[tac_plus] PAP - Tacacs 4.19

Daniel Schmidt daniel.schmidt at wyo.gov
Mon Mar 12 19:13:18 UTC 2012


> We want to use the Linux password (/etc/passwd) for both types of
> authentication. Is this possible?

user = aorellanop {
default service = permit
member = lvl_15_argentina
login = file /etc/passwd
pap = file /etc/passwd
enable = file /etc/passwd

}

-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Ariel Staroba
Sent: Monday, March 12, 2012 12:55 PM
To: tac_plus at shrubbery.net; aorellanop at gmail.com
Subject: [tac_plus] PAP - Tacacs 4.19


Hello,
We use Tacacs Plus version 4.19. It's very stable and reliable, but we
have problems with some switches validating with PAP, like the Enterasys S4 and
N7. We debugged the validation session on the Tacacs server and these are
the results:


Validation error(ssh):
Mar  6 11:29:26 TACACS tac_plus[24992]: session.peerip is 129.214.14.141
Mar  6 11:29:26 TACACS tac_plus[24992]: session request from
129.214.14.141 sock=2
Mar  6 11:29:26 TACACS tac_plus[25436]: connect from 129.214.14.141
[129.214.14.141]
Mar  6 11:29:26 TACACS tac_plus[25436]: Waiting for packet
Mar  6 11:29:26 TACACS tac_plus[25436]: Read AUTHEN/START size=55
Mar  6 11:29:26 TACACS tac_plus[25436]: validation request from
129.214.14.141
Mar  6 11:29:26 TACACS tac_plus[25436]: PACKET: key=xxxxxx
Mar  6 11:29:26 TACACS tac_plus[25436]: version 193 (0xc1), type 1, seq no
1, flags 0x1
Mar  6 11:29:26 TACACS tac_plus[25436]: session_id 3989435205
(0xedc9f345), Data length 43 (0x2b)
Mar  6 11:29:26 TACACS tac_plus[25436]: End header
Mar  6 11:29:26 TACACS tac_plus[25436]: type=AUTHEN/START, priv_lvl = 0
Mar  6 11:29:26 TACACS tac_plus[25436]: action=login
Mar  6 11:29:26 TACACS tac_plus[25436]: authen_type=pap
Mar  6 11:29:26 TACACS tac_plus[25436]: service=login
Mar  6 11:29:26 TACACS tac_plus[25436]: user_len=10 port_len=3 (0x3),
rem_addr_len=13 (0xd)
Mar  6 11:29:26 TACACS tac_plus[25436]: data_len=9
Mar  6 11:29:26 TACACS tac_plus[25436]: User:
Mar  6 11:29:26 TACACS tac_plus[25436]: aorellanop
Mar  6 11:29:26 TACACS tac_plus[25436]: port:
Mar  6 11:29:26 TACACS tac_plus[25436]: ssh
Mar  6 11:29:26 TACACS tac_plus[25436]: rem_addr:
Mar  6 11:29:26 TACACS tac_plus[25436]: 10.96.155.223
Mar  6 11:29:26 TACACS tac_plus[25436]: data:
Mar  6 11:29:26 TACACS tac_plus[25436]: PEPExxx
Mar  6 11:29:26 TACACS tac_plus[25436]: End packet
Mar  6 11:29:26 TACACS tac_plus[25436]: Authen Start request
Mar  6 11:29:26 TACACS tac_plus[25436]: choose_authen chose default_fn
Mar  6 11:29:26 TACACS tac_plus[25436]: Calling authentication function
Mar  6 11:29:26 TACACS tac_plus[25436]: pap-login query for 'aorellanop'
ssh from 129.214.14.141 rejected
Mar  6 11:29:26 TACACS tac_plus[25436]: login failure: aorellanop
129.214.14.141 (129.214.14.141) ssh
Mar  6 11:29:26 TACACS tac_plus[25436]: Writing AUTHEN/FAIL size=18
Mar  6 11:29:26 TACACS tac_plus[25436]: PACKET: key=xxxxxxx
Mar  6 11:29:26 TACACS tac_plus[25436]: version 193 (0xc1), type 1, seq no
2, flags 0x1
Mar  6 11:29:26 TACACS tac_plus[25436]: session_id 3989435205
(0xedc9f345), Data length 6 (0x6)
Mar  6 11:29:26 TACACS tac_plus[25436]: End header
Mar  6 11:29:26 TACACS tac_plus[25436]: type=AUTHEN status=2 (AUTHEN/FAIL)
flags=0x0
Mar  6 11:29:26 TACACS tac_plus[25436]: msg_len=0, data_len=0
Mar  6 11:29:26 TACACS tac_plus[25436]: msg:
Mar  6 11:29:26 TACACS tac_plus[25436]: data:
Mar  6 11:29:26 TACACS tac_plus[25436]: End packet
Mar  6 11:29:26 TACACS tac_plus[25436]: 129.214.14.141: disconnect


Validation OK, other switch (non-N7):
Mar  6 11:15:10 TACACS tac_plus[25183]: type=AUTHEN/START, priv_lvl = 0
Mar  6 11:15:10 TACACS tac_plus[25183]: action=login
Mar  6 11:15:10 TACACS tac_plus[25183]: authen_type=ascii
Mar  6 11:15:10 TACACS tac_plus[25183]: service=login
Mar  6 11:15:10 TACACS tac_plus[25183]: user_len=10 port_len=7 (0x7),
rem_addr_len=0 (0x0)
Mar  6 11:15:10 TACACS tac_plus[25183]: data_len=0
Mar  6 11:15:10 TACACS tac_plus[25183]: User:
Mar  6 11:15:10 TACACS tac_plus[25183]: aorellanop
Mar  6 11:15:10 TACACS tac_plus[25183]: port:
Mar  6 11:15:10 TACACS tac_plus[25183]: unknown
Mar  6 11:15:10 TACACS tac_plus[25183]: rem_addr:
Mar  6 11:15:10 TACACS tac_plus[25183]: data:
Mar  6 11:15:10 TACACS tac_plus[25183]: End packet
Mar  6 11:15:10 TACACS tac_plus[25183]: Authen Start request
Mar  6 11:15:10 TACACS tac_plus[25183]: choose_authen chose default_fn
Mar  6 11:15:10 TACACS tac_plus[25183]: Calling authentication function
Mar  6 11:15:10 TACACS tac_plus[25183]: Writing AUTHEN/GETPASS size=28
Mar  6 11:15:10 TACACS tac_plus[25183]: PACKET: key=xxxxxxx
Mar  6 11:15:10 TACACS tac_plus[25183]: version 192 (0xc0), type 1, seq no
2, flags 0x1
Mar  6 11:15:10 TACACS tac_plus[25183]: session_id 4520 (0x11a8), Data
length 16 (0x10)
Mar  6 11:15:10 TACACS tac_plus[25183]: End header
Mar  6 11:15:10 TACACS tac_plus[25183]: type=AUTHEN status=5
(AUTHEN/GETPASS) flags=0x1
Mar  6 11:15:10 TACACS tac_plus[25183]: msg_len=10, data_len=0
Mar  6 11:15:10 TACACS tac_plus[25183]: msg:
Mar  6 11:15:10 TACACS tac_plus[25183]: Password:
Mar  6 11:15:10 TACACS tac_plus[25183]: data:
Mar  6 11:15:10 TACACS tac_plus[25183]: End packet
Mar  6 11:15:10 TACACS tac_plus[25183]: Waiting for packet
Mar  6 11:15:11 TACACS tac_plus[25183]: Read AUTHEN/CONT size=26
Mar  6 11:15:11 TACACS tac_plus[25183]: PACKET: key=xxxxxxx
Mar  6 11:15:11 TACACS tac_plus[25183]: version 192 (0xc0), type 1, seq no
3, flags 0x1
Mar  6 11:15:11 TACACS tac_plus[25183]: session_id 4520 (0x11a8), Data
length 14 (0xe)
Mar  6 11:15:11 TACACS tac_plus[25183]: End header
Mar  6 11:15:11 TACACS tac_plus[25183]: type=AUTHEN/CONT
Mar  6 11:15:11 TACACS tac_plus[25183]: user_msg_len 9 (0x9),
user_data_len 0 (0x0)
Mar  6 11:15:11 TACACS tac_plus[25183]: flags=0x0
Mar  6 11:15:11 TACACS tac_plus[25183]: User msg:
Mar  6 11:15:11 TACACS tac_plus[25183]: Ma!76dryn
Mar  6 11:15:11 TACACS tac_plus[25183]: User data:
Mar  6 11:15:11 TACACS tac_plus[25183]: End packet
Mar  6 11:15:11 TACACS tac_plus[25183]: Found entry for aorellanop in
shadow file
Mar  6 11:15:11 TACACS tac_plus[25183]: verify PEPExxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Mar  6 11:15:11 TACACS tac_plus[25183]: PEPExxx  encrypts to
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Mar  6 11:15:11 TACACS tac_plus[25183]: Password is correct
Mar  6 11:15:11 TACACS tac_plus[25183]: Password has not expired /bin/bash
Mar  6 11:15:11 TACACS tac_plus[25183]: cfg_acl_check(acl_argentina,
129.214.180.66)
Mar  6 11:15:11 TACACS tac_plus[25183]: ip 129.214.180.66 matched permit
regex .* of acl filter acl_argentina
Mar  6 11:15:11 TACACS tac_plus[25183]: login query for 'aorellanop'
unknown from 129.214.180.66 accepted
Mar  6 11:15:11 TACACS tac_plus[25183]: Writing AUTHEN/SUCCEED size=18
Mar  6 11:15:11 TACACS tac_plus[25183]: PACKET: key=xxxxxxx
Mar  6 11:15:11 TACACS tac_plus[25183]: version 192 (0xc0), type 1, seq no
4, flags 0x1
Mar  6 11:15:11 TACACS tac_plus[25183]: session_id 4520 (0x11a8), Data
length 6 (0x6)
Mar  6 11:15:11 TACACS tac_plus[25183]: End header
Mar  6 11:15:11 TACACS tac_plus[25183]: type=AUTHEN status=1
(AUTHEN/SUCCEED) flags=0x0
Mar  6 11:15:11 TACACS tac_plus[25183]: msg_len=0, data_len=0
Mar  6 11:15:11 TACACS tac_plus[25183]: msg:
Mar  6 11:15:11 TACACS tac_plus[25183]: data:
Mar  6 11:15:11 TACACS tac_plus[25183]: End packet




Config file on Linux SUSE 11.2

user = aorellanop {
default service = permit
member = lvl_15_argentina
login = file /etc/passwd

}

#### Can we do this with another version of Tacacs-plus?? pap = file /etc/passwd #####
user = aorellanop {
default service = permit
member = lvl_15_argentina
login = file /etc/passwd
pap = file /etc/passwd

}
We want to use the Linux password (/etc/passwd) for both types of
authentication. Is this possible?


Best Regards.
Ariel

E-Mail to and from me, in connection with the transaction 
of public business, is subject to the Wyoming Public Records 
Act and may be disclosed to third parties.
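An added check for the situation in this thread (not part of the list post or of tac_plus itself): a small Python linter over tac_plus.conf user blocks that reports users with a login method but no pap method, which is the case behind the "pap-login query ... rejected" line in the first debug log. It only reads user blocks, not group inheritance via member =, and the config text is constructed after the excerpts above.

```python
import re

# Constructed sample in the format of the tac_plus.conf excerpts in the thread:
# the first user has only a "login" method, the second has login, pap and enable.
SAMPLE_CONF = """
user = aorellanop {
default service = permit
member = lvl_15_argentina
login = file /etc/passwd
}
user = operador {
default service = permit
login = file /etc/passwd
pap = file /etc/passwd
enable = file /etc/passwd
}
"""

USER_RE = re.compile(r"^\s*user\s*=\s*(\S+)\s*\{\s*$")
ATTR_RE = re.compile(r"^\s*(login|pap|enable)\s*=\s*(.+?)\s*$")


def parse_users(conf_text):
    """Return {username: {method: value}} for the login/pap/enable methods of each user block."""
    users, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0]  # drop trailing comments such as the '####' note in the thread
        m = USER_RE.match(line)
        if m:
            current = m.group(1)
            users[current] = {}
            continue
        if line.strip() == "}":
            current = None
            continue
        if current is not None:
            a = ATTR_RE.match(line)
            if a:
                users[current][a.group(1)] = a.group(2)
    return users


def users_missing_pap(conf_text):
    """Users who can answer an ASCII login but have no 'pap =' method; a PAP AUTHEN/START
    from a switch (authen_type=pap in the debug log) is rejected for these users."""
    return sorted(u for u, m in parse_users(conf_text).items() if "login" in m and "pap" not in m)


if __name__ == "__main__":
    for user in users_missing_pap(SAMPLE_CONF):
        print(f"user {user}: add 'pap = file /etc/passwd' to allow PAP with the Linux password")
```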