From teet.talviste at elion.ee  Mon Sep  8 08:27:24 2008
From: teet.talviste at elion.ee (Teet Talviste)
Date: Mon, 8 Sep 2008 11:27:24 +0300
Subject: [tac_plus] problem with tacplus 4.0.4.14
Message-ID: <200809081127.25267.teet.talviste@elion.ee>

Hello,

I read the changelog to .15, but didn't see anything concerning my particular
problem, so I didn't want to upgrade yet, because it's rather bothersome.

Now to the problem. I use a before authorization bash script to determine if
a host is HP or some other switch, which has different priv-lvls from Cisco.
The trouble is that the script returns 1 most of the time, although it should
return 2, as you can see:

    #!/bin/sh
    # tac_plus runs this as "... hp-exec.sh $user $name":
    # $1 is the user name, $2 is the NAS address
    if grep -q "^$2\$" /etc/tac-plus/hosts.txt ; then
        echo priv-lvl=3       # NAS listed in hosts.txt (HP switch)
    else
        echo priv-lvl=15      # any other NAS (Cisco privilege levels)
    fi
    exit 2

The weird thing is, the script functions fine when I run it manually, even
with the tacacs user; also, sometimes it returns 2 even when run by the tacacs
daemon, so users must try to log in 5, maybe 6 times before they can get
authenticated. So, am I doing something wrong, or is it a problem with tacacs?

Almost forgot, I'm using Debian etch on x86.

Log output of daemon:

Mon Sep 8 11:09:24 2008 [1797]: cfg_get_value: name=master isuser=1 attr=login rec=1
Mon Sep 8 11:09:24 2008 [1797]: cfg_get_pvalue: returns des CSUMml1owULS2
Mon Sep 8 11:09:24 2008 [1797]: cfg_get_value: name=master isuser=1 attr=nopassword rec=1
Mon Sep 8 11:09:24 2008 [1797]: cfg_get_intvalue: returns 0
Mon Sep 8 11:09:24 2008 [1797]: cfg_get_hvalue: name=172.16.108.130 attr=key
Mon Sep 8 11:09:24 2008 [1797]: cfg_get_hvalue: no host named 172.16.108.130
Mon Sep 8 11:09:24 2008 [1797]: cfg_get_phvalue: returns NULL
Mon Sep 8 11:09:27 2008 [1797]: cfg_get_hvalue: name=172.16.108.130 attr=key
Mon Sep 8 11:09:27 2008 [1797]: cfg_get_hvalue: no host named 172.16.108.130
Mon Sep 8 11:09:27 2008 [1797]: cfg_get_phvalue: returns NULL
Mon Sep 8 11:09:27 2008 [1797]: cfg_get_value: name=master isuser=1 attr=time rec=1
Mon Sep 8 11:09:27 2008 [1797]: cfg_get_pvalue: returns NULL
Mon Sep 8 11:09:27 2008 [1797]: cfg_get_value: name=master isuser=1 attr=login rec=1
Mon Sep 8 11:09:27 2008 [1797]: cfg_get_pvalue: returns des CSUMml1owULS2
Mon Sep 8 11:09:27 2008 [1797]: verify Mypassword CSUMml1owULS2
Mon Sep 8 11:09:27 2008 [1797]: Mypassword encrypts to CSUMml1owULS2
Mon Sep 8 11:09:27 2008 [1797]: Password is correct
Mon Sep 8 11:09:27 2008 [1797]: cfg_get_value: name=master isuser=1 attr=expires rec=1
Mon Sep 8 11:09:27 2008 [1797]: cfg_get_pvalue: returns NULL
Mon Sep 8 11:09:27 2008 [1797]: Password has not expired
Mon Sep 8 11:09:27 2008 [1797]: login query for 'master' tty1 from 172.16.108.130 accepted
Mon Sep 8 11:09:27 2008 [1797]: cfg_get_hvalue: name=172.16.108.130 attr=key
Mon Sep 8 11:09:27 2008 [1797]: cfg_get_hvalue: no host named 172.16.108.130
Mon Sep 8 11:09:27 2008 [1797]: cfg_get_phvalue: returns NULL
Mon Sep 8 11:09:27 2008 [1799]: cfg_get_hvalue: name=172.16.108.130 attr=key
Mon Sep 8 11:09:27 2008 [1799]: cfg_get_hvalue: no host named 172.16.108.130
Mon Sep 8 11:09:27 2008 [1799]: cfg_get_phvalue: returns NULL
Mon Sep 8 11:09:27 2008 [1799]: Start authorization request
Mon Sep 8 11:09:27 2008 [1799]: cfg_get_value: name=master isuser=1 attr=before rec=1
Mon Sep 8 11:09:27 2008 [1799]: cfg_get_pvalue: returns /bin/bash /etc/tac-plus/hp-exec.sh $user $name
Mon Sep 8 11:09:27 2008 [1799]: Before authorization call: /bin/bash /etc/tac-plus/hp-exec.sh $user $name
Mon Sep 8 11:09:27 2008 [1799]: substitute: /bin/bash /etc/tac-plus/hp-exec.sh $user $name
Mon Sep 8 11:09:27 2008 [1799]: Dollar substitution: /bin/bash /etc/tac-plus/hp-exec.sh master 172.16.108.130
Mon Sep 8 11:09:27 2008 [1799]: input service=shell
Mon Sep 8 11:09:27 2008 [1799]: input cmd*
Mon Sep 8 11:09:27 2008 [1799]: Error 172.16.108.130: Process write failure
Mon Sep 8 11:09:27 2008 [1799]: cmd /bin/bash /etc/tac-plus/hp-exec.sh $user $name returns 1 (unconditional deny)
Mon Sep 8 11:09:27 2008 [1799]: cfg_get_hvalue: name=172.16.108.130 attr=key
Mon Sep 8 11:09:27 2008 [1799]: cfg_get_hvalue: no host named 172.16.108.130
Mon Sep 8 11:09:27 2008 [1799]: cfg_get_phvalue: returns NULL
Mon Sep 8 11:09:27 2008 [1799]: authorization query for 'master' tty1 from 172.16.108.130 rejected


From kissg at ssg.ki.iif.hu  Tue Sep  9 07:22:40 2008
From: kissg at ssg.ki.iif.hu (Kiss Gabor (Bitman))
Date: Tue, 9 Sep 2008 09:22:40 +0200 (CEST)
Subject: [tac_plus] Re: problem with tacplus 4.0.4.14
In-Reply-To: <200809081127.25267.teet.talviste@elion.ee>
References: <200809081127.25267.teet.talviste@elion.ee>
Message-ID:

> trouble is, that the script returns 1 most of the time. Although it should
> return 2 as you can see:
> #!/bin/sh
> if grep -q "^$2\$" /etc/tac-plus/hosts.txt ; then
>     echo priv-lvl=3
> else
>     echo priv-lvl=15
> fi
> exit 2

Theoretically there is no way to get exit status 1 _from_ this script.
If you get 1 it comes from elsewhere.

> The weird thing is, the script functions fine, when i run it manually, even
> with tacacs user, also sometimes it returns 2 even when run by tacacs daemon,
> so users must try to log in 5 may-be 6 times before they can get
> authenticated. So, am i doing something wrong, or is it a problem with tacacs?

You can figure out what happens if you attach strace to the tacacs daemon:

    strace -fF -o /tmp/trace -p PID_OF_DAEMON

Do some logins, then check the file /tmp/trace. Can you see successful fork
and execve system calls? Is it your script above that runs? What is the exit
status of grep? Is echo (write(1,...)) executed well? Etc.

Regards

Gabor

--
E-mail = m-mail * c-mail ^ 2


From teet.talviste at elion.ee  Fri Sep 12 09:45:47 2008
From: teet.talviste at elion.ee (Teet Talviste)
Date: Fri, 12 Sep 2008 12:45:47 +0300
Subject: [tac_plus] before authorization script problem with 4.0.4.14
Message-ID: <200809121245.47730.teet.talviste@elion.ee>

Bitman asked me to mention my problem and solution on the list, so here it
goes.

We use a before authorization script to determine the priv-lvl of a user for
particular hosts. The trouble started when I moved tacacs from an old P3 to a
proper dual-core HP ProLiant Debian server. The tacacs version change was from
4.0.4.9 to 4.0.4.14. The trouble itself is that the before authorization
script returns 1 (at least tacacs thinks it does) most of the time; sometimes
it worked fine. There is no way the script would return 1, it always returns
2...

Log shows:

Mon Sep 8 11:09:27 2008 [1799]: Error 172.16.108.130: Process write failure
Mon Sep 8 11:09:27 2008 [1799]: cmd /bin/bash /etc/tac-plus/hp-exec.sh $user $name returns 1 (unconditional deny)

There is a fix however. Turns out the script is too fast on the new machine,
so adding a line like

    sleep 1

to the bash script fixes this behaviour, which in itself is strange. I
actually wrote a perl script to test whether maybe there was some problem with
my previous bash script. But the perl script ran even faster and I couldn't
log in at all, but introducing even 10 microseconds of delay again fixed the
problem.

I know for sure that if the script runs under real 0m0.002s, then there will
be problems.

I discovered it when Bitman advised me to run strace against tacacs, and when
running strace everything worked fine. I was quite confused at that point.
But then he suggested it was probably time related, so I tried to introduce
some lag to my script, and it worked.

This by the way is with:

Linux version 2.6.18-4-686 (Debian 2.6.18.dfsg.1-12etch2) (gcc version 4.1.2 20061115 (prerelease) (Debian 4.1.1-21))


From dave_stempien at urmc.rochester.edu  Thu Sep 18 15:54:47 2008
From: dave_stempien at urmc.rochester.edu (David Stempien)
Date: Thu, 18 Sep 2008 11:54:47 -0400
Subject: [tac_plus] WCS Authentication
Message-ID:

Has anyone gotten authentication to the Cisco Wireless Control System (WCS)
to work? AFAIK, the service is "Wireless-WCS", protocol "HTTP", returning
"role0=SuperUsers".

I can't seem to figure out the syntax within the config file correctly.


From dave_stempien at urmc.rochester.edu  Thu Sep 18 18:06:45 2008
From: dave_stempien at urmc.rochester.edu (David Stempien)
Date: Thu, 18 Sep 2008 14:06:45 -0400
Subject: [tac_plus] Re: WCS Authentication
In-Reply-To: <8423e7bb0809181008i66c27282ne47592b1a94f55b7@mail.gmail.com>
Message-ID:

There is in the version I'm looking at (4.2.97.0).

Here's the Cisco documentation for setting up TACACS+ authentication to WCS:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml#topic5

Of course, it's written assuming ACS is being used as the auth server...


On 9/18/08 1:08 PM, "Lance Vermilion" wrote:

> David,
>
> Unless something has changed recently with the WCS software it only
> supports local users. Was there and upgrade to support users in an
> external database other than its local store?
>
> On Thu, Sep 18, 2008 at 8:54 AM, David Stempien wrote:
>> Has anyone gotten authentication to the Cisco Wireless Control System (WCS)
>> to work? AFAIK, the service is "Wireless-WCS", protocol "HTTP", returning
>> "role0=SuperUsers".
>>
>> I can't seem to figure out the syntax within the config file correctly.
>>
>> _______________________________________________
>> tac_plus mailing list
>> tac_plus at shrubbery.net
>> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>>


From tacplus at gheek.net  Thu Sep 18 17:08:18 2008
From: tacplus at gheek.net (Lance Vermilion)
Date: Thu, 18 Sep 2008 10:08:18 -0700
Subject: [tac_plus] Re: WCS Authentication
In-Reply-To:
References:
Message-ID: <8423e7bb0809181008i66c27282ne47592b1a94f55b7@mail.gmail.com>

David,

Unless something has changed recently with the WCS software it only
supports local users. Was there an upgrade to support users in an
external database other than its local store?

On Thu, Sep 18, 2008 at 8:54 AM, David Stempien wrote:
> Has anyone gotten authentication to the Cisco Wireless Control System (WCS)
> to work? AFAIK, the service is "Wireless-WCS", protocol "HTTP", returning
> "role0=SuperUsers".
>
> I can't seem to figure out the syntax within the config file correctly.
>


From heas at shrubbery.net  Thu Sep 18 18:46:55 2008
From: heas at shrubbery.net (john heasley)
Date: Thu, 18 Sep 2008 11:46:55 -0700
Subject: [tac_plus] Re: WCS Authentication
In-Reply-To:
References:
Message-ID: <20080918184655.GF5792@shrubbery.net>

Thu, Sep 18, 2008 at 11:54:47AM -0400, David Stempien:
> Has anyone gotten authentication to the Cisco Wireless Control System (WCS)
> to work? AFAIK, the service is "Wireless-WCS", protocol "HTTP", returning
> "role0=SuperUsers".
>
> I can't seem to figure out the syntax within the config file correctly.
>

the "service" is interesting; i'd suggest that you enable debugging
and watch for that to appear in the logs.


From tacplus at gheek.net  Thu Sep 18 18:35:36 2008
From: tacplus at gheek.net (Lance Vermilion)
Date: Thu, 18 Sep 2008 11:35:36 -0700
Subject: [tac_plus] Re: WCS Authentication
In-Reply-To:
References: <8423e7bb0809181008i66c27282ne47592b1a94f55b7@mail.gmail.com>
Message-ID: <8423e7bb0809181135i1d2a7266t63a1c6bc3f831960@mail.gmail.com>

Have you tried to exclude the service portions? I don't recall ever setting
up a service on the WLC I configured back when I worked at a different
company that had WLC/WCS.

On Thu, Sep 18, 2008 at 11:06 AM, David Stempien wrote:
> There is in the version I'm looking at (4.2.97.0).
>
> Here's the Cisco documentation for setting up TACACS+ authentication to WCS:
>
> http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml#topic5
>
> Of course, it's written assuming ACS is being used as the auth server...
>
>
> On 9/18/08 1:08 PM, "Lance Vermilion" wrote:
>
>> David,
>>
>> Unless something has changed recently with the WCS software it only
>> supports local users. Was there and upgrade to support users in an
>> external database other than its local store?
>>
>> On Thu, Sep 18, 2008 at 8:54 AM, David Stempien wrote:
>>> Has anyone gotten authentication to the Cisco Wireless Control System (WCS)
>>> to work? AFAIK, the service is "Wireless-WCS", protocol "HTTP", returning
>>> "role0=SuperUsers".
>>>
>>> I can't seem to figure out the syntax within the config file correctly.
>>>
>
>


From dave_stempien at urmc.rochester.edu  Fri Sep 19 15:30:03 2008
From: dave_stempien at urmc.rochester.edu (David Stempien)
Date: Fri, 19 Sep 2008 11:30:03 -0400
Subject: [tac_plus] Re: WCS Authentication
In-Reply-To: <20080918184655.GF5792@shrubbery.net>
Message-ID:

Something like this?

Thu Sep 18 11:27:44 2008 [4586]: session.peerip is 172.18.154.167
Thu Sep 18 11:27:44 2008 [4586]: connect from 172.18.154.167 [172.18.154.167]
Thu Sep 18 11:27:44 2008 [4586]: pap-login query for 'dstempien' Wireless-WCS HTTP from 172.18.154.167 rejected
Thu Sep 18 11:27:44 2008 [4586]: login failure: dstempien 172.18.154.167 (172.18.154.167) Wireless-WCS HTTP


On 9/18/08 2:46 PM, "john heasley" wrote:

> Thu, Sep 18, 2008 at 11:54:47AM -0400, David Stempien:
>> Has anyone gotten authentication to the Cisco Wireless Control System (WCS)
>> to work? AFAIK, the service is "Wireless-WCS", protocol "HTTP", returning
>> "role0=SuperUsers".
>>
>> I can't seem to figure out the syntax within the config file correctly.
>>
>
> the "service" is interesting; i'd suggest that you enable debugging
> and watch for that to appear in the logs.


From heas at shrubbery.net  Fri Sep 19 17:36:29 2008
From: heas at shrubbery.net (john heasley)
Date: Fri, 19 Sep 2008 10:36:29 -0700
Subject: [tac_plus] Re: WCS Authentication
In-Reply-To:
References: <20080918184655.GF5792@shrubbery.net>
Message-ID: <20080919173629.GA26158@shrubbery.net>

So it's a PAP auth request, vs. something new. Make sure you're configured
properly for that.

Fri, Sep 19, 2008 at 11:30:03AM -0400, David Stempien:
> Something like this?
>
> Thu Sep 18 11:27:44 2008 [4586]: session.peerip is 172.18.154.167
> Thu Sep 18 11:27:44 2008 [4586]: connect from 172.18.154.167
> [172.18.154.167]
> Thu Sep 18 11:27:44 2008 [4586]: pap-login query for 'dstempien'
> Wireless-WCS HTTP from 172.18.154.167 rejected
> Thu Sep 18 11:27:44 2008 [4586]: login failure: dstempien 172.18.154.167
> (172.18.154.167) Wireless-WCS HTTP
>
>
> On 9/18/08 2:46 PM, "john heasley" wrote:
>
> > Thu, Sep 18, 2008 at 11:54:47AM -0400, David Stempien:
> >> Has anyone gotten authentication to the Cisco Wireless Control System (WCS)
> >> to work? AFAIK, the service is "Wireless-WCS", protocol "HTTP", returning
> >> "role0=SuperUsers".
> >>
> >> I can't seem to figure out the syntax within the config file correctly.
> >>
> >
> > the "service" is interesting; i'd suggest that you enable debugging
> > and watch for that to appear in the logs.
>


From heas at shrubbery.net  Fri Sep 19 18:15:34 2008
From: heas at shrubbery.net (john heasley)
Date: Fri, 19 Sep 2008 11:15:34 -0700
Subject: [tac_plus] Re: before authorization script problem with 4.0.4.14
In-Reply-To: <200809121245.47730.teet.talviste@elion.ee>
References: <200809121245.47730.teet.talviste@elion.ee>
Message-ID: <20080919181534.GC26158@shrubbery.net>

Fri, Sep 12, 2008 at 12:45:47PM +0300, Teet Talviste:
> Bitman asked me to mention my problem and solution on the list, so here it
> goes.
>
> We use before authorization script to determine priv-lvl of a user for
> particular hosts. The trouble started, when i moved tacacs from and old P3 to
> a proper dual-core HP proliant debian server. Tacacs version change was from
> 4.0.4.9 to 4.0.4.14. The trouble itself is that before authorization script
> returns 1 (at least tacacs thinks it does.) most of the time, sometimes it
> worked fine. There is no way the script would return 1, it always returns 2...
> Log shows:
> Mon Sep 8 11:09:27 2008 [1799]: Error 172.16.108.130: Process write failure
> Mon Sep 8 11:09:27 2008 [1799]: cmd /bin/bash /etc/tac-plus/hp-exec.sh $user
> $name returns 1 (unconditional deny)

The problem is that tacacs expects to write AVPs to the script. If writing
(sending) them to the process fails, such as if your script doesn't read any
of them and the "stdout" buffer fills or you simply close stdin before it can
occur, tacacs considers it a failure. I suppose it could be changed to ignore
that and use the exit code of the child/script. It seems more determinate to
leave it as is.

> There is a fix however. Turns out, the script is too fast on the new machine,
> so adding a line like sleep 1 to a bash script fixes this behavior. Which in
> itself is strange. I actually wrote a perl script, to test, maybe there was
> some problem with my previous bash script. But perl script run even faster and
> i couldn't log in at all, but introducing even 10 microseconds of delay, again
> fixed the problem.
>
> I know for sure that if the script runs under: real 0m0.002s, then there will
> be problems.
>
> I discovered it when Bitman advised me to run strace against tacacs, and when
> running strace everything worked fine. I was quite confused at that point. But
> then he suggested it was probably time related, so i tried to introduce some
> lag to my script, and it worked.
>
> This by the way is with:
> Linux version 2.6.18-4-686 (Debian 2.6.18.dfsg.1-12etch2) (gcc version 4.1.2
> 20061115 (prerelease) (Debian 4.1.1-21))
>
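The explanation above pins the "Process write failure" on a race: the daemon forks the hook, writes the request AVPs ("service=shell", "cmd*") into the child's stdin, and treats a failed write as a deny. The poster's script never reads stdin, so on a fast machine it has already exited by the time the daemon writes, and `sleep 1` only widens the window rather than closing it. The robust fix is to read stdin to EOF before printing anything or exiting; since the daemon fails closed on the write error, a hook written this way denies nothing it should not. The script below is an added example, not the poster's hp-exec.sh and not part of tac_plus; it keeps the thread's invocation (`$1` user, `$2` NAS address), the hosts-file path and the exit status 2 from the poster's script as assumptions, and the function names and the simulated request are constructed here. Check the exit-status semantics against the documentation of the tac_plus version you run.

```shell
#!/bin/sh
# Added example "before authorization" hook for tac_plus (not the poster's
# script, not tac_plus code). Assumed tac_plus.conf invocation, as in the thread:
#   before authorization "/bin/sh /etc/tac-plus/hp-exec.sh $user $name"
# so $1 is the user and $2 the NAS address. Hosts-file path and exit status 2
# are taken from the poster's script and are assumptions, not verified here.

HP_HOSTS_FILE=${HP_HOSTS_FILE:-/etc/tac-plus/hosts.txt}   # assumed path

# drain_avpairs: copy stdin to stdout line by line until EOF.
# tac_plus writes the request AVPs ("service=shell", "cmd*", ...) into the
# child's stdin and logs "Process write failure" (an unconditional deny) when
# the child is already gone, so the hook must read to EOF before it exits.
drain_avpairs() {
    while IFS= read -r avp || [ -n "$avp" ]; do
        printf '%s\n' "$avp"
    done
}

# classify_nas NAS_ADDR HOSTS_FILE: print priv-lvl=3 when the NAS is listed
# in HOSTS_FILE (an HP switch in the poster's setup), priv-lvl=15 otherwise.
# -x matches whole lines, -F keeps the dots of an IP literal (the original
# "^$2\$" pattern treated them as regex wildcards).
classify_nas() {
    if grep -qxF -- "$1" "$2" 2>/dev/null; then
        echo "priv-lvl=3"
    else
        echo "priv-lvl=15"
    fi
}

# hp_exec_decide USER NAS_ADDR HOSTS_FILE: the hook body. Read the request
# first, then answer, then return 2 (the status the poster's script used).
hp_exec_decide() {
    request=$(drain_avpairs)          # blocks until tac_plus closes the pipe
    if [ -n "${HP_EXEC_DEBUG:-}" ]; then
        printf 'hp-exec: user=%s nas=%s request:\n%s\n' "$1" "$2" "$request" >&2
    fi
    classify_nas "$2" "$3"
    return 2
}

# simulate_tac_plus USER NAS_ADDR HOSTS_FILE: stand in for the daemon by
# feeding a constructed request (the two "input" lines from the thread's
# log) on stdin, the way tac_plus does, and propagate the hook's exit status.
simulate_tac_plus() {
    printf 'service=shell\ncmd*\n' | hp_exec_decide "$1" "$2" "$3"
}

# Run the hook only when executed under its installed name, so the functions
# can also be sourced for testing.
case ${0##*/} in
    hp-exec.sh) hp_exec_decide "$1" "$2" "$HP_HOSTS_FILE"; exit $? ;;
esac
```

When exercising the hook by hand, feed it the request on stdin (`printf 'service=shell\ncmd*\n' | sh /etc/tac-plus/hp-exec.sh master 172.16.108.130; echo $?`) rather than running it on a terminal, which is the situation in which the poster's version appeared to work: with nobody writing to its stdin there was no write to fail.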