<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div><span>Hi John,</span></div><div><br><span></span></div><div><span>I do not see any abnormal log from debugging on my Cisco switch. Do you have any idea about running debug for tac_plus on FreeBSD 8.2, and have you ever experienced this situation before?</span></div><div><br><span></span></div><div><span>Thanks,</span></div><div><span>Ricki<br></span></div><div><br></div> <div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"> <div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"> <font face="Arial" size="2"> <hr size="1"> <b><span style="font-weight:bold;">From:</span></b> john heasley &lt;heas@shrubbery.net&gt;<br> <b><span style="font-weight: bold;">To:</span></b> Ricki Z &lt;rz.bangka@yahoo.com&gt; <br><b><span style="font-weight: bold;">Cc:</span></b>
tac_plus@shrubbery.net <br> <b><span style="font-weight: bold;">Sent:</span></b> Friday, December 9, 2011 12:42 AM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [tac_plus] tac_plus login and enable password issue<br> </font> <br>
Wed, Dec 07, 2011 at 07:54:49PM -0800, Ricki Z:<br>> Hi John,<br>> <br>> Thanks for your earlier info. I have changed the config to put default service under the group, but I still experience the same problem. My problem exactly is: why can I log in to the Cisco switch using the "login password" or the "enable password", and why can I enter privilege mode using the "login password" or the "enable password" too?<br>> <br>> Below is my new config for the tac-plus server:<br>> -----------------------------------cut-----------------------------------<br>> user = user1 {<br>>     member = admin<br>>     login = cleartext user1<br>>     enable = cleartext enauser1<br>> }<br>> <br>> user = user2 {<br>>     member = admin<br>>     login = cleartext user2<br>>     enable = cleartext enauser2<br>> }<br>> group = admin {<br>>     default service = permit<br>>
}<br>> -----------------------------------cut-----------------------------------<br>> And below is my Cisco switch config for tac-plus authentication:<br>> <br>> -----------------------------------cut-----------------------------------<br>> aaa new-model<br>> aaa authentication login default group tacacs+ local line<br>> aaa authentication login user group tacacs+ local<br>> aaa authentication login net_admin group tacacs+ line enable<br>> aaa authentication enable default group tacacs+ enable<br>> aaa authorization exec default group tacacs+ if-authenticated<br>> aaa authorization commands 0 default group tacacs+ if-authenticated<br>> aaa authorization commands 1 default group tacacs+ if-authenticated<br>> aaa authorization commands 7 default group tacacs+ if-authenticated<br>> aaa authorization commands 15 default group tacacs+ if-authenticated<br>> aaa authorization network default group tacacs+
if-authenticated<br>> aaa accounting exec user start-stop group tacacs+<br>> aaa accounting commands 0 user start-stop group tacacs+<br>> aaa accounting commands 1 user start-stop group tacacs+<br>> aaa accounting commands 7 user start-stop group tacacs+<br>> aaa accounting commands 15 user start-stop group tacacs+<br>> aaa accounting network user start-stop group tacacs+<br>> aaa accounting connection user start-stop group tacacs<br>> !<br>> line con 0<br>>  login authentication net_admin<br>> line vty 0 4<br><br> login authentication default<br><br>otherwise, looks ok. try debugging options on the router and the tacacs<br>daemon to figure out why it's not working as you expect.<br><br>>  accounting connection user<br>>  accounting commands 0 user<br>>  accounting commands 1 user<br>>  accounting commands 7 user<br>>  accounting commands 15 user<br>>  accounting exec user<br>> line vty 5
15<br>>  accounting connection user<br>>  accounting commands 0 user<br>>  accounting commands 1 user<br>>  accounting commands 7 user<br>>  accounting commands 15 user<br>>  accounting exec user<br>> -----------------------------------cut-----------------------------------<br>> <br>> Here is the illustration for logging in to the Cisco switch:<br>> -----------------------------------cut-----------------------------------<br>> User Access Verification<br>> <br>> Username: user1<br>> Password: user1<br>> <br>> or <br>> <br>> <br>> Username: user1<br>> Password: enauser1<br>> -----------------------------------cut-----------------------------------<br>> Here is the illustration for entering privilege mode on the Cisco switch:<br>> -----------------------------------cut-----------------------------------<br>> cisco-sw>en<br>> Password: enauser1<br>> <br>> or<br>> <br>> cisco-sw>en<br>>
Password: user1<br>> -----------------------------------cut-----------------------------------<br>> Is there anything abnormal with my config on the tac-plus server or the Cisco switch?<br>> <br>> Tx,<br>> Ricki<br>> <br>> <br>> <br>> ________________________________<br>> From: john heasley &lt;<a ymailto="mailto:heas@shrubbery.net" href="mailto:heas@shrubbery.net">heas@shrubbery.net</a>&gt;<br>> To: Ricki Z &lt;<a ymailto="mailto:rz.bangka@yahoo.com" href="mailto:rz.bangka@yahoo.com">rz.bangka@yahoo.com</a>&gt; <br>> Cc: "<a ymailto="mailto:tac_plus@shrubbery.net" href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a>" &lt;<a ymailto="mailto:tac_plus@shrubbery.net" href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a>&gt; <br>> Sent: Thursday, December 8, 2011 5:51 AM<br>> Subject: Re: [tac_plus] tac_plus login and enable password issue<br>> <br>> Sun, Nov 27, 2011 at 08:58:15PM -0800,
Ricki Z:<br>> > Hi All,<br>> > <br>> > <br>> > <br>> > I have an issue when I use an enable password per user (not in the global config with user $enab15$ etc.) and every user uses a different password for Cisco enable on the tac_plus server. Referring to the config that I sent before, I can use AAA for Cisco devices with tac_plus, but if I log in using user1, then I can use password "user1" or "enauser1", and after a successful login I can enter privilege mode using password "user1" or "enauser1", and the same for user2. In the normal condition it should be that I can only log in as user1 with password "user1" (failing if using password "enauser1") and I can only enter privilege mode using password "enauser1" (failing if using "user1").<br>> > <br>> > user = user1 {<br>> >     default service = permit<br>> default service does not belong under user configuration.<br>> <br>> otherwise, I cannot reproduce the problem that I
think you are describing.<br>> given two users configured with different passwords, one cannot use the<br>> other's passwords to log in or enable.<br>> <br>> I'd guess that you have a device configuration problem or there is some<br>> strange problem with how you've compiled tac_plus. More likely the former.<br>> <br>> >     login = cleartext user1<br>> >     enable = cleartext enauser1<br>> > }<br>> > <br>> > user = user2 {<br>> >     default service = permit<br>> >     login = cleartext user2<br>> >     enable = cleartext enauser2<br>> > }<br>> > <br>> > And if I configure an enable password per user and every user uses the same enable password (like the config below), everything<br>> > works as it is supposed to, meaning that if I log in using user1 I can only use password "user1" (can't use password "enapwd") and I
can only enter privilege mode using password "enauser" (can't use password "user1").<br>> > user = user1 {<br>> >     default service = permit<br>> >     login = cleartext user1<br>> >     enable = cleartext enauser<br>> > }<br>> > <br>> > user = user2 {<br>> >     default service = permit<br>> >     login = cleartext user2<br>> >     enable = cleartext enauser<br>> > }<br>> > <br>> > Need your advice to solve this issue.<br>> > <br>> > Tx,<br>> > Ricki<br>> > _______________________________________________<br>> > tac_plus mailing list<br>> > <a ymailto="mailto:tac_plus@shrubbery.net" href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br>> > <a href="http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus" target="_blank">http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus</a><br><br><br> </div> </div> </div></body></html>
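The reply in this thread rests on one rule of the tac_plus credential lookup: a login request is checked against the user's `login =` credential and an enable request against the user's `enable =` credential, each resolved through `member =` group inheritance, so with different passwords per user neither can stand in for the other. The following is an added example written for this thread, not tac_plus's own code: a toy parser for the config subset posted above (user/group blocks, `member`, `login`/`enable = cleartext`, `default service`) plus a function that applies that rule. `parse_config`, `resolve`, `authenticate` and the constructed `SAMPLE_CONFIG` are this example's own names; real tac_plus also supports des/file/PAM credentials, expiry and per-service attributes, none of which is modelled. Running it shows the behaviour John describes as expected (login with the enable secret and enable with the login secret both rejected), which is a useful baseline when comparing against what a device actually accepts.

```python
"""Toy model of the tac_plus user/group credential lookup (added example,
not tac_plus's own code)."""
import re
from typing import Dict, Optional

# Constructed sample: the tac_plus configuration posted in the thread.
SAMPLE_CONFIG = """
user = user1 {
    member = admin
    login = cleartext user1
    enable = cleartext enauser1
}
user = user2 {
    member = admin
    login = cleartext user2
    enable = cleartext enauser2
}
group = admin {
    default service = permit
}
"""

# One 'user = NAME { ... }' or 'group = NAME { ... }' block (no nested braces).
BLOCK_RE = re.compile(r"(user|group)\s*=\s*(\S+)\s*\{(.*?)\}", re.S)


def parse_config(text: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Return {'user': {name: attrs}, 'group': {name: attrs}}.

    Attribute lines are 'key = value'; keys may contain spaces
    (e.g. 'default service'), and '#' starts a comment.
    """
    cfg: Dict[str, Dict[str, Dict[str, str]]] = {"user": {}, "group": {}}
    for kind, name, body in BLOCK_RE.findall(text):
        attrs = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if not line or "=" not in line:
                continue
            key, value = (part.strip() for part in line.split("=", 1))
            attrs[key] = value
        cfg[kind][name] = attrs
    return cfg


def resolve(cfg, username: str, key: str) -> Optional[str]:
    """Look up `key` on the user, then follow the member chain through groups."""
    node = cfg["user"].get(username)
    seen = set()
    while node is not None:
        if key in node:
            return node[key]
        parent = node.get("member")
        if parent is None or parent in seen:  # no parent, or a membership loop
            return None
        seen.add(parent)
        node = cfg["group"].get(parent)
    return None


def authenticate(cfg, username: str, password: str, service: str) -> bool:
    """service is 'login' or 'enable'; each is checked only against its own
    credential. Only 'cleartext' secrets are modelled here."""
    if service not in ("login", "enable"):
        raise ValueError("service must be 'login' or 'enable'")
    spec = resolve(cfg, username, service)
    if spec is None:
        return False  # unknown user or no credential of that kind configured
    method, _, secret = spec.partition(" ")
    if method != "cleartext" or not secret:
        return False  # des/file/PAM and empty secrets are out of scope
    return secret == password


CFG = parse_config(SAMPLE_CONFIG)

if __name__ == "__main__":
    # The four cases from the thread: only the first and third should be accepted.
    for user, pw, svc in [("user1", "user1", "login"), ("user1", "enauser1", "login"),
                          ("user1", "enauser1", "enable"), ("user1", "user1", "enable")]:
        verdict = "accept" if authenticate(CFG, user, pw, svc) else "reject"
        print(f"{svc:6} {user} / {pw!r}: {verdict}")
```

The group walk in `resolve` is what makes `default service = permit` under `group = admin` visible to both users, which is the layout the second config in the thread moved to.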