<div dir="ltr">wild guess:<div><br></div><div>try adding pap = <span style="font-size:12.8px">cleartext "blahblahblah"</span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Nov 20, 2017 at 8:54 AM, Andrew Villano <span dir="ltr"><<a href="mailto:andrew.villano@gmail.com" target="_blank">andrew.villano@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I have a switch that I recently upgraded to IOS XE 16 (Everest) from 3.x.x.<br>
It is the only switch that will not authenticate to tacacs. It does allow<br>
local authentication and I do see traffic during those exchanges.<br>
tac_plus.conf is setup to do file authentication from /etc/passwd .<br>
<br>
This is the debug log I pulled during the failure:<br>
<br>
Reading config<br>
Version F4.0.4.28 Initialized 1<br>
tac_plus server F4.0.4.28 starting<br>
socket FD 4 AF 2<br>
socket FD 5 AF 10<br>
uid=0 euid=0 gid=0 egid=0 s=37962240<br>
connect from cidf-06a.nyed.circ2.dcn [10.99.99.166]<br>
cfg_get_hvalue: name=10.99.99.166 attr=key<br>
cfg_get_hvalue: no host named 10.99.99.166<br>
cfg_get_phvalue: returns NULL<br>
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt<br>
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn<br>
cfg_get_phvalue: returns NULL<br>
cfg_get_value: name=rancid isuser=1 attr=login rec=1<br>
cfg_get_value: recurse group = rancid<br>
cfg_get_pvalue: returns NULL<br>
cfg_get_value: name=rancid isuser=1 attr=login rec=1<br>
cfg_get_value: recurse group = rancid<br>
cfg_get_pvalue: returns NULL<br>
cfg_get_value: name=rancid isuser=1 attr=nopassword rec=1<br>
cfg_get_value: recurse group = rancid<br>
cfg_get_intvalue: returns 0<br>
cfg_get_value: name=rancid isuser=1 attr=login rec=1<br>
cfg_get_value: recurse group = rancid<br>
cfg_get_pvalue: returns NULL<br>
cfg_get_hvalue: name=10.99.99.166 attr=key<br>
cfg_get_hvalue: no host named 10.99.99.166<br>
cfg_get_phvalue: returns NULL<br>
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt<br>
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn<br>
cfg_get_phvalue: returns NULL<br>
cidf-06a.nyed.circ2.dcn tty2: fd 6 eof (connection closed)<br>
Read -1 bytes from cidf-06a.nyed.circ2.dcn tty2, expecting 12<br>
cidf-06a.nyed.circ2.dcn tty2: Null reply packet, expecting CONTINUE<br>
connect from cidf-06a.nyed.circ2.dcn [10.99.99.166]<br>
cfg_get_hvalue: name=10.99.99.166 attr=key<br>
cfg_get_hvalue: no host named 10.99.99.166<br>
cfg_get_phvalue: returns NULL<br>
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt<br>
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn<br>
cfg_get_phvalue: returns NULL<br>
cfg_get_value: name=rancid isuser=1 attr=login rec=1<br>
cfg_get_value: recurse group = rancid<br>
cfg_get_pvalue: returns NULL<br>
cfg_get_value: name=rancid isuser=1 attr=login rec=1<br>
cfg_get_value: recurse group = rancid<br>
cfg_get_pvalue: returns NULL<br>
cfg_get_value: name=rancid isuser=1 attr=nopassword rec=1<br>
cfg_get_value: recurse group = rancid<br>
cfg_get_intvalue: returns 0<br>
cfg_get_value: name=rancid isuser=1 attr=login rec=1<br>
cfg_get_value: recurse group = rancid<br>
cfg_get_pvalue: returns NULL<br>
cfg_get_hvalue: name=10.99.99.166 attr=key<br>
cfg_get_hvalue: no host named 10.99.99.166<br>
cfg_get_phvalue: returns NULL<br>
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt<br>
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn<br>
cfg_get_phvalue: returns NULL<br>
cidf-06a.nyed.circ2.dcn tty2: fd 6 eof (connection closed)<br>
Read -1 bytes from cidf-06a.nyed.circ2.dcn tty2, expecting 12<br>
cidf-06a.nyed.circ2.dcn tty2: Null reply packet, expecting CONTINUE<br>
connect from cidf-06a.nyed.circ2.dcn [10.99.99.166]<br>
cfg_get_hvalue: name=10.99.99.166 attr=key<br>
cfg_get_hvalue: no host named 10.99.99.166<br>
cfg_get_phvalue: returns NULL<br>
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt<br>
