<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Hello -<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I am trying to use a tac_plus server with a client that uses the open source nss_tacplus library (<a href="https://github.com/benschumacher/nss_tacplus">https://github.com/benschumacher/nss_tacplus</a>). This library attempts to sufficient
information for a Linux-based operating system login process via its “nss” subsystem. To do this it tries to leverage the AVPs/VSAs returned from a tacacs+ server during an authorization query.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Unfortunately, I have not had any luck devising a tac_plus configuration that will work. The client connects, and the user name is apparently recognized, but the required AVPs are not being passed back. The log messages I get from the
nss_tacplus library look like: <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">May 29 06:50:08 nscd: src/nss_tacplus.c: `/etc/tacplus.conf' no change at cycle=23750<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">May 29 06:50:08 nscd: src/nss_tacplus.c: begin lookup: user=`joan', server=`10.1.27.136:49'<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">May 29 06:50:08 nscd: Args cnt 0<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">May 29 06:50:08 nscd: src/nss_tacplus.c: found match: user=`joan', server=`10.1.27.136:49', status=1, attributes? no<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">May 29 06:50:08 nscd: src/nss_tacplus.c: missing required attribute 'UID'<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">May 29 06:50:08 nscd: src/nss_tacplus.c: missing required attribute 'GID'<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">May 29 06:50:08 nscd: src/nss_tacplus.c: missing required attribute 'HOME'<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">May 29 06:50:08 nscd: src/nss_tacplus.c: missing required attribute 'SHELL'<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">May 29 06:50:08 sshd[19451]: Invalid user joan from 10.11.12.44 port 55294<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Do you have any experience inter-operating with this (nss_tacplus) library? Does tac_plus respond to authorization queries with AVPs in its response? Our use of the nss_tacplus library has been validated with Cisco ACS 5.5.0.46.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Below is the tac_plus.conf file that I have used : <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">key = cisco<o:p></o:p></p>
<p class="MsoNormal">accounting file = /var/log/tac.log<o:p></o:p></p>
<p class="MsoNormal">group = admin {<o:p></o:p></p>
<p class="MsoNormal"> default service = permit<o:p></o:p></p>
<p class="MsoNormal"># service = adva-exec {<o:p></o:p></p>
<p class="MsoNormal"># uid=1012<o:p></o:p></p>
<p class="MsoNormal"># gid=1014<o:p></o:p></p>
<p class="MsoNormal"># home=/home<o:p></o:p></p>
<p class="MsoNormal"># shell=/bin/bash<o:p></o:p></p>
<p class="MsoNormal"># service = adva-exec {<o:p></o:p></p>
<p class="MsoNormal"># uid="2000"<o:p></o:p></p>
<p class="MsoNormal"># gid="504"<o:p></o:p></p>
<p class="MsoNormal"># home="/home"<o:p></o:p></p>
<p class="MsoNormal"># shell="/bin/bash"<o:p></o:p></p>
<p class="MsoNormal"># }<o:p></o:p></p>
<p class="MsoNormal"># }<o:p></o:p></p>
<p class="MsoNormal">}<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">user=joan {<o:p></o:p></p>
<p class="MsoNormal"> member = admin<o:p></o:p></p>
<p class="MsoNormal"> service = adva-exec {<o:p></o:p></p>
<p class="MsoNormal"> uid="2000"<o:p></o:p></p>
<p class="MsoNormal"> gid="504"<o:p></o:p></p>
<p class="MsoNormal"> home="/home"<o:p></o:p></p>
<p class="MsoNormal"> shell="/bin/bash"<o:p></o:p></p>
<p class="MsoNormal"> }<o:p></o:p></p>
<p class="MsoNormal">}<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thank you,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Ken Webb<o:p></o:p></p>
<p class="MsoNormal">Sr Software Engineer<o:p></o:p></p>
<p class="MsoNormal">ADVA<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p style="font-size: 7pt; font-family: 'SegoeUI';">Please see our privacy statement at https://www.adva.com/en/about-us/legal/privacy-statement for details of how ADVA processes personal information.</p>
</body>
</html>