Issues with Authentication


Javo Mora

Mar 16, 2026, 12:21:03 PM (12 days ago) Mar 16
to event-driv...@googlegroups.com
Hi

I would like some help with something going on with our deployment.

Everything was working fine until last week.

Users are not authenticated. The authentication flow goes like this:
DEVICE --> tac_plus-NG --> RADIUS (NPS)

When the user is local, it gets authenticated with no issues. But if it's a RADIUS user, it doesn't work.

LOG
1497172: 12:17:30.654 2/00000000: 10.241.240.1 connection request from 10.241.240.1 (realm: default)
1497172: 12:17:30.654 2/528c4531: 10.241.240.1 New tacacs session
1497172: 12:17:30.654 2/528c4531: 10.241.240.1 ---<start packet>---
1497172: 12:17:30.654 2/528c4531: 10.241.240.1 key used: <secret>
1497172: 12:17:30.654 2/528c4531: 10.241.240.1 version: 193, type: 1, seq no: 1, flags: unencrypted
1497172: 12:17:30.654 2/528c4531: 10.241.240.1 session id: 528c4531, data length: 48
1497172: 12:17:30.654 2/528c4531: 10.241.240.1 packet body [partially masked] (len: 12):
1497172: 12:17:30.654 2/528c4531: 10.241.240.1 0000 01 00 02 01 0e 00 0e 0c  6a 61 76 69 65 72 2e 6d  ........ javier.m
1497172: 12:17:30.654 2/528c4531: 10.241.240.1 0010 6f 72 61 6c 65 73 32 30  37 2e 32 30 34 2e 31 35  orales20 7.204.15
1497172: 12:17:30.654 2/528c4531: 10.241.240.1 0020 38 2e 33 38 2a 2a 2a 2a  2a 2a 2a 2a 2a 2a 2a 2a  8.38**** ********
1497172: 12:17:30.654 2/528c4531: 10.241.240.1 AUTHEN/START, priv_lvl=0
1497172: 12:17:30.654 2/528c4531: 10.241.240.1 action=login (1)
1497172: 12:17:30.654 2/528c4531: 10.241.240.1 authen_type=pap (2)
1497172: 12:17:30.654 2/528c4531: 10.241.240.1 service=login (1)
1497172: 12:17:30.654 2/528c4531: 10.241.240.1 user_len=14 port_len=0 rem_addr_len=14
1497172: 12:17:30.654 2/528c4531: 10.241.240.1 data_len=12
1497172: 12:17:30.654 2/528c4531: 10.241.240.1 user (len: 14): javier.morales
1497172: 12:17:30.654 2/528c4531: 10.241.240.1 port (len: 0):
1497172: 12:17:30.654 2/528c4531: 10.241.240.1 rem_addr (len: 14): 207.204.158.38
1497172: 12:17:30.654 2/528c4531: 10.241.240.1 ---<end packet>---
1497172: 12:17:30.654 2/528c4531: 10.241.240.1 authen: hdr->seq_no: 1
1497172: 12:17:30.654 2/528c4531: 10.241.240.1 looking for user javier.morales realm default
1497172: 12:17:30.654 2/528c4531: 10.241.240.1 user lookup failed
1497172: 12:17:30.654 2/528c4531: 10.241.240.1 evaluating ACL __internal__username_acl__
1497172: 12:17:30.654 2/528c4531: 10.241.240.1  regex: '[]<>/()|=[*"':$]+' <=> 'javier.morales' = 0
1497172: 12:17:30.654 2/528c4531: 10.241.240.1  line 513: [user] regex '[]<>/()|=[*"':$]+' => false
1497172: 12:17:30.654 2/528c4531: 10.241.240.1  line 513: [permit]
1497172: 12:17:30.654 2/528c4531: 10.241.240.1 ACL __internal__username_acl__: match
1497172: 12:17:30.654 2/528c4531: 10.241.240.1 looking for user javier.morales in MAVIS backend
1497172: 12:17:30.654 2/528c4531: 10.241.240.1 >>> sent user av pairs:
1497172: 12:17:30.654 2/528c4531: 10.241.240.1 USER (len: 14): javier.morales
1497172: 12:17:30.654 2/528c4531: 10.241.240.1 SERVERIP (len: 12): 10.241.240.1
1497172: 12:17:30.654 2/528c4531: 10.241.240.1 IPADDR (len: 14): 207.204.158.38
1497172: 12:17:30.654 2/528c4531: 10.241.240.1 REALM (len: 7): default
1497172: 12:17:38.419 2/528c4531: 10.241.240.1 <<< received user av pairs:
1497172: 12:17:38.419 2/528c4531: 10.241.240.1 USER (len: 14): javier.morales
1497172: 12:17:38.419 2/528c4531: 10.241.240.1 TACMEMBER (len: 18): NetworkAdmins,\664\774\t\647
1497172: 12:17:38.419 2/528c4531: 10.241.240.1 SERVERIP (len: 12): 10.241.240.1
1497172: 12:17:38.419 2/528c4531: 10.241.240.1 IPADDR (len: 14): 207.204.158.38
1497172: 12:17:38.419 2/528c4531: 10.241.240.1 REALM (len: 7): default
1497172: 12:17:38.419 2/528c4531: 10.241.240.1 IDENTITY_SOURCE (len: 1): 0
1497172: 12:17:38.419 0/00000000: - creating user javier.morales in realm default
1497172: file=javier.morales line=1 sym=[{] buf='{'
1497172: file=javier.morales line=1 sym=[member] buf='member'
1497172: file=javier.morales line=1 sym=[=] buf='='
1497172: file=javier.morales line=1 sym=[<string>] buf='NetworkAdmins'
1497172: file=javier.morales line=1 sym=[,] buf=','
1497172: file=javier.morales line=1 sym=[<string>] buf='1;0m'
{ member = NetworkAdmins,
javier.morales:1: Group 'not found.
1497172: javier.morales:1: Group 'not found.
1497172: file=javier.morales line=1 sym=[<string>] buf=';0m'
{ member = NetworkAdmins,
javier.morales:1: Expected 'alias', 'debug', 'enable', 'fallback-only', 'hushlogin', 'member', 'message', 'net', 'password', 'profile', 'rewritten-only', 'ssh-key', 'ssh-key-id', 'tag', 'time', 'user.tag' or 'valid', but got '1497172: javier.morales:1: Expected 'alias', 'debug', 'enable', 'fallback-only', 'hushlogin', 'member', 'message', 'net', 'password', 'profile', 'rewritten-only', 'ssh-key', 'ssh-key-id', 'tag', 'time', 'user.tag' or 'valid', but got '


CONFIG
root@POLI-TACACS1:/etc/tac_plus# cat radius-ad-mfa.cfg
#!/usr/bin/env -S /usr/local/bin/tactrace.pl --user demo --conf
# initial process and network config
id = spawnd {
        background = no
        listen { port = 49 }
        listen { port = 4950 tls = yes}
        spawn {
                instances min = 1
                instances max = 32
        }
}

#create a context
id = tac_plus-ng {
    #log configuration
    log authzlog { destination = /var/log/tac_plus/access_%Y-%m-%d.log }
    log authclog { destination = /var/log/tac_plus/auth_%Y-%m-%d.log }
    log acctlog  { destination = /var/log/tac_plus/acct_%Y-%m-%d.log }
    #accounting log = acctlog
    #authentication log = authclog
    #authorization log = authzlog
    #retire limit = 1000
    debug = ALL

        log mysyslog

        access log = mysyslog
        access log  = authclog
        authentication log = authclog
        authorization log = authzlog
        accounting log = mysyslog
        accounting log = acctlog

        tls cert-file = /etc/cert/poli-tacacs01.pem
        tls key-file = /etc/cert/poli-tacacs01.key
        tls ca-file = /etc/cert/ca.pem
        tls passphrase = "<secret>"
   
    # Network Clients
        include = /etc/tac_plus/clients/*.cfg

    # GROUPS
        group admins
        group NetworkAdmins
        group NetworkOperators
        group guest


    #profiles
        profile admin {
                script {
                        if (service == shell) {
                            if (cmd == "")
                                set priv-lvl = 15
                                permit
                        }
                        if (service == fortigate) {
                                set vdom = "root"
                                set admin_prof = "super_admin"
                                set memberof = "tacacs"
                                permit
                        }
                }
        }
        profile netop {
                script{
                        if (service == fortigate ) {
                                set vdom = "root"
                                set memberof = "tacacs"
                                set admin_prof = "fw-operator"
                                permit
                        }
                        if (service == shell) {
                            if (cmd == "")
                                set priv-lvl = 15
                                permit
                        }
                }
        }
        profile netopcx {
                script{
                        if (service == shell ) {
                            if (cmd == "")
                                set Aruba-Admin-Role = "netop"
                                permit
                        }
                }      
        }


#local users
        include = /etc/tac_plus/users/*.cfg


mavis module = external {
    exec = /usr/local/sbin/radmavis "radmavis" "group_attribute=Class" "authserver=10.226.4.9:1812:q1w2e3r4t5y6"
}

login backend =mavis
user backend =mavis
pap backend =mavis

# Ruleset to authorize users
        ruleset {
                rule network_admins {
                        enabled = yes
                        script {
                                if (member == NetworkAdmins ) { profile = admin permit }
                        }
                }
                rule network_operators {
                        enabled = yes
                        script {
                                if (member == NetworkOperators && host == AurubaCX ) {profile = netopcx permit}
                                if (member == NetworkOperators ) {profile = netop permit}
                        }
                }
        }
}

Marc Huber

Mar 16, 2026, 2:19:14 PM (12 days ago) Mar 16
to event-driv...@googlegroups.com
Hi,

On 16.03.2026 17:20, Javo Mora wrote:
> 1497172: 12:17:38.419 2/528c4531: 10.241.240.1 TACMEMBER (len: 18):
> NetworkAdmins,\664\774\t\647

this looks weird. Could you check with wireshark/tcpdump what Class
attribute your RADIUS server actually returns?

As a temporary workaround you could modify radmavis.c to quote the members:

diff --git a/mavis/radmavis.c b/mavis/radmavis.c
index d004762..f03081f 100644
--- a/mavis/radmavis.c
+++ b/mavis/radmavis.c
@@ -203,7 +203,7 @@ int main(int argc, char **argv)
                                    printf("%d ", AV_A_TACMEMBER);
                                else
                                    printf(",");
-                               printf("%s", r->strvalue);
+                               printf("\"%s\"", r->strvalue);
                                mc++;
                            }
                        }
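Review bot: the quoting added at `+ printf("\"%s\"", r->strvalue);` lets the config lexer consume the member as one string token, but it does not escape a `"` or `\` occurring inside `r->strvalue`, so a Class value containing either character would still end the quoted token early and break the generated user stanza; consider escaping those two characters before printing, or skipping values that contain non-printable bytes such as the `\664\774\t\647` attribute shown in the log, which would address the malformed-attribute case the message itself says this change does not fix.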


This won't fix the issue of the malformed TACMEMBER attribute, but it
should allow the daemon to skip it.

(Already pushed in 92da09d821ee63709f58f972880215c5877d2062).

Cheers,

Marc
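The workaround above quotes every RADIUS Class value before it is written into the generated user stanza, so a garbage value becomes one string token instead of a stream of unexpected symbols. The following is an added example, not code from radmavis or tac_plus-ng, showing the same idea in Python together with a stricter variant that rejects values which do not look like group names at all. The sample Class values are constructed (the bytes of the second one are an assumption; the log only shows it as `\664\774\t\647` and `1;0m`), the character set used to judge group names is borrowed from the `__internal__username_acl__` regex in the log rather than anything the daemon applies to groups, and the `\xNN` escape form is illustrative rather than the daemon's own quoting syntax.

```python
import re

# Constructed stand-ins for the two Class (25) attributes the RADIUS server
# returned: a real group name and a second value full of control bytes.
# The exact bytes of the second value are an assumption.
SAMPLE_CLASS_VALUES = [b"NetworkAdmins", b"\x1b[1;0m"]

# Metacharacters taken from the daemon's username ACL in the log
# ("regex: '[]<>/()|=[*\"':$]+'"); reusing them for group names is an
# assumption made for this example, not tac_plus-ng behaviour.
_FORBIDDEN = re.compile(r"[]<>/()|=[*\"':$]+")


def is_sane_group_name(raw: bytes) -> bool:
    """True when a Class value is non-empty, printable ASCII and free of config metacharacters."""
    if not raw or not all(0x20 <= b < 0x7F for b in raw):
        return False
    return _FORBIDDEN.search(raw.decode("ascii")) is None


def quote_member(raw: bytes) -> str:
    """Render one Class value as a double-quoted token.

    Backslash and double quote are escaped so they cannot terminate the
    token early; every other non-printable byte is written as \\xNN.
    """
    out = []
    for b in raw:
        c = chr(b)
        if c in ('\\', '"'):
            out.append("\\" + c)
        elif 0x20 <= b < 0x7F:
            out.append(c)
        else:
            out.append(f"\\x{b:02x}")
    return '"' + "".join(out) + '"'


def build_tacmember(values, strict=True):
    """Build the comma-separated TACMEMBER value from a list of Class values.

    strict=True drops values that fail is_sane_group_name and returns them
    separately so they can be logged; strict=False quotes everything, which
    mirrors the quoting workaround from the thread.
    """
    kept, rejected = [], []
    for v in values:
        if strict and not is_sane_group_name(v):
            rejected.append(v)
        else:
            kept.append(quote_member(v))
    return ",".join(kept), rejected


if __name__ == "__main__":
    value, dropped = build_tacmember(SAMPLE_CLASS_VALUES)
    print("TACMEMBER", value)
    for d in dropped:
        # Defender's view: the rejected attribute is the signal worth logging.
        print("rejected Class value:", d)
    print("quoted only:", build_tacmember(SAMPLE_CLASS_VALUES, strict=False)[0])
```

Run stand-alone it prints a TACMEMBER value containing only the quoted `NetworkAdmins` group and reports the rejected attribute; with `strict=False` both values are emitted quoted, which is the behaviour that lets a parser skip the unknown group instead of failing on stray symbols.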

Javo Mora

Mar 16, 2026, 4:38:09 PM (11 days ago) Mar 16
to event-driv...@googlegroups.com
Hi

The RADIUS server was responding with sets of Class (25) attributes. One has the group name for the TACACS; the other I don't know what it is.

