MarcJHuber / event-driven-servers

A collection of event-driven servers (currently: tac_plus, tac_plus-ng, ftpd, tcprelay)
https://www.pro-bono-publico.de/projects

Radius backend seems not working #129

Open dc881927 opened 1 week ago

dc881927 commented 1 week ago

Hi, I use Windows NPS as the RADIUS server and am trying to use the radius backend for user authentication, but the RADIUS server does not seem to receive any request. My tac_plus.conf is as follows:

#!/usr/bin/env -S /usr/local/bin/tactrace.pl --user demo --conf

id = spawnd {
        background = no
#       single process = yes
        listen { port = 49 }
        spawn {
                instances min = 1
                instances max = 32
        }
}

id = tac_plus-ng {
        host world {
                address = 0.0.0.0/0
                key = demo
        }

        profile admin {
                script {
                        if (service == shell) {
                            if (cmd == "")
                                set priv-lvl = 15
                            permit
                        }
                }
        }

        user demo {
                password login = clear demo
                password pap = login
                profile = admin
        }

        mavis module=tacinfo_cache {
                directory = /tmp/tacinfo
        }

        mavis module = external {
                setenv RADIUS_HOST = 10.22.152.19:1812
                setenv RADIUS_SECRET = "test"
                setenv RADIUS_GROUP_ATTR = Class
                setenv RADIUS_PASSWORD_ATTR = Password
                exec = /usr/local/lib/mavis/mavis_tacplus_radius.pl
        }

        pap backend = mavis
        login backend = mavis

}
debug = ALL

The debug information only shows "looking for user xxxx in MAVIS backend". Is there something wrong with my configuration file? How can I fix it?

MarcJHuber commented 1 week ago

Hi,

I'd suspect that your system doesn't come with a suitable RADIUS Perl module. Try running the Perl script manually, it might complain about missing modules. If it doesn't, setting the environment variables in shell context and running

printf "0 TACPLUS\n4 yourUser\n50 yourPass\n49 AUTH\n=\n" | /usr/local/lib/mavis/mavis_tacplus_radius.pl

might give a clue.

Cheers,

Marc
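To separate "the Perl module is missing" from "NPS never answers", it helps to have a RADIUS PAP probe that needs nothing but the Python standard library. The block below is an added example, not code from the tac_plus-ng project or from the mavis_tacplus_radius.pl backend: it builds an RFC 2865 Access-Request with the User-Password obfuscation, validates the Response Authenticator of the reply (so a wrong shared secret is detected rather than silently producing a reject), and extracts the Class attribute that the RADIUS_GROUP_ATTR = Class setting above maps to group membership. The host, port, secret, user and password in the `__main__` block are placeholders taken from the configuration in this thread.

```python
"""Stdlib-only RADIUS PAP probe (RFC 2865). Added example, not part of tac_plus-ng."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_CLASS, ATTR_NAS_IDENTIFIER = 1, 2, 25, 32


def encode_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret + c_(i-1)), c_0 = RA."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def decode_pap_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of encode_pap_password; the chain key is the previous ciphertext."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """One TLV attribute; the length octet covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, user, password, secret, nas_id=b"tac_plus-ng", authenticator=None):
    """Returns (packet, request_authenticator); the RA must be kept to verify the reply."""
    authenticator = authenticator or os.urandom(16)
    body = (attr(ATTR_USER_NAME, user)
            + attr(ATTR_USER_PASSWORD, encode_pap_password(password, secret, authenticator))
            + attr(ATTR_NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body, authenticator


def parse_attributes(data: bytes):
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("truncated or malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs


def build_response(code, ident, attrs, secret, request_authenticator):
    """What the server computes (RFC 2865 3); used here to exercise parse_response offline."""
    body = b"".join(attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_authenticator + body + secret).digest() + body


def parse_response(packet, secret, request_authenticator):
    """Check length and Response Authenticator, then return (code, ident, attrs)."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    packet = packet[:length]
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    return code, ident, parse_attributes(packet[20:])


def class_groups(attrs):
    """Class (25) values; the mavis config above maps this attribute to group membership."""
    return [v for t, v in attrs if t == ATTR_CLASS]


def probe(host, port, secret, user, password, timeout=3.0):
    """One UDP Access-Request; None on timeout (NPS silently drops unknown RADIUS clients)."""
    pkt, ra = build_access_request(1, user, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    code, _, attrs = parse_response(data, secret, ra)
    return code, class_groups(attrs)


if __name__ == "__main__":
    # Placeholders from the configuration in this thread; adjust before running.
    print(probe("10.22.152.19", 1812, b"test", b"demo", b"demo"))
```

A `None` from `probe` means the server never answered: NPS discards requests from a source address that is not registered as a RADIUS client, so the tac_plus host must be added there with the same shared secret before the Perl backend can work either. A `ValueError` on the reply means the secret on the two sides differs. An Access-Reject (code 3) with a working secret points at the NPS network policy, not at tac_plus-ng.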

dc881927 commented 1 week ago

Hi, thanks for your reply. I also found that this may be related to the loss of some modules. However, I'm having some issues working with the RADIUS provided by Windows Server NPS. I'll try to debug first, and if I run into more difficult problems, I think I may need to continue asking questions. Thank you very much for your support!

dc881927 commented 1 week ago

Oh, I also tried to authenticate the user through the LDAP backend at the same time. It seems that LDAP authentication passed, but there seems to be a problem with authorization.

The log has the following lines. I would like to ask where this ACL is set?

161508: 17:37:09.112 0/cd2b49e4: 10.206.7.1 result for user dennis-cai is ACK [286 ms]
161508: 17:37:09.112 0/cd2b49e4: 10.206.7.1 shell login for 'dennis-cai' from 10.201.17.60 on vty0 denied by ACL

MarcJHuber commented 1 week ago

Hi,

your configuration seems to lack a ruleset definition. Please have a look at the various samples in tac_plus-ng/samples about that.

Cheers,

Marc
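For context on the "denied by ACL" line: the backend returned ACK (the password was accepted), but tac_plus-ng still needs a rule that permits the session, and without any ruleset nothing does. The fragment below is an added illustration written from the tac_plus-ng rule syntax as I remember it, not a file from the project's samples; the exact keywords should be checked against tac_plus-ng/samples before use. It shows only the block that the configuration in this thread is missing, and assumes the host, profile, user and mavis definitions from that configuration are kept unchanged.

```text
id = tac_plus-ng {
        # host world { ... }, profile admin { ... }, user demo { ... }
        # and the mavis module definitions stay as in the original file.

        # Assumed minimal ruleset (verify against tac_plus-ng/samples).
        # A session is only authorized when a rule permits it; the
        # user's "profile = admin" then supplies the priv-lvl script.
        ruleset {
                rule {
                        enabled = yes
                        script {
                                permit
                        }
                }
        }
}
```

A rule that unconditionally permits is fine for reproducing the issue; for production, the rule script is the place to restrict by host, protocol or group before permitting, so that an Access-Accept from the RADIUS backend alone does not grant shell access everywhere.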