How it works??
47 views
Skip to first unread message
Eveline
May 12, 2025, 11:43:31 AMMay 12
to Event-Driven Servers
Greetings, installed tac_plus-ng on red os 8 operating system. But I don't really understand how to start tacacs itself and if it works at all right away? I also don't understand where the files with settings of tacacs itself are stored?
I found something on the path /usr/local/mavis/sample and there already tac_plus.cfg is it right? Maybe you could give a short instruction, what to do after installation and where to look for the necessary files?
Thanks!
I found something on the path /usr/local/mavis/sample and there already tac_plus.cfg is it right? Maybe you could give a short instruction, what to do after installation and where to look for the necessary files?
Thanks!
Marc Huber
May 13, 2025, 11:02:24 AMMay 13
to event-driv...@googlegroups.com
Hi,
you could use /usr/local/etc/mavis/sample/tac_plus-ng.cfg as a base configuration, copy a modified variant that suits your needs to /usr/local/etc/tac_plus-ng.cfg and then run the daemon manually (tac_plus-ng /usr/local/etc/tac_plus-ng.cfg) or via systems (see tac_plus-ng/extra/tac_plus-ng.service for details).
Cheers,
Marc
On 12.05.2025 17:08, Eveline wrote:
Greetings, installed tac_plus-ng on red os 8 operating system. But I don't really understand how to start tacacs itself and if it works at all right away? I also don't understand where the files with settings of tacacs itself are stored?
I found something on the path /usr/local/mavis/sample and there already tac_plus.cfg is it right? Maybe you could give a short instruction, what to do after installation and where to look for the necessary files?
Thanks! --
You received this message because you are subscribed to the Google Groups "Event-Driven Servers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to event-driven-ser...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/event-driven-servers/a3d262b0-4008-441c-8aa9-97e4059eb54en%40googlegroups.com.
Eveline
May 17, 2025, 10:53:53 AMMay 17
to Event-Driven Servers
Hi Marc! I managed to install and configure basic tac_plus-ng, local accounts work and it's great, but now I have to connect LDAP and use a single account. Here is the configuration for LDAP
!/usr/local/sbin/tac_plus-ng
id = spawnd {
listen = { port = 49 }
spawn = {
instances min = 1
instances max = 10
}
background = yes
}
id = tac_plus-ng {
access log = /var/log/tac_plus-ng/access/%Y%m%d.log
accounting log = /var/log/tac_plus-ng/acct/%Y%m%d.log
# mavis module = groups {
# groups filter = /^(admins|guest|readonly)$/ # these are defined below
# memberof filter = /^CN=tacacs_/ # enforce prefix
# }
mavis module = external {
setenv LDAP_HOSTS = "10.1.50.110:389"
setenv LDAP_BASE = "ou=RTDC,dc=rt-dc,dc=local"
setenv LDAP_USER = "EFROSDO-test"
setenv LDAP_PASSWD = "password"
id = spawnd {
listen = { port = 49 }
spawn = {
instances min = 1
instances max = 10
}
background = yes
}
id = tac_plus-ng {
access log = /var/log/tac_plus-ng/access/%Y%m%d.log
accounting log = /var/log/tac_plus-ng/acct/%Y%m%d.log
# mavis module = groups {
# groups filter = /^(admins|guest|readonly)$/ # these are defined below
# memberof filter = /^CN=tacacs_/ # enforce prefix
# }
mavis module = external {
setenv LDAP_HOSTS = "10.1.50.110:389"
setenv LDAP_BASE = "ou=RTDC,dc=rt-dc,dc=local"
setenv LDAP_USER = "EFROSDO-test"
setenv LDAP_PASSWD = "password"
setenv AD_GROUP_PREFIX = "ALL_GG_KSPD_"
