[tac_plus] Problem with TACACS+ Authentication

Alan McKinnon alan.mckinnon at gmail.com
Thu Dec 12 06:57:47 UTC 2013


On 12/12/2013 04:52, Rob Campbell wrote:
> Hello,
> 
> I tried sending this email yesterday, but I wasn't a list member at the
> time so it was blocked for moderation.
> 
> I am new to TACACS+ and tac_plus.  I was just trying it out with a very
> simple configuration between my Ubuntu laptop and an Imagestream router.
>  Imagestream routers run Linux, so it is using pam_tacplus.so.  I am only
> using it for sshd at this time, so I do not lose the ability to log in to
> the router.  I have the two configured and talking to each other, but I
> cannot get it to accept my password.  Here are the logs from one of my
> attempts:
> 
> session.peerip is 192.168.100.222
> connect from 192.168.100.222 [192.168.100.222]
> cfg_get_hvalue: name=192.168.100.222 attr=key
> cfg_get_hvalue: no host named 192.168.100.222
> cfg_get_phvalue: returns NULL
> cfg_get_value: name=rcampbell isuser=1 attr=pap rec=1
> cfg_get_pvalue: returns NULL
> cfg_get_value: name=rcampbell isuser=1 attr=global rec=1
> cfg_get_pvalue: returns NULL
> cfg_get_value: name=rcampbell isuser=1 attr=acl rec=1
> cfg_get_pvalue: returns NULL
> pap-login query for 'rcampbell' ssh from 192.168.100.222 rejected
> login failure: rcampbell 192.168.100.222 (192.168.100.222) ssh
> cfg_get_hvalue: name=192.168.100.222 attr=key
> cfg_get_hvalue: no host named 192.168.100.222
> cfg_get_phvalue: returns NULL
> 
> Here is the corresponding tac_plus.conf for that setup:
> 
> accounting file = /var/log/tac_plus.acct
> key = testing123
> 
> user = rcampbell {
>     name = "Rob Campbell"
>     login = des "gjh0yUzBigWxQ"
> }
> 
> user = DEFAULT {
>     login = PAM
>     service = ppp protocol = ip {}
> }
> 
> 
> I have tried this with both a DES encrypted password and a plaintext
> password with no luck.  The logs also look exactly the same no matter what
> password I supply.  Is there something simple I am overlooking here?  Thank
> you.


Your router is using pap (not ascii) to do the password exchange step
with tac_plus. Try this in tac_plus.conf:

user = rcampbell {
    name = "Rob Campbell"
    login = des "gjh0yUzBigWxQ"
    pap = des "gjh0yUzBigWxQ"
}


-- 
Alan McKinnon
alan.mckinnon at gmail.com
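
An added example, not part of the original thread or of the tac_plus project: a small triage script for the debug log quoted above. It flags rejected PAP logins where the user's `pap` lookup returned NULL, which is the condition the reply addresses. The function name `find_missing_pap` is hypothetical, and the script assumes a `cfg_get_pvalue: returns NULL` line refers to the `cfg_get_value` lookup logged immediately before it.

```python
import re

# Log lines copied from the debug excerpt in the quoted message above.
SAMPLE_LOG = """\
session.peerip is 192.168.100.222
connect from 192.168.100.222 [192.168.100.222]
cfg_get_hvalue: name=192.168.100.222 attr=key
cfg_get_hvalue: no host named 192.168.100.222
cfg_get_phvalue: returns NULL
cfg_get_value: name=rcampbell isuser=1 attr=pap rec=1
cfg_get_pvalue: returns NULL
cfg_get_value: name=rcampbell isuser=1 attr=global rec=1
cfg_get_pvalue: returns NULL
cfg_get_value: name=rcampbell isuser=1 attr=acl rec=1
cfg_get_pvalue: returns NULL
pap-login query for 'rcampbell' ssh from 192.168.100.222 rejected
login failure: rcampbell 192.168.100.222 (192.168.100.222) ssh
"""

LOOKUP = re.compile(r"cfg_get_value: name=(\S+) isuser=1 attr=(\S+)")
REJECT = re.compile(r"pap-login query for '([^']+)' (\S+) from (\S+) rejected")

def find_missing_pap(log_text):
    """Return one finding per rejected PAP login, noting whether the
    user's 'pap' lookup was logged as NULL before the rejection."""
    null_attrs = set()   # (user, attr) pairs whose lookup returned NULL
    pending = None       # the lookup logged on the previous line, if any
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = LOOKUP.match(line)
        if m:
            pending = m.groups()
            continue
        # Assumption: a NULL result belongs to the lookup just before it.
        if line == "cfg_get_pvalue: returns NULL" and pending:
            null_attrs.add(pending)
        pending = None
        m = REJECT.match(line)
        if m:
            user, port, peer = m.groups()
            findings.append({"user": user, "port": port, "peer": peer,
                             "pap_missing": (user, "pap") in null_attrs})
    return findings

if __name__ == "__main__":
    for f in find_missing_pap(SAMPLE_LOG):
        hint = ("add a pap = line to the user block" if f["pap_missing"]
                else "no NULL pap lookup logged; check the password")
        print(f"{f['user']} from {f['peer']} ({f['port']}): {hint}")
```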


