Successful TACACS authentication despite restrictions on AD groups


Vladislav Alyehsin

Jun 3, 2024, 9:49:11 AM
to Event-Driven Servers
Hello, colleagues.

I had hard trouble with TACACS authentication via the MAVIS LDAP module.
A few days ago I got strange behavior in authorization in my environment.

Active Directory users can authenticate to switches when they are not members of the AD groups which are used in my tac_plus.cfg.

Example: 

I have a domain user with login us...@my.domain who is a member of APP_TC_TEST, and he can successfully authenticate on the commutator when I have the tac_plus.cfg below:


#!/usr/local/sbin/tac_plus
id = spawnd {
        listen = { port = 49 }
        spawn = {
                instances min = 1
                instances max = 10
        }
        background = yes
}

id = tac_plus {
        # log files
        access log = ">/var/log/tac_plus/access/%Y%m%d.log"
        accounting log = ">/var/log/tac_plus/acct/%Y%m%d.log"
        authentication log = ">/var/log/tac_plus/authentication/%Y%m%d.log"
        authorization log = ">/var/log/tac_plus/authorization/%Y%m%d.log"

        mavis module = external {
                setenv LDAP_SERVER_TYPE = "microsoft"
                setenv LDAP_HOSTS = "ldap://my.domain:389"
                setenv LDAP_SCOPE = sub
                setenv LDAP_BASE = "dc=my,dc=domain"
                setenv LDAP_FILTER = "(&(objectClass=user)(objectClass=person)(sAMAccountName=%s))"
                setenv LDAP_USER = "cn=openldap,dc=my,dc=domain"
                setenv LDAP_PASSWD = "qwe123"
                setenv AD_GROUP_PREFIX = ""
                setenv REQUIRE_AD_GROUP_PREFIX = 0
                setenv UNLIMIT_AD_GROUP_MEMBERSHIP = 1
                #setenv USE_TLS = 0
                setenv FLAG_USE_MEMBEROF = 1
                exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
        }

        user = testuser3 {
                password = clear testpass123
                service = shell {
                        default cmd = permit
                        set priv-lvl = 15
                }
        }

        login backend = mavis
        #user backend = mavis
        pap backend = mavis
        skip missing groups = yes
        skip conflicting groups = yes
        mavis noauthcache
        mavis cache timeout = 1

        host = world {
                address = ::/0
                welcome banner = ""
                #Crypt password generate by "openssl passwd -1 clear_text_password"
                #enable 15 = crypt $1$eqIkg6p0$jzhK5.
                key = "hY0p2Y34gdfgdfj6"
                debug = ALL USERINPUT
        }

        group = APP_TC_Admins_SSH_IND_MS {
                message = "[INFRA Admin privileges]"
                default service = permit
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 15
                }
        }

        group = SRV_TC_Admins_MS {
                message = "[SRV Admin privileges]"
                default service = permit
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 15
                }
        }
}

BUT it's wrong.⚠️⚠️⚠️
I can't understand why the login is successful.

The TACACS server should reject this authentication and must give a "NAK" response.

But in tactest I got "ACK" despite the config directives.

The AD user is a member only of the APP_TC_TEST group.

[attachment: AD user membership.jpg]

Successful login (It's not correct) 🚫

[attachment: tactest.png]

Please help me. 😢

Marc, if you are here and see this, I need your professional consultation!!



Marc Huber

Jun 3, 2024, 2:58:47 PM
to event-driv...@googlegroups.com
Hi Vladislav,

please have a look at the "default group" documentation in
https://projects.pro-bono-publico.de/event-driven-servers/doc/tac_plus.html
on how to deny login to users that aren't group members.

Cheers,

Marc

Vladislav Alyehsin

Jun 4, 2024, 9:52:42 AM
to Event-Driven Servers
Marc, thank you for your answer.

But my team found a better solution.

We tried using a script out directive with regexps which check group membership.

script out = {
        # Require group membership:
        if ($TACMEMBER =~ /.*("APP_TC_Admins_UI_IND_MS").*/) set $RESULT = ACK
        else if ($TACMEMBER =~ /.*("SRV_TC_Admins_MS").*/) set $RESULT = ACK
        else if ($TACMEMBER =~ /.*("APP_TC_Admins_SSH_IND_MS").*/) set $RESULT = ACK
        else set $RESULT = NAK
}

And got a correct authentication result. Thanks.


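As an added example (not code from this thread, from tac_plus or from the MAVIS scripts), here is a Python emulation of the allow-list decision that the script out block above makes. It assumes, based on the quoting used in the regexps, that $TACMEMBER arrives as a comma-separated list of double-quoted group names; the group names and sample inputs are taken from or constructed after the thread. It also shows why the quotes in the regexps matter: an unquoted substring match would accept a group whose name merely contains an allowed name, and an empty group list must fall through to NAK.

```python
import re

# Allow-listed AD groups, as named in the script out block of the thread.
ALLOWED_GROUPS = {
    "APP_TC_Admins_UI_IND_MS",
    "SRV_TC_Admins_MS",
    "APP_TC_Admins_SSH_IND_MS",
}

# Assumption: $TACMEMBER looks like '"group1","group2"' (quoted, comma-separated).
_QUOTED_NAME = re.compile(r'"([^"]*)"')


def parse_tacmember(tacmember: str) -> set:
    """Split a $TACMEMBER-style string into the set of group names it carries."""
    return set(_QUOTED_NAME.findall(tacmember))


def decide_exact(tacmember: str, allowed=ALLOWED_GROUPS) -> str:
    """Exact allow-list check: ACK only if at least one group is in the list,
    otherwise NAK (default deny, which covers an empty group list too)."""
    return "ACK" if parse_tacmember(tacmember) & set(allowed) else "NAK"


def decide_substring(tacmember: str, allowed=ALLOWED_GROUPS) -> str:
    """Over-permissive variant for comparison: plain substring match, the
    behaviour a regexp like /.*NAME.*/ without the surrounding quotes would have."""
    return "ACK" if any(name in tacmember for name in allowed) else "NAK"


if __name__ == "__main__":
    # Constructed sample values of $TACMEMBER.
    samples = [
        '"APP_TC_TEST"',                        # the thread's user: not allowed
        '"APP_TC_TEST","SRV_TC_Admins_MS"',     # allowed via SRV_TC_Admins_MS
        '"SRV_TC_Admins_MS_OLD"',               # only looks similar to an allowed name
        "",                                     # backend returned no groups
    ]
    for s in samples:
        print(f"{s or '<empty>':40} exact={decide_exact(s)} substring={decide_substring(s)}")
```

The exact check and the thread's regexps agree on every sample; the substring variant differs only on the look-alike name, which is the case to watch for when the allow-list is edited later.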