153 Views, 10 Helpful, 2 Replies
Beginner

External Auth remote IP

Trying to implement fail2ban onto the NSO service for external auth. According to the docs, NSO sends the username and password via stdin. See the picture below.

 

Is it possible to add other fields to this? More specifically, the remote IP of the auth request. This way we can implement fail2ban. Currently, the audit.log shows the from <HOST>, but using a custom script for auth only sends (username, password) via stdin.

 

So something like this:

import sys
import logging

# NSO writes one line to stdin, '[user;pass;]' (more fields follow if include-extra is on);
# strip the brackets and trailing ';' and split on ';' (read added here for completeness)
user_pass_split = sys.stdin.readline().strip().strip("[]").strip(";").split(";")
#logging.info("userpass info: {}".format(user_pass_split))
username = user_pass_split[0]
password = user_pass_split[1]

remote_ip = user_pass_split[2]

[attachment: Capture.PNG]

1 ACCEPTED SOLUTION

Cisco Employee

Re: External Auth remote IP

You can configure "/ncs-config/aaa/external-authentication/include-extra" to "true" in ncs.conf.

From the man page for ncs.conf:

       /ncs-config/aaa/external-authentication/include-extra (boolean) [false]
           When set to 'true', additional information items will be provided to the
           executable: source IP address and port, context, and protocol. I.e. the
           complete format will be '[${USER};${PASS};${IP};${PORT};${CONTEXT};${PROTO};]\n'.
           Example: '[bob;secret;192.168.1.1;12345;cli;ssh;]\n'.

/Ram

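As an added illustration (my code, not the OP's script and not part of NSO), here is how an external-auth executable can consume both stdin layouts the man page describes and turn each attempt into a log line that carries the client IP for fail2ban. The sample lines and the credential table are constructed; the log message layout mirrors the line the OP posts further down; and the 'accept ...'/'reject ...' reply shape is the one I remember from the NSO Administration Guide, so check it against your version before relying on it.

```python
import re
import logging
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines, not captured from a real NSO. The layouts are the
# two the ncs.conf man page gives: '[user;pass;]' without include-extra and
# '[user;pass;ip;port;context;proto;]' with it.
SAMPLE_PLAIN = "[bob;secret;]\n"
SAMPLE_EXTRA = "[bob;secret;192.168.1.1;12345;cli;ssh;]\n"
SAMPLE_BAD_PASSWORD = "[bob;wrong;192.168.1.1;12345;cli;ssh;]\n"

# Constructed credential table standing in for the OP's TACACS+ lookup.
USERS = {"bob": "secret"}


@dataclass
class AuthRequest:
    user: str
    password: str
    ip: Optional[str] = None
    port: Optional[int] = None
    context: Optional[str] = None
    proto: Optional[str] = None


def parse_auth_line(line: str, include_extra: bool) -> AuthRequest:
    """Parse the line NSO writes to the external-auth executable's stdin.

    include_extra must mirror /ncs-config/aaa/external-authentication/include-extra:
    once a password may contain ';' the two layouts cannot be told apart from the
    line alone, so the setting is passed in rather than guessed.
    """
    line = line.rstrip("\r\n")
    if not (line.startswith("[") and line.endswith(";]")):
        raise ValueError("not an NSO external-auth line: %r" % line)
    body = line[1:-2]                      # drop '[' and the trailing ';]'
    user, sep, rest = body.partition(";")  # usernames are assumed to hold no ';'
    if not sep or not user:
        raise ValueError("missing username")
    if not include_extra:
        return AuthRequest(user=user, password=rest)
    # The four extra fields are fixed and come last, so split from the right:
    # a ';' inside the password then stays in the password (assumed here to be
    # passed through unescaped; verify against your NSO version).
    parts = rest.rsplit(";", 4)
    if len(parts) != 5:
        raise ValueError("expected user;pass;ip;port;context;proto")
    password, ip, port, context, proto = parts
    return AuthRequest(user, password, ip or None, int(port) if port else None,
                       context or None, proto or None)


def credentials_ok(req: AuthRequest) -> bool:
    """Stand-in backend check; the OP's script would ask TACACS+ here."""
    return USERS.get(req.user) == req.password


def audit_message(req: AuthRequest, ok: bool) -> str:
    """One log line per attempt, in the layout the OP's log uses.

    The username is attacker-controlled input: strip anything outside a safe
    character set so a name like 'x, HOST: 10.0.0.1' cannot plant a fake HOST
    field for the fail2ban regex to pick up. The password is never logged.
    """
    safe_user = re.sub(r"[^\w.@-]", "_", req.user)
    return "username: %s, authen response: %s, HOST: %s, PORT: %s" % (
        safe_user, ok, req.ip, req.port)


def nso_reply(req: AuthRequest, ok: bool) -> str:
    """Reply for NSO on stdout. The 'accept $groups $uid $gid $supplementary_gid
    $HOME' / 'reject $message' shape is assumed from the NSO Administration
    Guide as I recall it (constructed uid/gid/home); confirm for your release."""
    if ok:
        return "accept admin 1004 1004 /home/%s\n" % req.user
    return "reject authentication failed\n"


def handle(line: str, include_extra: bool = True) -> tuple:
    """Parse, check, log and answer one request; returns (ok, log line, reply)."""
    req = parse_auth_line(line, include_extra)
    ok = credentials_ok(req)
    msg = audit_message(req, ok)
    logging.getLogger("nso_external_auth").info(msg)
    return ok, msg, nso_reply(req, ok)


if __name__ == "__main__":
    import sys
    logging.basicConfig(filename="/var/log/nso_external_auth.log",
                        format="%(asctime)s %(name)s %(levelname)s %(message)s",
                        datefmt="%m-%d %H:%M", level=logging.INFO)
    _, _, reply = handle(sys.stdin.readline(), include_extra=True)
    sys.stdout.write(reply)
```

Pass include_extra from the same value you set in ncs.conf rather than sniffing the line. Also keep in mind that the IP is the peer address NSO saw: if operators reach NSO through a jump host or proxy, every failure carries that host's address and a fail2ban ban will lock everyone out.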


Beginner

Re: External Auth remote IP

Thank you /Ram.

 

That did the trick. After changing the ncs.conf:

 <aaa>
    <ssh-server-key-dir>${NCS_CONFIG_DIR}/ssh</ssh-server-key-dir>

    <!-- Depending on OS - and also depending on user requirements -->
    <!-- the pam service value must be tuned. -->

    <pam>
      <enabled>true</enabled>
      <service>common-auth</service>
    </pam>
    <external-authentication>
      <enabled>true</enabled>
      <include-extra>true</include-extra>
      <executable>python /sbin/tacacs_test.py</executable>
    </external-authentication>

    <local-authentication>
      <enabled>false</enabled>
    </local-authentication>

    <expiration-warning>prompt</expiration-warning>
  </aaa>

I can now filter on and send the remote IP and port.

tail: /var/log/nso_external_auth.log: file truncated
11-14 11:26 root INFO username: BAD_User, authen response: False, HOST: 192.168.99.10, PORT: 50850
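To close the loop with fail2ban, here is an added example (mine, not the OP's script and not fail2ban's own code) that runs a fail2ban-style failregex over log lines in the layout shown above and applies a maxretry/findtime window to decide which hosts would be banned. The sample lines are constructed, the filter file name is my choice, and the matching is a simplified imitation of fail2ban (date pattern cut off first, then failregex with <HOST> expanded to fail2ban's classic host pattern); confirm the regex with fail2ban-regex against the real log before enabling a jail.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in the layout the OP's script writes
# ('%m-%d %H:%M' timestamp, logger name, level, message); not a real capture.
SAMPLE_LOG = """\
11-14 11:26 root INFO username: BAD_User, authen response: False, HOST: 192.168.99.10, PORT: 50850
11-14 11:26 root INFO username: bob, authen response: True, HOST: 192.168.99.20, PORT: 50851
11-14 11:27 root INFO username: BAD_User, authen response: False, HOST: 192.168.99.10, PORT: 50852
11-14 11:27 root INFO username: admin, authen response: False, HOST: 192.168.99.10, PORT: 50853
11-14 11:40 root INFO username: admin, authen response: False, HOST: 192.168.99.10, PORT: 50854
11-14 11:41 root INFO username: admin, authen response: False, HOST: 192.168.99.30, PORT: 50855
"""

# failregex as it would be written in a filter file such as
# /etc/fail2ban/filter.d/nso-external-auth.conf (file name chosen here).
# It matches what is left after the timestamp has been cut off the line.
FAILREGEX = (r"^\S+ INFO username: [\w.@-]+, authen response: False, "
             r"HOST: <HOST>, PORT: \d+$")

# fail2ban's classic expansion of the <HOST> tag.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_TAG))
# Matches the datefmt the OP configured. The year is absent, so strptime
# yields 1900, which is fine for relative windows inside one log.
DATE_RE = re.compile(r"^(\d{2}-\d{2} \d{2}:\d{2}) ")


def match_failure(line):
    """Return (timestamp, host) for a failed-auth line, else None."""
    d = DATE_RE.match(line)
    if d is None:
        return None
    ts = datetime.strptime(d.group(1), "%m-%d %H:%M")
    m = FAIL_RE.match(line[d.end():])
    if m is None:
        return None
    return ts, m.group("host")


def hosts_to_ban(log_text, maxretry=3, findtime_seconds=600):
    """Emulate the jail: ban a host on its maxretry-th failure within findtime.

    Returns hosts in the order they crossed the threshold.
    """
    findtime = timedelta(seconds=findtime_seconds)
    recent = defaultdict(deque)   # host -> failure timestamps still in the window
    banned = []
    for line in log_text.splitlines():
        hit = match_failure(line)
        if hit is None:
            continue
        ts, host = hit
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:   # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```

Point the jail's action at the ports NSO itself serves (its SSH CLI, NETCONF and web ports) rather than the host's sshd, or the ban will not reach the traffic that produced the failures. The OP's datefmt carries no year, which is fine for a relative window but becomes ambiguous across New Year; adding %Y to the datefmt avoids that.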