tac_plus-ng cache issue #147

OlexanderH · 2025-03-04T16:23:17Z

OlexanderH
Mar 4, 2025

Hi, Mark.

I already wrote once that the cache works suspiciously.
I finally found the time to study its operation in more detail.

Do I understand correctly that the cache size is for 8 users?
#define USER_PROFILE_CACHE_SIZE 8

Do I understand correctly from this code that only the username is cached without being tied to the device?

tac_plus-ng/config.c -> static enum token lookup_user_profile:
if (session->ctx->user_profile_cache[i].user == session->user && session->ctx->user_profile_cache[i].crc32 == crc32)

The problem is that if one user has different accesses to different devices, the cache returns the same results to different devices, so the user can get permission where he is not allowed.

The workaround is to disable the cache at all, which is what I used:

	cache timeout = 0
	mavis cache timeout = 0

In general, it would be better if the username was cached somehow like this:
[email protected]

But unfortunately, this now creates security problems.

Thank you for your package.

MarcJHuber · 2025-03-04T16:55:39Z

MarcJHuber
Mar 4, 2025
Maintainer

Hi,

session->ctx basically references a single TACACS+ TCP connection from a device, so session->ctx->user_profile_cache is only valid for that particular device. (Side note: it requires single-connection to be enabled on both server and device.)

The per-ctx-cache is purely local to the connection, there's no chance for a mix-up between devices.

Cheers,

Marc

1 reply

OlexanderH Mar 4, 2025
Author

Yes, I use no single-connection, not all vendors supports this feature. Unfortunately I was able to catch such a situation when command authorization was mixed-up between devices from cache.

MarcJHuber · 2025-03-04T17:21:23Z

MarcJHuber
Mar 4, 2025
Maintainer

Hi,

ok, that's weird. Any way to reproduce this?

I currently don't see where I could have messed up that. Relevant functions would be config.c:cache_user_profile() and config.c:lookup_user_profile(), and both are per-connection and take user name (ore, more exactly, the internal user struct pointer) and client IP into account.

Cheers,

Marc

0 replies

OlexanderH · 2025-03-04T17:58:50Z

OlexanderH
Mar 4, 2025
Author

Ok, I will try to make a process model tomorrow. So, could you please prompt what are the necessary data should I collect in order to get the whole picture and where to route it so that this discussion not to be fluded. I am not sure that I will be able to change c code.

0 replies

MarcJHuber · 2025-03-04T18:18:40Z

MarcJHuber
Mar 4, 2025
Maintainer

Hi Olexander,

you could enable ACL or REGEX debugging (debug = ACL, e.g.). Whenever a cached profile is used there will be a

<username>@<client-ip:> cached: <permit|deny> (profile: <profile>)

line in the debug logs. Also, for the initial (uncached) profile look out for

<username>@<client-ip>: ACL <acl-name>: <permit|deny> (profile: <profile>)

lines, these are the initial profile assignments.

grep "profile:" /path/to/debuglog (or your syslog file, perhaps) should then show eventual inconsistencies.

I don't think this will actually flood this discussion, so let's just continue here.

Cheers,

Marc

0 replies

OlexanderH · 2025-03-05T05:47:52Z

OlexanderH
Mar 5, 2025
Author

Hi Marc,
I was able to reproduce it again.
Here is debug log, all names and addresses are fake.

Mar 05 06:42:35  tac_plus-ng[55061]: startup (version fc4574cfa5e96d228e8e9dd8f45432899bc4e7c9)
Mar 05 06:42:35  tac_plus-ng[55062]: epoll event notification mechanism is being used
Mar 05 06:42:35  tac_plus-ng[55066]: startup (version fc4574cfa5e96d228e8e9dd8f45432899bc4e7c9)
Mar 05 06:42:35  tac_plus-ng[55067]: epoll event notification mechanism is being used
Mar 05 06:42:35  tac_plus-ng[55067]: bind to [3.3.55.104]:49 succeeded
Mar 05 06:42:35  tac_plus-ng[55067]: bind to [3.3.37.104]:49 succeeded
Mar 05 06:42:35  tac_plus-ng[55068]: epoll event notification mechanism is being used
Mar 05 06:42:35  tac_plus-ng[55068]: - Version fc4574cfa5e96d228e8e9dd8f45432899bc4e7c9 initialized
Mar 05 06:42:36  tac_plus-ng[49149]: scm_send_msg: sendmsg: Connection refused
Mar 05 06:42:36  tac_plus-ng[49149]: - Exiting.

