tac_plus-ng: strange behaviour at user lookup


Filip Beran

Feb 14, 2023, 6:54:17 AM
to Event-Driven Servers

Hi Marc,
I am actually facing strange behaviour of tac_plus-ng when looking up a user's password. Please see the attachments containing my test configuration and the debug outputs for the login attempts (the filename contains the type of attempt and the target device).
I need to set specific A/V pairs for specific devices, so I filter them in the profile body with the condition "if (acl = device_ACI)". I'm not sure whether my profile "shell_RW" and the ACL applied in it are evaluated correctly.
Here is a short snapshot of my config:

    acl device_ACI {if ( nas-name =~ /^apic.*\.dscen\.cz$/) permit deny}

    profile shell_RW {
        script {
            if (service == shell) {
                if ( user =~ /test_fb$/) {
                    if (acl = device_ACI) {
                    #if ( nas-name =~ /^apic/) {
                        set shell:domains = all/admin/
                        permit
                    }
                    if (cmd == "") {
                        set priv-lvl = 15
                        permit
                    }
                }
                deny
            }
        }
    }


I expect the locally configured password (in tac_plus-ng.conf) to have the highest preference; unfortunately, in my configuration this is not always true. I would like to understand why.
I use the account "test_fb", which is a standard Linux user and is also configured locally in tac_plus-ng.conf with a specific password (the local password is different from the one the Linux user has).
What I actually see is that the same user "test_fb" needs a different password depending on the condition "if (acl = device_ACI) {".
If I try to log in with user="test_fb" to an apic device, then authentication accepts the locally stored password in tac_plus-ng.cfg (this I think is ok).
If I try to log in with user="test_fb" to any other device except an apic device, then the authentication process accepts only the Linux account password (for the local password I get DENY from the tac_plus-ng server).
This is quite strange behaviour, and I don't understand why the same password is not always required for the same username.
I would expect the same username to always be evaluated against the same password (either the Linux account password or the local password in tac_plus-ng.conf).

Have I missed something in tac_plus-ng documentation? Or is it a bug?

Thank you.

Regards,
Filip
tac_plus-ng.cfg_20230214
test_fb__access_to_cisco_router___linux_passwd__ACCEPT.txt
test_fb__access_to_cisco_router___local_tacplusng_passwd__DENY.txt
test_fb__access_to_cisco_apic___local_tacplusng_passwd__ACCEPT.txt

Marc Huber

Feb 14, 2023, 10:37:20 AM
to Event-Driven Servers
Hi Filip,

if a PAP password is set in the user context, then PAP requests will not be handled by the MAVIS backend. The same is true for login passwords. Your APIC device issues a PAP request, and that results in the pre-set PAP password being used:

60088: 12:22:41.575 0/01009d46: 100.64.127.75 AUTHEN/START, priv_lvl=1
60088: 12:22:41.575 0/01009d46: 100.64.127.75 action=login (1)
60088: 12:22:41.575 0/01009d46: 100.64.127.75 authen_type=pap (2)
60088: 12:22:41.575 0/01009d46: 100.64.127.75 service=login (1)

The other device uses ASCII login and, as no login password is set, queries PAM (via the MAVIS backend):

60088: 12:29:58.450 4/b60aaa9e: 100.64.127.77 AUTHEN/START, priv_lvl=1
60088: 12:29:58.450 4/b60aaa9e: 100.64.127.77 action=login (1)
60088: 12:29:58.450 4/b60aaa9e: 100.64.127.77 authen_type=ascii (1)
60088: 12:29:58.450 4/b60aaa9e: 100.64.127.77 service=login (1)

Cheers,

Marc
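
As an added illustration (not part of the thread and not tac_plus-ng project code), the following Python helper groups debug lines like the ones quoted above by session id and applies the rule from the reply: a password pre-set in the user context short-circuits the MAVIS backend for that authentication type. The `pap_password_set` and `login_password_set` flags stand in for the operator's user-context configuration and are assumptions; the sample log is the constructed copy of the lines quoted above.

```python
import re
from collections import OrderedDict

# Constructed sample: the two sessions quoted in the thread (PAP from the
# APIC at .75, ASCII login from the router at .77). Line layout is
# "<pid>: <time> <session>: <nas-ip> <key>=<value> (<n>)".
SAMPLE_LOG = """\
60088: 12:22:41.575 0/01009d46: 100.64.127.75 AUTHEN/START, priv_lvl=1
60088: 12:22:41.575 0/01009d46: 100.64.127.75 action=login (1)
60088: 12:22:41.575 0/01009d46: 100.64.127.75 authen_type=pap (2)
60088: 12:22:41.575 0/01009d46: 100.64.127.75 service=login (1)
60088: 12:29:58.450 4/b60aaa9e: 100.64.127.77 AUTHEN/START, priv_lvl=1
60088: 12:29:58.450 4/b60aaa9e: 100.64.127.77 action=login (1)
60088: 12:29:58.450 4/b60aaa9e: 100.64.127.77 authen_type=ascii (1)
60088: 12:29:58.450 4/b60aaa9e: 100.64.127.77 service=login (1)
"""

LINE_RE = re.compile(
    r"^(?P<pid>\d+): (?P<time>\S+) (?P<session>\S+): (?P<nas>\S+) (?P<rest>.*)$"
)
# Only "key=value" fields are collected; "AUTHEN/START, priv_lvl=1" is skipped.
KV_RE = re.compile(r"^(?P<key>[\w/]+)=(?P<value>\S+)")

def parse_sessions(text):
    """Group debug lines by session id and collect their key=value fields."""
    sessions = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sess = sessions.setdefault(m["session"], {"nas": m["nas"]})
        kv = KV_RE.match(m["rest"])
        if kv:
            sess[kv["key"]] = kv["value"]
    return sessions

def password_source(authen_type, pap_password_set, login_password_set):
    """Which credential store answers this request, per the rule in the reply.
    The two flags are assumptions about the user-context configuration."""
    if authen_type == "pap":
        return "user-context PAP password" if pap_password_set else "MAVIS backend"
    if authen_type == "ascii":
        return "user-context login password" if login_password_set else "MAVIS backend"
    return "unknown"

def summarize(text, pap_password_set=True, login_password_set=False):
    """Map session id -> (nas-ip, authen_type, password source)."""
    return {
        sid: (s["nas"], s.get("authen_type", "?"),
              password_source(s.get("authen_type"), pap_password_set, login_password_set))
        for sid, s in parse_sessions(text).items()
    }
```

With the defaults (PAP password set, no login password, as in the thread) the APIC session resolves to the pre-set PAP password and the router session to the MAVIS backend, which is the asymmetry the original question describes.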

Filip Beran

Feb 14, 2023, 1:04:02 PM
to Event-Driven Servers
Hi Marc,

thank you a lot for the very quick response! Now it is clear to me :-).
I probably wasn't careful enough when reading the documentation. I have looked again in the documentation, and sections 4.2.3.12 and 4.2.3.18 probably explain this logic.

Another question of mine concerns the use of the syntax "if (acl = device_ACI) {}" in the profile shell_RW. Is that correct usage in my config? I'm a little worried by the debug output when this condition is evaluated at login to an ACI device:
60088: 12:22:41.581 1/0100a52e: 100.64.127.75 evaluating ACL device_ACI
60088: 12:22:41.581 1/0100a52e: 100.64.127.75 pcre2: '^apic' <=> 'apic2.dscen.cz' = 1
60088: 12:22:41.581 1/0100a52e: 100.64.127.75  line 97: [nas-name] <pcre-regex> '^apic' => true
60088: 12:22:41.581 1/0100a52e: 100.64.127.75  line 97: [permit]
60088: 12:22:41.581 1/0100a52e: 100.64.127.75 ACL device_ACI: match
60088: 12:22:41.581 1/0100a52e: 100.64.127.75  line 103: [<unknown>] acl '' => true

What exactly does the output "[<unknown>] acl '' => true" say?


Thank you a lot,

Regards,

Filip