From: dagmid_d at yahoo.com (Dagia Dorjsuren)
Date: Thu, 1 Mar 2012 02:12:25 -0800 (PST)
Subject: [tac_plus] how to deny some commands
Message-ID: <1330596745.93251.YahooMailNeo@web33905.mail.mud.yahoo.com>

Hello,

I have a question about TACACS+. How do I deny the "interface fastethernet x/x" command after the "configure terminal" command has been entered? Can anyone help me, please?

Thanks

From: gabbawp at gmail.com (Gareth Hopkins)
Date: Fri, 2 Mar 2012 08:01:52 +0200
Subject: [tac_plus] how to deny some commands
In-Reply-To: <1330596745.93251.YahooMailNeo@web33905.mail.mud.yahoo.com>
References: <1330596745.93251.YahooMailNeo@web33905.mail.mud.yahoo.com>
Message-ID: <6B1C571E-2582-4557-BF7A-E94E2FFBA622@gmail.com>

Hi,

You can specify something as follows:

cmd = interface {
    deny "fastethernet x/x"
    permit .*
}

Cheers,
Gareth
From: vollkommen at gmx.net (YJZ)
Date: Sat, 03 Mar 2012 07:33:24 +0100
Subject: [tac_plus] patch of tacacs+-F4.0.4.23 & tacacs+-F5.0.0a1 for Mac OS X 10.6 or higher
Message-ID: <20120303063324.322690@gmx.net>

Hello Shrubbery Networks,

Since Apple has switched back from /usr/include/pam (OS X 10.0 through 10.5) to using the same /usr/include/security as other UNICES on OS X 10.6 and up, tacacs+-F4.0.4.23 and tacacs+-F5.0.0a1 now need the following small patch in order to compile on the latest OS X releases (10.6, 10.7, and probably 10.8).

diff -rupN pwlib.c.orig pwlib.c > pwlib.c.diff

--- pwlib.c.orig 2012-01-23 16:05:22.000000000 -0800
+++ pwlib.c 2012-03-02 22:16:11.000000000 -0800
@@ -32,7 +32,11 @@
#if HAVE_PAM
# ifdef __APPLE__ /* MacOS X */
-# include
+# if __ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__ >= 1060
+# include
+# else
+# include
+# endif
# else
# include
# endif

Best Regards,
YiJia Zhang
_/_/_/ mailto:vollkommen at gmx.net
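Review bot: the `#include` targets are missing from the `-# include` line and from both `+# include` lines of the `@@ -32,7 +32,11 @@` hunk, so the patch as shown cannot be applied; the angle-bracketed header names appear to have been dropped when the message was archived as HTML. Please resend the diff as an attachment, or with the header paths intact. Separately, `__ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__` reflects the deployment target (`-mmacosx-version-min`), not the SDK or the host release, so a build on 10.7 with an older deployment target still takes the pre-10.6 branch; an `AC_CHECK_HEADERS` probe for the two candidate headers at configure time would be more robust than this version compare.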
From: daveycraney at gmail.com (David Crane)
Date: Mon, 5 Mar 2012 16:37:45 +0000
Subject: [tac_plus] Granular restrictions of the "show" commands

Hi,

I'm trying to restrict the running of show commands on a more granular level. I just can't figure out how to do it.

What I want is for a user to be able to perform

show run interface fa0/1 (for example)

but not perform a

show run

or

show run interface vlan

The relevant tac config is

cmd = "show" {
    permit "/^running-config interface/"
}

This appears to just allow all show commands. I've tried different expressions after googling several different configs, but everything I try appears to either deny all show commands or allow them all.

I believe this is possible to do. I just need to know what I'm missing and how this should be formatted.

Much appreciated.

Dave.
From: bphelps at gls.com (Brandon Phelps)
Date: Mon, 05 Mar 2012 13:46:51 -0500
Subject: [tac_plus] Granular restrictions of the "show" commands
Message-ID: <4F550A1B.7090703@gls.com>

Have you added the appropriate aaa authorization lines to your device? If these lines were working properly then the user should not be able to perform any action at all, since the default is to deny everything (unless you have a default service = permit line and neglected to mention it).
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Mon, 5 Mar 2012 22:22:53 +0200
Subject: [tac_plus] Granular restrictions of the "show" commands
Message-ID: <20120305222253.3a476208@khamul.example.com>

On Mon, 5 Mar 2012 16:37:45 +0000 David Crane wrote:

> What I want is a user to be able to perform
>
> show run interface fa0/1 (For example)
>
> but not perform a
>
> show run
>
> or
>
> show run interface vlan
>
> relevant tac config is
>
> cmd = "show" {
> permit "/^running-config interface/"
> }

Omit the backslashes here, you do not need them. This is not running in a shell environment, so there's no need to escape things, neither do you need to escape the closing quote.

It's also useful to run tac_plus with -d8; the daemon will log what it tries to match and whether it succeeded or failed.

-- 
Alan McKinnon
alan.mckinnon at gmail.com
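Both clauses in this archive, Gareth Hopkins' `cmd = interface { deny "fastethernet x/x" permit .* }` reply to Dagia and David Crane's `cmd = "show" { permit "/^running-config interface/" }`, hinge on how tac_plus matches command arguments. The script below is an added example; it is not tac_plus code and was not posted by anyone in these threads. It parses the `cmd = ... { permit|deny <regex> }` subset of tac_plus.conf and applies the matching rule as the tac_plus.conf manual describes it: the NAS's cmd-arg values are joined with spaces, each regex is searched in file order, the first hit decides, no hit means deny, and a command with no clause at all is denied unless `default service = permit` applies. That rule, the equivalence of these simple POSIX patterns under Python's `re`, and the argument spelling IOS sends (assumed here to be `FastEthernet0/1`, followed by a trailing `<cr>` argument) are assumptions; Alan's `-d8` tip is the way to confirm them against your daemon. The cases show that `x/x` in the posted deny is three literal characters, that the slash-delimited `show` regex can match nothing, and a corrected clause for each.

```python
"""Emulate tac_plus command authorisation for 'cmd = X { permit|deny REGEX }'
clauses.  Added example: not tac_plus code.  Matching rules assumed from the
tac_plus.conf manual: the NAS's cmd-arg values are joined with single spaces,
each regex is searched (regexec(), unanchored) in file order, the first hit
decides, no hit denies, and a command without any 'cmd' clause is denied
unless the user carries 'default service = permit'.  Confirm with -d8."""
import re

CLAUSE_RE = re.compile(r'cmd\s*=\s*"?([^\s"{]+)"?\s*\{([^}]*)\}')
RULE_RE = re.compile(r'\b(permit|deny)\s+("[^"]*"|\S+)')


def parse_cmd_clauses(conf_text):
    """Return {command: [(action, regex), ...]} from the 'cmd = ...' clauses."""
    text = re.sub(r'#[^\n]*', '', conf_text)           # strip comments
    return {name: [(act, rx.strip('"')) for act, rx in RULE_RE.findall(body)]
            for name, body in CLAUSE_RE.findall(text)}


def authorize(clauses, cmd_args, default_permit=False):
    """Decide one request; cmd_args is the command word then its cmd-arg values
    (IOS ends the list with '<cr>').  Returns (decision, reason)."""
    command, args = cmd_args[0], " ".join(cmd_args[1:])
    rules = clauses.get(command)
    if rules is None:
        return ("permit" if default_permit else "deny",
                "no 'cmd = %s' clause" % command)
    for action, pattern in rules:
        if re.search(pattern, args):                   # first match wins
            return (action, "%s %r matched %r" % (action, pattern, args))
    return ("deny", "nothing in 'cmd = %s' matched %r" % (command, args))


# Gareth's clause as posted: "x/x" is three literal characters, so a real port
# such as 0/1 never hits the deny and falls through to 'permit .*'.
INTERFACE_AS_POSTED = '''
cmd = interface {
    deny "fastethernet x/x"
    permit .*
}
'''
# Corrected: match a port number, with the capitalisation IOS is assumed to
# send (FastEthernet0/1); POSIX ERE has no (?i), hence the bracket classes.
INTERFACE_FIXED = '''
cmd = interface {
    deny "[Ff]ast[Ee]thernet ?[0-9]+/[0-9]+"
    permit .*
}
'''
# David's clause as posted: the slashes are part of the regex and "/^" can
# match nowhere, so no rule matches and every show command is denied.
SHOW_AS_POSTED = '''
cmd = "show" {
    permit "/^running-config interface/"
}
'''
# Corrected: only "show running-config interface <FastEthernet port>" passes.
# No '$' anchor because IOS appends a '<cr>' argument.
SHOW_FIXED = '''
cmd = show {
    permit "^running-config interface [Ff]a(st[Ee]thernet)? ?[0-9]+/[0-9]+"
    deny .*
}
'''

CASES = {
    "interface_as_posted": (INTERFACE_AS_POSTED, ["interface", "FastEthernet0/1", "<cr>"]),
    "interface_fixed":     (INTERFACE_FIXED, ["interface", "FastEthernet0/1", "<cr>"]),
    "interface_vlan":      (INTERFACE_FIXED, ["interface", "Vlan10", "<cr>"]),
    "show_as_posted":      (SHOW_AS_POSTED, ["show", "running-config", "interface", "fa0/1", "<cr>"]),
    "show_fixed_port":     (SHOW_FIXED, ["show", "running-config", "interface", "fa0/1", "<cr>"]),
    "show_fixed_whole":    (SHOW_FIXED, ["show", "running-config", "<cr>"]),
    "show_fixed_vlan":     (SHOW_FIXED, ["show", "running-config", "interface", "vlan", "10", "<cr>"]),
}


def demo():
    """Evaluate every case; returns {name: decision} and prints the reasons."""
    results = {}
    for name, (conf, request) in CASES.items():
        decision, reason = authorize(parse_cmd_clauses(conf), request)
        results[name] = decision
        print("%-20s %-6s %s" % (name, decision, reason))
    return results


if __name__ == "__main__":
    demo()
```

Running it prints one decision per case. Whatever the clauses say, the device must be configured to ask: without the `aaa authorization commands` lines Brandon Phelps mentions, no request reaches tac_plus and every command runs.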
From: henry.nicolas at tourneur.be (Henry-Nicolas Tourneur)
Date: Tue, 06 Mar 2012 11:52:57 +0100
Subject: [tac_plus] Tacacs+ versioning questions
Message-ID: <5cc34a566062d2c89730b12e6f8c8264@localhost>

Hello everybody,

I'm packaging Tacacs+ for Debian and it's running on an old version (4.0.4.19), so I'm going to upgrade the package to the recommended version. I saw that there's a version 5.0.0a1 and a 4.0.4.23, but version 4 has been uploaded more recently on the FTP [0].

So, I was wondering, which version should be used? If version 5 is the latest stable one, is it compatible with the configuration file syntax used in the previous versions?

Thanks for your help :)

Henry-Nicolas Tourneur.

[0] ftp://ftp.shrubbery.net/pub/tac_plus/
From: heas at shrubbery.net (heasley)
Date: Tue, 6 Mar 2012 18:35:11 +0000
Subject: [tac_plus] Tacacs+ versioning questions
In-Reply-To: <5cc34a566062d2c89730b12e6f8c8264@localhost>
References: <5cc34a566062d2c89730b12e6f8c8264@localhost>
Message-ID: <20120306183511.GE51365@shrubbery.net>

Tue, Mar 06, 2012 at 11:52:57AM +0100, Henry-Nicolas Tourneur:
> I'm packaging Tacacs+ for Debian and it's running on an old version
> (4.0.4.19), so I'm going to upgrade the package to the recommended version.
> I saw that there's a version 5.0.0a1 and a 4.0.4.23 but the version 4 has
> been uploaded more recently on the FTP [0].
>
> So, I was wondering, which version should be used?

use 4. 5 is an alpha version; not really ready for production and does not yet include all updates from 4.

> If the version 5 is the latest stable one, is it compatible with the
> configuration file syntax used in the previous versions?
From: nicotine at warningg.com (Brandon Ewing)
Date: Wed, 7 Mar 2012 15:09:37 -0600
Subject: [tac_plus] Rehash, PAM as default auth
Message-ID: <20120307210937.GF15660@radiological.warningg.com>

Greetings,

I've searched for a few hours now, on the list and in Google, but can't seem to find my answer. I seem to remember there being a patch to allow default authentication = PAM in the TACACS configuration file, and then defining a user = { } authorization stanza to handle device and command authorization. Despite all my googling, I am unable to find any reference to this patch. Can anyone provide some pointers?

-- 
Brandon Ewing (nicotine at warningg.com)

From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Wed, 7 Mar 2012 14:48:59 -0700
Subject: [tac_plus] Rehash, PAM as default auth
In-Reply-To: <20120307210937.GF15660@radiological.warningg.com>
References: <20120307210937.GF15660@radiological.warningg.com>
Message-ID: <118082be9ecc6b3fd105ea5233bcf4f5@mail.gmail.com>

I think it was incorporated. (Or somebody correct me.) I'm thinking the syntax you want would be:

default authentication = PAM

user = DEFAULT {
    member = silly_group
}

group = silly_group {
    default service = permit
    //services, do_auth, & whatever else
}

If you get it working, you may consider writing a howto. Some people have offered advice, but I don't think anybody has written a detailed "howto", especially one geared toward the "ldap-clueless."
E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.
From: nicotine at warningg.com (Brandon Ewing)
Date: Wed, 7 Mar 2012 16:05:09 -0600
Subject: [tac_plus] Rehash, PAM as default auth
In-Reply-To: <118082be9ecc6b3fd105ea5233bcf4f5@mail.gmail.com>
References: <20120307210937.GF15660@radiological.warningg.com> <118082be9ecc6b3fd105ea5233bcf4f5@mail.gmail.com>
Message-ID: <20120307220509.GG15660@radiological.warningg.com>

On Wed, Mar 07, 2012 at 02:48:59PM -0700, Daniel Schmidt wrote:
> I think it was incorporated. (or somebody correct me) I'm thinking the
> syntax you want would be:
>
> default authentication = PAM

tac_plus F4.0.4.19 throws an error on this line, which is why I think a patch is necessary -- I could've sworn there was one, but I can't find it.

> user = DEFAULT {
>     member = silly_group
> }
>
> group = silly_group {
>     default service = permit
>     //services, do_auth, & whatever else
> }

This seems about right.

> If you get it working, you may consider writing a howto. Some people have
> offered advice, but I don't think anybody has written a detailed "howto"
> especially one geared toward the "ldap-clueless."

I'll definitely consider that. I have already incorporated a patch or two into my tac_plus installation (mostly just using the user's auth for the enable password as well, for ASA devices), and need to write up support docs internally anyway.

-- 
Brandon Ewing (nicotine at warningg.com)
From: jnathan at salesforce.com (Jon Nathan)
Date: Thu, 8 Mar 2012 07:20:10 -0800
Subject: [tac_plus] Rehash, PAM as default auth
In-Reply-To: <20120307220509.GG15660@radiological.warningg.com>

http://www.shrubbery.net/pipermail/tac_plus/2011-May/000882.html

-Jon
From: astaroba at hotmail.com (Ariel Staroba)
Date: Mon, 12 Mar 2012 15:55:22 -0300
Subject: [tac_plus] PAP - Tacacs 4.19

Hello,

We use Tacacs Plus version 4.19. It's very stable and reliable, but we have problems with some switches validating with PAP, like the Enterasys S4 and N7. We debugged the validation session on the Tacacs server and these are the results:

Validation error (ssh):

Mar 6 11:29:26 TACACS tac_plus[24992]: session.peerip is 129.214.14.141
Mar 6 11:29:26 TACACS tac_plus[24992]: session request from 129.214.14.141 sock=2
Mar 6 11:29:26 TACACS tac_plus[25436]: connect from 129.214.14.141 [129.214.14.141]
Mar 6 11:29:26 TACACS tac_plus[25436]: Waiting for packet
Mar 6 11:29:26 TACACS tac_plus[25436]: Read AUTHEN/START size=55
Mar 6 11:29:26 TACACS tac_plus[25436]: validation request from 129.214.14.141
Mar 6 11:29:26 TACACS tac_plus[25436]: PACKET: key=xxxxxx
Mar 6 11:29:26 TACACS tac_plus[25436]: version 193 (0xc1), type 1, seq no 1, flags 0x1
Mar 6 11:29:26 TACACS tac_plus[25436]: session_id 3989435205 (0xedc9f345), Data length 43 (0x2b)
Mar 6 11:29:26 TACACS tac_plus[25436]: End header
Mar 6 11:29:26 TACACS tac_plus[25436]: type=AUTHEN/START, priv_lvl = 0
Mar 6 11:29:26 TACACS tac_plus[25436]: action=login
Mar 6 11:29:26 TACACS tac_plus[25436]: authen_type=pap
Mar 6 11:29:26 TACACS tac_plus[25436]: service=login
Mar 6 11:29:26 TACACS tac_plus[25436]: user_len=10 port_len=3 (0x3), rem_addr_len=13 (0xd)
Mar 6 11:29:26 TACACS tac_plus[25436]: data_len=9
Mar 6 11:29:26 TACACS tac_plus[25436]: User:
Mar 6 11:29:26 TACACS tac_plus[25436]: aorellanop
Mar 6 11:29:26 TACACS tac_plus[25436]: port:
Mar 6 11:29:26 TACACS tac_plus[25436]: ssh
Mar 6 11:29:26 TACACS tac_plus[25436]: rem_addr:
Mar 6 11:29:26 TACACS tac_plus[25436]: 10.96.155.223
Mar 6 11:29:26 TACACS tac_plus[25436]: data:
Mar 6 11:29:26 TACACS tac_plus[25436]: PEPExxx
Mar 6 11:29:26 TACACS tac_plus[25436]: End packet
Mar 6 11:29:26 TACACS tac_plus[25436]: Authen Start request
Mar 6 11:29:26 TACACS tac_plus[25436]: choose_authen chose default_fn
Mar 6 11:29:26 TACACS tac_plus[25436]: Calling authentication function
Mar 6 11:29:26 TACACS tac_plus[25436]: pap-login query for 'aorellanop' ssh from 129.214.14.141 rejected
Mar 6 11:29:26 TACACS tac_plus[25436]: login failure: aorellanop 129.214.14.141 (129.214.14.141) ssh
Mar 6 11:29:26 TACACS tac_plus[25436]: Writing AUTHEN/FAIL size=18
Mar 6 11:29:26 TACACS tac_plus[25436]: PACKET: key=xxxxxxx
Mar 6 11:29:26 TACACS tac_plus[25436]: version 193 (0xc1), type 1, seq no 2, flags 0x1
Mar 6 11:29:26 TACACS tac_plus[25436]: session_id 3989435205 (0xedc9f345), Data length 6 (0x6)
Mar 6 11:29:26 TACACS tac_plus[25436]: End header
Mar 6 11:29:26 TACACS tac_plus[25436]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
Mar 6 11:29:26 TACACS tac_plus[25436]: msg_len=0, data_len=0
Mar 6 11:29:26 TACACS tac_plus[25436]: msg:
Mar 6 11:29:26 TACACS tac_plus[25436]: data:
Mar 6 11:29:26 TACACS tac_plus[25436]: End packet
Mar 6 11:29:26 TACACS tac_plus[25436]: 129.214.14.141: disconnect

Validation ok, other switch (non N7):

Mar 6 11:15:10 TACACS tac_plus[25183]: type=AUTHEN/START, priv_lvl = 0
Mar 6 11:15:10 TACACS tac_plus[25183]: action=login
Mar 6 11:15:10 TACACS tac_plus[25183]: authen_type=ascii
Mar 6 11:15:10 TACACS tac_plus[25183]: service=login
Mar 6 11:15:10 TACACS tac_plus[25183]: user_len=10 port_len=7 (0x7), rem_addr_len=0 (0x0)
Mar 6 11:15:10 TACACS tac_plus[25183]: data_len=0
Mar 6 11:15:10 TACACS tac_plus[25183]: User:
Mar 6 11:15:10 TACACS tac_plus[25183]: aorellanop
Mar 6 11:15:10 TACACS tac_plus[25183]: port:
Mar 6 11:15:10 TACACS tac_plus[25183]: unknown
Mar 6 11:15:10 TACACS tac_plus[25183]: rem_addr:
Mar 6 11:15:10 TACACS tac_plus[25183]: data:
Mar 6 11:15:10 TACACS tac_plus[25183]: End packet
Mar 6 11:15:10 TACACS tac_plus[25183]: Authen Start request
Mar 6 11:15:10 TACACS tac_plus[25183]: choose_authen chose default_fn
Mar 6 11:15:10 TACACS tac_plus[25183]: Calling authentication function
Mar 6 11:15:10 TACACS tac_plus[25183]: Writing AUTHEN/GETPASS size=28
Mar 6 11:15:10 TACACS tac_plus[25183]: PACKET: key=xxxxxxx
Mar 6 11:15:10 TACACS tac_plus[25183]: version 192 (0xc0), type 1, seq no 2, flags 0x1
Mar 6 11:15:10 TACACS tac_plus[25183]: session_id 4520 (0x11a8), Data length 16 (0x10)
Mar 6 11:15:10 TACACS tac_plus[25183]: End header
Mar 6 11:15:10 TACACS tac_plus[25183]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
Mar 6 11:15:10 TACACS tac_plus[25183]: msg_len=10, data_len=0
Mar 6 11:15:10 TACACS tac_plus[25183]: msg:
Mar 6 11:15:10 TACACS tac_plus[25183]: Password:
Mar 6 11:15:10 TACACS tac_plus[25183]: data:
Mar 6 11:15:10 TACACS tac_plus[25183]: End packet
Mar 6 11:15:10 TACACS tac_plus[25183]: Waiting for packet
Mar 6 11:15:11 TACACS tac_plus[25183]: Read AUTHEN/CONT size=26
Mar 6 11:15:11 TACACS tac_plus[25183]: PACKET: key=xxxxxxx
Mar 6 11:15:11 TACACS tac_plus[25183]: version 192 (0xc0), type 1, seq no 3, flags 0x1
Mar 6 11:15:11 TACACS tac_plus[25183]: session_id 4520 (0x11a8), Data length 14 (0xe)
Mar 6 11:15:11 TACACS tac_plus[25183]: End header
Mar 6 11:15:11 TACACS tac_plus[25183]: type=AUTHEN/CONT
Mar 6 11:15:11 TACACS tac_plus[25183]: user_msg_len 9 (0x9), user_data_len 0 (0x0)
Mar 6 11:15:11 TACACS tac_plus[25183]: flags=0x0
Mar 6 11:15:11 TACACS tac_plus[25183]: User msg:
Mar 6 11:15:11 TACACS tac_plus[25183]: Ma!76dryn
Mar 6 11:15:11 TACACS tac_plus[25183]: User data:
Mar 6 11:15:11 TACACS tac_plus[25183]: End packet
Mar 6 11:15:11 TACACS tac_plus[25183]: Found entry for aorellanop in shadow file
Mar 6 11:15:11 TACACS tac_plus[25183]: verify PEPExxx XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Mar 6 11:15:11 TACACS tac_plus[25183]: PEPExxx encrypts to XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Mar 6 11:15:11 TACACS tac_plus[25183]: Password is correct
Mar 6 11:15:11 TACACS tac_plus[25183]: Password has not expired /bin/bash
Mar 6 11:15:11 TACACS tac_plus[25183]: cfg_acl_check(acl_argentina, 129.214.180.66)
Mar 6 11:15:11 TACACS tac_plus[25183]: ip 129.214.180.66 matched permit regex .* of acl filter acl_argentina
Mar 6 11:15:11 TACACS tac_plus[25183]: login query for 'aorellanop' unknown from 129.214.180.66 accepted
Mar 6 11:15:11 TACACS tac_plus[25183]: Writing AUTHEN/SUCCEED size=18
Mar 6 11:15:11 TACACS tac_plus[25183]: PACKET: key=xxxxxxx
Mar 6 11:15:11 TACACS tac_plus[25183]: version 192 (0xc0), type 1, seq no 4, flags 0x1
Mar 6 11:15:11 TACACS tac_plus[25183]: session_id 4520 (0x11a8), Data length 6 (0x6)
Mar 6 11:15:11 TACACS tac_plus[25183]: End header
Mar 6 11:15:11 TACACS tac_plus[25183]: type=AUTHEN status=1 (AUTHEN/SUCCEED) flags=0x0
Mar 6 11:15:11 TACACS tac_plus[25183]: msg_len=0, data_len=0
Mar 6 11:15:11 TACACS tac_plus[25183]: msg:
Mar 6 11:15:11 TACACS tac_plus[25183]: data:
Mar 6 11:15:11 TACACS tac_plus[25183]: End packet

Config file on Linux SUSE 11.2:

user = aorellanop {
    default service = permit
    member = lvl_15_argentina
    login = file /etc/passwd
}

#### Can this be done with another version of Tacacs-plus??
pap = file /etc/passwd
#####

user = aorellanop {
    default service = permit
    member = lvl_15_argentina
    login = file /etc/passwd
    pap = file /etc/passwd
}

We want to use the Linux password (/etc/passwd) for both types of authentication. Is this possible?

Best Regards.

Ariel

From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Mon, 12 Mar 2012 13:13:18 -0600
Subject: [tac_plus] PAP - Tacacs 4.19

> We want to use the Linux password (/etc/passwd) for both types of authentication. Is this possible?

user = aorellanop {
    default service = permit
    member = lvl_15_argentina
    login = file /etc/passwd
    pap = file /etc/passwd
    enable = file /etc/passwd
}
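Both traces in Ariel's message are `-d` debug output, which is the quickest way to see why the PAP login fails and also the reason to be careful with that flag: the password travels in the PAP START `data` field and in the ASCII CONT `user_msg`, and tac_plus prints both, plus the `verify` line, in clear. The script below is an added example, not tac_plus code and not from anyone in this thread. It parses that syslog-style trace into one record per session and flags every line that carries a cleartext password; the sample trace is constructed from the two exchanges above, abridged, with placeholder passwords and a made-up hash. The per-session hint follows the fix suggested in this thread, a `pap =` method for the user; note that the config.c grammar quoted in the PAM-for-PAP patch later in this archive lists only `cleartext`, `des` and (with that patch) `PAM` for `pap =`, so check that your version accepts `file` before relying on it.

```python
"""Summarise a tac_plus debug trace (tac_plus -d output) per session and flag
the lines that leak a cleartext password.  Added example: not tac_plus code."""
import re

LINE_RE = re.compile(r'^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ tac_plus\[(\d+)\]: ?(.*)$')
PACKET_RE = re.compile(r'^(?:Read|Writing) (AUTHEN/[A-Z]+)')
SESSION_RE = re.compile(r'^session_id \d+ \((0x[0-9a-f]+)\)')
# Labels whose value tac_plus prints on the *following* line; None = not kept.
VALUE_LABELS = {"User:": "user", "port:": "port", "rem_addr:": "rem_addr",
                "data:": None, "msg:": None, "User msg:": None, "User data:": None}


def _line(pid, msg, ts):
    return "Mar 6 %s TACACS tac_plus[%d]: %s" % (ts, pid, msg)

# Constructed sample: the PAP exchange (pid 25436) and the ASCII exchange
# (pid 25183) from this thread, abridged, with placeholder passwords.
SAMPLE_TRACE = "\n".join(
    [_line(25436, m, "11:29:26") for m in (
        "Read AUTHEN/START size=55",
        "session_id 3989435205 (0xedc9f345), Data length 43 (0x2b)",
        "authen_type=pap", "data_len=9",
        "User:", "aorellanop", "port:", "ssh", "rem_addr:", "10.96.155.223",
        "data:", "PAP-PASSWORD-PLACEHOLDER", "End packet",
        "pap-login query for 'aorellanop' ssh from 129.214.14.141 rejected",
        "Writing AUTHEN/FAIL size=18")] +
    [_line(25183, m, "11:15:10") for m in (
        "Read AUTHEN/START size=39",
        "session_id 4520 (0x11a8), Data length 27 (0x1b)",
        "authen_type=ascii", "data_len=0",
        "User:", "aorellanop", "port:", "unknown", "rem_addr:", "data:", "End packet",
        "Writing AUTHEN/GETPASS size=28", "msg:", "Password: ", "data:", "End packet",
        "Read AUTHEN/CONT size=26", "User msg:", "ASCII-PASSWORD-PLACEHOLDER",
        "User data:", "End packet",
        "verify ASCII-PASSWORD-PLACEHOLDER $6$saltsalt$madeuphash",
        "login query for 'aorellanop' unknown from 129.214.180.66 accepted",
        "Writing AUTHEN/SUCCEED size=18")])


def _fresh():
    return {"session_id": None, "authen_type": None, "user": "", "port": "",
            "rem_addr": "", "result": None, "packet": None, "data_len": 0,
            "asked_pass": False, "expect": None}


def summarize(trace_text):
    """Return (sessions, leaks): sessions = {session_id: fields},
    leaks = [(line_no, why)] for lines carrying a cleartext password."""
    per_pid, sessions, leaks = {}, {}, []
    for line_no, raw in enumerate(trace_text.splitlines(), 1):
        m = LINE_RE.match(raw)
        if not m:
            continue
        pid, msg = m.group(1), m.group(2).strip()
        st = per_pid.setdefault(pid, _fresh())      # one forked child per connection
        label, st["expect"] = st["expect"], None
        if label and msg not in VALUE_LABELS and msg != "End packet":
            # This line is the value announced by the previous label line.
            if VALUE_LABELS[label]:
                st[VALUE_LABELS[label]] = msg
            elif label == "data:" and st["packet"] == "AUTHEN/START" \
                    and st["authen_type"] == "pap" and st["data_len"] > 0:
                leaks.append((line_no, "PAP password in AUTHEN/START data"))
            elif label == "User msg:" and st["packet"] == "AUTHEN/CONT" and st["asked_pass"]:
                leaks.append((line_no, "ASCII password in AUTHEN/CONT user_msg"))
            continue
        if msg in VALUE_LABELS:
            st["expect"] = msg
            continue
        pm = PACKET_RE.match(msg)
        if pm:
            st["packet"] = pm.group(1)
            if st["packet"] == "AUTHEN/GETPASS":
                st["asked_pass"] = True
            elif st["packet"] in ("AUTHEN/FAIL", "AUTHEN/SUCCEED"):
                st["result"] = st["packet"].split("/")[1]
                sessions[st["session_id"]] = {
                    k: st[k] for k in ("user", "port", "rem_addr", "authen_type", "result")}
        elif SESSION_RE.match(msg):
            st["session_id"] = SESSION_RE.match(msg).group(1)
        elif msg.startswith("authen_type="):
            st["authen_type"] = msg.split("=", 1)[1]
        elif msg.startswith("data_len="):
            st["data_len"] = int(msg.split("=", 1)[1])
        elif msg.startswith("verify "):
            leaks.append((line_no, "cleartext password echoed by 'verify'"))
    return sessions, leaks


def diagnose(session):
    """One-line hint per session, following the fix proposed in this thread."""
    if session["result"] == "SUCCEED":
        return "ok"
    if session["authen_type"] == "pap":
        return ("PAP login for %s rejected: give the user/group a 'pap =' method your "
                "tac_plus version accepts; 'login =' alone does not serve PAP" % session["user"])
    return "login for %s rejected: check the user's 'login =' method" % session["user"]


def report(trace_text=SAMPLE_TRACE):
    sessions, leaks = summarize(trace_text)
    for sid, s in sessions.items():
        print("%s %-5s user=%s port=%s rem_addr=%s -> %s: %s" % (
            sid, s["authen_type"], s["user"], s["port"], s["rem_addr"] or "-",
            s["result"], diagnose(s)))
    for line_no, why in leaks:
        print("line %d: %s" % (line_no, why))
    return sessions, leaks


if __name__ == "__main__":
    report()
```

Point it at a real trace with `report(open("tac_plus.debug").read())`. The leak lines are the reason to run the daemon at that debug level only while troubleshooting, on a file with restrictive permissions, and to delete the file afterwards.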
From: rhaymell_cristobal at trendmicro.com (rhaymell_cristobal at trendmicro.com)
Date: Tue, 13 Mar 2012 08:10:26 +0000
Subject: [tac_plus] TACACS return an error message when reading tac_plus.conf

Dear Shrubbery,

We are trying to migrate our tacacs server from tacacs+-F4.0.4.15 to a higher version, because the company wants to virtualize our environment and the old service runs on a physical server. As we go through the process of migration, we stumbled on a problem: we encountered an error when compiling the tac_plus.conf file, a file that is used on our production network. Below is the error code.

return Error: Unrecognised keyword return for acl on line 26

The actual line is:

return = .*

So we tried to comment out all lines that have the return = .* code; afterwards the next error was on the line "login = PAM", through which our tacacs authenticates on our NIS server. By uncommenting the line we will lose the authentication and break the architecture of our network. We also tried to use the tac_convert file, but to no avail.

Would appreciate the help.

Thanks,
Rhaymell

TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.
From: kissg at ssg.ki.iif.hu (Kiss Gabor (Bitman))
Date: Tue, 13 Mar 2012 16:40:16 +0100 (CET)
Subject: [tac_plus] TACACS return an error message when reading tac_plus.conf
In-Reply-To:
References:
Message-ID:

Dear Rhaymell,

> As we go through the process of migration, we stumbled on a problem, we
> encountered an error when compiling the tac_plus.conf file, a file that is
> use on our production network. Below is the error code.
>
> return Error: Unrecognised keyword return for acl on line 26
>
> the actual line is: return = .*
>
> so we did tried to comment all lines that has return = .* code, after wards
> next error code was on the line "login = PAM" code in which our tacacs will
> authenticate on our NIS server, by uncommenting the line we will lose the
> authentication and will break the architecture of our network.

AFAIK 'return' is a non-standard keyword. It can be used only if you applied my multiple group membership patch. See http://www.shrubbery.net/pipermail/tac_plus/2007-August/000125.html

Your current server probably contains this enhancement, but you are upgrading to the regular version.

Cheers

Gabor

From jeroen at jeroennijhof.nl Fri Mar 16 22:25:31 2012
From: jeroen at jeroennijhof.nl (Jeroen Nijhof)
Date: Fri, 16 Mar 2012 23:25:31 +0100
Subject: [tac_plus] PAM support for PAP
Message-ID: <4F63BDDB.60409@jeroennijhof.nl>

Dear John,

Since I've noticed my old pam patch for pap is still used, I've decided to rewrite the patch.

Attached you can find the patch which will enable PAM support for PAP. I used the 4.0.4.23 branch but it also works for 4.0.4.19 and 4.0.4.22.

Maybe it's worth integrating the patch with the upstream code?

Thanks!

With kind regards,
Jeroen Nijhof
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pap-pam.patch
Type: text/x-patch
Size: 936 bytes
Desc: not available
URL:

From heas at shrubbery.net Tue Mar 20 22:23:53 2012
From: heas at shrubbery.net (john heasley) Date: Tue, 20 Mar 2012 22:23:53 +0000 Subject: [tac_plus] PAM support for PAP In-Reply-To: <4F63BDDB.60409@jeroennijhof.nl> References: <4F63BDDB.60409@jeroennijhof.nl> Message-ID: <20120320222353.GF39349@shrubbery.net> Fri, Mar 16, 2012 at 11:25:31PM +0100, Jeroen Nijhof: > Dear John, > > Since I've noticed my old pam patch for pap is still used I've decided > to rewrite the patch. > > Attached you can find the patch which will enable PAM support for PAP. I > used the 4.0.4.23 branch but it also works for 4.0.4.19 and 4.0.4.22. > > Maybe it's worth to integrate the patch with the upstream code? got it. thanks, Jeroen. > Thanks! > > With kind regards, > Jeroen Nijhof > diff -ur tacacs+-F4.0.4.23.orig/config.c tacacs+-F4.0.4.23/config.c > --- tacacs+-F4.0.4.23.orig/config.c 2012-01-24 01:05:22.000000000 +0100 > +++ tacacs+-F4.0.4.23/config.c 2012-03-16 22:15:38.835033501 +0100 > @@ -86,6 +86,7 @@ > #endif > pap = cleartext | > pap = des | > + pap = PAM | > opap = cleartext | > global = cleartext | > msg = > @@ -1134,6 +1135,12 @@ > parse(S_separator); > switch(sym_code) { > > +#ifdef HAVE_PAM > + case S_pam: > + user->pap = tac_strdup(sym_buf); > + break; > +#endif > + > case S_cleartext: > case S_des: > sprintf(buf, "%s ", sym_buf); > @@ -1143,7 +1150,11 @@ > break; > > default: > - parse_error("expecting 'cleartext', or 'des' keyword after " > + parse_error("expecting 'cleartext', " > +#ifdef HAVE_PAM > + "'PAM', " > +#endif > + "or 'des' keyword after " > "'pap =' on line %d", sym_line); > } > sym_get(); From ivanlk3 at gmail.com Thu Mar 29 17:37:34 2012 
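Review bot: in the grammar comment hunk (@@ -86,6 +86,7 @@) the new `pap = PAM |` alternative should also be reflected in the user-facing tac_plus.conf documentation next to `pap = cleartext` and `pap = des`; administrators who already rely on `login = PAM` (as in the thread above) have no other way to learn that a PAP equivalent exists, and the config.c comment is not what they read.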
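Review bot: in the parser hunk (@@ -1134,6 +1135,12 @@) the new `case S_pam:` stores the bare keyword (`user->pap = tac_strdup(sym_buf);`), whereas the `S_cleartext`/`S_des` branch first builds "<method> <secret>" into `buf` with `sprintf(buf, "%s ", sym_buf);` before storing it, so whatever later reads `user->pap` for PAP verification must now accept a value with no secret after the method name. That consumer is not among the visible config.c hunks; confirm the PAP authentication path dispatches on "PAM" rather than falling into its default handling, and note that the trailing `sym_get();` after the switch now consumes the `PAM` token itself instead of a secret, which only works because the branch `break`s before the secret is read.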
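Review bot: in the error-message hunk (@@ -1143,7 +1150,11 @@) the `parse_error` format string is assembled from adjacent string literals with an `#ifdef HAVE_PAM` in the middle; that is valid C, but a future edit that adds a `,` or a format specifier to one fragment silently changes the message in only one build configuration. Two complete messages selected by the `#ifdef`, or a `#define` for the list of accepted keywords, would be easier to keep correct.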
From: ivanlk3 at gmail.com (ivo)
Date: Thu, 29 Mar 2012 19:37:34 +0200
Subject: [tac_plus] TACACS+ Error socket issue.
Message-ID:

Hi Guys,

I need some help with starting and stopping tacacs. I have several tacacs+ processes running in the background on a Linux Red Hat Enterprise server. The tacacs+ version which I use is F4.0.4.19.

The commands which I use to start the tacacs processes are:

/usr/local/bin/tac_plus -C /etc/tacacs+/R1_tac_plus.conf -l /var/log/tacacs/R1_tac_plus.log -d 16 -p 5000
/usr/local/bin/tac_plus -C /etc/tacacs+/R2_tac_plus.conf -l /var/log/tacacs/R2_tac_plus.log -d 16 -p 5001
/usr/local/bin/tac_plus -C /etc/tacacs+/R3_tac_plus.conf -l /var/log/tacacs/R3_tac_plus.log -d 16 -p 5002

When I run the tacacs it works fine. But the problem is with stopping the tacacs. To stop tacacs in the background I am using kill -9.

I am not familiar with how start and stop of tacacs+ work. Could somebody please write a hint on how to regularly restart (stop and start) the tacacs+ processes from the above background processes?

When I "restart" the tacacs+ process:

kill -9
/usr/local/bin/tac_plus -C /etc/tacacs+/R1_tac_plus.conf -l /var/log/tacacs/R1_tac_plus.log -d 16 -p 5000

I receive an error in R1_tac_plus.log:

Version F4.0.4.19 Initialized 1
tac_plus server F4.0.4.19 starting
Backgrounded
Error get_socket: bind 5000 Address already in use

Does anybody know how to regularly stop and start the tacacs process?

--
http://www.gmail.com

From daniel.schmidt at wyo.gov Thu Mar 29 17:52:10 2012
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Thu, 29 Mar 2012 11:52:10 -0600
Subject: [tac_plus] TACACS+ Error socket issue.
In-Reply-To:
References:
Message-ID: <45c0b1ec96fecc792da29f1046289983@mail.gmail.com>

pkill tac_plus

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of ivo
Sent: Thursday, March 29, 2012 11:38 AM
To: tac_plus at shrubbery.net
Cc: trubela at gmail.com
Subject: [tac_plus] TACACS+ Error socket issue.

Hi Guys,

I need some help with starting and stopping tacacs. I have several tacacs+ processes running in the background on a Linux Red Hat Enterprise server. The tacacs+ version which I use is F4.0.4.19.

The commands which I use to start the tacacs processes are:

/usr/local/bin/tac_plus -C /etc/tacacs+/R1_tac_plus.conf -l /var/log/tacacs/R1_tac_plus.log -d 16 -p 5000
/usr/local/bin/tac_plus -C /etc/tacacs+/R2_tac_plus.conf -l /var/log/tacacs/R2_tac_plus.log -d 16 -p 5001
/usr/local/bin/tac_plus -C /etc/tacacs+/R3_tac_plus.conf -l /var/log/tacacs/R3_tac_plus.log -d 16 -p 5002

When I run the tacacs it works fine. But the problem is with stopping the tacacs. To stop tacacs in the background I am using kill -9.

I am not familiar with how start and stop of tacacs+ work. Could somebody please write a hint on how to regularly restart (stop and start) the tacacs+ processes from the above background processes?

When I "restart" the tacacs+ process:

kill -9
/usr/local/bin/tac_plus -C /etc/tacacs+/R1_tac_plus.conf -l /var/log/tacacs/R1_tac_plus.log -d 16 -p 5000

I receive an error in R1_tac_plus.log:

Version F4.0.4.19 Initialized 1
tac_plus server F4.0.4.19 starting
Backgrounded
Error get_socket: bind 5000 Address already in use

Does anybody know how to regularly stop and start the tacacs process?

--
http://www.gmail.com

From heas at shrubbery.net Thu Mar 29 17:55:55 2012
From: heas at shrubbery.net (heasley)
Date: Thu, 29 Mar 2012 17:55:55 +0000
Subject: [tac_plus] TACACS+ Error socket issue.
In-Reply-To:
References:
Message-ID: <20120329175555.GX19110@shrubbery.net>

Thu, Mar 29, 2012 at 07:37:34PM +0200, ivo:
> kill -9
> /usr/local/bin/tac_plus -C /etc/tacacs+/R1_tac_plus.conf -l
> /var/log/tacacs/R1_tac_plus.log -d 16 -p 5000
>
> I receive an error in R1_tac_plus.log:
> Version F4.0.4.19 Initialized 1
> tac_plus server F4.0.4.19 starting
> Backgrounded
> Error get_socket: bind 5000 Address already in use

make sure that it has actually died.

From trubela at gmail.com Thu Mar 29 21:36:51 2012
From: trubela at gmail.com (Peter Mraz)
Date: Thu, 29 Mar 2012 23:36:51 +0200
Subject: [tac_plus] TACACS+ Error socket issue.
In-Reply-To: <20120329175555.GX19110@shrubbery.net>
References: <20120329175555.GX19110@shrubbery.net>
Message-ID:

Hi,

Do you know how we could verify if it died?
It can happen that we would like to kill more than one tac_plus at the same time (each with a specific name like R1_tac_plus.conf or R2_tac_plus.conf, each running on a different port).

Cheers.

On 29 March 2012 19:55, heasley wrote:
> Thu, Mar 29, 2012 at 07:37:34PM +0200, ivo:
>> kill -9
>> /usr/local/bin/tac_plus -C /etc/tacacs+/R1_tac_plus.conf -l
>> /var/log/tacacs/R1_tac_plus.log -d 16 -p 5000
>>
>> I receive an error in R1_tac_plus.log:
>> Version F4.0.4.19 Initialized 1
>> tac_plus server F4.0.4.19 starting
>> Backgrounded
>> Error get_socket: bind 5000 Address already in use
>
> make sure that it has actually died.

--
Ďakujem / Thank you
-----------------------------------------------------------
                  Ing. Peter Mraz
                  ICQ # 212439151
-----------------------------------------------------------

From daniel.schmidt at wyo.gov Thu Mar 29 22:27:09 2012
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Thu, 29 Mar 2012 16:27:09 -0600
Subject: [tac_plus] TACACS+ Error socket issue.
In-Reply-To:
References: <20120329175555.GX19110@shrubbery.net>
Message-ID:

pkill should kill everything, pgrep tac_plus will tell you if anything survived

On Thu, Mar 29, 2012 at 3:36 PM, Peter Mraz wrote:
> Hi,
>
> Do you know how we could verify if it died?
> It can happen that we would like to kill more than one tac_plus at the same
> time (each with a specific name like R1_tac_plus.conf or
> R2_tac_plus.conf, each running on a different port).
>
> Cheers.
>
>
> On 29 March 2012 19:55, heasley wrote:
> > Thu, Mar 29, 2012 at 07:37:34PM +0200, ivo:
> >> kill -9
> >> /usr/local/bin/tac_plus -C /etc/tacacs+/R1_tac_plus.conf -l
> >> /var/log/tacacs/R1_tac_plus.log -d 16 -p 5000
> >>
> >> I receive an error in R1_tac_plus.log:
> >> Version F4.0.4.19 Initialized 1
> >> tac_plus server F4.0.4.19 starting
> >> Backgrounded
> >> Error get_socket: bind 5000 Address already in use
> >
> > make sure that it has actually died.
>
>
>
> --
> Ďakujem / Thank you
>
> -----------------------------------------------------------
> Ing. Peter Mraz
> ICQ # 212439151
> -----------------------------------------------------------

From heas at shrubbery.net Thu Mar 29 22:28:11 2012
From: heas at shrubbery.net (heasley)
Date: Thu, 29 Mar 2012 22:28:11 +0000
Subject: [tac_plus] TACACS+ Error socket issue.
In-Reply-To:
References: <20120329175555.GX19110@shrubbery.net>
Message-ID: <20120329222811.GL19110@shrubbery.net>

Thu, Mar 29, 2012 at 04:27:09PM -0600, Daniel Schmidt:
> pgrep tac_plus will tell u if anything
> survived

and/or lsof for the specific port

From alan.mckinnon at gmail.com Thu Mar 29 22:34:26 2012
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Fri, 30 Mar 2012 00:34:26 +0200
Subject: [tac_plus] TACACS+ Error socket issue.
In-Reply-To:
References: <20120329175555.GX19110@shrubbery.net>
Message-ID: <20120330003426.5b5f8e63@khamul.example.com>

On Thu, 29 Mar 2012 23:36:51 +0200
Peter Mraz wrote:

> Hi,
>
> Do you know how we could verify if it died?
> It can happen that we would like to kill more than one tac_plus at the same
> time (each with a specific name like R1_tac_plus.conf or
> R2_tac_plus.conf, each running on a different port).

cat the pid file in /var/run/tac_plus.pid and check if a process with that pid is running.

You are starting tac_plus correctly, and it is very rare for the daemon not to die properly (or indeed not to respond properly to signals).

The best way to start|stop tac_plus is to use the Red Hat init.d system. You have compiled tac_plus yourself, so you will have to either write your own /etc/init.d/tac_plus file or get one somewhere, then use "service tac_plus start|stop" as normal.

Red Hat should provide rpms for tac_plus, but most likely they will be way out of date. I suggest installing one of these rpms on a spare machine anyway, copying the init.d script for use elsewhere, then removing the rpm package.

>
> Cheers.
>
>
> On 29 March 2012 19:55, heasley wrote:
> > Thu, Mar 29, 2012 at 07:37:34PM +0200, ivo:
> >> kill -9
> >> /usr/local/bin/tac_plus -C /etc/tacacs+/R1_tac_plus.conf -l
> >> /var/log/tacacs/R1_tac_plus.log -d 16 -p 5000
> >>
> >> I receive an error in R1_tac_plus.log:
> >> Version F4.0.4.19 Initialized 1
> >> tac_plus server F4.0.4.19 starting
> >> Backgrounded
> >> Error get_socket: bind 5000 Address already in use
> >
> > make sure that it has actually died.
>
>

--
Alan McKinnon
alan.mckinnon at gmail.com
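A stop/start helper along the lines of the advice in this thread (read the pid file, send a signal, confirm the old process is gone before the new one tries to bind its port), written here as an added example; it is not code from the thread or from the tac_plus project. It assumes a hypothetical per-instance pid file at $PIDDIR/<name>.pid and otherwise reuses the binary, config and log paths from the original post.

```sh
#!/bin/sh
# Added example, not tac_plus project code: restart one backgrounded
# tac_plus instance (R1, R2, ...) without kill -9, waiting until the old
# process is gone so the new one does not fail with
# "Error get_socket: bind 5000 Address already in use".
# Assumption not stated on the page: each instance keeps its pid in
# $PIDDIR/<name>.pid (hypothetical layout; adjust to your build/init script).
PIDDIR=${PIDDIR:-/var/run/tacacs}
TACPLUS=${TACPLUS:-/usr/local/bin/tac_plus}

# stop_instance PIDFILE
# Sends SIGTERM to the pid in PIDFILE and waits up to 10 s for it to exit.
# Returns 0 once no process with that pid remains (an absent or stale pid
# file counts as already stopped), 1 if it is still alive after the wait.
stop_instance() {
    pidfile=$1
    [ -r "$pidfile" ] || return 0
    pid=$(cat "$pidfile")
    if ! kill -0 "$pid" 2>/dev/null; then
        rm -f "$pidfile"                 # stale pid file, nothing running
        return 0
    fi
    kill -TERM "$pid"                    # graceful stop; SIGKILL is a last resort
    i=0
    while kill -0 "$pid" 2>/dev/null; do
        i=$((i + 1))
        if [ "$i" -ge 10 ]; then
            return 1                     # still alive: investigate before kill -9
        fi
        sleep 1
    done
    rm -f "$pidfile"
    return 0
}

# restart_instance NAME PORT
# Stops the named instance, then starts it with the same options as the
# original post; the start is skipped if the old process refused to exit.
restart_instance() {
    name=$1; port=$2
    stop_instance "$PIDDIR/$name.pid" || return 1
    "$TACPLUS" -C "/etc/tacacs+/${name}_tac_plus.conf" \
        -l "/var/log/tacacs/${name}_tac_plus.log" -d 16 -p "$port"
}

# Usage: sh restart_tac_plus.sh R1 5000
case "${1:-}" in
    R[0-9]*) restart_instance "$1" "$2" ;;
esac
```

Run one instance at a time (R1 5000, R2 5001, ...) so that a process that will not exit is noticed for that instance instead of being hidden by a blanket pkill.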