Re: Custom Access Requirement for Specific Device in tacplus_ng Setup
80 views
Skip to first unread message
Message has been deleted
Message has been deleted
Marc Huber
Jul 7, 2025, 11:02:56 AMJul 7
to event-driv...@googlegroups.com
Hi,
you can check for the device address and assign your readwrite
profile accordingly:
if (member == RO) {
if (device.address == 192.168.1.1)
profile = readwrite
else
profile = readonly
permit
}
Cheers,
Marc
On 07.07.2025 13:47, Sujith S wrote:
We are currently using tacplus_ng integrated with Active Directory, and everything is working well. We have two AD groups:
RW (ReadWrite)
RO (ReadOnly)
These are mapped to two corresponding profiles:
readwrite
readonly
Our current setup enforces access based on group membership as expected. However, we now have a new requirement:
If a user belongs to the RO group and tries to access the device at 192.168.1.1, they should be granted readwrite access instead of readonly.
Could you please advise how we can implement this exception in tacplus_ng? Is there a way to override the default group-to-profile mapping for a specific device? --
You received this message because you are subscribed to the Google Groups "Event-Driven Servers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to event-driven-ser...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/event-driven-servers/6496f474-9a62-4666-b952-6da06eb8107dn%40googlegroups.com.
Message has been deleted
Message has been deleted
Marc Huber
Jul 8, 2025, 10:26:21 AMJul 8
to event-driv...@googlegroups.com
Hi,
I've no detail knowledge of FortiGate authentication. I'd likely
start with trying to debug this on the FortiGate first, I think
I've seen a pretty comprehensive TechTip on that on the FortiNet
site some time ago.
Cheers,
Marc
On 08.07.2025 15:10, Sujith S wrote:
Hi Marc
below is my config cisco devices is working fine for cisco and paloalto devices
But facing issue with Fortigate
readonly users are getting only readonly access. But readwrite group members not getting readwrite access. Please help me to fix this
ruleset {
rule {
script {
# For RW group (common to FortiGate and Cisco)
if (memberof =~ /(?i)^cn=Networkinginfrastructure-RW,ou=static groups/) {
if (device.address == "172.17.12.158") {
# FortiGate
set memberof = "ADMIN-RW"
set admin_prof = "rw_admin"
}
profile = netadmin
permit
# For RO group on FortiGate
} else if (memberof =~ /(?i)^cn=Networkinginfrastructure-RO-SG,ou=static groups/) {
if (device.address == "172.17.12.158") {
set memberof = "ADMIN-RO"
set admin_prof = "soc_admin_readonly"
}
profile = readonly
permit
} else {
deny
}
}
}
}
}
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158 evaluating ACL __internal__username_acl__
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158 regex: '[]<>/()|=[*"':$]+' <=> 'sujith.sudhakaran1' = 0
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158 line 502: [user] regex '[]<>/()|=[*"':$]+' => false
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158 line 502: [permit]
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158 ACL __internal__username_acl__: match
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158 looking for user sujith.sudhakaran1 in MAVIS backend
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158 result for user sujith.sudhakaran1 is ACK [32 ms]
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158 looking for user sujith.sudhakaran1 realm default
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158 user lookup succeded
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158 evaluating ACL default#0
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158 pcre2: '(?i)^cn=Networkinginfrastructure-RW,ou=static groups' <=> 'CN=Networkinginfrastructure-RW,OU=Static Groups,OU=Domain Groups,DC=envestnetpmc,DC=net' = 1
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158 line 112: [memberof] <pcre-regex> '(?i)^cn=Networkinginfrastructure-RW,ou=static groups' => true
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158 line 113: [nas] address '172.17.12.158' => true
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158 line 115: [set] 'memberof=ADMIN-RW'
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158 line 116: [set] 'admin_prof=rw_admin'
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158 line 118: [profile] 'netadmin'
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158 line 119: [permit]
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158 ACL default#0: match
To view this discussion visit https://groups.google.com/d/msgid/event-driven-servers/cac0e9b4-bbab-4fd6-be5a-6ea7042e66d3n%40googlegroups.com.
Message has been deleted
Message has been deleted
Marc Huber
Jul 8, 2025, 12:22:45 PMJul 8
to event-driv...@googlegroups.com
Hi,
your debug output shows an authentication request, but authorization
attributes (and I'd rather set those at at profile level, but not in the
rule set) will show up in authorization packets only. Please
double-check your debug output for authorization packets. Authorization
should happen just after authentication.
