[tac_plus] Re: Issue when starting up
Hailu Meng
hailumeng at gmail.com
Fri Feb 19 16:20:05 UTC 2010
But I have two different models of switches that have the same problem when using
backgrounded tac_plus. It seems not to be an IOS bug.
On Fri, Feb 19, 2010 at 10:00 AM, john heasley <heas at shrubbery.net> wrote:
> Fri, Feb 19, 2010 at 07:58:35AM -0600, Hailu Meng:
> > The tacacs config in my switch is simple:
> > tacacs-server host 10.1.5.1
> > tacacs-server key 7 xxxxxxxxx
>
> that's it? nothing else? if that's it, i can't imagine why it's requesting
> multiple times. i suggest that you contact cisco to research bugs in IOS.
>
> > The tac_plus.conf in server:
> > accounting file = /var/log/tacacs_acct
> > key = mykey
> >
> > user = $enab15$ {
> >     login = des "DKxtKRZ/XeEgM"
> > }
> >
> > group = admin {
> >     default service = permit
> >     service = exec {
> >         priv-lvl = 15
> >     }
> > }
> >
> > group = limited {
> >     default service = deny
> >     service = exec {
> >         priv-lvl = 1
> >     }
> >     cmd = show {
> >         permit ip
> >         permit interface
> >     }
> > }
> >
> > user = testuser {
> >     member = admin
> >     login = PAM
> > }
> >
> > Thanks a lot John. From this configuration, I can't tell this is requesting
> > another authentication.
> >
> > On Thu, Feb 18, 2010 at 7:18 PM, john heasley <heas at shrubbery.net> wrote:
> >
> > > Thu, Feb 18, 2010 at 07:05:57PM -0600, Hailu Meng:
> > > > Thanks John. My tacacs+ configuration in switch is simple:
> > > >
> > > > aaa new-model
> > > > aaa authentication login default group tacacs+ line
> > > > aaa authentication enable default group tacacs+ enable
> > >
> > > that's the aaa config, what about tacacs.
> > >
> > > >
> > > >
> > > >
> > > > On Thu, Feb 18, 2010 at 5:45 PM, john heasley <heas at shrubbery.net> wrote:
> > > >
> > > > > Thu, Feb 18, 2010 at 02:02:46PM -0600, Hailu Meng:
> > > > > > Thu Feb 18 13:42:22 2010 [27117]: Writing AUTHEN/SUCCEED size=18
> > > > > > Thu Feb 18 13:42:22 2010 [27117]: PACKET: key=mykey
> > > > > > Thu Feb 18 13:42:22 2010 [27117]: version 192 (0xc0), type 1, seq no 6, flags 0x1
> > > > > > Thu Feb 18 13:42:22 2010 [27117]: session_id 3918696952 (0xe99291f8), Data length 6 (0x6)
> > > > > > Thu Feb 18 13:42:22 2010 [27117]: End header
> > > > > > Thu Feb 18 13:42:22 2010 [27117]: type=AUTHEN status=1 (AUTHEN/SUCCEED) flags=0x0
> > > > > > Thu Feb 18 13:42:22 2010 [27117]: msg_len=0, data_len=0
> > > > > > Thu Feb 18 13:42:22 2010 [27117]: msg:
> > > > > > Thu Feb 18 13:42:22 2010 [27117]: data:
> > > > > > Thu Feb 18 13:42:22 2010 [27117]: End packet
> > > > > > Thu Feb 18 13:42:22 2010 [27117]: 10.1.2.1: disconnect
> > > > > > *<------ This above is the same as successful one, from here, I got
> > > > > > another "Password" Prompt asking for password*. *Even I input my
> > > > > > correct password for the 2nd time, it just doesn't allow me in*.
> > > > > > *I also tried wrong password for the first time password input on
> > > > > > purpose, I did get rejected message like "login query for 'testuser'
> > > > > > tty1 from 10.1.2.1 rejected"*
> > > > >
> > > > > > Thu Feb 18 13:42:28 2010 [27116]: session request from 10.1.2.1 sock=2
> > > > > > Thu Feb 18 13:42:28 2010 [27135]: connect from 10.1.2.1 [10.1.2.1]
> > > > > > Thu Feb 18 13:42:28 2010 [27135]: Waiting for packet
> > > > > > Thu Feb 18 13:42:28 2010 [27135]: Read AUTHEN/START size=35
> > > > > > Thu Feb 18 13:42:28 2010 [27135]: validation request from 10.1.2.1
> > > > > > Thu Feb 18 13:42:28 2010 [27135]: PACKET: key=mykey
> > > > > > Thu Feb 18 13:42:28 2010 [27135]: version 192 (0xc0), type 1, seq no 1, flags 0x1
> > > > > > Thu Feb 18 13:42:28 2010 [27135]: session_id 3154815253 (0xbc0aa915), Data length 23 (0x17)
> > > > >
> > > > > it's starting a new auth connection.
> > > > >
> > > > > what's the tacacs conf on the device?
> > > > >
> > >
>
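
The pattern pointed out in the quoted debug log, a fresh AUTHEN/START from the same device a few seconds after an AUTHEN/SUCCEED and under a new session_id, can be picked out of a tac_plus debug log mechanically. This is an added example, not part of the thread or of tac_plus itself; the sample lines are constructed from the quoted output, and the function names and the 30-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the debug output quoted in the thread: wrapped
# lines are rejoined, and the first two lines of PID 27117 are invented.
SAMPLE_LOG = """\
Thu Feb 18 13:42:20 2010 [27117]: connect from 10.1.2.1 [10.1.2.1]
Thu Feb 18 13:42:20 2010 [27117]: Read AUTHEN/START size=35
Thu Feb 18 13:42:22 2010 [27117]: Writing AUTHEN/SUCCEED size=18
Thu Feb 18 13:42:22 2010 [27117]: session_id 3918696952 (0xe99291f8), Data length 6 (0x6)
Thu Feb 18 13:42:28 2010 [27135]: connect from 10.1.2.1 [10.1.2.1]
Thu Feb 18 13:42:28 2010 [27135]: Read AUTHEN/START size=35
Thu Feb 18 13:42:28 2010 [27135]: session_id 3154815253 (0xbc0aa915), Data length 23 (0x17)
"""
LINE = re.compile(r"^(\w{3} \w{3} +\d+ [\d:]{8} \d{4}) \[(\d+)\]: (.*)$")

def parse_sessions(text):
    """Group debug lines by child PID (one PID per TCP connection in this log)."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        pid, msg = int(m.group(2)), m.group(3)
        s = sessions.setdefault(pid, dict.fromkeys(("client", "start", "succeed", "session_id")))
        if msg.startswith("connect from "):
            s["client"] = msg.split()[2]
        elif msg.startswith("Read AUTHEN/START"):
            s["start"] = ts
        elif msg.startswith("Writing AUTHEN/SUCCEED"):
            s["succeed"] = ts
        elif msg.startswith("session_id "):
            s["session_id"] = int(msg.split()[1])
    return sessions

def repeated_auth(sessions, window=timedelta(seconds=30)):
    """Return (client, first_pid, second_pid, gap_s) for re-auth after AUTHEN/SUCCEED."""
    hits = []
    for p1, s1 in sessions.items():
        if not (s1["succeed"] and s1["client"]):
            continue
        for p2, s2 in sessions.items():
            if p2 == p1 or s2["client"] != s1["client"] or not s2["start"]:
                continue
            gap = s2["start"] - s1["succeed"]
            if timedelta(0) <= gap <= window:
                hits.append((s1["client"], p1, p2, int(gap.total_seconds())))
    return hits
```

Calling `repeated_auth(parse_sessions(SAMPLE_LOG))` reports the device, the two server PIDs and the gap in seconds between the successful reply and the next login attempt.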