[tac_plus] Re: Issue when starting up

Hailu Meng hailumeng at gmail.com
Thu Feb 18 18:02:20 UTC 2010


Thanks John. I tried to debug aaa information in my switch. I deleted the
authorization and accounting setup in my switch trying to make things simple.
Here is my current setup in the switch:
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable

Very simple one.

And I compared the successful and unsuccessful login debug here. I also
checked my Active Directory server; the events there are totally the same for
successful and unsuccessful login.

Successful login:
Feb 18 11:21:30.813 CST: tty1 AAA/DISC: 1/"User Request"
Feb 18 11:21:30.817 CST: tty1 AAA/DISC/EXT: 1020/"User Request"
Feb 18 11:21:30.817 CST: tty1 AAA/DISC: 9/"NAS Error"
Feb 18 11:21:30.817 CST: tty1 AAA/DISC/EXT: 1002/"Unknown"
Feb 18 11:21:30.817 CST: AAA/MEMORY: free_user (0x80CF5BDC) user='' ruser=''
port='tty1' rem_addr='10.1.10.1' authen_type=ASCII service=LOGIN priv=1

Unsuccessful login:
Feb 18 11:47:45.392 CST: tty1 AAA/DISC: 1/"User Request"
Feb 18 11:47:45.392 CST: tty1 AAA/DISC/EXT: 1020/"User Request"
Feb 18 11:47:45.392 CST: tty1 AAA/DISC: 9/"NAS Error"
Feb 18 11:47:45.396 CST: tty1 AAA/DISC/EXT: 1002/"Unknown"
Feb 18 11:47:45.396 CST: AAA/MEMORY: free_user (0x80CEAC74) user='testuser'
ruser='' port='tty1' rem_addr='10.1.10.1' authen_type=ASCII service=LOGIN
priv=1
Feb 18 11:48:00.248 CST: AAA: parse name=tty1 idb type=-1 tty=-1
Feb 18 11:48:00.248 CST: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0
adapter=0 port=1 channel=0
Feb 18 11:48:00.248 CST: AAA/MEMORY: create_user (0x80D7FC00) user=''
ruser='' port='tty1' rem_addr='10.1.10.1' authen_type=ASCII service=LOGIN
priv=1


The difference here is when the successful login happens, the "user" name is
empty, but the unsuccessful login has the real user name "testuser" value. This
sounds weird to me. Totally opposite to my thinking. I did several
comparisons. All the same log.

I just wonder why background and foreground have this difference. In
addition, I am not sure whether "NAS error" is a problem or not. It exists in
successful login too.

Thanks for your help. Really appreciated.

Lou

On Thu, Feb 18, 2010 at 12:16 AM, john heasley <heas at shrubbery.net> wrote:

> Wed, Feb 17, 2010 at 04:16:04PM -0600, Hailu Meng:
> > Hi All,
> >
> > I have been running tac_plus on my Red Hat box for a couple of months, and I
> > always run it as "tac_plus -C /etc/tac_plus.conf -t -d 120 -g" in the
> > foreground. Right now I am trying to set up a service for tac_plus and run it
> > as a daemon. But when I tried to run
> > "tac_plus -C /etc/tac_plus.conf -t -d 120", I can't log in to my Cisco
> > switch. It still asks me for a username, but it won't accept my password. The
> > log shows:
> >
> > Wed Feb 17 15:44:44 2010 [25229]: Reading config
> > Wed Feb 17 15:44:44 2010 [25229]: Version F4.0.4.19 Initialized 1
> > Wed Feb 17 15:44:44 2010 [25229]: tac_plus server F4.0.4.19 starting
> > Wed Feb 17 15:44:44 2010 [25230]: Backgrounded
> > Wed Feb 17 15:44:44 2010 [25231]: uid=505 euid=505 gid=505 egid=505 s=0
> > Wed Feb 17 15:44:54 2010 [25231]: session.peerip is 10.1.1.10
> > Wed Feb 17 15:44:54 2010 [25234]: connect from 10.1.1.10 [10.1.1.10]
> > Wed Feb 17 15:44:55 2010 [25234]: pam_verify username
> > Wed Feb 17 15:44:55 2010 [25234]: pam_tacacs received 1 pam_messages
> > Wed Feb 17 15:44:55 2010 [25234]: Error 10.1.1.10 tty1:
> PAM_PROMPT_ECHO_OFF
> > Wed Feb 17 15:44:59 2010 [25234]: pam_verify returns 1
> > Wed Feb 17 15:44:59 2010 [25234]: Password has not expired <no expiry
> date
> > set>
> > Wed Feb 17 15:44:59 2010 [25234]: login query for 'username' tty1 from
> > 10.1.1.10 accepted
> > Wed Feb 17 15:45:05 2010 [25231]: session.peerip is 10.1.1.10
> > Wed Feb 17 15:45:05 2010 [25238]: connect from 10.1.1.10 [10.1.1.10]
> >
> > After the above log, the switch pops up "Password" again asking me for the
> > password. I compared the normal log. It is the same as the above. Wondering
> > why it already accepted but still keeps asking me for the password.
> >
> > Does anyone have any idea about this?
>
> you might try -d 256 and verify that the config on the device is correct.
> also inspect the syslog for messages from the device.
>
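As an added example (not code from this thread or from tac_plus), a small Python parser that unwraps the line-wrapped IOS `AAA/MEMORY` debug records quoted above and reports which fields differ between the two sessions. The sample records are copied from this mail; the function names and the field regexes are mine.

```python
import re

# Constructed sample input: the AAA/MEMORY records from the two sessions in
# the mail, with the continuation lines wrapped exactly as in the archive.
SUCCESSFUL = """\
Feb 18 11:21:30.817 CST: AAA/MEMORY: free_user (0x80CF5BDC) user='' ruser=''
port='tty1' rem_addr='10.1.10.1' authen_type=ASCII service=LOGIN priv=1
"""
UNSUCCESSFUL = """\
Feb 18 11:47:45.396 CST: AAA/MEMORY: free_user (0x80CEAC74) user='testuser'
ruser='' port='tty1' rem_addr='10.1.10.1' authen_type=ASCII service=LOGIN
priv=1
Feb 18 11:48:00.248 CST: AAA/MEMORY: create_user (0x80D7FC00) user=''
ruser='' port='tty1' rem_addr='10.1.10.1' authen_type=ASCII service=LOGIN
priv=1
"""

# A record starts with an IOS timestamp such as "Feb 18 11:21:30.817 CST: ".
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+ [A-Z]+: ")
MEMORY = re.compile(r"AAA/MEMORY: (\w+) \((0x[0-9A-Fa-f]+)\) (.*)")
# key='quoted value' or key=bareword
FIELD = re.compile(r"(\w+)=(?:'([^']*)'|(\S+))")

def unwrap(text):
    """Join continuation lines (no leading timestamp) onto the preceding record."""
    records = []
    for line in text.splitlines():
        if TIMESTAMP.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records

def parse_aaa_memory(text):
    """Return one dict per create_user/free_user record, keyed by field name."""
    events = []
    for rec in unwrap(text):
        m = MEMORY.search(rec)
        if not m:
            continue
        # Empty quoted values ('') and bare values both come through correctly.
        fields = {k: (q or b) for k, q, b in FIELD.findall(m.group(3))}
        fields["event"] = m.group(1)
        events.append(fields)
    return events

def diff_sessions(good, bad):
    """Fields whose values differ between the first free_user of each session."""
    g = next(e for e in parse_aaa_memory(good) if e["event"] == "free_user")
    b = next(e for e in parse_aaa_memory(bad) if e["event"] == "free_user")
    return {k: (g.get(k), b.get(k)) for k in sorted(set(g) | set(b)) if g.get(k) != b.get(k)}
```

Running `diff_sessions(SUCCESSFUL, UNSUCCESSFUL)` isolates the single differing field (`user`) that the mail points out, which is easier to see than eyeballing the wrapped lines.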