Ruleset to catch VSA Juniper-Local-User-Name
14 views
Skip to first unread message
fukhell (fukhell)
Sep 3, 2025, 12:15:29 PMSep 3
to Event-Driven Servers
Hello,
my Radius servers sends VSA Juniper-Local-User-Name for Juniper devices depending connected user admin or noc.
I have a dict in conf file and ruleset
radius.dictionary juniper 2636 {
attribute Juniper-Local-User-Name 1 string
}
attribute Juniper-Local-User-Name 1 string
}
rule map-juniper-radius {
enabled = yes
script {
if (radius[juniper:Juniper-Local-User-Name] == neteng-template) {
profile = admin
permit
}
if (radius[juniper:Juniper-Local-User-Name] == gnoc-template) {
profile = noc
permit
}
}
}
enabled = yes
script {
if (radius[juniper:Juniper-Local-User-Name] == neteng-template) {
profile = admin
permit
}
if (radius[juniper:Juniper-Local-User-Name] == gnoc-template) {
profile = noc
permit
}
}
}
But tac doesn't catch that
[root@tacacs ~]# tac_plus-ng -d 512 /usr/local/etc/mavis/sample/tac_plus-ng.cfg
162841: 12:11:30.732 0/00000000: - Version 87ea4f497104ec39e27d937ae3363e967e40f09c initialized
162841: 12:11:57.087 0/ef48e94a: 10.52.1.53 evaluating ACL __internal__username_acl__
162841: 12:11:57.087 0/ef48e94a: 10.52.1.53 line 502: [user] regex '[]<>/()|=[*"':$]+' => false
162841: 12:11:57.087 0/ef48e94a: 10.52.1.53 line 502: [permit]
162841: 12:11:57.087 0/ef48e94a: 10.52.1.53 ACL __internal__username_acl__: match
162841: 12:11:57.087 0/ef48e94a: 10.52.1.53 looking for user user in MAVIS backend
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53 result for user user is ACK [180 ms]
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53 evaluating ACL map-juniper-radius
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53 line 292: [radius] juniper:Juniper-Local-User-Name radius 'neteng-template' => false
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53 line 296: [radius] juniper:Juniper-Local-User-Name radius 'gnoc-template' => false
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53 ACL map-juniper-radius: no match
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53 us...@10.235.9.18: ACL map-juniper-radius: <unknown> (profile: n/a)
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53 evaluating ACL allow_all
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53 line 305: [permit]
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53 ACL allow_all: match
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53 us...@10.235.9.18: ACL allow_all: permit (profile: n/a)
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53 shell login for 'user' from 10.235.9.18 succeeded
162841: 12:11:57.273 1/8327d4da: 10.52.1.53 evaluating ACL map-juniper-radius
162841: 12:11:57.273 1/8327d4da: 10.52.1.53 line 292: [radius] juniper:Juniper-Local-User-Name radius 'neteng-template' => false
162841: 12:11:57.273 1/8327d4da: 10.52.1.53 line 296: [radius] juniper:Juniper-Local-User-Name radius 'gnoc-template' => false
162841: 12:11:57.273 1/8327d4da: 10.52.1.53 ACL map-juniper-radius: no match
162841: 12:11:57.273 1/8327d4da: 10.52.1.53 us...@10.235.9.18: ACL map-juniper-radius: <unknown> (profile: n/a)
162841: 12:11:57.273 1/8327d4da: 10.52.1.53 evaluating ACL allow_all
162841: 12:11:57.273 1/8327d4da: 10.52.1.53 line 305: [permit]
162841: 12:11:57.273 1/8327d4da: 10.52.1.53 ACL allow_all: match
162841: 12:11:57.273 1/8327d4da: 10.52.1.53 us...@10.235.9.18: ACL allow_all: permit (profile: n/a)
162841: 12:11:30.732 0/00000000: - Version 87ea4f497104ec39e27d937ae3363e967e40f09c initialized
162841: 12:11:57.087 0/ef48e94a: 10.52.1.53 evaluating ACL __internal__username_acl__
162841: 12:11:57.087 0/ef48e94a: 10.52.1.53 line 502: [user] regex '[]<>/()|=[*"':$]+' => false
