Login attempt first tries local user lookup instead of mavis LDAP backend


Marco Bakker

Apr 15, 2024, 12:32:52 PM
to Event-Driven Servers
Hello,

First of all I would like to say that I really like this program! We made it possible to centralize our network device logons which is great!

Although I am having an issue with one thing. Currently I am trying to make TACACS+ NG work with our Cisco ASA devices, logging in with the HTTPS ASDM interface. I can connect to the TACACS server but it seems that TACACS+ NG first tries a user lookup for local users.

We are running the following configuration:
########################### The main tacacs.cfg config ################################
id = spawnd {
        listen = { address = 0.0.0.0 port = 8900 realm = test }
        listen = { address = 0.0.0.0 port = 8901 realm = cisco }
        listen = { address = 0.0.0.0 port = 8910 realm = fortigate }
        spawn = {
                instances min = 1
                instances max = 10
        }
        background = yes
}


id = tac_plus-ng {
        log authzlog { destination = /var/log/tac_plus/authz/%Y/%m.log }
        log authclog { destination = /var/log/tac_plus/authc/%Y/%m.log }
        log acctlog  { destination = /var/log/tac_plus/acct/%Y/%m.log }
        accounting log = acctlog
        authentication log = authclog
        authorization log = authzlog

        connection timeout = 1200
        context timeout = 3600

        realm test {
                include = realm_test.cfg
        }

        realm cisco {
                include = realm_cisco.cfg
        }

        realm fortigate {
                include = realm_fortigate.cfg
        }
}

########################## The realm_test.cfg content #################################
mavis module = groups {
        memberof filter = /^CN=_TACACS_cisco/
}


mavis module = external {
        setenv LDAP_SERVER_TYPE = "microsoft"
        setenv LDAP_HOSTS = "ldaps://domain.local"
        setenv LDAP_SCOPE = sub
        setenv LDAP_BASE = "DC=domain,DC=local"
        setenv LDAP_FILTER = "(&(objectClass=user)(objectClass=person)(sAMAccountName=%s))"
        setenv LDAP_USER = "xx...@domain.local"
        setenv LDAP_PASSWD = "xxxxxxx"
        setenv TACACS_GROUP_PREFIX = "_TACACS_"
        setenv REQUIRE_TACACS_GROUP_PREFIX = 1
        setenv UNLIMIT_AD_GROUP_MEMBERSHIP = 1

        exec = /usr/local/lib/mavis/mavis_tacplus-ng_ldap.pl
}

login backend = mavis
user backend = mavis
pap backend = mavis

host world {
        address = 0.0.0.0/0
        include = banner_welcome.cfg
        include = banner_motd.cfg
        include = banner_reject.cfg
        key = <key>
}

profile cisco_readwrite {
        script {
                if (service == shell) {
                        if (cmd == "")
                        set priv-lvl = 15
                        permit
                }
        }
}


profile cisco_readonly {
        enable = deny
        script {
                if (service == shell) {
                        if (cmd == "")
                        set priv-lvl = 1
                        permit
                }
        }
}

ruleset {
        rule {
                script {
                        if (memberof =~ /^CN=_TACACS_cisco_rw,/) { profile = cisco_readwrite permit }
                        if (memberof =~ /^CN=_TACACS_cisco_ro,/) { profile = cisco_readonly permit }
                }
        }
}

Start up the tac_plus-ng program with /usr/local/sbin/tac_plus-ng -f tacacs.cfg -d 4
When I connect with a device to port 8900 (test realm) and enter my administrator account as user name it says "user lookup failed".
14007: 14:55:48.125 3/efa63828: 192.168.127.221 authen: hdr->seq_no: 1
14007: 14:55:48.125 3/efa63828: 192.168.127.221 looking for user <my administrator username> realm test
14007: 14:55:48.125 3/efa63828: 192.168.127.221 user lookup failed

When I add the following to the realm_test.cfg:
user <my administrator username> {
}

I get the following result:
/usr/local/sbin/tac_plus-ng -f tacacs.cfg -d 4
14053: 15:00:39.419 0/00000000: - Version 982a4039609a0af4cafaa6f7d1a69ca93886712f initialized
14053: 15:00:48.103 0/bf039f07: 192.168.127.221 authen: hdr->seq_no: 1
14053: 15:00:48.103 0/bf039f07: 192.168.127.221 looking for user  <my administrator username> realm test
14053: 15:00:48.103 0/bf039f07: 192.168.127.221 user lookup succeded

It seems to me that the first lookup attempt is not being forwarded directly to the mavis backend but that there is first a check of local users.

Is there a way to force the user lookup to the mavis backend? I don't want to configure the users in the TACACS configuration.

The Fortigate and the Cisco realm do the same. With the Cisco IOS device SSH logins I first need to enter the username, I get the welcome banner and need to enter my password. After that I am logged in. In the console I see the following:
/usr/local/sbin/tac_plus-ng -f tacacs.cfg -d 4
14069: 15:05:31.563 0/00000000: - Version 982a4039609a0af4cafaa6f7d1a69ca93886712f initialized
14069: 15:05:35.105 0/4787991c: 192.168.127.23 authen: hdr->seq_no: 1
14069: 15:05:35.105 0/4787991c: 192.168.127.23 looking for user <my admin username> realm cisco
14069: 15:05:35.105 0/4787991c: 192.168.127.23 user lookup failed
# Now I get asked to enter my password
14069: 15:05:38.919 0/4787991c: 192.168.127.23 authen: hdr->seq_no: 3
14069: 15:05:38.919 0/4787991c: 192.168.127.23 looking for user <my admin username> realm cisco
14069: 15:05:38.919 0/4787991c: 192.168.127.23 user lookup failed
14069: 15:05:38.919 0/4787991c: 192.168.127.23 looking for user <my admin username> in MAVIS backend
{ member = "cisco_rw",
_adm_marco:1: Group 'cisco_rw' not found.
14069: _adm_marco:1: Group 'cisco_rw' not found.
{ member = "cisco_rw","fortigate_rw"
_adm_marco:1: Group 'fortigate_rw' not found.
14069: _adm_marco:1: Group 'fortigate_rw' not found.
14069: 15:05:39.131 0/4787991c: 192.168.127.23 result for user <my admin username> is ACK
14069: 15:05:39.131 0/4787991c: 192.168.127.23 looking for user <my admin username> realm cisco
14069: 15:05:39.131 0/4787991c: 192.168.127.23 user lookup succeded
14069: 15:05:39.131 0/4787991c: 192.168.127.23 shell login for ' <my admin username> ' (realm: cisco) from 192.168.127.142 on tty11 succeeded
(profile=cisco_readwrite)

In LDAP I have 4 groups:
_TACACS_cisco_rw
_TACACS_cisco_ro
_TACACS_fortigate_rw
_TACACS_fortigate_ro

My administrator account is member of both rw groups.
Any help is much appreciated.

Marc Huber

Apr 15, 2024, 2:57:16 PM
to event-driv...@googlegroups.com
Hi Marco,

Please start by validating your Perl backend configuration. Something
along the lines of

  printf "0 TACPLUS\n4 <your admin username>\n49 INFO\n=\n" | \
    env LDAP_HOSTS="ldaps://domain.local" LDAP_BASE="DC=domain,DC=local" ... \
    /usr/local/lib/mavis/mavis_tacplus-ng_ldap.pl

should succeed.

Yes, local user lookup is tried first, but there's no need to configure
non-local users, this is cared for with the "user backend = mavis"
configuration you already have in place.

The "Group '...' not found." warnings are non-fatal and just hint to
possible configuration errors. You can safely ignore those if you're
evaluating the memberOf attribute only.

Also, I strongly recommend using tac_plus-ng/perl/tactrace.pl to
simplify configuration validation.

Cheers,

Marc



On 15.04.2024 15:13, Marco Bakker wrote:
> Hello,
>
> First of all I would like to say that I really like this program! We
> made it possible to centralize our network device logons which is great!
>
> Although I am having an issue with one thing. Currently I am trying to
> make TACACS+ NG work with our Cisco ASA devices. Logging in with the
> HTTPS ASDM interface. I can connect to the TACACS server but it seems
> that TACACS+ NG first tries a user lookup for local users.
>
> We are running the following configuration:
<snip>
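As an added example (not code from this thread and not part of tac_plus-ng), the following POSIX shell script wraps the backend check Marc suggests above and replays the ruleset from Marco's realm_test.cfg against sample memberOf DNs, so you can see offline which profile the first matching rule selects before testing from a device. The backend path and the LDAP_* / TACACS_* variable names are copied from the thread's configuration; the bind credentials are read from the caller's environment rather than hard-coded; the DNs in the test are constructed and their OU=Groups component is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread or the tac_plus-ng project.
# Assumptions (labelled): backend path and LDAP_* names as in realm_test.cfg;
# LDAP_USER / LDAP_PASSWD must be exported by the caller.

BACKEND=/usr/local/lib/mavis/mavis_tacplus-ng_ldap.pl

# Build the MAVIS INFO request for one user, exactly as Marc's printf does:
# attribute 0 (type), attribute 4 (user), attribute 49 (TACACS request type),
# terminated by a line containing only "=".
mavis_info_request() {
    printf '0 TACPLUS\n4 %s\n49 INFO\n=\n' "$1"
}

# Send the request through the Perl backend with the same environment the
# realm config sets via "setenv". Skips (status 2) if the script is absent,
# so the offline part of this example still runs on a machine without it.
mavis_backend_check() {
    if [ ! -x "$BACKEND" ]; then
        echo "backend $BACKEND not found; skipping live check" >&2
        return 2
    fi
    mavis_info_request "$1" | env \
        LDAP_SERVER_TYPE=microsoft \
        LDAP_HOSTS="ldaps://domain.local" \
        LDAP_SCOPE=sub \
        LDAP_BASE="DC=domain,DC=local" \
        LDAP_FILTER='(&(objectClass=user)(objectClass=person)(sAMAccountName=%s))' \
        LDAP_USER="${LDAP_USER:?export the bind account first}" \
        LDAP_PASSWD="${LDAP_PASSWD:?export the bind password first}" \
        TACACS_GROUP_PREFIX=_TACACS_ \
        REQUIRE_TACACS_GROUP_PREFIX=1 \
        UNLIMIT_AD_GROUP_MEMBERSHIP=1 \
        "$BACKEND"
}

# Replay the ruleset from realm_test.cfg. Rules are tried in config order and
# each regex is matched against every memberOf value, so the first rule that
# matches any DN wins ("profile = ... permit" ends the script). Reads DNs, one
# per line, from stdin; prints the selected profile, or "deny" (status 1).
select_profile() {
    members=$(cat)
    for rule in "cisco_rw:cisco_readwrite" "cisco_ro:cisco_readonly"; do
        group=${rule%%:*}
        profile=${rule#*:}
        # Same anchor as the config: /^CN=_TACACS_<group>,/
        if printf '%s\n' "$members" | grep -q "^CN=_TACACS_${group},"; then
            echo "$profile"
            return 0
        fi
    done
    echo deny
    return 1
}

# Live check only when a username is given on the command line.
if [ -n "${1:-}" ]; then
    mavis_backend_check "$1"
fi
```

Run it as `sh check.sh <username>` with LDAP_USER and LDAP_PASSWD exported to exercise the live backend; any `CN=_TACACS_...` values in the response are what the ruleset regexes will see. Because the cisco_rw rule is tested before cisco_ro, an account that is in both groups always lands in cisco_readwrite, whatever order the memberOf values arrive in.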