[tac_plus] Problem with TACACS+ Authentication

Rob Campbell kg6hum at gmail.com
Thu Dec 12 02:52:55 UTC 2013


Hello,

I tried sending this email yesterday, but I wasn't a list member at the
time so it was blocked for moderation.

I am new to TACACS+ and tac_plus.  I was just trying it out with a very
simple configuration between my Ubuntu laptop and an Imagestream router.
 Imagestream routers run Linux, so it is using pam_tacplus.so.  I am only
using it for sshd at this time, so I do not lose the ability to log in to
the router.  I have the two configured and talking to each other, but I
cannot get it to accept my password.  Here are the logs from one of my
attempts:

session.peerip is 192.168.100.222
connect from 192.168.100.222 [192.168.100.222]
cfg_get_hvalue: name=192.168.100.222 attr=key
cfg_get_hvalue: no host named 192.168.100.222
cfg_get_phvalue: returns NULL
cfg_get_value: name=rcampbell isuser=1 attr=pap rec=1
cfg_get_pvalue: returns NULL
cfg_get_value: name=rcampbell isuser=1 attr=global rec=1
cfg_get_pvalue: returns NULL
cfg_get_value: name=rcampbell isuser=1 attr=acl rec=1
cfg_get_pvalue: returns NULL
pap-login query for 'rcampbell' ssh from 192.168.100.222 rejected
login failure: rcampbell 192.168.100.222 (192.168.100.222) ssh
cfg_get_hvalue: name=192.168.100.222 attr=key
cfg_get_hvalue: no host named 192.168.100.222
cfg_get_phvalue: returns NULL

Here is the corresponding tac_plus.conf for that setup:

accounting file = /var/log/tac_plus.acct
key = testing123

user = rcampbell {
    name = "Rob Campbell"
    login = des "gjh0yUzBigWxQ"
}

user = DEFAULT {
    login = PAM
    service = ppp protocol = ip {}
}


I have tried this with both a DES encrypted password and a plaintext
password with no luck.  The logs also look exactly the same no matter what
password I supply.  Is there something simple I am overlooking here?  Thank
you.

--
Rob Campbell
KG6HUM