User test connects first device cisco_router_reg1 1.1.10.4 with profile=cis_ro

Mar 05 06:43:18  tac_plus-ng[55068]: 0/dff9f94b: 1.1.10.4  regex: '[]<>/()|=[*"':$]+' <=> 'test' = 0
Mar 05 06:43:18  tac_plus-ng[55068]: 0/dff9f94b: 1.1.10.4 ACL __internal__username_acl__: match
Mar 05 06:43:18  tac_plus-ng[55068]: 0/dff9f94b: 1.1.10.4 looking for user test in MAVIS backend
Mar 05 06:43:18  tac_plus-ng[55068]: 0/dff9f94b: 1.1.10.4 result for user test is ACK [10 ms]
Mar 05 06:43:18  tac_plus-ng[55068]: 0/dff9f94b: 1.1.10.4 ACL rule1: no match
Mar 05 06:43:18  tac_plus-ng[55068]: 0/dff9f94b: 1.1.10.4 [email protected]: ACL rule1: <unknown> (profile: n/a)
Mar 05 06:43:18  tac_plus-ng[55068]: 0/dff9f94b: 1.1.10.4  pcre2: '^cisco_router.*' <=> 'cisco_router_reg1' = 1
Mar 05 06:43:18  tac_plus-ng[55068]: 0/dff9f94b: 1.1.10.4 ACL rule1: match
Mar 05 06:43:18  tac_plus-ng[55068]: 0/dff9f94b: 1.1.10.4 [email protected]: ACL rule1: permit (profile: cis_ro)
Mar 05 06:43:18  tac_plus-ng[55068]: 0/dff9f94b: 1.1.10.4 shell login for 'test' from 1.1.55.17 on /dev/pts/3 succeeded (profile=cis_ro)
Mar 05 06:43:18  tac_plus-ng[55068]: 1/6497f94c: 1.1.10.4 ACL rule1: no match
Mar 05 06:43:18  tac_plus-ng[55068]: 1/6497f94c: 1.1.10.4 [email protected]: ACL rule1: <unknown> (profile: n/a)
Mar 05 06:43:18  tac_plus-ng[55068]: 1/6497f94c: 1.1.10.4  pcre2: '^cisco_router.*' <=> 'cisco_router_reg1' = 1
Mar 05 06:43:18  tac_plus-ng[55068]: 1/6497f94c: 1.1.10.4 ACL rule1: match
Mar 05 06:43:18  tac_plus-ng[55068]: 1/6497f94c: 1.1.10.4 [email protected]: ACL rule1: permit (profile: cis_ro)
Mar 05 06:43:18  tac_plus-ng[55068]: 1/6497f94c: 1.1.10.4  cmp: 'shell' <=> 'shell' = 1
Mar 05 06:43:18  tac_plus-ng[55068]: 1/6497f94c: 1.1.10.4  pcre2: '^show' <=> '' = 0
Mar 05 06:43:18  tac_plus-ng[55068]: 1/6497f94c: 1.1.10.4  pcre2: '^dir' <=> '' = 0
Mar 05 06:43:18  tac_plus-ng[55068]: 1/6497f94c: 1.1.10.4  pcre2: '^ping' <=> '' = 0
Mar 05 06:43:18  tac_plus-ng[55068]: 1/6497f94c: 1.1.10.4  pcre2: '^traceroute' <=> '' = 0
Mar 05 06:43:18  tac_plus-ng[55068]: 1/6497f94c: 1.1.10.4  pcre2: '^mstat' <=> '' = 0
Mar 05 06:43:18  tac_plus-ng[55068]: 1/6497f94c: 1.1.10.4  pcre2: '^mtrace' <=> '' = 0
Mar 05 06:43:18  tac_plus-ng[55068]: 1/6497f94c: 1.1.10.4  pcre2: '^terminal' <=> '' = 0
Mar 05 06:43:18  tac_plus-ng[55068]: 1/6497f94c: 1.1.10.4  pcre2: '^telnet' <=> '' = 0
Mar 05 06:43:18  tac_plus-ng[55068]: 1/6497f94c: 1.1.10.4  pcre2: '^ssh' <=> '' = 0
Mar 05 06:43:18  tac_plus-ng[55068]: 1/6497f94c: 1.1.10.4  pcre2: '^stelnet' <=> '' = 0
Mar 05 06:43:18  tac_plus-ng[55068]: 1/6497f94c: 1.1.10.4  cmp: '' <=> '' = 1
Mar 05 06:43:18  tac_plus-ng[55068]: 2/00002cba: 1.1.10.4 ACL rule1: no match
Mar 05 06:43:18  tac_plus-ng[55068]: 2/00002cba: 1.1.10.4 [email protected]: ACL rule1: <unknown> (profile: n/a)
Mar 05 06:43:18  tac_plus-ng[55068]: 2/00002cba: 1.1.10.4  pcre2: '^cisco_router.*' <=> 'cisco_router_reg1' = 1
