[tac_plus] tac_plus login and enable password issue

john heasley heas at shrubbery.net
Thu Dec 8 17:42:01 UTC 2011


Wed, Dec 07, 2011 at 07:54:49PM -0800, Ricki Z:
> Hi John,
> 
> Previously thanks for your info. I have done change config with default service under group but i still experience the same problem. My problem exactly is why? i can login to cisco switch using "login password" or "enable password" and why i can enter priviledge mode using "login password" or "enable password" too.
> 
> Below is my new config for tac-plus server:
> -----------------------------------cut-----------------------------------
> user = user1 {
> ??? ??? ??? ??? member = admin
> ??? ??? ??? ??? login = cleartext user1
> ??? ??? ??? ??? enable = cleartext enauser1
> }
> 
> user = user2 {
> ??? ??? ??? ??? member = admin
> ??? ??? ??? ??? login = cleartext user2
> ??? ??? ??? ??? enable = cleartext enauser2
> }
> group = admin {
> ??????? default service = permit
> }
> -----------------------------------cut-----------------------------------
> And below my cisco switch config for tac-plus authentication:
> 
> -----------------------------------cut-----------------------------------
> aaa new-model
> aaa authentication login default group tacacs+ local line
> aaa authentication login user group tacacs+ local
> aaa authentication login net_admin group tacacs+ line enable
> aaa authentication enable default group tacacs+ enable
> aaa authorization exec default group tacacs+ if-authenticated
> aaa authorization commands 0 default group tacacs+ if-authenticated
> aaa authorization commands 1 default group tacacs+ if-authenticated
> aaa authorization commands 7 default group tacacs+ if-authenticated
> aaa authorization commands 15 default group tacacs+ if-authenticated
> aaa authorization network default group tacacs+ if-authenticated
> aaa accounting exec user start-stop group tacacs+
> aaa accounting commands 0 user start-stop group tacacs+
> aaa accounting commands 1 user start-stop group tacacs+
> aaa accounting commands 7 user start-stop group tacacs+
> aaa accounting commands 15 user start-stop group tacacs+
> aaa accounting network user start-stop group tacacs+
> aaa accounting connection user start-stop group tacacs
> !
> line con 0
> ?login authentication net_admin
> line vty 0 4

 login authentication default

otherwise, looks ok.  try debugging options on the router and the tacacs
daemon to figure out why its not working as you expect.

> ?accounting connection user
> ?accounting commands 0 user
> ?accounting commands 1 user
> ?accounting commands 7 user
> ?accounting commands 15 user
> ?accounting exec user
> line vty 5 15
> ?accounting connection user
> ?accounting commands 0 user
> ?accounting commands 1 user
> ?accounting commands 7 user
> ?accounting commands 15 user
> ?accounting exec user
> -----------------------------------cut-----------------------------------
> 
> Here the illustration for login to cisco switch:
> -----------------------------------cut-----------------------------------
> User Access Verification
> 
> Username: user1
> Password: user1
> 
> or 
> 
> 
> Username: user1
> Password: enauser1
> -----------------------------------cut-----------------------------------
> Here the illustration for enter priviledge to cisco switch:
> -----------------------------------cut-----------------------------------
> cisco-sw>en
> Password: enauser1
> 
> or
> 
> cisco-sw>en
> Password: user1
> -----------------------------------cut-----------------------------------
> Is there any abnormal with my config on tac-plus server or cisco switch?
> 
> Tx,
> Ricki
> 
> 
> 
> ________________________________
>  From: john heasley <heas at shrubbery.net>
> To: Ricki Z <rz.bangka at yahoo.com> 
> Cc: "tac_plus at shrubbery.net" <tac_plus at shrubbery.net> 
> Sent: Thursday, December 8, 2011 5:51 AM
> Subject: Re: [tac_plus] tac_plus login and enable password issue
>  
> Sun, Nov 27, 2011 at 08:58:15PM -0800, Ricki Z:
> > Hi All,
> > 
> > 
> > 
> > I have issue when i using enable password per user (not on global config with user $enab15$ etc.) and every user using different password for cisco enable on tac_plus server. Refer to the config that i send before i can using AAA for cisco devices with tac_plus but if i login using user1, then i can use password "user1" or "enauser1" and after login success, i can enter privilege mode using password "user1" or "enauser1" and same for user2. In normal condition should be i just can login using user1 with password "user1" (failed if using password "enauser1" and i just can enter priviledge mode using password "enauser1" (failed if using "user1").
> > 
> > user = user1 {
> > ??? ??? ??? ??? default service = permit
> default service does not belong under user configuration.
> 
> otherwise, i can not reproduce the problem that i think you are describing.
> given two users configured with different passwords, one can not use the
> other's passwords to login or enable.
> 
> I'd guess that you have a device configuration problem or there is some
> strange problem with how you've compiled tac_plus.? more likely the former.
> 
> > ??? ??? ??? ??? login = cleartext user1
> > ??? ??? ??? ??? enable = cleartext enauser1
> > }
> > 
> > user = user2 {
> > ??? ??? ??? ??? default service = permit
> > ??? ??? ??? ??? login = cleartext user2
> > ??? ??? ??? ??? enable = cleartext enauser2
> > }
> > 
> > And if i configure enable password per user and every user using the same enable password (like config below), all
> >? working like suppose to be it mean if i login using user1 i just can using password "user1" (can't using password "enapwd") and i just can enter priviledge mode using password "enauser" (can't using password "user1").
> > user = user1 {
> > ??? ??? ??? ??? default service = permit
> > ??? ??? ??? ??? login = cleartext user1
> > ??? ??? ??? ??? enable = cleartext enauser
> > }
> > 
> > user = user2 {
> > ??? ??? ??? ??? default service = permit
> > ??? ??? ??? ??? login = cleartext user2
> > ??? ??? ??? ??? enable = cleartext enauser
> > }
> > 
> > Need your advice for solve this issue.
> > 
> > Tx,
> > Ricki
> > -------------- next part --------------
> > An HTML attachment was scrubbed...
> > URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20111127/71681cee/attachment.html>
> > _______________________________________________
> > tac_plus mailing list
> > tac_plus at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus


More information about the tac_plus mailing list