MarcJHuber / event-driven-servers

A collection of event-driven servers (currently: tac_plus, tac_plus-ng, ftpd, tcprelay)
https://www.pro-bono-publico.de/projects

Arista + TACPLUS-NG #74

Closed bkyarnell closed 1 year ago

bkyarnell commented 1 year ago

Is there a clear guide available that shows the Arista and tac_plus-ng configuration?

I have tac_plus-ng installed on RHEL 8.6; netstat shows I'm listening on TCP 49, but as tcp6? To confirm, are both IPv4 and IPv6 running?

```
netstat -tupln | grep tac
tcp6       0      0 :::49                   :::*                    LISTEN      1412997/tac_plus-ng
```

I'm not seeing any activity from my Arista switch:

```
Aaa: %AAA-4-AUTHZ_FALLBACK: Authorization method 'group tacacs+' is currently unavailable; falling back to next method for action 'command15'.
```

tcpdump on the server running tac_plus-ng isn't showing any communication on port 49. Firewalld and iptables are disabled.

My tac_plus-ng config file:

```
#!/usr/local/sbin/tac_plus-ng

# spawnd front-end: accepts connections on TCP 49 and hands them to workers
id = spawnd {
        background = no
#       single process = yes
        listen { port = 49 }
        spawn {
                instances min = 1
                instances max = 32
        }
}

id = tac_plus-ng-test {

        # per-day log files (strftime patterns in the destination path)
        log authenlog {
                destination = /var/log/tac_plus/authentication/%Y/%m/%d.log
        }
        log authorlog {
                destination = /var/log/tac_plus/authorization/%Y/%m/%d.log
        }
        log acctlog {
                destination = /var/log/tac_plus/accounting/%Y/%m/%d.log
        }
        authentication log = authenlog
        authorization log = authorlog
        accounting log = acctlog

        group testgroup

        user testuser {
                password {
                        login = clear asdfzxcv1234
                }
                member = testgroup
        }

        # any client address is accepted, all sharing the key "arista"
        device test {
                address = 0.0.0.0/0
                welcome banner = "Welcome to TAC_PLUS !!!\n\n\n"
                key = arista
        }

        profile = admin {
            script {
                if (service == shell) {
                    if (cmd == "") {
                        set priv-lvl = 15
                        permit
                    }
                }
            }
        }

        profile = testuser {
            script {
                if (service == shell) {
                    if (cmd == "") {
                        set priv-lvl = 15
                        deny
                    }
                }
            }
        }
}

debug = ALL USERINPUT
```

MarcJHuber commented 1 year ago

Hi,

tcp6 includes tcp4. In case your Arista switch comes with a "telnet" command, it might be possible to validate that the port on your server is open and reachable.

I've no hands-on experience with Arista devices and can't help you with Arista configuration issues.

Cheers,

Marc
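Marc's point that the tcp6 listener also serves IPv4 holds on Linux because a socket bound to the IPv6 wildcard `::` accepts IPv4 connections as IPv4-mapped addresses unless IPV6_V6ONLY is set, either by the daemon or through the kernel default in /proc/sys/net/ipv6/bindv6only. The script below is an added example, not part of this issue and not tac_plus-ng code: it takes a `netstat -tupln` (or `ss -ltn`) listener line plus the bindv6only value and reports which address families can reach the socket. It assumes tac_plus-ng leaves the kernel default in place rather than setting IPV6_V6ONLY itself; the netstat sample is constructed, with only the tac_plus-ng line taken from the issue.

```shell
#!/bin/sh
# Added example (not from the issue or from tac_plus-ng): work out from a
# "netstat -tupln" listener line whether IPv4 clients can reach a socket that
# netstat reports as "tcp6 ... :::49".
#
# On Linux a socket bound to the IPv6 wildcard "::" also accepts IPv4 peers
# (seen as ::ffff:a.b.c.d) unless IPV6_V6ONLY is set on the socket or the
# kernel default /proc/sys/net/ipv6/bindv6only is 1. Assumption: tac_plus-ng
# does not set IPV6_V6ONLY itself, so the kernel setting decides.

# kernel_bindv6only: print the kernel's bindv6only value; 0 when the file is
# absent (e.g. a host without IPv6 support).
kernel_bindv6only() {
    if [ -r /proc/sys/net/ipv6/bindv6only ]; then
        cat /proc/sys/net/ipv6/bindv6only
    else
        echo 0
    fi
}

# listener_reach PROTO LOCAL_ADDR BINDV6ONLY
#   PROTO      "tcp" or "tcp6", netstat's first column
#   LOCAL_ADDR the "Local Address" column, e.g. ":::49", "[::]:49", "0.0.0.0:22"
#   BINDV6ONLY 0 or 1
# Prints one of: v4+v6, v4-only, v6-only.
listener_reach() {
    proto=$1
    host=${2%:*}          # strip ":port" -> "::", "[::]", "::1", "0.0.0.0", ...
    v6only=$3
    case "$proto" in
        tcp)
            echo "v4-only" ;;
        tcp6)
            case "$host" in
                ::|'[::]')
                    # IPv6 wildcard: dual-stack unless v6-only is forced
                    if [ "$v6only" = "1" ]; then echo "v6-only"; else echo "v4+v6"; fi ;;
                ::ffff:*)
                    # bound to an IPv4-mapped address: only IPv4 peers connect
                    echo "v4-only" ;;
                *)
                    # a specific IPv6 address such as ::1
                    echo "v6-only" ;;
            esac ;;
        *)
            echo "unknown"; return 1 ;;
    esac
}

# report_listeners NETSTAT_OUTPUT BINDV6ONLY
# Prints "PORT PROGRAM: REACH" for every LISTEN line in the given output.
report_listeners() {
    printf '%s\n' "$1" | while read -r proto _ _ laddr _ state prog; do
        [ "$state" = "LISTEN" ] || continue
        echo "${laddr##*:} ${prog#*/}: $(listener_reach "$proto" "$laddr" "$2")"
    done
}

# Constructed sample in the layout of "netstat -tupln"; the tac_plus-ng line
# mirrors the one in the issue, the other two are made up for contrast.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp6       0      0 :::49                   :::*                    LISTEN      1412997/tac_plus-ng
tcp6       0      0 ::1:631                 :::*                    LISTEN      901/cupsd'

# Stand-alone use: evaluate the sample against this host's kernel setting.
# With the default bindv6only=0 the tac_plus-ng line reads "49 tac_plus-ng: v4+v6".
report_listeners "$SAMPLE_NETSTAT" "$(kernel_bindv6only)"
```

Run it on the real server by replacing the sample with `"$(netstat -tupln)"`. If port 49 comes back as `v4+v6` and tcpdump still shows nothing on that port, the listener is not the problem; the packets are not arriving, which is exactly what a telnet test from the switch would confirm before looking at the switch's TACACS+ server and source-interface settings.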