[tac_plus] Adding users to tacacs passwd file

Jeffrey S. Geist jeffrey.geist at pnpt.com
Wed Aug 18 13:34:06 UTC 2010


Hi,

We are running tacacs on CentOS 5.5 and have setup tacacs to use the
passwd/shadow file under /etc for authentication.

We downloaded this version of tacacs from:

wget ftp://ftp.muug.mb.ca/mirror/redhat/contrib/libc6/i386/tac_plus-4.0.3-2.i386.rpm

Here is our tac_plus.cfg file:

-------------------begin---------------------------------------------------------
# Created by Devrim SERAL(devrim at tef.gazi.edu.tr)
# It's a very simple configuration file.
# Please read the user_guide and the tacacs+ FAQ for more information on
# writing more complex tacacs+ configuration files.
#
# Put your NAS key below
key = xibmac

# Use the /etc/passwd.loc file to do authentication.
# It must be in passwd file format, so you must merge the shadow password
# hashes into it to make this work.

default authentication = file /etc/passwd

# Where is the accounting records to go

accounting file = /var/log/tacacs.log

user = foobar {
        login = cleartext engage
}

# End config file

------------------end----------------------------------------------------------------

Unfortunately, our test user fails to log into our router. Here is what we
see in /var/log/messages:

Aug 18 07:28:41 dsn2 tac_plus[9493]: login query for 'test' tty0 from 192.168.8.16 rejected
Aug 18 07:29:14 dsn2 tac_plus[9494]: Error 192.168.8.16 tty0: Null reply packet, expecting CONTINUE


Here is the information we see from the router:

sername: ire 12 header bytes (expect 43 bytes data)
*Mar  9 22:01:27.591: TPLUS(00000121)/0/READ: socket event 1
*Mar  9 22:01:27.591: TPLUS(00000121)/0/READ: read entire 55 bytes response
*Mar  9 22:01:27.591: TPLUS(00000121)/0/4B148A0: Processing the reply packet
*Mar  9 22:01:27.591: TPLUS: Received authen response status GET_USER (7)

User Access Verification

Username: test
Password:
*Mar  9 22:01:39.989: TPLUS: Queuing AAA Authentication request 289 for processing
*Mar  9 22:01:39.989: TPLUS: processing authentication continue request id 289
*Mar  9 22:01:39.989: TPLUS: Authentication continue packet generated for 289
*Mar  9 22:01:39.989: TPLUS(00000121)/0/WRITE/4EA85A0: Started 5 sec timeout
*Mar  9 22:01:39.989: TPLUS(00000121)/0/WRITE: wrote entire 21 bytes request
*Mar  9 22:01:39.989: TPLUS(00000121)/0/READ: socket event 1
*Mar  9 22:01:39.989: TPLUS(00000121)/0/READ: read entire 12 header bytes (expect 16 bytes data)
*Mar  9 22:01:39.989: TPLUS(00000121)/0/READ: socket event 1
*Mar  9 22:01:39.989: TPLUS(00000121)/0/READ: read entire 28 bytes response
*Mar  9 22:01:39.989: TPLUS(00000121)/0/4EA85A0: Processing the reply packet
*Mar  9 22:01:39.989: TPLUS: Received authen response status GET_PASSWORD (8)

*Mar  9 22:01:49.645: TPLUS: Queuing AAA Authentication request 289 for processing
*Mar  9 22:01:49.645: TPLUS: processing authentication continue request id 289
*Mar  9 22:01:49.645: TPLUS: Authentication continue packet generated for 289
*Mar  9 22:01:49.645: TPLUS(00000121)/0/WRITE/4B148A0: Started 5 sec timeout
*Mar  9 22:01:49.645: TPLUS(00000121)/0/WRITE: wrote entire 21 bytes request
*Mar  9 22:01:49.645: TPLUS(00000121)/0/READ: socket event 1
*Mar  9 22:01:49.645: TPLUS(00000121)/0/READ: read entire 12 header bytes (expect 6 bytes data)
*Mar  9 22:01:49.645: TPLUS(00000121)/0/READ: socket event 1
*Mar  9 22:01:49.645: TPLUS(00000121)/0/READ: read entire 18 bytes response
*Mar  9 22:01:49.645: TPLUS(00000121)/0/4B148A0: Processing the reply packet
*Mar  9 22:01:49.645: TPLUS: Received authen response status FAIL (3)
% Authentication failed

We don't see any information in the /var/log/tacacs.log file. We assume that
no information will happen in this file until we authenticate with tacacs.

We do have tacacs running on another CentOS server but we are not using the
passwd/shadow files. We are using a passwd file that has username and
encrypted passwd in the same file (auth-passwd). We are able to authenticate
to this server. This custom passwd file was created by a Solaris script on a
Solaris server. We are trying to get away from Solaris.

If we copy the passwd file (auth-passwd) from the working tacacs server into
our new tacacs server and point the tac_plus.cfg to "auth-passwd", then it
works! So, we are not sure what needs to be done in order to use the system
passwd/shadow files.

Please let us know if there is other information that would help to resolve
this issue.

TIA,

Jeffrey
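The comment in the posted tac_plus.cfg says the file named by `default authentication = file ...` must be in passwd format with the shadow password hashes merged into it, which is what the working `auth-passwd` file has and what `/etc/passwd` (field 2 is just `x`) lacks. Below is an added example, not code from the thread or from tac_plus, of a script that performs that merge for an allow-list of users, skips locked accounts, and writes the result with owner-only permissions. The passwd/shadow lines and hashes are constructed placeholders, and it is an assumption (not stated on the page) that which hash schemes tac_plus accepts depends on the libc crypt() it was built against.

```python
import os

# Constructed sample input; the hashes are placeholders, not real credentials.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
test:x:1001:1001:Test User:/home/test:/bin/bash
locked:x:1002:1002:Locked account:/home/locked:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:18000:0:99999:7:::
test:$1$PLACEHOLDER$PLACEHOLDERHASH:18000:0:99999:7:::
locked:!!:18000:0:99999:7:::
sshd:*:18000:0:99999:7:::
"""

def parse_shadow(text):
    """Map user -> hash, skipping locked ('!', '!!', '*') or empty entries
    so a locked or system account can never authenticate to the routers."""
    hashes = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or not fields[1] or fields[1][0] in "*!":
            continue
        hashes[fields[0]] = fields[1]
    return hashes

def merge_passwd_shadow(passwd_text, shadow_text, allow_users):
    """Return passwd-format lines with the shadow hash moved into field 2,
    for the allow-listed users only (not every local account)."""
    hashes = parse_shadow(shadow_text)
    out = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: drop it rather than guess
        if fields[0] in allow_users and fields[0] in hashes:
            fields[1] = hashes[fields[0]]
            out.append(":".join(fields))
    return out

def write_auth_passwd(lines, path):
    """Write the merged file mode 0600: unlike /etc/passwd it holds hashes."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("".join(l + "\n" for l in lines))

if __name__ == "__main__":
    for entry in merge_passwd_shadow(SAMPLE_PASSWD, SAMPLE_SHADOW, {"test", "locked", "sshd"}):
        print(entry)
```

On a real host the script would read /etc/passwd and /etc/shadow (root only) and write to the path given in tac_plus.cfg, leaving the system files untouched.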

-----Original Message-----
From: dterry at dollartree.com [mailto:dterry at dollartree.com] 
Sent: Thursday, August 12, 2010 10:24 AM
To: Jeffrey S. Geist
Cc: Mark Urbach; tac_plus at shrubbery.net; tac_plus-bounces at shrubbery.net
Subject: RE: [tac_plus] Adding users to tacacs passwd file

I am quite certain that you are being too cautious. If you used something
like rsync to sync the password files between the two servers and also make
a backup copy each time, you have pretty much zero chance of anything
becoming corrupt. I have used this method for a long time without issue.

-----------------------------------------------------------------------------------

We run two tacacs servers to provide failover and we "scp" the tacacs passwd
files between the two servers to keep them "in sync". We thought about using
the system passwd and shadow files, but we are concerned about copying these
files back and forth between the two tacacs servers and having one or both
of these files getting corrupted due to the copying (network "hiccup").
Could make it so we are not able to login into the server as one of the
local users or root. Right? Maybe we are being too cautious.

-----Original Message-----
From: dterry at dollartree.com [mailto:dterry at dollartree.com]
Sent: Thursday, August 12, 2010 8:28 AM
To: Jeffrey S. Geist
Cc: Mark Urbach; tac_plus at shrubbery.net; tac_plus-bounces at shrubbery.net
Subject: Re: [tac_plus] Adding users to tacacs passwd file


Why wouldn't you want to use the Linux shadow / passwd files?

----------------------------------------------------------------------------


Hi,

We are currently migrating Tacacs from Solaris to Linux. We haven't had
any issues getting Tacacs to run on CentOS and users are authenticating
through CentOS (using the old tacacs passwd file from Solaris). The issue
we are facing is trying to convert the old Solaris script, that creates the
users entries in the tacacs passwd file, over to a script that runs on
CentOS. The Solaris script creates a user with a unique "uid". We were
wondering if anyone knows of a Linux script that will accomplish the same
results. We have a fairly good understanding of Tacacs, but we are no
experts.


Jeffrey S. Geist
Systems Administrator
PinPoint Communications
100 North 12th Street
Suite 500
Lincoln, NE  68508
Work: (402) 438-6211
Cellular: (402) 580-0047