Mar 05 06:43:18  tac_plus-ng[55068]: 2/00002cba: 1.1.10.4 ACL rule1: match
Mar 05 06:43:18  tac_plus-ng[55068]: 2/00002cba: 1.1.10.4 [email protected]: ACL rule1: permit (profile: cis_ro)
Mar 05 06:43:18  tac_plus-ng[55068]: 2/00002cba: 1.1.10.4  cmp: 'shell' <=> 'shell' = 1
Mar 05 06:43:18  tac_plus-ng[55068]: 2/00002cba: 1.1.10.4  pcre2: '^show' <=> '' = 0
Mar 05 06:43:18  tac_plus-ng[55068]: 2/00002cba: 1.1.10.4  pcre2: '^dir' <=> '' = 0
Mar 05 06:43:18  tac_plus-ng[55068]: 2/00002cba: 1.1.10.4  pcre2: '^ping' <=> '' = 0
Mar 05 06:43:18  tac_plus-ng[55068]: 2/00002cba: 1.1.10.4  pcre2: '^traceroute' <=> '' = 0
Mar 05 06:43:18  tac_plus-ng[55068]: 2/00002cba: 1.1.10.4  pcre2: '^mstat' <=> '' = 0
Mar 05 06:43:18  tac_plus-ng[55068]: 2/00002cba: 1.1.10.4  pcre2: '^mtrace' <=> '' = 0
Mar 05 06:43:18  tac_plus-ng[55068]: 2/00002cba: 1.1.10.4  pcre2: '^terminal' <=> '' = 0
Mar 05 06:43:18  tac_plus-ng[55068]: 2/00002cba: 1.1.10.4  pcre2: '^telnet' <=> '' = 0
Mar 05 06:43:18  tac_plus-ng[55068]: 2/00002cba: 1.1.10.4  pcre2: '^ssh' <=> '' = 0
Mar 05 06:43:18  tac_plus-ng[55068]: 2/00002cba: 1.1.10.4  pcre2: '^stelnet' <=> '' = 0
Mar 05 06:43:18  tac_plus-ng[55068]: 2/00002cba: 1.1.10.4  cmp: '' <=> '' = 1
Mar 05 06:43:22  tac_plus-ng[55068]: 3/710bf94d: 1.1.10.4 ACL rule1: no match
Mar 05 06:43:22  tac_plus-ng[55068]: 3/710bf94d: 1.1.10.4 [email protected]: ACL rule1: <unknown> (profile: n/a)
Mar 05 06:43:22  tac_plus-ng[55068]: 3/710bf94d: 1.1.10.4  pcre2: '^cisco_router.*' <=> 'cisco_router_reg1' = 1
Mar 05 06:43:22  tac_plus-ng[55068]: 3/710bf94d: 1.1.10.4 ACL rule1: match
Mar 05 06:43:22  tac_plus-ng[55068]: 3/710bf94d: 1.1.10.4 [email protected]: ACL rule1: permit (profile: cis_ro)
Mar 05 06:43:22  tac_plus-ng[55068]: 3/710bf94d: 1.1.10.4  cmp: 'shell' <=> 'shell' = 1
Mar 05 06:43:22  tac_plus-ng[55068]: 3/710bf94d: 1.1.10.4  pcre2: '^show' <=> 'configure terminal <cr>' = 0
Mar 05 06:43:22  tac_plus-ng[55068]: 3/710bf94d: 1.1.10.4  pcre2: '^dir' <=> 'configure terminal <cr>' = 0
Mar 05 06:43:22  tac_plus-ng[55068]: 3/710bf94d: 1.1.10.4  pcre2: '^ping' <=> 'configure terminal <cr>' = 0
Mar 05 06:43:22  tac_plus-ng[55068]: 3/710bf94d: 1.1.10.4  pcre2: '^traceroute' <=> 'configure terminal <cr>' = 0
Mar 05 06:43:22  tac_plus-ng[55068]: 3/710bf94d: 1.1.10.4  pcre2: '^mstat' <=> 'configure terminal <cr>' = 0
Mar 05 06:43:22  tac_plus-ng[55068]: 3/710bf94d: 1.1.10.4  pcre2: '^mtrace' <=> 'configure terminal <cr>' = 0
Mar 05 06:43:22  tac_plus-ng[55068]: 3/710bf94d: 1.1.10.4  pcre2: '^terminal' <=> 'configure terminal <cr>' = 0
Mar 05 06:43:22  tac_plus-ng[55068]: 3/710bf94d: 1.1.10.4  pcre2: '^telnet' <=> 'configure terminal <cr>' = 0
Mar 05 06:43:22  tac_plus-ng[55068]: 3/710bf94d: 1.1.10.4  pcre2: '^ssh' <=> 'configure terminal <cr>' = 0
Mar 05 06:43:22  tac_plus-ng[55068]: 3/710bf94d: 1.1.10.4  pcre2: '^stelnet' <=> 'configure terminal <cr>' = 0
Mar 05 06:43:22  tac_plus-ng[55068]: 3/710bf94d: 1.1.10.4  cmp: '' <=> 'configure terminal <cr>' = 0

