[tac_plus] Re: Misc Items

Todd Bertolozzi tbertolozzi at msufcu.org
Thu Apr 23 22:26:28 UTC 2009


It appears to be something to do with ssh as when using telnet I do
receive the expected "Username:" prompt.

Todd

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net] 
Sent: Thursday, April 23, 2009 2:47 PM
To: Todd Bertolozzi
Subject: Re: [tac_plus] Re: Misc Items

Thu, Apr 23, 2009 at 02:17:15PM -0400, Todd Bertolozzi:
> I have debugging set to 16 but don't think I'm really seeing anything
> useful. Here's some of the log file:
> 
> Thu Apr 23 14:14:32 2009 [12309]: session.peerip is x.x.x.x
> Thu Apr 23 14:14:32 2009 [12317]: authorization query for 'admin' tty2 from x.x.x.x accepted
> Thu Apr 23 14:14:32 2009 [12309]: session.peerip is x.x.x.x
> Thu Apr 23 14:14:41 2009 [12309]: session.peerip is x.x.x.x
> Thu Apr 23 14:14:41 2009 [12319]: authorization query for 'admin' tty2 from x.x.x.x accepted
> Thu Apr 23 14:14:41 2009 [12309]: session.peerip is x.x.x.x
> Thu Apr 23 14:15:01 2009 [12309]: session.peerip is x.x.x.x
> Thu Apr 23 14:15:01 2009 [12321]: login query for 'berto' tty3 from x.x.x.x accepted
> Thu Apr 23 14:15:01 2009 [12309]: session.peerip is 10.100.220.243
> Thu Apr 23 14:15:01 2009 [12322]: authorization query for 'berto' tty3 from x.x.x.x accepted
> Thu Apr 23 14:15:01 2009 [12309]: session.peerip is x.x.x.x
> 
> It's my understanding that the daemon actually provides the login
> prompt of Username: but I could be completely wrong.

it provides the string IFF the device starts an authentication session
with an empty username, but the device does what it wants with it
anyway.  the cisco, for example, begins with the username already
supplied, so maybe it's broken and no one else has ever seen the problem.

otherwise, the string will be "Username: ",
"\nUser Access Verification\n\nUsername: ", or tacplus.conf defined.

i guess you'd have to use packet debugging to see it.

> Thanks,
> 
> Todd
> 
> -----Original Message-----
> From: john heasley [mailto:heas at shrubbery.net] 
> Sent: Thursday, April 23, 2009 11:52 AM
> To: Todd Bertolozzi
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] Re: Misc Items
> 
> Thu, Apr 23, 2009 at 08:41:53AM -0400, Todd Bertolozzi:
> > Can anyone point me in the right direction as far as why the daemon
> > isn't providing a Username: prompt? I assume it is supposed to?
> 
> my guess is that it's not the daemon, but the device.  but, prove me
> right with debugging, tac_plus -d 16 should show the AVPs
> 
> > Thanks,
> > 
> > Todd
> > 
> > -----Original Message-----
> > From: tac_plus-bounces at shrubbery.net
> > [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Todd Bertolozzi
> > Sent: Tuesday, April 21, 2009 2:49 PM
> > To: tac_plus at shrubbery.net
> > Subject: [tac_plus] Misc Items
> > 
> > Hello people,
> > 
> >  
> > 
> > I've been searching around for answers to a few questions but haven't
> > had much luck.  Thanks in advance for anyone who can either answer or
> > point me in the right direction.
> > 
> >  
> > 
> > - I'm used to seeing the Username prompt when using tacacs.
> > However, I don't get that prompt. Is that available with tac_plus and if
> > so can I set the username prompt in the conf file so that I know it's
> > actually hitting the tac_plus server.
> > 
> > - Are there other login options that can be set in the conf
> > file such as max number of failed connection attempts? I don't really
> > see anything in the man page. Currently there appears to be no limit.
> > Some of device commands like certain aaa commands don't appear to have
> > an effect (i.e.  aaa authentication attempts login 3).  The only thing I
> > really see in the man pages is a password 'expires' option.
> > 
> > - What about a login timeout? I am able to set 'ip ssh time-out
> > x'  that actually works but if I set the above aaa command or a 'ip ssh
> > authentication-retries 3' it has no effect.
> > 
> >  
> > 
> > Thanks,
> > 
> >  
> > 
> > Todd
> > 
> > 
> > 
> > -------------------------------------------------------
> > This electronic transmission and any information that it contains is the
> > property of MSU Federal Credit Union and is intended for the use of the
> > intended recipient. If you are not the intended recipient, any
> > disclosure, copying or other use of this information is strictly
> > prohibited. If you acquired this transmission in error or feel that any
> > of the information contained within it is offensive or inappropriate,
> > please contact internalaudit at msufcu.org.
> > _______________________________________________
> > tac_plus mailing list
> > tac_plus at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
> > 
> > 
> 
> 


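The packet-level check suggested in the thread, as an added example that is not part of the original messages or the tac_plus source: it decodes a captured TACACS+ authentication START and reports whether the device sent an empty username, the case in which the daemon supplies the prompt string. The packet layout and MD5 pad follow RFC 8907; the function names, `KEY` and both sample packets are constructed for illustration.

```python
import hashlib
import struct

TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # when set, the body is sent in the clear
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length

def crypt_body(header: bytes, body: bytes, key: bytes) -> bytes:
    """XOR the body with the MD5 pseudo-pad; the same call obfuscates and recovers."""
    version, _, seq_no, _, session_id, _ = HEADER.unpack(header)
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < len(body):
        block = hashlib.md5(seed + block).digest()  # each block chains the previous one
        pad += block
    return bytes(b ^ p for b, p in zip(body, pad))

def parse_authen_start(packet: bytes, key: bytes) -> dict:
    """Decode an authentication START and report whether the user field is empty."""
    header, body = packet[:12], packet[12:]
    _, ptype, seq_no, flags, _, length = HEADER.unpack(header)
    if ptype != TAC_PLUS_AUTHEN or seq_no != 1 or length != len(body):
        raise ValueError("not a well-formed authentication START")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = crypt_body(header, body, key)
    user_len, port_len, rem_len, data_len = body[4:8]
    if 8 + user_len + port_len + rem_len + data_len != length:
        raise ValueError("field lengths do not add up (wrong shared key?)")
    user = body[8:8 + user_len].decode()
    port = body[8 + user_len:8 + user_len + port_len].decode()
    # An empty user field is the only case where the daemon is asked for the username.
    return {"user": user, "port": port, "daemon_prompts": user_len == 0}

def build_start(session_id: int, user: bytes, port: bytes, key: bytes) -> bytes:
    """Constructed sample packet, standing in for one captured from a device."""
    # action=LOGIN, priv_lvl=1, authen_type=ASCII, service=LOGIN, then the four lengths
    body = bytes([1, 1, 1, 1, len(user), len(port), 0, 0]) + user + port
    header = HEADER.pack(0xC0, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return header + crypt_body(header, body, key)

KEY = b"constructed-shared-key"                             # placeholder, not a real key
EMPTY_USER = build_start(0x1111, b"", b"tty2", KEY)         # device leaves the prompt to the daemon
WITH_USER = build_start(0x2222, b"berto", b"tty3", KEY)     # device already has the username

if __name__ == "__main__":
    for pkt in (EMPTY_USER, WITH_USER):
        print(parse_authen_start(pkt, KEY))
```
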