#
# Filtering the memberOf results is highly recommended, e.g.:
# setenv LDAP_MEMBEROF_REG>EX = "^cn=tacacs_([^,]+),.*"
#
# Also, recursive memberOf lookups can be limited. Example:
# setenv LDAP_NESTED_GROUP_DEPTH = 3
#
# See the comments at the start of
exec = /usr/local/lib/mavis/mavis_tacplus-ng_ldap.pl
# for further environment variables.
#
}
login backend = mavis
user backend = mavis
pap backend = mavis
device any {
address = 10.0.0.0/8
welcome banner = "Welcome\n"
enable 15 = clear secret
key = key
}
profile admins {
script {
if (service == shell) {
if (cmd == "")
set priv-lvl = 15
permit
}
}
}
profile guest {
enable = deny
script {
if (service == shell) {
if (cmd == "")
set priv-lvl = 1
permit
}
}
}
group admins
group guest
user test{
password login = clear test
member = admins
}
user = readonly {
password login = clear readonly
member = guest
}
ruleset {
rule {
script {
if (memberof =~ /^CN=ALL_GG_KSPD_Network_Group,/) { profile = admins permit }
if (member == admins ) { profile = admins permit }
}
}
rule {
script {
if (member == guest) { profile = guest permit }
}
}
}
}
#
# Filtering the memberOf results is highly recommended, e.g.:
# setenv LDAP_MEMBEROF_REG>EX = "^cn=tacacs_([^,]+),.*"
#
# Also, recursive memberOf lookups can be limited. Example:
# setenv LDAP_NESTED_GROUP_DEPTH = 3
#
# See the comments at the start of
exec = /usr/local/lib/mavis/mavis_tacplus-ng_ldap.pl
# for further environment variables.
#
}
login backend = mavis
user backend = mavis
pap backend = mavis
device any {
address = 10.0.0.0/8
welcome banner = "Welcome\n"
enable 15 = clear secret
key = key
}
profile admins {
script {
if (service == shell) {
if (cmd == "")
set priv-lvl = 15
permit
}
}
}
profile guest {
enable = deny
script {
if (service == shell) {
if (cmd == "")
set priv-lvl = 1
permit
}
}
}
group admins
group guest
user test{
password login = clear test
member = admins
}
user = readonly {
password login = clear readonly
member = guest
}
ruleset {
rule {
script {
if (memberof =~ /^CN=ALL_GG_KSPD_Network_Group,/) { profile = admins permit }
if (member == admins ) { profile = admins permit }
}
}
rule {
script {
if (member == guest) { profile = guest permit }
}
}
}
}
When I do a check /usr/local/lib/mavis/mavis_tacplus_ldap.pl < /dev/null
I get an error that LDAP hosts not defined
Then when I do /usr/local/bin/mavistest -d -1 /usr/local/etc/tac_plus-ng.cfg tac_plus-ng TACPLUS someusername , everything is fine, it sends ACK. It sees all groups, etc. Trying to connect to the equipment from AD account. Then I see in journalctl such logs ....
authen: hdr->seq_no:1
user lookup failed (local user i guess)
authen: hdr->seq_no:3
looking for user user realm default
user lookup failed
looking for user user in MAVIS backend
result for user user is ACK
looking for user user realm default
user lookup succeded
shell login for user from 10.0.0.10 on shh0 denied by ACL
I get an error that LDAP hosts not defined
Then when I do /usr/local/bin/mavistest -d -1 /usr/local/etc/tac_plus-ng.cfg tac_plus-ng TACPLUS someusername , everything is fine, it sends ACK. It sees all groups, etc. Trying to connect to the equipment from AD account. Then I see in journalctl such logs ....
authen: hdr->seq_no:1
user lookup failed (local user i guess)
authen: hdr->seq_no:3
looking for user user realm default
user lookup failed
looking for user user in MAVIS backend
result for user user is ACK
looking for user user realm default
user lookup succeded
shell login for user from 10.0.0.10 on shh0 denied by ACL
What am I doing wrong?
And one more question, how to run tactrace correctly?
And one more question, how to run tactrace correctly?
Thanks!
вторник, 13 мая 2025 г. в 18:02:24 UTC+3, Marc Huber:
Marc Huber
May 18, 2025, 8:56:49 AMMay 18
to event-driv...@googlegroups.com
Hi,
On 17.05.2025 16:53, Eveline wrote:
setenv LDAP_USER = "EFROSDO-test"
LDAP_USER like needs to be a DN. For AD, user@domain should work.
As mentioned before, setting suitable
environment variables for mavis_tacplus_ldap.pl is mandatory, so
testing is best done using a trivial chain of
printf "0 TACPLUS\n4 $USER\n8 $PASS\n49
AUTH\n=\n" | env LDAP_HOSTS="..." LDAP_BASE="..." ...
mavis_tacplus_ldap.pl
I think I've already answered the
tactrace.pl question in my previous mail.
Cheers,
Marc
Reply all
Reply to author
Forward
0 new messages