User test connects second device cisco_router_reg2 2.2.27.1 with profile=cis_admin

Mar 05 06:43:30  tac_plus-ng[55068]: 4/eaf5c193: 2.2.27.1  regex: '[]<>/()|=[*"':$]+' <=> 'test' = 0
Mar 05 06:43:30  tac_plus-ng[55068]: 4/eaf5c193: 2.2.27.1 ACL __internal__username_acl__: match
Mar 05 06:43:30  tac_plus-ng[55068]: 4/eaf5c193: 2.2.27.1 looking for user test in MAVIS backend
Mar 05 06:43:30  tac_plus-ng[55068]: 4/eaf5c193: 2.2.27.1 result for user test is ACK [3 ms]
Mar 05 06:43:30  tac_plus-ng[55068]: 4/eaf5c193: 2.2.27.1 ACL rule1: no match
Mar 05 06:43:30  tac_plus-ng[55068]: 4/eaf5c193: 2.2.27.1 [email protected]: ACL rule1: <unknown> (profile: n/a)
Mar 05 06:43:30  tac_plus-ng[55068]: 4/eaf5c193: 2.2.27.1  pcre2: '^cisco_router.*' <=> 'cisco_router_reg2' = 1
Mar 05 06:43:30  tac_plus-ng[55068]: 4/eaf5c193: 2.2.27.1 ACL rule1: match
Mar 05 06:43:30  tac_plus-ng[55068]: 4/eaf5c193: 2.2.27.1 [email protected]: ACL rule1: permit (profile: cis_admin)
Mar 05 06:43:30  tac_plus-ng[55068]: 4/eaf5c193: 2.2.27.1 shell login for 'test' from 1.1.55.17 on tty3 succeeded (profile=cis_admin)
Mar 05 06:43:31  tac_plus-ng[55068]: 5/2fb26821: 2.2.27.1 ACL rule1: no match
Mar 05 06:43:31  tac_plus-ng[55068]: 5/2fb26821: 2.2.27.1 [email protected]: ACL rule1: <unknown> (profile: n/a)
Mar 05 06:43:31  tac_plus-ng[55068]: 5/2fb26821: 2.2.27.1  pcre2: '^cisco_router.*' <=> 'cisco_router_reg2' = 1
Mar 05 06:43:31  tac_plus-ng[55068]: 5/2fb26821: 2.2.27.1 ACL rule1: match
Mar 05 06:43:31  tac_plus-ng[55068]: 5/2fb26821: 2.2.27.1 [email protected]: ACL rule1: permit (profile: cis_admin)
Mar 05 06:43:31  tac_plus-ng[55068]: 5/2fb26821: 2.2.27.1  cmp: 'shell' <=> 'shell' = 1
Mar 05 06:43:31  tac_plus-ng[55068]: 5/2fb26821: 2.2.27.1  cmp: '' <=> '' = 1
Mar 05 06:43:34  tac_plus-ng[55068]: 6/49e79221: 2.2.27.1 ACL rule1: no match
Mar 05 06:43:34  tac_plus-ng[55068]: 6/49e79221: 2.2.27.1 [email protected]: ACL rule1: <unknown> (profile: n/a)
Mar 05 06:43:34  tac_plus-ng[55068]: 6/49e79221: 2.2.27.1  pcre2: '^cisco_router.*' <=> 'cisco_router_reg2' = 1
Mar 05 06:43:34  tac_plus-ng[55068]: 6/49e79221: 2.2.27.1 ACL rule1: match
Mar 05 06:43:34  tac_plus-ng[55068]: 6/49e79221: 2.2.27.1 [email protected]: ACL rule1: permit (profile: cis_admin)
Mar 05 06:43:34  tac_plus-ng[55068]: 6/49e79221: 2.2.27.1  cmp: 'shell' <=> 'shell' = 1
Mar 05 06:43:34  tac_plus-ng[55068]: 6/49e79221: 2.2.27.1  cmp: '' <=> 'configure terminal <cr>' = 0

Here the cache returns the profile:cis_admin from the second session to the first session

Mar 05 06:43:38  tac_plus-ng[55068]: 7/b5c1f94e: 1.1.10.4 ACL rule1: no match
Mar 05 06:43:38  tac_plus-ng[55068]: 7/b5c1f94e: 1.1.10.4 [email protected]: ACL rule1: <unknown> (profile: n/a)
Mar 05 06:43:38  tac_plus-ng[55068]: 7/b5c1f94e: 1.1.10.4  pcre2: '^cisco_router.*' <=> 'cisco_router_reg1' = 1
Mar 05 06:43:38  tac_plus-ng[55068]: 7/b5c1f94e: 1.1.10.4 ACL rule1: match
Mar 05 06:43:38  tac_plus-ng[55068]: 7/b5c1f94e: 1.1.10.4 [email protected]: ACL rule1: permit (profile: cis_admin)
Mar 05 06:43:38  tac_plus-ng[55068]: 7/b5c1f94e: 1.1.10.4  cmp: 'shell' <=> 'shell' = 1
Mar 05 06:43:38  tac_plus-ng[55068]: 7/b5c1f94e: 1.1.10.4  cmp: '' <=> 'configure terminal <cr>' = 0

3 replies

OlexanderH Mar 5, 2025
Author

I looked at the log, it seems that it's not the cache that returns the permission, but with the cache disabled this doesn't happen.

OlexanderH Mar 5, 2025
Author

I also collected a log with the cache disabled, most likely we are talking about the Mavis cache.

