Patch to fix Palo Alto Panorama / PAN-OS authorization


Andy Gatward

Aug 15, 2017, 12:00:07 PM
to Event-Driven Servers
Hi,

Please find attached a patch which was required to fix Palo Alto's Panorama and PAN-OS devices picking up authorization from tac_plus. Without the patch, there would be log entries such as the one shown below, and the Palo Alto platform would return "Not Authorized":

Aug 15 10:02:20 SYSLOG tacplus[8047]: 1/30f53afd: 192.0.2.1 msg (len: 39): Illegal packet (version=0xc1 type=0x02)

Hopefully others may also find this useful.

Andy
Attachment: tac_plus-palo-alto.patch

Marc Huber

Aug 15, 2017, 1:36:40 PM
to event-driv...@googlegroups.com
Hi Andy,
thanks! Alas, I'm not sure whether this should be added. All the public
TACACS+ drafts state that both authorization and accounting have to use
a minor version of 0 (that's true for everything from
draft-grant-tacacs-02.txt to draft-ietf-opsawg-tacacs-06.txt).

Are Cisco ACS and ISE compatible with the PAN implementation? If yes,
then optionally permitting minor version 1 might be worth considering.

Cheers,

Marc
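The version check Marc is describing, as an added example that is not code from this thread or from tac_plus: a Python decoder for the fixed 12-byte TACACS+ header that reproduces the "Illegal packet (version=0xc1 type=0x02)" decision from Andy's log line. Minor version 1 is accepted for authentication (where the drafts and RFC 8907 define it for PAP/CHAP/MS-CHAP), while for authorization and accounting it is accepted only behind an explicit option, which is the "optionally permitting minor version 1" Marc mentions. The header layout and constants follow RFC 8907; the `allow_minor_one_for_authz_acct` flag, the sample session id and the placeholder packet bodies are constructed for this example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Header constants as defined by the TACACS+ drafts / RFC 8907.
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_MINOR_VER_ONE = 0x1
TAC_PLUS_VER_DEFAULT = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT  # 0xc0
TAC_PLUS_VER_ONE = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_ONE          # 0xc1

TAC_PLUS_AUTHEN = 0x01  # authentication
TAC_PLUS_AUTHOR = 0x02  # authorization
TAC_PLUS_ACCT = 0x03    # accounting

HEADER_FMT = "!BBBBII"                    # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes


@dataclass(frozen=True)
class TacHeader:
    version: int
    type: int
    seq_no: int
    flags: int
    session_id: int
    length: int  # length of the body that follows the header

    @property
    def major(self) -> int:
        return self.version >> 4

    @property
    def minor(self) -> int:
        return self.version & 0x0F


def parse_header(packet: bytes) -> TacHeader:
    """Decode the 12-byte header and check that the body length matches the header."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the 12-byte TACACS+ header")
    hdr = TacHeader(*struct.unpack(HEADER_FMT, packet[:HEADER_LEN]))
    body_len = len(packet) - HEADER_LEN
    if body_len != hdr.length:
        raise ValueError(f"body length {body_len} does not match header length {hdr.length}")
    return hdr


def check_version(hdr: TacHeader, allow_minor_one_for_authz_acct: bool = False) -> Optional[str]:
    """Return None when the version is acceptable for the packet type, otherwise the
    log message a daemon would emit (same wording as the tac_plus log in the thread).

    Authentication may use minor version 1 (PAP/CHAP/MS-CHAP). Authorization and
    accounting are specified with minor version 0; the flag (an assumption of this
    example) relaxes that as an explicit, per-deployment decision."""
    illegal = f"Illegal packet (version=0x{hdr.version:02x} type=0x{hdr.type:02x})"
    if hdr.major != TAC_PLUS_MAJOR_VER:
        return illegal
    if hdr.type == TAC_PLUS_AUTHEN:
        accepted = {TAC_PLUS_VER_DEFAULT, TAC_PLUS_VER_ONE}
    elif hdr.type in (TAC_PLUS_AUTHOR, TAC_PLUS_ACCT):
        accepted = {TAC_PLUS_VER_DEFAULT}
        if allow_minor_one_for_authz_acct:
            accepted.add(TAC_PLUS_VER_ONE)
    else:
        return illegal
    return None if hdr.version in accepted else illegal


def build_packet(version: int, ptype: int, seq_no: int, session_id: int, body: bytes) -> bytes:
    """Assemble a header plus body; used here only to construct sample packets."""
    return struct.pack(HEADER_FMT, version, ptype, seq_no, 0, session_id, len(body)) + body


# Constructed samples: minor version 1 on an authorization request (what the PAN
# device sends) and on an authentication request. The bodies are zero-filled
# placeholders; real bodies are obfuscated with the shared secret.
SAMPLE_AUTHZ_V1 = build_packet(TAC_PLUS_VER_ONE, TAC_PLUS_AUTHOR, 1, 0x30F53AFD, bytes(27))
SAMPLE_AUTHEN_V1 = build_packet(TAC_PLUS_VER_ONE, TAC_PLUS_AUTHEN, 1, 0x30F53AFD, bytes(27))

if __name__ == "__main__":
    hdr = parse_header(SAMPLE_AUTHZ_V1)
    print(f"major={hdr.major:#x} minor={hdr.minor} type={hdr.type:#04x} body_len={hdr.length}")
    print("strict :", check_version(hdr))
    print("relaxed:", check_version(hdr, allow_minor_one_for_authz_acct=True))
```

Running it prints the decoded header of the authorization sample, the same "Illegal packet (version=0xc1 type=0x02)" message tac_plus logs under the strict check, and None once the relaxed option is on. Keeping the relaxation behind a flag rather than in the comparison itself means a deployment without PAN devices keeps rejecting out-of-spec authorization packets.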

Evan Sink

Jun 3, 2018, 12:13:36 PM
to Event-Driven Servers
Marc,

How would one go about optionally permitting minor version 1? Is this something that can be done in the tac_plus config file, or is this something that would need to be adjusted in the code?

Omid Khazdooz

Oct 23, 2018, 5:00:20 PM
to Event-Driven Servers
Hello,

I am having the same issue. After spending the whole day trying to figure out the problem, I came across this topic. How and where on the server do we apply this patch?
 

Aleksey Mochalin

Oct 26, 2018, 7:07:40 AM
to Event-Driven Servers
Hi there!

Could anyone re-upload the file tac_plus-palo-alto.patch? I need it.

I can see that the Palo Alto authenticated successfully in the first step (authentication).

Device Request: [screenshot 123.JPG]

Tacacs Daemon response: [screenshot 2323.JPG]

The error appeared in the second step (authorization), when the device is trying to get attributes.

Device Request: [screenshot 3344.JPG]

Tacacs Daemon response: [screenshot 4433.JPG]

Hex 0x11 equals decimal 17, and that is why the Palo Alto is writing Return code: 17.


Also, the user that is used in the tac_plus configuration:


user = paloalto {
	login = clear 123123
	pap = clear 123123
	chap = clear 123123
	enable = clear 123123
	member = paloalto
	default service = permit
	### PREDEFINED SERVICE - paloalto
	service = PaloAlto {
		protocol = firewall
		set PaloAlto-Admin-Role = CustomRole
		set priv-lvl = 1
	}
} #END OF paloalto


I think that only Marc can resolve this issue.


Marc, we need your help.


Best Regards, Aleksey




Daniel Hartmeier

Oct 26, 2018, 7:39:16 AM
to event-driv...@googlegroups.com
On Fri, Oct 26, 2018 at 04:07:40AM -0700, Aleksey Mochalin wrote:

> Could anyone re-upload the file tac_plus-palo-alto.patch? I need it.

You can download the patch from the mailing list archive on
https://groups.google.com/forum/#!topic/event-driven-servers/cAxoaXIYgig

The patch still applies cleanly to the current sources
http://www.pro-bono-publico.de/projects/src/DEVEL.201712190728.tar.bz2
if you call patch with -l (ignore whitespace) and -p1 (strip one leading
path component), i.e.

$ patch -l -p1 < tac_plus-palo-alto.patch

Then you'll have to build the binary from sources and install it,
see PROJECTS/README.

And repeat these steps whenever you upgrade, of course.

HTH,
Daniel

Aleksey Mochalin

Oct 26, 2018, 8:34:07 AM
to Event-Driven Servers
Hello Daniel,

Thank you for your answer! You are my hero! It works correctly now!

For others, here is what I did. Open the file ~/PROJECTS/tac_plus/packet.c and replace line 472:
-     if (ctx->in->hdr.version == TAC_PLUS_VER_DEFAULT) {
+     if (ctx->in->hdr.version == TAC_PLUS_VER_DEFAULT || ctx->in->hdr.version == TAC_PLUS_VER_ONE) {
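Review bot: accepting TAC_PLUS_VER_ONE unconditionally on this line contradicts the draft requirement Marc cites earlier in the thread (authorization and accounting use minor version 0), so the relaxed comparison should be gated on a configuration option rather than hard-coded; a site with no PAN devices then keeps the strict check. Also confirm that TAC_PLUS_VER_ONE is already defined in the headers packet.c includes, since the `+` line introduces no definition of it.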

and then replace line 485:
-     if (ctx->in->hdr.version == TAC_PLUS_VER_DEFAULT) {
+     if (ctx->in->hdr.version == TAC_PLUS_VER_DEFAULT || ctx->in->hdr.version == TAC_PLUS_VER_ONE) {
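Review bot: this is the same relaxed comparison as the line-472 hunk, duplicated by hand; factor the accepted-version test into one predicate (for example `version_ok(ctx->in->hdr.version)`) so the two call sites cannot drift apart when the accepted set changes. ctx->in->hdr.version remains the peer-supplied value, so any later code that copies it into a reply header should be checked as well, since it will now carry 0xc1 for these sessions.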

then build the binary. Now it works!

Daniel thank you one more time.

Best Regards, Aleksey

Omid Khazdooz

Oct 27, 2018, 12:32:30 AM
to Event-Driven Servers
Hello Aleksey Mochalin,

I had the same issue a couple of days ago and was able to resolve it thanks to that patch.
I was reading the comments today and saw the snapshot of your configuration file. I should say it was pretty impressive; I liked the way it was organized.
I work in a data center with different vendors: F5, Arista, Cisco, Palo Alto, Accelops.
I was wondering if you could give me a copy of your config so I can use it as a reference.
I am grateful for the help.

Aleksey Mochalin

Oct 27, 2018, 1:54:04 AM
to Event-Driven Servers
Hello Omid,

I don't have any config. I have the project --> tacacsgui. It is based on Marc Huber's daemon.

Best Regards, Aleksey

caixing yang

Mar 20, 2020, 3:08:31 PM
to Event-Driven Servers
Hi Aleksey,
    Would you please share with me how to build the binary after replacing these lines? Thanks very much.

On Friday, October 26, 2018 at 8:34:07 PM UTC+8, Aleksey Mochalin wrote:

caixing yang

Mar 20, 2020, 3:08:32 PM
to Event-Driven Servers
Hi Aleksey,
    Would you please share how to build the binary after replacing these lines? Thanks very much.

On Friday, October 26, 2018 at 8:34:07 PM UTC+8, Aleksey Mochalin wrote:
> Hello Daniel,