Cheers,
Marc
On 08.07.2025 16:44, Sujith S wrote:
> Hi Marc,
>
> Please refer this detailed article for fortigate configuration
> https://sharifulhoque.blogspot.com/2019/09/fortigate-using-radius-server-windows_4.html
>
> Currently, we are using Cisco ISE, and it's working fine with most
> devices.
>
> In Active Directory (AD), we have two user groups:
>
> Networkinginfrastructure-RW
>
> Networkinginfrastructure-RO
>
> Expected Behavior:
>
> Members of Networkinginfrastructure-RW should receive full admin access.
>
> Members of Networkinginfrastructure-RO should receive read-only access.
>
> Issue:
> This configuration is working as expected for Cisco and Palo Alto devices.
> However, on the FortiGate, members of the Networkinginfrastructure-RW
> group are incorrectly getting read-only access instead of full admin.
>
> Below is the ruleset configuration I am using. I suspect the issue
> might lie here. Could you please review and confirm?
> Readonly user Girish
>
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 looking for user Girish.Kumar in MAVIS backend
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 result for user Girish.Kumar is ACK [18 ms]
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 looking for user Girish.Kumar realm default
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 user lookup succeded
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 evaluating ACL default#0
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 pcre2: '(?i)^cn=Networkinginfrastructure-RW,ou=static
> groups' <=> 'CN=NetworkingInfrastructure-RO-SG,OU=Static
> Groups,OU=Domain Groups,DC=estnetpmc,DC=net' = 0
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 line 112: [else]
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 pcre2:
> '(?i)^cn=Networkinginfrastructure-RO-SG,ou=static groups' <=>
> 'CN=NetworkingInfrastructure-RO-SG,OU=Static Groups,OU=Domain
> Groups,DC=estnetpmc,DC=net' = 1
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 line 122: [memberof] <pcre-regex>
> '(?i)^cn=Networkinginfrastructure-RO-SG,ou=static groups' => true
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 line 123: [nas] address '172.17.12.158' => true
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 line 124: [set] 'memberof=ADMIN-RO'
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 line 125: [set] 'admin_prof=soc_admin_readonly'
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 line 127: [profile] 'readonly'
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 line 128: [permit]
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 ACL default#0: match
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 Girish.Kumar 172.16.100.102: ACL default#0: permit
> (profile: readonly)
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 pap login for 'Girish.Kumar' from 172.16.100.102
> succeeded (profile=readonly)
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 Writing AUTHEN/PASS size=18
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 ---<start packet>---
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 key used: Mykey
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 version: 193, type: 1, seq no: 2, flags: unencrypted
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 session id: 43177bd5, data length: 6
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 AUTHEN, status=1 (AUTHEN/PASS) flags=0x0
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 msg_len=0, data_len=0
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 msg (len: 0):
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 data (len: 0):
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 ---<end packet>---
>
>
>
> Readwrite user sujith.sudhakaran1
>
> handle_req-Rcvd auth req 152767791 for sujith.sudhakaran1 in ADMIN-RO
> opt=0001c001 prot=11
> [489] __compose_group_list_from_req-Group 'ADMIN-RO', type 1
> [616] fnbamd_pop3_start-sujith.sudhakaran1
> [378] radius_start-Didn't find radius servers (0)
> [1235] __tac_plus_try_next_server-Try CHI-ISE:10.152.10.51
> [361] __tac_plus_dns_cb-Resolved CHI-ISE:10.152.10.51 to 10.152.10.51,
> cur stack size:1
> [281] sock_connect-connecting CHI-ISE:10.152.10.51: 10.152.10.51
> [1235] __tac_plus_try_next_server-Try TEST:172.17.12.204
> [361] __tac_plus_dns_cb-Resolved TEST:172.17.12.204 to 172.17.12.204,
> cur stack size:1
> [281] sock_connect-connecting TEST:172.17.12.204: 172.17.12.204
> [497] ldap_start-Didn't find ldap servers
> [480] fnbamd_cfg_get_ext_idp_list-
> [454] __fnbamd_cfg_get_ext_idp_list_by_group-
> [460] __fnbamd_cfg_get_ext_idp_list_by_group-Group 'ADMIN-RO'
> [490] fnbamd_cfg_get_ext_idp_list-Total external identity provider
> servers to try: 0
> [652] create_auth_session-Total 2 server(s) to try
> [1980] handle_req-r=4
> [393] is_sock_connected-tcp connected
> [500] build_authen_start-building authen start packet: authen_type=2(pap)
> [803] tac_plus_result-Authen sending request
> [408] pak_send-Encrypting pkt
> [1231] fsm_tac_plus_update_result-Continue pending for req 152767791
> [813] tac_plus_result-Authen receiving reply
> [465] pak_recv-read all header, data len 6
> [1231] fsm_tac_plus_update_result-Continue pending for req 152767791
> [813] tac_plus_result-Authen receiving reply
> [560] parse_authen_reply-authen result=1(pass)
> [1623] fnbam_user_auth_group_match-req id: 152767791, server: TEST,
> local auth: 0, dn match: 0
> [292] find_matched_usr_grps-Passed group matching
> [209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req
> 152767791, len=2540
> [808] destroy_auth_session-delete session 152767791
> [1244] tac_plus_destroy-CHI-ISE
> [1244] tac_plus_destroy-TEST
> [1086] fnbamd_ext_idps_destroy-
> [208] __fnbamd_remote_ca_refresh-
> [2507] handle_req-Rcvd auth_cert req id=152767792, len=1599, opt=8
> [983] __cert_auth_ctx_init-req_id=152767792, opt=8
> [992] __cert_auth_ctx_init-OCSP resp is found.