Mar 05 07:58:04  tac_plus-ng[55281]: startup (version fc4574cfa5e96d228e8e9dd8f45432899bc4e7c9)
Mar 05 07:58:04  tac_plus-ng[55282]: epoll event notification mechanism is being used
Mar 05 07:58:04  tac_plus-ng[55286]: startup (version fc4574cfa5e96d228e8e9dd8f45432899bc4e7c9)
Mar 05 07:58:04  tac_plus-ng[55287]: epoll event notification mechanism is being used
Mar 05 07:58:04  tac_plus-ng[55287]: bind to [3.3.55.104]:49 succeeded
Mar 05 07:58:04  tac_plus-ng[55287]: bind to [3.3.37.104]:49 succeeded
Mar 05 07:58:04  tac_plus-ng[55288]: epoll event notification mechanism is being used
Mar 05 07:58:04  tac_plus-ng[55288]: - Version fc4574cfa5e96d228e8e9dd8f45432899bc4e7c9 initialized
Mar 05 07:58:04  tac_plus-ng[55093]: scm_send_msg: sendmsg: Connection refused
Mar 05 07:58:04  tac_plus-ng[55093]: - Exiting.
Mar 05 07:58:30  tac_plus-ng[55288]: 0/c503fc1c: 1.1.10.4  regex: '[]<>/()|=[*"':$]+' <=> 'test' = 0
Mar 05 07:58:30  tac_plus-ng[55288]: 0/c503fc1c: 1.1.10.4 ACL __internal__username_acl__: match
Mar 05 07:58:30  tac_plus-ng[55288]: 0/c503fc1c: 1.1.10.4 looking for user test in MAVIS backend
Mar 05 07:58:30  tac_plus-ng[55288]: 0/c503fc1c: 1.1.10.4 result for user test is ACK [11 ms]
Mar 05 07:58:30  tac_plus-ng[55288]: 0/c503fc1c: 1.1.10.4 ACL rule1: no match
Mar 05 07:58:30  tac_plus-ng[55288]: 0/c503fc1c: 1.1.10.4 [email protected]: ACL rule1: <unknown> (profile: n/a)
Mar 05 07:58:30  tac_plus-ng[55288]: 0/c503fc1c: 1.1.10.4  pcre2: '^cisco_router.*' <=> 'cisco_router_reg1' = 1
Mar 05 07:58:30  tac_plus-ng[55288]: 0/c503fc1c: 1.1.10.4 ACL rule1: match
Mar 05 07:58:30  tac_plus-ng[55288]: 0/c503fc1c: 1.1.10.4 [email protected]: ACL rule1: permit (profile: cis_ro)
Mar 05 07:58:30  tac_plus-ng[55288]: 0/c503fc1c: 1.1.10.4 shell login for 'test' from 1.1.55.17 on /dev/pts/3 succeeded (profile=cis_ro)
Mar 05 07:58:30  tac_plus-ng[55288]: 1/d183fc1d: 1.1.10.4  regex: '[]<>/()|=[*"':$]+' <=> 'test' = 0
Mar 05 07:58:30  tac_plus-ng[55288]: 1/d183fc1d: 1.1.10.4 ACL __internal__username_acl__: match
Mar 05 07:58:30  tac_plus-ng[55288]: 1/d183fc1d: 1.1.10.4 looking for user test in MAVIS backend
Mar 05 07:58:30  tac_plus-ng[55288]: 1/d183fc1d: 1.1.10.4 result for user test is ACK [0 ms]
Mar 05 07:58:30  tac_plus-ng[55288]: 1/d183fc1d: 1.1.10.4 ACL rule1: no match
Mar 05 07:58:30  tac_plus-ng[55288]: 1/d183fc1d: 1.1.10.4 [email protected]: ACL rule1: <unknown> (profile: n/a)
Mar 05 07:58:30  tac_plus-ng[55288]: 1/d183fc1d: 1.1.10.4  pcre2: '^cisco_router.*' <=> 'cisco_router_reg1' = 1
Mar 05 07:58:30  tac_plus-ng[55288]: 1/d183fc1d: 1.1.10.4 ACL rule1: match
Mar 05 07:58:30  tac_plus-ng[55288]: 1/d183fc1d: 1.1.10.4 [email protected]: ACL rule1: permit (profile: cis_ro)
Mar 05 07:58:30  tac_plus-ng[55288]: 1/d183fc1d: 1.1.10.4  cmp: 'shell' <=> 'shell' = 1
Mar 05 07:58:30  tac_plus-ng[55288]: 1/d183fc1d: 1.1.10.4  pcre2: '^show' <=> '' = 0
Mar 05 07:58:30  tac_plus-ng[55288]: 1/d183fc1d: 1.1.10.4  pcre2: '^dir' <=> '' = 0
Mar 05 07:58:30  tac_plus-ng[55288]: 1/d183fc1d: 1.1.10.4  pcre2: '^ping' <=> '' = 0
Mar 05 07:58:30  tac_plus-ng[55288]: 1/d183fc1d: 1.1.10.4  pcre2: '^traceroute' <=> '' = 0
Mar 05 07:58:30  tac_plus-ng[55288]: 1/d183fc1d: 1.1.10.4  pcre2: '^mstat' <=> '' = 0
Mar 05 07:58:30  tac_plus-ng[55288]: 1/d183fc1d: 1.1.10.4  pcre2: '^mtrace' <=> '' = 0
Mar 05 07:58:30  tac_plus-ng[55288]: 1/d183fc1d: 1.1.10.4  pcre2: '^terminal' <=> '' = 0
Mar 05 07:58:30  tac_plus-ng[55288]: 1/d183fc1d: 1.1.10.4  pcre2: '^netconf' <=> '' = 0
Mar 05 07:58:30  tac_plus-ng[55288]: 1/d183fc1d: 1.1.10.4  pcre2: '^telnet' <=> '' = 0
Mar 05 07:58:30  tac_plus-ng[55288]: 1/d183fc1d: 1.1.10.4  pcre2: '^ssh' <=> '' = 0
Mar 05 07:58:30  tac_plus-ng[55288]: 1/d183fc1d: 1.1.10.4  pcre2: '^stelnet' <=> '' = 0