162841: 12:11:57.087 0/ef48e94a: 10.52.1.53 line 502: [permit]
162841: 12:11:57.087 0/ef48e94a: 10.52.1.53 ACL __internal__username_acl__: match
162841: 12:11:57.087 0/ef48e94a: 10.52.1.53 looking for user user in MAVIS backend
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53 result for user user is ACK [180 ms]
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53 evaluating ACL map-juniper-radius
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53 line 292: [radius] juniper:Juniper-Local-User-Name radius 'neteng-template' => false
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53 line 296: [radius] juniper:Juniper-Local-User-Name radius 'gnoc-template' => false
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53 ACL map-juniper-radius: no match
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53 us...@10.235.9.18: ACL map-juniper-radius: <unknown> (profile: n/a)
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53 evaluating ACL allow_all
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53 line 305: [permit]
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53 ACL allow_all: match
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53 us...@10.235.9.18: ACL allow_all: permit (profile: n/a)
162841: 12:11:57.267 0/ef48e94a: 10.52.1.53 shell login for 'user' from 10.235.9.18 succeeded
162841: 12:11:57.273 1/8327d4da: 10.52.1.53 evaluating ACL map-juniper-radius
162841: 12:11:57.273 1/8327d4da: 10.52.1.53 line 292: [radius] juniper:Juniper-Local-User-Name radius 'neteng-template' => false
162841: 12:11:57.273 1/8327d4da: 10.52.1.53 line 296: [radius] juniper:Juniper-Local-User-Name radius 'gnoc-template' => false
162841: 12:11:57.273 1/8327d4da: 10.52.1.53 ACL map-juniper-radius: no match
162841: 12:11:57.273 1/8327d4da: 10.52.1.53 us...@10.235.9.18: ACL map-juniper-radius: <unknown> (profile: n/a)
162841: 12:11:57.273 1/8327d4da: 10.52.1.53 evaluating ACL allow_all
162841: 12:11:57.273 1/8327d4da: 10.52.1.53 line 305: [permit]
162841: 12:11:57.273 1/8327d4da: 10.52.1.53 ACL allow_all: match
162841: 12:11:57.273 1/8327d4da: 10.52.1.53 us...@10.235.9.18: ACL allow_all: permit (profile: n/a)
Marc Huber
Sep 3, 2025, 1:49:41 PMSep 3
to event-driv...@googlegroups.com
Hi,
I'm not sure on what you're trying to achive-- are you using the built-in tac_plus-ng RADIUS functionality or are you using one of the MAVIS backends for RADIUS?
Cheers,
Marc
--
You received this message because you are subscribed to the Google Groups "Event-Driven Servers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to event-driven-ser...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/event-driven-servers/393ca9f6-d811-4434-93ad-191b232ee04dn%40googlegroups.com.
fukhell
Sep 4, 2025, 1:09:25 AMSep 4
to event-driv...@googlegroups.com
Hi Marc,
I don't use tac_plus-ng RADIUS functionality.
I want to separate authorization based on user type.
Yes I am using the radmavis backend. When my Secured ID RSA Radius
answers with Access-Accept it carries Juniper VSA -
Juniper-Local-User-Name.
This VSA can be with value neteng-template or gnoc-template depending
username, Secure ID has attached radius profiles with this VSA for
users.
So I want to achieve authorization separation if neteng user is
connected it gest a full access, if gnoc user is connected it get a
read-only access.
ср, 3 сент. 2025 г. в 22:49, Marc Huber <marc.j...@gmail.com>:
> To view this discussion visit https://groups.google.com/d/msgid/event-driven-servers/73d17b22-cb18-44e5-a27e-b4433407de87%40googlemail.com.
I don't use tac_plus-ng RADIUS functionality.
I want to separate authorization based on user type.
