MarcJHuber / event-driven-servers

A collection of event-driven servers (currently: tac_plus, tac_plus-ng, ftpd, tcprelay)
https://www.pro-bono-publico.de/projects

tac_plus-ng Illegal packet #20

Closed shepes closed 1 year ago

shepes commented 1 year ago

Trying to test authenticating an ASAv in my lab, and the only response I seem to be able to get from tac_plus-ng is an Illegal packet response. I've captured and checked with Wireshark, and using the "Testing123" key that I've set I can decrypt the packet from the device to the tac_plus-ng server, but the response from tac_plus shows as a malformed packet.

40250: 16:16:06.381 0/9255de32: 192.168.1.44 New session
40250: 16:16:06.381 0/9255de32: 192.168.1.44 ------
40250: 16:16:06.381 0/9255de32: 192.168.1.44 key used: Testing123
40250: 16:16:06.381 0/9255de32: 192.168.1.44 version: 192, type: 1, seq no: 1, flags: unencrypted
40250: 16:16:06.381 0/9255de32: 192.168.1.44 session id: 32de5592, data length: 21
40250: 16:16:06.381 0/9255de32: 192.168.1.44 packet body (len: 21): \001\001\023\032Qk��V~�w��V0.��R
40250: 16:16:06.381 0/9255de32: 192.168.1.44 0000 01 01 13 1a 51 6b 5f ad a4 56 7e c1 77 e9 cc 56 ....Qk. .V~.w..V
40250: 16:16:06.381 0/9255de32: 192.168.1.44 0010 30 2e 83 c9 52 0...R
40250: 16:16:06.381 0/9255de32: 192.168.1.44 Packet malformed, skipping detailed dump.
40250: 16:16:06.381 0/9255de32: 192.168.1.44 ------
40250: 16:16:06.381 0/9255de32: 192.168.1.44 192.168.1.44 (null): Illegal packet (version=0xc0 type=0x01)
40250: 16:16:06.381 0/9255de32: 192.168.1.44 Writing AUTHEN/ERROR size=57

Also, if I use the example config here "https://www.pro-bono-publico.de/projects/unpacked/tac_plus-ng/sample/tac_plus-ng.cfg" and try and run tac_plus, I get the error below. That's after using the configure command of "./configure --with-pcre2 tac_plus-ng"

"default.conf:35: You're using PCRE syntax, but this binary wasn't compiled with PCRE support.
41229: default.conf:35: You're using PCRE syntax, but this binary wasn't compiled with PCRE support.
41229: Detected fatal configuration error. Exiting."

MarcJHuber commented 1 year ago

Hi,

thanks, I've pushed a commit that should fix the PCRE(2) issue.

Regarding the "malformed packet" issue: That looks like a key mismatch. Did you configure the Testing123 key on your ASA without quotes?

Thanks,

Marc
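
Added example (not part of the thread and not tac_plus-ng code): why a key mismatch shows up as a "malformed packet". It implements the RFC 8907 body obfuscation and the length-consistency check a receiver can apply to an authentication START body. The session ID is the value printed in the log above; the user, port, remote address and the helper names are constructed for illustration.

```python
import hashlib
import struct

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: chained MD5 blocks, truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()  # MD5_n includes MD5_(n-1)
        pad += block
    return pad[:length]

def xor_body(body, session_id, key, version, seq_no):
    """Obfuscation is a XOR with the pad, so the same call also reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_start(user, port, rem_addr):
    # action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), authen_service=LOGIN(1)
    fixed = bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), 0])
    return fixed + user + port + rem_addr

def start_body_is_consistent(body):
    """After de-obfuscation the four length octets plus the 8-octet fixed
    part must add up to the body length; with a wrong pad they will not."""
    if len(body) < 8:
        return False
    action, _priv, authen_type, _svc, ulen, plen, rlen, dlen = body[:8]
    if action not in (1, 2, 4) or authen_type not in (1, 2, 3, 5, 6):
        return False
    return 8 + ulen + plen + rlen + dlen == len(body)

def check_with_key(wire_body, session_id, key, version=0xC0, seq_no=1):
    clear = xor_body(wire_body, session_id, key, version, seq_no)
    return start_body_is_consistent(clear)

# Constructed sample: a 29-octet START body, so two MD5 blocks are needed.
SESSION_ID = 0x32DE5592
CLEAR = build_authen_start(b"labuser", b"tty0", b"192.0.2.10")
WIRE = xor_body(CLEAR, SESSION_ID, b"Testing123", 0xC0, 1)

if __name__ == "__main__":
    for key in (b"Testing123", b'"Testing123"'):
        print(key, "->", "ok" if check_with_key(WIRE, SESSION_ID, key) else "malformed")
```

The same check fails whenever the two sides derive different pads, whether from a differing key string or from any other fault in computing the pad.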

shepes commented 1 year ago

Hi Marc,

Here's the config on the ASA

aaa-server testing protocol tacacs+
aaa-server testing (inside) host 192.168.1.116
 key Testing123

I can also decrypt the TACACS request in Wireshark using that key, so I know it is good on that front. Something in tac_plus-ng doesn't appear to like it though, and I'm struggling to see where else I can look

shepes commented 1 year ago

Also still got the same PCRE issue with the latest version

MarcJHuber commented 1 year ago

Hi,

thanks ... the "malformed packet" issue looks like a GCC bug. Please git pull, make clean and rebuild. I've removed the "-O2" optimization.

Regarding PCRE2: When building, do you see any "-DWITH_PCRE2" flag?

Thanks,

Marc

shepes commented 1 year ago

Just trying that now, and with regards to the PCRE question yes that flag is there " -DWITH_PCRE2 -DPCRE2_CODE_UNIT_WIDTH=8 -DHAVE_EXECINFO_H -"

shepes commented 1 year ago

INFO: Attempting Authentication test to IP address <192.168.1.116> (timeout: 12 seconds)
INFO: Authentication Successful
ciscoasa#

That's better!

MarcJHuber commented 1 year ago

Hi,

great ... and the PCRE2 issue is in fact resolved too? No more "binary wasn't compiled with PCRE" messages?

Thanks,

Marc

shepes commented 1 year ago

> Hi,
>
> great ... and the PCRE2 issue is in fact resolved too? No more "binary wasn't compiled with PCRE" messages?
>
> Thanks,
>
> Marc

Unfortunately the PCRE issue still remains

default-config:35: You're using PCRE syntax, but this binary wasn't compiled with PCRE support.
54098: default-config:35: You're using PCRE syntax, but this binary wasn't compiled with PCRE support.
54098: Detected fatal configuration error. Exiting.

MarcJHuber commented 1 year ago

Hi,

that's weird. The relevant code snippet in tac_plus-ng/config.c reads

#ifdef WITH_PCRE
#else
#ifdef WITH_PCRE2
#else
 ... wasn't compiled with PCRE support ...
#endif
#endif

so you should never see that particular message with WITH_PCRE2 set.

I've no idea where that could come from. You did run "make clean" before building?

Thanks,

Marc

shepes commented 1 year ago

Yup ran make clean but still get

"./default:35: You're using PCRE syntax, but this binary wasn't compiled with PCRE support.
55125: ./default:35: You're using PCRE syntax, but this binary wasn't compiled with PCRE support.
55125: Detected fatal configuration error. Exiting."

When using the config file as is from here "https://www.pro-bono-publico.de/projects/unpacked/tac_plus-ng/sample/tac_plus-ng.cfg"

shepes commented 1 year ago

So just deployed another clean VM and started again, the PCRE issue is gone now, thanks for a speedy resolution of the above

There is one more issue with the default config that comes up now though, and that's that the pammavis module doesn't seem to exist, though I'm not sure I'll be needing this tbh, was more an observation

./default:44: /usr/local/sbin/pammavis: No such file or directory
58829: ./default:44: /usr/local/sbin/pammavis: No such file or directory
58829: Detected fatal configuration error. Exiting.

MarcJHuber commented 1 year ago

Hi,

pammavis depends on the PAM development headers (libpam0g-dev on Ubuntu, IIRC, with probably similar names on other distributions). Are those available?

Thanks,

Marc

shepes commented 1 year ago

Ahh Thanks, installing that has resolved! Thanks again for a quick resolution to this much appreciated!

MarcJHuber commented 1 year ago

Hi,

great, thanks a lot!

Printing some info on what's auto-detected would likely make sense, I might have a look at that.

And it's really sad to see that GCC optimization doesn't work as expected ... I hadn't seen that coming, as there were no issues with clang at all ...

Thanks,

Marc