[tac_plus] PAP - Tacacs 4.19

Ariel Staroba astaroba at hotmail.com
Mon Mar 12 18:55:22 UTC 2012


Hello,
We use Tacacs Plus version 4.19. It’s very stable and reliable, but we have problems with some switches validating with PAP, like Enterasys S4 and N7. We debugged the validation session in the Tacacs server and these are the results:
 
 
Validation error (ssh):
Mar  6 11:29:26 TACACS tac_plus[24992]: session.peerip is 129.214.14.141
Mar  6 11:29:26 TACACS tac_plus[24992]: session request from 129.214.14.141 sock=2
Mar  6 11:29:26 TACACS tac_plus[25436]: connect from 129.214.14.141 [129.214.14.141]
Mar  6 11:29:26 TACACS tac_plus[25436]: Waiting for packet
Mar  6 11:29:26 TACACS tac_plus[25436]: Read AUTHEN/START size=55
Mar  6 11:29:26 TACACS tac_plus[25436]: validation request from 129.214.14.141
Mar  6 11:29:26 TACACS tac_plus[25436]: PACKET: key=xxxxxx
Mar  6 11:29:26 TACACS tac_plus[25436]: version 193 (0xc1), type 1, seq no 1, flags 0x1
Mar  6 11:29:26 TACACS tac_plus[25436]: session_id 3989435205 (0xedc9f345), Data length 43 (0x2b)
Mar  6 11:29:26 TACACS tac_plus[25436]: End header
Mar  6 11:29:26 TACACS tac_plus[25436]: type=AUTHEN/START, priv_lvl = 0
Mar  6 11:29:26 TACACS tac_plus[25436]: action=login
Mar  6 11:29:26 TACACS tac_plus[25436]: authen_type=pap
Mar  6 11:29:26 TACACS tac_plus[25436]: service=login
Mar  6 11:29:26 TACACS tac_plus[25436]: user_len=10 port_len=3 (0x3), rem_addr_len=13 (0xd)
Mar  6 11:29:26 TACACS tac_plus[25436]: data_len=9
Mar  6 11:29:26 TACACS tac_plus[25436]: User:
Mar  6 11:29:26 TACACS tac_plus[25436]: aorellanop
Mar  6 11:29:26 TACACS tac_plus[25436]: port:
Mar  6 11:29:26 TACACS tac_plus[25436]: ssh
Mar  6 11:29:26 TACACS tac_plus[25436]: rem_addr:
Mar  6 11:29:26 TACACS tac_plus[25436]: 10.96.155.223
Mar  6 11:29:26 TACACS tac_plus[25436]: data:
Mar  6 11:29:26 TACACS tac_plus[25436]: PEPExxx
Mar  6 11:29:26 TACACS tac_plus[25436]: End packet
Mar  6 11:29:26 TACACS tac_plus[25436]: Authen Start request
Mar  6 11:29:26 TACACS tac_plus[25436]: choose_authen chose default_fn
Mar  6 11:29:26 TACACS tac_plus[25436]: Calling authentication function
Mar  6 11:29:26 TACACS tac_plus[25436]: pap-login query for 'aorellanop' ssh from 129.214.14.141 rejected
Mar  6 11:29:26 TACACS tac_plus[25436]: login failure: aorellanop 129.214.14.141 (129.214.14.141) ssh
Mar  6 11:29:26 TACACS tac_plus[25436]: Writing AUTHEN/FAIL size=18
Mar  6 11:29:26 TACACS tac_plus[25436]: PACKET: key=xxxxxxx
Mar  6 11:29:26 TACACS tac_plus[25436]: version 193 (0xc1), type 1, seq no 2, flags 0x1
Mar  6 11:29:26 TACACS tac_plus[25436]: session_id 3989435205 (0xedc9f345), Data length 6 (0x6)
Mar  6 11:29:26 TACACS tac_plus[25436]: End header
Mar  6 11:29:26 TACACS tac_plus[25436]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
Mar  6 11:29:26 TACACS tac_plus[25436]: msg_len=0, data_len=0
Mar  6 11:29:26 TACACS tac_plus[25436]: msg:
Mar  6 11:29:26 TACACS tac_plus[25436]: data:
Mar  6 11:29:26 TACACS tac_plus[25436]: End packet
Mar  6 11:29:26 TACACS tac_plus[25436]: 129.214.14.141: disconnect
 
 
Validation OK, other switch (non-N7):
Mar  6 11:15:10 TACACS tac_plus[25183]: type=AUTHEN/START, priv_lvl = 0
Mar  6 11:15:10 TACACS tac_plus[25183]: action=login
Mar  6 11:15:10 TACACS tac_plus[25183]: authen_type=ascii
Mar  6 11:15:10 TACACS tac_plus[25183]: service=login
Mar  6 11:15:10 TACACS tac_plus[25183]: user_len=10 port_len=7 (0x7), rem_addr_len=0 (0x0)
Mar  6 11:15:10 TACACS tac_plus[25183]: data_len=0
Mar  6 11:15:10 TACACS tac_plus[25183]: User:
Mar  6 11:15:10 TACACS tac_plus[25183]: aorellanop
Mar  6 11:15:10 TACACS tac_plus[25183]: port:
Mar  6 11:15:10 TACACS tac_plus[25183]: unknown
Mar  6 11:15:10 TACACS tac_plus[25183]: rem_addr:
Mar  6 11:15:10 TACACS tac_plus[25183]: data:
Mar  6 11:15:10 TACACS tac_plus[25183]: End packet
Mar  6 11:15:10 TACACS tac_plus[25183]: Authen Start request
Mar  6 11:15:10 TACACS tac_plus[25183]: choose_authen chose default_fn
Mar  6 11:15:10 TACACS tac_plus[25183]: Calling authentication function
Mar  6 11:15:10 TACACS tac_plus[25183]: Writing AUTHEN/GETPASS size=28
Mar  6 11:15:10 TACACS tac_plus[25183]: PACKET: key=xxxxxxx
Mar  6 11:15:10 TACACS tac_plus[25183]: version 192 (0xc0), type 1, seq no 2, flags 0x1
Mar  6 11:15:10 TACACS tac_plus[25183]: session_id 4520 (0x11a8), Data length 16 (0x10)
Mar  6 11:15:10 TACACS tac_plus[25183]: End header
Mar  6 11:15:10 TACACS tac_plus[25183]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
Mar  6 11:15:10 TACACS tac_plus[25183]: msg_len=10, data_len=0
Mar  6 11:15:10 TACACS tac_plus[25183]: msg:
Mar  6 11:15:10 TACACS tac_plus[25183]: Password:
Mar  6 11:15:10 TACACS tac_plus[25183]: data:
Mar  6 11:15:10 TACACS tac_plus[25183]: End packet
Mar  6 11:15:10 TACACS tac_plus[25183]: Waiting for packet
Mar  6 11:15:11 TACACS tac_plus[25183]: Read AUTHEN/CONT size=26
Mar  6 11:15:11 TACACS tac_plus[25183]: PACKET: key=xxxxxxx
Mar  6 11:15:11 TACACS tac_plus[25183]: version 192 (0xc0), type 1, seq no 3, flags 0x1
Mar  6 11:15:11 TACACS tac_plus[25183]: session_id 4520 (0x11a8), Data length 14 (0xe)
Mar  6 11:15:11 TACACS tac_plus[25183]: End header
Mar  6 11:15:11 TACACS tac_plus[25183]: type=AUTHEN/CONT
Mar  6 11:15:11 TACACS tac_plus[25183]: user_msg_len 9 (0x9), user_data_len 0 (0x0)
Mar  6 11:15:11 TACACS tac_plus[25183]: flags=0x0
Mar  6 11:15:11 TACACS tac_plus[25183]: User msg:
Mar  6 11:15:11 TACACS tac_plus[25183]: Ma!76dryn
Mar  6 11:15:11 TACACS tac_plus[25183]: User data:
Mar  6 11:15:11 TACACS tac_plus[25183]: End packet
Mar  6 11:15:11 TACACS tac_plus[25183]: Found entry for aorellanop in shadow file
Mar  6 11:15:11 TACACS tac_plus[25183]: verify PEPExxx  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Mar  6 11:15:11 TACACS tac_plus[25183]: PEPExxx  encrypts to XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Mar  6 11:15:11 TACACS tac_plus[25183]: Password is correct
Mar  6 11:15:11 TACACS tac_plus[25183]: Password has not expired /bin/bash
Mar  6 11:15:11 TACACS tac_plus[25183]: cfg_acl_check(acl_argentina, 129.214.180.66)
Mar  6 11:15:11 TACACS tac_plus[25183]: ip 129.214.180.66 matched permit regex .* of acl filter acl_argentina
Mar  6 11:15:11 TACACS tac_plus[25183]: login query for 'aorellanop' unknown from 129.214.180.66 accepted
Mar  6 11:15:11 TACACS tac_plus[25183]: Writing AUTHEN/SUCCEED size=18
Mar  6 11:15:11 TACACS tac_plus[25183]: PACKET: key=xxxxxxx
Mar  6 11:15:11 TACACS tac_plus[25183]: version 192 (0xc0), type 1, seq no 4, flags 0x1
Mar  6 11:15:11 TACACS tac_plus[25183]: session_id 4520 (0x11a8), Data length 6 (0x6)
Mar  6 11:15:11 TACACS tac_plus[25183]: End header
Mar  6 11:15:11 TACACS tac_plus[25183]: type=AUTHEN status=1 (AUTHEN/SUCCEED) flags=0x0
Mar  6 11:15:11 TACACS tac_plus[25183]: msg_len=0, data_len=0
Mar  6 11:15:11 TACACS tac_plus[25183]: msg:
Mar  6 11:15:11 TACACS tac_plus[25183]: data:
Mar  6 11:15:11 TACACS tac_plus[25183]: End packet
 
 
 
 
Config file on Linux SUSE 11.2
 
user = aorellanop {
default service = permit
member = lvl_15_argentina
login = file /etc/passwd
 
}
 
#### Can this be done with another version of Tacacs-plus? pap = file /etc/passwd ####
user = aorellanop {
default service = permit
member = lvl_15_argentina
login = file /etc/passwd
pap = file /etc/passwd
 
}
We want to use the Linux password (/etc/passwd) for both types of authentication. Is this possible?
 
 
Best Regards.
Ariel
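
Added example, not part of the original post and not tac_plus code: one way to compare debug traces like the two above is to group the lines by PID and report authen_type, TACACS+ minor version and outcome per session. The sample lines, the user alice and the 192.0.2.x addresses are constructed; only structural lines are matched, so the values that follow "data:" and "User msg:" are never kept.

```python
import re

# Syslog prefix of the debug output: "Mar  6 11:29:26 HOST tac_plus[PID]: msg"
LINE = re.compile(r"^\w{3}\s+\d+\s+[\d:]{8}\s+\S+\s+tac_plus\[(\d+)\]:\s*(.*)$")
AUTHEN_TYPE = re.compile(r"^authen_type=(\w+)$")
VERSION = re.compile(r"^version (\d+) \(0x[0-9a-f]+\)")
STATUS = re.compile(r"^type=AUTHEN status=\d+ \((AUTHEN/\w+)\)")
QUERY = re.compile(r"query for '([^']*)' (\S+) from (\S+) (accepted|rejected)$")
FIELDS = ("authen_type", "minor_version", "user", "port", "nas", "verdict", "final_status")

# Constructed sample in the same format (not taken from the post).
SAMPLE = """\
Mar  6 11:29:26 TACACS tac_plus[100]: version 193 (0xc1), type 1, seq no 1, flags 0x1
Mar  6 11:29:26 TACACS tac_plus[100]: authen_type=pap
Mar  6 11:29:26 TACACS tac_plus[100]: data:
Mar  6 11:29:26 TACACS tac_plus[100]: not-a-real-secret
Mar  6 11:29:26 TACACS tac_plus[100]: pap-login query for 'alice' ssh from 192.0.2.10 rejected
Mar  6 11:29:26 TACACS tac_plus[100]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
Mar  6 11:15:10 TACACS tac_plus[200]: authen_type=ascii
Mar  6 11:15:10 TACACS tac_plus[200]: version 192 (0xc0), type 1, seq no 2, flags 0x1
Mar  6 11:15:10 TACACS tac_plus[200]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
Mar  6 11:15:11 TACACS tac_plus[200]: login query for 'alice' unknown from 192.0.2.20 accepted
Mar  6 11:15:11 TACACS tac_plus[200]: type=AUTHEN status=1 (AUTHEN/SUCCEED) flags=0x0
""".splitlines()

def summarize(lines):
    """Return {pid: summary} for tac_plus debug lines, one entry per session."""
    sessions = {}
    for raw in lines:
        m = LINE.match(raw.rstrip("\n"))
        if not m:
            continue
        pid, msg = m.group(1), m.group(2).strip()
        s = sessions.setdefault(pid, dict.fromkeys(FIELDS))
        if (t := AUTHEN_TYPE.match(msg)):
            s["authen_type"] = t.group(1)
        elif (v := VERSION.match(msg)) and s["minor_version"] is None:
            # Low nibble of the version byte is the minor version (0xc1 -> 1).
            s["minor_version"] = int(v.group(1)) & 0x0F
        elif (st := STATUS.match(msg)):
            s["final_status"] = st.group(1)  # last reply status wins
        elif (q := QUERY.search(msg)):
            s["user"], s["port"], s["nas"], s["verdict"] = q.groups()
    return sessions

if __name__ == "__main__":
    for pid, s in summarize(SAMPLE).items():
        print(pid, s)
```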
 
 
 
 
 
  		 	   		  