Hello list,
I am having difficulties with a ClearPass device.
Authentication works, but authorization fails.
I had a look with Wireshark and saw TACACS+ minor version 1 in the packets.

I fixed it with the patch below, but I'm not sure whether this is the right way.
diff -up PROJECTS/tac_plus/packet.c.palto PROJECTS/tac_plus/packet.c
--- PROJECTS/tac_plus/packet.c.orig 2022-04-14 15:54:43.405769387 +0200
+++ PROJECTS/tac_plus/packet.c 2022-04-14 16:00:29.588770961 +0200
@@ -545,14 +545,14 @@ void tac_read(struct context *ctx, int c
break;
case TAC_PLUS_AUTHOR:
- if (!bogus && (ctx->in->hdr.version == TAC_PLUS_VER_DEFAULT || (session->bug_compatibility & CLIENT_BUG_BAD_VERSION)))
+ if (!bogus && (ctx->in->hdr.version == TAC_PLUS_VER_DEFAULT || (session->bug_compatibility & CLIENT_BUG_BAD_VERSION) || ctx->in->hdr.version == TAC_PLUS_VER_ONE))
author(session, &ctx->in->hdr);
else
send_author_reply(session, TAC_PLUS_AUTHOR_STATUS_ERROR, msg, NULL, 0, NULL);
break;
case TAC_PLUS_ACCT:
- if (!bogus && (ctx->in->hdr.version == TAC_PLUS_VER_DEFAULT || (session->bug_compatibility & CLIENT_BUG_BAD_VERSION)))
+ if (!bogus && (ctx->in->hdr.version == TAC_PLUS_VER_DEFAULT || (session->bug_compatibility & CLIENT_BUG_BAD_VERSION) || ctx->in->hdr.version == TAC_PLUS_VER_ONE))
accounting(session, &ctx->in->hdr);
else
send_acct_reply(session, TAC_PLUS_ACCT_STATUS_ERROR, msg, NULL);
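Review bot: The added `ctx->in->hdr.version == TAC_PLUS_VER_ONE` clause in the TAC_PLUS_AUTHOR branch (and the identical one under TAC_PLUS_ACCT) relaxes the version check for every client, whereas the `CLIENT_BUG_BAD_VERSION` bit already tested in the same condition looks like the per-session opt-in for peers that send an unexpected version. RFC 8907 defines minor version 1 for authentication exchanges, so a device sending it on authorization or accounting is the non-conforming side; if that flag can be enabled for just the ClearPass client, the strict check stays in place for everyone else and no code change is needed. If the global relaxation is kept, I would add a comment above each test such as `/* interop: some NAS send minor version 1 on author/acct packets; accepted for all clients */` so the deviation is visible to the next reader. The hunk shows only part of tac_read(), so how `bogus` and `msg` are set cannot be checked from here.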
Kind regards,
Jörg