tac_plus-ng : ldap auth working , but local tacacs account not working


sergiu daniel

Jun 4, 2024, 3:23:21 PM
to Event-Driven Servers
Hello,
I am struggling with an issue for the last 2 days.
Based on my config, I am able to connect via LDAP AD account, but when I use the local defined user which resides in the tacacs-ng config, it does not work.
I am not able to identify my issue.
Version: 51a7dfaa20a2ff5eccec5e26825d34e6acde3e69/PCRE2/CRYPTO/ARES/CURL/SSL
I appreciate any help or guidance, thank you.
I have the following configuration set up:
-----------------------------------------------------------------------
#!/usr/local/sbin/tac_plus-ng
id = spawnd {
        listen = { port = 49 }
        spawn = {
                instances min = 1
                instances max = 10
        }
        background = yes
}

id = tac_plus-ng
        {

##### LDAP-Config-Start #####
        mavis module = groups {
                groups filter = /^(CN=AdminSupport,)|(CN=NetworkSupport)$/
                memberof filter = /^(CN=AdminSupport,)|(CN=NetworkSupport)/
        }

        mavis module = external {
        setenv LDAP_SERVER_TYPE = "microsoft"
        setenv LDAP_HOSTS = "ldaps://example.com:3269"
        setenv LDAP_SCOPE = sub
        setenv LDAP_BASE = "DC=contiwan,DC=com"
        setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
        setenv LDAP_USER = "cn=service-account"
        setenv LDAP_PASSWD = "password123"
        setenv UNLIMIT_AD_GROUP_MEMBERSHIP = 1
        setenv AD_GROUP_PREFIX = ""
        setenv FLAG_CACHE_CONNECTION = 1
        setenv FLAG_USE_MEMBEROF = 1
        exec = /usr/local/lib/mavis/mavis_tacplus-ng_ldap.pl
        }

        login backend = mavis
        user backend = mavis
        pap backend = mavis
##### LDAP-Config-End #####

##### Host/Devices-subnets-config-file-Start #####

        device conti {
                include = /config/world.locations
                }

#content of world.locations
#    device = local-it {
#        address = 10.10.10.0/25
#        welcome banner = "\nConnection by Tacacs Server ${hostname}\n"
#        key = asdasdasd
#        }

##### Host/Devices-subnets-config-file-End #####


##### Profiles-Config-Start #####
        profile admins {
                script {
                        if (service == shell) {
                                set priv-lvl = 15
                        permit
                        }
                        if (service == "ciscowlc") {
                                set role1 = "ALL"
                        permit
                        }
                        if (service == "cas-service") {
                        set protocol = "permit"
                        set custom-av-pair = "Role=SUPER-ADMIN-ROLE"
                        set priv-lvl = 15
                        permit
                        }
                }
        }

        profile backups {
                script {
                        if (service == shell) {
                                set priv-lvl = 15
                        permit
                        }
                        if (service == "ciscowlc") {
                                set role1 = "ALL"
                        permit
                        }
                        if (service == "cas-service") {
                        set protocol = "permit"
                        set custom-av-pair = "Role=RESTAPI"
                        set priv-lvl = 15
                        permit
                        }
                }
        }


        profile admin_LIT {
                script {
                        if (service == shell) {
                                if (cmd == "")
                                        set priv-lvl = 15
                                permit
                        }
                        if (service == ciscowlc) {
                                if (cmd == "")
                                        set role1 = ALL
                                permit
                        }
                        if (service == cas-service) {
                                if (cmd == "")
                                        set priv-lvl = 15
                                        set custom-av-pair="Role=LITM"
                                permit
                        }
                }
        }


        group admins { member = admins }
        group backups { member = backups }
        group admin_LIT { member = admin_LIT }

        user = swbackup {
        password login = clear "test123"
        member = backups
        }

        ruleset {

                rule localaccounts {
                        enabled = yes
                        script {
                                if (member == admins) { profile = admins permit }
                                if (member == backups) { profile = backups permit }
                        }
                }

                rule scs {
                        enabled = yes
                        script {
                        if (memberof =~ /^CN=AdminSupport,/) { profile = admins permit }
                        }
                }

                rule localit {
                        enabled = yes
                        script {
########################NAFTA##
                        if (nas == local-it) { if (memberof =~ /^CN=NetworkSupport,/ ) {profile = admin_LIT permit}}
                        }
                }

        }
        }
##### Ruleset-Config-End #####
---------------------------------------------------------------------------------------

sergiu daniel

Jun 5, 2024, 2:15:24 AM
to Event-Driven Servers
As an update: If I move the swbackup user from group backups to group admins, then the authentication works.
If I move it back to group backups, authentication fails.

Marc Huber

Jun 6, 2024, 4:34:30 AM
to event-driv...@googlegroups.com
Hi,

the "service == shell" condition from the backup profile seems
malformed. It lacks the 'if (cmd = "")' part, resulting in priv-lvl=15
being set unconditionally. I'd try adjusting this first. Please provide
some debug output if that doesn't fix the issue.

Cheers,

Marc


On 05.06.2024 08:15, sergiu daniel wrote:
> As an update: If I move the swbackup user from group backups to group
> admins, then the authentication works.
> If I move it back to group backups, authentication fails.
>
> profile backups {
>                 script {
>                         if (service == shell) {
>                                 set priv-lvl = 15
>                         permit
>                         }
>
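Marc's suggestion applied to the posted backups profile, as an added example that is not part of the thread: it uses the guarded form the original config already has in profile admin_LIT, and assumes the localaccounts rule keeps matching on member == backups. Whether this alone resolves the reported failure is not confirmed in the thread.

```text
# Assumed corrected form of the backups profile (added example, not from the thread):
# every service branch checks for an empty cmd before setting attributes,
# so priv-lvl 15 and the role pairs are only returned for the session
# authorization, not unconditionally for every command authorization.
profile backups {
        script {
                if (service == shell) {
                        if (cmd == "") {
                                set priv-lvl = 15
                                permit
                        }
                }
                if (service == "ciscowlc") {
                        if (cmd == "") {
                                set role1 = "ALL"
                                permit
                        }
                }
                if (service == "cas-service") {
                        if (cmd == "") {
                                set protocol = "permit"
                                set custom-av-pair = "Role=RESTAPI"
                                set priv-lvl = 15
                                permit
                        }
                }
        }
}

# The rule from the original post, unchanged: the local user swbackup is
# still selected through its group membership rather than by user name.
ruleset {
        rule localaccounts {
                enabled = yes
                script {
                        if (member == admins) { profile = admins permit }
                        if (member == backups) { profile = backups permit }
                }
        }
}
```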

sergiu daniel

Jun 6, 2024, 7:55:32 AM
to Event-Driven Servers
Hi Marc,
I also used the:
       profile backup {

                script {
                        if (service == shell) {
                                if (cmd == "") {set priv-lvl = 15 permit }
                        }
                }
        }

I managed to solve it (maybe it is a workaround) by using this:
                rule localaccounts {
                        enabled = yes
                        script {
                                if (user == swbackup) { profile = usertest permit }

                                if (member == admins) { profile = admins permit }
                        }
                }
in the ruleset (the "user == swbackup" line, simply defining user == instead of member ==).
I am not sure if this would be the normal method/behavior.