MarcJHuber / event-driven-servers

A collection of event-driven servers (currently: tac_plus, tac_plus-ng, ftpd, tcprelay)
https://www.pro-bono-publico.de/projects

tac_plus-ng: A device.tag reference in a profile script where no tag is present on any device will break tacacs #104

Closed sanjmonkey closed 1 month ago

sanjmonkey commented 1 month ago

Hi Marc,

Not a biggie at all, but I happened to notice that if a config does not have any tag entries on any device somewhere in its config, and yet a profile script section tries to match a device.tag somewhere, this will break tacacs authentication + authorisation.

This will break:

    device foo-router {
        address = 1.1.1.1/32
        key = "mykey"
    }

    device bar-router {
        address = 2.2.2.2/32
        key = "mykey"
    }

    profile bar-router-admins {
        script {
            if (device.tag == bar) {
                set this = that
                permit
            }
        }
    }

but setting just one tag on any device will fix this:

    device foo-router {
        address = 1.1.1.1/32
        key = "mykey"
        tag = whatever-tag
    }

    device bar-router {
        address = 2.2.2.2/32
        key = "mykey"
    }

    profile bar-router-admins {
        script {
            if (device.tag == bar) {
                set this = that
                permit
            }
        }
    }

MarcJHuber commented 1 month ago

Hi Sandy,

thanks for reporting, I'll push a fix.

Cheers,

Marc
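
A pre-deployment check for the condition reported in this issue, as an added example that is not part of the thread or of the project's code: it flags a config where a profile script tests `device.tag` while no device block sets a tag. It is a plain text scan based only on the syntax visible in the report; the function names and the `#` comment handling are assumptions.

```python
import re

# Quoted strings, '#' comments (assumed comment syntax), braces, bare words.
TOKEN = re.compile(r'"[^"]*"|#[^\n]*|[{}]|[^\s{}"#]+')
TAG_REF = re.compile(r"\bdevice\.tag\b")

def audit_tags(config_text):
    """Return (tags set inside device blocks, profiles that reference device.tag)."""
    toks = [t for t in TOKEN.findall(config_text) if not t.startswith("#")]
    stack, tags, refs = [], set(), set()
    for i, tok in enumerate(toks):
        if tok == "{":
            # "device NAME {" and "profile NAME {" open named blocks; others are anonymous.
            kind = toks[i - 2] if i >= 2 else ""
            stack.append((kind, toks[i - 1]) if kind in ("device", "profile") else ("other", None))
        elif tok == "}":
            del stack[-1:]  # tolerates unbalanced braces
        elif tok == "tag" and stack and stack[-1][0] == "device" and toks[i + 1:i + 2] == ["="]:
            tags.update(t.strip('"') for t in toks[i + 2:i + 3])
        elif not tok.startswith('"') and TAG_REF.search(tok):
            refs.add(next((name for kind, name in reversed(stack) if kind == "profile"), None))
    return tags, refs

def is_affected(config_text):
    """True when a script tests device.tag but no device block sets a tag."""
    tags, refs = audit_tags(config_text)
    return bool(refs) and not tags

# The configuration from the issue report above.
BROKEN = """
device foo-router {
    address = 1.1.1.1/32
    key = "mykey"
}
device bar-router {
    address = 2.2.2.2/32
    key = "mykey"
}
profile bar-router-admins {
    script {
        if (device.tag == bar) {
            set this = that
            permit
        }
    }
}
"""
FIXED = BROKEN.replace('key = "mykey"', 'key = "mykey"\n    tag = whatever-tag', 1)  # reporter's workaround
print("broken affected:", is_affected(BROKEN), "| with one tag:", is_affected(FIXED))
```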