Yes I am using the radmavis backend. When my Secured ID RSA Radius
answers with Access-Accept it carries Juniper VSA -
Juniper-Local-User-Name.
This VSA can be with value neteng-template or gnoc-template depending
username, Secure ID has attached radius profiles with this VSA for
users.
So I want to achieve authorization separation if neteng user is
connected it gest a full access, if gnoc user is connected it get a
read-only access.
ср, 3 сент. 2025 г. в 22:49, Marc Huber <marc.j...@gmail.com>:
Marc Huber
Sep 4, 2025, 10:57:54 AMSep 4
to event-driv...@googlegroups.com
Hi,
radmavis uses RADIUS as a backend but doesn't propagate RADIUS AV pair
as-is to tac_plus-ng. You can try running radmavis with the
group_attribute=... option, that one should map the selected RADIUS
attribute to a MAVIS TACMEMBER attribute. Something like
radmavis -c /etc/radcli/radiusclient.conf
group_attribute="juniper:Juniper-Local-User-Name"
where "juniper:Juniper-Local-User-Name" needs to be defined in the
radcli (or freeradius-client) RADIUS dictionary.
Basic functionality testing via CLI:
printf "0 TACPLUS\n4 $USER\n8 $PASS\n49 AUTH\n=\n" | radmavis -c
/etc/radcli/radiusclient.conf
group_attribute="juniper:Juniper-Local-User-Name"
Cheers,
Marc
radmavis uses RADIUS as a backend but doesn't propagate RADIUS AV pair
as-is to tac_plus-ng. You can try running radmavis with the
group_attribute=... option, that one should map the selected RADIUS
attribute to a MAVIS TACMEMBER attribute. Something like
radmavis -c /etc/radcli/radiusclient.conf
group_attribute="juniper:Juniper-Local-User-Name"
where "juniper:Juniper-Local-User-Name" needs to be defined in the
radcli (or freeradius-client) RADIUS dictionary.
Basic functionality testing via CLI:
printf "0 TACPLUS\n4 $USER\n8 $PASS\n49 AUTH\n=\n" | radmavis -c
/etc/radcli/radiusclient.conf
group_attribute="juniper:Juniper-Local-User-Name"
Cheers,
Marc
fukhell
Sep 4, 2025, 12:20:23 PMSep 4
to event-driv...@googlegroups.com
Hi Marc,
Yes, I've already defined this attr in dictionary.
But I have a lack of knowledge about group_attribute= , how can I use
it in ruleset to compare this is admin or noc user?
чт, 4 сент. 2025 г. в 19:57, Marc Huber <marc.j...@gmail.com>:
> To view this discussion visit https://groups.google.com/d/msgid/event-driven-servers/5d9ab6cc-9a75-4a9b-b04a-75ff4616c5e8%40googlemail.com.
Yes, I've already defined this attr in dictionary.
But I have a lack of knowledge about group_attribute= , how can I use
it in ruleset to compare this is admin or noc user?
чт, 4 сент. 2025 г. в 19:57, Marc Huber <marc.j...@gmail.com>:
Marc Huber
Sep 4, 2025, 12:45:55 PMSep 4
to event-driv...@googlegroups.com
Hi,
tha "group_member" RADIUS value is mapped to a TACMEMBER attribute which
in turn is getting mapped to "member" in ruleset context, so e.g. "if
(member == neteng-template)" would work.
Cheers,
Marc
tha "group_member" RADIUS value is mapped to a TACMEMBER attribute which
in turn is getting mapped to "member" in ruleset context, so e.g. "if
(member == neteng-template)" would work.
Cheers,
Marc
fukhell
Sep 5, 2025, 3:08:44 AMSep 5
to event-driv...@googlegroups.com
Hi Marc,
Looks like it didn't help, how can I check what contains var member?
