Has anyone ever tried to get Entra to work as a backend authenticator?

[mdnnetworksolutionsllc]

Good evening,

Im trying to get entra ID as an authenticator for tacplus ng and getting stuck having the mavis backend execute either my python script or my bash script which wraps the python script. When I run the script manually it correctly authenticates to entra without issue so I know that part will work.

Below is a snippet of the various configuration files (scrubbed for obvious reasons):

tacplus.conf:
#!/usr/local/sbin/tac_plus-ng
id = spawnd {
listen { address = 0.0.0.0 port = 49 }

spawn = {
exec = /usr/local/sbin/mavisd
config = /etc/tacacs-ng/mavis.conf
}

spawn = {
exec = /usr/local/sbin/tac_plus-ng
config = /etc/tacacs-ng/tacplus.conf
}

background = yes
}

id = tac_plus-ng {
log authzlog { destination = /var/log/tac_plus/authz/%Y/%m/%d.log }
log authclog { destination = /var/log/tac_plus/authc/%Y/%m/%d.log }
log acctlog { destination = /var/log/tac_plus/acct/%Y/%m/%d.log }
accounting log = acctlog
authentication log = authclog
authorization log = authzlog

user backend = mavis
login backend = mavis
pap backend = mavis

mavis module = external {
exec = /etc/tacacs-ng/mavis.d/entra-auth-wrapper.sh
}

host = world {
#Allow any device to connect
address = 0.0.0.0/0

Give a prompt to the user when they log in.

welcome banner = "My warning to you"
key =
}
}

mavis.conf:
debug = 255

id = mavisd {
chain = entra
}

id = entra {
module = entra {
exec = /etc/tacacs-ng/mavis.d/entra-auth-wrapper.sh
}
}

entra-auth-wrapper.sh:
#!/bin/bash

LOG_FILE="/var/log/entra-auth-wrapper.log"
TIMESTAMP=$(date -Iseconds)

echo "[$TIMESTAMP] entra-auth-wrapper.sh was invoked with arguments: $@" >> "$LOG_FILE"

Call the actual Python script

/opt/entra-auth-venv/bin/python3 /etc/tacacs-ng/mavis.d/entra-auth.py "$@" >> "$LOG_FILE" 2>&1

entra-auth.py:
#!/opt/entra-auth-venv/bin/python3

try:
with open("/var/log/entra-auth.log", "a") as f:
f.write(f"[{datetime.now().isoformat()}] entra-auth.py script called (TOP OF SCRIPT)\n")
except Exception as e:
pass

import sys
import json
import msal
import datetime
import logging
from msal import ConfidentialClientApplication

=== Configuration ===

CLIENT_ID = ""
TENANT_ID = ""
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"
SCOPES = ["https://graph.microsoft.com/.default"]

Optional: enable debugging log file

LOG_FILE = "/var/log/entra-auth.log"

logging.basicConfig(
filename='/var/log/entra-auth.log',
level=logging.DEBUG,
format='%(asctime)s %(levelname)s %(message)s'
)

def log(msg):
logging.debug(msg)
try:
with open(LOG_FILE, "a") as f:
timestamp = datetime.datetime.now().isoformat()
f.write(f"{timestamp} - {msg}\n")
except Exception:
pass

def main():
try:
# Parse MAVIS input
user = None
password = None
for line in sys.stdin:
line = line.strip()
if line == "":
break
if line.startswith("user = "):
user = line.split("=", 1)[1].strip()
elif line.startswith("password = "):
password = line.split("=", 1)[1].strip()

    if not user or not password:
        print("password_fail\n")
        log(f"Missing user or password input: user={user}")
        return

    # Start MSAL auth
    app = msal.PublicClientApplication(CLIENT_ID, authority=AUTHORITY)
    result = app.acquire_token_by_username_password(username=user, password=password, scopes=SCOPES)

    if "access_token" in result:
        print("password_ok\n")
        log(f"Login success for user {user}")
    else:
        print("password_fail\n")
        log(f"Login failed for user {user}: {result.get('error_description', 'Unknown error')}")

except Exception as e:
    print("password_fail\n")
    log(f"Exception occurred: {str(e)}")

if name == "main":
main()

Now the entra-auth.py and wrapper scripts works but I feel like Im missing some connection to get tacplus to call it correctly. Any help is appreciated. I feel like I'm THIS close..

