACCESS {
    script {
        if (service == fortigate) {
            if (memberof =~ /CN=tacacs_VDC-[A-Z,0-9]_vdom,OU=vendor_Fortigate,OU=vFW/ ) {
                set memberof = "fortigate_vdom_access"
                set admin_prof = "vdom_access"
                if (rargs =~ /.+/) {
                    [processing somehow the rargs variable ???] ???
                    permit
                }
            }
            deny
        }
        deny
    }
}



Thank you in advance.
Regards,
Filip

Marc Huber
Jun 16, 2023, 10:30:41 AM
to event-driv...@googlegroups.com
Hi Filip,

tac_plus-ng will take care of RARGS handling and use them as "set" (=), "optional" (*) or "add" (+) attributes. The attributes will be processed just like they were set in a profile.

I've just seen that the "join" concatenator for RARGS given in my example doesn't look correct; that line should read

$V[AV_A_RARGS] = 'vdom+' . join('\rvdom+', @RARGS);

Cheers,

Marc


Filip Beran
Jun 16, 2023, 11:16:13 AM
to Event-Driven Servers
Hi Marc,

hmm interesting, so if the authorization request from the Fortigate looks like this:

180809: 16:59:23.132 5/115bdae1: 100.64.37.1 packet body (len: 65): \006\000\002\001\v\000\000\004\021\t\v\005test_u1_DSTservice=fortigatememberof*admin_prof*vdom*
180809: 16:59:23.132 5/115bdae1: 100.64.37.1 0000 06 00 02 01 0b 00 00 04  11 09 0b 05 74 65 73 74  ........ ....test
180809: 16:59:23.132 5/115bdae1: 100.64.37.1 0010 5f 75 31 5f 44 53 54 73  65 72 76 69 63 65 3d 66  _u1_DSTs ervice=f
180809: 16:59:23.132 5/115bdae1: 100.64.37.1 0020 6f 72 74 69 67 61 74 65  6d 65 6d 62 65 72 6f 66  ortigate memberof
180809: 16:59:23.132 5/115bdae1: 100.64.37.1 0030 2a 61 64 6d 69 6e 5f 70  72 6f 66 2a 76 64 6f 6d  *admin_p rof*vdom
180809: 16:59:23.132 5/115bdae1: 100.64.37.1 0040 2a                                                *
180809: 16:59:23.132 5/115bdae1: 100.64.37.1 AUTHOR, priv_lvl=0
180809: 16:59:23.132 5/115bdae1: 100.64.37.1 authen_type=pap (2)
180809: 16:59:23.132 5/115bdae1: 100.64.37.1 authen_method=tacacs+ (6)
180809: 16:59:23.132 5/115bdae1: 100.64.37.1 service=login (1)
180809: 16:59:23.132 5/115bdae1: 100.64.37.1 user_len=11 port_len=0 rem_addr_len=0 arg_cnt=4
180809: 16:59:23.132 5/115bdae1: 100.64.37.1 user (len: 11): test_u1_DST
180809: 16:59:23.132 5/115bdae1: 100.64.37.1 port (len: 0):
180809: 16:59:23.132 5/115bdae1: 100.64.37.1 rem_addr (len: 0):
180809: 16:59:23.132 5/115bdae1: 100.64.37.1 arg[0] (len: 17): service=fortigate
180809: 16:59:23.132 5/115bdae1: 100.64.37.1 arg[1] (len: 9): memberof*
180809: 16:59:23.132 5/115bdae1: 100.64.37.1 arg[2] (len: 11): admin_prof*
180809: 16:59:23.132 5/115bdae1: 100.64.37.1 arg[3] (len: 5): vdom*


then should I use your suggested code, or should I use 'vdom*' instead of 'vdom+' in AV_A_RARGS?

BTW, can I show the content of AV_A_RARGS in some debug output? Actually I'm not sure if it is filled correctly :-(

Thank you.
Regards,
Filip

Marc Huber
Jun 16, 2023, 12:12:15 PM
to event-driv...@googlegroups.com

Hi Filip,

On 16.06.2023 17:16, Filip Beran wrote:
180809: 16:59:23.132 5/115bdae1: 100.64.37.1 arg[1] (len: 9): memberof*
180809: 16:59:23.132 5/115bdae1: 100.64.37.1 arg[2] (len: 11): admin_prof*
180809: 16:59:23.132 5/115bdae1: 100.64.37.1 arg[3] (len: 5): vdom*

the device requests those attributes as optional (*), but the authorization algorithm (from the TAC_PLUS dev kit) specifies that only one attribute is returned. This is back from the SLIP/PPP ages and seems no longer relevant. However, to retain compatibility I've added "add" to complement the "set" and "optional" keywords. "add" will set an optional parameter unconditionally, even multiple times. I've used "+" for RARGS as an indicator for those additional return attributes. On the wire these are just optional ones (with "*" as a separator), and that's what I'd use.

For testing configurations, tac_plus-ng comes with the tac_plus-ng/perl/tac_trace.pl utility which will show the AV pairs just fine.

Cheers,

Marc


Filip Beran
Aug 15, 2023, 10:40:06 AM
to Event-Driven Servers
Hi Marc,
finally I had enough time to test your recommended approach above.

Actually I'm able to fill the RARGS variable; unfortunately splitting the string of the RARGS variable into multiple A/V pairs does not work (
vdom=<vdom1_name>
vdom=<vdom2_name>
....

My added code in "mavis_tacplus-ng_ldap.pl" :

        if ($mesg->count() == 1) {
                my $entry = $mesg->entry(0);

                my $val = $entry->get_value('memberof', asref => 1);

                $authdn = $entry->dn;
                my (@M, @MO, @RARGS);

                if ($#{$val} > -1) {
                        $val = expand_memberof($val);
                } else {
                        $val = expand_groupOfNames($entry->dn);
                }
                foreach my $m (sort @$val) {
                        if ($m =~ /$LDAP_MEMBEROF_REGEX/i) {
                                push @M, $1;
                                push @MO, $m;
                        }
                        if ($m =~ /^(cn=vdom_)(([^,]+))(,.*)/i) {
                                $m = $2;
                                push @RARGS, $m;
                        }
                }
                $V[AV_A_TACMEMBER] = '"' . join('","', @M) . '"' if $#M > -1;
                $V[AV_A_MEMBEROF] = '"' . join('","', @MO) . '"' if $#MO > -1;

                if ($#RARGS > -1) {
                    $V[AV_A_VERDICT] = AV_V_BOOL_TRUE;
                    $V[AV_A_RARGS] = '"vdom+"' . join('"\nvdom+"', @RARGS);
                }

                $V[AV_A_DN] = $authdn;


My DN(s) of vdom groups in MS AD:
CN=vdom_VDDST01FE01,OU=vdoms,OU=vendor_Fortigate,OU=vFW,OU=APP_NET,OU=Application_Roles,OU=dscen,DC=fbe-test,DC=local
CN=vdom_VDDST99,OU=vdoms,OU=vendor_Fortigate,OU=vFW,OU=APP_NET,OU=Application_Roles,OU=dscen,DC=fbe-test,DC=local


So parsing such DN(s) and filling the vdom name into RARGS seems to be working fine in the Perl script, but the split of the RARGS string into multiple A/V pairs doesn't:

263498: 16:05:32.751 1/ad8a5131: 100.64.27.1 Writing AUTHOR/PASS_REPL size=71
263498: 16:05:32.751 1/ad8a5131: 100.64.27.1 ---<start packet>---
263498: 16:05:32.751 1/ad8a5131: 100.64.27.1 key used: ***
263498: 16:05:32.751 1/ad8a5131: 100.64.27.1 version: 192, type: 2, seq no: 2, flags: unencrypted
263498: 16:05:32.751 1/ad8a5131: 100.64.27.1 session id: 31518aad, data length: 59
263498: 16:05:32.751 1/ad8a5131: 100.64.27.1 packet body (len: 59): \002\002\000\000\000\000\021"service=fortigate"vdom*"VDDST01FE01"\\nvdom+"VDDST99
263498: 16:05:32.751 1/ad8a5131: 100.64.27.1 0000 02 02 00 00 00 00 11 22  73 65 72 76 69 63 65 3d  ......." service=
263498: 16:05:32.751 1/ad8a5131: 100.64.27.1 0010 66 6f 72 74 69 67 61 74  65 22 76 64 6f 6d 2a 22  fortigat e"vdom*"
263498: 16:05:32.751 1/ad8a5131: 100.64.27.1 0020 56 44 44 53 54 30 31 46  45 30 31 22 5c 6e 76 64  VDDST01F E01"\nvd
263498: 16:05:32.751 1/ad8a5131: 100.64.27.1 0030 6f 6d 2b 22 56 44 44 53  54 39 39                 om+"VDDS T99
263498: 16:05:32.751 1/ad8a5131: 100.64.27.1 AUTHOR/REPLY, status=2 (AUTHOR/PASS_REPL)
263498: 16:05:32.751 1/ad8a5131: 100.64.27.1 msg_len=0, data_len=0, arg_cnt=2
263498: 16:05:32.751 1/ad8a5131: 100.64.27.1 msg (len: 0):
263498: 16:05:32.751 1/ad8a5131: 100.64.27.1 data (len: 0):
263498: 16:05:32.751 1/ad8a5131: 100.64.27.1 arg[0] (len: 17): service=fortigate
263498: 16:05:32.751 1/ad8a5131: 100.64.27.1 arg[1] (len: 34): "vdom*"VDDST01FE01"\\nvdom+"VDDST99
263498: 16:05:32.751 1/ad8a5131: 100.64.27.1 ---<end packet>---


The yellow highlighted line above should be two separate A/V pairs in the TACACS response packet:
vdom=VDDST01FE01
vdom=VDDST99


But to be able to control access into specific VDOM(s) on a Fortigate firewall (FortiOS) there is another dimension (A/V pair) which complicates this simple approach ($V[AV_A_VERDICT] = AV_V_BOOL_TRUE; causes the rest of tac_plus-ng.cfg to be skipped and I'm not able to add other relevant A/V pairs into the response).
In such a case I need to be able to set a different A/V (admin_prof = <value>) with various values for various people based on membership in specific MS AD groups. This logic I have configured in tac_plus-ng.cfg.
Some people need to use:
admin_prof = "vdom_admin_restricted"
some people need to use:
admin_prof = "vdom_readonly"
some people need to use:
admin_prof = "vpn_admin"
...

For such a scenario it would be best if tac_plus-ng supported iterating over the RARGS content somehow inside tac_plus-ng.cfg within profile sections. What do you think, would it be possible to implement something like this?
To my regret I'm not a C programmer; if I were I would suggest some improvement, unfortunately I'm not.

Thank you in advance,
Regards,
Filip

Marc Huber
Aug 15, 2023, 11:25:58 AM
to event-driv...@googlegroups.com

Hi Filip,

please use \r instead of \n for joining. I actually think I've mentioned that before but I'm too lazy to look that up.

    $V[AV_A_RARGS] = '"vdom+' . join('"\r\"vdom+', @RARGS) . '"';

should return suitable AV pairs.

Cheers,

Marc


Marc Huber
Aug 15, 2023, 11:32:04 AM
to event-driv...@googlegroups.com

Hi,

wrong again, please try

    $V[AV_A_RARGS] = '"vdom+' . join('"\r"vdom+', @RARGS) . '"';

instead.

Cheers,

Marc

Filip Beran
Aug 15, 2023, 11:54:21 AM
to Event-Driven Servers
Hi Marc,
I've tested both variants, unfortunately with a similar result :-( splitting into more standalone A/V pairs does not work.
The result for the last one:
263682: 17:50:53.397 3/b5d589bc: 100.64.27.1 Writing AUTHOR/PASS_REPL size=70
263682: 17:50:53.397 3/b5d589bc: 100.64.27.1 ---<start packet>---
263682: 17:50:53.397 3/b5d589bc: 100.64.27.1 key used: MySecurityKey123
263682: 17:50:53.397 3/b5d589bc: 100.64.27.1 version: 192, type: 2, seq no: 2, flags: unencrypted
263682: 17:50:53.397 3/b5d589bc: 100.64.27.1 session id: bc89d5b5, data length: 58
263682: 17:50:53.397 3/b5d589bc: 100.64.27.1 packet body (len: 58): \002\002\000\000\000\000\021!service=fortigate"vdom*VDDST01FE01"\\r"vdom+VDDST99
263682: 17:50:53.397 3/b5d589bc: 100.64.27.1 0000 02 02 00 00 00 00 11 21  73 65 72 76 69 63 65 3d  .......! service=
263682: 17:50:53.397 3/b5d589bc: 100.64.27.1 0010 66 6f 72 74 69 67 61 74  65 22 76 64 6f 6d 2a 56  fortigat e"vdom*V
263682: 17:50:53.397 3/b5d589bc: 100.64.27.1 0020 44 44 53 54 30 31 46 45  30 31 22 5c 72 22 76 64  DDST01FE 01"\r"vd
263682: 17:50:53.397 3/b5d589bc: 100.64.27.1 0030 6f 6d 2b 56 44 44 53 54  39 39                    om+VDDST 99
263682: 17:50:53.397 3/b5d589bc: 100.64.27.1 AUTHOR/REPLY, status=2 (AUTHOR/PASS_REPL)
263682: 17:50:53.397 3/b5d589bc: 100.64.27.1 msg_len=0, data_len=0, arg_cnt=2
263682: 17:50:53.397 3/b5d589bc: 100.64.27.1 msg (len: 0):
263682: 17:50:53.397 3/b5d589bc: 100.64.27.1 data (len: 0):
263682: 17:50:53.397 3/b5d589bc: 100.64.27.1 arg[0] (len: 17): service=fortigate
263682: 17:50:53.397 3/b5d589bc: 100.64.27.1 arg[1] (len: 33): "vdom*VDDST01FE01"\\r"vdom+VDDST99
263682: 17:50:53.397 3/b5d589bc: 100.64.27.1 ---<end packet>---


Regards,
Filip

Marc Huber
Aug 15, 2023, 12:28:00 PM
to event-driv...@googlegroups.com

Hi Filip,

ok, let's give that another try. Does one of

    $V[AV_A_RARGS] = 'vdom+' . join('\rvdom+', @RARGS);

    $V[AV_A_RARGS] = 'vdom+"' . join('\rvdom+"', @RARGS) . '"';

work?

The first should result in

    vdom*VDDST01FE01
    vdom*VDDST99

while the second one should quote the values, such as

    vdom*"VDDST01FE01"
    vdom*"VDDST99"

However, I have the gut feeling that I've missed some + => * or \r => \n conversion somewhere.

Cheers,

Marc

Filip Beran
Aug 15, 2023, 12:37:15 PM
to Event-Driven Servers
Hi Marc,
still a similar output without splitting. I'm afraid too that the mentioned conversion is missing somewhere.
Regards,
Filip

Marc Huber
Aug 15, 2023, 1:17:56 PM
to event-driv...@googlegroups.com

Hi Filip,

ok, I did a couple of quick tests with manually setting RARGS to

    "vdom+\"1\"\rvdom+\"2\"\rvdom+\"3\""

which should come pretty close to what

    $V[AV_A_RARGS] = 'vdom+"' . join('"\rvdom+"', @RARGS) . '"';

returns as output.

The result looked pretty well:

packet body (len: 33): \001\003\000\000\000\000\b\b\bvdom*"1"vdom*"2"vdom*"3"
0000 01 03 00 00 00 00 08 08  08 76 64 6f 6d 2a 22 31  ........ .vdom*"1
0010 22 76 64 6f 6d 2a 22 32  22 76 64 6f 6d 2a 22 33  "vdom*"2 "vdom*"3
0020 22                                                "
AUTHOR/REPLY, status=1 (AUTHOR/PASS_ADD)
msg_len=0, data_len=0, arg_cnt=3
msg (len: 0):
data (len: 0):
arg[0] (len: 8): vdom*"1"
arg[1] (len: 8): vdom*"2"
arg[2] (len: 8): vdom*"3"
---<end packet>---

So, how exactly does the hexdump in your test look like with the exact Perl snippet above?

Cheers,

Marc

Filip Beran
Aug 15, 2023, 1:29:54 PM
to Event-Driven Servers
Hi Marc,

unfortunately, on my system it does not work.... (I'm using the x64 Alma Linux v9.2 distribution).

Filling RARGS by the perl script:
$V[AV_A_RARGS] = 'vdom+"' . join('"\rvdom+"', @RARGS) . '"';

RARGS content filled by perl script:
263849:         av_get(RARGS) = vdom+"VDDST01FE01"\rvdom+"VDDST99"

hex output:
263849: 19:22:57.697 1/bda61368: 100.64.27.1 Writing AUTHOR/PASS_REPL size=71
263849: 19:22:57.697 1/bda61368: 100.64.27.1 ---<start packet>---
263849: 19:22:57.697 1/bda61368: 100.64.27.1 key used: MySecurityKey123
263849: 19:22:57.697 1/bda61368: 100.64.27.1 version: 192, type: 2, seq no: 2, flags: unencrypted
263849: 19:22:57.697 1/bda61368: 100.64.27.1 session id: 6813a6bd, data length: 59
263849: 19:22:57.697 1/bda61368: 100.64.27.1 packet body (len: 59): \002\002\000\000\000\000\021"service=fortigatevdom*"VDDST01FE01"\\rvdom+"VDDST99"
263849: 19:22:57.697 1/bda61368: 100.64.27.1 0000 02 02 00 00 00 00 11 22  73 65 72 76 69 63 65 3d  ......." service=
263849: 19:22:57.697 1/bda61368: 100.64.27.1 0010 66 6f 72 74 69 67 61 74  65 76 64 6f 6d 2a 22 56  fortigat evdom*"V
263849: 19:22:57.697 1/bda61368: 100.64.27.1 0020 44 44 53 54 30 31 46 45  30 31 22 5c 72 76 64 6f  DDST01FE 01"\rvdo
263849: 19:22:57.697 1/bda61368: 100.64.27.1 0030 6d 2b 22 56 44 44 53 54  39 39 22                 m+"VDDST 99"
263849: 19:22:57.697 1/bda61368: 100.64.27.1 AUTHOR/REPLY, status=2 (AUTHOR/PASS_REPL)
263849: 19:22:57.697 1/bda61368: 100.64.27.1 msg_len=0, data_len=0, arg_cnt=2
263849: 19:22:57.697 1/bda61368: 100.64.27.1 msg (len: 0):
263849: 19:22:57.697 1/bda61368: 100.64.27.1 data (len: 0):
263849: 19:22:57.697 1/bda61368: 100.64.27.1 arg[0] (len: 17): service=fortigate
263849: 19:22:57.697 1/bda61368: 100.64.27.1 arg[1] (len: 34): vdom*"VDDST01FE01"\\rvdom+"VDDST99"
263849: 19:22:57.697 1/bda61368: 100.64.27.1 ---<end packet>---


Regards,
F.

Marc Huber
Aug 15, 2023, 1:46:59 PM
to event-driv...@googlegroups.com

Hi Filip,

ok, does

$V[AV_A_RARGS] = 'vdom+"' . join("\"\rvdom+\"", @RARGS) . '"';

give a better result?

Cheers,

Marc
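The string building that Marc's snippets in this thread converge on (one vdom+ item per vdom group, values quoted, items joined by a real carriage return rather than the two characters backslash and r) can be checked offline before touching the daemon. The Python below is an added example; it is not part of mavis_tacplus-ng_ldap.pl or tac_plus-ng. The memberOf DNs are constructed after the group DNs Filip posted, the VDOM name allow-list is my own assumption, and the CR separator and the "+" prefix are as Marc describes them above.

```python
import re

# Constructed sample memberOf values, modelled on the group DNs posted in the thread.
SAMPLE_MEMBEROF = [
    "CN=vdom_VDDST01FE01,OU=vdoms,OU=vendor_Fortigate,OU=vFW,OU=APP_NET,"
    "OU=Application_Roles,OU=dscen,DC=fbe-test,DC=local",
    "CN=tacacs_admins,OU=vendor_Fortigate,OU=vFW,OU=APP_NET,"
    "OU=Application_Roles,OU=dscen,DC=fbe-test,DC=local",   # not a vdom group
    "CN=vdom_VDDST99,OU=vdoms,OU=vendor_Fortigate,OU=vFW,OU=APP_NET,"
    "OU=Application_Roles,OU=dscen,DC=fbe-test,DC=local",
]

# Same idea as the Perl snippets: the group CN after "vdom_" is the VDOM name.
VDOM_GROUP_RE = re.compile(r"^cn=vdom_([^,]+),", re.IGNORECASE)

# Assumed allow-list (not from the thread): a group name containing quotes,
# CR or '*' would otherwise be copied verbatim into the reply attribute.
VDOM_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,31}$")


def vdoms_from_memberof(dns):
    """Extract VDOM names from memberOf DNs, sorted like the Perl 'sort @$val'."""
    vdoms = []
    for dn in sorted(dns):
        m = VDOM_GROUP_RE.match(dn)
        if m and VDOM_NAME_RE.match(m.group(1)):
            vdoms.append(m.group(1))
    return vdoms


def build_rargs(vdoms):
    """RARGS as the thread ends up with it: 'vdom+"<name>"' items separated by
    a real CR byte (what Perl produces for "\\r" in double quotes)."""
    return "\r".join('vdom+"%s"' % v for v in vdoms)


def build_rargs_literal_backslash(vdoms):
    """The pitfall seen in the thread: Perl '\\r' in single quotes is the two
    characters backslash and 'r', so the items are never separated."""
    return "\\r".join('vdom+"%s"' % v for v in vdoms)


def count_items(rargs):
    """How many attributes the daemon will see once RARGS is split on CR."""
    return len([item for item in rargs.split("\r") if item])
```

count_items(build_rargs(...)) is 2 for the two sample groups, while the single-quoted variant yields 1 item whose bytes contain 0x5c 0x72, the "\r" pair visible in Filip's hex dump.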

Filip Beran
Aug 15, 2023, 4:31:58 PM
to Event-Driven Servers
Hi Marc,

thanks, now the result is indeed better (splitting is working fine; unfortunately there is still some issue with the conversion, instead of '*' there should be '='):
264107: 22:03:37.061 1/5f8e6dea: 100.64.27.1 Writing AUTHOR/PASS_REPL size=70
264107: 22:03:37.061 1/5f8e6dea: 100.64.27.1 ---<start packet>---
264107: 22:03:37.061 1/5f8e6dea: 100.64.27.1 key used: MySecurityKey123
264107: 22:03:37.061 1/5f8e6dea: 100.64.27.1 version: 192, type: 2, seq no: 2, flags: unencrypted
264107: 22:03:37.061 1/5f8e6dea: 100.64.27.1 session id: ea6d8e5f, data length: 58
264107: 22:03:37.061 1/5f8e6dea: 100.64.27.1 packet body (len: 58): \002\003\000\000\000\000\021\022\016service=fortigatevdom*"VDDST01FE01"vdom*"VDDST99"
264107: 22:03:37.061 1/5f8e6dea: 100.64.27.1 0000 02 03 00 00 00 00 11 12  0e 73 65 72 76 69 63 65  ........ .service
264107: 22:03:37.061 1/5f8e6dea: 100.64.27.1 0010 3d 66 6f 72 74 69 67 61  74 65 76 64 6f 6d 2a 22  =fortiga tevdom*"
264107: 22:03:37.061 1/5f8e6dea: 100.64.27.1 0020 56 44 44 53 54 30 31 46  45 30 31 22 76 64 6f 6d  VDDST01F E01"vdom
264107: 22:03:37.061 1/5f8e6dea: 100.64.27.1 0030 2a 22 56 44 44 53 54 39  39 22                    *"VDDST9 9"
264107: 22:03:37.061 1/5f8e6dea: 100.64.27.1 AUTHOR/REPLY, status=2 (AUTHOR/PASS_REPL)
264107: 22:03:37.061 1/5f8e6dea: 100.64.27.1 msg_len=0, data_len=0, arg_cnt=3
264107: 22:03:37.061 1/5f8e6dea: 100.64.27.1 msg (len: 0):
264107: 22:03:37.061 1/5f8e6dea: 100.64.27.1 data (len: 0):
264107: 22:03:37.061 1/5f8e6dea: 100.64.27.1 arg[0] (len: 17): service=fortigate
264107: 22:03:37.061 1/5f8e6dea: 100.64.27.1 arg[1] (len: 18): vdom*"VDDST01FE01"
264107: 22:03:37.061 1/5f8e6dea: 100.64.27.1 arg[2] (len: 14): vdom*"VDDST99"
264107: 22:03:37.061 1/5f8e6dea: 100.64.27.1 ---<end packet>---


But for real use, it is necessary to be able to split RARGS under profile sections within tac_plus-ng.cfg (ideally in some iterative way to be able to validate/filter the split output).
As I mentioned above, the use of $V[AV_A_VERDICT] = AV_V_BOOL_TRUE causes the whole rest of the settings in tac_plus-ng.cfg to be skipped, going directly to generating the TACACS response packet. But it is necessary to add further important A/V pairs into the TACACS response packet based on group membership for each user. What do you think, would that be possible?

Regards,
Filip
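To see exactly what the Fortigate receives, the packet bodies in the dumps above can be decoded with the authorization REPLY layout from RFC 8907 (status, arg_cnt, server_msg_len, data_len, the argument length table, then server_msg, data and the arguments). The Python below is an added example, not part of tac_plus-ng or its tac_trace.pl. The two bodies are transcribed from Filip's hex dumps (the Aug 15, 10:40 AM reply with the unsplit attribute, and the 4:31 PM reply with one attribute per VDOM); both were logged with flags: unencrypted, so no body de-obfuscation is needed.

```python
import struct

# Transcribed from the hex dumps posted in the thread (packet body only, header stripped).
# Reply with the backslash-n join: arg_cnt=2, the second arg is the whole unsplit RARGS string.
BODY_UNSPLIT = bytes.fromhex(
    "02 02 00 00 00 00 11 22 73 65 72 76 69 63 65 3d"
    "66 6f 72 74 69 67 61 74 65 22 76 64 6f 6d 2a 22"
    "56 44 44 53 54 30 31 46 45 30 31 22 5c 6e 76 64"
    "6f 6d 2b 22 56 44 44 53 54 39 39"
)
# Reply after the double-quoted "\r" join: arg_cnt=3, one vdom attribute per VDOM.
BODY_SPLIT = bytes.fromhex(
    "02 03 00 00 00 00 11 12 0e 73 65 72 76 69 63 65"
    "3d 66 6f 72 74 69 67 61 74 65 76 64 6f 6d 2a 22"
    "56 44 44 53 54 30 31 46 45 30 31 22 76 64 6f 6d"
    "2a 22 56 44 44 53 54 39 39 22"
)

STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR", 0x21: "FOLLOW"}


def parse_author_reply(body):
    """Decode a TACACS+ authorization REPLY body (RFC 8907, section 6.2)."""
    if len(body) < 6:
        raise ValueError("body too short")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    arg_lens = list(body[off:off + arg_cnt])
    if len(arg_lens) != arg_cnt:
        raise ValueError("truncated arg length table")
    off += arg_cnt
    server_msg = body[off:off + msg_len]
    off += msg_len
    data = body[off:off + data_len]
    off += data_len
    args = []
    for n in arg_lens:
        chunk = body[off:off + n]
        if len(chunk) != n:
            raise ValueError("truncated argument")
        args.append(chunk.decode("ascii"))
        off += n
    if off != len(body):
        raise ValueError("%d trailing bytes" % (len(body) - off))
    return {"status": STATUS.get(status, status),
            "server_msg": server_msg.decode("ascii"),
            "data": data, "args": args}


def is_well_formed(body):
    """True when the length fields account for exactly the bytes present."""
    try:
        parse_author_reply(body)
        return True
    except ValueError:
        return False


def split_av(arg):
    """Split one AV pair at its first '=' (mandatory) or '*' (optional)."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], ch, arg[i + 1:]
    raise ValueError("no separator in %r" % arg)


def vdom_values(body):
    """VDOM names granted by a reply: values of attributes whose name is exactly 'vdom'."""
    names = []
    for arg in parse_author_reply(body)["args"]:
        attr, _sep, value = split_av(arg)
        if attr == "vdom":
            names.append(value.strip('"'))
    return names
```

For the unsplit reply the decoder returns two arguments and vdom_values() is empty, because the attribute name as the device sees it is the stray leading quote plus "vdom"; for the split reply it returns the two VDOM names, each carried in its own optional (*) attribute.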