Hello,
Actually, I tried to use the dns commands to possibly filter devices via an ACL based on part of the FQDN; unfortunately, I hit a few issues:
1) Using the command "dns reverse-lookup = yes", the authentication process does not finish successfully :-(
Please see the attachments: tac_plus-ng.cfg, debug_output.
Although you can see in the attached debug output a successful authentication, where the last TACACS response message with the A/V pair "shell:domains=all/admin/" is included, this last TACACS message is never sent from the NIC of the TACACS server. It seems that the TACACS daemon generates the last message only at the application layer, but this message is not passed to the TCP/IP stack. Really strange behaviour. Of course, I validated the IP traffic on the NIC with tcpdump, and this last TACACS response message is really missing.
2) Instead of cmd 1), using the undocumented command syntax "dns reverse-lookup nas yes" leads to a successful authentication ("nas-name" in the ACL works fine).
Please, would it be possible to update the documentation for tac_plus-ng? Actually, there are probably more inconsistencies :-(
Thank you.
Regards,
Filip
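The check described in the mail above (confirming with a capture that the daemon's last reply never reached the wire) can be done mechanically on the TACACS+ headers, since RFC 8907 obfuscates only the packet body and leaves the 12-byte header in the clear. The following is an added example, not code from the mail or from tac_plus-ng: it assumes the raw TCP payload of one TACACS+ connection has already been extracted from the capture with both directions merged in order (for example via tcpdump/tshark), parses each header, verifies the seq_no sequence, and reports sessions whose last packet is a client request. The session IDs and packet bodies below are constructed dummy data.

```python
"""Find TACACS+ requests that never received a reply on the wire.

Added example, not part of the original mail or of tac_plus-ng. Assumes
`payload` is the concatenated TCP payload of one TACACS+ connection with
both directions merged in order. Only the 12-byte header (RFC 8907 4.1) is
parsed; the body is opaque here, so body obfuscation does not matter.
"""
import struct

HDR_FMT = "!BBBBII"  # version, type, seq_no, flags, session_id, length (big-endian)
HDR_LEN = struct.calcsize(HDR_FMT)  # 12 bytes
TYPE_NAMES = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}


def build_packet(ptype, seq_no, session_id, body, version=0xC0, flags=0):
    """Build one TACACS+ packet (cleartext header + opaque body) for the sample stream."""
    return struct.pack(HDR_FMT, version, ptype, seq_no, flags, session_id, len(body)) + body


def parse_stream(payload):
    """Split a concatenated TACACS+ byte stream into a list of header dicts.

    Raises ValueError on a truncated packet, which in a real capture means the
    stream (or the capture) was cut off mid-packet.
    """
    packets = []
    off = 0
    while off < len(payload):
        if len(payload) - off < HDR_LEN:
            raise ValueError(f"truncated header at offset {off}")
        version, ptype, seq_no, flags, session_id, length = struct.unpack_from(HDR_FMT, payload, off)
        if len(payload) - off - HDR_LEN < length:
            raise ValueError(f"truncated body for session {session_id:#x} seq {seq_no}")
        packets.append({
            "type": TYPE_NAMES.get(ptype, f"UNKNOWN({ptype})"),
            "seq_no": seq_no,
            "session_id": session_id,
            "length": length,
        })
        off += HDR_LEN + length
    return packets


def find_unanswered(packets):
    """Return {session_id: last_seq_no} for sessions whose last packet is a client request.

    RFC 8907 4.1: seq_no starts at 1, the client sends odd numbers and the
    server even ones, each packet incrementing by one. A session that ends on
    an odd seq_no had a request the server never answered on the wire, which
    is exactly the symptom of a reply generated but never sent.
    """
    last_seq = {}
    for p in packets:
        sid = p["session_id"]
        expected = last_seq.get(sid, 0) + 1
        if p["seq_no"] != expected:
            raise ValueError(f"session {sid:#x}: seq {p['seq_no']} but expected {expected}")
        last_seq[sid] = p["seq_no"]
    return {sid: seq for sid, seq in last_seq.items() if seq % 2 == 1}


# Constructed sample stream (dummy session IDs and bodies):
#  - authentication session 0x11111111: START, GETPASS, CONTINUE, PASS (complete)
#  - authorization session 0x22222222: REQUEST only, the REPLY is missing
SAMPLE_STREAM = (
    build_packet(1, 1, 0x11111111, b"\x00" * 16)   # client  AUTHEN START
    + build_packet(1, 2, 0x11111111, b"\x00" * 8)  # server  AUTHEN REPLY (GETPASS)
    + build_packet(1, 3, 0x11111111, b"\x00" * 12) # client  AUTHEN CONTINUE
    + build_packet(1, 4, 0x11111111, b"\x00" * 8)  # server  AUTHEN REPLY (PASS)
    + build_packet(2, 1, 0x22222222, b"\x00" * 32) # client  AUTHOR REQUEST, no REPLY follows
)

if __name__ == "__main__":
    for sid, seq in find_unanswered(parse_stream(SAMPLE_STREAM)).items():
        print(f"session {sid:#x}: last packet is client seq {seq}, server reply missing")
```

Feeding it a real payload only needs the merged TCP stream of the tac_plus-ng connection; a session reported here with an odd last seq_no is one where the daemon's reply never left the host, which is the discrepancy between the debug log and tcpdump that the mail describes.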