Mar 05 07:58:30  tac_plus-ng[55288]: 1/d183fc1d: 1.1.10.4  cmp: '' <=> '' = 1
Mar 05 07:58:30  tac_plus-ng[55288]: 2/00002cf4: 1.1.10.4  regex: '[]<>/()|=[*"':$]+' <=> 'test' = 0
Mar 05 07:58:30  tac_plus-ng[55288]: 2/00002cf4: 1.1.10.4 ACL __internal__username_acl__: match
Mar 05 07:58:30  tac_plus-ng[55288]: 2/00002cf4: 1.1.10.4 looking for user test in MAVIS backend
Mar 05 07:58:30  tac_plus-ng[55288]: 2/00002cf4: 1.1.10.4 result for user test is ACK [0 ms]
Mar 05 07:58:30  tac_plus-ng[55288]: 2/00002cf4: 1.1.10.4 ACL rule1: no match
Mar 05 07:58:30  tac_plus-ng[55288]: 2/00002cf4: 1.1.10.4 [email protected]: ACL rule1: <unknown> (profile: n/a)
Mar 05 07:58:30  tac_plus-ng[55288]: 2/00002cf4: 1.1.10.4  pcre2: '^cisco_router.*' <=> 'cisco_router_reg1' = 1
Mar 05 07:58:30  tac_plus-ng[55288]: 2/00002cf4: 1.1.10.4 ACL rule1: match
Mar 05 07:58:30  tac_plus-ng[55288]: 2/00002cf4: 1.1.10.4 [email protected]: ACL rule1: permit (profile: cis_ro)
Mar 05 07:58:30  tac_plus-ng[55288]: 2/00002cf4: 1.1.10.4  cmp: 'shell' <=> 'shell' = 1
Mar 05 07:58:30  tac_plus-ng[55288]: 2/00002cf4: 1.1.10.4  pcre2: '^show' <=> '' = 0
Mar 05 07:58:30  tac_plus-ng[55288]: 2/00002cf4: 1.1.10.4  pcre2: '^dir' <=> '' = 0
Mar 05 07:58:30  tac_plus-ng[55288]: 2/00002cf4: 1.1.10.4  pcre2: '^ping' <=> '' = 0
Mar 05 07:58:30  tac_plus-ng[55288]: 2/00002cf4: 1.1.10.4  pcre2: '^traceroute' <=> '' = 0
Mar 05 07:58:30  tac_plus-ng[55288]: 2/00002cf4: 1.1.10.4  pcre2: '^mstat' <=> '' = 0
Mar 05 07:58:30  tac_plus-ng[55288]: 2/00002cf4: 1.1.10.4  pcre2: '^mtrace' <=> '' = 0
Mar 05 07:58:30  tac_plus-ng[55288]: 2/00002cf4: 1.1.10.4  pcre2: '^terminal' <=> '' = 0
Mar 05 07:58:30  tac_plus-ng[55288]: 2/00002cf4: 1.1.10.4  pcre2: '^netconf' <=> '' = 0
Mar 05 07:58:30  tac_plus-ng[55288]: 2/00002cf4: 1.1.10.4  pcre2: '^telnet' <=> '' = 0
Mar 05 07:58:30  tac_plus-ng[55288]: 2/00002cf4: 1.1.10.4  pcre2: '^ssh' <=> '' = 0
Mar 05 07:58:30  tac_plus-ng[55288]: 2/00002cf4: 1.1.10.4  pcre2: '^stelnet' <=> '' = 0
Mar 05 07:58:30  tac_plus-ng[55288]: 2/00002cf4: 1.1.10.4  cmp: '' <=> '' = 1
Mar 05 07:58:37  tac_plus-ng[55288]: 3/264a0d43: 2.2.27.1  regex: '[]<>/()|=[*"':$]+' <=> 'test' = 0
Mar 05 07:58:37  tac_plus-ng[55288]: 3/264a0d43: 2.2.27.1 ACL __internal__username_acl__: match
Mar 05 07:58:37  tac_plus-ng[55288]: 3/264a0d43: 2.2.27.1 looking for user test in MAVIS backend
Mar 05 07:58:37  tac_plus-ng[55288]: 3/264a0d43: 2.2.27.1 result for user test is ACK [3 ms]
Mar 05 07:58:37  tac_plus-ng[55288]: 3/264a0d43: 2.2.27.1 ACL rule1: no match
Mar 05 07:58:37  tac_plus-ng[55288]: 3/264a0d43: 2.2.27.1 [email protected]: ACL rule1: <unknown> (profile: n/a)
Mar 05 07:58:37  tac_plus-ng[55288]: 3/264a0d43: 2.2.27.1  pcre2: '^cisco_router.*' <=> 'cisco_router_reg2' = 1
Mar 05 07:58:37  tac_plus-ng[55288]: 3/264a0d43: 2.2.27.1 ACL rule1: match
Mar 05 07:58:37  tac_plus-ng[55288]: 3/264a0d43: 2.2.27.1 [email protected]: ACL rule1: permit (profile: cis_admin)
Mar 05 07:58:37  tac_plus-ng[55288]: 3/264a0d43: 2.2.27.1 shell login for 'test' from 1.1.55.17 on tty3 succeeded (profile=cis_admin)
Mar 05 07:58:37  tac_plus-ng[55288]: 4/3172cff8: 2.2.27.1  regex: '[]<>/()|=[*"':$]+' <=> 'test' = 0
Mar 05 07:58:37  tac_plus-ng[55288]: 4/3172cff8: 2.2.27.1 ACL __internal__username_acl__: match
Mar 05 07:58:37  tac_plus-ng[55288]: 4/3172cff8: 2.2.27.1 looking for user test in MAVIS backend
Mar 05 07:58:37  tac_plus-ng[55288]: 4/3172cff8: 2.2.27.1 result for user test is ACK [0 ms]
Mar 05 07:58:37  tac_plus-ng[55288]: 4/3172cff8: 2.2.27.1 ACL rule1: no match
Mar 05 07:58:37  tac_plus-ng[55288]: 4/3172cff8: 2.2.27.1 [email protected]: ACL rule1: <unknown> (profile: n/a)
Mar 05 07:58:37  tac_plus-ng[55288]: 4/3172cff8: 2.2.27.1  pcre2: '^cisco_router.*' <=> 'cisco_router_reg2' = 1