Looks like it didn't help, how can I check what contains var member?
mavis module = external {
exec = /usr/local/sbin/radmavis -c "/etc/radcli/radiusclient.conf" group_attribute "juniper:Juniper-Local-User-Name"
}
exec = /usr/local/sbin/radmavis -c "/etc/radcli/radiusclient.conf" group_attribute "juniper:Juniper-Local-User-Name"
}
Ruleset
rule map-juniper-radius {
enabled = yes
script {
if (member == neteng-template) {
profile = admin
permit
}
if (member == gnoc-template) {
profile = noc
permit
}
}
}
profile = admin
permit
}
if (member == gnoc-template) {
profile = noc
permit
}
}
}
In this case do I need to activate the group module - mavis module = groups ?
[root@tacacs ~]# tac_plus-ng -d 512 /usr/local/etc/mavis/sample/tac_plus-ng.cfg
335103: 03:03:47.360 0/00000000: - Version 87ea4f497104ec39e27d937ae3363e967e40f09c initialized
335103: 03:04:03.146 0/b7769ba5: 10.52.1.53 evaluating ACL __internal__username_acl__
335103: 03:04:03.146 0/b7769ba5: 10.52.1.53 line 502: [user] regex '[]<>/()|=[*"':$]+' => false
335103: 03:04:03.146 0/b7769ba5: 10.52.1.53 line 502: [permit]
335103: 03:04:03.146 0/b7769ba5: 10.52.1.53 ACL __internal__username_acl__: match
335103: 03:04:03.146 0/b7769ba5: 10.52.1.53 evaluating ACL __internal__username_acl__
335103: 03:04:03.146 0/b7769ba5: 10.52.1.53 line 502: [user] regex '[]<>/()|=[*"':$]+' => false
335103: 03:04:03.146 0/b7769ba5: 10.52.1.53 line 502: [permit]
335103: 03:04:03.146 0/b7769ba5: 10.52.1.53 ACL __internal__username_acl__: match
335103: 03:04:03.146 0/b7769ba5: 10.52.1.53 looking for user user in MAVIS backend
Tactrace doesn't work correctly
[root@tacacs perl]# ./tactrace.pl --authenmethod=tacacsplus --user user --password 84871317
Version: 87ea4f497104ec39e27d937ae3363e967e40f09c
127.0.0.1 ---<start packet>---
127.0.0.1 session id: 00000001, data length: 52
127.0.0.1 Packet malformed, skipping detailed dump.
127.0.0.1 ---<end packet>---
127.0.0.1 Writing AUTHOR/ERROR size=57
127.0.0.1 ---<start packet>---
127.0.0.1 session id: 00000001, data length: 45
127.0.0.1 AUTHOR/REPLY, status=17 (AUTHOR/ERROR)
127.0.0.1 msg_len=39, data_len=0, arg_cnt=0
127.0.0.1 msg (len: 39): Illegal packet (version=0xc0 type=0x02)
127.0.0.1 data (len: 0):
127.0.0.1 ---<end packet>---
- exit status=0
[root@tacacs perl]#
Version: 87ea4f497104ec39e27d937ae3363e967e40f09c
127.0.0.1 ---<start packet>---
127.0.0.1 session id: 00000001, data length: 52
127.0.0.1 Packet malformed, skipping detailed dump.
127.0.0.1 ---<end packet>---
127.0.0.1 Writing AUTHOR/ERROR size=57
127.0.0.1 ---<start packet>---
127.0.0.1 session id: 00000001, data length: 45
127.0.0.1 AUTHOR/REPLY, status=17 (AUTHOR/ERROR)
127.0.0.1 msg_len=39, data_len=0, arg_cnt=0
127.0.0.1 msg (len: 39): Illegal packet (version=0xc0 type=0x02)
127.0.0.1 data (len: 0):
127.0.0.1 ---<end packet>---
- exit status=0
[root@tacacs perl]#
чт, 4 сент. 2025 г. в 21:45, Marc Huber <marc.j...@gmail.com>:
--
You received this message because you are subscribed to the Google Groups "Event-Driven Servers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to event-driven-ser...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/event-driven-servers/70972cbc-a0c8-46ff-9a37-58576670062a%40googlemail.com.
