tac_plus-ng. No client address received

[MrShy]

Hi Marc

We have some old devices that do not send the client address in the tacacs packet.  We can see entries in the log like this. These are two devices from the same vendor. Some run old versions some are new. I changed IP to 1.2.3.4 from the real IP we got.

2024-02-29 19:09:27 +1100       10.65.90.18     eshy    tty10           pap login succeeded
2024-02-29 19:10:25 +1100       10.65.90.30     eshy    tty10   1.2.3.4      pap login succeeded

Is there a way to check if the client's address is empty? Or was not received?

Regards

Elad

[Marc Huber]

Hi Elad,

On 03.03.2024 01:13, MrShy wrote:
> Is there a way to check if the client's address is empty? Or was not
> received?

Wireshark can decode TACACS+ packets (IIRC the key can be set via
Preferences > Protocols > TACACS+), but I wouldn't run that in a
production environment because it will show the passwords, too.

Other options: running the daemon in debug mode or enabling client-side
debugging.

Cheers,

Marc

[MrShy]

Hi Marc

I mean more in the config file. We are very strict on the source address.  If there is no client address do you set the value to null? Or it is just not defined?

Can a comparison like this be done?

if (client == null)  {

}

If I put an ACL for a list of addresses that are allowed as clients then the devices that do not send the client address fail. When I run in debug it does show that ACL is false. Which is correct. 

As a result, I now need to allow any client address because for some I have nothing to compare to.

I hope that makes sense. I can provide a config sample and collect debug info if needed. 

Cheers,

Elad

[Marc Huber]

Hi Elad,

if (client.adddress == "") { ... }

should work.

Cheers,

Marc

[MrShy]

Hi Marc

That did work.

Thank you

Elad