Mar 05 07:58:37  tac_plus-ng[55288]: 4/3172cff8: 2.2.27.1 ACL rule1: match
Mar 05 07:58:37  tac_plus-ng[55288]: 4/3172cff8: 2.2.27.1 [email protected]: ACL rule1: permit (profile: cis_admin)
Mar 05 07:58:37  tac_plus-ng[55288]: 4/3172cff8: 2.2.27.1  cmp: 'shell' <=> 'shell' = 1
Mar 05 07:58:37  tac_plus-ng[55288]: 4/3172cff8: 2.2.27.1  cmp: '' <=> '' = 1
Mar 05 07:58:41  tac_plus-ng[55288]: 5/1fe4cf5b: 2.2.27.1  regex: '[]<>/()|=[*"':$]+' <=> 'test' = 0
Mar 05 07:58:41  tac_plus-ng[55288]: 5/1fe4cf5b: 2.2.27.1 ACL __internal__username_acl__: match
Mar 05 07:58:41  tac_plus-ng[55288]: 5/1fe4cf5b: 2.2.27.1 looking for user test in MAVIS backend
Mar 05 07:58:41  tac_plus-ng[55288]: 5/1fe4cf5b: 2.2.27.1 result for user test is ACK [0 ms]
Mar 05 07:58:41  tac_plus-ng[55288]: 5/1fe4cf5b: 2.2.27.1 ACL rule1: no match
Mar 05 07:58:41  tac_plus-ng[55288]: 5/1fe4cf5b: 2.2.27.1 [email protected]: ACL rule1: <unknown> (profile: n/a)
Mar 05 07:58:41  tac_plus-ng[55288]: 5/1fe4cf5b: 2.2.27.1  pcre2: '^cisco_router.*' <=> 'cisco_router_reg2' = 1
Mar 05 07:58:41  tac_plus-ng[55288]: 5/1fe4cf5b: 2.2.27.1 ACL rule1: match
Mar 05 07:58:41  tac_plus-ng[55288]: 5/1fe4cf5b: 2.2.27.1 [email protected]: ACL rule1: permit (profile: cis_admin)
Mar 05 07:58:41  tac_plus-ng[55288]: 5/1fe4cf5b: 2.2.27.1  cmp: 'shell' <=> 'shell' = 1
Mar 05 07:58:41  tac_plus-ng[55288]: 5/1fe4cf5b: 2.2.27.1  cmp: '' <=> 'configure terminal <cr>' = 0
Mar 05 07:58:47  tac_plus-ng[55288]: 7/bd6cfc20: 1.1.10.4  regex: '[]<>/()|=[*"':$]+' <=> 'test' = 0
Mar 05 07:58:47  tac_plus-ng[55288]: 7/bd6cfc20: 1.1.10.4 ACL __internal__username_acl__: match
Mar 05 07:58:47  tac_plus-ng[55288]: 7/bd6cfc20: 1.1.10.4 looking for user test in MAVIS backend
Mar 05 07:58:47  tac_plus-ng[55288]: 7/bd6cfc20: 1.1.10.4 result for user test is ACK [0 ms]
Mar 05 07:58:47  tac_plus-ng[55288]: 7/bd6cfc20: 1.1.10.4 ACL rule1: no match
Mar 05 07:58:47  tac_plus-ng[55288]: 7/bd6cfc20: 1.1.10.4 [email protected]: ACL rule1: <unknown> (profile: n/a)
Mar 05 07:58:47  tac_plus-ng[55288]: 7/bd6cfc20: 1.1.10.4  pcre2: '^cisco_router.*' <=> 'cisco_router_reg1' = 1
Mar 05 07:58:47  tac_plus-ng[55288]: 7/bd6cfc20: 1.1.10.4 ACL rule1: match
Mar 05 07:58:47  tac_plus-ng[55288]: 7/bd6cfc20: 1.1.10.4 [email protected]: ACL rule1: permit (profile: cis_ro)
Mar 05 07:58:47  tac_plus-ng[55288]: 7/bd6cfc20: 1.1.10.4  cmp: 'shell' <=> 'shell' = 1
Mar 05 07:58:47  tac_plus-ng[55288]: 7/bd6cfc20: 1.1.10.4  pcre2: '^show' <=> 'configure terminal <cr>' = 0
Mar 05 07:58:47  tac_plus-ng[55288]: 7/bd6cfc20: 1.1.10.4  pcre2: '^dir' <=> 'configure terminal <cr>' = 0
Mar 05 07:58:47  tac_plus-ng[55288]: 7/bd6cfc20: 1.1.10.4  pcre2: '^ping' <=> 'configure terminal <cr>' = 0
Mar 05 07:58:47  tac_plus-ng[55288]: 7/bd6cfc20: 1.1.10.4  pcre2: '^traceroute' <=> 'configure terminal <cr>' = 0
Mar 05 07:58:47  tac_plus-ng[55288]: 7/bd6cfc20: 1.1.10.4  pcre2: '^mstat' <=> 'configure terminal <cr>' = 0
Mar 05 07:58:47  tac_plus-ng[55288]: 7/bd6cfc20: 1.1.10.4  pcre2: '^mtrace' <=> 'configure terminal <cr>' = 0
Mar 05 07:58:47  tac_plus-ng[55288]: 7/bd6cfc20: 1.1.10.4  pcre2: '^terminal' <=> 'configure terminal <cr>' = 0
Mar 05 07:58:47  tac_plus-ng[55288]: 7/bd6cfc20: 1.1.10.4  pcre2: '^netconf' <=> 'configure terminal <cr>' = 0
Mar 05 07:58:47  tac_plus-ng[55288]: 7/bd6cfc20: 1.1.10.4  pcre2: '^telnet' <=> 'configure terminal <cr>' = 0
Mar 05 07:58:47  tac_plus-ng[55288]: 7/bd6cfc20: 1.1.10.4  pcre2: '^ssh' <=> 'configure terminal <cr>' = 0
Mar 05 07:58:47  tac_plus-ng[55288]: 7/bd6cfc20: 1.1.10.4  pcre2: '^stelnet' <=> 'configure terminal <cr>' = 0
Mar 05 07:58:47  tac_plus-ng[55288]: 7/bd6cfc20: 1.1.10.4  cmp: '' <=> 'configure terminal <cr>' = 0