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn<br>
cfg_get_phvalue: returns NULL<br>
cfg_get_value: name=rancid isuser=1 attr=login rec=1<br>
cfg_get_value: recurse group = rancid<br>
cfg_get_pvalue: returns NULL<br>
cfg_get_value: name=rancid isuser=1 attr=login rec=1<br>
cfg_get_value: recurse group = rancid<br>
cfg_get_pvalue: returns NULL<br>
cfg_get_value: name=rancid isuser=1 attr=nopassword rec=1<br>
cfg_get_value: recurse group = rancid<br>
cfg_get_intvalue: returns 0<br>
cfg_get_value: name=rancid isuser=1 attr=login rec=1<br>
cfg_get_value: recurse group = rancid<br>
cfg_get_pvalue: returns NULL<br>
cfg_get_hvalue: name=10.99.99.166 attr=key<br>
cfg_get_hvalue: no host named 10.99.99.166<br>
cfg_get_phvalue: returns NULL<br>
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt<br>
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn<br>
cfg_get_phvalue: returns NULL<br>
cidf-06a.nyed.circ2.dcn tty2: fd 6 eof (connection closed)<br>
Read -1 bytes from cidf-06a.nyed.circ2.dcn tty2, expecting 12<br>
cidf-06a.nyed.circ2.dcn tty2: Null reply packet, expecting CONTINUE<br>
connect from cidf-06a.nyed.circ2.dcn [10.99.99.166]<br>
<br>
//successful connection//<br>
<br>
cfg_get_hvalue: name=10.99.99.166 attr=key<br>
cfg_get_hvalue: no host named 10.99.99.166<br>
cfg_get_phvalue: returns NULL<br>
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt<br>
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn<br>
cfg_get_phvalue: returns NULL<br>
cfg_get_value: name=root isuser=1 attr=login rec=1<br>
cfg_get_value: recurse group = admins<br>
cfg_get_pvalue: returns NULL<br>
cfg_get_value: name=root isuser=1 attr=login rec=1<br>
cfg_get_value: recurse group = admins<br>
cfg_get_pvalue: returns NULL<br>
cfg_get_value: name=root isuser=1 attr=nopassword rec=1<br>
cfg_get_value: recurse group = admins<br>
cfg_get_intvalue: returns 0<br>
cfg_get_value: name=root isuser=1 attr=login rec=1<br>
cfg_get_value: recurse group = admins<br>
cfg_get_pvalue: returns NULL<br>
cfg_get_hvalue: name=10.99.99.166 attr=key<br>
cfg_get_hvalue: no host named 10.99.99.166<br>
cfg_get_phvalue: returns NULL<br>
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt<br>
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn<br>
cfg_get_phvalue: returns NULL<br>
cidf-06a.nyed.circ2.dcn tty2: fd 6 eof (connection closed)<br>
Read -1 bytes from cidf-06a.nyed.circ2.dcn tty2, expecting 12<br>
cidf-06a.nyed.circ2.dcn tty2: Null reply packet, expecting CONTINUE<br>
connect from cidf-06a.nyed.circ2.dcn [10.99.99.166]<br>
cfg_get_hvalue: name=10.99.99.166 attr=key<br>
cfg_get_hvalue: no host named 10.99.99.166<br>
cfg_get_phvalue: returns NULL<br>
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt<br>
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn<br>
cfg_get_phvalue: returns NULL<br>
cfg_get_value: name=root isuser=1 attr=acl rec=1<br>
cfg_get_value: recurse group = admins<br>
cfg_get_pvalue: returns NULL<br>
cfg_get_value: name=root isuser=1 attr=before rec=1<br>
cfg_get_value: recurse group = admins<br>
cfg_get_pvalue: returns NULL<br>
cfg_get_svc_node: username=root N_svc_exec proto= svcname= rec=1<br>
cfg_get_svc_node: recurse group = admins<br>
cfg_get_svc_node: found N_svc_exec proto= svcname=<br>
cfg_get_svc_node: username=root N_svc_exec proto= svcname= rec=1<br>
cfg_get_svc_node: recurse group = admins<br>
cfg_get_svc_node: found N_svc_exec proto= svcname=<br>
cfg_get_value: name=root isuser=1 attr=after rec=1<br>
cfg_get_value: recurse group = admins<br>
cfg_get_pvalue: returns NULL<br>
cfg_get_hvalue: name=10.99.99.166 attr=key<br>
cfg_get_hvalue: no host named 10.99.99.166<br>
cfg_get_phvalue: returns NULL<br>
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt<br>
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn<br>
