External Auth remote IP

tsiemers1
Spotlight

Trying to implement fail2ban onto the NSO service for external auth. According to the docs NSO sends via stdin username and password. See the picture below.


Is it possible to add other fields to this? More specifically the remote IP of the auth request. This way we can implement fail2ban. Currently, the audit.log shows the from <HOST> but using a custom script for auth only sends via stdin (username, password).


So something like this:
#logging.info("userpass info: {}".format(user_pass_split))
username = user_pass_split[0]
password = user_pass_split[1]

remote_ip = user_pass_split[2]

[Attached image: Capture.PNG]


ramkraja
Cisco Employee

You can configure "/ncs-config/aaa/external-authentication/include-extra" to "true" in ncs.conf.

From the man page for ncs.conf:

       /ncs-config/aaa/external-authentication/include-extra (boolean) [false]
           When set to 'true', additional information items will be provided to the
           executable: source IP address and port, context, and protocol. I.e. the
           complete format will be '[${USER};${PASS};${IP};${PORT};${CONTEXT};${PROTO};]\n'.
           Example: '[bob;secret;192.168.1.1;12345;cli;ssh;]\n'.

/Ram
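As an added example (not the original poster's script and not NSO code), here is how an external-auth script can parse the stdin line in both layouts (include-extra false and true) and emit an audit line that fail2ban can match on the source IP. The function and field names are my own; it assumes the username itself never contains ';', since the man page text above describes no escaping.

```python
import logging
import sys

# Field layout from the ncs.conf man page when include-extra is 'true':
# '[${USER};${PASS};${IP};${PORT};${CONTEXT};${PROTO};]\n'
EXTRA_FIELDS = ("ip", "port", "context", "proto")


def parse_auth_line(line, include_extra=True):
    """Parse one line NSO writes to the external-auth script's stdin.

    include_extra must mirror the ncs.conf setting: '[user;pass;]' when
    false, '[user;pass;ip;port;context;proto;]' when true. The fixed
    trailing fields are split off from the right so a password containing
    ';' still parses; this assumes the username contains no ';' (the man
    page text quoted above describes no escaping).
    """
    body = line.rstrip("\n")
    if not (body.startswith("[") and body.endswith(";]")):
        raise ValueError("unexpected external-auth line format")
    body = body[1:-2]  # drop the leading '[' and the trailing ';]'
    rec = {}
    if include_extra:
        parts = body.rsplit(";", len(EXTRA_FIELDS))
        if len(parts) != len(EXTRA_FIELDS) + 1:
            raise ValueError("expected %d extra fields" % len(EXTRA_FIELDS))
        rec.update(zip(EXTRA_FIELDS, parts[1:]))
        rec["port"] = int(rec["port"])
        body = parts[0]
    user, sep, password = body.partition(";")
    if not user or not sep:
        raise ValueError("missing username or password field")
    rec["user"], rec["password"] = user, password
    return rec


def audit_record(rec, accepted):
    """Audit line in the shape of the thread's final log output; the password
    is deliberately never logged. A fail2ban failregex such as
    'authen response: False, HOST: <HOST>' can match it."""
    return "username: %s, authen response: %s, HOST: %s, PORT: %s" % (
        rec["user"], accepted, rec.get("ip", "-"), rec.get("port", "-"))


if __name__ == "__main__":
    # Constructed sample (the man page example); the real script would use
    # sys.stdin.readline() and get `accepted` from its own backend check.
    rec = parse_auth_line("[bob;secret;192.168.1.1;12345;cli;ssh;]\n")
    logging.basicConfig(stream=sys.stderr, level=logging.INFO,
                        format="%(asctime)s %(levelname)s %(message)s")
    logging.info(audit_record(rec, accepted=False))
```

In production, point `logging.basicConfig` at the file fail2ban tails instead of stderr, and note that the commented-out `logging.info("userpass info: ...")` line in the question would write the cleartext password to that log.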




Thank you /Ram.


That did the trick. After changing the ncs.conf

  <aaa>
    <ssh-server-key-dir>${NCS_CONFIG_DIR}/ssh</ssh-server-key-dir>

    <!-- Depending on OS - and also depending on user requirements -->
    <!-- the pam service value must be tuned. -->

    <pam>
      <enabled>true</enabled>
      <service>common-auth</service>
    </pam>

    <external-authentication>
      <enabled>true</enabled>
      <include-extra>true</include-extra>
      <executable>python /sbin/tacacs_test.py</executable>
    </external-authentication>

    <local-authentication>
      <enabled>false</enabled>
    </local-authentication>

    <expiration-warning>prompt</expiration-warning>
  </aaa>

I can now filter and send the remote IP and port.

tail: /var/log/nso_external_auth.log: file truncated
11-14 11:26 root INFO username: BAD_User, authen response: False, HOST: 192.168.99.10, PORT: 50850