OlexanderH Mar 5, 2025
Author

indeed, with the cache setting
cache timeout = 600
mavis cache timeout = 0
mixing-up does not occur

MarcJHuber · 2025-03-05T15:12:46Z

MarcJHuber
Mar 5, 2025
Maintainer

Hi,

could you please repeat that test with both ACL and REGEX debugging enabled and share the corresponding ruleset part of your configuration?

If you feel not safe about sharing that output in public please send it via personal mail to [email protected]

This really doesn't look like a cross-connection issue, I'd rather think that some user attribute that's used in one of your conditions gets lost in the user caching process.

Thanks,

Marc

0 replies

tac_plus-ng cache issue #147

Uh oh!

OlexanderH Mar 4, 2025

Replies: 6 comments · 4 replies

Uh oh!

MarcJHuber Mar 4, 2025 Maintainer

Uh oh!

OlexanderH Mar 4, 2025 Author

Uh oh!

MarcJHuber Mar 4, 2025 Maintainer

Uh oh!

OlexanderH Mar 4, 2025 Author

Uh oh!

MarcJHuber Mar 4, 2025 Maintainer

Uh oh!

OlexanderH Mar 5, 2025 Author

Uh oh!

OlexanderH Mar 5, 2025 Author

Uh oh!

OlexanderH Mar 5, 2025 Author

Uh oh!

OlexanderH Mar 5, 2025 Author

Uh oh!

MarcJHuber Mar 5, 2025 Maintainer

OlexanderH
Mar 4, 2025

Replies: 6 comments 4 replies

MarcJHuber
Mar 4, 2025
Maintainer

OlexanderH Mar 4, 2025
Author

MarcJHuber
Mar 4, 2025
Maintainer

OlexanderH
Mar 4, 2025
Author

MarcJHuber
Mar 4, 2025
Maintainer

OlexanderH
Mar 5, 2025
Author

OlexanderH Mar 5, 2025
Author

OlexanderH Mar 5, 2025
Author

OlexanderH Mar 5, 2025
Author

MarcJHuber
Mar 5, 2025
Maintainer