[tac_plus] host acl always denies
Ignas Kazlauskas
ignas.kazlauskas at ittc.vu.lt
Mon Jan 23 08:22:04 UTC 2012
On 2012.01.21 01:44, heasley wrote:
> Fri, Jan 13, 2012 at 11:52:30AM +0200, Ignas Kazlauskas:
>>
>>
>> On 2012.01.12 18:47, heasley wrote:
>>> Thu, Jan 12, 2012 at 10:17:23AM +0200, Ignas Kazlauskas:
>>>> Hello,
>>>> I have a simple tac_plus config with a host acl. The problem is I always
>>>> get denied, even with ".*". Tried versions tacacs+-F4.0.4.20 and
>>>> tacacs+-F5.0.0a1. What's wrong (Linux CentOS6, Debian6)?
>>>>
>>>> tac_plus.conf
>>>> =============
>>>>
>>>> accounting file = /var/log/tacacs/acc.log
>>>> key = testing123
>>>>
>>>> acl = alist {
>>>> permit = .*
>>>> permit = ^192.*
>>>> permit = 192.168.111\.12$
>>>> permit = 192.168.111.12
>>>> permit = 192\.168\.111.*
>>>> permit = ^192\.168\.111\.12$
>>>> }
>>>
>>> perhaps trailing whitespace or non-printable characters?
>>
>> I have deleted all unnecessary whitespace and checked for non-printable
>> characters with ":set list" in vim - no change.
>
> have you verified that the client (router/device) is connecting with the
> ip address that you're trying to match in the acl?
tacacs+-F4.0.4.20
=================
Yes, I did today with tcpdump on the tac_plus server and the IPs were
OK. I also noticed that the host acl seems inverted (just as the other
person on this mailing list said). For example, if
acl = alist {
permit = ^192\.168\.111\.12$
}
then I get denied from 192.168.111.12 and allowed from everywhere else.
But let's move to tacacs+-F4.0.4.21
tacacs+-F4.0.4.21
=================
First of all, thank you for the new version! This version seemed to
behave like v20, until I did this and recompiled:
--- config.c.orig 2012-01-23 09:31:32.771632186 +0200
+++ config.c 2012-01-23 09:31:46.107154201 +0200
@@ -2044,7 +2044,7 @@
next = acl->nodes;
while (next) {
- if (regexec((regex_t *)next->value1, ip, 0, NULL, 0) != REG_OK) {
+ if (regexec((regex_t *)next->value1, ip, 0, NULL, 0) == REG_OK) {
if (debug & DEBUG_AUTHEN_FLAG)
report(LOG_DEBUG, "ip %s matched %s regex %s of acl
filter %s",
ip, next->type == S_deny ? "deny" : "permit",
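Review bot: the inverted test at `- if (regexec(...) != REG_OK)` is the whole bug, and the one-character change to `== REG_OK` is the right fix: with the original condition the body (which logs "ip %s matched ... regex %s of acl filter %s" and, from the context, applies that node's permit/deny verdict) ran for every client IP that did NOT match the node's regex, which is exactly the inversion reported earlier in this thread (a lone `permit = ^192\.168\.111\.12$` denying that host and permitting everyone else, and the six-permit ACL starting with `.*` denying everything). Two follow-ups worth considering: a regression test that feeds one matching and one non-matching IP through an ACL with a single permit node, so this cannot silently flip again; and, since POSIX `<regex.h>` only specifies that regexec() returns 0 on a match (`REG_OK` is a TRE extension, not a POSIX name), either spelling the comparison as `== 0` or making sure the build defines `REG_OK` as 0 itself rather than relying on the platform regex header.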
Now ACLs work as they should, it seems.
--
Ignas K.
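As an added illustration (this is not tac_plus code and not part of the thread), the following minimal host ACL evaluator in C reproduces the behaviour Ignas describes: a list of `permit`/`deny` regex nodes is tried in order and the first node whose regex matches the client IP decides. The `inverted` flag writes the match test as `!= 0` instead of `== 0`, the same one-character difference as in the patch above, so you can see why a lone `permit = ^192\.168\.111\.12$` ends up denying that host and permitting everyone else, and why the six-permit ACL from the first mail always denied 192.168.111.12. The node layout, the first-match rule and the deny-by-default fallback for an unmatched IP are assumptions of this example, not a statement of how tac_plus is implemented.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical ACL node: action plus a POSIX extended regex. */
typedef enum { ACL_PERMIT, ACL_DENY } acl_action;

typedef struct {
    acl_action action;
    const char *pattern;
} acl_node;

/*
 * Evaluate an ACL against a client IP string.
 * Returns 1 if permitted, 0 if denied.
 * Nodes are tried first to last; the first regex that matches decides.
 * If no node matches, the (assumed) default is deny.
 * With inverted != 0 the test is written as "rc != 0", reproducing the
 * bug from the thread: the node fires on every IP that does NOT match.
 */
int acl_eval(const acl_node *nodes, size_t n, const char *ip, int inverted)
{
    for (size_t i = 0; i < n; i++) {
        regex_t re;
        if (regcomp(&re, nodes[i].pattern, REG_EXTENDED | REG_NOSUB) != 0)
            continue;                       /* malformed pattern: never matches */
        int rc = regexec(&re, ip, 0, NULL, 0);  /* POSIX: 0 means "matched" */
        regfree(&re);
        int matched = inverted ? (rc != 0) : (rc == 0);
        if (matched)
            return nodes[i].action == ACL_PERMIT;
    }
    return 0;  /* assumed default: no node matched -> deny */
}

/* The single-node ACL from the "host acl seems inverted" example. */
int single_permit_eval(const char *ip, int inverted)
{
    static const acl_node acl[] = {
        { ACL_PERMIT, "^192\\.168\\.111\\.12$" },
    };
    return acl_eval(acl, sizeof acl / sizeof acl[0], ip, inverted);
}

/* The six-permit ACL from the first mail in the thread. */
int thread_acl_eval(const char *ip, int inverted)
{
    static const acl_node acl[] = {
        { ACL_PERMIT, ".*" },
        { ACL_PERMIT, "^192.*" },
        { ACL_PERMIT, "192.168.111\\.12$" },
        { ACL_PERMIT, "192.168.111.12" },
        { ACL_PERMIT, "192\\.168\\.111.*" },
        { ACL_PERMIT, "^192\\.168\\.111\\.12$" },
    };
    return acl_eval(acl, sizeof acl / sizeof acl[0], ip, inverted);
}

int main(void)
{
    /* Constructed sample client addresses. */
    const char *ips[] = { "192.168.111.12", "10.0.0.1" };
    for (size_t i = 0; i < 2; i++) {
        printf("%-15s single-permit: correct=%d inverted=%d | six-permit: correct=%d inverted=%d\n",
               ips[i],
               single_permit_eval(ips[i], 0), single_permit_eval(ips[i], 1),
               thread_acl_eval(ips[i], 0), thread_acl_eval(ips[i], 1));
    }
    return 0;
}
```

With the correct test, the single-permit ACL permits only 192.168.111.12 and the six-permit ACL permits everything (its first node is `.*`). With the inverted test, the single-permit ACL denies 192.168.111.12 and permits everyone else, and the six-permit ACL denies 192.168.111.12 outright, because every one of its patterns matches that address and so, inverted, none of them ever fires, which is the "I always get denied, even with .*" symptom from the first mail.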