Hello,
First of all I would like to say that I really like this program! It made it possible for us to centralize our network device logons, which is great!
Although I am having an issue with one thing. Currently I am trying to make TACACS+ NG work with our Cisco ASA devices, logging in with the HTTPS ASDM interface. I can connect to the TACACS server but it seems that TACACS+ NG first tries a user lookup for local users.
We are running the following configuration:
########################### The main tacacs.cfg config ################################
id = spawnd {
listen = { address = 0.0.0.0 port = 8900 realm = test }
listen = { address = 0.0.0.0 port = 8901 realm = cisco }
listen = { address = 0.0.0.0 port = 8910 realm = fortigate }
spawn = {
instances min = 1
instances max = 10
}
background = yes
}
id = tac_plus-ng {
log authzlog { destination = /var/log/tac_plus/authz/%Y/%m.log }
log authclog { destination = /var/log/tac_plus/authc/%Y/%m.log }
log acctlog { destination = /var/log/tac_plus/acct/%Y/%m.log }
accounting log = acctlog
authentication log = authclog
authorization log = authzlog
connection timeout = 1200
context timeout = 3600
realm test {
include = realm_test.cfg
}
realm cisco {
include = realm_cisco.cfg
}
realm fortigate {
include = realm_fortigate.cfg
}
}
########################## The realm_test.cfg content #################################
mavis module = groups {
memberof filter = /^CN=_TACACS_cisco/
}
mavis module = external {
setenv LDAP_SERVER_TYPE = "microsoft"
setenv LDAP_HOSTS = "ldaps://domain.local"
setenv LDAP_SCOPE = sub
setenv LDAP_BASE = "DC=domain,DC=local"
setenv LDAP_FILTER = "(&(objectClass=user)(objectClass=person)(sAMAccountName=%s))"
setenv LDAP_USER = "xx...@domain.local"
setenv LDAP_PASSWD = "xxxxxxx"
setenv TACACS_GROUP_PREFIX = "_TACACS_"
setenv REQUIRE_TACACS_GROUP_PREFIX = 1
setenv UNLIMIT_AD_GROUP_MEMBERSHIP = 1
exec = /usr/local/lib/mavis/mavis_tacplus-ng_ldap.pl
}
login backend = mavis
user backend = mavis
pap backend = mavis
host world {
address = 0.0.0.0/0
include = banner_welcome.cfg
include = banner_motd.cfg
include = banner_reject.cfg
key = <key>
}
profile cisco_readwrite {
script {
if (service == shell) {
if (cmd == "")
set priv-lvl = 15
permit
}
}
}
profile cisco_readonly {
enable = deny
script {
if (service == shell) {
if (cmd == "")
set priv-lvl = 1
permit
}
}
}
ruleset {
rule {
script {
if (memberof =~ /^CN=_TACACS_cisco_rw,/) { profile = cisco_readwrite permit }
if (memberof =~ /^CN=_TACACS_cisco_ro,/) { profile = cisco_readonly permit }
}
}
}
Start the tac_plus-ng program with /usr/local/sbin/tac_plus-ng -f tacacs.cfg -d 4
When I connect with a device to port 8900 (test realm) and enter my administrator account as user name, it says "user lookup failed".
14007: 14:55:48.125 3/efa63828: 192.168.127.221 authen: hdr->seq_no: 1
14007: 14:55:48.125 3/efa63828: 192.168.127.221 looking for user <my adminstrator username> realm test
14007: 14:55:48.125 3/efa63828: 192.168.127.221 user lookup failed
When I add the following to the realm_test.cfg:
user <my administrator username> {
}
I get the following result:
/usr/local/sbin/tac_plus-ng -f tacacs.cfg -d 4
14053: 15:00:39.419 0/00000000: - Version 982a4039609a0af4cafaa6f7d1a69ca93886712f initialized
14053: 15:00:48.103 0/bf039f07: 192.168.127.221 authen: hdr->seq_no: 1
14053: 15:00:48.103 0/bf039f07: 192.168.127.221 looking for user <my administrator username> realm test
14053: 15:00:48.103 0/bf039f07: 192.168.127.221 user lookup succeded
It seems to me that the first lookup attempt is not being forwarded directly to the mavis backend but that there is first a check of local users.
Is there a way to force the user lookup to the mavis backend? I don't want to configure the users in the tacacs configuration.
The Fortigate and the Cisco realm do the same. With the Cisco IOS device SSH logins I first need to enter the username, then I get the welcome banner and need to enter my password. After that I am logged in. In the console I see the following:
/usr/local/sbin/tac_plus-ng -f tacacs.cfg -d 4
14069: 15:05:31.563 0/00000000: - Version 982a4039609a0af4cafaa6f7d1a69ca93886712f initialized
14069: 15:05:35.105 0/4787991c: 192.168.127.23 authen: hdr->seq_no: 1
14069: 15:05:35.105 0/4787991c: 192.168.127.23 looking for user <my admin username> realm cisco
14069: 15:05:35.105 0/4787991c: 192.168.127.23 user lookup failed
# Now I get asked to enter my password
14069: 15:05:38.919 0/4787991c: 192.168.127.23 authen: hdr->seq_no: 3
14069: 15:05:38.919 0/4787991c: 192.168.127.23 looking for user <my admin username> realm cisco
14069: 15:05:38.919 0/4787991c: 192.168.127.23 user lookup failed
14069: 15:05:38.919 0/4787991c: 192.168.127.23 looking for user <my admin username> in MAVIS backend
{ member = "cisco_rw",
_adm_marco:1: Group 'cisco_rw' not found.
14069: _adm_marco:1: Group 'cisco_rw' not found.
{ member = "cisco_rw","fortigate_rw"
_adm_marco:1: Group 'fortigate_rw' not found.
14069: _adm_marco:1: Group 'fortigate_rw' not found.
14069: 15:05:39.131 0/4787991c: 192.168.127.23 result for user <my admin username> is ACK
14069: 15:05:39.131 0/4787991c: 192.168.127.23 looking for user <my admin username> realm cisco
14069: 15:05:39.131 0/4787991c: 192.168.127.23 user lookup succeded
14069: 15:05:39.131 0/4787991c: 192.168.127.23 shell login for '<my admin username>' (realm: cisco) from 192.168.127.142 on tty11 succeeded (profile=cisco_readwrite)
In LDAP I have 4 groups:
_TACACS_cisco_rw
_TACACS_cisco_ro
_TACACS_fortigate_rw
_TACACS_fortigate_ro
My administrator account is a member of both rw groups.
Any help is much appreciated.
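Added example, not from the post above and not part of tac_plus-ng: a small Python script that groups the -d 4 debug lines by session id and reports, per session, whether the local user lookup missed, whether the MAVIS backend was consulted afterwards and what it answered, and which groups the daemon reported as not found. The sample log and the adm_user name are constructed from the lines quoted in the post.

```python
import re

# Constructed sample of tac_plus-ng "-d 4" output, modelled on the lines quoted in the post;
# "adm_user" is a placeholder. The MAVIS script's "Group ... not found" line has no session prefix.
SAMPLE_LOG = """\
14007: 14:55:48.125 3/efa63828: 192.168.127.221 authen: hdr->seq_no: 1
14007: 14:55:48.125 3/efa63828: 192.168.127.221 looking for user adm_user realm test
14007: 14:55:48.125 3/efa63828: 192.168.127.221 user lookup failed
14069: 15:05:35.105 0/4787991c: 192.168.127.23 authen: hdr->seq_no: 1
14069: 15:05:35.105 0/4787991c: 192.168.127.23 user lookup failed
14069: 15:05:38.919 0/4787991c: 192.168.127.23 authen: hdr->seq_no: 3
14069: 15:05:38.919 0/4787991c: 192.168.127.23 looking for user adm_user in MAVIS backend
14069: adm_user:1: Group 'cisco_rw' not found.
14069: 15:05:39.131 0/4787991c: 192.168.127.23 result for user adm_user is ACK
14069: 15:05:39.131 0/4787991c: 192.168.127.23 shell login for 'adm_user' (realm: cisco) from 192.168.127.142 on tty11 succeeded (profile=cisco_readwrite)
"""
LINE_RE = re.compile(r"^\d+: [\d:.]+ \d+/(?P<sid>[0-9a-f]+): (?P<peer>\S+) (?P<msg>.*)$")

def parse_sessions(text):
    # Group the debug lines by TACACS+ session id and record what each session did.
    sessions, cur = {}, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # MAVIS script output has no session prefix: attach it to the current session
            g = re.search(r"Group '([^']+)' not found", line)
            if g and cur is not None:
                cur["missing_groups"].append(g.group(1))
            continue
        cur = sessions.setdefault(m["sid"], {"peer": m["peer"], "seq": [], "local_failed": 0,
               "mavis": False, "mavis_result": None, "missing_groups": []})
        msg = m["msg"]
        if msg.startswith("authen: hdr->seq_no: "):
            cur["seq"].append(int(msg.rsplit(" ", 1)[1]))
        elif msg.endswith("in MAVIS backend"):
            cur["mavis"] = True
        elif msg == "user lookup failed":  # miss in the local user table, which is checked before MAVIS
            cur["local_failed"] += 1
        elif (r := re.match(r"result for user \S+ is (\S+)", msg)):
            cur["mavis_result"] = r.group(1)
    return sessions

def verdict(s):
    # One-line reading of a session: a local miss followed by a MAVIS ACK is not a failure.
    if not s["mavis"]:
        return "local lookup failed at seq %s; MAVIS backend was not consulted" % s["seq"]
    parts = ["MAVIS consulted after seq %d, result %s" % (s["seq"][-1], s["mavis_result"])]
    if s["missing_groups"]:
        parts.append("groups named by MAVIS that the daemon did not find: " + ", ".join(s["missing_groups"]))
    return "; ".join(parts)
```

Run against a real -d 4 capture, the verdict separates sessions where only the local table missed from those where MAVIS was reached and returned a result.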