Closed yash3339 closed 1 week ago
Hi,
the LDAP error might indicate that TLS isn't configured. Another possibility might be that LDAP_USER and LDAP_PASSWD aren't set. I don't recognize that error message.
"max password" is per-tacacs+-session and won't protect your backend. It just limits the number of password queries per session.
Cheers,
Marc
Thanks Marc, but where is the best place to put password max attempt = 3: at the device level or the global level? I just want to make it the default for all. I tried to put it at the global level but it did not work.
Hi,
you can put it at the global level, but it will only limit the number of password iterations per session and will, as such and per definition, only work for inbound ASCII logins.
The main purpose of this option is not to stop anyone from retrying login attempts but to keep broken client implementations from automatically retrying a bad password in a single TACACS+ session, making the backend unhappy.
Cheers,
Marc
Yes, so if I set it on the device, for example to 5, and I set it to 3 in the tac config, is it possible to override that and enforce the TACACS+ maximum of 3 attempts, not the device's 5 attempts?
Hi,
this depends on the device side implementation. If your device opens a new TACACS+ session per authentication attempt then the daemon will not interfere with that. Could you please share some debug logs that illustrate the issue?
I had some thoughts about implementing a MAVIS module to restrict the number of failed password attempts. I guess I'd base this on the tacinfo_cache code which uses on-disk state for sharing between worker processes. This should be easy to implement and may be ready tomorrow or even today, eventually.
Cheers,
Marc
4c880ee527c080c6741dd99ac093a27dfd47d343
Thanks Marc for the update, I will try it. I am facing another issue now: I used the same method to install tac_plus-ng on a new server that I used on my current server, but it shows me the error attached in the screenshot. I am not able to identify the issue here.
Hi,
please try "sudo netstat -antp | grep :49" (or whatever port you're using). It looks like there's already a TACACS+ server running that occupies the TCP port.
Cheers,
Marc
Thanks Marc, I just did sudo kill and it worked. However, I don't know how to implement the enhancement you did for max attempts; please bear with me, I am a newbie here.
Hi,
the mavis modules follow a layered approach. Putting
mavis module = tacauth_limit {
directory = /tmp/tacauth
blacklist count = 3 # max retries
blacklist time = 30 # seconds
}
on top of your authentication module should work.
Cheers,
Marc
Thanks Marc, I will test it. However, I see I am periodically receiving this message; I have no clue what this is about or how to solve it.
Hi,
this is typically a TACACS+ key mismatch.
Cheers,
Marc
But key are good I am able to authenticate with devices
Hi,
thinking more about this, the actual TACACS+ header isn't covered by the key, so it's a different issue. Could you run a tcpdump or Wireshark capture of the packets?
Cheers,
Marc
Unfortunately no, Marc, sorry for that. I am implementing it in a production network and can't share the capture with you, nor can I take one as of now, but I am also trying to figure out why it is showing this error; it seems to be some version issue in the program. Second thing: I have a few questions about the MAVIS module. I am implementing a multi-group model there, so for example group A is allowed some specific devices and group B is allowed some other devices. How do I limit that in the MAVIS external module?
Hi,
well, I wasn't actually asking for a capture, sorry if it sounded like that. I was rather suggesting that you could run one and check whether the "Illegal major version ..." is caused by non-TACACS+ traffic.
Regarding multi-group support, that's already there. In case you don't want to handle that via the configuration rule set you could have a look at
which moves most of the device and user logic to the backend script, easily allowing database integrations.
Cheers,
Marc
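The check Marc suggests above, as an added example that is not part of this thread or of tac_plus-ng: a small Python parser for the 12-byte TACACS+ header (RFC 8907, section 4.1), which is sent in the clear while only the body is obfuscated with the shared key. It classifies constructed sample bytes for a genuine authentication START, an HTTP probe and a TLS ClientHello, showing that an "Illegal major version" can only come from non-TACACS+ bytes (or a genuinely broken client), never from a key mismatch. The sample packets, the field names and the wording of the verdicts are assumptions for illustration.

```python
import struct
from dataclasses import dataclass

# RFC 8907, section 4.1: the 12-byte header is never obfuscated; only the body is.
HEADER_LEN = 12
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VERS = {0x0: "default", 0x1: "one"}
TAC_PLUS_TYPES = {0x01: "AUTHEN", 0x02: "AUTHOR", 0x03: "ACCT"}


@dataclass
class Header:
    major: int
    minor: int
    ptype: int
    seq_no: int
    flags: int
    session_id: int
    length: int


def parse_header(data: bytes) -> Header:
    """Split the first 12 bytes on a connection into the header fields."""
    if len(data) < HEADER_LEN:
        raise ValueError("short read: %d bytes, need %d" % (len(data), HEADER_LEN))
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", data[:HEADER_LEN])
    return Header(version >> 4, version & 0x0F, ptype, seq_no, flags, session_id, length)


def classify(data: bytes) -> str:
    """What a daemon can conclude from the first bytes of a fresh connection,
    before the shared key is involved at all."""
    try:
        h = parse_header(data)
    except ValueError as e:
        return "short header: %s" % e
    if h.major != TAC_PLUS_MAJOR_VER:
        # A wrong shared secret cannot cause this: the version byte is plaintext.
        return "illegal major version 0x%x (first byte 0x%02x): not TACACS+ traffic" % (
            h.major, data[0])
    if h.minor not in TAC_PLUS_MINOR_VERS:
        return "illegal minor version 0x%x" % h.minor
    if h.ptype not in TAC_PLUS_TYPES:
        return "illegal packet type 0x%02x" % h.ptype
    if h.seq_no % 2 == 0:
        # Clients send odd sequence numbers, servers even (RFC 8907, section 4.1).
        return "client packet with even seq_no %d" % h.seq_no
    return "TACACS+ %s (minor %s), seq %d, session 0x%08x, body %d bytes" % (
        TAC_PLUS_TYPES[h.ptype], TAC_PLUS_MINOR_VERS[h.minor],
        h.seq_no, h.session_id, h.length)


# Constructed samples (not captured traffic).
AUTHEN_START = bytes.fromhex("c0 01 01 00 12345678 00000020")   # version 0xc0, AUTHEN, seq 1
HTTP_PROBE = b"GET / HTTP/1.1\r\nHost: 10.0.0.1\r\n\r\n"        # 'G' = 0x47 -> major 0x4
TLS_CLIENT_HELLO = bytes.fromhex("16 03 01 00 c8 01 00 00 c4 03 03 aa bb")  # 0x16 -> major 0x1


if __name__ == "__main__":
    for name, pkt in (("authen start", AUTHEN_START), ("http probe", HTTP_PROBE),
                      ("tls hello", TLS_CLIENT_HELLO)):
        print("%-13s %s" % (name, classify(pkt)))
```

Because the version byte is plaintext, a scanner or any other non-TACACS+ client hitting the port produces this message regardless of the configured key; filtering the scanner at the network level or excluding the TACACS+ port from its scan profile is the fix, not a change to the daemon's key or version.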
What I have found is that there is a security scanner server in the network and it is causing the error. Any idea how I can change the version in my tacacs config to suppress this error?
Hi,
the mavis modules follow a layered approach. Putting
mavis module = tacauth_limit {
directory = /tmp/tacauth
blacklist count = 3 # max retries
blacklist time = 30 # seconds
}
on top of your authentication module should work.
Cheers,
Marc
This is not working; I am only using the external module.
Hi,
no, this just indicates that you didn't build with current source or didn't bother to install the current binaries.
Cheers,
Marc
Hi Marc, thanks, I updated the source code. However, after testing I saw that it creates a file like the one below and it is not readable.
Any chance I could have it human-readable? My requirement is that I can unblock a specific client or username by removing the specific entries from the files.
Hi,
well, yes, the cache files currently just contain the number of failed password attempts, in binary. Changing that to ASCII with some context will not be an issue; I'll have a look at that later today.
Cheers,
Marc
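To make the behaviour discussed above concrete (a failed-password counter kept on disk so that several worker processes can share it, a block once "blacklist count" failures are reached that lasts "blacklist time" seconds, and a human-readable per-entry file an operator can delete to unblock a user), here is an added illustrative Python implementation. It is not tac_plus-ng's tacauth_limit code and does not reproduce its file format; the JSON record layout, the hashed file names, the key format "user@client" and the guarded_login and demo helpers are assumptions for this example.

```python
import hashlib
import json
import os
import tempfile
import time


class FailedLoginLimiter:
    """Count failed password attempts per key on disk and refuse further
    attempts once 'blacklist_count' is reached, until 'blacklist_time'
    seconds have passed since the last failure.  One readable JSON file
    per key: delete it to unblock.  Illustrative, not the tacauth_limit format."""

    def __init__(self, directory, blacklist_count=3, blacklist_time=30, now=time.time):
        self.directory = directory
        self.blacklist_count = blacklist_count
        self.blacklist_time = blacklist_time
        self.now = now          # injectable clock so the behaviour can be tested
        os.makedirs(directory, mode=0o700, exist_ok=True)

    def _path(self, key):
        # Hash the key so a hostile username cannot choose the file name.
        return os.path.join(self.directory, hashlib.sha256(key.encode()).hexdigest() + ".json")

    def read(self, key):
        """Return the stored record, or None if the key has no file."""
        try:
            with open(self._path(key)) as f:
                return json.load(f)
        except FileNotFoundError:
            return None

    def _write(self, key, failures):
        record = {"key": key, "failures": failures, "last_failure": int(self.now())}
        tmp = self._path(key) + ".tmp"
        with open(tmp, "w") as f:
            json.dump(record, f, indent=2)
        os.replace(tmp, self._path(key))   # atomic: other workers never see a half-written file

    def is_blocked(self, key):
        rec = self.read(key)
        if rec is None or rec["failures"] < self.blacklist_count:
            return False
        if self.now() - rec["last_failure"] >= self.blacklist_time:
            self.unblock(key)               # the block has expired
            return False
        return True

    def record_failure(self, key):
        rec = self.read(key)
        failures = (rec["failures"] if rec else 0) + 1
        self._write(key, failures)
        return failures

    def unblock(self, key):
        """Same effect as an operator deleting the file by hand."""
        try:
            os.remove(self._path(key))
        except FileNotFoundError:
            pass


def guarded_login(limiter, key, password_ok):
    """Run the limiter in front of the real password check (the backend here is
    just the boolean 'password_ok')."""
    if limiter.is_blocked(key):
        return "blocked"            # the backend is never consulted
    if password_ok:
        limiter.unblock(key)        # success resets the counter
        return "ok"
    limiter.record_failure(key)
    return "denied"


def demo(blacklist_count=3, blacklist_time=30):
    """Three bad passwords, then the right one while blocked, then the right
    one after the block expires.  Returns the outcomes and the readable file
    contents after the second failure."""
    clock = [1_700_000_000]
    with tempfile.TemporaryDirectory() as d:
        lim = FailedLoginLimiter(d, blacklist_count, blacklist_time, now=lambda: clock[0])
        key = "alice@10.0.0.5"      # constructed sample key
        outcomes, snapshot = [], ""
        for attempt, pw_ok in enumerate((False, False, False, True), start=1):
            outcomes.append(guarded_login(lim, key, pw_ok))
            clock[0] += 1
            if attempt == 2:
                with open(lim._path(key)) as f:
                    snapshot = f.read()
        clock[0] += blacklist_time       # wait out the blacklist time
        outcomes.append(guarded_login(lim, key, True))
        return outcomes, snapshot


if __name__ == "__main__":
    outcomes, snapshot = demo()
    print(outcomes)
    print(snapshot)
```

Two points a practitioner should take from this: the counter lives in front of the backend, so a blocked key never generates an LDAP bind, which is the protection a per-session "password max attempts" cannot give; and the read-then-write in record_failure is not atomic across workers, so two simultaneous failures can lose an increment (a lock file or an O_EXCL-style create would close that gap).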
2e282af60b66791eda1c489d1878f90d60153263
Thanks, Marc, I will test it and let you know. Thank you very much for being so supportive.
Hey Marc, I tested the new code. The limit and blacklist are working fine, but it is not generating any files in the path defined.
Hi,
the code doesn't keep data in memory, so I can't imagine it working without on-disk storage. Please check again, sudo find /path/to/hashdir should easily show the files created.
Cheers,
Marc
Hey Marc, I tested it in multiple scenarios. I think this new code is not even working anymore; it is not even limiting the attempts now. Plus I saw you named this module the same as the tac_info cache module (#define MAVIS_name "tacinfo_cache"). Is that a mistake, or should it work in this manner only? I tried to change the name in the code to tacauth_limit and call the same name in the tac config; it still did not work.
Hi,
you're right, the module name should be "tacauth_limit", thanks for pointing this out.
However, this has no impact on functionality. I've just retried, the code just works. You might have a file permission issue. Please double-check that the user that's running tac_plus-ng has full permission to the directory you've specified.
Cheers,
Marc
I tested it, restarted all processes, and gave full 777 permission to the directory; no files are created. Can you suggest what to check?
HI,
could you please provide a sample config that illustrates the issue? I've used the config below for testing, no issues.
Cheers,
Marc
id = spawnd {
background = yes
listen { port = 4949 }
}
id = tac_plus-ng {
mavis module = tacauth_limit {
directory = /tmp/tacauth
blacklist count = 3
blacklist time = 30
}
mavis module pam-external = external {
exec = /usr/local/sbin/pammavis pammavis -s "mavis"
}
user backend = mavis
login backend = mavis chpass
pap backend = mavis
pap password = login
device world {
address = 0.0.0.0/0
welcome banner = "Welcome\n"
key = demo
}
profile admin {
script { if (cmd == "") set priv-lvl = 15 permit }
}
ruleset {
rule { script { set profile = admin permit } } # the profile defined above
}
}
Hi Marc, I am using this config:
id = tac_plus-ng {
debug = ALL
log authclog { destination = /var/log/tac_plus_logs/authen_logs/authn_%Y%m%d.log }
log authorlog { destination = /var/log/tac_plus_logs/author_logs/author_%Y%m%d.log }
log acctlog { destination = /var/log/tac_plus_logs/accounting_logs/acct_%Y%m%d.log }
authentication log = authclog
authorization log = authorlog
accounting log = acctlog
pap password = login
mavis module = tacauth_limit {
directory = /var/log/lockout
blacklist count = 2 # max retries
blacklist time = 900 # seconds
}
mavis module = external {
Hi,
I still suspect a permission issue. You could try with "directory = /tmp/tacauth". If that works while using /var/log/lockout doesn't (despite open permissions), I'd suggest checking the AppArmor config. I've seen distributions that limit access to /var/log.
Cheers,
Marc
Yes, I switched to /tmp/tacauth, still the same. I don't know, I am not able to figure out why it is not working.
Okay Marc, I figured out the problem, sorry, my bad. I was testing with a local TACACS+ user created in the .conf file, not the LDAP user; this works well for LDAP users.
Hi,
thanks, glad you've resolved this. Please close this GitHub issue if/when you think it's safe to do so.
Cheers,
Marc
Thanks Marc, how can I use this to also enable the same for users created in the tac config?
Hi,
only external users are supported, so no, tacauth_limit will not work with config-only users.
Cheers,
Marc
Hi Marc,
thanks again for your code.
I have configured LDAP MAVIS for an external server as per your instructions. When I try to log in to the device it shows me the error attached in the screenshot; can you please help me find where the issue is?
Second thing: I configured password max attempt in the device section but it is not working. Is it possible to set max password attempts to 3 and after that lock the user? I did not find anything related to locking the user on failed attempts in your docs. Thanks in advance.