[tac_plus] Re: Issue when starting up

john heasley heas at shrubbery.net
Thu Feb 18 19:21:27 UTC 2010


Thu, Feb 18, 2010 at 12:02:20PM -0600, Hailu Meng:
> Thanks John. I tried to debug AAA information in my switch. I deleted the
> authorization and accounting setup in my switch, trying to make things simple.
> Here is my current setup in the switch:
> aaa new-model
> aaa authentication login default group tacacs+ line
> aaa authentication enable default group tacacs+ enable
> 
> Very simple one.
> 
> And I compared the successful and unsuccessful login debug here. I also
> checked my Active Directory server; the events there are totally the same for
> successful and unsuccessful logins.
> 
> Successful login:
> Feb 18 11:21:30.813 CST: tty1 AAA/DISC: 1/"User Request"
> Feb 18 11:21:30.817 CST: tty1 AAA/DISC/EXT: 1020/"User Request"
> Feb 18 11:21:30.817 CST: tty1 AAA/DISC: 9/"NAS Error"
> Feb 18 11:21:30.817 CST: tty1 AAA/DISC/EXT: 1002/"Unknown"
> Feb 18 11:21:30.817 CST: AAA/MEMORY: free_user (0x80CF5BDC) user='' ruser='' port='tty1' rem_addr='10.1.10.1' authen_type=ASCII service=LOGIN priv=1
> 
> Unsuccessful login:
> Feb 18 11:47:45.392 CST: tty1 AAA/DISC: 1/"User Request"
> Feb 18 11:47:45.392 CST: tty1 AAA/DISC/EXT: 1020/"User Request"
> Feb 18 11:47:45.392 CST: tty1 AAA/DISC: 9/"NAS Error"
> Feb 18 11:47:45.396 CST: tty1 AAA/DISC/EXT: 1002/"Unknown"
> Feb 18 11:47:45.396 CST: AAA/MEMORY: free_user (0x80CEAC74) user='testuser' ruser='' port='tty1' rem_addr='10.1.10.1' authen_type=ASCII service=LOGIN priv=1
> Feb 18 11:48:00.248 CST: AAA: parse name=tty1 idb type=-1 tty=-1
> Feb 18 11:48:00.248 CST: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
> Feb 18 11:48:00.248 CST: AAA/MEMORY: create_user (0x80D7FC00) user='' ruser='' port='tty1' rem_addr='10.1.10.1' authen_type=ASCII service=LOGIN priv=1
> 
> 
> The difference here is that when the successful login happens, the "user" name is
> empty, but the unsuccessful login has the real user name "testuser" value. This
> sounds weird to me. It is the total opposite of my thinking. I did several
> comparisons. All the same log.

what was in the tac_plus packet log (-d 256) ?

> I just wonder why background and foreground have this difference. In
> addition, I'm not sure whether "NAS error" is a problem or not. It exists in
> successful logins too.
> 
> Thanks for your help. Really appreciated.
> 
> Lou
> 
> On Thu, Feb 18, 2010 at 12:16 AM, john heasley <heas at shrubbery.net> wrote:
> 
> > Wed, Feb 17, 2010 at 04:16:04PM -0600, Hailu Meng:
> > > Hi All,
> > >
> > > I have been running tac_plus on my Red Hat box for a couple of months, and I
> > > always run it as "tac_plus -C /etc/tac_plus.conf -t -d 120 -g" in the
> > > foreground. Right now I am trying to set up a service for tac_plus and run it
> > > as a daemon. But when I try to run
> > > "tac_plus -C /etc/tac_plus.conf -t -d 120", I can't log in to my Cisco
> > > switch. It still asks me for a username, but it won't accept my password. The
> > > log shows:
> > >
> > > Wed Feb 17 15:44:44 2010 [25229]: Reading config
> > > Wed Feb 17 15:44:44 2010 [25229]: Version F4.0.4.19 Initialized 1
> > > Wed Feb 17 15:44:44 2010 [25229]: tac_plus server F4.0.4.19 starting
> > > Wed Feb 17 15:44:44 2010 [25230]: Backgrounded
> > > Wed Feb 17 15:44:44 2010 [25231]: uid=505 euid=505 gid=505 egid=505 s=0
> > > Wed Feb 17 15:44:54 2010 [25231]: session.peerip is 10.1.1.10
> > > Wed Feb 17 15:44:54 2010 [25234]: connect from 10.1.1.10 [10.1.1.10]
> > > Wed Feb 17 15:44:55 2010 [25234]: pam_verify username
> > > Wed Feb 17 15:44:55 2010 [25234]: pam_tacacs received 1 pam_messages
> > > Wed Feb 17 15:44:55 2010 [25234]: Error 10.1.1.10 tty1: PAM_PROMPT_ECHO_OFF
> > > Wed Feb 17 15:44:59 2010 [25234]: pam_verify returns 1
> > > Wed Feb 17 15:44:59 2010 [25234]: Password has not expired <no expiry date set>
> > > Wed Feb 17 15:44:59 2010 [25234]: login query for 'username' tty1 from
> > > 10.1.1.10 accepted
> > > Wed Feb 17 15:45:05 2010 [25231]: session.peerip is 10.1.1.10
> > > Wed Feb 17 15:45:05 2010 [25238]: connect from 10.1.1.10 [10.1.1.10]
> > >
> > > After the above log, the switch pops up "Password" again, asking me for the
> > > password. I compared it with the normal log. It is the same as the above. I am
> > > wondering why it has already accepted but still keeps asking me for the password.
> > >
> > > Does anyone have idea about this?
> >
> > you might try -d 256 and verify that the config on the device is correct.
> > also inspect the syslog for messages from the device.
> >
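
As an added example (not part of this thread and not code from the tac_plus project), the script below groups tac_plus log lines by the child pid in brackets and reduces each TCP connection to one row (peer, user, tty, pam_verify return code, verdict, seconds from connect to verdict), so the working foreground run and the daemon run can be compared session by session before reading the -d 256 packet dump. The sample log is the thread's own lines from the daemonised run plus one constructed connection (pid 25242) that is rejected; the exact wording of the "rejected" message is assumed to mirror the "accepted" message shown above, and the regexes are written for the log format quoted in the thread only.

```python
import re
from datetime import datetime

# Constructed sample: the lines quoted in the thread from the daemonised run,
# plus one extra connection (pid 25242) invented here to exercise the
# "rejected" branch. Not a capture from any real server.
SAMPLE_LOG = """\
Wed Feb 17 15:44:44 2010 [25229]: Reading config
Wed Feb 17 15:44:44 2010 [25229]: Version F4.0.4.19 Initialized 1
Wed Feb 17 15:44:44 2010 [25229]: tac_plus server F4.0.4.19 starting
Wed Feb 17 15:44:44 2010 [25230]: Backgrounded
Wed Feb 17 15:44:44 2010 [25231]: uid=505 euid=505 gid=505 egid=505 s=0
Wed Feb 17 15:44:54 2010 [25231]: session.peerip is 10.1.1.10
Wed Feb 17 15:44:54 2010 [25234]: connect from 10.1.1.10 [10.1.1.10]
Wed Feb 17 15:44:55 2010 [25234]: pam_verify username
Wed Feb 17 15:44:55 2010 [25234]: pam_tacacs received 1 pam_messages
Wed Feb 17 15:44:55 2010 [25234]: Error 10.1.1.10 tty1: PAM_PROMPT_ECHO_OFF
Wed Feb 17 15:44:59 2010 [25234]: pam_verify returns 1
Wed Feb 17 15:44:59 2010 [25234]: Password has not expired <no expiry date set>
Wed Feb 17 15:44:59 2010 [25234]: login query for 'username' tty1 from 10.1.1.10 accepted
Wed Feb 17 15:45:05 2010 [25231]: session.peerip is 10.1.1.10
Wed Feb 17 15:45:05 2010 [25238]: connect from 10.1.1.10 [10.1.1.10]
Wed Feb 17 15:45:20 2010 [25231]: session.peerip is 10.1.1.10
Wed Feb 17 15:45:20 2010 [25242]: connect from 10.1.1.10 [10.1.1.10]
Wed Feb 17 15:45:21 2010 [25242]: pam_verify testuser
Wed Feb 17 15:45:24 2010 [25242]: login query for 'testuser' tty1 from 10.1.1.10 rejected
"""

# "<ctime-style timestamp> [<pid>]: <message>", as in the thread's log.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"^connect from (?P<peer>\S+) \[(?P<addr>[^\]]+)\]$")
# The "rejected" spelling is an assumption; "accepted" is the form in the thread.
VERDICT_RE = re.compile(
    r"^login query for '(?P<user>[^']*)' (?P<tty>\S+) from (?P<peer>\S+) "
    r"(?P<result>accepted|rejected)$"
)
PAM_RE = re.compile(r"^pam_verify returns (?P<rc>-?\d+)$")


def _ts(s):
    return datetime.strptime(s, "%a %b %d %H:%M:%S %Y")


def parse_tac_plus_log(text):
    """Group child-process lines by pid and reduce each connection to a summary.

    tac_plus forks one child per TCP connection, so the bracketed pid is the
    session key. Lines logged by the parent (Reading config, session.peerip,
    Backgrounded, ...) belong to no session and are skipped.
    """
    sessions = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        pid, msg, when = int(m["pid"]), m["msg"], _ts(m["ts"])
        c = CONNECT_RE.match(msg)
        if c:
            sessions[pid] = {"pid": pid, "peer": c["peer"], "connected_at": when,
                             "user": None, "tty": None, "pam_rc": None,
                             "result": None, "seconds_to_verdict": None, "lines": 1}
            continue
        s = sessions.get(pid)
        if s is None:
            continue  # parent line, or a child line before its "connect from"
        s["lines"] += 1
        p = PAM_RE.match(msg)
        if p:
            s["pam_rc"] = int(p["rc"])
        v = VERDICT_RE.match(msg)
        if v:
            s.update(user=v["user"], tty=v["tty"], result=v["result"],
                     seconds_to_verdict=int((when - s["connected_at"]).total_seconds()))
    return sorted(sessions.values(), key=lambda s: s["connected_at"])


def sessions_without_verdict(sessions):
    """Connections that never logged 'login query ... accepted/rejected'.

    A child that connects and then logs nothing (pid 25238 in the sample) is
    the session to look up in the -d 256 packet log.
    """
    return [s for s in sessions if s["result"] is None]


def compare(sessions):
    """One row per connection, in a shape that diffs cleanly between two runs."""
    return ["{pid} {peer} user={user} tty={tty} pam_rc={pam_rc} result={result} "
            "t={seconds_to_verdict}s lines={lines}".format(**s) for s in sessions]


if __name__ == "__main__":
    for row in compare(parse_tac_plus_log(SAMPLE_LOG)):
        print(row)
```

Run it once on the log from the foreground run and once on the log from the daemon run and diff the two outputs; the rows are keyed by pid, so a pid that appears with `result=None` is the connection whose packet exchange to inspect next.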

