TACACS-NG, cisco and access via https


merzly...@gmail.com

Oct 8, 2024, 1:39:38 AM
to Event-Driven Servers
Hi Marc.

We have an interesting problem.

In Active Directory (AD) there are two groups that are identical in all characteristics:
Software_Tacacs_NET-GD-Write
Software_Tacacs_ALT-write

User1 is in the group Software_Tacacs_NET-GD-Write
User2 is in the group Software_Tacacs_ALT-write

The equipment is located in the network 10.122.12.0/24

Users have no problems accessing via CLI.

User1 logs into Cisco via HTTPS without problems.

User2 can't log in to Cisco via HTTPS. There is a prompt to enter login and password. Then nothing happens.

I can't understand where or what the problem is.

Here is part of the config from TACACS-NG:

        mavis module = external {
                setenv LDAP_SERVER_TYPE = "microsoft"
                setenv AD_GROUP_PREFIX = "Software_Tacacs_"
                setenv UNLIMIT_AD_GROUP_MEMBERSHIP = 1
                #setenv REQUIRE_AD_GROUP_PREFIX = 1
                setenv FLAG_USE_MEMBEROF = 1
                exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
        }

        login backend = mavis
        user backend = mavis
        pap backend = mavis


net MY-ORG_NET {

net GD_NET {
address = 172.31.0.0/16
}

net ALT_NET {
address = 10.122.0.0/16
address = 172.31.75.132/32
}
}

device MY-ORG_DEV {
        key = "zzzzz"
        welcome banner = "\nWe are watching you! We know your ip: %%c\n"
        failed authentication banner ="\n%%u password is incorrect or access denied!!!\n"
        enable 15 = clear secret
}

device ALT_DEV {
        address = 10.122.0.0/16
        parent = MY-ORG_DEV
}

        profile prof_readwrite {
                script {
                        if (service == shell) {
                                if (cmd == "") set priv-lvl = 15
                                permit
                        }
                }
        }

        profile prof_read {
                script {
                        if (service == shell) {
                                if (cmd == "") {
                                        set priv-lvl = 15
                                        permit
                                }
                                if (cmd =~ /^ping/) permit
                                if (cmd =~ /^tracert/) permit
                                if (cmd =~ /^display/) permit
                                if (cmd =~ /^show/) permit
                                if (cmd =~ /^screen-/) permit
                        }
                }
        }

group NET-GD-Write {
}
group NET-GD-Read {
}
group ALT-read {
}
group ALT-write {
}

ruleset {
        rule GD_Read_Write {
                enabled = yes
                script {
                        if nas == MY-ORG_DEV {
                                if group == NET-GD-Write {
                                        profile = prof_readwrite
                                        permit
                                }
                        }
                }
        }
        rule GD_read {
                enabled = yes
                script {
                        if nas == MY-ORG_DEV {
                                if group == NET-GD-Read {
                                        profile = prof_read
                                        permit
                                }
                        }
                }
        }
        rule ALT_Write {
                enabled = yes
                script {
                        if (nas == ALT_DEV && nac == ALT_NET) {
                                if group == ALT-write {
                                        profile = prof_readwrite
                                        permit
                                }
                        }
                }
        }
        rule ALT_read {
                enabled = yes
                script {
                        if (nas == ALT_DEV && nac == ALT_NET) {
                                if group == ALT-read {
                                        profile = prof_read
                                        permit
                                }
                        }
                }
        }
}

Marc Huber

Oct 8, 2024, 11:57:57 AM
to event-driv...@googlegroups.com
Hi,

basically, for authentication/authorization it shouldn't matter whether
the user logs in via CLI or HTTP.

Could you share any debug logs (or tactrace.pl output) that would allow
for comparing the TACACS+ queries and responses?

Thanks,

Marc

merzly...@gmail.com

Oct 9, 2024, 2:19:14 AM
to Event-Driven Servers
How to properly configure and view the debug log?

Or maybe the problem is in the ruleset?
Users from the AD group Software_Tacacs_NET-GD-Write have access via HTTPS without any problems



Tuesday, October 8, 2024 at 20:57:57 UTC+5, Marc Huber:

Marc Huber

Oct 10, 2024, 12:34:34 PM
to Marc Huber, event-driv...@googlegroups.com
Hi,

oh, great, closing the browser sends a message. Well, never mind.

You can enable debugging using "debug = <debug level>", e.g. "debug = -1"
in user context, or at the command line, or at device level. There's
also a "debug redirect = <file>" configuration option to redirect the
output from stderr to a file.

Please see
https://projects.pro-bono-publico.de/event-driven-servers/doc/mavis.html#AEN63
regarding debug levels.

There's also
https://github.com/MarcJHuber/event-driven-servers/wiki/Debug-options-for-TAC_PLUS%E2%80%90NG

Cheers,

Marc




merzly...@gmail.com

Oct 14, 2024, 5:24:26 AM
to Event-Driven Servers
Hi,

For information, before the change:
        rule ALT_Write {
                enabled = yes
                script {
                        if (nas == ALT_DEV && nac == ALT_NET) {
                                if group == ALT-write {
                                        profile = prof_readwrite
                                        permit
                                }
                        }
                }
        }

After the change:
                rule ALT_Write {
                        enabled = yes
                        script {
                                if nas == ALT_DEV {

                                        if group == ALT-write {
                                                profile = prof_readwrite
                                                permit
                                        }
                                }
                        }
                }
Web access is now available.

How do I do it correctly so that there is a check that access comes from a specific network to a specific network, as well as a check for group membership?
Thursday, October 10, 2024 at 21:34:34 UTC+5, Marc Huber:

Marc Huber

Oct 14, 2024, 11:07:37 AM
to event-driv...@googlegroups.com
Hi,

your original syntax ("if (nas == ALT_DEV && nac == ALT_NET) {") looks fine.

Given that CLI login did work but HTTP didn't, is there a chance that
user2 has a web proxy configured? That would certainly cause the
client IP to differ from the one used by ssh/telnet.

Cheers,

Marc
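The point of the exchange above is that a rule with `nas == ALT_DEV && nac == ALT_NET` only permits the session when the client address reported by the device falls inside ALT_NET, whereas the GD rules check the device alone. The following toy evaluator is an added example, not tac_plus-ng code and not anything the thread's participants posted: it replays the posted nets, devices and ruleset so that a defender can test which (NAS address, client address, group) combinations would be permitted. Its treatment of `nas == MY-ORG_DEV` as also matching the child device ALT_DEV (via `parent`) is an assumption about the configuration's intent, not a statement about tac_plus-ng internals; the NAS and client addresses in the usage block are constructed.

```python
"""Toy evaluator for the tac_plus-ng style ruleset discussed in this thread.

Added example, not tac_plus-ng code. It models net, device and group matching
just closely enough to show why a rule with `nac == ALT_NET` denies a client
whose source address is outside ALT_NET, while the GD rules (no nac check)
permit from anywhere.
"""
import ipaddress

# Net definitions transcribed from the thread's config; the nested
# MY-ORG_NET is flattened to the union of its child nets.
NETS = {
    "GD_NET": ["172.31.0.0/16"],
    "ALT_NET": ["10.122.0.0/16", "172.31.75.132/32"],
}
NETS["MY-ORG_NET"] = NETS["GD_NET"] + NETS["ALT_NET"]

# Device definitions: ALT_DEV carries the address range and inherits from
# MY-ORG_DEV, which has no address of its own.
DEVICES = {
    "MY-ORG_DEV": {"address": [], "parent": None},
    "ALT_DEV": {"address": ["10.122.0.0/16"], "parent": "MY-ORG_DEV"},
}

# Rules in the order the thread's ruleset lists them:
# (rule name, required nas, required nac or None, required group, profile)
RULES = [
    ("GD_Read_Write", "MY-ORG_DEV", None, "NET-GD-Write", "prof_readwrite"),
    ("GD_read", "MY-ORG_DEV", None, "NET-GD-Read", "prof_read"),
    ("ALT_Write", "ALT_DEV", "ALT_NET", "ALT-write", "prof_readwrite"),
    ("ALT_read", "ALT_DEV", "ALT_NET", "ALT-read", "prof_read"),
]


def in_net(ip, net_name):
    """True if ip lies in any prefix of the named net."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in NETS[net_name])


def select_device(nas_ip):
    """Pick the device whose address list contains the NAS IP.

    With several candidates the longest prefix wins; None if nothing matches.
    """
    addr = ipaddress.ip_address(nas_ip)
    best, best_len = None, -1
    for name, dev in DEVICES.items():
        for p in dev["address"]:
            net = ipaddress.ip_network(p)
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def device_matches(selected, wanted):
    """ASSUMPTION: `nas == X` is satisfied by X itself or by any ancestor of
    the selected device (ALT_DEV has parent MY-ORG_DEV in the posted config)."""
    cur = selected
    while cur is not None:
        if cur == wanted:
            return True
        cur = DEVICES[cur]["parent"]
    return False


def evaluate(nas_ip, nac_ip, groups):
    """Walk the rules in order and return (decision, detail).

    `groups` are the AD group names after the AD_GROUP_PREFIX
    "Software_Tacacs_" has been stripped, e.g. {"ALT-write"}.
    """
    device = select_device(nas_ip)
    if device is None:
        return ("deny", f"no device definition covers NAS {nas_ip}")
    for name, nas, nac, group, profile in RULES:
        if not device_matches(device, nas):
            continue
        if nac is not None and not in_net(nac_ip, nac):
            # The branch that silently drops a session whose client
            # address (as reported by the device) is outside the net.
            continue
        if group not in groups:
            continue
        return ("permit", f"{profile} via rule {name}")
    return ("deny", f"no rule matched for client {nac_ip}, groups {sorted(groups)}")


if __name__ == "__main__":
    nas = "10.122.12.1"  # constructed: a switch inside 10.122.12.0/24
    print(evaluate(nas, "10.122.12.50", {"ALT-write"}))    # permit, ALT_Write
    print(evaluate(nas, "198.51.100.7", {"ALT-write"}))    # deny: client outside ALT_NET
    print(evaluate(nas, "198.51.100.7", {"NET-GD-Write"})) # permit, no nac check
```

Run it and compare the third call with the second: a NET-GD-Write member is permitted from any client address, but an ALT-write member is only permitted when the reported client address is inside ALT_NET. That is the asymmetry the thread describes between user1 and user2 over HTTPS, and it is why the debug output Marc asked for (the rem_addr the device puts in the TACACS+ request) is the first thing to check before loosening the rule.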

merzly...@gmail.com

Oct 23, 2024, 3:08:09 AM
to Event-Driven Servers
Hi Marc,

We do not use a web proxy.

At the moment I have disabled the restrictions. Everything works.
I don't have enough time to debug the problem using the links you sent earlier.
Monday, October 14, 2024 at 20:07:37 UTC+5, Marc Huber: