Hello, colleagues.
I had hard trouble with TACACS authentication via the mavis LDAP module.
A few days ago I got strange behavior in authorization in my environment.
Active Directory users can authenticate to switches when they are not members of the AD groups that are used in my tac_plus.cfg.
Example:
I have a domain user with login us...@my.domain who is a member of APP_TC_TEST, and he can successfully authenticate on a switch when I have the tac_plus.cfg below:
#!/usr/local/sbin/tac_plus
id = spawnd {
    listen = { port = 49 }
    spawn = {
        instances min = 1
        instances max = 10
    }
    background = yes
}
id = tac_plus {
    # log files
    access log = ">/var/log/tac_plus/access/%Y%m%d.log"
    accounting log = ">/var/log/tac_plus/acct/%Y%m%d.log"
    authentication log = ">/var/log/tac_plus/authentication/%Y%m%d.log"
    authorization log = ">/var/log/tac_plus/authorization/%Y%m%d.log"
    mavis module = external {
        setenv LDAP_SERVER_TYPE = "microsoft"
        setenv LDAP_HOSTS = "ldap://my.domain:389"
        setenv LDAP_SCOPE = sub
        setenv LDAP_BASE = "dc=my,dc=domain"
        setenv LDAP_FILTER = "(&(objectClass=user)(objectClass=person)(sAMAccountName=%s))"
        setenv LDAP_USER = "cn=openldap,dc=my,dc=domain"
        setenv LDAP_PASSWD = "qwe123"
        setenv AD_GROUP_PREFIX = ""
        setenv REQUIRE_AD_GROUP_PREFIX = 0
        setenv UNLIMIT_AD_GROUP_MEMBERSHIP = 1
        #setenv USE_TLS = 0
        setenv FLAG_USE_MEMBEROF = 1
        exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
    }
    user = testuser3 {
        password = clear testpass123
        service = shell {
            default cmd = permit
            set priv-lvl = 15
        }
    }
    login backend = mavis
    #user backend = mavis
    pap backend = mavis
    skip missing groups = yes
    skip conflicting groups = yes
    mavis noauthcache
    mavis cache timeout = 1
    host = world {
        address = ::/0
        welcome banner = ""
        #Crypt password generated by "openssl passwd -1 clear_text_password"
        #enable 15 = crypt $1$eqIkg6p0$jzhK5.
        key = "hY0p2Y34gdfgdfj6"
        debug = ALL USERINPUT
    }
    group = APP_TC_Admins_SSH_IND_MS {
        message = "[INFRA Admin privileges]"
        default service = permit
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 15
        }
    }
    group = SRV_TC_Admins_MS {
        message = "[SRV Admin privileges]"
        default service = permit
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 15
        }
    }
}
BUT it's wrong.⚠️⚠️⚠️
I can't understand why the login is successful.
The TACACS server should reject this authentication and must give a "NAK" response.
But in tactest I got "ACK" despite the config directives.