MarcJHuber/event-driven-servers

TACACS configuration file parsing fails with tac_plus-ng while it works with tac_plus

jayeshkumarbhoi opened this issue · 3 comments

Hello, I recently switched our TACACS server from tac_plus to tac_plus-ng, and with this our internal config-check script started failing with the new tac_plus-ng. See the full logs below:

12: /etc/tac-plus-ng/tacacs.conf:25: Expected 'access', 'accounting', 'acl', 'alias', 'anonymous-enable', 'augmented-enable', 'authentication', 'authorization', 'bug', 'cache', 'connection', 'context', 'coredump', 'debug', 'device', 'dns', 'enable', 'group', 'host', 'key', 'log', 'login', 'mavis', 'max-rounds', 'message', 'motd', 'net', 'pap', 'parent', 'password', 'permit', 'proctitle', 'profile', 'realm', 'reject', 'retire', 'ruleset', 'script', 'script-order', 'session', 'single-connection', 'skip', 'syslog', 'time', 'timespec', 'tls', 'trace', 'umask', 'user', 'warning' or 'welcome', but got 'date'
12: Detected fatal configuration error. Exiting. 

Traceback (most recent call last):
  File "/etc/tac-plus-ng/config_file_check.py", line 213, in <module>
    main()
  File "/etc/tac-plus-ng/config_file_check.py", line 201, in main
    config_fails = test_tac_config()
  File "/etc/tac-plus-ng/config_file_check.py", line 47, in test_tac_config
    proc = subprocess.check_output('/tacacs/sbin/tac_plus-ng -P %s' % outputfile, shell=True)
  File "/usr/lib/python3.10/subprocess.py", line 421, in check_output
    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
  File "/usr/lib/python3.10/subprocess.py", line 526, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '/tacacs/sbin/tac_plus-ng -P /etc/tac-plus-ng/tacacs.conf' returned non-zero exit status 78.

Any idea why this configuration, which works with tac_plus, fails with tac_plus-ng?
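The check script in the traceback above calls the parser through `subprocess.check_output(... shell=True)` with the path spliced in by string formatting, so the only thing it reports is a `CalledProcessError`, and a path containing shell metacharacters would be re-interpreted by `/bin/sh`. Below is an added example of a config-check wrapper (written for this page, not part of the issue or of the event-driven-servers project) that passes argv as a list, treats a non-zero exit as a result rather than an exception, and turns the parser's diagnostic line into file, line and offending token. It assumes only what the issue shows: the parser is run as `tac_plus-ng -P <conf>`, it exits non-zero on a fatal configuration error (the status 78 seen in the traceback is the value sysexits.h assigns to `EX_CONFIG`), and its diagnostics look like `<pid>: <file>:<line>: Expected ..., but got '<token>'`. The sample output embedded in the block is constructed from the lines quoted in this issue.

```python
"""Config-check wrapper for tac_plus-ng's parse-only mode (tac_plus-ng -P <conf>).

Added example, not part of the issue or of the event-driven-servers project.
Assumptions: the parser is invoked as '<binary> -P <conf>', exits non-zero on a
fatal configuration error, and prints diagnostics in the form quoted in the
issue ("<pid>: <file>:<line>: Expected ..., but got '<token>'").
"""
import re
import subprocess
from dataclasses import dataclass, field
from pathlib import Path
from typing import Optional

EX_CONFIG = 78  # sysexits.h EX_CONFIG; matches the exit status seen in the issue

# One diagnostic line: "<pid>: <file>:<line>: <message>[, but got '<token>']"
_DIAG_RE = re.compile(
    r"^\d+:\s+(?P<file>[^:]+):(?P<line>\d+):\s+"
    r"(?P<msg>.*?)(?:,\s+but got '(?P<token>[^']*)')?\s*$"
)

# Constructed sample: the second parser error quoted in this issue.
SAMPLE_OUTPUT = (
    "11: /etc/tac-plus-ng/tacacs.conf:36: Expected 'access', 'accounting', "
    "'authorization', 'connection', 'destination', 'syslog' or '}', but got 'log'\n"
    "11: Detected fatal configuration error. Exiting.\n"
)


@dataclass
class Diagnostic:
    file: str
    line: int
    message: str
    unexpected: Optional[str]  # token the parser choked on, if it reported one


@dataclass
class CheckResult:
    conf: str
    returncode: int
    diagnostics: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.returncode == 0

    @property
    def is_config_error(self) -> bool:
        return self.returncode == EX_CONFIG


def parse_diagnostics(output: str) -> list:
    """Extract file/line/message/token from the parser's diagnostic lines.

    Lines without a '<file>:<line>:' location (e.g. 'Detected fatal
    configuration error. Exiting.') are ignored.
    """
    diags = []
    for raw in output.splitlines():
        m = _DIAG_RE.match(raw.strip())
        if m:
            diags.append(Diagnostic(m["file"], int(m["line"]), m["msg"], m["token"]))
    return diags


def check_config(conf: str, binary: str = "/tacacs/sbin/tac_plus-ng") -> CheckResult:
    """Run the parser in check mode and collect its verdict.

    argv is a list (no shell=True, no string formatting), so a configuration
    path containing spaces or shell metacharacters is passed through verbatim.
    """
    proc = subprocess.run(
        [binary, "-P", conf],
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT,  # diagnostics may go to either stream; merge them
        text=True,
        check=False,  # a non-zero exit is the result we inspect, not an exception
    )
    return CheckResult(conf, proc.returncode, parse_diagnostics(proc.stdout))


def check_all(conf_dir: str, binary: str = "/tacacs/sbin/tac_plus-ng") -> list:
    """Check every *.conf under conf_dir and return the results that failed."""
    failed = []
    for path in sorted(Path(conf_dir).glob("*.conf")):
        result = check_config(str(path), binary)
        if not result.ok:
            failed.append(result)
    return failed


def summarize(result: CheckResult) -> str:
    """One line per config, suitable for a CI log."""
    if result.ok:
        return f"{result.conf}: OK"
    kind = "configuration error" if result.is_config_error else f"exit status {result.returncode}"
    if not result.diagnostics:
        return f"{result.conf}: {kind}, no diagnostic line found"
    d = result.diagnostics[0]
    what = f"unexpected '{d.unexpected}'" if d.unexpected is not None else d.message
    return f"{result.conf}: {kind} at line {d.line}: {what}"


if __name__ == "__main__":
    import sys

    failures = check_all(sys.argv[1] if len(sys.argv) > 1 else "/etc/tac-plus-ng")
    for r in failures:
        print(summarize(r))
    sys.exit(1 if failures else 0)
```

Run it as `python3 config_check.py /etc/tac-plus-ng` against the directory holding the configs to migrate; each failing file yields one line with the line number and the token the parser rejected, which is the information needed to work through a large set of configs one by one.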

Hi,

tac_plus-ng and tac_plus are not syntax-compatible. The configurations are somewhat similar, but not the same.

Cheers,

Marc

Thanks @MarcJHuber for quick answer.

Is there any guideline or document where I can find what has changed? My current server has plenty of configuration files, so I need to check and correct them one by one. E.g. for the logging below I got an error:

Remote logging to syslog00

log authz {
destination =
syslog facility = LOCAL7 # sets log facility
syslog level = INFO # sets log level
syslog ident = Authorization
log separator = "\t"
}

11: /etc/tac-plus-ng/tacacs.conf:36: Expected 'access', 'accounting', 'authorization', 'connection', 'destination', 'syslog' or '}', but got 'log'
11: Detected fatal configuration error. Exiting.

So it would be good to have a guideline or sample config which covers all the changes.

Hi,

alas, there's no migration guide. Never had the time for that. The HTML/PDF documentation comes with configuration samples, and comparing tac_plus/sample/tac_plus.cfg to tac_plus-ng/sample/tac_plus-ng.cfg might give some ad hoc insights.

tac_plus is more based on "objects" (users, groups), with certain attributes assigned (e.g. services). tac_plus-ng, on the other hand, moves most of those attributes to "profile" objects, and a profile is assigned to a session based on session and user parameters, which is a fundamentally different approach. Also, logging has changed and is now fully customizable (that's why you're seeing the error message at "log separator").

Cheers,

Marc