cfg_get_phvalue: returns NULL<br>
<br>
<br>
<br>
Debug from the Switch:<br>
<br>
Nov 20 15:43:09.239: TPLUS: Client is not responding Forcefully closing the<br>
socket<br>
Nov 20 15:43:09.240: TPLUS: Details of client session<br>
Nov 20 15:43:09.240: Client PID : 502<br>
Nov 20 15:43:09.240: Allocator PC : 0<br>
Nov 20 15:43:09.240: Transaction Type : Authentication<br>
Nov 20 15:43:09.240: Transaction Status : GET_PASSWORD<br>
Nov 20 15:43:09.240: Service : none<br>
Nov 20 15:43:09.240: Protocol : none<br>
Nov 20 15:47:59.067: TPLUS(00000FCA) login timer stopped<br>
Nov 20 15:47:59.067: TPLUS(00000FCA)/0/None: Started 120 sec timeout<br>
Nov 20 15:48:02.055: TPLUS(00000FCA) login timer stopped<br>
Nov 20 15:48:02.055: TPLUS(00000FCA)/1/None: Started 120 sec timeout<br>
Nov 20 15:48:10.509: TPLUS: Ignore unknown socket 0<br>
Nov 20 15:48:10.511: TPLUS: Ignore unknown socket 1<br>
Nov 20 15:48:17.445: TPLUS(00000FCA)/1/IDLE/<wbr>FF97E186F0: AAA id is not<br>
matching between 1 (00000000)<br>
Nov 20 15:48:17.445: TPLUS(00000FCA) login timer stopped<br>
Nov 20 15:48:17.445: TPLUS(00000000)/1/None: Timer Stoped<br>
Nov 20 15:48:19.462: TPLUS(00000FCA) login timer stopped<br>
Nov 20 15:48:19.462: TPLUS(00000FCA)/0/None: Started 120 sec timeout<br>
Nov 20 15:48:50.072: TPLUS(00000FCB) login timer stopped<br>
Nov 20 15:48:50.073: TPLUS: Invalid Client information received as input<br>
Nov 20 15:48:59.169: TPLUS(00000FCB) login timer stopped<br>
Nov 20 15:48:59.170: TPLUS: Invalid Client information received as input<br>
Nov 20 15:49:19.976: TPLUS(00000FCC) login timer stopped<br>
Nov 20 15:49:19.977: TPLUS: Invalid Client information received as input<br>
Nov 20 15:49:27.798: TPLUS(00000FCC) login timer stopped<br>
Nov 20 15:49:27.799: TPLUS: Invalid Client information received as input<br>
<br>
Tac_plus.conf:<br>
<br>
key = stuffgoeshere<br>
default authentication = file /etc/passwd<br>
accounting file = /var/log/tac\_plus.acct<br>
<br>
user = $enable$ {<br>
login = cleartext "blahblahblah"<br>
}<br>
<br>
user = rancid {<br>
member = rancid<br>
}<br>
<br>
user = root {<br>
member = admins<br>
}<br>
<br>
group = admins {<br>
default service = permit<br>
service = exec {<br>
priv-lvl = 15<br>
}<br>
}<br>
<br>
group = rancid {<br>
default service = deny<br>
service = exec {<br>
priv-lvl = 15<br>
}<br>
cmd = write {<br>
permit .*<br>
}<br>
cmd = dir {<br>
permit .*<br>
}<br>
cmd = copy {<br>
permit running-config<br>
}<br>
cmd = show {<br>
permit .*<br>
}<br>
cmd = terminal {<br>
permit length<br>
}<br>
cmd=enable {<br>
permit .*<br>
}<br>
cmd=exit {<br>
permit .*<br>
}<br>
cmd = admin {<br>
permit .*<br>
}<br>
cmd = more {<br>
permit .*<br>
}<br>
}<br>
<br>
<br>
do_auth.conf<br>
[users]<br>
<br>
root =<br>
vdxgroup<br>
<br>
admin =<br>
vdxgroup<br>
<br>
rancid =<br>
vdxgroup<br>
<br>
<br>
<br>
[vdxgroup]<br>
host_allow =<br>
.*<br>
device_permit =<br>
.*<br>
command_permit =<br>
.*<br>
av_pairs =<br>
priv-lvl=15<br>
<br>
shell:roles="network-admin"<br>
<br>
<br>
<br>
<br>
Thanks in Advance.<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://www.shrubbery.net/pipermail/tac_plus/attachments/20171120/679ba8d7/attachment.html" rel="noreferrer" target="_blank">http://www.shrubbery.net/<wbr>pipermail/tac_plus/<wbr>attachments/20171120/679ba8d7/<wbr>attachment.html</a>><br>
______________________________<wbr>_________________<br>
tac_plus mailing list<br>
<a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br>
<a href="http://www.shrubbery.net/mailman/listinfo/tac_plus" rel="noreferrer" target="_blank">http://www.shrubbery.net/<wbr>mailman/listinfo/tac_plus</a><br>
</blockquote></div><br></div>
<br>
<br>E-Mail to and from me, in connection with the transaction <br>of public business, is subject to the Wyoming Public Records <br>Act and may be disclosed to third parties.<br>