Ruleset to catch VSA Juniper-Local-User-Name


fukhell (fukhell)

Sep 3, 2025, 12:15:29 PM
to Event-Driven Servers
Hello,

My RADIUS server sends the VSA Juniper-Local-User-Name for Juniper devices, depending on whether the connected user is admin or noc.

I have a dict in the conf file and a ruleset:

radius.dictionary juniper 2636 {
        attribute Juniper-Local-User-Name 1 string
}

rule map-juniper-radius {
    enabled = yes
    script {
        if (radius[juniper:Juniper-Local-User-Name] == neteng-template) {
            profile = admin
            permit
        }
        if (radius[juniper:Juniper-Local-User-Name] == gnoc-template) {
            profile = noc
            permit
        }
    }
}

But tac doesn't catch that 


[root@tacacs ~]# tac_plus-ng -d 512 /usr/local/etc/mavis/sample/tac_plus-ng.cfg
162841: 12:11:30.732 0/00000000: - Version 87ea4f497104ec39e27d937ae3363e967e40f09c initialized
162841: 12:11:57.087 0/ef48e94a: 10.52.1.53 evaluating ACL __internal__username_acl__
162841: 12:11:57.087 0/ef48e94a: 10.52.1.53  line 502: [user] regex '[]<>/()|=[*"':$]+' => false
162841: 12:11:57.087 0/ef48e94a: 10.52.1.53  line 502: [permit]
162841: 12:11:57.087 0/ef48e94a: 10.52.1.53 ACL __internal__username_acl__: match
162841: 12:11:57.087 0/ef48e94a: 10.52.1.53 looking for user user in MAVIS backend
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53 result for user user is ACK [180 ms]
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53 evaluating ACL map-juniper-radius
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53  line 292: [radius] juniper:Juniper-Local-User-Name radius 'neteng-template' => false
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53  line 296: [radius] juniper:Juniper-Local-User-Name radius 'gnoc-template' => false
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53 ACL map-juniper-radius: no match
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53 us...@10.235.9.18: ACL map-juniper-radius: <unknown> (profile: n/a)
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53 evaluating ACL allow_all
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53  line 305: [permit]
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53 ACL allow_all: match
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53 us...@10.235.9.18: ACL allow_all: permit (profile: n/a)
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53 shell login for 'user' from 10.235.9.18 succeeded
162841: 12:11:57.273 1/8327d4da: 10.52.1.53 evaluating ACL map-juniper-radius
162841: 12:11:57.273 1/8327d4da: 10.52.1.53  line 292: [radius] juniper:Juniper-Local-User-Name radius 'neteng-template' => false
162841: 12:11:57.273 1/8327d4da: 10.52.1.53  line 296: [radius] juniper:Juniper-Local-User-Name radius 'gnoc-template' => false
162841: 12:11:57.273 1/8327d4da: 10.52.1.53 ACL map-juniper-radius: no match
162841: 12:11:57.273 1/8327d4da: 10.52.1.53 us...@10.235.9.18: ACL map-juniper-radius: <unknown> (profile: n/a)
162841: 12:11:57.273 1/8327d4da: 10.52.1.53 evaluating ACL allow_all
162841: 12:11:57.273 1/8327d4da: 10.52.1.53  line 305: [permit]
162841: 12:11:57.273 1/8327d4da: 10.52.1.53 ACL allow_all: match
162841: 12:11:57.273 1/8327d4da: 10.52.1.53 us...@10.235.9.18: ACL allow_all: permit (profile: n/a)
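The debug log above shows the shape of the problem: map-juniper-radius evaluates to no match, and the login is then permitted by allow_all with profile n/a, so the user gets in without the intended authorization profile. The following shell function is an added example, not code from this thread or from tac_plus-ng: it reads tac_plus-ng -d 512 output on stdin and prints, per session, which ACL permitted the login, which profile it assigned and whether the shell login succeeded, flagging sessions that succeeded with no profile. The field positions are taken from the log lines in this thread; the sample lines for session 0/c0ffee01 (a matched rule with profile admin) are constructed.

```shell
#!/bin/sh
# Added example, not part of the thread or of tac_plus-ng.
# Summarise "tac_plus-ng -d 512" debug output per session: the ACL that
# permitted the login, the profile it set, and the login outcome.

summarize_tac_log() {
    awk -v q="'" '
    # Decision line, fields as seen in the thread:
    #   <pid>: <time> <sid>: <nas> <user@client>: ACL <name>: permit (profile: <p>)
    $6 == "ACL" && $8 == "permit" && $9 == "(profile:" {
        sid = $3; sub(/:$/, "", sid)
        acl = $7; sub(/:$/, "", acl)
        prof = $10; sub(/\)$/, "", prof)
        decided[sid] = acl; profile[sid] = prof
    }
    # Outcome line:
    #   <pid>: <time> <sid>: <nas> shell login for <user> from <client> succeeded|denied by ACL
    $5 == "shell" && $6 == "login" && $7 == "for" {
        sid = $3; sub(/:$/, "", sid)
        user = $8; gsub(q, "", user)
        outcome = ($NF == "succeeded") ? "succeeded" : "denied"
        acl = (sid in decided) ? decided[sid] : "-"
        prof = (sid in profile) ? profile[sid] : "-"
        # A successful login with no profile means a fallback rule let it in.
        flag = (outcome == "succeeded" && prof == "n/a") ? " FLAG=login-without-profile" : ""
        printf "session=%s nas=%s user=%s client=%s acl=%s profile=%s login=%s%s\n",
               sid, $4, user, $10, acl, prof, outcome, flag
    }'
}

# Sample input: sessions 0/ef48e94a and 0/0d07581f are lines from the logs in
# this thread; the two lines for session 0/c0ffee01 are constructed.
SAMPLE_LOG="162841: 12:11:57.267 0/ef48e94a: 10.52.1.53 us...@10.235.9.18: ACL allow_all: permit (profile: n/a)
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53 shell login for 'user' from 10.235.9.18 succeeded
999999: 03:00:00.000 0/c0ffee01: 10.52.1.53 neteng1@10.0.0.10: ACL map-juniper-radius: permit (profile: admin)
999999: 03:00:00.000 0/c0ffee01: 10.52.1.53 shell login for 'neteng1' from 10.0.0.10 succeeded
890996: 03:12:43.202 0/0d07581f: 10.52.1.53 us...@10.235.0.225: ACL map-juniper-radius: <unknown> (profile: n/a)
890996: 03:12:43.202 0/0d07581f: 10.52.1.53 shell login for 'user' from 10.235.0.225 denied by ACL"

printf '%s\n' "$SAMPLE_LOG" | summarize_tac_log
```

Pipe the live debug output into summarize_tac_log the same way. A flagged line means a catch-all rule such as allow_all permitted the session while the mapping rule did not match, which is the condition to look for before relying on the mapping for privilege separation.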

Marc Huber

Sep 3, 2025, 1:49:41 PM
to event-driv...@googlegroups.com

Hi,

I'm not sure what you're trying to achieve -- are you using the built-in tac_plus-ng RADIUS functionality, or are you using one of the MAVIS backends for RADIUS?

Cheers,

Marc

--
You received this message because you are subscribed to the Google Groups "Event-Driven Servers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to event-driven-ser...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/event-driven-servers/393ca9f6-d811-4434-93ad-191b232ee04dn%40googlegroups.com.

fukhell

Sep 4, 2025, 1:09:25 AM
to event-driv...@googlegroups.com
Hi Marc,

I don't use the tac_plus-ng RADIUS functionality.

I want to separate authorization based on user type.
Yes, I am using the radmavis backend. When my RSA SecurID RADIUS answers with Access-Accept, it carries the Juniper VSA Juniper-Local-User-Name.
This VSA can have the value neteng-template or gnoc-template depending on the username; SecurID has RADIUS profiles with this VSA attached for users.
So I want to achieve authorization separation: if a neteng user is connected it gets full access, if a gnoc user is connected it gets read-only access.

On Wed, Sep 3, 2025 at 22:49, Marc Huber <marc.j...@gmail.com> wrote:

Marc Huber

Sep 4, 2025, 10:57:54 AM
to event-driv...@googlegroups.com
Hi,

radmavis uses RADIUS as a backend but doesn't propagate RADIUS AV pairs
as-is to tac_plus-ng. You can try running radmavis with the
group_attribute=... option; that one should map the selected RADIUS
attribute to a MAVIS TACMEMBER attribute. Something like

radmavis -c /etc/radcli/radiusclient.conf group_attribute="juniper:Juniper-Local-User-Name"

where "juniper:Juniper-Local-User-Name" needs to be defined in the
radcli (or freeradius-client) RADIUS dictionary.

Basic functionality testing via CLI:

printf "0 TACPLUS\n4 $USER\n8 $PASS\n49 AUTH\n=\n" | radmavis -c /etc/radcli/radiusclient.conf group_attribute="juniper:Juniper-Local-User-Name"

Cheers,

Marc

fukhell

Sep 4, 2025, 12:20:23 PM
to event-driv...@googlegroups.com
Hi Marc,

Yes, I've already defined this attribute in the dictionary.
But I lack knowledge about group_attribute=; how can I use it in the
ruleset to compare whether this is an admin or noc user?

On Thu, Sep 4, 2025 at 19:57, Marc Huber <marc.j...@gmail.com> wrote:

Marc Huber

Sep 4, 2025, 12:45:55 PM
to event-driv...@googlegroups.com
Hi,

the "group_member" RADIUS value is mapped to a TACMEMBER attribute, which
in turn is getting mapped to "member" in ruleset context, so e.g. "if
(member == neteng-template)" would work.

Cheers,

Marc

fukhell

Sep 5, 2025, 3:08:44 AM
to event-driv...@googlegroups.com
Hi Marc,

Looks like it didn't help. How can I check what the member variable contains?

mavis module = external {
    exec = /usr/local/sbin/radmavis -c "/etc/radcli/radiusclient.conf" group_attribute "juniper:Juniper-Local-User-Name"
}



Ruleset

rule map-juniper-radius {
    enabled = yes
    script {
        if (member == neteng-template) {
            profile = admin
            permit
        }
        if (member == gnoc-template) {
            profile = noc
            permit
        }
    }
}

In this case, do I need to activate the group module (mavis module = groups)?


[root@tacacs ~]# tac_plus-ng -d 512 /usr/local/etc/mavis/sample/tac_plus-ng.cfg
335103: 03:03:47.360 0/00000000: - Version 87ea4f497104ec39e27d937ae3363e967e40f09c initialized
335103: 03:04:03.146 0/b7769ba5: 10.52.1.53 evaluating ACL __internal__username_acl__
335103: 03:04:03.146 0/b7769ba5: 10.52.1.53  line 502: [user] regex '[]<>/()|=[*"':$]+' => false
335103: 03:04:03.146 0/b7769ba5: 10.52.1.53  line 502: [permit]
335103: 03:04:03.146 0/b7769ba5: 10.52.1.53 ACL __internal__username_acl__: match
335103: 03:04:03.146 0/b7769ba5: 10.52.1.53 looking for user user in MAVIS backend

Tactrace doesn't work correctly

[root@tacacs perl]# ./tactrace.pl   --authenmethod=tacacsplus --user user --password 84871317
Version: 87ea4f497104ec39e27d937ae3363e967e40f09c
127.0.0.1 ---<start packet>---
127.0.0.1 session id: 00000001, data length: 52
127.0.0.1 Packet malformed, skipping detailed dump.
127.0.0.1 ---<end packet>---
127.0.0.1 Writing AUTHOR/ERROR size=57
127.0.0.1 ---<start packet>---
127.0.0.1 session id: 00000001, data length: 45
127.0.0.1 AUTHOR/REPLY, status=17 (AUTHOR/ERROR)
127.0.0.1 msg_len=39, data_len=0, arg_cnt=0
127.0.0.1 msg (len: 39): Illegal packet (version=0xc0 type=0x02)
127.0.0.1 data (len: 0):
127.0.0.1 ---<end packet>---
- exit status=0
[root@tacacs perl]#



On Thu, Sep 4, 2025 at 21:45, Marc Huber <marc.j...@gmail.com> wrote:

Marc Huber

Sep 5, 2025, 8:42:37 AM
to event-driv...@googlegroups.com

Hi,

the "exec" line in the "mavis module" section should read

exec = /usr/local/sbin/radmavis radmavis -c /etc/radcli/radiusclient.conf "group_attribute=juniper:Juniper-Local-User-Name"

This also fixes the badly placed quotation mark from my previous example.

For initial attribute checking

printf "0 TACPLUS\n4 $USER\n8 $PASS\n49 AUTH\n=\n" | radmavis -c /etc/radcli/radiusclient.conf "group_attribute=juniper:Juniper-Local-User-Name"

should work.

Cheers,

Marc

fukhell

Sep 8, 2025, 3:20:24 AM
to event-driv...@googlegroups.com
Hi Marc,

Thank you for your answer.

Here is what I have now. Still no success.

mavis module = external {
#    setenv RADIUS_HOST=10.48.58.8 # could add more devices here, comma-separated
#    setenv RADIUS_PORT=1812
#    setenv RADIUS_SECRET="tacacs"
#    setenv RADIUS_GROUP_ATTR=Class
#    setenv RADIUS_PASSWORD_ATTR=Password # defaults to: User-Password
#    setenv RADCLI_CONF=/etc/radcli/radiusclient.conf
#    exec = /usr/local/lib/mavis/mavis_tacplus_radius.pl
#    exec = /usr/local/sbin/radmavis -c "/etc/radcli/radiusclient.conf" group_attribute "juniper:Juniper-Local-User-Name"

exec = /usr/local/sbin/radmavis radmavis -c /etc/radcli/radiusclient.conf "group_attribute=juniper:Juniper-Local-User-Name"
}


[root@tacacs sample]# cat /etc/radcli/radiusclient.conf
authserver 10.48.58.8:1812
acctserver 10.48.58.8
nas-ip 10.52.1.53
dictionary /etc/radcli/dictionary
servers /etc/radcli/servers
radius_timeout 10
radius_retries  3

[root@tacacs sample]# cat /etc/radcli/dictionary | grep INCL
#$INCLUDE /etc/radcli/dictionary.microsoft
#$INCLUDE /etc/radcli/dictionary.roaringpenguin
$INCLUDE /etc/radcli/dictionary.juniper

[root@tacacs sample]# cat /etc/radcli/dictionary.juniper
VENDOR          Juniper          2636

BEGIN-VENDOR    Juniper
ATTRIBUTE       Juniper-Local-User-Name      1   string
END-VENDOR      Juniper

Ruleset

rule map-juniper-radius {
    enabled = yes
    script {
        if (member == 'neteng-template') {
            profile = admin
            permit
        }
        if (member == gnoc-template) {
            profile = noc
            permit
        }
    }
}
[root@tacacs ~]#  tac_plus-ng -d 512 /usr/local/etc/mavis/sample/tac_plus-ng.cfg
890996: 03:12:28.496 0/00000000: - Version 87ea4f497104ec39e27d937ae3363e967e40f09c initialized
890996: 03:12:43.048 0/0d07581f: 10.52.1.53 evaluating ACL __internal__username_acl__
890996: 03:12:43.048 0/0d07581f: 10.52.1.53  line 502: [user] regex '[]<>/()|=[*"':$]+' => false
890996: 03:12:43.048 0/0d07581f: 10.52.1.53  line 502: [permit]
890996: 03:12:43.048 0/0d07581f: 10.52.1.53 ACL __internal__username_acl__: match
890996: 03:12:43.048 0/0d07581f: 10.52.1.53 looking for user user in MAVIS backend
890996: 03:12:43.202 0/0d07581f: 10.52.1.53 result for user user is ACK [153 ms]
890996: 03:12:43.202 0/0d07581f: 10.52.1.53 evaluating ACL map-juniper-radius
890996: 03:12:43.202 0/0d07581f: 10.52.1.53  line 286: [member] member 'neteng-template' => false
890996: 03:12:43.202 0/0d07581f: 10.52.1.53  line 290: [member] member 'gnoc-template' => false
890996: 03:12:43.202 0/0d07581f: 10.52.1.53 ACL map-juniper-radius: no match
890996: 03:12:43.202 0/0d07581f: 10.52.1.53 us...@10.235.0.225: ACL map-juniper-radius: <unknown> (profile: n/a)
890996: 03:12:43.202 0/0d07581f: 10.52.1.53 shell login for 'user' from 10.235.0.225 denied by ACL


On Fri, Sep 5, 2025 at 17:42, Marc Huber <marc.j...@gmail.com> wrote:

fukhell

Sep 8, 2025, 7:21:13 AM
to event-driv...@googlegroups.com
Hi Marc,

Never mind, got it working with

exec = /usr/local/sbin/radmavis radmavis -c /etc/radcli/radiusclient.conf "group_attribute=Juniper-Local-User-Name"

Since I already have correct dictionary configuration, it looks like I do not need to refer to a vendor. 

On Mon, Sep 8, 2025 at 12:20, fukhell <helpde...@gmail.com> wrote:
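Putting Marc's printf test and the final group_attribute form together, here is an added shell example (not code from this thread, from radmavis or from tac_plus-ng) that runs the same check as a script: it builds the MAVIS request with the attribute numbers the printf line uses (0 for the type, 4 for the user, 8 for the password, 49 for the TACACS+ request type), sends it to a backend command, extracts the value of one attribute number from the reply and maps it to a profile exactly as the ruleset does. The numeric id of the TACMEMBER attribute is not given in the thread, so it is passed in as a parameter; demo_backend is a constructed stand-in for radmavis so the script runs offline, and the attribute id 77 it emits is made up for the demo.

```shell
#!/bin/sh
# Added example, not part of the thread, radmavis or tac_plus-ng.
# Reproduces the CLI check from the thread end-to-end and applies the
# ruleset's profile mapping to the value the backend returns.

# Build the request the way the printf one-liner does: "<attr> <value>" per
# line, terminated by "=". Attribute numbers 0, 4, 8 and 49 are the ones
# used in the thread.
mavis_request() {
    printf '0 TACPLUS\n4 %s\n8 %s\n49 AUTH\n=\n' "$1" "$2"
}

# Print the value of attribute number $1 from a MAVIS reply read on stdin.
# Pass the TACMEMBER id from your tac_plus-ng build (mavis.h); it is not
# stated in the thread. Values may contain spaces, so only the first field
# is stripped.
mavis_attr() {
    awk -v id="$1" '$1 == id { sub(/^[^ ]+ /, ""); print; exit }'
}

# Same decision the ruleset makes. Anything unknown or empty maps to deny,
# so a missing VSA fails closed instead of falling through to a catch-all.
profile_for_member() {
    case "$1" in
        neteng-template) echo admin ;;
        gnoc-template)   echo noc ;;
        *)               echo deny ;;
    esac
}

# $1=user $2=password $3=TACMEMBER attribute id, $4... = backend command.
# With no backend given, the radmavis line from the end of the thread is used.
mavis_check() {
    user=$1; pass=$2; member_id=$3; shift 3
    if [ $# -eq 0 ]; then
        set -- /usr/local/sbin/radmavis -c /etc/radcli/radiusclient.conf \
               "group_attribute=Juniper-Local-User-Name"
    fi
    member=$(mavis_request "$user" "$pass" | "$@" | mavis_attr "$member_id")
    profile_for_member "$member"
}

# Constructed stand-in for radmavis, for offline testing only: reads the
# request, echoes the user back and adds a group line. Attribute id 77 is
# made up for this demo and is not the real TACMEMBER number.
demo_backend() {
    user=$(awk '$1 == 4 { print $2; exit }')
    case "$user" in
        noc*) group=gnoc-template ;;
        *)    group=neteng-template ;;
    esac
    printf '0 TACPLUS\n4 %s\n77 %s\n=\n' "$user" "$group"
}
```

Offline, mavis_check alice secret 77 demo_backend prints admin and mavis_check noc-bob secret 77 demo_backend prints noc; against the real backend, run mavis_check "$USER" "$PASS" <tacmember-id> with no further arguments. Mapping unknown values to deny mirrors the difference between the first log in this thread, where allow_all permitted the login with profile n/a, and the last one, where the unmatched session was denied by ACL.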