Hi,
I am trying to configure TACACS+ on our SSM On-Prem server so that I am able to login on the Webinterface with my AD user. The TACACS+ configuration is done in Clearpass. And the test in the configuration window on the SSM server was successful.
But as soon as I try to login with my user on the login window it is not working:
In Clearpass everything looks fine and I am not sure how I could debug that issue on the SSM side.
This is how my config in Clearpass looks:
Is anybody using Clearpass for TACACS+ and SSM?
Thank you!
Cheers,
Marius
Just saw this message in the release notes:
So I guess I need to configure Clearpass to send back the correct user role. But I don't know which exact role I need to send and which service to use.
I think I found out what the issue and bug is and also how to fix it.
So the whole SSM on-prem is running multiple docker containers and one of them is called "tacacs-client". In this container you will find the following file which checks for the privilege level that is sent back from the TACACS+ server. The "arg.match" is looking for 'priv-lvl'.
/usr/local/bundle/bundler/gems/ochimus-d67b47ff0569/lib/ochimus/tacacs_packet/authorization/tacacs_reply_body.rb
# Authorization arguments from Tacacs+ server are AV pairs seperated by equal sign
# i.e. priv-lvl=10
def self.priv_lvl_extractor(args_length, raw_data)
priv_lvl = 0 #unauthorized initially
args_length.each do |arg_length|
arg = raw_data.read(arg_length)
File.open("/usr/src/authorize.log", "a") {|f| f.write("Privilege level raw data: #{arg}\n") }
if arg.match('priv-lvl')
priv_lvl = Integer(arg.partition('=').last)
end
end
priv_lvl
end
Now the issue is that SSM is not requesting 'priv-lvl' from the TACAS+ server but 'priv_lvl'! This is from the Clearpass log. Check out the very last argument "ArgList" here:
2024-05-03 07:59:52,431 [AAAModuleThread-0x7f79b099b700 h=996] DEBUG AAA.AuthorSession - handleAuthorRequest: TacacsAuthorRequest={{version=192, type=2, flags=0, seqNum=1, sessionId=465481928, length=47}{authenMethod=6, privLvl=0, authenType=3, authenMethod=6, service=3, userLen=6, portLen=2, remAddrLen=14, argCnt=1}(User=xxxxxxx, Port=49, RemAddr=ochimus_device, ArgList=service=priv_lvl)}
So now there are three things that can be done to fix it. Only one option is needed. #3 is the easiest one.
1. Fix the request on SSM that is sent to the TACAS+ server to request 'priv-lvl' instead of 'priv_lvl'
2. Fix the tacacs_reply_body.rb file so it accepts 'priv_lvl' additionally:
# Authorization arguments from Tacacs+ server are AV pairs seperated by equal sign
# i.e. priv-lvl=10
def self.priv_lvl_extractor(args_length, raw_data)
priv_lvl = 0 #unauthorized initially
args_length.each do |arg_length|
arg = raw_data.read(arg_length)
File.open("/usr/src/authorize.log", "a") {|f| f.write("Privilege level raw data: #{arg}\n") }
if arg.match('priv-lvl') || arg.match('priv_lvl')
priv_lvl = Integer(arg.partition('=').last)
end
end
priv_lvl
end
3. Create the service 'priv_lvl" with type 'priv_lvl' and send back 'priv-lvl' from the TACACS+ server. I tested it and it works. My Clearpass setup looks like this now for the profile:
This is how the Service Dictonary for Clearpass should look like:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
<TipsHeader exportTime="Thu May 02 13:44:05 CEST 2024" version="6.11"/>
<TacacsServiceDictionaries>
<TacacsServiceDictionary dispName="priv_lvl" name="priv_lvl">
<ServiceAttribute allowedValuesCsv="0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15" dataType="Unsigned32" dispName="Privilege level" name="priv-lvl"/>
</TacacsServiceDictionary>
</TacacsServiceDictionaries>
</TipsContents>
Hopefully someone can use this info to use Clearpass as well in future as the TACACS server for SSM.
Best,
Marius
