MarcJHuber / event-driven-servers

A collection of event-driven servers (currently: tac_plus, tac_plus-ng, ftpd, tcprelay)
https://www.pro-bono-publico.de/projects

chap login failed (no clear text password set) #96

Closed dmgeurts closed 4 months ago

dmgeurts commented 4 months ago

I'm trying to make sense of this error in the tac_plus-ng logs.

Jun 12 19:37:59 tac0 tac_plus-ng[315]: 192.x.x.x looking for user dgeurts in MAVIS backend
Jun 12 19:37:59 tac0 tac_plus-ng[315]: 192.x.x.x result for user dgeurts is ACK
Jun 12 19:37:59 tac0 tac_plus-ng[315]: 192.x.x.x chap login for 'user' on tty10 failed (no clear text password set)

I'm using FreeIPA as the LDAP source and auth works against that, so I'm thinking this must be chap specific? What am I missing? Is pap backend = mavis required for chap? Do I need to do something specific in my LDAP database?

My sanitised config:

#!/usr/local/sbin/tac_plus-ng
id = spawnd {
    listen = { address = 0.0.0.0 port = 49 }
    #Uncomment the line below for IPv6 support
    #listen = { address = :: port = 49 }
    spawn = {
        instances min = 1
        instances max = 10
    }
    background = yes
}

id = tac_plus-ng {
    log authzlog { destination = /var/log/tac_plus/authz/%Y/%m/%d.log }
    log authclog { destination = /var/log/tac_plus/authc/%Y/%m/%d.log }
    log acctlog  { destination = /var/log/tac_plus/acct/%Y/%m/%d.log }
    accounting log = acctlog
    authentication log = authclog
    authorization log = authzlog

    mavis module = external {
        # tac_plus-ng requires microsoft type for FreeIPA (officially only AD and openLDAP are supported)
        setenv LDAP_SERVER_TYPE = "microsoft"
        setenv LDAP_HOSTS = "ldaps://ipa.domain.com:636"
        setenv LDAP_CONNECT_TIMEOUT = 3
        setenv LDAP_SCOPE = sub

        setenv LDAP_USER = "uid=tacplusng,cn=sysaccounts,cn=etc,dc=DOMAIN,dc=COM"
        setenv LDAP_PASSWD = "********"

        setenv LDAP_BASE = "cn=users,cn=accounts,dc=domain,dc=com"
        setenv LDAP_FILTER = "(&(objectclass=posixaccount)(uid=%s))" #"(uid=%s)"
        setenv LDAP_BASE_GROUP = "cn=groups,cn=accounts,dc=domain,dc=com"
        setenv LDAP_FILTER_GROUP = "(&(objectclass=posixgroup)(memberOf=%s))"

        # Do not allow password changes via TACACS+
        setenv FLAG_CHPW = 0
        setenv FLAG_USE_ALIAS = 0
        setenv FLAG_USE_MEMBEROF = 1
        setenv LDAP_MEMBEROF_REGEX = "^cn=tac-([^,]+),cn=groups.*"

        # Setting REQUIRE_TACACS_GROUP_PREFIX to 1 will cause a NACK response if the AD account is not a member of a security group with the required prefix
        setenv REQUIRE_TACACS_GROUP_PREFIX = 1
        setenv TACACS_GROUP_PREFIX = tac-

        # DO NOT SET THE USE_TLS ENVIRONMENT VARIABLE, TLS WILL AUTOMATICALLY BE ENABLED IF NEEDED
        # FORCING THIS VARIABLE TO 1 WILL BREAK MAVIS IF TLS IS NEEDED
        #setenv USE_TLS = 0
        exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
    }

    login backend = mavis
    user backend = mavis
    #pap backend = mavis

    device corp {
        # Displayed before password prompt
        welcome banner = "Access is logged, your IP address is: $client.address.\n"
        # Shown after successful login
        motd banner = "Welcome to $host.name\n"
    }
    device corp-core {
        address = x.y.z.0/24
        key = "********"
        parent = corp
    }
    device corp-sbc {
        address = a.b.c.0/24
        key = "********"
        parent = corp
    }
    device world {
        # Allow any IPv4 device
        address = 0.0.0.0/0
        # Uncomment the line below for IPv6 support
        #address = ::/0
        key = "some key"
        parent = corp
    }

    profile cisco-admins {
        script {
            if (service == shell) {
                if (cmd == "")
                    set priv-lvl = 15
                    # Uncomment the line below for NX-OS support
                    set shell:roles = '"network-admin vdc-admin"'
                    # Uncomment the line below for IOS XR support
                    set task = "#root-system"
                permit
            }
        }
    }

    profile test-admins {
        script {
            if (service == shell) {
                if (cmd == "")
                    set priv-lvl = 15
                permit
            }
        }
    }

    # readonly = guest (in tac_plus-ng docs)
    profile readonly {
        enable = deny
        script {
            if (service == shell) {
                if (cmd == "")
                     set priv-lvl = 1
                permit
            }
        }
    }

    ruleset {
        rule {
            script { 
                if (memberof =~ /^CN=tac-eng,/) { profile = cisco-admins permit }
                if (memberof =~ /^CN=tac-test,/) { profile = test-admins permit }
                if (memberof =~ /^CN=tac-readonly,/) { profile = readonly permit }
            }
        }
    }

}
MarcJHuber commented 4 months ago

Hi,

CHAP will only work with clear-text passwords defined in user profiles. There's no way to let LDAP authenticate CHAP. You could perhaps modify your LDAP schema to add a CHAP clear-text password and adjust configuration and/or backend scripts to return that password to the daemon for verification, but I've doubts that that would be worth the effort.

I actually think the issue here is that your device (router, switch, whatever) is configured to use CHAP for authentication. If you absolutely need to use CHAP you can configure a user with a dedicated clear-text password:

user demo { password chap = clear whatever }

Cheers,

Marc
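Added illustration of why the daemon can answer CHAP only from a clear-text password (example code, not tac_plus-ng's own). It follows the TACACS+ inbound CHAP layout from RFC 8907: the START data field carries the PPP id, the challenge and the 16-byte MD5 response, and the server must recompute MD5(id || secret || challenge) itself, which an LDAP bind-only backend cannot do. The secret, challenge and the bind stub are constructed values.

```python
"""Why CHAP needs a clear-text password on the TACACS+ server (added example)."""
import hashlib
import hmac
from typing import Callable, Optional

# Mirrors the message dmgeurts saw in the tac_plus-ng log.
NO_CLEARTEXT = "chap login failed (no clear text password set)"


def chap_response(ppp_id: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 MD5-CHAP response as the client (the network device) computes it."""
    return hashlib.md5(bytes([ppp_id]) + secret.encode() + challenge).digest()


def build_chap_data(ppp_id: int, secret: str, challenge: bytes) -> bytes:
    """Constructed START data field: ppp_id || challenge || response (RFC 8907)."""
    return bytes([ppp_id]) + challenge + chap_response(ppp_id, secret, challenge)


def verify_chap(data: bytes, cleartext: Optional[str]) -> str:
    """Server side of CHAP.

    The server never receives the password, only a digest over it, so it
    must hold the clear-text secret to recompute that digest. A backend that
    can only answer "does this password bind?" (what the MAVIS LDAP script
    does) has nothing to work with; that is the failure in the log.
    """
    if cleartext is None:
        return NO_CLEARTEXT
    ppp_id, challenge, response = data[0], data[1:-16], data[-16:]
    expected = chap_response(ppp_id, cleartext, challenge)
    return "ACK" if hmac.compare_digest(expected, response) else "NACK"


def verify_pap(password: str, bind: Callable[[str], bool]) -> str:
    """Server side of PAP: the password itself arrives, so it can be forwarded
    to an LDAP bind (or any other "is this password right?" oracle)."""
    return "ACK" if bind(password) else "NACK"


if __name__ == "__main__":
    challenge = bytes(range(16))  # constructed; a real device sends random bytes
    data = build_chap_data(7, "s3cret", challenge)
    print(verify_chap(data, "s3cret"))   # ACK: server holds the clear-text secret
    print(verify_chap(data, None))       # the log message from the issue
    print(verify_pap("s3cret", lambda pw: pw == "s3cret"))  # ACK via bind stub
```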

dmgeurts commented 4 months ago

That's clear then, so my options are clear text or pap when using LDAP? Indeed I configured the device for chap assuming this to be the safer standard. However, after refreshing myself with TACACS encryption, I see clear text will do just fine.