From vadud3 at gmail.com Fri Jun 1 20:10:29 2012 From: vadud3 at gmail.com (Asif Iqbal) Date: Fri, 1 Jun 2012 16:10:29 -0400 Subject: [tac_plus] seeing lots of Read -1 bytes from router.example.net , expecting 12 Message-ID: Am I experiencing a bug? I am running tac_plus F4.0.4.19 I see 110444 of the following type of error in 14 hrs. Jun 1 16:36:27 hlr-tacacs-01 tac_plus[17512]: Read -1 bytes from router.example.net , expecting 12 -- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -------------- next part -------------- An HTML attachment was scrubbed... URL: From kissg at ssg.ki.iif.hu Sat Jun 2 06:46:45 2012 From: kissg at ssg.ki.iif.hu (Kiss Gabor (Bitman)) Date: Sat, 2 Jun 2012 08:46:45 +0200 (CEST) Subject: [tac_plus] seeing lots of Read -1 bytes from router.example.net , expecting 12 In-Reply-To: References: Message-ID: > Am I experiencing a bug? > > I am running tac_plus F4.0.4.19 > > I see 110444 of the following type of error in 14 hrs. > > Jun 1 16:36:27 hlr-tacacs-01 tac_plus[17512]: Read -1 bytes from > router.example.net , expecting 12 It seems to be rather an "attack". Somebody continously connect to router.example.net then disconnects. The router does the same with your TACACS+ server. Gabor From vadud3 at gmail.com Sat Jun 2 17:38:16 2012 From: vadud3 at gmail.com (Asif Iqbal) Date: Sat, 2 Jun 2012 13:38:16 -0400 Subject: [tac_plus] seeing lots of Read -1 bytes from router.example.net , expecting 12 In-Reply-To: References: Message-ID: On Sat, Jun 2, 2012 at 2:46 AM, Kiss Gabor (Bitman) wrote: > > Am I experiencing a bug? > > > > I am running tac_plus F4.0.4.19 > > > > I see 110444 of the following type of error in 14 hrs. > > > > Jun 1 16:36:27 hlr-tacacs-01 tac_plus[17512]: Read -1 bytes from > > router.example.net , expecting 12 > > It seems to be rather an "attack". > This is valid traffic, not an attack. 
> Somebody continously connect to router.example.net then disconnects. > The router does the same with your TACACS+ server. > > Gabor > -- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -------------- next part -------------- An HTML attachment was scrubbed... URL: From vadud3 at gmail.com Sat Jun 2 18:07:57 2012 From: vadud3 at gmail.com (Asif Iqbal) Date: Sat, 2 Jun 2012 14:07:57 -0400 Subject: [tac_plus] seeing lots of Read -1 bytes from router.example.net , expecting 12 In-Reply-To: References: Message-ID: On Sat, Jun 2, 2012 at 1:38 PM, Asif Iqbal wrote: > On Sat, Jun 2, 2012 at 2:46 AM, Kiss Gabor (Bitman) wrote: > >> > Am I experiencing a bug? >> > >> > I am running tac_plus F4.0.4.19 >> > >> > I see 110444 of the following type of error in 14 hrs. >> > >> > Jun 1 16:36:27 hlr-tacacs-01 tac_plus[17512]: Read -1 bytes from >> > router.example.net , expecting 12 >> >> It seems to be rather an "attack". >> > > This is valid traffic, not an attack. > > >> Somebody continously connect to router.example.net then disconnects. >> The router does the same with your TACACS+ server. >> >> Gabor >> > > How do I verify if those are keep-alive requests. This url suggests I am experiencing those keep-alive chats http://blog.xbsd.org/2010/10/20/cisco-css-and-tacacs I have thousands of routers. It would be lot of work to add the disable in all of them. Is there may be another approach to this short from ignoring this massive amount of noises? > > -- > Asif Iqbal > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu > A: Because it messes up the order in which people normally read text. > Q: Why is top-posting such a bad thing? > > > -- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? 
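Added example (editor's, not code from tac_plus or from anyone in this thread): a small script that parses the "Read N bytes from <peer> , expecting 12" lines and summarises them per peer. That is the practical way to answer the question above without touching thousands of routers: if every router in the fleet shows a few short reads an hour, it is device behaviour (connect, then go quiet); if one address shows a tight burst, or an address that is not a NAS at all shows up, that is the one worth a tcp_wrappers or packet-filter rule. The 12 bytes the daemon is waiting for are the fixed TACACS+ packet header (RFC 8907 section 4.1), so each of these lines means a peer opened a TCP connection and the header read failed or timed out before 12 bytes arrived. The log lines are constructed in the format Asif quoted; the known-NAS set is an assumption standing in for whatever device inventory you have.

```python
"""Triage tac_plus "Read N bytes from <peer> , expecting 12" noise by peer.

Added example; not code from tac_plus or from anyone in the thread.
SAMPLE_LOG is constructed in the format quoted in the thread.
"""
import re
from collections import defaultdict
from datetime import datetime

# One short-read line as tac_plus writes it via syslog.  The read count is
# captured too: -1 is a failed/timed-out read, 0 is a clean close by the peer.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ tac_plus\[\d+\]: "
    r"Read (?P<got>-?\d+) bytes from (?P<peer>\S+) , expecting (?P<want>\d+)$"
)

# Constructed sample: two routers that each connect and go quiet a couple of
# times an hour, one address that is not a NAS hammering the daemon in a
# four-second burst, and one unrelated line the parser must skip.
SAMPLE_LOG = """\
Jun  1 16:36:27 hlr-tacacs-01 tac_plus[17512]: Read -1 bytes from router.example.net , expecting 12
Jun  1 16:36:29 hlr-tacacs-01 tac_plus[17512]: pap-login query for 'admin' port tty0 from router.example.net accepted
Jun  1 16:41:02 hlr-tacacs-01 tac_plus[17520]: Read -1 bytes from router2.example.net , expecting 12
Jun  1 16:52:10 hlr-tacacs-01 tac_plus[17531]: Read -1 bytes from router.example.net , expecting 12
Jun  1 17:02:44 hlr-tacacs-01 tac_plus[17540]: Read 0 bytes from router2.example.net , expecting 12
Jun  1 17:03:00 hlr-tacacs-01 tac_plus[17541]: Read -1 bytes from 203.0.113.7 , expecting 12
Jun  1 17:03:01 hlr-tacacs-01 tac_plus[17542]: Read -1 bytes from 203.0.113.7 , expecting 12
Jun  1 17:03:01 hlr-tacacs-01 tac_plus[17543]: Read -1 bytes from 203.0.113.7 , expecting 12
Jun  1 17:03:02 hlr-tacacs-01 tac_plus[17544]: Read -1 bytes from 203.0.113.7 , expecting 12
Jun  1 17:03:03 hlr-tacacs-01 tac_plus[17545]: Read -1 bytes from 203.0.113.7 , expecting 12
Jun  1 17:03:04 hlr-tacacs-01 tac_plus[17546]: Read -1 bytes from 203.0.113.7 , expecting 12
"""


def parse_short_reads(text, year=2012):
    """Yield (peer, timestamp, got, want) for each short-read line; skip others."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog omits the year; the caller supplies it (constructed here).
        stamp = re.sub(r"\s+", " ", m["ts"])
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield m["peer"], ts, int(m["got"]), int(m["want"])


def summarise(events, window_s=10):
    """Per peer: total count, first/last seen, and the peak count in any window."""
    stamps_by_peer = defaultdict(list)
    for peer, ts, _got, _want in events:
        stamps_by_peer[peer].append(ts)
    summary = {}
    for peer, stamps in stamps_by_peer.items():
        stamps.sort()
        peak, lo = 1, 0
        for hi in range(len(stamps)):          # sliding window over sorted times
            while (stamps[hi] - stamps[lo]).total_seconds() > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        summary[peer] = {"count": len(stamps), "first": stamps[0],
                         "last": stamps[-1], "peak_in_window": peak}
    return summary


def classify(summary, known_nas, burst=5):
    """Separate fleet-wide connect-then-idle noise from peers worth a filter rule."""
    verdict = {}
    for peer, s in summary.items():
        if peer not in known_nas:
            verdict[peer] = "unknown peer: candidate for tcp_wrappers / packet filter"
        elif s["peak_in_window"] >= burst:
            verdict[peer] = "known NAS but bursting: debug that device's tacacs config"
        else:
            verdict[peer] = "known NAS, sparse: connect-then-idle timeout"
    return verdict


if __name__ == "__main__":
    KNOWN_NAS = {"router.example.net", "router2.example.net"}   # assumed inventory
    summary = summarise(parse_short_reads(SAMPLE_LOG))
    for peer, verdict in sorted(classify(summary, KNOWN_NAS).items()):
        s = summary[peer]
        print(f"{peer:22} {s['count']:4d} hits, peak {s['peak_in_window']} in 10s: {verdict}")
```

Run it against the real syslog (`parse_short_reads(open('/var/log/syslog').read())`) with the NAS list taken from your own inventory. The burst threshold is a starting point, not a rule: a router whose AAA client retries aggressively will look bursty too, which is why the verdict for a known NAS says to debug the device rather than to block it.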
-------------- next part -------------- An HTML attachment was scrubbed... URL: From alan.mckinnon at gmail.com Sun Jun 3 09:05:25 2012 From: alan.mckinnon at gmail.com (Alan McKinnon) Date: Sun, 3 Jun 2012 11:05:25 +0200 Subject: [tac_plus] seeing lots of Read -1 bytes from router.example.net , expecting 12 In-Reply-To: References: Message-ID: <20120603110525.17fde161@khamul.example.com> On Sat, 2 Jun 2012 14:07:57 -0400 Asif Iqbal wrote: > On Sat, Jun 2, 2012 at 1:38 PM, Asif Iqbal wrote: > > > On Sat, Jun 2, 2012 at 2:46 AM, Kiss Gabor (Bitman) > > wrote: > > > >> > Am I experiencing a bug? > >> > > >> > I am running tac_plus F4.0.4.19 > >> > > >> > I see 110444 of the following type of error in 14 hrs. > >> > > >> > Jun 1 16:36:27 hlr-tacacs-01 tac_plus[17512]: Read -1 bytes from > >> > router.example.net , expecting 12 > >> > >> It seems to be rather an "attack". > >> > > > > This is valid traffic, not an attack. > > > > > >> Somebody continously connect to router.example.net then > >> disconnects. The router does the same with your TACACS+ server. > >> > >> Gabor > >> > > > > > How do I verify if those are keep-alive requests. This url suggests I > am experiencing those keep-alive > chats > > http://blog.xbsd.org/2010/10/20/cisco-css-and-tacacs > > I have thousands of routers. It would be lot of work to add the > disable in all of them. > Is there may be another approach to this short from ignoring this > massive amount > of noises? If your network is anything like mine, then it's a mess of mis-applied configs stretching back 10 years through a very long list of templates in use at the time. My solution is to fix it with software: Put all your devices in rancid (hack together some kind of automation to make this easier on yourself). Scan the rancid files periodically and hack together a script that will reconfigure devices you find not to your liking. It's a fair amount of work and involves building a framework suitable for your environment. 
But the results are well worth the effort as it puts you in a place where you can make massive updates to the entire network with relative ease.

--
Alan McKinnon
alan.mckinnon at gmail.com

From heas at shrubbery.net Mon Jun 4 20:58:21 2012
From: heas at shrubbery.net (heasley)
Date: Mon, 4 Jun 2012 13:58:21 -0700
Subject: [tac_plus] seeing lots of Read -1 bytes from router.example.net , expecting 12
In-Reply-To:
References:
Message-ID: <20120604205821.GY73293@shrubbery.net>

Sat, Jun 02, 2012 at 02:07:57PM -0400, Asif Iqbal:
> How do I verify if those are keep-alive requests. This url suggests I am
> experiencing those keep-alive chats
>
> http://blog.xbsd.org/2010/10/20/cisco-css-and-tacacs
>
> I have thousands of routers. It would be lot of work to add the disable in
> all of them.
> Is there may be another approach to this short from ignoring this massive
> amount
> of noises?

there is no "tacacs keepalive" msg. this is a timeout; i.e.: the router connects, then does not proceed with the auth process before the tacacs server timed-out the session.

From vadud3 at gmail.com Mon Jun 4 21:06:39 2012
From: vadud3 at gmail.com (Asif Iqbal)
Date: Mon, 4 Jun 2012 17:06:39 -0400
Subject: [tac_plus] seeing lots of Read -1 bytes from router.example.net , expecting 12
In-Reply-To: <20120604205821.GY73293@shrubbery.net>
References: <20120604205821.GY73293@shrubbery.net>
Message-ID:

On Mon, Jun 4, 2012 at 4:58 PM, heasley wrote:
> Sat, Jun 02, 2012 at 02:07:57PM -0400, Asif Iqbal:
> > How do I verify if those are keep-alive requests. This url suggests I am
> > experiencing those keep-alive chats
> >
> > http://blog.xbsd.org/2010/10/20/cisco-css-and-tacacs
> >
> > I have thousands of routers. It would be lot of work to add the disable in
> > all of them.
> > Is there may be another approach to this short from ignoring this massive
> > amount of noises?
>
> there is no "tacacs keepalive" msg.
this is a timeout; ie: the router > connects, then does not proceed with the auth process before the tacacs > server timed-out the session. > any suggestion how to fix this? we were using F4.0.4 on Solaris 8 and do not remember seeing these errors. We are now running F4.0.4.19 on ubuntu 10.04 64bit LTS. -- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -------------- next part -------------- An HTML attachment was scrubbed... URL: From heas at shrubbery.net Mon Jun 4 21:35:32 2012 From: heas at shrubbery.net (heasley) Date: Mon, 4 Jun 2012 14:35:32 -0700 Subject: [tac_plus] seeing lots of Read -1 bytes from router.example.net , expecting 12 In-Reply-To: References: <20120604205821.GY73293@shrubbery.net> Message-ID: <20120604213532.GH73293@shrubbery.net> Mon, Jun 04, 2012 at 05:06:39PM -0400, Asif Iqbal: > On Mon, Jun 4, 2012 at 4:58 PM, heasley wrote: > > > Sat, Jun 02, 2012 at 02:07:57PM -0400, Asif Iqbal: > > > How do I verify if those are keep-alive requests. This url suggests I am > > > experiencing those keep-alive > > > chats > > > > > > http://blog.xbsd.org/2010/10/20/cisco-css-and-tacacs > > > > > > I have thousands of routers. It would be lot of work to add the disable > > in > > > all of them. > > > Is there may be another approach to this short from ignoring this massive > > > amount > > > of noises? > > > > there is no "tacacs keepalive" msg. this is a timeout; ie: the router > > connects, then does not proceed with the auth process before the tacacs > > server timed-out the session. > > > > any suggestion how to fix this? we were using F4.0.4 on Solaris 8 and do > not remember seeing these errors. i dont know what that config knob in the url you post does, but try it. but, its more likely what others have suggested - probing attempts either to the router or directly to the daemon. could use tcp_wrapper to block that or IP filters. 
or, could be your router config for tacacs, such as using single-connection or a change in the router code; which you'd have to debug. From David.Midlo at stfrancis.k12.mn.us Wed Jun 6 07:29:55 2012 From: David.Midlo at stfrancis.k12.mn.us (David Midlo) Date: Wed, 6 Jun 2012 02:29:55 -0500 Subject: [tac_plus] Advice for HP Procurve 2626 switches Message-ID: <0776B776A7EB6E46AAB37C133E9FF6500D2F4F9FD3@MAIL.sfsd.isd15.org> Hello, It seems HP Procurves don't report back the username when moving to enable mode. The reply after entering the password is 'invalid password'. You can find my config here http://pastebin.com/MAyFLxxF the switch is configured with the key (removed from paste). I'm having trouble finding any documentation as to how to approach this issue, any example configs or modifications/directives would be greatly appreciated. With regards, David Midlo David Midlo Discovery | Integrity | Will | Organic | Stewardship Interim Network Administrator Independent School District 15 - St Francis, Minnesota Office of School Technology Office 763 753 7154 Mobile 763 286 6335 District Information | Calendar | Helpdesk Request -------------- next part -------------- An HTML attachment was scrubbed... URL: From heas at shrubbery.net Wed Jun 6 18:48:22 2012 From: heas at shrubbery.net (heasley) Date: Wed, 6 Jun 2012 11:48:22 -0700 Subject: [tac_plus] Advice for HP Procurve 2626 switches In-Reply-To: <0776B776A7EB6E46AAB37C133E9FF6500D2F4F9FD3@MAIL.sfsd.isd15.org> References: <0776B776A7EB6E46AAB37C133E9FF6500D2F4F9FD3@MAIL.sfsd.isd15.org> Message-ID: <20120606184822.GJ58513@shrubbery.net> Wed, Jun 06, 2012 at 02:29:55AM -0500, David Midlo: > Hello, > > It seems HP Procurves don't report back the username when moving to enable mode. The reply after entering the password is 'invalid password'. You can find my config here http://pastebin.com/MAyFLxxF the switch is configured with the key (removed from paste). 
> > I'm having trouble finding any documentation as to how to approach this issue, any example configs or modifications/directives would be greatly appreciated.

you probably need to spend some quality debugging time. enable the packet and auth debugging in the daemon. if the device does not pass the username with the enable and you are using tacacs for login authentication, complain to HP. even if it does not pass one initially, the daemon should send a get_user request to get one. also see the CONFIGURING ENABLE PASSWORDS section of the user_guide and the user section of the tac_plus.conf manpage for $enab*$ references.

From David.Midlo at stfrancis.k12.mn.us Thu Jun 7 14:41:13 2012
From: David.Midlo at stfrancis.k12.mn.us (David Midlo)
Date: Thu, 7 Jun 2012 09:41:13 -0500
Subject: [tac_plus] Advice for HP Procurve 2626 switches
In-Reply-To:
Message-ID:

"I have several procurve models (2510,2610, 5120,4100) working well with tac_plus, in some models I have needed to upgrade the firmware to use privilege attributes."

This is what the problem turned out to be. After a night of firmware updates, these procurves now play nice enough with tac_plus. It should be said though that it only works if priv-lvl 15 is defined for users in tac_plus.conf on the server side and, on the switch side, issuing the command 'aaa authentication login privilege-mode'. These switches still don't seem to pass the username when logging in to user-mode and then to enable. For my environment this works as there are no level 1 network technicians who would utilize operator mode. I could see for some, however, that it could represent a problem.

Thanks for your help!

David Midlo
Discovery | Integrity | Will | Organic | Stewardship
Interim Network Administrator
Independent School District 15 - St Francis, Minnesota
Office of School Technology
Office 763 753 7154 Mobile 763 286 6335
District Information | Calendar | Helpdesk Request

From: Antonio Ojea Garcia
To: "David J. Midlo"
Cc: "tac_plus at shrubbery.net"
Subject: Re: [tac_plus] Advice for HP Procurve 2626 switches

Hello,

Could you try to put this on your tac_plus.conf ?:

user = $enable$ {
    login = cleartext "password"
}

I have several procurve models (2510,2610, 5120,4100) working well with tac_plus, in some models I have needed to upgrade the firmware to use privilege attributes.

Also you don't have the tacacs key in your procurve configuration, don't forget it ;)

2012/6/6 David Midlo
> Hello,
>
> It seems HP Procurves don't report back the username when moving to enable mode. The reply after entering the password is 'invalid password'. You can find my config here http://pastebin.com/MAyFLxxF the switch is configured with the key (removed from paste).
>
> I'm having trouble finding any documentation as to how to approach this issue, any example configs or modifications/directives would be greatly appreciated.
>
> With regards,
>
> David Midlo
>
> David Midlo
> Discovery | Integrity | Will | Organic | Stewardship
> Interim Network Administrator
> Independent School District 15 - St Francis, Minnesota
> Office of School Technology
> Office 763 753 7154 Mobile 763 286 6335
> District Information | Calendar | Helpdesk Request
From antonio.ojea.garcia at gmail.com Thu Jun 7 07:02:30 2012
From: antonio.ojea.garcia at gmail.com (Antonio Ojea Garcia)
Date: Thu, 7 Jun 2012 09:02:30 +0200
Subject: [tac_plus] Advice for HP Procurve 2626 switches
In-Reply-To: <09450c6966574882a68e4098037e194c@HUB1-PRO.xunta.local>
References: <09450c6966574882a68e4098037e194c@HUB1-PRO.xunta.local>
Message-ID:

Hello,

Could you try to put this on your tac_plus.conf ?:

user = $enable$ {
    login = cleartext "password"
}

I have several procurve models (2510,2610, 5120,4100) working well with tac_plus, in some models I have needed to upgrade the firmware to use privilege attributes.

Also you don't have the tacacs key in your procurve configuration, don't forget it ;)

2012/6/6 David Midlo
> Hello,
>
> It seems HP Procurves don't report back the username when moving to enable
> mode. The reply after entering the password is 'invalid password'. You can
> find my config here http://pastebin.com/MAyFLxxF the switch is
> configured with the key (removed from paste).
>
> I'm having trouble finding any documentation as to how to approach this
> issue, any example configs or modifications/directives would be greatly
> appreciated.
>
> With regards,
>
> David Midlo
>
> David Midlo
> Discovery | Integrity | Will | Organic | Stewardship
>
> Interim Network Administrator
> Independent School District 15 - St Francis, Minnesota
> Office of School Technology
>
> Office 763 753 7154 Mobile 763 286 6335
> District Information | Calendar <http://www.google.com/calendar/embed?src=david.midlo%40stfrancis.k12.mn.us&ctz=America/Chicago%22%20style=%22border:%200%22%20width=%22800%22%20height=%22600%22%20frameborder=%220%22%20scrolling=%22no%22>
> | Helpdesk Request <http://saints/OST/Lists/Helpdesk%20Request/NewForm.aspx>

From CMullett at express-news.net Fri Jun 8 16:28:34 2012
From: CMullett at express-news.net (Mullett, Cynthia)
Date: Fri, 8 Jun 2012 11:28:34 -0500
Subject: [tac_plus] tacplus assistance
Message-ID: <2E1610A2C3656A40ADF73E1C2D6EF4B707A61CD3@RHOUEVS03.resource.hearstcorp.com>

Hi,

I downloaded and installed tacacs+=F4.0.4.25

with a successful ./configure and make install however, I do not know where to find the tac_plus.conf. I ran a find from / and didn't see it. it's not in /etc. is it something I have to make or is there a file somewhere? any help will be appreciated.

Linux redhat 6.1 x86_64 on sun blade

--------------------------------------
Cynthia E. Mullett
Publishing Systems Applications Specialist II
San Antonio Express-News
210.250.3048

========================================================
This e-mail message is intended only for the personal use of the recipient(s) named above. If you are not an intended recipient, you may not review, copy or distribute this message. If you have received this communication in error, please notify the sender immediately by e-mail and delete the original message.
========================================================
From heas at shrubbery.net Fri Jun 8 18:10:16 2012
From: heas at shrubbery.net (heasley)
Date: Fri, 8 Jun 2012 11:10:16 -0700
Subject: [tac_plus] tacplus assistance
In-Reply-To: <2E1610A2C3656A40ADF73E1C2D6EF4B707A61CD3@RHOUEVS03.resource.hearstcorp.com>
References: <2E1610A2C3656A40ADF73E1C2D6EF4B707A61CD3@RHOUEVS03.resource.hearstcorp.com>
Message-ID: <20120608181016.GB98875@shrubbery.net>

Fri, Jun 08, 2012 at 11:28:34AM -0500, Mullett, Cynthia:
> I downloaded and installed tacacs+=F4.0.4.25
>
> with a successful ./configure and make install however, I do not know
> where to find the tac_plus.conf. I ran a find from / and didn't see it.
> it's not in /etc. is it something I have to make or is there a file
> somewhere? any help will be appreciated.

it is something that you create. i've attached a sample.

-------------- next part --------------
key = "your key here"

# logging destination
logging = daemon

# destination of accounting data
#accounting syslog;
# OR
accounting file = /var/log/tac.acct

# authentication for users not appearing elsewhere via
# the file /etc/passwd
default authentication = file /etc/passwd

acl = dial_only {
    # All access routers are in 192.168/16. However, except for
    # 192.168.0.1 all backbone routers are in 198.168.0/24.
    # Deny access to the backbone routers.
    permit = ^192\.168\.0\.1$
    deny = ^192\.168\.0\.
    permit = ^192\.168\.
}

group = no_backbone {
    # permit an exec to start and permit all commands and
    # services by default
    default service = permit

    service = exec {
        # When an exec is started, its connection access list
        # will be 4. "acl" is quoted because it is a keyword.
        # It also has an autocmd
        "acl" = 4
        autocmd = "telnet duffhost"
    }

    # group will only be allowed to login on NASes
    acl = dial_only
}

group = admin {
    # group members who don't have their own login password will be
    # looked up in /etc/passwd
    login = file /etc/passwd
    # login = (cleartext | des | PAM | skey | nopassword)

    # group members who have no expiry date set will use this one
    expires = "Jan 1 1997"

    # deny access to backbone routers
    acl = dial_only
}

user = DEFAULT {
    default service = permit
    service = ppp protocol = ip {
        addr-pool=foobar
    }
}

user = homer {
    default service = permit
    login = PAM
    enable = cleartext myenablepwd
    enable = des mEX027bHtzTlQ
    enable = file /etc/passwd
    member = no_backbone
}

user = fred {
    login = des mEX027bHtzTlQ
    name = "Fred Flintstone"
    member = admin
    enable = nopassword
    expires = "May 23 2005"

    arap = cleartext "Fred's arap secret"
    chap = cleartext "Fred's chap secret"

    service = exec {
        # When Fred starts an exec, his connection access
        # list is 5
        "acl" = 5

        # We require this autocmd to be done at startup
        autocmd = "telnet foo"
    }

    # All commands except show system are denied for Fred
    cmd = show {
        # Fred can run the following show command
        permit system
        deny .*
    }

    service = ppp protocol = ip {
        # Fred can run ip over ppp only if he uses one
        # of the following mandatory addresses. If he
        # supplies no address, the first one here will
        # be mandated
        addr=131.108.12.11
        addr=131.108.12.12
        addr=131.108.12.13
        addr=131.108.12.14

        # Fred's mandatory input access list number is 101
        inacl=101

        # We will suggest an output access list of 102, but the NAS may
        # choose to ignore or override it
        optional outacl=102
    }

    service = slip {
        # Fred can run slip. When he does, he will have to use
        # these mandatory access lists
        inacl=101
        outacl=102
    }
}

user = wilma {
    # Wilma has no password of her own, but she's a group member so
    # she'll use the group password if there is one.  Same for her
    # password expiry date
    member = admin
}

From Peter.Tavenier at vancis.nl Mon Jun 11 09:16:48 2012
From: Peter.Tavenier at vancis.nl (Peter Tavenier)
Date: Mon, 11 Jun 2012 09:16:48 +0000
Subject: [tac_plus] Tacacs and MRV Labdadriver
Message-ID:

Hi,

Does anyone on the list have experience with Tacacs and MRV Labdadriver 800?
We're running tac_plus on linux, but I don't get it working.

We get messages like:

Tue May 8 08:05:30 2012 [1182]: connect from 192.168.x.x [192.168.x.x]
Tue May 8 08:05:30 2012 [1182]: pap-login query for 'admin' unknown from 192.168.x.x rejected
Tue May 8 08:05:30 2012 [1182]: login failure: admin 192.168.x.x (192.168.x.x) unknown

The "from 'admin' unknown" sounds weird to me. Any suggestions where to look?

Best regards,
Peter

From heas at shrubbery.net Mon Jun 11 15:09:13 2012
From: heas at shrubbery.net (heasley)
Date: Mon, 11 Jun 2012 08:09:13 -0700
Subject: [tac_plus] Tacacs and MRV Labdadriver
In-Reply-To:
References:
Message-ID: <20120611150913.GC14763@shrubbery.net>

Mon, Jun 11, 2012 at 09:16:48AM +0000, Peter Tavenier:
> Hi,
>
> Does anyone on the list have experience with Tacacs and MRV Labdadriver 800?
> We're running tac_plus on linux, but I don't get it working.
>
> We get messages like:
> Tue May 8 08:05:30 2012 [1182]: connect from 192.168.x.x [192.168.x.x]
> Tue May 8 08:05:30 2012 [1182]: pap-login query for 'admin' unknown from 192.168.x.x rejected
> Tue May 8 08:05:30 2012 [1182]: login failure: admin 192.168.x.x (192.168.x.x) unknown
>
> The "from 'admin' unknown" sounds weird to me. Any suggestions where to look?

that should be more like "pap-login query for '%s' port %s from %s %s".
it's probably your configuration; perhaps missing a password source for pap service.

user = foo {
    pap = file ....
}

From Peter.Tavenier at vancis.nl Tue Jun 12 06:20:26 2012
From: Peter.Tavenier at vancis.nl (Peter Tavenier)
Date: Tue, 12 Jun 2012 06:20:26 +0000
Subject: [tac_plus] Tacacs and MRV Labdadriver
In-Reply-To: <20120611150913.GC14763@shrubbery.net>
References: <20120611150913.GC14763@shrubbery.net>
Message-ID:

> -----Original Message-----
> From: heasley [mailto:heas at shrubbery.net]
> Sent: Monday 11 June 2012 17:09
> To: Peter Tavenier
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] Tacacs and MRV Labdadriver
>
> Mon, Jun 11, 2012 at 09:16:48AM +0000, Peter Tavenier:
> > Hi,
> >
> > Does anyone on the list have experience with Tacacs and MRV Labdadriver 800?
> > We're running tac_plus on linux, but I don't get it working.
> >
> > We get messages like:
> > Tue May 8 08:05:30 2012 [1182]: connect from 192.168.x.x [192.168.x.x]
> > Tue May 8 08:05:30 2012 [1182]: pap-login query for 'admin' unknown from 192.168.x.x rejected
> > Tue May 8 08:05:30 2012 [1182]: login failure: admin 192.168.x.x (192.168.x.x) unknown
> >
> > The "from 'admin' unknown" sounds weird to me. Any suggestions where to look?
>
> that should be more like "pap-login query for '%s' port %s from %s %s".
> it's probably your configuration; perhaps missing a password source for
> pap service.
>
> user = foo {
>     pap = file ....
> }

Thanks for the quick response. I have a configuration like:

> user = foo {
>     login = des ...
>     pap = des ...
>     member = groupx
>     name = "foo bar"
> }

Should I use a file instead of 'des ...'? What should be in that file?
Best regards, Peter From heas at shrubbery.net Tue Jun 12 06:36:24 2012 From: heas at shrubbery.net (heasley) Date: Tue, 12 Jun 2012 06:36:24 +0000 Subject: [tac_plus] Tacacs and MRV Labdadriver In-Reply-To: References: <20120611150913.GC14763@shrubbery.net> Message-ID: <20120612063624.GA45774@shrubbery.net> Tue, Jun 12, 2012 at 06:20:26AM +0000, Peter Tavenier: > > -----Original Message----- > > From: heasley [mailto:heas at shrubbery.net] > > Sent: maandag 11 juni 2012 17:09 > > To: Peter Tavenier > > Cc: tac_plus at shrubbery.net > > Subject: Re: [tac_plus] Tacacs and MRV Labdadriver > > > > Mon, Jun 11, 2012 at 09:16:48AM +0000, Peter Tavenier: > > > Hi, > > > > > > Does anyone on the list have experience with Tacacs and MRV Labdadriver > > 800? > > > We're running tac_plus on linux, but I don't get is working. > > > > > > We get message like: > > > Tue May 8 08:05:30 2012 [1182]: connect from 192.168.x.x [192.168.x.x] > > > Tue May 8 08:05:30 2012 [1182]: pap-login query for 'admin' unknown from > > 192.168.x.x rejected > > > Tue May 8 08:05:30 2012 [1182]: login failure: admin 192.168.x.x > > (192.168.x.x) unknown > > > > > > The "from 'admin' unknown" sound weird to me. Any suggestions where to > > look at? > > > > that should be more like "pap-login query for '%s' port %s from %s %s". > > its probably your configuration; perhaps missing a password source for > > pap service. > > > > user = foo { > > pap = file .... > > } > > Thanks for the quick response. I have a configuration like: > > user = foo { > login = des ... > pap = des ... > member = groupx > name = "foo bar" > } > > Should I use a file instead of 'des ...'? What should be in that file? that should be fine. enable more debugging, specify -d multiple times or OR them. perhaps you are missing 'default authorization'. 
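Added example (editor's, not tac_plus code and not from anyone in these threads): the client and server halves of the PAP authentication START that a device like Peter's sends, which the daemon logs as a "pap-login query". It also ties back to the "Read -1 bytes ... expecting 12" thread earlier on this page: the 12 bytes are the fixed TACACS+ header (RFC 8907 section 4.1, which documents the same wire format the 1997 draft described) that the server reads before anything else; only then does it know how much body to read and deobfuscate with the shared key (section 4.5). The key, session id and credentials below are constructed. A wrong key does not fail at this layer; it yields garbage lengths and names, so a username that looks mangled in the daemon log is worth comparing against the key before you go looking at the user configuration.

```python
"""Build and decode a TACACS+ PAP authentication START packet (RFC 8907).

Added example; not code from tac_plus or from anyone in these threads.
The shared secret, session id and credentials are constructed values.
"""
import hashlib
import struct

HEADER_LEN = 12              # what the daemon reads first: "expecting 12"
HEADER_FMT = "!BBBBII"       # version, type, seq_no, flags, session_id, length

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_ONE = 0x1        # minor version 1: PAP/CHAP carried in START
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04

TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """Section 4.5 pad: chained MD5 over session_id | key | version | seq_no | prev."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call reverses it (XOR is an involution)."""
    if not key:                 # no shared secret: body goes on the wire in clear
        return body
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_pap_start(user, password, port, rem_addr, key, session_id, single_connect=False):
    """Client side: authentication START, authen_type PAP, seq_no 1."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_ONE
    u, p, r, d = (s.encode() for s in (user, port, rem_addr, password))
    body = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_PAP,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d))
    body += u + p + r + d                      # for PAP the password rides in data
    flags = TAC_PLUS_SINGLE_CONNECT_FLAG if single_connect else 0
    if not key:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHEN, 1, flags, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, 1)


def parse_header(data):
    """Server side, step one: the fixed 12-byte header, or ValueError on a short read."""
    if len(data) < HEADER_LEN:
        raise ValueError(f"Read {len(data)} bytes, expecting {HEADER_LEN}")
    fields = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    return dict(zip(("version", "type", "seq_no", "flags", "session_id", "length"), fields))


def parse_pap_start(packet, key):
    """Server side, step two: the body, deobfuscated unless the clear flag is set."""
    hdr = parse_header(packet)
    body = packet[HEADER_LEN:HEADER_LEN + hdr["length"]]
    if len(body) != hdr["length"]:
        raise ValueError("truncated body")
    if not hdr["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, hdr["session_id"], key, hdr["version"], hdr["seq_no"])
    action, priv_lvl, authen_type, service, *lens = struct.unpack("!BBBBBBBB", body[:8])
    parts, off = [], 8
    for n in lens:                             # user, port, rem_addr, data in order
        parts.append(body[off:off + n])
        off += n
    # With the wrong key the pad is wrong and these come out as garbage, which
    # is exactly what a key mismatch looks like from the daemon's side.
    user, port, rem_addr, data = (x.decode(errors="replace") for x in parts)
    return {**hdr, "action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user, "port": port, "rem_addr": rem_addr,
            "password": data}


if __name__ == "__main__":
    KEY = b"example-shared-secret"              # constructed, not a real secret
    pkt = build_pap_start("admin", "s3cret", "tty0", "192.168.0.10", KEY, 0x01020304)
    print(parse_header(pkt))
    print(parse_pap_start(pkt, KEY)["user"], parse_pap_start(pkt, b"wrong")["user"])
```

The header travels in the clear, which is why the daemon can log the peer and the expected length even when it never gets a body, and why `single-connection` on the router shows up as nothing more than a flag bit in that header. Everything after the header depends on the key, and MD5-XOR obfuscation is not encryption: anyone who can see the traffic and knows or guesses the key reads the PAP password, so keep TACACS+ on a management network.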
From pchannon at central1.com Tue Jun 26 17:29:24 2012 From: pchannon at central1.com (Phill Channon) Date: Tue, 26 Jun 2012 10:29:24 -0700 Subject: [tac_plus] Release notes Message-ID: Hello, Just wondering where (if at all) there are release notes between version updates when they get published ? We are running F4.0.4.23 and just wondering if we get much benefits to upgrading to 4.26. I just joined the announce list, perhaps this is where its normally posted ? Also, I can't find where/if any of the current versions support IPv6, is there already support or on a roadmap at all ? Thanks, Phill. From vadud3 at gmail.com Wed Jun 27 02:28:22 2012 From: vadud3 at gmail.com (Asif Iqbal) Date: Tue, 26 Jun 2012 22:28:22 -0400 Subject: [tac_plus] Release notes In-Reply-To: References: Message-ID: On Tue, Jun 26, 2012 at 1:29 PM, Phill Channon wrote: > Hello, > > Just wondering where (if at all) there are release notes between version > updates when they get published ? > > We are running F4.0.4.23 and just wondering if we get much benefits to > upgrading to 4.26. > > CHANGES file is what you are looking for > I just joined the announce list, perhaps this is where its normally posted > ? > > Also, I can't find where/if any of the current versions support IPv6, is > there already support or on a roadmap at all ? > > Thanks, > Phill. > _______________________________________________ > tac_plus mailing list > tac_plus at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus > -- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From heas at shrubbery.net Thu Jun 28 22:42:47 2012 From: heas at shrubbery.net (heasley) Date: Thu, 28 Jun 2012 15:42:47 -0700 Subject: [tac_plus] Release notes In-Reply-To: References: Message-ID: <20120628224247.GN29941@shrubbery.net> Tue, Jun 26, 2012 at 10:29:24AM -0700, Phill Channon: > Hello, > > Just wondering where (if at all) there are release notes between version updates when they get published ? > > We are running F4.0.4.23 and just wondering if we get much benefits to upgrading to 4.26. > > I just joined the announce list, perhaps this is where its normally posted ? normally, yes. I've added the CHANGES file to the web page. > Also, I can't find where/if any of the current versions support IPv6, is there already support or on a roadmap at all ? i've only had fleeting thoughts about v6. I haven't looked into what code is defective WRT v6. From pchannon at central1.com Thu Jun 28 22:55:54 2012 From: pchannon at central1.com (Phill Channon) Date: Thu, 28 Jun 2012 15:55:54 -0700 Subject: [tac_plus] Release notes In-Reply-To: <20120628224247.GN29941@shrubbery.net> References: <20120628224247.GN29941@shrubbery.net> Message-ID: <2A22A9C6-AC5F-4F8C-91F9-81E3D244E2DE@central1.com> Thanks, that would be handy to have on the site - looks good. I'm happy to be a guinea pig for any IPv6 tac_plus testing if needed :) On 2012-06-28, at 3:42 PM, heasley wrote: > Tue, Jun 26, 2012 at 10:29:24AM -0700, Phill Channon: >> Hello, >> >> Just wondering where (if at all) there are release notes between version updates when they get published ? >> >> We are running F4.0.4.23 and just wondering if we get much benefits to upgrading to 4.26. >> >> I just joined the announce list, perhaps this is where its normally posted ? > > normally, yes. I've added the CHANGES file to the web page. > >> Also, I can't find where/if any of the current versions support IPv6, is there already support or on a roadmap at all ? > > i've only had fleeting thoughts about v6. 
I haven't looked into what code is > defective WRT v6. From A.L.M.Buxey at lboro.ac.uk Thu Jun 28 07:42:11 2012 From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey) Date: Thu, 28 Jun 2012 07:42:11 +0000 Subject: [tac_plus] IPv6 support in tac_plus Message-ID: <04E66786-1E51-4EC3-8917-43617AF6E532@lboro.ac.uk> hi, just wondering what the progress/status is for IPv6 support in tac_plus ? many thanks alan