Regards,
Jason

[mdnnetworksolutionsllc]

Just to add a little more flavor to this:

3780: 09:35:38.291 0/00000000: 107.207.216.225 connection request from 107.207.216.225 (realm: default)
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 New tacacs session
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 ------
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 key used:
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 version: 192, type: 1, seq no: 1, flags: unencrypted
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 session id: aab7a6e4, data length: 37
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 packet body (len: 37):
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 0000 01 01 01 01 0d 04 0c 00 6d 64 6e 63 6f 6e 73 75 ........ mdnconsu
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 0010 6c 74 69 6e 67 74 74 79 32 31 30 2e 35 35 2e 36 ltingtty 210.55.6
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 0020 31 2e 31 30 33 1.103
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 AUTHEN/START, priv_lvl=1
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 action=login (1)
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 authen_type=ascii (1)
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 service=login (1)
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 user_len=13 port_len=4 rem_addr_len=12
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 data_len=0
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 user (len: 13): mdnconsulting
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 port (len: 4): tty2
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 rem_addr (len: 12): 10.55.61.103
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 ------
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 authen: hdr->seq_no: 1
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 looking for user mdnconsulting realm default
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 user lookup failed
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 Writing AUTHEN/GETPASS size=125
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 ------
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 key used:
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 version: 192, type: 1, seq no: 2, flags: unencrypted
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 session id: aab7a6e4, data length: 113
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 packet body (len: 113):
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 0000 05 01 00 6b 00 00 54 68 69 73 20 64 65 76 69 63 ...k..Th is devic
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 0010 65 20 69 73 20 74 68 65 20 70 72 6f 70 65 72 74 e is the propert
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 0020 79 20 6f 66 20 4e 48 43 2e 20 42 79 20 61 63 63 y of NHC . By acc
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 0030 65 73 73 69 6e 67 20 69 74 20 79 6f 75 20 61 67 essing i t you ag
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 0040 72 65 65 20 74 6f 20 61 6c 6c 20 63 6f 6e 76 65 ree to a ll conve
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 0050 6e 61 6e 63 65 73 20 61 6c 6c 6f 77 65 64 20 62 nances a llowed b
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 0060 79 20 6c 61 77 2e 0a 50 61 73 73 77 6f 72 64 3a y law..P assword:
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 0070 20
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 AUTHEN, status=5 (AUTHEN/GETPASS) flags=0x1
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 msg_len=107, data_len=0
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 msg (len: 107): This device is the property of NHC. By accessing it you agree to all convenances allowed by law.\nPassword:
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 data (len: 0):
3780: 09:35:38.291 0/aab7a6e4: 107.207.216.225 ------
3780: 09:35:46.814 0/aab7a6e4: 107.207.216.225 ------
3780: 09:35:46.814 0/aab7a6e4: 107.207.216.225 key used:
3780: 09:35:46.814 0/aab7a6e4: 107.207.216.225 version: 192, type: 1, seq no: 3, flags: unencrypted
3780: 09:35:46.814 0/aab7a6e4: 107.207.216.225 session id: aab7a6e4, data length: 18
3780: 09:35:46.814 0/aab7a6e4: 107.207.216.225 packet body [partially masked] (len: 13):
3780: 09:35:46.814 0/aab7a6e4: 107.207.216.225 0000 00 0d 00 00 00 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a .....*** ********
3780: 09:35:46.814 0/aab7a6e4: 107.207.216.225 0010 2a 2a **
3780: 09:35:46.814 0/aab7a6e4: 107.207.216.225 AUTHEN/CONT user_msg_len=13, user_data_len=0
3780: 09:35:46.814 0/aab7a6e4: 107.207.216.225 ------
3780: 09:35:46.814 0/aab7a6e4: 107.207.216.225 authen: hdr->seq_no: 3
3780: 09:35:46.814 0/aab7a6e4: 107.207.216.225 looking for user mdnconsulting realm default
3780: 09:35:46.814 0/aab7a6e4: 107.207.216.225 user lookup failed
3780: 09:35:46.814 0/aab7a6e4: 107.207.216.225 looking for user mdnconsulting in MAVIS backend

It basically dies here ^

which is where the mavis script should kick in.

