From norbert.kunth at now-it.de Thu Feb 4 10:04:43 2010
From: norbert.kunth at now-it.de (norbert.kunth at now-it.de)
Date: Thu, 4 Feb 2010 11:04:43 +0100
Subject: [tac_plus] assign a host key to a group of hosts
Message-ID:

Hi,

we have three groups of components that we want to authenticate to the
tac_plus daemon. Is there a way to define a special key for a group of
hosts?

I have tried

    host = 192.186.1.0/24 {
        key = xyz
    }

to define a key for all hosts in this subnet but this does not work :-(

Regards
Norbert

Kind regards

Norbert H. Kunth
Business Unit Operations, Workplace and Communication Technology
--
Telephone +49 341 9170-229
Fax +49 341 9110806
E-Mail: norbert.kunth at drv-rzl.de

NOW IT GmbH
Lange Weihe 2/4, 30880 Laatzen
Telephone 0511 829-0
www.now-it.de
info at now-it.de

Management: Dr. Bernd Kleine-Voßbeck (Chairman), Andreas Grupe, Norbert Löffler
Chairman of the Supervisory Board: Dr. Ralf Kreikebohm
Hanover District Court HRB 204828
VAT ID no. DE267985473
Bank details: Nord/LB Hannover, bank code 250 500 00, account no. 151 370 012

Group of companies: NOW IT GmbH, Rechenzentrum Nord GmbH, Rechenzentrum Leipzig GmbH, Zentrales Rechenzentrum West GmbH

From alan.mckinnon at gmail.com Thu Feb 4 19:56:37 2010
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Thu, 4 Feb 2010 21:56:37 +0200
Subject: [tac_plus] Re: assign a host key to a group of hosts
In-Reply-To:
References:
Message-ID: <201002042156.37980.alan.mckinnon@gmail.com>

On Thursday 04 February 2010 12:04:43 norbert.kunth at now-it.de wrote:
> Hi,
>
> we have three groups of components that we want to authenticate to the
> tac_plus daemon. Is there a way to define a special key for a group of
> hosts?
>
> I have tried
>
> host = 192.186.1.0/24 {
>     key = xyz
> }
>
> to define a key for all hosts in this subnet but this does not work :-(

I haven't tested this myself, but at least in the acl section the IP
address is not in the familiar dotted-quad/bits format, it is a regular
expression. Have you tried something like

    host = 192.168.1.*

You'll need to escape the dots and use ^$ too of course.

--
alan dot mckinnon at gmail dot com

From henry.nicolas at tourneur.be Fri Feb 12 10:30:10 2010
From: henry.nicolas at tourneur.be (Henry-Nicolas Tourneur)
Date: Fri, 12 Feb 2010 11:30:10 +0100
Subject: [tac_plus] PAM authentication and default user
Message-ID: <5a6b03b3f077388f02bf9c2b49fdf1dd@webmail.tourneur.be>

Hello everybody,

In some cases, the PAM user won't be present in /etc/passwd (eg. pam LDAP
backend). The current comportment of Tacacs+ is to check for the username in
its configuration file. If it doesn't exist but there is a DEFAULT user, the
username is replaced by DEFAULT, therefore it won't work with PAM.

What would be really very nice: don't change the username to default if you
see that the login method is PAM. That will allow the tacacs daemon to
authenticate against a remote server like LDAP (in such a case, the login
information may not be present on the server running tacacs).

It might be easy to patch the do_author.c file at line 86 but I guess it
won't be enough, or maybe we will need to do something in other parts of the
daemon (like hash?).

The general picture would be:

1. Auth request with user name = xxy
2. I got no user name xxy in my tacacs conf but a DEFAULT user exists
3. The default user does authenticate against PAM, I won't change the username
4. Authenticate against PAM with username = xxy and return the result.

If any tacacs+ hacker wants to implement this, it would be fabulous :)

Please also note that I'm currently trying to get the Tacacs+ daemon to be
shipped with Debian.
It has been uploaded and is waiting for ftp masters approval:
http://ftp-master.debian.org/new/tacacs+_4.0.4.19-2.html

Regards,

From alan.mckinnon at gmail.com Fri Feb 12 10:41:18 2010
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Fri, 12 Feb 2010 12:41:18 +0200
Subject: [tac_plus] Multiple groups
Message-ID: <201002121241.18840.alan.mckinnon@gmail.com>

My tac_plus.conf is starting to get out of hand, and what would solve this
for me is if tac_plus supported multiple groups per user, as in

    user ... {
        member group1
        member group2
    }

and the user gets the union of all attributes from both groups.

A longish while back, I saw some patches to implement this, but I can't
find them now. Anyone know where they might be?

[I understand why the daemon works the way it does, so this isn't a feature
request. I'm happy to maintain a local fork if that's what it takes, resolve
the conflicts myself, and deal with the monster I create thereby :-) ]

--
alan dot mckinnon at gmail dot com

From kissg at ssg.ki.iif.hu Fri Feb 12 11:06:44 2010
From: kissg at ssg.ki.iif.hu (Kiss Gabor (Bitman))
Date: Fri, 12 Feb 2010 12:06:44 +0100 (CET)
Subject: [tac_plus] Re: Multiple groups
In-Reply-To: <05CC562AFB5A9446A1BC3F66AD04A3BCC7495C@che-exch-003.uplinkdata.com>
References: <200911041507.15155.alan.mckinnon@gmail.com> <05CC562AFB5A9446A1BC3F66AD04A3BCC7495C@che-exch-003.uplinkdata.com>
Message-ID:

> My tac_plus.conf is starting to get out of hand, and what would solve this for
> me is if tac_plus supported multiple groups per user, as in

> A longish while back, I saw some patches to implement this, but I can't find
> them now. Anyone know where they might be?

http://bakacsin.ki.iif.hu/~kissg/pd/tac_plus/

Cheers

Gabor

From alan.mckinnon at gmail.com Fri Feb 12 12:25:35 2010
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Fri, 12 Feb 2010 14:25:35 +0200
Subject: [tac_plus] Re: Multiple groups
In-Reply-To:
References: <200911041507.15155.alan.mckinnon@gmail.com> <05CC562AFB5A9446A1BC3F66AD04A3BCC7495C@che-exch-003.uplinkdata.com>
Message-ID: <201002121425.36121.alan.mckinnon@gmail.com>

On Friday 12 February 2010 13:06:44 Kiss Gabor (Bitman) wrote:
> > My tac_plus.conf is starting to get out of hand, and what would solve
> > this for me is if tac_plus supported multiple groups per user, as in
> >
> >
> > A longish while back, I saw some patches to implement this, but I can't
> > find them now. Anyone know where they might be?
>
> http://bakacsin.ki.iif.hu/~kissg/pd/tac_plus/
>
> Cheers
>
> Gabor

Yes! Those are exactly the ones. Thanks very much

--
alan dot mckinnon at gmail dot com

From bruce.carleton at jasperwireless.com Tue Feb 16 17:53:02 2010
From: bruce.carleton at jasperwireless.com (Bruce Carleton)
Date: Tue, 16 Feb 2010 09:53:02 -0800
Subject: [tac_plus] RPM spec file
Message-ID: <48EF1AA16339F44499720B6A30897EDE03F69B@MV-EXCHANGE.corp.jaspersystems.com>

I've been putting together an RPM specification file for tac_plus. I'm not
sure who else is out there using RHEL 5 but I thought it was worth sharing.
I've been testing with F4.0.4.19 on CentOS 5.4. The init file is inlined in
the spec so you don't need to include it as a separate file.

I'm still testing it out, so I haven't sorted out all the loose ends. Please
let me know if there are any comments.

Best,
--Bruce
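Alan McKinnon's point in the host-key thread at the top of this archive is that a host pattern written as 192.168.1.* over-matches unless the dots are escaped and the expression is anchored with ^ and $. As an added example (not from the thread and not tac_plus code), the Python below builds an anchored, escaped regex from a CIDR and lists which peer addresses the naive pattern would hand the subnet's key to; it assumes the daemon applies host regexes with search semantics, which Alan's note implies but which is untested here.

```python
import ipaddress
import re

# One IPv4 octet, 0-255, without leading zeros.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"


def cidr_to_host_regex(cidr: str) -> str:
    """Return an anchored, dot-escaped regex matching exactly the addresses in
    *cidr*, suitable for a tac_plus ``host = <regex>`` clause (assumption: the
    daemon matches with search semantics, so ^ and $ are required)."""
    net = ipaddress.ip_network(cidr, strict=True)
    octets = str(net.network_address).split(".")
    fixed, partial_bits = divmod(net.prefixlen, 8)
    parts = [re.escape(o) for o in octets[:fixed]]
    if partial_bits:
        # Prefix ends inside an octet: enumerate the values that octet may take.
        base = int(octets[fixed])
        span = 1 << (8 - partial_bits)
        parts.append("(?:" + "|".join(str(v) for v in range(base, base + span)) + ")")
    parts.extend([OCTET] * (4 - len(parts)))
    return "^" + r"\.".join(parts) + "$"


def host_matches(pattern: str, peer_ip: str) -> bool:
    """Search semantics: an unanchored pattern may hit anywhere in the string."""
    return re.search(pattern, peer_ip) is not None


def key_overreach(pattern: str, intended_cidr: str, peers):
    """Peers that *pattern* matches, and so would receive the subnet's key,
    even though they lie outside *intended_cidr*."""
    net = ipaddress.ip_network(intended_cidr, strict=True)
    return [p for p in peers
            if host_matches(pattern, p) and ipaddress.ip_address(p) not in net]


# Constructed sample of NAS source addresses the daemon might see.
SAMPLE_PEERS = ["192.168.1.1", "192.168.1.77", "192.168.1.254",
                "192.168.10.5", "192.168.100.9", "192.168.2.1", "10.0.0.1"]
NAIVE = "192.168.1.*"                             # as written in the thread
STRICT = cidr_to_host_regex("192.168.1.0/24")    # ^192\.168\.1\.<octet>$

if __name__ == "__main__":
    print("strict pattern:", STRICT)
    print("naive over-reach:", key_overreach(NAIVE, "192.168.1.0/24", SAMPLE_PEERS))
    print("strict over-reach:", key_overreach(STRICT, "192.168.1.0/24", SAMPLE_PEERS))
```

The naive pattern also matches 192.168.10.x and 192.168.100.x, so one mistyped host line can silently share a subnet key with devices that were meant to use a different one.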
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tacacs+.spec
Type: application/octet-stream
Size: 2544 bytes
Desc: tacacs+.spec
Url : http://www.shrubbery.net/pipermail/tac_plus/attachments/20100216/7b9dfa56/attachment.obj

From bruce.carleton at jasperwireless.com Tue Feb 16 18:01:23 2010
From: bruce.carleton at jasperwireless.com (Bruce Carleton)
Date: Tue, 16 Feb 2010 10:01:23 -0800
Subject: [tac_plus] Re: RPM spec file
In-Reply-To: <48EF1AA16339F44499720B6A30897EDE03F69B@MV-EXCHANGE.corp.jaspersystems.com>
References: <48EF1AA16339F44499720B6A30897EDE03F69B@MV-EXCHANGE.corp.jaspersystems.com>
Message-ID: <48EF1AA16339F44499720B6A30897EDE03F6BA@MV-EXCHANGE.corp.jaspersystems.com>

It looks like Outlook did something dumb with the specification file.
Here's a link: http://home.rbcarleton.com/rbc/tac_plus/tacacs+.spec

Best,
--Bruce

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Bruce Carleton
Sent: Tuesday, February 16, 2010 9:53 AM
To: tac_plus at shrubbery.net
Subject: [tac_plus] RPM spec file

I've been putting together an RPM specification file for tac_plus. I'm not
sure who else is out there using RHEL 5 but I thought it was worth sharing.
I've been testing with F4.0.4.19 on CentOS 5.4. The init file is inlined in
the spec so you don't need to include it as a separate file.

I'm still testing it out, so I haven't sorted out all the loose ends. Please
let me know if there are any comments.

Best,
--Bruce

From jeffrey.geist at pnpt.com Tue Feb 16 16:20:42 2010
From: jeffrey.geist at pnpt.com (Jeffrey S. Geist)
Date: Tue, 16 Feb 2010 10:20:42 -0600
Subject: [tac_plus] Tacacs On Solaris 10
Message-ID: <7F6D3FC2DB95E44DAEF01815F0C15FAF03D32226D4@EXCHANGE07.pnpt.local>

Hi,

We are trying to get tacacs running on Solaris 10 and are looking for
someone who may have done this in the past. We have tacacs running on
Solaris 8 but are running into some issues on Solaris 10. If you know anyone
who would be willing to work with us, please send this request to them or
point us in the right direction.

Thank you in advance,

Jeffrey S. Geist
Systems Administrator
PinPoint Communications
100 North 12th Street
Suite 500
Lincoln, NE 68508
Work: (402) 438-6211
Cellular: (402) 580-0047

From hailumeng at gmail.com Wed Feb 17 22:16:04 2010
From: hailumeng at gmail.com (Hailu Meng)
Date: Wed, 17 Feb 2010 16:16:04 -0600
Subject: [tac_plus] Issue when starting up
Message-ID: <8dabae5b1002171416u2f3d2574mf5eb22116fa10962@mail.gmail.com>

Hi All,

I have been running tac_plus on my Red Hat system for a couple of months,
and I always run it as "tac_plus -C /etc/tac_plus.conf -t -d 120 -g" in the
foreground.
Right now I am trying to set up a service for tac_plus and run it as a
daemon. But when I try to run "tac_plus -C /etc/tac_plus.conf -t -d 120",
I can't log in to my Cisco switch. It still asks me for a username, but it
won't accept my password. The log shows:

Wed Feb 17 15:44:44 2010 [25229]: Reading config
Wed Feb 17 15:44:44 2010 [25229]: Version F4.0.4.19 Initialized 1
Wed Feb 17 15:44:44 2010 [25229]: tac_plus server F4.0.4.19 starting
Wed Feb 17 15:44:44 2010 [25230]: Backgrounded
Wed Feb 17 15:44:44 2010 [25231]: uid=505 euid=505 gid=505 egid=505 s=0
Wed Feb 17 15:44:54 2010 [25231]: session.peerip is 10.1.1.10
Wed Feb 17 15:44:54 2010 [25234]: connect from 10.1.1.10 [10.1.1.10]
Wed Feb 17 15:44:55 2010 [25234]: pam_verify username
Wed Feb 17 15:44:55 2010 [25234]: pam_tacacs received 1 pam_messages
Wed Feb 17 15:44:55 2010 [25234]: Error 10.1.1.10 tty1: PAM_PROMPT_ECHO_OFF
Wed Feb 17 15:44:59 2010 [25234]: pam_verify returns 1
Wed Feb 17 15:44:59 2010 [25234]: Password has not expired <no expiry date set>
Wed Feb 17 15:44:59 2010 [25234]: login query for 'username' tty1 from 10.1.1.10 accepted
Wed Feb 17 15:45:05 2010 [25231]: session.peerip is 10.1.1.10
Wed Feb 17 15:45:05 2010 [25238]: connect from 10.1.1.10 [10.1.1.10]

After the above log, the switch pops up "Password" again, asking me for the
password. I compared the normal log. It is the same as the above. Wondering
why it already accepted but still keeps asking me for the password.

Does anyone have an idea about this?

Thanks a lot.

Lou
From heas at shrubbery.net Thu Feb 18 06:16:28 2010
From: heas at shrubbery.net (john heasley)
Date: Thu, 18 Feb 2010 06:16:28 +0000
Subject: [tac_plus] Re: Issue when starting up
In-Reply-To: <8dabae5b1002171416u2f3d2574mf5eb22116fa10962@mail.gmail.com>
References: <8dabae5b1002171416u2f3d2574mf5eb22116fa10962@mail.gmail.com>
Message-ID: <20100218061628.GG27716@shrubbery.net>

Wed, Feb 17, 2010 at 04:16:04PM -0600, Hailu Meng:
> Hi All,
>
> I have been running tac_plus on my Red Hat system for a couple of months,
> and I always run it as "tac_plus -C /etc/tac_plus.conf -t -d 120 -g" in
> the foreground.
> Right now I am trying to set up a service for tac_plus and run it as a
> daemon. But when I try to run
> "tac_plus -C /etc/tac_plus.conf -t -d 120", I can't log in to my Cisco
> switch. It still asks me for a username, but it won't accept my password.
> The log shows:
>
> Wed Feb 17 15:44:44 2010 [25229]: Reading config
> Wed Feb 17 15:44:44 2010 [25229]: Version F4.0.4.19 Initialized 1
> Wed Feb 17 15:44:44 2010 [25229]: tac_plus server F4.0.4.19 starting
> Wed Feb 17 15:44:44 2010 [25230]: Backgrounded
> Wed Feb 17 15:44:44 2010 [25231]: uid=505 euid=505 gid=505 egid=505 s=0
> Wed Feb 17 15:44:54 2010 [25231]: session.peerip is 10.1.1.10
> Wed Feb 17 15:44:54 2010 [25234]: connect from 10.1.1.10 [10.1.1.10]
> Wed Feb 17 15:44:55 2010 [25234]: pam_verify username
> Wed Feb 17 15:44:55 2010 [25234]: pam_tacacs received 1 pam_messages
> Wed Feb 17 15:44:55 2010 [25234]: Error 10.1.1.10 tty1: PAM_PROMPT_ECHO_OFF
> Wed Feb 17 15:44:59 2010 [25234]: pam_verify returns 1
> Wed Feb 17 15:44:59 2010 [25234]: Password has not expired <no expiry date set>
> Wed Feb 17 15:44:59 2010 [25234]: login query for 'username' tty1 from
> 10.1.1.10 accepted
> Wed Feb 17 15:45:05 2010 [25231]: session.peerip is 10.1.1.10
> Wed Feb 17 15:45:05 2010 [25238]: connect from 10.1.1.10 [10.1.1.10]
>
> After the above log, the switch pops up "Password" again, asking me for the
> password. I compared the normal log. It is the same as the above. Wondering
> why it already accepted but still keeps asking me for the password.
>
> Does anyone have an idea about this?

you might try -d 256 and verify that the config on the device is correct.
also inspect the syslog for messages from the device.

From hailumeng at gmail.com Thu Feb 18 18:02:20 2010
From: hailumeng at gmail.com (Hailu Meng)
Date: Thu, 18 Feb 2010 12:02:20 -0600
Subject: [tac_plus] Re: Issue when starting up
In-Reply-To: <20100218061628.GG27716@shrubbery.net>
References: <8dabae5b1002171416u2f3d2574mf5eb22116fa10962@mail.gmail.com> <20100218061628.GG27716@shrubbery.net>
Message-ID: <8dabae5b1002181002g733eb460tde2059ce94078799@mail.gmail.com>

Thanks John. I tried to debug aaa information in my switch. I deleted the
authorization and accounting setup in my switch, trying to make things
simple. Here is my current setup in the switch:

    aaa new-model
    aaa authentication login default group tacacs+ line
    aaa authentication enable default group tacacs+ enable

Very simple one.

And I compared the successful and unsuccessful login debug here. I also
checked my Active Directory server; the events there are totally the same
for successful and unsuccessful logins.
Successful login:

Feb 18 11:21:30.813 CST: tty1 AAA/DISC: 1/"User Request"
Feb 18 11:21:30.817 CST: tty1 AAA/DISC/EXT: 1020/"User Request"
Feb 18 11:21:30.817 CST: tty1 AAA/DISC: 9/"NAS Error"
Feb 18 11:21:30.817 CST: tty1 AAA/DISC/EXT: 1002/"Unknown"
Feb 18 11:21:30.817 CST: AAA/MEMORY: free_user (0x80CF5BDC) user='' ruser='' port='tty1' rem_addr='10.1.10.1' authen_type=ASCII service=LOGIN priv=1

Unsuccessful login:

Feb 18 11:47:45.392 CST: tty1 AAA/DISC: 1/"User Request"
Feb 18 11:47:45.392 CST: tty1 AAA/DISC/EXT: 1020/"User Request"
Feb 18 11:47:45.392 CST: tty1 AAA/DISC: 9/"NAS Error"
Feb 18 11:47:45.396 CST: tty1 AAA/DISC/EXT: 1002/"Unknown"
Feb 18 11:47:45.396 CST: AAA/MEMORY: free_user (0x80CEAC74) user='testuser' ruser='' port='tty1' rem_addr='10.1.10.1' authen_type=ASCII service=LOGIN priv=1
Feb 18 11:48:00.248 CST: AAA: parse name=tty1 idb type=-1 tty=-1
Feb 18 11:48:00.248 CST: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
Feb 18 11:48:00.248 CST: AAA/MEMORY: create_user (0x80D7FC00) user='' ruser='' port='tty1' rem_addr='10.1.10.1' authen_type=ASCII service=LOGIN priv=1

The difference here is that when the successful login happens, the "user"
name is empty, but the unsuccessful login has the real user name "testuser"
value. This sounds weird to me. Total opposite to my thinking. I did several
comparisons. All the same log.

I just wonder why background and foreground have this difference. In
addition, not sure whether "NAS error" is a problem or not. It exists in the
successful login too.

Thanks for your help. Really appreciated.

Lou

On Thu, Feb 18, 2010 at 12:16 AM, john heasley wrote:

> Wed, Feb 17, 2010 at 04:16:04PM -0600, Hailu Meng:
> > Hi All,
> >
> > I have been running tac_plus on my Red Hat system for a couple of months,
> > and I always run it as "tac_plus -C /etc/tac_plus.conf -t -d 120 -g" in
> > the foreground.
> > Right now I am trying to set up a service for tac_plus and run it as a
> > daemon. But when I try to run
> > "tac_plus -C /etc/tac_plus.conf -t -d 120", I can't log in to my Cisco
> > switch. It still asks me for a username, but it won't accept my
> > password. The log shows:
> >
> > Wed Feb 17 15:44:44 2010 [25229]: Reading config
> > Wed Feb 17 15:44:44 2010 [25229]: Version F4.0.4.19 Initialized 1
> > Wed Feb 17 15:44:44 2010 [25229]: tac_plus server F4.0.4.19 starting
> > Wed Feb 17 15:44:44 2010 [25230]: Backgrounded
> > Wed Feb 17 15:44:44 2010 [25231]: uid=505 euid=505 gid=505 egid=505 s=0
> > Wed Feb 17 15:44:54 2010 [25231]: session.peerip is 10.1.1.10
> > Wed Feb 17 15:44:54 2010 [25234]: connect from 10.1.1.10 [10.1.1.10]
> > Wed Feb 17 15:44:55 2010 [25234]: pam_verify username
> > Wed Feb 17 15:44:55 2010 [25234]: pam_tacacs received 1 pam_messages
> > Wed Feb 17 15:44:55 2010 [25234]: Error 10.1.1.10 tty1: PAM_PROMPT_ECHO_OFF
> > Wed Feb 17 15:44:59 2010 [25234]: pam_verify returns 1
> > Wed Feb 17 15:44:59 2010 [25234]: Password has not expired <no expiry date set>
> > Wed Feb 17 15:44:59 2010 [25234]: login query for 'username' tty1 from
> > 10.1.1.10 accepted
> > Wed Feb 17 15:45:05 2010 [25231]: session.peerip is 10.1.1.10
> > Wed Feb 17 15:45:05 2010 [25238]: connect from 10.1.1.10 [10.1.1.10]
> >
> > After the above log, the switch pops up "Password" again, asking me for
> > the password. I compared the normal log. It is the same as the above.
> > Wondering why it already accepted but still keeps asking me for the
> > password.
> >
> > Does anyone have an idea about this?
>
> you might try -d 256 and verify that the config on the device is correct.
> also inspect the syslog for messages from the device.
From heas at shrubbery.net Thu Feb 18 19:21:27 2010
From: heas at shrubbery.net (john heasley)
Date: Thu, 18 Feb 2010 11:21:27 -0800
Subject: [tac_plus] Re: Issue when starting up
In-Reply-To: <8dabae5b1002181002g733eb460tde2059ce94078799@mail.gmail.com>
References: <8dabae5b1002171416u2f3d2574mf5eb22116fa10962@mail.gmail.com> <20100218061628.GG27716@shrubbery.net> <8dabae5b1002181002g733eb460tde2059ce94078799@mail.gmail.com>
Message-ID: <20100218192127.GE21216@shrubbery.net>

Thu, Feb 18, 2010 at 12:02:20PM -0600, Hailu Meng:
> Thanks John. I tried to debug aaa information in my switch. I deleted the
> authorization and accounting setup in my switch, trying to make things
> simple. Here is my current setup in the switch:
>
>     aaa new-model
>     aaa authentication login default group tacacs+ line
>     aaa authentication enable default group tacacs+ enable
>
> Very simple one.
>
> And I compared the successful and unsuccessful login debug here. I also
> checked my Active Directory server; the events there are totally the same
> for successful and unsuccessful logins.
>
> Successful login:
>
> Feb 18 11:21:30.813 CST: tty1 AAA/DISC: 1/"User Request"
> Feb 18 11:21:30.817 CST: tty1 AAA/DISC/EXT: 1020/"User Request"
> Feb 18 11:21:30.817 CST: tty1 AAA/DISC: 9/"NAS Error"
> Feb 18 11:21:30.817 CST: tty1 AAA/DISC/EXT: 1002/"Unknown"
> Feb 18 11:21:30.817 CST: AAA/MEMORY: free_user (0x80CF5BDC) user='' ruser='' port='tty1' rem_addr='10.1.10.1' authen_type=ASCII service=LOGIN priv=1
>
> Unsuccessful login:
>
> Feb 18 11:47:45.392 CST: tty1 AAA/DISC: 1/"User Request"
> Feb 18 11:47:45.392 CST: tty1 AAA/DISC/EXT: 1020/"User Request"
> Feb 18 11:47:45.392 CST: tty1 AAA/DISC: 9/"NAS Error"
> Feb 18 11:47:45.396 CST: tty1 AAA/DISC/EXT: 1002/"Unknown"
> Feb 18 11:47:45.396 CST: AAA/MEMORY: free_user (0x80CEAC74) user='testuser' ruser='' port='tty1' rem_addr='10.1.10.1' authen_type=ASCII service=LOGIN priv=1
> Feb 18 11:48:00.248 CST: AAA: parse name=tty1 idb type=-1 tty=-1
> Feb 18 11:48:00.248 CST: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
> Feb 18 11:48:00.248 CST: AAA/MEMORY: create_user (0x80D7FC00) user='' ruser='' port='tty1' rem_addr='10.1.10.1' authen_type=ASCII service=LOGIN priv=1
>
> The difference here is that when the successful login happens, the "user"
> name is empty, but the unsuccessful login has the real user name "testuser"
> value. This sounds weird to me. Total opposite to my thinking. I did several
> comparisons. All the same log.

what was in the tac_plus packet log (-d 256) ?

> I just wonder why background and foreground have this difference. In
> addition, not sure whether "NAS error" is a problem or not. It exists in the
> successful login too.
>
> Thanks for your help. Really appreciated.
>
> Lou
>
> On Thu, Feb 18, 2010 at 12:16 AM, john heasley wrote:
>
> > Wed, Feb 17, 2010 at 04:16:04PM -0600, Hailu Meng:
> > > Hi All,
> > >
> > > I have been running tac_plus on my Red Hat system for a couple of
> > > months, and I always run it as "tac_plus -C /etc/tac_plus.conf -t -d
> > > 120 -g" in the foreground.
> > > Right now I am trying to set up a service for tac_plus and run it as a
> > > daemon. But when I try to run
> > > "tac_plus -C /etc/tac_plus.conf -t -d 120", I can't log in to my Cisco
> > > switch. It still asks me for a username, but it won't accept my
> > > password. The log shows:
> > >
> > > Wed Feb 17 15:44:44 2010 [25229]: Reading config
> > > Wed Feb 17 15:44:44 2010 [25229]: Version F4.0.4.19 Initialized 1
> > > Wed Feb 17 15:44:44 2010 [25229]: tac_plus server F4.0.4.19 starting
> > > Wed Feb 17 15:44:44 2010 [25230]: Backgrounded
> > > Wed Feb 17 15:44:44 2010 [25231]: uid=505 euid=505 gid=505 egid=505 s=0
> > > Wed Feb 17 15:44:54 2010 [25231]: session.peerip is 10.1.1.10
> > > Wed Feb 17 15:44:54 2010 [25234]: connect from 10.1.1.10 [10.1.1.10]
> > > Wed Feb 17 15:44:55 2010 [25234]: pam_verify username
> > > Wed Feb 17 15:44:55 2010 [25234]: pam_tacacs received 1 pam_messages
> > > Wed Feb 17 15:44:55 2010 [25234]: Error 10.1.1.10 tty1: PAM_PROMPT_ECHO_OFF
> > > Wed Feb 17 15:44:59 2010 [25234]: pam_verify returns 1
> > > Wed Feb 17 15:44:59 2010 [25234]: Password has not expired <no expiry date set>
> > > Wed Feb 17 15:44:59 2010 [25234]: login query for 'username' tty1 from
> > > 10.1.1.10 accepted
> > > Wed Feb 17 15:45:05 2010 [25231]: session.peerip is 10.1.1.10
> > > Wed Feb 17 15:45:05 2010 [25238]: connect from 10.1.1.10 [10.1.1.10]
> > >
> > > After the above log, the switch pops up "Password" again, asking me for
> > > the password. I compared the normal log. It is the same as the above.
> > > Wondering why it already accepted but still keeps asking me for the
> > > password.
> > >
> > > Does anyone have an idea about this?
> >
> > you might try -d 256 and verify that the config on the device is correct.
> > also inspect the syslog for messages from the device.
From hailumeng at gmail.com Thu Feb 18 20:02:46 2010
From: hailumeng at gmail.com (Hailu Meng)
Date: Thu, 18 Feb 2010 14:02:46 -0600
Subject: [tac_plus] Re: Issue when starting up
In-Reply-To: <20100218192127.GE21216@shrubbery.net>
References: <8dabae5b1002171416u2f3d2574mf5eb22116fa10962@mail.gmail.com> <20100218061628.GG27716@shrubbery.net> <8dabae5b1002181002g733eb460tde2059ce94078799@mail.gmail.com> <20100218192127.GE21216@shrubbery.net>
Message-ID: <8dabae5b1002181202s32f1c0a8r390e4daacc8debf6@mail.gmail.com>

Sorry, I forgot to post the log. I just did the comparison again:

Successful login tac_plus log:

Thu Feb 18 13:33:30 2010 [26189]: Reading config
Thu Feb 18 13:33:30 2010 [26189]: Version F4.0.4.19 Initialized 1
Thu Feb 18 13:33:30 2010 [26189]: tac_plus server F4.0.4.19 starting
Thu Feb 18 13:33:30 2010 [26189]: uid=505 euid=505 gid=505 egid=505 s=4
Thu Feb 18 13:33:37 2010 [26189]: session request from 10.1.2.1 sock=5
Thu Feb 18 13:33:37 2010 [26189]: connect from 10.1.2.1 [10.1.2.1]
Thu Feb 18 13:33:37 2010 [26189]: Waiting for packet
Thu Feb 18 13:33:37 2010 [26189]: Read AUTHEN/START size=35
Thu Feb 18 13:33:37 2010 [26189]: validation request from 10.1.2.1
Thu Feb 18 13:33:37 2010 [26189]: PACKET: key=mykey
Thu Feb 18 13:33:37 2010 [26189]: version 192 (0xc0), type 1, seq no 1, flags 0x1
Thu Feb 18 13:33:37 2010 [26189]: session_id 1034326774 (0x3da692f6), Data length 23 (0x17)
Thu Feb 18 13:33:37 2010 [26189]: End header
Thu Feb 18 13:33:37 2010 [26189]: type=AUTHEN/START, priv_lvl = 1
Thu Feb 18 13:33:37 2010 [26189]: action=login
Thu Feb 18 13:33:37 2010 [26189]: authen_type=ascii
Thu Feb 18 13:33:37 2010 [26189]: service=login
Thu Feb 18 13:33:37 2010 [26189]: user_len=0 port_len=4 (0x4), rem_addr_len=11 (0xb)
Thu Feb 18 13:33:37 2010 [26189]: data_len=0
Thu Feb 18 13:33:37 2010 [26189]: User:
Thu Feb 18 13:33:37 2010 [26189]: port:
Thu Feb 18 13:33:37 2010 [26189]: tty1
Thu Feb 18 13:33:37 2010 [26189]: rem_addr:
Thu Feb 18 13:33:37 2010 [26189]: 10.1.10.1
Thu Feb 18 13:33:37 2010 [26189]: data:
Thu Feb 18 13:33:37 2010 [26189]: End packet
Thu Feb 18 13:33:37 2010 [26189]: Authen Start request
Thu Feb 18 13:33:37 2010 [26189]: choose_authen returns 1
Thu Feb 18 13:33:37 2010 [26189]: Writing AUTHEN/GETUSER size=55
Thu Feb 18 13:33:37 2010 [26189]: PACKET: key=mykey
Thu Feb 18 13:33:37 2010 [26189]: version 192 (0xc0), type 1, seq no 2, flags 0x1
Thu Feb 18 13:33:37 2010 [26189]: session_id 1034326774 (0x3da692f6), Data length 43 (0x2b)
Thu Feb 18 13:33:37 2010 [26189]: End header
Thu Feb 18 13:33:37 2010 [26189]: type=AUTHEN status=4 (AUTHEN/GETUSER) flags=0x0
Thu Feb 18 13:33:37 2010 [26189]: msg_len=37, data_len=0
Thu Feb 18 13:33:37 2010 [26189]: msg:
Thu Feb 18 13:33:37 2010 [26189]: 0xa User Access Verification 0xa
Thu Feb 18 13:33:37 2010 [26189]: data:
Thu Feb 18 13:33:37 2010 [26189]: End packet
Thu Feb 18 13:33:37 2010 [26189]: Waiting for packet
Thu Feb 18 13:33:39 2010 [26189]: Read AUTHEN/CONT size=23
Thu Feb 18 13:33:39 2010 [26189]: PACKET: key=mykey
Thu Feb 18 13:33:39 2010 [26189]: version 192 (0xc0), type 1, seq no 3, flags 0x1
Thu Feb 18 13:33:39 2010 [26189]: session_id 1034326774 (0x3da692f6), Data length 11 (0xb)
Thu Feb 18 13:33:39 2010 [26189]: End header
Thu Feb 18 13:33:39 2010 [26189]: type=AUTHEN/CONT
Thu Feb 18 13:33:39 2010 [26189]: user_msg_len 6 (0x6), user_data_len 0 (0x0)
Thu Feb 18 13:33:39 2010 [26189]: flags=0x0
Thu Feb 18 13:33:39 2010 [26189]: User msg:
Thu Feb 18 13:33:39 2010 [26189]: testuser                      <-- Input my username
Thu Feb 18 13:33:39 2010 [26189]: User data:
Thu Feb 18 13:33:39 2010 [26189]: End packet
Thu Feb 18 13:33:39 2010 [26189]: choose_authen chose default_fn
Thu Feb 18 13:33:39 2010 [26189]: Calling authentication function
Thu Feb 18 13:33:40 2010 [26189]: Writing AUTHEN/GETPASS size=28
Thu Feb 18 13:33:40 2010 [26189]: PACKET: key=mykey
Thu Feb 18 13:33:40 2010 [26189]: version 192 (0xc0), type 1, seq no 4, flags 0x1
Thu Feb 18 13:33:40 2010 [26189]: session_id 1034326774 (0x3da692f6), Data length 16 (0x10)
Thu Feb 18 13:33:40 2010 [26189]: End header
Thu Feb 18 13:33:40 2010 [26189]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
Thu Feb 18 13:33:40 2010 [26189]: msg_len=10, data_len=0
Thu Feb 18 13:33:40 2010 [26189]: msg:
Thu Feb 18 13:33:40 2010 [26189]: Password:
Thu Feb 18 13:33:40 2010 [26189]: data:
Thu Feb 18 13:33:40 2010 [26189]: End packet
Thu Feb 18 13:33:40 2010 [26189]: Waiting for packet
Thu Feb 18 13:33:46 2010 [26189]: Read AUTHEN/CONT size=28
Thu Feb 18 13:33:46 2010 [26189]: PACKET: key=mykey
Thu Feb 18 13:33:46 2010 [26189]: version 192 (0xc0), type 1, seq no 5, flags 0x1
Thu Feb 18 13:33:46 2010 [26189]: session_id 1034326774 (0x3da692f6), Data length 16 (0x10)
Thu Feb 18 13:33:46 2010 [26189]: End header
Thu Feb 18 13:33:46 2010 [26189]: type=AUTHEN/CONT
Thu Feb 18 13:33:46 2010 [26189]: user_msg_len 11 (0xb), user_data_len 0 (0x0)
Thu Feb 18 13:33:46 2010 [26189]: flags=0x0
Thu Feb 18 13:33:46 2010 [26189]: User msg:
Thu Feb 18 13:33:46 2010 [26189]: mypassword                    <-- Input my password
Thu Feb 18 13:33:46 2010 [26189]: User data:
Thu Feb 18 13:33:46 2010 [26189]: End packet
Thu Feb 18 13:33:46 2010 [26189]: login query for 'testuser' tty1 from 10.1.69.89 accepted   <-- Succeeded
Thu Feb 18 13:33:46 2010 [26189]: Writing AUTHEN/SUCCEED size=18
Thu Feb 18 13:33:46 2010 [26189]: PACKET: key=mykey
Thu Feb 18 13:33:46 2010 [26189]: version 192 (0xc0), type 1, seq no 6, flags 0x1
Thu Feb 18 13:33:46 2010 [26189]: session_id 1034326774 (0x3da692f6), Data length 6 (0x6)
Thu Feb 18 13:33:46 2010 [26189]: End header
Thu Feb 18 13:33:46 2010 [26189]: type=AUTHEN status=1 (AUTHEN/SUCCEED) flags=0x0
Thu Feb 18 13:33:46 2010 [26189]: msg_len=0, data_len=0
Thu Feb 18 13:33:46 2010 [26189]: msg:
Thu Feb 18 13:33:46 2010 [26189]: data:
Thu Feb 18 13:33:46 2010 [26189]: End packet
Thu Feb 18 13:33:46 2010 [26189]: 10.1.2.1: disconnect

Unsuccessful login:

Thu Feb 18 13:42:14 2010 [27114]: Reading config
Thu Feb 18 13:42:14 2010 [27114]: Version F4.0.4.19 Initialized 1
Thu Feb 18 13:42:14 2010 [27114]: tac_plus server F4.0.4.19 starting
Thu Feb 18 13:42:14 2010 [27115]: Backgrounded
Thu Feb 18 13:42:14 2010 [27116]: uid=505 euid=505 gid=505 egid=505 s=0
Thu Feb 18 13:42:17 2010 [27116]: session request from 10.1.2.1 sock=2
Thu Feb 18 13:42:17 2010 [27117]: connect from 10.1.2.1 [10.1.2.1]
Thu Feb 18 13:42:17 2010 [27117]: Waiting for packet
Thu Feb 18 13:42:17 2010 [27117]: Read AUTHEN/START size=35
Thu Feb 18 13:42:17 2010 [27117]: validation request from 10.1.2.1
Thu Feb 18 13:42:17 2010 [27117]: PACKET: key=mykey
Thu Feb 18 13:42:17 2010 [27117]: version 192 (0xc0), type 1, seq no 1, flags 0x1
Thu Feb 18 13:42:17 2010 [27117]: session_id 3918696952 (0xe99291f8), Data length 23 (0x17)
Thu Feb 18 13:42:17 2010 [27117]: End header
Thu Feb 18 13:42:17 2010 [27117]: type=AUTHEN/START, priv_lvl = 1
Thu Feb 18 13:42:17 2010 [27117]: action=login
Thu Feb 18 13:42:17 2010 [27117]: authen_type=ascii
Thu Feb 18 13:42:17 2010 [27117]: service=login
Thu Feb 18 13:42:17 2010 [27117]: user_len=0 port_len=4 (0x4), rem_addr_len=11 (0xb)
Thu Feb 18 13:42:17 2010 [27117]: data_len=0
Thu Feb 18 13:42:17 2010 [27117]: User:
Thu Feb 18 13:42:17 2010 [27117]: port:
Thu Feb 18 13:42:17 2010 [27117]: tty1
Thu Feb 18 13:42:17 2010 [27117]: rem_addr:
Thu Feb 18 13:42:17 2010 [27117]: 10.1.10.1
Thu Feb 18 13:42:17 2010 [27117]: data:
Thu Feb 18 13:42:17 2010 [27117]: End packet
Thu Feb 18 13:42:17 2010 [27117]: Authen Start request
Thu Feb 18 13:42:17 2010 [27117]: choose_authen returns 1
Thu Feb 18 13:42:17 2010 [27117]: Writing AUTHEN/GETUSER size=55
Thu Feb 18 13:42:17 2010 [27117]: PACKET: key=mykey
Thu Feb 18 13:42:17 2010 [27117]: version 192 (0xc0), type 1, seq no 2, flags 0x1
Thu Feb 18 13:42:17 2010 [27117]: session_id 3918696952 (0xe99291f8), Data length 43 (0x2b)
Thu Feb 18 13:42:17 2010 [27117]: End header
Thu Feb 18 13:42:17 2010 [27117]: type=AUTHEN status=4 (AUTHEN/GETUSER) flags=0x0
Thu Feb 18 13:42:17 2010 [27117]: msg_len=37, data_len=0
Thu Feb 18 13:42:17 2010 [27117]: msg:
Thu Feb 18 13:42:17 2010 [27117]: 0xa User Access Verification 0xa
Thu Feb 18 13:42:17 2010 [27117]: data:
Thu Feb 18 13:42:17 2010 [27117]: End packet
Thu Feb 18 13:42:17 2010 [27117]: Waiting for packet
Thu Feb 18 13:42:18 2010 [27117]: Read AUTHEN/CONT size=23
Thu Feb 18 13:42:18 2010 [27117]: PACKET: key=mykey
Thu Feb 18 13:42:18 2010 [27117]: version 192 (0xc0), type 1, seq no 3, flags 0x1
Thu Feb 18 13:42:18 2010 [27117]: session_id 3918696952 (0xe99291f8), Data length 11 (0xb)
Thu Feb 18 13:42:18 2010 [27117]: End header
Thu Feb 18 13:42:18 2010 [27117]: type=AUTHEN/CONT
Thu Feb 18 13:42:18 2010 [27117]: user_msg_len 6 (0x6), user_data_len 0 (0x0)
Thu Feb 18 13:42:18 2010 [27117]: flags=0x0
Thu Feb 18 13:42:18 2010 [27117]: User msg:
Thu Feb 18 13:42:18 2010 [27117]: testuser                      <-- Input my username
Thu Feb 18 13:42:18 2010 [27117]: User data:
Thu Feb 18 13:42:18 2010 [27117]: End packet
Thu Feb 18 13:42:18 2010 [27117]: choose_authen chose default_fn
Thu Feb 18 13:42:18 2010 [27117]: Calling authentication function
Thu Feb 18 13:42:18 2010 [27117]: Writing AUTHEN/GETPASS size=28
Thu Feb 18 13:42:18 2010 [27117]: PACKET: key=mykey
Thu Feb 18 13:42:18 2010 [27117]: version 192 (0xc0), type 1, seq no 4, flags 0x1
Thu Feb 18 13:42:18 2010 [27117]: session_id 3918696952 (0xe99291f8), Data length 16 (0x10)
Thu Feb 18 13:42:18 2010 [27117]: End header
Thu Feb 18 13:42:18 2010 [27117]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
Thu Feb 18 13:42:18 2010 [27117]: msg_len=10, data_len=0
Thu Feb 18 13:42:18 2010 [27117]: msg:
Thu Feb 18 13:42:18 2010 [27117]: Password:
Thu Feb 18 13:42:18 2010 [27117]: data:
Thu Feb 18 13:42:18 2010 [27117]: End packet
Thu Feb 18 13:42:18 2010 [27117]: Waiting for packet
Thu Feb 18 13:42:22 2010 [27117]: Read AUTHEN/CONT size=28
Thu Feb 18 13:42:22 2010 [27117]: PACKET: key=mykey
Thu Feb 18 13:42:22 2010 [27117]: version 192 (0xc0), type 1, seq no 5, flags 0x1
Thu Feb 18 13:42:22 2010 [27117]: session_id 3918696952 (0xe99291f8), Data length 16 (0x10)
Thu Feb 18 13:42:22 2010 [27117]: End header
Thu Feb 18 13:42:22 2010 [27117]: type=AUTHEN/CONT
Thu Feb 18 13:42:22 2010 [27117]: user_msg_len 11 (0xb), user_data_len 0 (0x0)
Thu Feb 18 13:42:22 2010 [27117]: flags=0x0
Thu Feb 18 13:42:22 2010 [27117]: User msg:
Thu Feb 18 13:42:22 2010 [27117]: mypassword                    <-- Input my password
Thu Feb 18 13:42:22 2010 [27117]: User data:
Thu Feb 18 13:42:22 2010 [27117]: End packet
Thu Feb 18 13:42:22 2010 [27117]: login query for 'hxmeng' tty1 from 10.1.2.1 accepted   <-- Succeeded
Thu Feb 18 13:42:22 2010 [27117]: Writing AUTHEN/SUCCEED size=18
Thu Feb 18 13:42:22 2010 [27117]: PACKET: key=mykey
Thu Feb 18 13:42:22 2010 [27117]: version 192 (0xc0), type 1, seq no 6, flags 0x1
Thu Feb 18 13:42:22 2010 [27117]: session_id 3918696952 (0xe99291f8), Data length 6 (0x6)
Thu Feb 18 13:42:22 2010 [27117]: End header
Thu Feb 18 13:42:22 2010 [27117]: type=AUTHEN status=1 (AUTHEN/SUCCEED) flags=0x0
Thu Feb 18 13:42:22 2010 [27117]: msg_len=0, data_len=0
Thu Feb 18 13:42:22 2010 [27117]: msg:
Thu Feb 18 13:42:22 2010 [27117]: data:
Thu Feb 18 13:42:22 2010 [27117]: End packet
Thu Feb 18 13:42:22 2010 [27117]: 10.1.2.1: disconnect

<-- The above is the same as the successful one; from here, I got another "Password" prompt asking for the password.
*Even I input my correct password for the 2nd time, it just doesn't allow me in*.* I also tried wrong password for the first time password input on purpose, I did get rejected message like "login query for 'testuser' tty1 from 10.1.2.1 rejected"* Thu Feb 18 13:42:28 2010 [27116]: session request from 10.1.2.1 sock=2 Thu Feb 18 13:42:28 2010 [27135]: connect from 10.1.2.1 [10.1.2.1] Thu Feb 18 13:42:28 2010 [27135]: Waiting for packet Thu Feb 18 13:42:28 2010 [27135]: Read AUTHEN/START size=35 Thu Feb 18 13:42:28 2010 [27135]: validation request from 10.1.2.1 Thu Feb 18 13:42:28 2010 [27135]: PACKET: key=mykey Thu Feb 18 13:42:28 2010 [27135]: version 192 (0xc0), type 1, seq no 1, flags 0x1 Thu Feb 18 13:42:28 2010 [27135]: session_id 3154815253 (0xbc0aa915), Data length 23 (0x17) Thu Feb 18 13:42:28 2010 [27135]: End header Thu Feb 18 13:42:28 2010 [27135]: type=AUTHEN/START, priv_lvl = 1 Thu Feb 18 13:42:28 2010 [27135]: action=login Thu Feb 18 13:42:28 2010 [27135]: authen_type=ascii Thu Feb 18 13:42:28 2010 [27135]: service=login Thu Feb 18 13:42:28 2010 [27135]: user_len=0 port_len=4 (0x4), rem_addr_len=11 (0xb) Thu Feb 18 13:42:28 2010 [27135]: data_len=0 Thu Feb 18 13:42:28 2010 [27135]: User: Thu Feb 18 13:42:28 2010 [27135]: port: Thu Feb 18 13:42:28 2010 [27135]: tty1 Thu Feb 18 13:42:28 2010 [27135]: rem_addr: Thu Feb 18 13:42:28 2010 [27135]: 10.1.10.1 Thu Feb 18 13:42:28 2010 [27135]: data: Thu Feb 18 13:42:28 2010 [27135]: End packet Thu Feb 18 13:42:28 2010 [27135]: Authen Start request Thu Feb 18 13:42:28 2010 [27135]: choose_authen returns 1 Thu Feb 18 13:42:28 2010 [27135]: Writing AUTHEN/GETUSER size=55 Thu Feb 18 13:42:28 2010 [27135]: PACKET: key=mykey Thu Feb 18 13:42:28 2010 [27135]: version 192 (0xc0), type 1, seq no 2, flags 0x1 Thu Feb 18 13:42:28 2010 [27135]: session_id 3154815253 (0xbc0aa915), Data length 43 (0x2b) Thu Feb 18 13:42:28 2010 [27135]: End header Thu Feb 18 13:42:28 2010 [27135]: type=AUTHEN status=4 (AUTHEN/GETUSER) 
flags=0x0 Thu Feb 18 13:42:28 2010 [27135]: msg_len=37, data_len=0 Thu Feb 18 13:42:28 2010 [27135]: msg: Thu Feb 18 13:42:28 2010 [27135]: 0xa User Access Verification 0xa Thu Feb 18 13:42:28 2010 [27135]: data: Thu Feb 18 13:42:28 2010 [27135]: End packet Thu Feb 18 13:42:28 2010 [27135]: Waiting for packet So weird thing is why it accepted my login but ask for password again. Background and foreground can give this difference. It's really weird. Thanks John for the help. Lou On Thu, Feb 18, 2010 at 1:21 PM, john heasley wrote: > Thu, Feb 18, 2010 at 12:02:20PM -0600, Hailu Meng: > > Thanks John. I tried to debug aaa information in my switch. I deleted the > > authorization and accounting setup in my switch trying to make thing > simple. > > Here is my current setup in swtich: > > aaa new-model > > aaa authentication login default group tacacs+ line > > aaa authentication enable default group tacacs+ enable > > > > Very simple one. > > > > And I compared the successful and unsuccessful login debug here. I also > > checked my Active Directory server, the events there are totally same for > > successful and unsuccessful login. 
> >
> > Successful login:
> > Feb 18 11:21:30.813 CST: tty1 AAA/DISC: 1/"User Request"
> > Feb 18 11:21:30.817 CST: tty1 AAA/DISC/EXT: 1020/"User Request"
> > Feb 18 11:21:30.817 CST: tty1 AAA/DISC: 9/"NAS Error"
> > Feb 18 11:21:30.817 CST: tty1 AAA/DISC/EXT: 1002/"Unknown"
> > Feb 18 11:21:30.817 CST: AAA/MEMORY: free_user (0x80CF5BDC) user='' ruser='' port='tty1' rem_addr='10.1.10.1' authen_type=ASCII service=LOGIN priv=1
> >
> > Unsuccessful login:
> > Feb 18 11:47:45.392 CST: tty1 AAA/DISC: 1/"User Request"
> > Feb 18 11:47:45.392 CST: tty1 AAA/DISC/EXT: 1020/"User Request"
> > Feb 18 11:47:45.392 CST: tty1 AAA/DISC: 9/"NAS Error"
> > Feb 18 11:47:45.396 CST: tty1 AAA/DISC/EXT: 1002/"Unknown"
> > Feb 18 11:47:45.396 CST: AAA/MEMORY: free_user (0x80CEAC74) user='testuser' ruser='' port='tty1' rem_addr='10.1.10.1' authen_type=ASCII service=LOGIN priv=1
> > Feb 18 11:48:00.248 CST: AAA: parse name=tty1 idb type=-1 tty=-1
> > Feb 18 11:48:00.248 CST: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
> > Feb 18 11:48:00.248 CST: AAA/MEMORY: create_user (0x80D7FC00) user='' ruser='' port='tty1' rem_addr='10.1.10.1' authen_type=ASCII service=LOGIN priv=1
> >
> >
> > The difference here is when the successful login happens, the "user" name is
> > empty but the unsuccessful login has the real user name "testuser" value. This
> > sounds weird to me. Total opposite to my thinking. I did several
> > comparisons. All the same log.
>
> what was in the tac_plus packet log (-d 256) ?
>
> > I just wonder why background and foreground have this difference. In
> > addition, not sure "NAS error" is a problem or not. It exists in the successful
> > login too.
> >
> > Thanks for your help. Really appreciated.
> >
> > Lou
> >
> > On Thu, Feb 18, 2010 at 12:16 AM, john heasley wrote:
> >
> > > Wed, Feb 17, 2010 at 04:16:04PM -0600, Hailu Meng:
> > > > Hi All,
> > > >
> > > > I have been running tac_plus in my redhat for a couple of months. And I
> > > > always run it as "tac_plus -C /etc/tac_plus.conf -t -d 120 -g" in the foreground.
> > > > Right now I try to set up a service for tac_plus and run it as a daemon. But
> > > > when I tried to run
> > > > "tac_plus -C /etc/tac_plus.conf -t -d 120", I can't login to my cisco switch.
> > > > It still asks me for the username, but it won't accept my password. The log
> > > > shows:
> > > >
> > > > Wed Feb 17 15:44:44 2010 [25229]: Reading config
> > > > Wed Feb 17 15:44:44 2010 [25229]: Version F4.0.4.19 Initialized 1
> > > > Wed Feb 17 15:44:44 2010 [25229]: tac_plus server F4.0.4.19 starting
> > > > Wed Feb 17 15:44:44 2010 [25230]: Backgrounded
> > > > Wed Feb 17 15:44:44 2010 [25231]: uid=505 euid=505 gid=505 egid=505 s=0
> > > > Wed Feb 17 15:44:54 2010 [25231]: session.peerip is 10.1.1.10
> > > > Wed Feb 17 15:44:54 2010 [25234]: connect from 10.1.1.10 [10.1.1.10]
> > > > Wed Feb 17 15:44:55 2010 [25234]: pam_verify username
> > > > Wed Feb 17 15:44:55 2010 [25234]: pam_tacacs received 1 pam_messages
> > > > Wed Feb 17 15:44:55 2010 [25234]: Error 10.1.1.10 tty1: PAM_PROMPT_ECHO_OFF
> > > > Wed Feb 17 15:44:59 2010 [25234]: pam_verify returns 1
> > > > Wed Feb 17 15:44:59 2010 [25234]: Password has not expired <no expiry date set>
> > > > Wed Feb 17 15:44:59 2010 [25234]: login query for 'username' tty1 from 10.1.1.10 accepted
> > > > Wed Feb 17 15:45:05 2010 [25231]: session.peerip is 10.1.1.10
> > > > Wed Feb 17 15:45:05 2010 [25238]: connect from 10.1.1.10 [10.1.1.10]
> > > >
> > > > After the above log, the switch pops up "Password" again asking me for the
> > > > password. I compared the normal log. It is the same as the above. Wondering
> > > > why it already accepted but still keeps asking me for the password.
> > > >
> > > > Does anyone have an idea about this?
> > >
> > > you might try -d 256 and verify that the config on the device is correct.
> > > also inspect the syslog for messages from the device.
From heas at shrubbery.net Thu Feb 18 23:45:19 2010
From: heas at shrubbery.net (john heasley)
Date: Thu, 18 Feb 2010 15:45:19 -0800
Subject: [tac_plus] Re: Issue when starting up
In-Reply-To: <8dabae5b1002181202s32f1c0a8r390e4daacc8debf6@mail.gmail.com>
References: <8dabae5b1002171416u2f3d2574mf5eb22116fa10962@mail.gmail.com> <20100218061628.GG27716@shrubbery.net> <8dabae5b1002181002g733eb460tde2059ce94078799@mail.gmail.com> <20100218192127.GE21216@shrubbery.net> <8dabae5b1002181202s32f1c0a8r390e4daacc8debf6@mail.gmail.com>
Message-ID: <20100218234519.GM21216@shrubbery.net>

Thu, Feb 18, 2010 at 02:02:46PM -0600, Hailu Meng:
> Thu Feb 18 13:42:22 2010 [27117]: Writing AUTHEN/SUCCEED size=18
> Thu Feb 18 13:42:22 2010 [27117]: PACKET: key=mykey
> Thu Feb 18 13:42:22 2010 [27117]: version 192 (0xc0), type 1, seq no 6, flags 0x1
> Thu Feb 18 13:42:22 2010 [27117]: session_id 3918696952 (0xe99291f8), Data length 6 (0x6)
> Thu Feb 18 13:42:22 2010 [27117]: End header
> Thu Feb 18 13:42:22 2010 [27117]: type=AUTHEN status=1 (AUTHEN/SUCCEED) flags=0x0
> Thu Feb 18 13:42:22 2010 [27117]: msg_len=0, data_len=0
> Thu Feb 18 13:42:22 2010 [27117]: msg:
> Thu Feb 18 13:42:22 2010 [27117]: data:
> Thu Feb 18 13:42:22 2010 [27117]: End packet
> Thu Feb 18 13:42:22 2010 [27117]: 10.1.2.1: disconnect
> *<------ This above is the same as the successful one; from here, I got another "Password" prompt asking for the password.
> Even when I input my correct password for the 2nd time, it just doesn't allow me in. I also tried a wrong password for the first password input on purpose, and I did get a rejected message like "login query for 'testuser' tty1 from 10.1.2.1 rejected"*
> Thu Feb 18 13:42:28 2010 [27116]: session request from 10.1.2.1 sock=2
> Thu Feb 18 13:42:28 2010 [27135]: connect from 10.1.2.1 [10.1.2.1]
> Thu Feb 18 13:42:28 2010 [27135]: Waiting for packet
> Thu Feb 18 13:42:28 2010 [27135]: Read AUTHEN/START size=35
> Thu Feb 18 13:42:28 2010 [27135]: validation request from 10.1.2.1
> Thu Feb 18 13:42:28 2010 [27135]: PACKET: key=mykey
> Thu Feb 18 13:42:28 2010 [27135]: version 192 (0xc0), type 1, seq no 1, flags 0x1
> Thu Feb 18 13:42:28 2010 [27135]: session_id 3154815253 (0xbc0aa915), Data length 23 (0x17)

it's starting a new auth connection.

what's the tacacs conf on the device?

From hailumeng at gmail.com Fri Feb 19 01:10:52 2010
From: hailumeng at gmail.com (Hailu Meng)
Date: Thu, 18 Feb 2010 19:10:52 -0600
Subject: [tac_plus] Re: Issue when starting up
In-Reply-To: <20100218234519.GM21216@shrubbery.net>
References: <8dabae5b1002171416u2f3d2574mf5eb22116fa10962@mail.gmail.com> <20100218061628.GG27716@shrubbery.net> <8dabae5b1002181002g733eb460tde2059ce94078799@mail.gmail.com> <20100218192127.GE21216@shrubbery.net> <8dabae5b1002181202s32f1c0a8r390e4daacc8debf6@mail.gmail.com> <20100218234519.GM21216@shrubbery.net>
Message-ID: <8dabae5b1002181710r3411c64bqf89ce1247a75c077@mail.gmail.com>

Here is my tac_plus conf in the linux box:

accounting file = /var/log/tacacs_acct
key = mykey

user = $enab15$ {
    login = des "DKxtKRZ/XeEgM"
}

group = admin {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

group = limited {
    default service = deny
    service = exec {
        priv-lvl = 1
    }
    cmd = show {
        permit ip
        permit interface
    }
}

user = testuser {
    member = admin
    login = PAM
}

On Thu, Feb 18, 2010 at 5:45 PM, john heasley wrote:

> Thu, Feb 18, 2010 at 02:02:46PM -0600, Hailu Meng:
> > Thu Feb 18 13:42:22 2010 [27117]: Writing AUTHEN/SUCCEED size=18
> > Thu Feb 18 13:42:22 2010 [27117]: PACKET: key=mykey
> > Thu Feb 18 13:42:22 2010 [27117]: version 192 (0xc0), type 1, seq no 6, flags 0x1
> > Thu Feb 18 13:42:22 2010 [27117]: session_id 3918696952 (0xe99291f8), Data length 6 (0x6)
> > Thu Feb 18 13:42:22 2010 [27117]: End header
> > Thu Feb 18 13:42:22 2010 [27117]: type=AUTHEN status=1 (AUTHEN/SUCCEED) flags=0x0
> > Thu Feb 18 13:42:22 2010 [27117]: msg_len=0, data_len=0
> > Thu Feb 18 13:42:22 2010 [27117]: msg:
> > Thu Feb 18 13:42:22 2010 [27117]: data:
> > Thu Feb 18 13:42:22 2010 [27117]: End packet
> > Thu Feb 18 13:42:22 2010 [27117]: 10.1.2.1: disconnect
> > *<------ This above is the same as the successful one; from here, I got another "Password" prompt asking for the password. Even when I input my correct password for the 2nd time, it just doesn't allow me in. I also tried a wrong password for the first password input on purpose, and I did get a rejected message like "login query for 'testuser' tty1 from 10.1.2.1 rejected"*
> >
> > Thu Feb 18 13:42:28 2010 [27116]: session request from 10.1.2.1 sock=2
> > Thu Feb 18 13:42:28 2010 [27135]: connect from 10.1.2.1 [10.1.2.1]
> > Thu Feb 18 13:42:28 2010 [27135]: Waiting for packet
> > Thu Feb 18 13:42:28 2010 [27135]: Read AUTHEN/START size=35
> > Thu Feb 18 13:42:28 2010 [27135]: validation request from 10.1.2.1
> > Thu Feb 18 13:42:28 2010 [27135]: PACKET: key=mykey
> > Thu Feb 18 13:42:28 2010 [27135]: version 192 (0xc0), type 1, seq no 1, flags 0x1
> > Thu Feb 18 13:42:28 2010 [27135]: session_id 3154815253 (0xbc0aa915), Data length 23 (0x17)
>
> it's starting a new auth connection.
>
> what's the tacacs conf on the device?
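The daemon-side evidence in this thread is a tac_plus packet-debug log in which a connection ends with AUTHEN/SUCCEED and, six seconds later, the same NAS opens a brand-new AUTHEN/START (a new session_id, a new child pid) instead of treating the login as finished. The following script, an added example written for this thread rather than code from tac_plus or from anyone posting here, groups such debug output into per-connection sessions and reports exactly that "accepted, then immediately re-authenticating" pattern, so the symptom can be spotted in a long log without reading it by hand. SAMPLE_LOG is a constructed, shortened version of the exchange quoted above; the timestamp, "connect from", "session_id", "login query ... accepted/rejected" and "disconnect" line shapes are the ones shown in the thread, and any log line of another shape is ignored.

```python
"""Correlate tac_plus packet-debug lines into authentication sessions and flag
an accepted login that is followed almost at once by a fresh AUTHEN/START from
the same NAS (the device re-prompting for a password after AUTHEN/SUCCEED).

Added example for this thread, not tac_plus code. SAMPLE_LOG is a constructed,
shortened version of the exchange quoted in the thread.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# "Thu Feb 18 13:42:17 2010 [27117]: <message>" -- shape of every debug line
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"^connect from (?P<peer>\S+) \[")
SESSION_RE = re.compile(r"^session_id (?P<sid>\d+) \(0x[0-9a-f]+\)")
QUERY_RE = re.compile(
    r"^login query for '(?P<user>[^']*)' (?P<port>\S+) from \S+ (?P<verdict>accepted|rejected)"
)

SAMPLE_LOG = """\
Thu Feb 18 13:42:17 2010 [27117]: connect from 10.1.2.1 [10.1.2.1]
Thu Feb 18 13:42:17 2010 [27117]: Read AUTHEN/START size=35
Thu Feb 18 13:42:17 2010 [27117]: session_id 3918696952 (0xe99291f8), Data length 23 (0x17)
Thu Feb 18 13:42:18 2010 [27117]: Writing AUTHEN/GETPASS size=28
Thu Feb 18 13:42:22 2010 [27117]: login query for 'testuser' tty1 from 10.1.2.1 accepted
Thu Feb 18 13:42:22 2010 [27117]: Writing AUTHEN/SUCCEED size=18
Thu Feb 18 13:42:22 2010 [27117]: 10.1.2.1: disconnect
Thu Feb 18 13:42:28 2010 [27135]: connect from 10.1.2.1 [10.1.2.1]
Thu Feb 18 13:42:28 2010 [27135]: Read AUTHEN/START size=35
Thu Feb 18 13:42:28 2010 [27135]: session_id 3154815253 (0xbc0aa915), Data length 23 (0x17)
Thu Feb 18 13:42:28 2010 [27135]: Waiting for packet
Thu Feb 18 13:50:01 2010 [27200]: connect from 10.1.2.9 [10.1.2.9]
Thu Feb 18 13:50:01 2010 [27200]: Read AUTHEN/START size=35
Thu Feb 18 13:50:01 2010 [27200]: session_id 1234567 (0x12d687), Data length 23 (0x17)
Thu Feb 18 13:50:05 2010 [27200]: login query for 'alice' tty1 from 10.1.2.9 accepted
Thu Feb 18 13:50:05 2010 [27200]: Writing AUTHEN/SUCCEED size=18
Thu Feb 18 13:50:05 2010 [27200]: 10.1.2.9: disconnect
"""


@dataclass
class AuthSession:
    pid: str                            # tac_plus forks one child per connection
    peer: Optional[str] = None          # NAS address from "connect from"
    session_id: Optional[int] = None    # TACACS+ header session_id
    user: Optional[str] = None
    port: Optional[str] = None
    started: Optional[datetime] = None  # time of AUTHEN/START
    finished: Optional[datetime] = None # time of "disconnect"
    verdict: Optional[str] = None       # "accepted" / "rejected" from the login query line
    reply: Optional[str] = None         # AUTHEN/SUCCEED or AUTHEN/FAIL written to the NAS


def parse_sessions(log_text: str) -> List[AuthSession]:
    """Group debug lines by child pid into AuthSession objects, first-seen order."""
    sessions: Dict[str, AuthSession] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # wrapped continuation lines and other noise
        ts = datetime.strptime(re.sub(r" +", " ", m["ts"]), "%a %b %d %H:%M:%S %Y")
        s = sessions.setdefault(m["pid"], AuthSession(pid=m["pid"]))
        msg = m["msg"]
        if c := CONNECT_RE.match(msg):
            s.peer = c["peer"]
        elif msg.startswith("Read AUTHEN/START"):
            s.started = ts
        elif (sid := SESSION_RE.match(msg)) and s.session_id is None:
            s.session_id = int(sid["sid"])  # printed per packet; keep the first
        elif q := QUERY_RE.match(msg):
            s.user, s.port, s.verdict = q["user"], q["port"], q["verdict"]
        elif msg.startswith(("Writing AUTHEN/SUCCEED", "Writing AUTHEN/FAIL")):
            s.reply = msg.split()[1]
        elif msg.endswith(": disconnect"):
            s.finished = ts
    return list(sessions.values())


def find_reprompts(sessions: List[AuthSession], window_seconds: int = 30
                   ) -> List[Tuple[AuthSession, AuthSession]]:
    """Pair an accepted session with the next AUTHEN/START from the same NAS when
    it arrives within window_seconds of the accepted session's disconnect.
    A healthy login yields no pair: the device has no reason to start a fresh
    authentication right after it received AUTHEN/SUCCEED."""
    ordered = sorted((s for s in sessions if s.started), key=lambda s: s.started)
    pairs = []
    for i, s in enumerate(ordered):
        if s.verdict != "accepted" or s.finished is None:
            continue
        for later in ordered[i + 1:]:
            if later.peer != s.peer:
                continue
            gap = (later.started - s.finished).total_seconds()
            if 0 <= gap <= window_seconds:
                pairs.append((s, later))
            break  # only the first following session from this NAS matters
    return pairs


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_LOG)
    for s in found:
        print(f"pid {s.pid} peer={s.peer} session_id={s.session_id} "
              f"user={s.user!r} verdict={s.verdict} reply={s.reply}")
    for ok, again in find_reprompts(found):
        gap = (again.started - ok.finished).total_seconds()
        print(f"RE-PROMPT: {ok.peer} accepted {ok.user!r} in pid {ok.pid}, then opened "
              f"a new AUTHEN/START in pid {again.pid} {gap:.0f}s later")
```

Run it against a real `-d 120` log (after piping the file through `parse_sessions`) and the "RE-PROMPT" lines identify which NAS and which accepted user were followed by a second authentication; a NAS that never appears there behaves normally, and a NAS that shows up only while the daemon is backgrounded narrows the problem to that mode, which is the comparison the thread is trying to make.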
From hailumeng at gmail.com Fri Feb 19 13:58:35 2010
From: hailumeng at gmail.com (Hailu Meng)
Date: Fri, 19 Feb 2010 07:58:35 -0600
Subject: [tac_plus] Re: Issue when starting up
In-Reply-To: <20100219011832.GP21216@shrubbery.net>
References: <8dabae5b1002171416u2f3d2574mf5eb22116fa10962@mail.gmail.com> <20100218061628.GG27716@shrubbery.net> <8dabae5b1002181002g733eb460tde2059ce94078799@mail.gmail.com> <20100218192127.GE21216@shrubbery.net> <8dabae5b1002181202s32f1c0a8r390e4daacc8debf6@mail.gmail.com> <20100218234519.GM21216@shrubbery.net> <8dabae5b1002181705l3436aac6v7cc911f5031cd829@mail.gmail.com> <20100219011832.GP21216@shrubbery.net>
Message-ID: <8dabae5b1002190558x50bcccd9o240a223e7acba221@mail.gmail.com>

The tacacs config in my switch is simple:

tacacs-server host 10.20.1.72
tacacs-server key 7 xxxxxxxxx

The tac_plus.conf in the server:

accounting file = /var/log/tacacs_acct
key = mykey

user = $enab15$ {
    login = des "DKxtKRZ/XeEgM"
}

group = admin {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

group = limited {
    default service = deny
    service = exec {
        priv-lvl = 1
    }
    cmd = show {
        permit ip
        permit interface
    }
}

user = testuser {
    member = admin
    login = PAM
}

Thanks a lot John. From this configuration, I can't tell this is requesting another authentication.

On Thu, Feb 18, 2010 at 7:18 PM, john heasley wrote:

> Thu, Feb 18, 2010 at 07:05:57PM -0600, Hailu Meng:
> > Thanks John. My tacacs+ configuration in switch is simple:
> >
> > aaa new-model
> > aaa authentication login default group tacacs+ line
> > aaa authentication enable default group tacacs+ enable
>
> that's the aaa config, what about tacacs.
> >
> >
> > On Thu, Feb 18, 2010 at 5:45 PM, john heasley wrote:
> >
> > > Thu, Feb 18, 2010 at 02:02:46PM -0600, Hailu Meng:
> > > > Thu Feb 18 13:42:22 2010 [27117]: Writing AUTHEN/SUCCEED size=18
> > > > Thu Feb 18 13:42:22 2010 [27117]: PACKET: key=mykey
> > > > Thu Feb 18 13:42:22 2010 [27117]: version 192 (0xc0), type 1, seq no 6, flags 0x1
> > > > Thu Feb 18 13:42:22 2010 [27117]: session_id 3918696952 (0xe99291f8), Data length 6 (0x6)
> > > > Thu Feb 18 13:42:22 2010 [27117]: End header
> > > > Thu Feb 18 13:42:22 2010 [27117]: type=AUTHEN status=1 (AUTHEN/SUCCEED) flags=0x0
> > > > Thu Feb 18 13:42:22 2010 [27117]: msg_len=0, data_len=0
> > > > Thu Feb 18 13:42:22 2010 [27117]: msg:
> > > > Thu Feb 18 13:42:22 2010 [27117]: data:
> > > > Thu Feb 18 13:42:22 2010 [27117]: End packet
> > > > Thu Feb 18 13:42:22 2010 [27117]: 10.1.2.1: disconnect
> > > > *<------ This above is the same as the successful one; from here, I got another "Password" prompt asking for the password. Even when I input my correct password for the 2nd time, it just doesn't allow me in. I also tried a wrong password for the first password input on purpose, and I did get a rejected message like "login query for 'testuser' tty1 from 10.1.2.1 rejected"*
> > > >
> > > > Thu Feb 18 13:42:28 2010 [27116]: session request from 10.1.2.1 sock=2
> > > > Thu Feb 18 13:42:28 2010 [27135]: connect from 10.1.2.1 [10.1.2.1]
> > > > Thu Feb 18 13:42:28 2010 [27135]: Waiting for packet
> > > > Thu Feb 18 13:42:28 2010 [27135]: Read AUTHEN/START size=35
> > > > Thu Feb 18 13:42:28 2010 [27135]: validation request from 10.1.2.1
> > > > Thu Feb 18 13:42:28 2010 [27135]: PACKET: key=mykey
> > > > Thu Feb 18 13:42:28 2010 [27135]: version 192 (0xc0), type 1, seq no 1, flags 0x1
> > > > Thu Feb 18 13:42:28 2010 [27135]: session_id 3154815253 (0xbc0aa915), Data length 23 (0x17)
> > >
> > > it's starting a new auth connection.
> > >
> > > what's the tacacs conf on the device?
From hailumeng at gmail.com Fri Feb 19 16:20:05 2010
From: hailumeng at gmail.com (Hailu Meng)
Date: Fri, 19 Feb 2010 10:20:05 -0600
Subject: [tac_plus] Re: Issue when starting up
In-Reply-To: <20100219160054.GA29861@shrubbery.net>
References: <8dabae5b1002171416u2f3d2574mf5eb22116fa10962@mail.gmail.com> <20100218061628.GG27716@shrubbery.net> <8dabae5b1002181002g733eb460tde2059ce94078799@mail.gmail.com> <20100218192127.GE21216@shrubbery.net> <8dabae5b1002181202s32f1c0a8r390e4daacc8debf6@mail.gmail.com> <20100218234519.GM21216@shrubbery.net> <8dabae5b1002181705l3436aac6v7cc911f5031cd829@mail.gmail.com> <20100219011832.GP21216@shrubbery.net> <8dabae5b1002190558x50bcccd9o240a223e7acba221@mail.gmail.com> <20100219160054.GA29861@shrubbery.net>
Message-ID: <8dabae5b1002190820q1d1c01e1m10841a9e5c64614@mail.gmail.com>

But I have two different models of switches that have the same problem when using backgrounded tac_plus. It seems not to be an IOS bug.

On Fri, Feb 19, 2010 at 10:00 AM, john heasley wrote:

> Fri, Feb 19, 2010 at 07:58:35AM -0600, Hailu Meng:
> > The tacacs config in my switch is simple:
> > tacacs-server host 10.1.5.1
> > tacacs-server key 7 xxxxxxxxx
>
> that's it? nothing else? if that's it, i can't imagine why it's requesting
> multiple times. i suggest that you contact cisco to research bugs in IOS.
>
> > The tac_plus.conf in server:
> > accounting file = /var/log/tacacs_acct
> > key = mykey
> >
> > user = $enab15$ {
> > login = des "DKxtKRZ/XeEgM"
> > }
> >
> > group = admin {
> > default service = permit
> > service = exec {
> > priv-lvl = 15
> > }
> > }
> >
> > group = limited {
> > default service = deny
> > service = exec {
> > priv-lvl = 1
> > }
> > cmd = show {
> > permit ip
> > permit interface
> > }
> > }
> >
> > user = testuser{
> > member = admin
> > login = PAM
> > }
> >
> > Thanks a lot John.
> > From this configuration, I can't tell this is requesting
> > another authentication.
> >
> > On Thu, Feb 18, 2010 at 7:18 PM, john heasley wrote:
> >
> > > Thu, Feb 18, 2010 at 07:05:57PM -0600, Hailu Meng:
> > > > Thanks John. My tacacs+ configuration in switch is simple:
> > > >
> > > > aaa new-model
> > > > aaa authentication login default group tacacs+ line
> > > > aaa authentication enable default group tacacs+ enable
> > >
> > > that's the aaa config, what about tacacs.
> > >
> > > >
> > > > On Thu, Feb 18, 2010 at 5:45 PM, john heasley wrote:
> > > >
> > > > > Thu, Feb 18, 2010 at 02:02:46PM -0600, Hailu Meng:
> > > > > > Thu Feb 18 13:42:22 2010 [27117]: Writing AUTHEN/SUCCEED size=18
> > > > > > Thu Feb 18 13:42:22 2010 [27117]: PACKET: key=mykey
> > > > > > Thu Feb 18 13:42:22 2010 [27117]: version 192 (0xc0), type 1, seq no 6, flags 0x1
> > > > > > Thu Feb 18 13:42:22 2010 [27117]: session_id 3918696952 (0xe99291f8), Data length 6 (0x6)
> > > > > > Thu Feb 18 13:42:22 2010 [27117]: End header
> > > > > > Thu Feb 18 13:42:22 2010 [27117]: type=AUTHEN status=1 (AUTHEN/SUCCEED) flags=0x0
> > > > > > Thu Feb 18 13:42:22 2010 [27117]: msg_len=0, data_len=0
> > > > > > Thu Feb 18 13:42:22 2010 [27117]: msg:
> > > > > > Thu Feb 18 13:42:22 2010 [27117]: data:
> > > > > > Thu Feb 18 13:42:22 2010 [27117]: End packet
> > > > > > Thu Feb 18 13:42:22 2010 [27117]: 10.1.2.1: disconnect
> > > > > > *<------ This above is the same as the successful one; from here, I got another "Password" prompt asking for the password. Even when I input my correct password for the 2nd time, it just doesn't allow me in. I also tried a wrong password for the first password input on purpose, and I did get a rejected message like "login query for 'testuser' tty1 from 10.1.2.1 rejected"*
> > > > > >
> > > > > > Thu Feb 18 13:42:28 2010 [27116]: session request from 10.1.2.1 sock=2
> > > > > > Thu Feb 18 13:42:28 2010 [27135]: connect from 10.1.2.1 [10.1.2.1]
> > > > > > Thu Feb 18 13:42:28 2010 [27135]: Waiting for packet
> > > > > > Thu Feb 18 13:42:28 2010 [27135]: Read AUTHEN/START size=35
> > > > > > Thu Feb 18 13:42:28 2010 [27135]: validation request from 10.1.2.1
> > > > > > Thu Feb 18 13:42:28 2010 [27135]: PACKET: key=mykey
> > > > > > Thu Feb 18 13:42:28 2010 [27135]: version 192 (0xc0), type 1, seq no 1, flags 0x1
> > > > > > Thu Feb 18 13:42:28 2010 [27135]: session_id 3154815253 (0xbc0aa915), Data length 23 (0x17)
> > > > >
> > > > > it's starting a new auth connection.
> > > > >
> > > > > what's the tacacs conf on the device?