tac_plus-ng + radius backend

Paulo Roberto Tomasi, Mar 4, 2024, 1:56:52 PM, to Event-Driven Servers
Hello, everyone,

I'm trying to compile and run tac_plus_ng on Debian 12 to learn the new syntax and also test radius backend integration.

At the beginning I had some difficulty installing the dependencies, but after a lot of attempts, ./configure showed me it found LIB-PAM and LIB-PCRE2:

apt update
apt install net-tools build-essential git libpam0g-dev libpcre2-dev

I tried to git clone + compile https://github.com/FreeRADIUS/freeradius-client (to solve message 'Development files were not found for: LIB-FREERADIUS_CLIENT') but I had no success and moved to Perl module: exec = /usr/local/lib/mavis/mavis_tacplus_radius.pl

# output from ./configure:
Development files were found for: LIB-CRYPT, LIB-PAM, LIB-PCRE2, LIB-PTHREAD

#

Now I'm trying to prepare the .conf file to initiate some tests, but it's not accepting two radius servers:

#=========================================================

# vim /usr/local/etc/tac_conf/tac.conf
...
#       You can use either the Perl module ...
        mavis module = external {
        exec = /usr/local/lib/mavis/mavis_tacplus_radius.pl
        setenv RADIUS_HOST = 10.1.2.50:1812,10.1.2.35:1812 # could add more devices here, comma-separated
        setenv RADIUS_SECRET = "N4E1V51!415G3Q566A5M"
        setenv RADIUS_GROUP_ATTR = Class
        setenv RADIUS_PASSWORD_ATTR = Password # defaults to: User-Password
        }


# tac_plus-ng -P /usr/local/etc/tac_conf/tac.conf

#       You can use either the Perl module ...
        mavis module = external {
        exec = /usr/local/lib/mavis/mavis_tacplus_radius.pl
        setenv RADIUS_HOST = 10.1.2.50:1812,1
/usr/local/etc/tac_conf/tac.conf:38: Expected 'action', 'childs', 'exec', 'groupid', 'home', 'script', 'setenv', 'userid' or '}', but got ','
19173: /usr/local/etc/tac_conf/tac.conf:38: Expected 'action', 'childs', 'exec', 'groupid', 'home', 'script', 'setenv', 'userid' or '}', but got ','
19173: Detected fatal configuration error. Exiting.

#=========================================================

What am I doing wrong? Could you give some suggestions?

Paulo Roberto Tomasi, Mar 6, 2024, 12:31:05 PM, to Event-Driven Servers
Hi,

I didn't find a solution (yet) to the previous approach, so I'm now testing tac_plus-ng with the freeradius-client (radmavis) backend.

Yesterday I installed radmavis (freeradius-client) from source (git) and the error about LIB-FREERADIUS_CLIENT was solved:

git clone https://github.com/FreeRADIUS/freeradius-client freeradius-client.git
cd freeradius-client.git/
./configure
make
make install


The code for the Perl module is now disabled and radmavis is enabled in /usr/local/etc/tac_plus-ng.cfg:

        mavis module = external {
                exec = /usr/local/sbin/radmavis "radmavis" "group_attribute=Class" "authserver=10.1.2.50:1812:Shar3d@S3cr3t"
        }

#

Is it possible to configure more than one radius server using radmavis, for high availability?
I didn't find much documentation about the possible arguments/options of radmavis (freeradius-client).

#

Is this the correct way to test authentication from a Linux terminal?

root@tac_plus-ng:/# printf "0 TACPLUS\n4 tomasi\n8 password@123\n49 AUTH\n=\n" | radmavis "group_attribute=Class" "authserver=10.1.2.50:1812:Shar3d@S3cr3t"
0 TACPLUS
4 tomasi
8 password@123
49 AUTH
47 o▒▒
52 1
36 password@123
6 ACK
=0
root@tac_plus-ng:/#


It showed me: 6 ACK

I'm not sure about the command and the output; could you guide me?

Thanks

Marc Huber, Mar 6, 2024, 3:06:09 PM, to event-driv...@googlegroups.com
Hi Paulo,

yes, your "printf .." looks fine (although attribute 47 in your
copy-paste looks weird, as it's not ASCII).

You can check out

https://github.com/FreeRADIUS/freeradius-client/blob/master/etc/radiusclient.conf.in

for libfreeradius-client configuration directives. Multiple servers are
definitely possible, and radmavis(-mt) will accept a configuration file
in freeradius-client syntax, too.

Cheers,

Marc

Paulo Roberto Tomasi, Mar 7, 2024, 7:15:36 AM, to Event-Driven Servers
Hi,

Thanks, Marc, for your help.

" yes, your "printf .." looks fine (although attribute 47 in your
copy-paste looks weird, as it's not ASCII)."

I'm using Windows Server NPS as the RADIUS backend.
Maybe that strange additional (and abnormal) attribute 47 is a bug of NPS.

#

After some tests with freeradius-client, tac_plus-ng allowed me to log in to switch-01.

The command 'ping' was permitted for the read-only group just after login:

switch-01# ping 10.0.0.5
PING 10.0.0.5 (10.0.0.5) 56(84) bytes of data.
64 bytes from 10.0.0.5: icmp_seq=1 ttl=59 time=6.52 ms
64 bytes from 10.0.0.5: icmp_seq=2 ttl=59 time=6.25 ms
64 bytes from 10.0.0.5: icmp_seq=3 ttl=59 time=6.21 ms
64 bytes from 10.0.0.5: icmp_seq=4 ttl=59 time=6.41 ms
64 bytes from 10.0.0.5: icmp_seq=5 ttl=59 time=6.20 ms

--- 10.0.0.5 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 6.198/6.316/6.518/0.125 ms
switch-01#



but some time later (~1 minute) the command was denied:

switch-01# ping 10.0.0.5
Aborted: permission denied
switch-01#

#

It seems the session is being controlled in the /tmp/tacinfo/ directory:

root@tpng:/# cat /tmp/tacinfo/49/491aacf1c1bbe2fccb2692e4023493f2
47 read-only,o▒y
37 1
root@tpng:/#


#

root@tac:/# tac_plus-ng /usr/local/etc/tac_plus-ng.cfg -f -d 4 showed:

9376: 17:25:11.595 12/f42f4318: 10.0.66.198 Start authorization request
9376: 17:25:11.595 12/f42f4318: 10.0.66.198 looking for user tomasi in MAVIS backend
9376: 17:25:11.595 12/f42f4318: 10.0.66.198 result for user tomasi is NAK
9376: 17:25:11.595 12/f42f4318: 10.0.66.198 user 'tomasi' not found, denied by default
9376: 17:25:11.595 12/f42f4318: 10.0.66.198 Writing AUTHOR/FAIL size=18

#

I saw something about RADIUS timeout and session cache here in the discussion list, but I didn't find a solution.

That's the current config for mavis:

id = tac_plus-ng {

        mavis module = tacinfo_cache {
                directory = /tmp/tacinfo0
        }

        mavis module = external {
                exec = /usr/local/sbin/radmavis "radmavis" "group_attribute=Class" "authserver=10.1.2.50:1812:Shar3d@S3cr3t" "authserver=10.1.2.70:1812:Shar3d@S3cr3t"
        }

        login backend = mavis chpass
        pap backend = mavis



Could you help me to solve this?

Thanks

Paulo Roberto Tomasi, Mar 7, 2024, 4:29:53 PM, to Event-Driven Servers

Hi,

I made some changes to the config:

* added 'mavis noauthcache' to try solving the authorization timeout (which was occurring after ~1 minute)
* changed radmavis to radmavis-mt to allow multithreading
* changed group_attribute 'class' to 'reply-message' to get rid of that weird previous response coming from NPS

Is it an acceptable way to configure tac_plus-ng? Am I missing some crucial parameters?

# config

id = tac_plus-ng {

#========================== MAVIS ========================

        mavis noauthcache

        mavis module = external-mt {
                exec = /usr/local/sbin/radmavis-mt radmavis-mt "group_attribute=Reply-Message" "authserver=10.1.2.50:1812:Shar3d@S3cr3t" "authserver=10.1.2.70:1812:Shar3d@S3cr3t"
        }

        user backend = mavis
        login backend = mavis
        pap backend = mavis
...



# radmavis-mt login test using reply-message attribute:

root@tac:~# printf "0 TACPLUS\n4 tomasi\n8 password@123\n49 AUTH\n=\n" | radmavis-mt group_attribute=Reply-Message authserver=10.1.2.50:1812:Shar3d@S3cr3t authserver=10.1.2.70:1812:Shar3d@S3cr3t radius_timeout=2 radius_retries=2
0 TACPLUS
4 tomasi
6 ACK
8 password@123
17 administrator
36 password@123
47 "administrator"
49 AUTH
52 1
=0
root@tac:~#
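As an added example (not code from this thread or from the tac_plus-ng/radmavis projects), here is a small Python driver for the same MAVIS attribute exchange that both printf tests in this thread use: it builds the request, parses the "number value" reply lines up to the "=<code>" terminator, and flags the things the thread ran into (a non-ASCII group attribute 47 from NPS, a missing group attribute, and the plaintext password echoed back in the output). The attribute labels are my own names inferred from the thread's output, not MAVIS constants, and the argv given to query_radmavis is assumed to be the same radmavis(-mt) command line shown above.

```python
import subprocess
from typing import Dict, List, Optional, Tuple

# Attribute numbers as they appear in the thread's radmavis output. The
# labels are this script's own names (assumption), not MAVIS constants.
ATTR_TYPE, ATTR_USER, ATTR_RESULT, ATTR_PASSWORD = 0, 4, 6, 8
ATTR_DBPASSWORD, ATTR_GROUP, ATTR_TACTYPE = 36, 47, 49


def build_mavis_request(user: str, password: str) -> str:
    """The same 'number value' lines the thread feeds to radmavis via printf."""
    return (f"{ATTR_TYPE} TACPLUS\n{ATTR_USER} {user}\n"
            f"{ATTR_PASSWORD} {password}\n{ATTR_TACTYPE} AUTH\n=\n")


def parse_mavis_response(text: str) -> Tuple[Dict[int, str], Optional[int]]:
    """Collect attributes up to the '=<code>' terminator; code is None if absent."""
    attrs: Dict[int, str] = {}
    code: Optional[int] = None
    for line in text.splitlines():
        if line.startswith("="):
            tail = line[1:].strip()
            code = int(tail) if tail.isdigit() else None
            break
        num, _, value = line.partition(" ")
        if num.isdigit():
            attrs[int(num)] = value
    return attrs, code


def check_response(attrs: Dict[int, str], code: Optional[int]) -> List[str]:
    """Findings an operator wants before wiring the backend into tac_plus-ng."""
    findings: List[str] = []
    if code != 0:
        findings.append(f"unexpected exit code {code}")
    if attrs.get(ATTR_RESULT) != "ACK":
        findings.append("result is not ACK")
    group = attrs.get(ATTR_GROUP, "")
    if not group:
        findings.append("no group attribute (47): check group_attribute= matches a reply attribute")
    elif not (group.isascii() and group.isprintable()):
        findings.append("group attribute (47) has non-ASCII bytes: check the RADIUS reply attribute")
    if ATTR_PASSWORD in attrs or ATTR_DBPASSWORD in attrs:
        findings.append("password echoed in attributes 8/36: never log raw radmavis output")
    return findings


def query_radmavis(argv: List[str], user: str, password: str) -> List[str]:
    """Drive the real binary; credentials go on stdin, not argv. Note that
    authserver=...:<secret> in argv is visible to local users via ps; a
    freeradius-client style config file (as Marc notes) keeps it off argv."""
    out = subprocess.run(argv, input=build_mavis_request(user, password),
                         capture_output=True, text=True, check=False).stdout
    return check_response(*parse_mavis_response(out))
```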

Marc Huber, Mar 8, 2024, 10:16:27 AM, to event-driv...@googlegroups.com
Hi Paulo,

I just ran a couple of tests in my lab, without any issues. Could you
please test using the "tactrace.pl" utility?

Yes, the /tmp/tacinfo/49/491aacf1c1bbe2fccb2692e4023493f2 file you're
seeing is actually caching group memberships and other attributes for
authorization. The hex string is the MD5 sum of username, server IP,
client IP and realm. If the TACACS+ request matches that checksum, then
the cached data will be used.

Cheers,

Marc


Paulo Roberto Tomasi, Mar 8, 2024, 10:29:22 AM, to Event-Driven Servers
Hi,

Thanks for your reply

I think I found the solution. Instead of 'mavis noauthcache' I configured 1h for cache timeout:

        mavis cache timeout = 3600


        mavis module = tacinfo_cache {
                directory = /tmp/tacinfo
        }

Now I can execute the authorized commands for exactly 1 hour (as expected).

# login at 09:50:21

switch-01# who
Session User         Context From          Proto Date     Mode
*23264  tomasi       cli     10.1.1.10     ssh   09:50:21 operational
switch-01#


# command 'ping 10.1.0.5' authorized at 10:50:20 (within the 1h cache timeout)
# command 'ping 10.1.0.5' denied at 10:50:26 (outside the 1h cache timeout)

2024-03-08 10:49:04 -0400       10.1.1.198   tomasi    mgmt    10.1.1.10   config  permit  shell   ping 10.1.0.5 <cr>
2024-03-08 10:50:20 -0400       10.1.1.198   tomasi    mgmt    10.1.1.10   config  permit  shell   ping 10.1.0.5 <cr>
2024-03-08 10:50:26 -0400       10.1.1.198   tomasi    mgmt    10.1.1.10           deny    shell   ping 10.1.0.5 <cr>


#

It seems the default mavis cache timeout is 1 minute without the ' mavis cache timeout' configured, right?


Best regards,
Paulo Roberto Tomasi

Marc Huber, Mar 9, 2024, 3:18:26 AM, to event-driv...@googlegroups.com
Hi Paulo,

"mavis cache timeout" defaults to 120 seconds. Increasing that may help
if the switch always connects to the same tac_plus-ng worker process
(e.g. because of single-connection).

The tacinfo_cache module places the user attributes on disk, making it
available to all worker processes. I've no idea why this doesn't work
for you.

Cheers,

Marc



Paulo Roberto Tomasi, Mar 10, 2024, 7:13:13 PM, to Event-Driven Servers
Hi,

It's working now.

After all the exhausting tests I think I got it:

I can use either:

* 'mavis noauthcache' to disable local caching and request authorization from the RADIUS server for each command (worked perfectly, but overloads the RADIUS server), or...

* combine 'mavis cache timeout' with a higher value than default (120 seconds like you said) + 'mavis module = tacinfo_cache' to cache authorization locally for the period defined by the 'mavis cache timeout' parameter (also worked perfectly)

Thanks for all the information provided

Best regards,
Paulo Roberto Tomasi
