The tacacs config in my switch is simple:<br>
<pre>
tacacs-server host 10.20.1.72
tacacs-server key 7 xxxxxxxxx
</pre>
The tac_plus.conf in server:<br>
<pre>
accounting file = /var/log/tacacs_acct
key = mykey

user = $enab15$ {
    login = des "DKxtKRZ/XeEgM"
}

group = admin {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

group = limited {
    default service = deny
    service = exec {
        priv-lvl = 1
    }
    cmd = show {
        permit ip
        permit interface
    }
}

user = testuser{
    member = admin
    login = PAM
}
</pre>
Thanks a lot John. From this configuration, I can't tell that this is requesting another authentication.<br><br><div class="gmail_quote">
On Thu, Feb 18, 2010 at 7:18 PM, john heasley <span dir="ltr"><<a href="mailto:heas@shrubbery.net">heas@shrubbery.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Thu, Feb 18, 2010 at 07:05:57PM -0600, Hailu Meng:<br>
<div class="im">> Thanks John. My tacacs+ configuration in switch is simple:<br>
><br>
> aaa new-model<br>
> aaa authentication login default group tacacs+ line<br>
> aaa authentication enable default group tacacs+ enable<br>
<br>
</div>that's the aaa config, what about tacacs.<br>
<div><div></div><div class="h5"><br>
><br>
><br>
><br>
> On Thu, Feb 18, 2010 at 5:45 PM, john heasley <<a href="mailto:heas@shrubbery.net">heas@shrubbery.net</a>> wrote:<br>
><br>
> > Thu, Feb 18, 2010 at 02:02:46PM -0600, Hailu Meng:<br>
> > > Thu Feb 18 13:42:22 2010 [27117]: Writing AUTHEN/SUCCEED size=18<br>
> > > Thu Feb 18 13:42:22 2010 [27117]: PACKET: key=mykey<br>
> > > Thu Feb 18 13:42:22 2010 [27117]: version 192 (0xc0), type 1, seq no 6, flags 0x1<br>
> > > Thu Feb 18 13:42:22 2010 [27117]: session_id 3918696952 (0xe99291f8), Data length 6 (0x6)<br>
> > > Thu Feb 18 13:42:22 2010 [27117]: End header<br>
> > > Thu Feb 18 13:42:22 2010 [27117]: type=AUTHEN status=1 (AUTHEN/SUCCEED) flags=0x0<br>
> > > Thu Feb 18 13:42:22 2010 [27117]: msg_len=0, data_len=0<br>
> > > Thu Feb 18 13:42:22 2010 [27117]: msg:<br>
> > > Thu Feb 18 13:42:22 2010 [27117]: data:<br>
> > > Thu Feb 18 13:42:22 2010 [27117]: End packet<br>
> > > Thu Feb 18 13:42:22 2010 [27117]: <a href="http://10.1.2.1" target="_blank">10.1.2.1</a>: disconnect<br>
> > > <------ This above is the same as successful one, from here, I got another<br>
> > > "Password" Prompt asking for password. Even if I input my correct password<br>
> > > for the 2nd time, it just doesn't allow me in. I also tried wrong password<br>
> > > for the first time password input on purpose, I did get rejected message<br>
> > > like "login query for 'testuser' tty1 from 10.1.2.1 rejected"<br>
> ><br>
> > > Thu Feb 18 13:42:28 2010 [27116]: session request from 10.1.2.1 sock=2<br>
> > > Thu Feb 18 13:42:28 2010 [27135]: connect from 10.1.2.1 [10.1.2.1]<br>
> > > Thu Feb 18 13:42:28 2010 [27135]: Waiting for packet<br>
> > > Thu Feb 18 13:42:28 2010 [27135]: Read AUTHEN/START size=35<br>
> > > Thu Feb 18 13:42:28 2010 [27135]: validation request from 10.1.2.1<br>
> > > Thu Feb 18 13:42:28 2010 [27135]: PACKET: key=mykey<br>
> > > Thu Feb 18 13:42:28 2010 [27135]: version 192 (0xc0), type 1, seq no 1, flags 0x1<br>
> > > Thu Feb 18 13:42:28 2010 [27135]: session_id 3154815253 (0xbc0aa915), Data length 23 (0x17)<br>
> ><br>
> > it's starting a new auth connection.<br>
> ><br>
> > what's the tacacs conf on the device?<br>
> ><br>
</div></div></blockquote></div><br>
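The debug output quoted in this thread shows one authentication finishing with AUTHEN/SUCCEED and a disconnect, then a brand-new session (new session_id, seq no 1) from the same device a few seconds later. The following Python script is an added example, not part of the thread and not tac_plus code: it parses tac_plus debug-log lines, groups them by the child process that handled each connection, and flags a client that opens a fresh authentication session shortly after a successful one, so an administrator can line that second session up with the device's aaa configuration (for instance a separate enable authentication, which is its own TACACS+ session). The embedded log lines are constructed to mimic the format quoted above, and the 30-second window is an arbitrary assumption.

```python
"""Parse tac_plus debug-log lines and report back-to-back authentication
sessions from the same client (a success followed shortly by a new session).

The SAMPLE_LOG below is constructed for this example and only imitates the
tac_plus debug format quoted in the thread; it is not a real capture."""
import re
from datetime import datetime

# "Thu Feb 18 13:42:22 2010 [27117]: message"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[(?P<pid>\d+)\]: (?P<msg>.*)$')
SESSION_RE = re.compile(r'session_id (\d+) \((0x[0-9a-f]+)\)')
CLIENT_RE = re.compile(r'validation request from (\S+)')
STATUS_RE = re.compile(r'status=(\d+) \((AUTHEN/\w+)\)')

SAMPLE_LOG = """\
Thu Feb 18 13:42:22 2010 [27117]: connect from 10.1.2.1 [10.1.2.1]
Thu Feb 18 13:42:22 2010 [27117]: Read AUTHEN/START size=35
Thu Feb 18 13:42:22 2010 [27117]: validation request from 10.1.2.1
Thu Feb 18 13:42:22 2010 [27117]: session_id 3918696952 (0xe99291f8), Data length 23 (0x17)
Thu Feb 18 13:42:22 2010 [27117]: Writing AUTHEN/SUCCEED size=18
Thu Feb 18 13:42:22 2010 [27117]: type=AUTHEN status=1 (AUTHEN/SUCCEED) flags=0x0
Thu Feb 18 13:42:22 2010 [27117]: 10.1.2.1: disconnect
Thu Feb 18 13:42:28 2010 [27116]: session request from 10.1.2.1 sock=2
Thu Feb 18 13:42:28 2010 [27135]: connect from 10.1.2.1 [10.1.2.1]
Thu Feb 18 13:42:28 2010 [27135]: Read AUTHEN/START size=35
Thu Feb 18 13:42:28 2010 [27135]: validation request from 10.1.2.1
Thu Feb 18 13:42:28 2010 [27135]: session_id 3154815253 (0xbc0aa915), Data length 23 (0x17)
Thu Feb 18 13:42:31 2010 [27135]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
Thu Feb 18 13:42:31 2010 [27135]: 10.1.2.1: disconnect
Thu Feb 18 14:05:02 2010 [27201]: connect from 10.1.2.2 [10.1.2.2]
Thu Feb 18 14:05:02 2010 [27201]: validation request from 10.1.2.2
Thu Feb 18 14:05:02 2010 [27201]: session_id 12345 (0x3039), Data length 23 (0x17)
Thu Feb 18 14:05:02 2010 [27201]: type=AUTHEN status=1 (AUTHEN/SUCCEED) flags=0x0
Thu Feb 18 14:05:02 2010 [27201]: 10.1.2.2: disconnect
"""


def parse_line(line):
    """Split one debug line into timestamp, tac_plus pid and message; None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%a %b %d %H:%M:%S %Y')
    return {'ts': ts, 'pid': int(m.group('pid')), 'msg': m.group('msg')}


def build_sessions(lines):
    """Group records by child pid (tac_plus forks one child per connection).
    The parent's own lines ("session request from ...") carry no client and are dropped."""
    sessions = {}
    for rec in filter(None, map(parse_line, lines)):
        s = sessions.setdefault(rec['pid'], {
            'pid': rec['pid'], 'client': None, 'session_id': None,
            'start': rec['ts'], 'end': rec['ts'], 'statuses': []})
        s['end'] = rec['ts']
        msg = rec['msg']
        if (m := CLIENT_RE.search(msg)):
            s['client'] = m.group(1)
        elif msg.startswith('connect from'):
            s['client'] = msg.split()[2]
        if (m := SESSION_RE.search(msg)):
            s['session_id'] = m.group(2)
        if (m := STATUS_RE.search(msg)):
            s['statuses'].append(m.group(2))
    return [s for s in sessions.values() if s['client']]


def find_reauth(sessions, window_s=30):
    """Return (earlier, later) pairs where the same client opened a new
    authentication session within window_s seconds of a successful one."""
    pairs = []
    ordered = sorted(sessions, key=lambda s: s['start'])
    for i, a in enumerate(ordered):
        if 'AUTHEN/SUCCEED' not in a['statuses']:
            continue
        for b in ordered[i + 1:]:
            gap = (b['start'] - a['end']).total_seconds()
            if b['client'] == a['client'] and 0 <= gap <= window_s:
                pairs.append((a, b))
                break
    return pairs


def analyze(log_text, window_s=30):
    """Flat summary rows: (first pid, second pid, client, gap in seconds, second outcome)."""
    sessions = build_sessions(log_text.splitlines())
    return [(a['pid'], b['pid'], a['client'],
             int((b['start'] - a['end']).total_seconds()),
             b['statuses'][-1] if b['statuses'] else 'no-status')
            for a, b in find_reauth(sessions, window_s)]


if __name__ == '__main__':
    for pid_a, pid_b, client, gap, outcome in analyze(SAMPLE_LOG):
        print(f'{client}: session [{pid_a}] succeeded, new session [{pid_b}] '
              f'started {gap}s later and ended with {outcome}')
```

Run it against a real `tac_plus -d` log by replacing SAMPLE_LOG with the file contents; each reported pair is a place to compare the device's `aaa authentication login` and `aaa authentication enable` lines with what the server actually received in the second session.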