> [103] __cert_chg_st- 'Init'
>
your debug output shows an authentication request, but authorization
attributes (and I'd rather set those at at profile level, but not in the
rule set) will show up in authorization packets only. Please
double-check your debug output for authorization packets. Authorization
should happen just after authentication.
Cheers,
Marc
On 08.07.2025 16:44, Sujith S wrote:
> Hi Marc,
>
> Please refer this detailed article for fortigate configuration
> https://sharifulhoque.blogspot.com/2019/09/fortigate-using-radius-server-windows_4.html
>
> Currently, we are using Cisco ISE, and it's working fine with most
> devices.
>
> In Active Directory (AD), we have two user groups:
>
> Networkinginfrastructure-RW
>
> Networkinginfrastructure-RO
>
> Expected Behavior:
>
> Members of Networkinginfrastructure-RW should receive full admin access.
>
> Members of Networkinginfrastructure-RO should receive read-only access.
>
> Issue:
> This configuration is working as expected for Cisco and Palo Alto devices.
> However, on the FortiGate, members of the Networkinginfrastructure-RW
> group are incorrectly getting read-only access instead of full admin.
>
> Below is the ruleset configuration I am using. I suspect the issue
> might lie here. Could you please review and confirm?
>
> ruleset {
> rule {
> script {
> # For RW group (common to FortiGate and Cisco)
> if (service == fortigate){
> ruleset {
> rule {
> script {
> # For RW group (common to FortiGate and Cisco)
>
> if (memberof =~
> /(?i)^cn=Networkinginfrastructure-RW,ou=static groups/) {
> if (device.address == "172.17.12.158") {
> # FortiGate
> set memberof = "ADMIN-RW"
> set admin_prof = "env_rw_admin"
> if (memberof =~
> /(?i)^cn=Networkinginfrastructure-RW,ou=static groups/) {
> if (device.address == "172.17.12.158") {
> # FortiGate
> set memberof = "ADMIN-RW"
>
> }
> profile = netadmin
> permit
>
> # For RO group on FortiGate
> } else if (memberof =~
> /(?i)^cn=Networkinginfrastructure-RO-SG,ou=static groups/) {
> if (device.address == "172.17.12.158") {
> set memberof = "ADMIN-RO"
> set admin_prof = "soc_admin_readonly"
> }
> profile = readonly
> permit
>
> } else {
> deny
> }
> }
> }
> }
> }
>
> Logs
> }
> profile = netadmin
> permit
>
> # For RO group on FortiGate
> } else if (memberof =~
> /(?i)^cn=Networkinginfrastructure-RO-SG,ou=static groups/) {
> if (device.address == "172.17.12.158") {
> set memberof = "ADMIN-RO"
> set admin_prof = "soc_admin_readonly"
> }
> profile = readonly
> permit
>
> } else {
> deny
> }
> }
> }
> }
> }
>
> Readonly user Girish
>
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 looking for user Girish.Kumar in MAVIS backend
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 result for user Girish.Kumar is ACK [18 ms]
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 looking for user Girish.Kumar realm default
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 user lookup succeded
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 evaluating ACL default#0
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 pcre2: '(?i)^cn=Networkinginfrastructure-RW,ou=static
> groups' <=> 'CN=NetworkingInfrastructure-RO-SG,OU=Static
> Groups,OU=Domain Groups,DC=estnetpmc,DC=net' = 0
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 line 112: [memberof] <pcre-regex>
> '(?i)^cn=Networkinginfrastructure-RW,ou=static groups' => false
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 line 112: [else]
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 pcre2:
> '(?i)^cn=Networkinginfrastructure-RO-SG,ou=static groups' <=>
> 'CN=NetworkingInfrastructure-RO-SG,OU=Static Groups,OU=Domain
> Groups,DC=estnetpmc,DC=net' = 1
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 line 122: [memberof] <pcre-regex>
> '(?i)^cn=Networkinginfrastructure-RO-SG,ou=static groups' => true