Marc Huber
Sep 5, 2025, 8:42:37 AMSep 5
to event-driv...@googlegroups.com
Hi,
the "exec" line in the "mavis module" section should read
exec = /usr/local/sbin/radmavis radmavis -c /etc/radcli/radiusclient.conf "group_attribute=juniper:Juniper-Local-User-Name"
This also fixes the badly placed quotation mark from my previous example.
For initial attribute checking
printf "0 TACPLUS\n4 $USER\n8 $PASS\n49 AUTH\n=\n" | radmavis -c /etc/radcli/radiusclient.conf "group_attribute=juniper:Juniper-Local-User-Name"
should work.
Cheers,
Marc
fukhell
Sep 8, 2025, 3:20:24 AMSep 8
to event-driv...@googlegroups.com
Hi Marc,
Thank you for your answer
What I have now.
Still no success
mavis module = external {
# setenv RADIUS_HOST=10.48.58.8 # could add more devices here, comma-separated
# setenv RADIUS_PORT=1812
# setenv RADIUS_SECRET="tacacs"
# setenv RADIUS_GROUP_ATTR=Class
# setenv RADIUS_PASSWORD_ATTR=Password # defaults to: User-Password
# setenv RADCLI_CONF=/etc/radcli/radiusclient.conf
# exec = /usr/local/lib/mavis/mavis_tacplus_radius.pl
# exec = /usr/local/sbin/radmavis -c "/etc/radcli/radiusclient.conf" group_attribute "juniper:Juniper-Local-User-Name"
# setenv RADIUS_HOST=10.48.58.8 # could add more devices here, comma-separated
# setenv RADIUS_PORT=1812
# setenv RADIUS_SECRET="tacacs"
# setenv RADIUS_GROUP_ATTR=Class
# setenv RADIUS_PASSWORD_ATTR=Password # defaults to: User-Password
# setenv RADCLI_CONF=/etc/radcli/radiusclient.conf
# exec = /usr/local/lib/mavis/mavis_tacplus_radius.pl
# exec = /usr/local/sbin/radmavis -c "/etc/radcli/radiusclient.conf" group_attribute "juniper:Juniper-Local-User-Name"
exec = /usr/local/sbin/radmavis radmavis -c /etc/radcli/radiusclient.conf "group_attribute=juniper:Juniper-Local-User-Name"
}
[root@tacacs sample]# cat /etc/radcli/radiusclient.conf
authserver 10.48.58.8:1812
acctserver 10.48.58.8
nas-ip 10.52.1.53
dictionary /etc/radcli/dictionary
servers /etc/radcli/servers
radius_timeout 10
radius_retries 3
authserver 10.48.58.8:1812
acctserver 10.48.58.8
nas-ip 10.52.1.53
dictionary /etc/radcli/dictionary
servers /etc/radcli/servers
radius_timeout 10
radius_retries 3
[root@tacacs sample]# cat /etc/radcli/dictionary | grep INCL
#$INCLUDE /etc/radcli/dictionary.microsoft
#$INCLUDE /etc/radcli/dictionary.roaringpenguin
$INCLUDE /etc/radcli/dictionary.juniper
#$INCLUDE /etc/radcli/dictionary.microsoft
#$INCLUDE /etc/radcli/dictionary.roaringpenguin
$INCLUDE /etc/radcli/dictionary.juniper
[root@tacacs sample]# cat /etc/radcli/dictionary.juniper
VENDOR Juniper 2636
BEGIN-VENDOR Juniper
ATTRIBUTE Juniper-Local-User-Name 1 string
END-VENDOR Juniper
VENDOR Juniper 2636
BEGIN-VENDOR Juniper
ATTRIBUTE Juniper-Local-User-Name 1 string
END-VENDOR Juniper
Rueleset
rule map-juniper-radius {
enabled = yes
script {
enabled = yes
script {
if (member == 'neteng-template') {
profile = admin
permit
}
if (member == gnoc-template) {
profile = noc
permit
}
}
