<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Hello,<br><br>I am setting up a Centos server to run tac_plus and am trying to use it with PAM. Currently, I am trying to use tac_plus to authenticate users who are VPN'ing into the network. The users are able to VPN in however, the pam_tally2 is indicating is a bad login and incrementing the attempts so after a period of time the user gets locked out. I am sure it is some step I have missed in my configuration. I have seen where some other people had a similar problem but, I haven't seen what their resolution was. I did look in the past archives but, I didn't see anything specific to this. I apologize if I missed it.<br><br>My current tac_plus.conf appears like this. I just started testing this so it is only slightly modified from the default currently.<br><br>key = "xxxxxxxx" -removed <br>accounting file = /var/log/tac.acct<br># authentication users not appearing elsewhere via<br># the file /etc/passwd<br>#default authentication = file /etc/passwd<br><br>acl = default {<br> #permit = 192\.168\.0\.<br> <br><br>}<br><br># Example of host-specific configuration:<br>host = 192.168.2.1 {<br> prompt = "Enter your Unix username and password, Username: "<br> # Enable password for the router, generate a new one with tac_pwd<br> #enable = des 4P8MBRmulyloo<br>}<br><br># Group that is allowed to do most configuration on all interfaces etc.<br>group = admin {<br> # group members who don't have their own login password will be<br> # looked up in /etc/passwd<br> #login = file /etc/passwd<br> #login = PAM<br><br> # group members who have no expiry date set will use this one<br> #expires = "Jan 1 1997"<br><br> # only allow access to specific routers<br> acl = default<br><br><br> # Needed for the router to make commands available to user (subject<br> # to authorization if so configured on the router<br> service = exec {<br> priv-lvl = 15<br> #default service = permit<br> }<br><br> cmd = username {<br> permit .*<br> }<br> cmd = enable {<br> permit .*<br> }<br> cmd = show {<br> permit .*<br> }<br> cmd = exit {<br> permit .*<br> }<br> cmd = configure {<br> permit .*<br> }<br> cmd = interface {<br> permit .*<br> }<br> cmd = switchport {<br> permit .*<br> }<br> cmd = description {<br> permit .*<br> }<br> cmd = no {<br> permit shutdown<br> }<br><br><br>}<br><br># A group that can change some limited configuration on switchports<br># related to host-side network configuration<br>group = sysadmin {<br> # group members who don't have their own login password will be<br> # looked up in /etc/passwd:<br> #login = file /etc/passwd<br> # or authenticated via PAM:<br> login = PAM<br> acl = default<br><br> # Needed for the router to make commands available to user (subject<br> # to authorization if so configured on the router<br> service = exec {<br> priv-lvl = 15<br> }<br> cmd = enable {<br> permit .*<br> }<br> cmd = show {<br> permit .*<br> }<br> cmd = exit {<br> permit .*<br> }<br> cmd = configure {<br> permit .*<br> }<br> cmd = interface {<br> permit FastEthernet.*<br> permit GigabitEthernet.*<br> }<br> cmd = switchport {<br> permit "access vlan.*"<br> permit "trunk encapsulation.*"<br> permit "mode.*"<br> permit "trunk allowed vlan.*"<br> }<br> cmd = description {<br> permit .*<br> }<br><br> cmd = no {<br> permit shutdown<br> }<br><br>}<br><br>user = joe {<br> login = PAM<br> #member = sysadmin<br> member = admin<br>}<br>user=kdavis {<br> login = PAM<br>}<br><br>user = fred {<br> login = PAM<br> member = sysadmin<br>}<br><br># User account configured for use with "rancid"<br>user = rancid {<br> # Generate a new password with tac_pwd<br> #login = des LXUxLCkFhGpwA<br><br> service = exec {<br> priv-lvl = 15<br> }<br><br> cmd = show { permit .* }<br> cmd = exit { permit .* }<br> cmd = dir { permit .* }<br> cmd = write { permit term }<br>}<br><br># Global enable level 15 password, generate a new one with tac_pwd<br>user = $enab15$ {<br> #login = des 97cZOIgSXU/4I<br>}<br><br>#user = DEFAULT {<br># login = PAM<br>#member = default<br>#}<br><br>I did turn on debugging when my user logged in and saw this:<br><br>cfg_get_hvalue: name=192.168.0.1 attr=key<br>cfg_get_hvalue: no host named 192.168.0.1<br>cfg_get_phvalue: returns NULL<br>cfg_get_hvalue: name=192.168.0.1 attr=key<br>cfg_get_hvalue: no host named 192.168.0.1<br>cfg_get_phvalue: returns NULL<br>cfg_get_value: name=kdavis isuser=1 attr=expires rec=1<br>cfg_get_pvalue: returns NULL<br>cfg_get_value: name=kdavis isuser=1 attr=acl rec=1<br>cfg_get_pvalue: returns NULL<br>login query for 'kdavis' 1032192 from 192.168.0.1 accepted<br>cfg_get_hvalue: name=192.168.0.1 attr=key<br>cfg_get_hvalue: no host named 192.168.0.1<br>cfg_get_phvalue: returns NULL<br><br>I wonder if its something with these Null values that is somehow impacting things. Any suggestions or help would be appreciated.<br><br><br><br> </div></body>
</html>