MarcJHuber/event-driven-servers

tac_plus-ng doesn't seem to start socket even though service reports up and operational.

jmessenger51 opened this issue · 6 comments

I followed:
https://www.pro-bono-publico.de/projects/howto-tac_plus-ng-ads.html and stuck with a basic configuration to test access. However, the service doesn't start the socket to receive packets.

#!/usr/local/sbin/tac_plus-ng
id = spawnd {
listen = { address = 0.0.0.0 port = 4949 }
}

id = tac_plus-ng {
host IPv4only {
address = 0.0.0.0/0
welcome banner = "\n Welcome to TACACS+NG\n\n"
key = <<<>>
}

profile netadmin {
    script {
        if (service == shell) {
            if (cmd == "") {
                set priv-lvl = 15
                permit
            }
        }
    }
}

group admin

user cisco {
    password login = clear cisco
    member = admin
}

ruleset {
    rule {
        script {
            if (member == admin) { profile = netadmin permit }
        }
    }
}

}

and have Arista setup to hit the server

tacacs-server key 7 <<>>
tacacs-server host <<>> key 7 <<>>
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ local

I start the service with debugging

tacacs@tacacs01:~/tac_plugng$ tac_plus-ng -f basic.cfg -d 4
21056: 18:13:42.748 0/00000000: - Version 70da485 initialized
21055: 18:13:42.748 0/00000000: - Version 70da485 initialized

however, a pcap shows that the server does a TCP reset immediately upon receiving a packet on port 49

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens18, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:21:16.673625 IP 201-r0102-08-oobds.16.172.in-addr.arpa.48714 > tacacs01.tacacs: Flags [S], seq 2855777150, win 64240, options [mss 1460,sackOK,TS val 3947280169 ecr 0,nop,wscale 7], length 0
18:21:16.673645 IP tacacs01.tacacs > 201-r0102-08-oobds.16.172.in-addr.arpa.48714: Flags [R.], seq 0, ack 2855777151, win 0, length 0
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel

and ss shows that 49 is not active

tacacs@tacacs01:~$ ss | grep 49
u_str ESTAB 0 0 /run/systemd/journal/stdout 35150 * 35149
u_str ESTAB 0 0 * 35149 * 35150
u_str ESTAB 0 0 * 47496 * 47495
u_str ESTAB 0 0 * 28690 * 28349
u_str ESTAB 0 0 * 47495 * 47496
u_str ESTAB 0 0 /run/systemd/journal/stdout 28349 * 28690

What would cause the service to not start receiving on port 49?

UFW & iptables are disabled

System information:
tacacs@tacacs01:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.3 LTS
Release: 22.04
Codename: jammy

kernel version:
5.15.0-91-generic

Hi,

your server config specifies "port = 4949", but your Aruba system tries to connect to port 49?

Cheers,

Marc
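A small troubleshooting check for the mismatch Marc points out, added here as an example (not code from the thread or from the event-driven-servers project): it pulls every `listen = { ... }` block out of a tac_plus-ng config, compares the configured ports with the port the device is sending to, and then does a plain TCP connect probe so that "refused" (the RST seen in the pcap, nothing bound) is told apart from "open" and "filtered". The config text is a constructed sample based on the stanza above, and the default port of 49 when none is given is an assumption.

```python
import re
import socket

# Constructed sample based on the spawnd stanza in the issue; the device was aiming at 49.
SAMPLE_CFG = """\
id = spawnd {
listen = { address = 0.0.0.0 port = 4949 }
}
"""
LISTEN_RE = re.compile(r"listen\s*=\s*\{([^}]*)\}")
KV_RE = re.compile(r"(\w+)\s*=\s*(\S+)")

def configured_listeners(cfg_text):
    """[(address, port), ...] for every 'listen = { ... }' block in the config."""
    out = []
    for m in LISTEN_RE.finditer(cfg_text):
        kv = dict(KV_RE.findall(m.group(1)))
        out.append((kv.get("address", "0.0.0.0"), int(kv.get("port", 49))))  # 49 assumed default
    return out

def probe(host, port, timeout=2.0):
    """'open' if something accepts, 'refused' on RST (no listener, as in the pcap), 'filtered' on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "filtered"

def check(cfg_text, device_port, host="127.0.0.1"):
    """Flag a device/server port mismatch, then probe each configured port."""
    ports = [p for _, p in configured_listeners(cfg_text)]
    findings = []
    if device_port not in ports:
        findings.append(f"device sends to port {device_port}, server listens on {ports}")
    findings.extend(f"port {p}: {probe(host, p)}" for p in ports)
    return findings

def demo_probe():
    """Open a throwaway listener, probe it, close it, probe again: 'service up' vs 'socket bound'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = probe("127.0.0.1", port)
    srv.close()
    return while_open, probe("127.0.0.1", port)
```

Run `check(open("basic.cfg").read(), 49)` on the server itself; a "refused" result on a port the config names means the process never bound it, regardless of what the service manager reports.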

I changed the port number, still no good. However, I think I'm missing some of the perl modules.

I built a new vm to start with something fresh and tried:

sudo apt -y install libnet-ip-perl libnet-rawip-perl libnet-write-perl libnet-frame-perl libunix-syslog-perl libnet-ldap-perl libauthen-tacacsplus-perl libauthen-simple-passwd-perl libcrypt-cbc-perl libcryptx-perl libtemplate-plugin-posix-perl perl-openssl-defaults

sudo apt -y install libcrypt-gcrypt-perl libwww-curl-perl libauthen-radius-perl libauthen-pam-perl libsctp-dev libpoe-filter-ssl-perl libnet-ssleay-perl libssl-dev openssl libnet-smtp-tls-perl libcompress-raw-zlib-perl

sudo apt -y install libperl-dev libfreeradius-dev libfreeradius3 libpcre3-dev libalberta-dev libnet-ldap-sid-perl libauthen-simple-ldap-perl libdbd-ldap-perl libnet-ldap-filterbuilder-perl libnet-ldap-perl libnet-ldap-server-perl libnet-ldap-server-test-perl libnet-ldap-sid-perl libnet-ldapapi-perl libtest-net-ldap-perl libauthen-pam-perl libauthen-simple-pam-perl libbio-tools-phylo-paml-perl libcompress-raw-zlib-perl

sudo apt -y install libcurl4-gnutls-dev libcurl4-nss-dev libcurl4-openssl-dev

as well as

cpan Net::Curl
cpan WWW::Curl
cpan Authen::Radius
cpan FreeRADIUS::Database
cpan App::LDAP
cpan Net::LDAP
cpan pam
cpan Authen::PAM
cpan Authen::Simple::PAM
cpan Authen::PAM::Module
cpan Net::Radius::Server::PAM
cpan Net::IP
cpan Net::RawIP
cpan Net::Write::Layer
cpan Net::Write::Layer3
cpan Net::Frame::Simple
cpan Net::Frame::Layer::IPv4
cpan Net::Frame::Layer::IPv6
cpan Net::Frame::Layer::UDP
cpan Sys::Syslog
cpan Net::LDAP
cpan Net::RawIP
cpan Net::TacacsPlus
cpan Authen::Simple::RADIUS
cpan Crypt::Passwd::XS
cpan POSIX

but the system still reports development files not found.

Development files were not found for: LIB-CURL, LIB-FREERADIUS_CLIENT, LIB-LBER, LIB-LDAP, LIB-PAM, LIB-ZLIB

I found:
sudo apt -y install libcurl4-gnutls-dev
sudo apt -y install libldap-dev
sudo apt -y install libpam0g-dev
sudo apt -y install zlib1g-dev

which resolved all but the LIB-FREERADIUS_CLIENT dependency

It was the missing modules. I never found the lib-freeradius_client dependency; however, now it accepts users.

Here is the process from fresh Ubuntu 22.04 install to running tac_plus-ng (excluding the config file as that's above)

Process:
1.) Fresh installation of Ubuntu 22.04.3
- select ubuntu server not minimal

2.) update & upgrade base os
sudo apt update && sudo apt upgrade

3.) install git & curl
sudo apt install git curl

4.) clone the repository
git clone https://github.com/MarcJHuber/event-driven-servers.git

5.) review ~/event-driven-servers/PREREQUISITES.txt

- GNU make
- a recent C compiler, preferably CLANG
- libpcre2 development headers + libraries
- libc-ares for DNS reverse lookups, if required
- Perl. Plus a couple of modules:
  - Net::IP
  - Net::RawIP
  - Net::Write::Layer
  - Net::Write::Layer3
  - Net::Frame::Simple
  - Net::Frame::Layer::IPv4
  - Net::Frame::Layer::IPv6
  - Net::Frame::Layer::UDP
  - Sys::Syslog
  - Net::LDAP
  - Net::RawIP
  - Net::TacacsPlus
  - Authen::Simple::RADIUS
  - Crypt::Passwd::XS
  - POSIX
  ... and possibly others.
- Python (optional)

6.) Install Prerequisites
sudo apt -y install perl make clang libpcre2-dev libc-ares-dev

7.) Install Perl Modules:
sudo apt -y install libnet-ip-perl libnet-rawip-perl libnet-write-perl libnet-frame-perl libunix-syslog-perl libnet-ldap-perl libauthen-tacacsplus-perl libauthen-simple-passwd-perl libcrypt-cbc-perl libcryptx-perl libtemplate-plugin-posix-perl perl-openssl-defaults

sudo apt -y install libcrypt-gcrypt-perl libwww-curl-perl libauthen-radius-perl libauthen-pam-perl libsctp-dev libpoe-filter-ssl-perl libnet-ssleay-perl libssl-dev openssl libnet-smtp-tls-perl libcompress-raw-zlib-perl

sudo apt -y install libperl-dev libfreeradius-dev libfreeradius3 libpcre3-dev libalberta-dev libnet-ldap-sid-perl libauthen-simple-ldap-perl libdbd-ldap-perl libnet-ldap-filterbuilder-perl libnet-ldap-perl libnet-ldap-server-perl libnet-ldap-server-test-perl libnet-ldap-sid-perl libnet-ldapapi-perl libtest-net-ldap-perl libauthen-pam-perl libauthen-simple-pam-perl libbio-tools-phylo-paml-perl libcompress-raw-zlib-perl

sudo apt -y install libcurl4-gnutls-dev libcurl4-nss-dev libcurl4-openssl-dev
sudo apt -y install libcurl4-gnutls-dev
sudo apt -y install libldap-dev
sudo apt -y install libpam0g-dev
sudo apt -y install zlib1g-dev

some of the packages are not needed, but they also didn't cause conflicts.

Hi,

glad you've managed to make it work.

freeradius-client is available from https://github.com/FreeRADIUS/freeradius-client; the last time I looked there was no Ubuntu package available.

Cheers,

Marc