Jason

[MarcJHuber]

Hi,

there are sample scripts in mavis/python/ that illustrate custom Python backends for MAVIS.

Cheers,

Marc

[mdnnetworksolutionsllc]

I suppose my question would be geared more towards where the best place would be to put the calling of the python file:

for example I had it in here:
mavis.conf:
debug = 255

id = mavisd {
chain = entra
}

id = entra {
module = entra {
exec = /etc/tacacs-ng/mavis.d/entra-auth-wrapper.sh
}
}

and that wasnt working so I put it in tacplus's config file and that doesnt seem to work either.
mavis module = external {
exec = /etc/tacacs-ng/mavis.d/entra-auth-wrapper.sh
}

I did have it as the following also - which didnt make it get called and why i made a wrapper bash script in its place:

exec = /usr/bin/python3 /etc/tacacs-ng/mavis.d/entra-auth.py

Neither samples really go over this, unless Im missing something, which may be the case.

Regards,
Jason

[MarcJHuber]

Hi Jason,

id = tac_plus-ng {
...
    mavis module = external {
        exec = /etc/tacacs-ng/mavis.d/entra-auth-wrapper.sh
    }
...
}

is the right place for the backend script. The backend script is expected to communicate with the "external" module via stdin/stdout, and messing with those inside your wrapper (e.g. by redirecting stdout to a file) will break that.

Cheers,

Marc

[mdnnetworksolutionsllc]

understood, thanks Ill play some more.

Jason

[mdnnetworksolutionsllc]

just in case anyone else wants it. this now works:

tacplus config:

mavis module = external {
exec = /etc/tacacs-ng/mavis.d/entra-auth.py
}

entra-auth.py file:

#!/opt/entra-auth-venv/bin/python3

import sys
import datetime
from mavis import (
Mavis,
MAVIS_DOWN, MAVIS_FINAL,
AV_V_RESULT_OK, AV_V_RESULT_ERROR, AV_V_RESULT_FAIL,
AV_V_RESULT_NOTFOUND
)
import msal
import logging

=== Configuration ===

CLIENT_ID = ""
TENANT_ID = ""
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"
SCOPES = ["https://graph.microsoft.com/.default"]

Logging setup

LOG_FILE = "/var/log/entra-auth.log"
logging.basicConfig(
filename=LOG_FILE,
level=logging.DEBUG,
format='%(asctime)s %(levelname)s %(message)s'
)

def log(msg):
logging.debug(msg)

def main():
while True:
D = Mavis()

    if not D.is_tacplus():
        D.write(MAVIS_DOWN, None, None)
        continue

    if not D.valid():
        D.write(MAVIS_FINAL, AV_V_RESULT_ERROR, "Invalid input.")
        continue

    username = D.user
    password = D.password

    if not username or not password:
        log(f"Missing credentials: user={username}")
        D.write(MAVIS_FINAL, AV_V_RESULT_FAIL, "Missing credentials.")
        continue

    try:
        app = msal.PublicClientApplication(CLIENT_ID, authority=AUTHORITY)
        result = app.acquire_token_by_username_password(username=username, password=password, scopes=SCOPES)

        if "access_token" in result:
            log(f"Login success for user {username}")
            D.write(MAVIS_FINAL, AV_V_RESULT_OK, None)
        else:
            error_desc = result.get("error_description", "Unknown error")
            log(f"Login failed for {username}: {error_desc}")
            D.write(MAVIS_FINAL, AV_V_RESULT_FAIL, error_desc)

    except Exception as e:
        log(f"Exception: {str(e)}")
        D.write(MAVIS_FINAL, AV_V_RESULT_ERROR, str(e))

if name == "main":
main()

Thanks for the push in the right direction Marc

[MarcJHuber]

Hi Jason,

nice, thanks for sharing!

Cheers,

Marc