}
[root@tacacs ~]# tac_plus-ng -d 512 /usr/local/etc/mavis/sample/tac_plus-ng.cfg
890996: 03:12:28.496 0/00000000: - Version 87ea4f497104ec39e27d937ae3363e967e40f09c initialized
890996: 03:12:43.048 0/0d07581f: 10.52.1.53 evaluating ACL __internal__username_acl__
890996: 03:12:43.048 0/0d07581f: 10.52.1.53 line 502: [user] regex '[]<>/()|=[*"':$]+' => false
890996: 03:12:43.048 0/0d07581f: 10.52.1.53 line 502: [permit]
890996: 03:12:43.048 0/0d07581f: 10.52.1.53 ACL __internal__username_acl__: match
890996: 03:12:43.048 0/0d07581f: 10.52.1.53 looking for user user in MAVIS backend
890996: 03:12:43.202 0/0d07581f: 10.52.1.53 result for user user is ACK [153 ms]
890996: 03:12:43.202 0/0d07581f: 10.52.1.53 evaluating ACL map-juniper-radius
890996: 03:12:43.202 0/0d07581f: 10.52.1.53 line 286: [member] member 'neteng-template' => false
890996: 03:12:43.202 0/0d07581f: 10.52.1.53 line 290: [member] member 'gnoc-template' => false
890996: 03:12:43.202 0/0d07581f: 10.52.1.53 ACL map-juniper-radius: no match
890996: 03:12:43.202 0/0d07581f: 10.52.1.53 us...@10.235.0.225: ACL map-juniper-radius: <unknown> (profile: n/a)
890996: 03:12:43.202 0/0d07581f: 10.52.1.53 shell login for 'user' from 10.235.0.225 denied by ACL
890996: 03:12:43.048 0/0d07581f: 10.52.1.53 evaluating ACL __internal__username_acl__
890996: 03:12:43.048 0/0d07581f: 10.52.1.53 line 502: [user] regex '[]<>/()|=[*"':$]+' => false
890996: 03:12:43.048 0/0d07581f: 10.52.1.53 line 502: [permit]
890996: 03:12:43.048 0/0d07581f: 10.52.1.53 ACL __internal__username_acl__: match
890996: 03:12:43.048 0/0d07581f: 10.52.1.53 looking for user user in MAVIS backend
890996: 03:12:43.202 0/0d07581f: 10.52.1.53 result for user user is ACK [153 ms]
890996: 03:12:43.202 0/0d07581f: 10.52.1.53 evaluating ACL map-juniper-radius
890996: 03:12:43.202 0/0d07581f: 10.52.1.53 line 286: [member] member 'neteng-template' => false
890996: 03:12:43.202 0/0d07581f: 10.52.1.53 line 290: [member] member 'gnoc-template' => false
890996: 03:12:43.202 0/0d07581f: 10.52.1.53 ACL map-juniper-radius: no match
890996: 03:12:43.202 0/0d07581f: 10.52.1.53 us...@10.235.0.225: ACL map-juniper-radius: <unknown> (profile: n/a)
890996: 03:12:43.202 0/0d07581f: 10.52.1.53 shell login for 'user' from 10.235.0.225 denied by ACL
пт, 5 сент. 2025 г. в 17:42, Marc Huber <marc.j...@gmail.com>:
To view this discussion visit https://groups.google.com/d/msgid/event-driven-servers/f31ce82d-ff8f-4211-9a66-34de95332189%40googlemail.com.
fukhell
Sep 8, 2025, 7:21:13 AMSep 8
to event-driv...@googlegroups.com
Hi Marc,
Nevermind, got it working by
exec = /usr/local/sbin/radmavis radmavis -c /etc/radcli/radiusclient.conf "group_attribute=Juniper-Local-User-Name"
Since I already have correct dictionary configuration, it looks like I do not need to refer to a vendor.
пн, 8 сент. 2025 г. в 12:20, fukhell <helpde...@gmail.com>:
Reply all
Reply to author
Forward
0 new messages