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 line 123: [nas] address '172.17.12.158' => true
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 line 124: [set] 'memberof=ADMIN-RO'
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 line 125: [set] 'admin_prof=soc_admin_readonly'
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 line 127: [profile] 'readonly'
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 line 128: [permit]
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 ACL default#0: match
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 Girish.Kumar 172.16.100.102: ACL default#0: permit
> (profile: readonly)
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 pap login for 'Girish.Kumar' from 172.16.100.102
> succeeded (profile=readonly)
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 Writing AUTHEN/PASS size=18
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 ---<start packet>---
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 key used: Mykey
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 version: 193, type: 1, seq no: 2, flags: unencrypted
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 session id: 43177bd5, data length: 6
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 AUTHEN, status=1 (AUTHEN/PASS) flags=0x0
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 msg_len=0, data_len=0
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 msg (len: 0):
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 data (len: 0):
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 ---<end packet>---
>
>
>
> Readwrite user sujith.sudhakaran1
>
> handle_req-Rcvd auth req 152767791 for sujith.sudhakaran1 in ADMIN-RO
> opt=0001c001 prot=11
> [489] __compose_group_list_from_req-Group 'ADMIN-RO', type 1
> [616] fnbamd_pop3_start-sujith.sudhakaran1
> [378] radius_start-Didn't find radius servers (0)
> [1235] __tac_plus_try_next_server-Try CHI-ISE:10.152.10.51
> [361] __tac_plus_dns_cb-Resolved CHI-ISE:10.152.10.51 to 10.152.10.51,
> cur stack size:1
> [281] sock_connect-connecting CHI-ISE:10.152.10.51: 10.152.10.51
> [1235] __tac_plus_try_next_server-Try TEST:172.17.12.204
> [361] __tac_plus_dns_cb-Resolved TEST:172.17.12.204 to 172.17.12.204,
> cur stack size:1
> [281] sock_connect-connecting TEST:172.17.12.204: 172.17.12.204
> [497] ldap_start-Didn't find ldap servers
> [480] fnbamd_cfg_get_ext_idp_list-
> [454] __fnbamd_cfg_get_ext_idp_list_by_group-
> [460] __fnbamd_cfg_get_ext_idp_list_by_group-Group 'ADMIN-RO'
> [490] fnbamd_cfg_get_ext_idp_list-Total external identity provider
> servers to try: 0
> [652] create_auth_session-Total 2 server(s) to try
> [1980] handle_req-r=4
> [393] is_sock_connected-tcp connected
> [500] build_authen_start-building authen start packet: authen_type=2(pap)
> [803] tac_plus_result-Authen sending request
> [408] pak_send-Encrypting pkt
> [1231] fsm_tac_plus_update_result-Continue pending for req 152767791
> [813] tac_plus_result-Authen receiving reply
> [465] pak_recv-read all header, data len 6
> [1231] fsm_tac_plus_update_result-Continue pending for req 152767791
> [813] tac_plus_result-Authen receiving reply
> [560] parse_authen_reply-authen result=1(pass)
> [1623] fnbam_user_auth_group_match-req id: 152767791, server: TEST,
> local auth: 0, dn match: 0
> [292] find_matched_usr_grps-Passed group matching
> [209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req
> 152767791, len=2540
> [808] destroy_auth_session-delete session 152767791
> [1244] tac_plus_destroy-CHI-ISE
> [1244] tac_plus_destroy-TEST
> [1086] fnbamd_ext_idps_destroy-
> [208] __fnbamd_remote_ca_refresh-
> [2507] handle_req-Rcvd auth_cert req id=152767792, len=1599, opt=8
> [983] __cert_auth_ctx_init-req_id=152767792, opt=8
> [992] __cert_auth_ctx_init-OCSP resp is found.
> [103] __cert_chg_st- 'Init'
>
Reply all
Reply to author
Forward
0 new messages