From manuel.strauch at gmx.de Thu Dec 6 12:25:55 2012
From: manuel.strauch at gmx.de (Manuel Strauch)
Date: Thu, 06 Dec 2012 13:25:55 +0100
Subject: [tac_plus] Tacacs+ and NX-OS
Message-ID: <50C08ED3.8090800@gmx.de>

Dear Sir or Madam,

I am using your program tac_plus now on several Cisco IOS devices (like Catalyst switches) in the company I work for. Now we are going to get Nexus devices (like the 3048tp) and I wanted to connect these devices also to my Tacacs server, but I have a small (?) problem with it.

I configured my test device like this:

---------------------------------
feature tacacs+
tacacs+ distribute
tacacs-server key 7 "wawyanb123"
ip tacacs source-interface mgmt0
tacacs-server test username test password test123
tacacs-server host 172.18.13.220 key 7 "wawyanb123"
tacacs+ commit
ip access-list copp-system-acl-tacacsradius
  10 permit tcp any any eq tacacs
  20 permit tcp any eq tacacs any
class-map type control-plane match-any copp-tacacsradius
  match access-group name copp-system-acl-tacacsradius
class copp-tacacsradius
tacacs-server directed-request
aaa group server tacacs+ ACS
aaa authentication login default group ACS
aaa authentication login console group ACS
aaa accounting default group ACS
aaa authentication login error-enable
---------------------------------

My server-side config is like the following:

---------------------------------
group = netadmin {
    default service = permit
    acl = LEVELBASED-ACL
    service = exec {
        idletime = 5
        timeout = 15
        shell:roles="network-admin"
    }
}

user = root {
    login = des "gDdcHHV9ThP02"
    enable = des "gDdcHHV9ThP02"
    member = netadmin
    name = "root"
}
---------------------------------

These are the configurations I found on several websites, which should work. The device and the server are successfully communicating, but it doesn't matter what I type into the login panel, I can't log in with the logins I set.
Error messages:

On the device:

Nexus 3000 Switch
login: root
Password:
Login incorrect

In the syslog of the tacacs server:

Dec 6 13:20:03 NagiosNG tac_plus[32545]: login failure: root 172.18.13.223 (172.18.13.223) 3001

In both logs, "tacwho.log" and "tac_pluss.acct", nothing is shown about my login tries.

Now my problem in a few words: I thought I configured my device and my server well for good communication between both, but it seems that there is a failure in it, and I can't figure out where the failure was made, so maybe you can help me with this problem. If you need any other log entries, I can send you anything you need.

Thank you very much in advance for your answer,
Manuel Strauch


From daniel.schmidt at wyo.gov Thu Dec 6 19:09:25 2012
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Thu, 6 Dec 2012 12:09:25 -0700
Subject: [tac_plus] Tacacs+ and NX-OS
In-Reply-To: <50C08ED3.8090800@gmx.de>
References: <50C08ED3.8090800@gmx.de>
Message-ID:

Try pap = des. Also, check out tacacs.org for a write-up I did, back when I had time to work on that sort of thing.

_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.


From vadud3 at gmail.com Tue Dec 11 20:15:04 2012
From: vadud3 at gmail.com (Asif Iqbal)
Date: Tue, 11 Dec 2012 15:15:04 -0500
Subject: [tac_plus] No User prompt
Message-ID:

I see intermittent login issues to the routers. Sometimes I get no login prompt and jump straight to the Password: prompt. My guess is the tacacs+ daemon gets overloaded and the router fails to get a response from the tacacs+ daemon.

I am running tac_plus F4.0.4.26 on Ubuntu 10.04.4 LTS 64 bit.

$ tac_plus -v
tac_plus version F4.0.4.26
ACLS
FIONBIO
LIBWRAP
LINUX
LITTLE_ENDIAN
LOG_DAEMON
PAM
NO_PWAGE
REAPCHILD
RETSIGTYPE
RETSIGTYPE
SHADOW_PASSWORDS
SIGTSTP
SIGTTIN
SIGTTOU
SO_REUSEADDR
STRERROR
TAC_PLUS_PORT
UENABLE
__STDC__

Currently I see 20 tac_plus processes running tied to one IP and one port.

Any suggestion on how to verify if it is hitting a resource limitation?

-- 
Asif Iqbal
PGP Key: 0xE62693C5
KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


From heas at shrubbery.net Tue Dec 11 22:33:50 2012
From: heas at shrubbery.net (heasley)
Date: Tue, 11 Dec 2012 22:33:50 +0000
Subject: [tac_plus] No User prompt
In-Reply-To:
References:
Message-ID: <20121211223350.GA30969@shrubbery.net>

Tue, Dec 11, 2012 at 03:15:04PM -0500, Asif Iqbal:
> I see intermittent login issues to the routers. Sometimes I get no login prompt and jump straight to the Password: prompt.
> My guess is the tacacs+ daemon gets overloaded and the router fails to get a response from the tacacs+ daemon.
> Any suggestion on how to verify if it is hitting a resource limitation?

The daemon is single threaded, so unless it exceeds the number of processes or other limits placed on it, it will just spawn a separate process to handle the auth/author. If you have only a password prompt, I'd guess access to the tacacs server is failing and you have no local users configured on the device to handle the auth after tacacs, so you receive just a password prompt from the vty. Check router configs, enable tacacs debugging, see logs on the tacacs server.


From arnabbiswas1 at gmail.com Wed Dec 12 15:56:24 2012
From: arnabbiswas1 at gmail.com (Arnab Biswas)
Date: Wed, 12 Dec 2012 21:26:24 +0530
Subject: [tac_plus] Free Client side tool for TACACS+
Message-ID:

Hi All,

Disclaimer: This is not something related to tac_plus!

I am looking for a free tool which can work as a TACACS+ client. I want to use the tool for testing different types of authorization requests exchanged between the server (tac_plus/Cisco ACS) and the tool. I see a client from http://www.axlradius.com/TACACSClient.htm, but that's not free. Even for an evaluation copy I am not getting any response.

Any suggestions?

Thanks,
Arnab
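heasley's advice above ends with "see logs on the tacacs server". As an added example (not part of the thread or of tac_plus itself), here is a small detector over the syslog "login failure" line format Manuel posted; the first sample line is his, the remaining lines are constructed for the example, and the year is an assumption because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format tac_plus writes to syslog: the first line is
# the one Manuel posted, the others are made up for this example.
SAMPLE_LOG = """\
Dec  6 13:20:03 NagiosNG tac_plus[32545]: login failure: root 172.18.13.223 (172.18.13.223) 3001
Dec  6 13:20:41 NagiosNG tac_plus[32546]: login failure: root 172.18.13.223 (172.18.13.223) 3001
Dec  6 13:21:10 NagiosNG tac_plus[32547]: login failure: root 172.18.13.223 (172.18.13.223) 3001
Dec  6 13:25:55 NagiosNG tac_plus[32560]: login failure: admin 172.18.13.50 (172.18.13.50) tty1
Dec  6 13:40:12 NagiosNG tac_plus[32571]: login failure: root 172.18.13.223 (172.18.13.223) 3001
"""

FAILURE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ tac_plus\[\d+\]: login failure: '
    r'(?P<user>\S+) (?P<host>\S+) \((?P<rhost>[^)]*)\) (?P<port>\S+)$')

def parse_failures(text, year=2012):
    """Return (timestamp, user, host, port) for every 'login failure' line.
    Syslog omits the year, so the caller supplies it (assumed 2012 here)."""
    found = []
    for line in text.splitlines():
        m = FAILURE_RE.match(line)
        if m:  # other tac_plus messages are ignored by this detector
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            found.append((ts, m['user'], m['host'], m['port']))
    return found

def bursts(failures, threshold=3, window_s=300):
    """Return {(host, user): n} where n >= threshold failures for one user from
    one device fall inside a window_s-second span. One user repeating from one
    device (Manuel's case) points at a config mismatch such as the missing
    'pap' entry; many users or many devices point at something else."""
    by_key = defaultdict(list)
    for ts, user, host, _port in failures:
        by_key[(host, user)].append(ts)
    hits = {}
    for key, times in by_key.items():
        times.sort()
        for i in range(len(times)):
            j = i  # extend the window forward from times[i]
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= threshold:
                hits[key] = max(hits.get(key, 0), j - i + 1)
    return hits
```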
From anareshom at gmail.com Fri Dec 14 11:30:20 2012
From: anareshom at gmail.com (Naresh Kumar)
Date: Fri, 14 Dec 2012 17:00:20 +0530
Subject: [tac_plus] tacacs+-F4.0.4.26 helppppppppppppppppppppppppp
In-Reply-To:
References:
Message-ID:

Guys, I forgot: I am using the Ubuntu flavor.

On Fri, Dec 14, 2012 at 4:45 PM, Naresh Kumar wrote:


From anareshom at gmail.com Fri Dec 14 11:15:22 2012
From: anareshom at gmail.com (Naresh Kumar)
Date: Fri, 14 Dec 2012 16:45:22 +0530
Subject: [tac_plus] tacacs+-F4.0.4.26 helppppppppppppppppppppppppp
Message-ID:

Hi guys,

I am trying to install and configure the latest version of tacacs but I am unable to find a document.

Last year I was so lucky, I was working with the older version of tacacs+-F4.0.4.10.tar with the help of the website below on how to configure it:

http://bejoybkn.blogspot.in/2011/07/network-monitoring-toolstacplusrancidsy.html

But for the newer version I am unable to get the tacacs up and running.

Please help on this; I am trying all my best to find it, but unfortunately I guess I am unlucky :( :( :(

pls help meeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee

Thanks in advance

Regards
Naresh
From daniel.schmidt at wyo.gov Fri Dec 14 16:24:31 2012
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Fri, 14 Dec 2012 09:24:31 -0700
Subject: [tac_plus] tacacs+-F4.0.4.26 helppppppppppppppppppppppppp
In-Reply-To:
References:
Message-ID: <26f44b5abf81cb9e3fc9ee97c900d578@mail.gmail.com>

What exact step are you stuck on? You may find the following site informative: http://lmgtfy.com/?q=tac_plus+howto+ubuntu
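Returning to the first thread: Daniel's "Try pap = des" works because NX-OS authenticates to TACACS+ with PAP by default, and a tac_plus user entry that carries only a "login =" password answers ASCII logins, not PAP. As an added example, not part of the thread or of tac_plus, here is a small checker that parses a tac_plus.conf and lists users with no "pap" or "global" password; the sample config is modelled on Manuel's post (its hash strings are copied from there) and the parser handles only the brace-block syntax shown in the thread.

```python
import re

# Constructed sample modelled on the server config Manuel posted; the hash
# strings are copied from the post. His 'acl = LEVELBASED-ACL' line is left
# out because the acl definition is not in the thread.
SAMPLE_CONF = """
group = netadmin {
    default service = permit
    service = exec {
        idletime = 5
        timeout = 15
        shell:roles="network-admin"
    }
}
user = root {
    login = des "gDdcHHV9ThP02"
    enable = des "gDdcHHV9ThP02"
    member = netadmin
    name = "root"
}
"""

# tac_plus password keywords: 'login' answers ASCII logins only, 'pap'
# answers PAP requests, 'global' answers every authentication type.
PASSWORD_KEYS = {"login", "pap", "global"}
USER_RE = re.compile(r'^user\s*=\s*"?([^\s"{]+)"?\s*\{')
KEY_RE = re.compile(r'^(\w+)\s*=')

def parse_users(conf):
    """Map each top-level 'user = NAME { ... }' block to the password keywords it defines."""
    users, depth, current = {}, 0, None
    for raw in conf.splitlines():
        line = raw.strip()
        m = USER_RE.match(line)
        if m and depth == 0:
            current = m.group(1)
            users[current] = set()
        elif current is not None and depth == 1:
            kw = KEY_RE.match(line)
            if kw and kw.group(1) in PASSWORD_KEYS:
                users[current].add(kw.group(1))
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None  # left the user block
    return users

def users_without_pap(conf):
    """Users that will fail a PAP authentication (what NX-OS sends by default):
    they define 'login' but neither 'pap' nor 'global'."""
    return sorted(name for name, keys in parse_users(conf).items()
                  if "login" in keys and not keys & {"pap", "global"})
```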