[tac_plus] Re: Issue when starting up

Hailu Meng hailumeng at gmail.com
Fri Feb 19 13:58:35 UTC 2010


The tacacs config in my switch is simple:
tacacs-server host 10.20.1.72
tacacs-server key 7 xxxxxxxxx

The tac_plus.conf in server:
accounting file = /var/log/tacacs_acct
key = mykey

user = $enab15$ {
  login = des "DKxtKRZ/XeEgM"
}

group = admin {
  default service = permit
  service = exec {
    priv-lvl = 15
  }
}

group = limited {
  default service = deny
  service = exec {
        priv-lvl = 1
  }
  cmd = show {
        permit ip
        permit interface
  }
}

user = testuser {
        member = admin
        login = PAM
}

Thanks a lot John. From this configuration, I can't tell this is requesting
another authentication.

On Thu, Feb 18, 2010 at 7:18 PM, john heasley <heas at shrubbery.net> wrote:

> Thu, Feb 18, 2010 at 07:05:57PM -0600, Hailu Meng:
> > Thanks John. My tacacs+ configuration in switch is simple:
> >
> > aaa new-model
> > aaa authentication login default group tacacs+ line
> > aaa authentication enable default group tacacs+ enable
>
> that's the aaa config, what about tacacs.
>
> >
> > On Thu, Feb 18, 2010 at 5:45 PM, john heasley <heas at shrubbery.net> wrote:
> >
> > > Thu, Feb 18, 2010 at 02:02:46PM -0600, Hailu Meng:
> > > > Thu Feb 18 13:42:22 2010 [27117]: Writing AUTHEN/SUCCEED size=18
> > > > Thu Feb 18 13:42:22 2010 [27117]: PACKET: key=mykey
> > > > Thu Feb 18 13:42:22 2010 [27117]: version 192 (0xc0), type 1, seq no 6, flags 0x1
> > > > Thu Feb 18 13:42:22 2010 [27117]: session_id 3918696952 (0xe99291f8), Data length 6 (0x6)
> > > > Thu Feb 18 13:42:22 2010 [27117]: End header
> > > > Thu Feb 18 13:42:22 2010 [27117]: type=AUTHEN status=1 (AUTHEN/SUCCEED) flags=0x0
> > > > Thu Feb 18 13:42:22 2010 [27117]: msg_len=0, data_len=0
> > > > Thu Feb 18 13:42:22 2010 [27117]: msg:
> > > > Thu Feb 18 13:42:22 2010 [27117]: data:
> > > > Thu Feb 18 13:42:22 2010 [27117]: End packet
> > > > Thu Feb 18 13:42:22 2010 [27117]: 10.1.2.1: disconnect
> > > > <------ This above is the same as the successful one. From here, I got another "Password" prompt asking for password. Even when I input my correct password for the 2nd time, it just doesn't allow me in. I also tried a wrong password for the first password input on purpose, and I did get a rejected message like "login query for 'testuser' tty1 from 10.1.2.1 rejected".
> > >
> > > > Thu Feb 18 13:42:28 2010 [27116]: session request from 10.1.2.1 sock=2
> > > > Thu Feb 18 13:42:28 2010 [27135]: connect from 10.1.2.1 [10.1.2.1]
> > > > Thu Feb 18 13:42:28 2010 [27135]: Waiting for packet
> > > > Thu Feb 18 13:42:28 2010 [27135]: Read AUTHEN/START size=35
> > > > Thu Feb 18 13:42:28 2010 [27135]: validation request from 10.1.2.1
> > > > Thu Feb 18 13:42:28 2010 [27135]: PACKET: key=mykey
> > > > Thu Feb 18 13:42:28 2010 [27135]: version 192 (0xc0), type 1, seq no 1, flags 0x1
> > > > Thu Feb 18 13:42:28 2010 [27135]: session_id 3154815253 (0xbc0aa915), Data length 23 (0x17)
> > >
> > > it's starting a new auth connection.
> > >
> > > what's the tacacs conf on the device?
> > >
>
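As an added example (not part of the thread and not tac_plus's own code), here is a small Python parser for the tac_plus debug output quoted above. It pairs each "version ... flags" line with the following "session_id ... Data length" line from the same child process, decodes the header fields as RFC 8907 defines them (version byte = major/minor nibbles; type 1/2/3 = AUTHEN/AUTHOR/ACCT; the first packet of every session carries seq no 1), and marks every packet that opens a new session. Run over the log lines from the thread, rejoined onto single lines, it shows what John points out: the packet after the AUTHEN/SUCCEED has a different session_id and seq no 1, so the device has opened a second authentication exchange, which is where the extra Password prompt comes from. The line-format regexes are my reading of the quoted lines, not a documented tac_plus format, and the raw flags value is carried through without interpretation.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Packet type codes in the TACACS+ header (RFC 8907, section 4.1).
TYPE_NAMES = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}

# One tac_plus debug line: "<timestamp> [<pid>]: <message>" (pattern inferred from the thread's log).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# First header line, e.g. "version 192 (0xc0), type 1, seq no 6, flags 0x1"
HDR_RE = re.compile(
    r"version (?P<ver>\d+) \(0x[0-9a-f]+\), type (?P<type>\d+), seq no (?P<seq>\d+), flags 0x(?P<flags>[0-9a-f]+)"
)
# Second header line, e.g. "session_id 3918696952 (0xe99291f8), Data length 6 (0x6)"
SESS_RE = re.compile(
    r"session_id (?P<sid>\d+) \(0x(?P<sidhex>[0-9a-f]+)\), Data length (?P<len>\d+)"
)


@dataclass
class Header:
    ts: str
    pid: str
    version: int
    ptype: int
    seq_no: int
    flags: int       # raw value as printed by tac_plus; not interpreted here
    session_id: int
    length: int

    @property
    def type_name(self) -> str:
        return TYPE_NAMES.get(self.ptype, f"UNKNOWN({self.ptype})")

    @property
    def opens_session(self) -> bool:
        # RFC 8907: the first packet of a session always has seq_no 1.
        return self.seq_no == 1


def decode_version(version: int) -> tuple:
    """Split the version byte into (major, minor): 0xc0 -> (12, 0)."""
    return version >> 4, version & 0x0F


def parse_headers(log: str) -> List[Header]:
    """Pair each 'version ...' line with the next 'session_id ...' line logged by the same child pid."""
    pending: Dict[str, dict] = {}
    headers: List[Header] = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, pid, msg = m.group("ts"), m.group("pid"), m.group("msg")
        h = HDR_RE.search(msg)
        if h:
            pending[pid] = dict(
                ts=ts, version=int(h["ver"]), ptype=int(h["type"]),
                seq_no=int(h["seq"]), flags=int(h["flags"], 16),
            )
            continue
        s = SESS_RE.search(msg)
        if s and pid in pending:
            sid = int(s["sid"])
            # tac_plus prints the id in decimal and hex; treat a mismatch as a corrupted log line.
            if sid != int(s["sidhex"], 16):
                raise ValueError(f"decimal/hex session_id mismatch on: {raw}")
            headers.append(Header(pid=pid, session_id=sid, length=int(s["len"]), **pending.pop(pid)))
    return headers


def session_starts(headers: List[Header]) -> List[Header]:
    """Headers that begin a new TACACS+ session (seq no 1)."""
    return [h for h in headers if h.opens_session]


def summarize(headers: List[Header]) -> List[str]:
    """One line per packet, marking where a new session (a new prompt on the device) begins."""
    out = []
    for h in headers:
        major, minor = decode_version(h.version)
        note = "  <-- new session" if h.opens_session else ""
        out.append(
            f"{h.ts} pid={h.pid} v{major}.{minor} {h.type_name} seq={h.seq_no} "
            f"session=0x{h.session_id:08x} len={h.length}{note}"
        )
    return out


# Sample input: the tac_plus debug lines quoted in the thread, rejoined onto single lines.
SAMPLE_LOG = """\
Thu Feb 18 13:42:22 2010 [27117]: Writing AUTHEN/SUCCEED size=18
Thu Feb 18 13:42:22 2010 [27117]: PACKET: key=mykey
Thu Feb 18 13:42:22 2010 [27117]: version 192 (0xc0), type 1, seq no 6, flags 0x1
Thu Feb 18 13:42:22 2010 [27117]: session_id 3918696952 (0xe99291f8), Data length 6 (0x6)
Thu Feb 18 13:42:22 2010 [27117]: End header
Thu Feb 18 13:42:22 2010 [27117]: 10.1.2.1: disconnect
Thu Feb 18 13:42:28 2010 [27135]: connect from 10.1.2.1 [10.1.2.1]
Thu Feb 18 13:42:28 2010 [27135]: Read AUTHEN/START size=35
Thu Feb 18 13:42:28 2010 [27135]: PACKET: key=mykey
Thu Feb 18 13:42:28 2010 [27135]: version 192 (0xc0), type 1, seq no 1, flags 0x1
Thu Feb 18 13:42:28 2010 [27135]: session_id 3154815253 (0xbc0aa915), Data length 23 (0x17)
"""

if __name__ == "__main__":
    for line in summarize(parse_headers(SAMPLE_LOG)):
        print(line)
```

Pairing by child pid matters because tac_plus forks one child per connection, so header lines from two connections can interleave in a busy log; keying the partial header on the pid keeps them apart. The same two-line pattern can be fed from `tac_plus -d 8` style debug output with any number of sessions, and a sequence of "new session" markers where a single login was expected is the signature of the extra prompt described in the thread.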