About using the MAVIS tacauth_limit module with tac_plus: config snapshot, need help


Aruforce

Apr 29, 2026, 4:57:42 AM
to Event-Driven Servers
Hello Marc.
   We now use tac_plus and want a feature like fail to lock. I found the module tacauth_limit
and tried it with the following snapshot:
id = spawnd {
  listen = {
    address = 127.0.0.1
    port = 10049
  }
  spawn {
    instances min = 1
    instances max = 1
    users min = 100
    users max = 100
  }
}
id = tac_plus {
    debug = ALL
    log = stderr {
        destination = /dev/stderr
    }

    log = authentication_log {
        destination =  "/var/log/tac_plus/authentication/authentication.log"
        log separator = "|!|"
    }
    log = authorization_log {
        destination =  "/var/log/tac_plus/authorization/authorization.log"
        log separator = "|!|"
    }
    log = accounting_log {
        destination =  "/var/log/tac_plus/accounting/accounting.log"
        log separator = "|!|"
    }
    authentication log = authentication_log
    authorization log = authorization_log
    accounting log = accounting_log#

  connection timeout = 300
  context timeout = 3600
  password max-attempts = 1
  password backoff = 1
  separation tag = "*"
  skip conflicting groups = yes
  skip missing groups = yes
  single-connection = no

  mavis module = tacauth_limit {
    blacklist time = 900
    blacklist count = 3
    hash = USER
    directory = /opt/blacklist/
  }
  user backend = mavis
  login backend = mavis
  ####LIST OF DEVICE GROUPS####
  host = test {
    address = "0.0.0.0/0"
    key = "streamkey"
  }
  group = adminHUAWEIRoute {
    default service = permit
    service = shell {
      default command = permit
      default attribute = permit
      set priv-lvl = 15
      message deny = "Denied '%c %a' "
    }
  }
  group = role_1 {
    member = adminHUA...@x.x.x.x
  }
  user = test {
    login = crypt "$1$Bm24z9s2$tNiN96UdMXd/mb2PEGkZO/"
    pap = login # Clone login
    enable = crypt "$1$Bm24z9s2$tNiN96UdMXd/mb2PEGkZO/"
    valid from = 1697514703
    valid until = 1792425599
    member = role_1
  }
}
tac_plus can parse it, but it does not seem to work as expected: I tried 3 times with a wrong password and 1 time with the correct one within 21 minutes, and the last login was unexpected.

Marc Huber

Apr 29, 2026, 12:56:50 PM
to event-driv...@googlegroups.com

Hi,

tacauth_limit is a MAVIS module, and it should keep track of lower-level MAVIS authentication failures.

However, you're probably testing with your local "test" user, so the MAVIS backend isn't involved at all and tacauth_limit won't see these authentications.

Cheers,

Marc


Aruforce

Apr 29, 2026, 9:26:47 PM
to Event-Driven Servers
Hi,
  Yes, I am testing with the local test user... but the purpose of "fail to lock" is to counteract brute-force password cracking, whether it's for local or MAVIS users...
  Is this supported, and how? Or will it be supported?

Thanks

Marc Huber

Apr 30, 2026, 12:24:13 PM
to event-driv...@googlegroups.com

Hi,

no, "fail to lock" isn't an implemented feature for local users, neither for tac_plus nor for tac_plus-ng. Also, development is focused on the latter, so the legacy tac_plus won't see any new features.

Cheers,

Marc


