chap login failed (no clear text password set)
Closed this issue · 2 comments
I'm trying to make sense of this error in the tac_plus-ng logs.
Jun 12 19:37:59 tac0 tac_plus-ng[315]: 192.x.x.x looking for user dgeurts in MAVIS backend
Jun 12 19:37:59 tac0 tac_plus-ng[315]: 192.x.x.x result for user dgeurts is ACK
Jun 12 19:37:59 tac0 tac_plus-ng[315]: 192.x.x.x chap login for 'user' on tty10 failed (no clear text password set)
I'm using FreeIPA as LDAP source and auth works against that, so I'm thinking this must be chap specific? What am I missing? Is pap backend = mavis required for chap? Do I need to do something specific in my LDAP database?
My sanitised config:
#!/usr/local/sbin/tac_plus-ng
id = spawnd {
listen = { address = 0.0.0.0 port = 49 }
#Uncomment the line below for IPv6 support
#listen = { address = :: port = 49 }
spawn = {
instances min = 1
instances max = 10
}
background = yes
}
id = tac_plus-ng {
log authzlog { destination = /var/log/tac_plus/authz/%Y/%m/%d.log }
log authclog { destination = /var/log/tac_plus/authc/%Y/%m/%d.log }
log acctlog { destination = /var/log/tac_plus/acct/%Y/%m/%d.log }
accounting log = acctlog
authentication log = authclog
authorization log = authzlog
mavis module = external {
# tac_plus-ng requires microsoft type for FreeIPA (officially only AD and openLDAP are supported)
setenv LDAP_SERVER_TYPE = "microsoft"
setenv LDAP_HOSTS = "ldaps://ipa.domain.com:636"
setenv LDAP_CONNECT_TIMEOUT = 3
setenv LDAP_SCOPE = sub
setenv LDAP_USER = "uid=tacplusng,cn=sysaccounts,cn=etc,dc=DOMAIN,dc=COM"
setenv LDAP_PASSWD = "********"
setenv LDAP_BASE = "cn=users,cn=accounts,dc=domain,dc=com"
setenv LDAP_FILTER = "(&(objectclass=posixaccount)(uid=%s))" #"(uid=%s)"
setenv LDAP_BASE_GROUP = "cn=groups,cn=accounts,dc=domain,dc=com"
setenv LDAP_FILTER_GROUP = "(&(objectclass=posixgroup)(memberOf=%s))"
# Do not allow password changes via TACACS+
setenv FLAG_CHPW = 0
setenv FLAG_USE_ALIAS = 0
setenv FLAG_USE_MEMBEROF = 1
setenv LDAP_MEMBEROF_REGEX = "^cn=tac-([^,]+),cn=groups.*"
# Setting REQUIRE_TACACS_GROUP_PREFIX to 1 will cause a NACK response if the AD account is not a member of a security group with the required prefix
setenv REQUIRE_TACACS_GROUP_PREFIX = 1
setenv TACACS_GROUP_PREFIX = tac-
# DO NOT SET THE USE_TLS ENVIRONMENT VARIABLE, TLS WILL AUTOMATICALLY BE ENABLED IF NEEDED
# FORCING THIS VARIABLE TO 1 WILL BREAK MAVIS IF TLS IS NEEDED
#setenv USE_TLS = 0
exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
}
login backend = mavis
user backend = mavis
#pap backend = mavis
device corp {
# Displayed before password prompt
welcome banner = "Access is logged, your IP address is: $client.address.\n"
# Shown after successful login
motd banner = "Welcome to $host.name\n"
}
device corp-core {
address = x.y.z.0/24
key = "********"
parent = corp
}
device corp-sbc {
address = a.b.c.0/24
key = "********"
parent = corp
}
device world {
# Allow any IPv4 device
address = 0.0.0.0/0
# Uncomment the line below for IPv6 support
#address = ::/0
key = "some key"
parent = corp
}
profile cisco-admins {
script {
if (service == shell) {
if (cmd == "")
set priv-lvl = 15
# Uncomment the line below for NX-OS support
set shell:roles = '"network-admin vdc-admin"'
# Uncomment the line below for IOS XR support
set task = "#root-system"
permit
}
}
}
profile test-admins {
script {
if (service == shell) {
if (cmd == "")
set priv-lvl = 15
permit
}
}
}
# readonly = guest (in tac_plus-ng docs)
profile readonly {
enable = deny
script {
if (service == shell) {
if (cmd == "")
set priv-lvl = 1
permit
}
}
}
ruleset {
rule {
script {
if (memberof =~ /^CN=tac-eng,/) { profile = cisco-admins permit }
if (memberof =~ /^CN=tac-test,/) { profile = test-admins permit }
if (memberof =~ /^CN=tac-readonly,/) { profile = readonly permit }
}
}
}
}
Hi,
CHAP will only work with clear-text passwords defined in user profiles. There's no way to let LDAP authenticate CHAP. You could perhaps modify your LDAP schema to add a CHAP clear-text password and adjust configuration and/or backend scripts to return that password to the daemon for verification, but I've doubts that that would be worth the effort.
I actually think the issue here is that your device (router, switch, whatever) is configured to use CHAP for authentication. If you absolutely need to use CHAP you can configure user with a dedicated clear-text password:
user demo { password chap = clear whatever }
Cheers,
Marc
That's clear then, so my options are clear text or pap when using LDAP? Indeed I configured the device for chap assuming this to be the safer standard. However, after refreshing myself with TACACS encryption, I see clear text will do just fine.