[tac_plus] tac_plus login and enable password issue

john heasley heas at shrubbery.net
Wed Dec 7 22:51:10 UTC 2011


Sun, Nov 27, 2011 at 08:58:15PM -0800, Ricki Z:
> Hi All,
> 
> I have an issue when I use an enable password per user (not in the global config with user $enab15$ etc.) and every user uses a different password for Cisco enable on the tac_plus server. Referring to the config that I sent before, I can use AAA for Cisco devices with tac_plus, but if I log in as user1, I can use the password "user1" or "enauser1", and after a successful login I can enter privileged mode using the password "user1" or "enauser1"; the same goes for user2. Under normal conditions, I should only be able to log in as user1 with the password "user1" (it should fail with the password "enauser1"), and I should only be able to enter privileged mode using the password "enauser1" (it should fail with "user1").
> 
> user = user1 {
>     default service = permit
default service does not belong under user configuration.

otherwise, I can not reproduce the problem that I think you are describing.
given two users configured with different passwords, one can not use the
other's passwords to login or enable.

I'd guess that you have a device configuration problem or there is some
strange problem with how you've compiled tac_plus.  more likely the former.

>     login = cleartext user1
>     enable = cleartext enauser1
> }
> 
> user = user2 {
>     default service = permit
>     login = cleartext user2
>     enable = cleartext enauser2
> }
> 
> And if I configure an enable password per user and every user uses the same enable password (like the config below), everything works as it is supposed to: if I log in as user1, I can only use the password "user1" (can't use the password "enapwd"), and I can only enter privileged mode using the password "enauser" (can't use the password "user1").
> user = user1 {
>     default service = permit
>     login = cleartext user1
>     enable = cleartext enauser
> }
> 
> user = user2 {
>     default service = permit
>     login = cleartext user2
>     enable = cleartext enauser
> }
> 
> Need your advice to solve this issue.
> 
> Tx,
> Ricki