[tac_plus] tac_plus and PAM

Tucker Jones ttjones2013 at hotmail.com
Fri Dec 20 15:18:01 UTC 2013


Hello,

I am setting up a CentOS server to run tac_plus and am trying to use it with PAM. Currently, I am trying to use tac_plus to authenticate users who are VPN'ing into the network. The users are able to VPN in; however, pam_tally2 is indicating a bad login and incrementing the attempts, so after a period of time the user gets locked out. I am sure it is some step I have missed in my configuration. I have seen where some other people had a similar problem, but I haven't seen what their resolution was. I did look in the past archives, but I didn't see anything specific to this. I apologize if I missed it.

My current tac_plus.conf appears like this. I just started testing this, so it is only slightly modified from the default currently.

key = "xxxxxxxx" -removed 
accounting file = /var/log/tac.acct
# authentication users not appearing elsewhere via
# the file /etc/passwd
#default authentication = file /etc/passwd

acl = default   {
                #permit = 192\.168\.0\.
                

}

# Example of host-specific configuration:
host = 192.168.2.1 {
        prompt = "Enter your Unix username and password, Username: "
        # Enable password for the router, generate a new one with tac_pwd
        #enable = des 4P8MBRmulyloo
}

# Group that is allowed to do most configuration on all interfaces etc.
group = admin {
        # group members who don't have their own login password will be
        # looked up in /etc/passwd
        #login = file /etc/passwd
        #login = PAM

        # group members who have no expiry date set will use this one
        #expires = "Jan 1 1997"

        # only allow access to specific routers
        acl = default


        # Needed for the router to make commands available to user (subject
        # to authorization if so configured on the router
        service = exec {
                priv-lvl = 15
                #default service = permit
        }

        cmd = username {
                permit .*
        }
        cmd = enable {
                permit .*
        }
        cmd = show {
                permit .*
        }
        cmd = exit {
                permit .*
        }
        cmd = configure {
                permit .*
        }
        cmd = interface {
                permit .*
        }
        cmd =  switchport  {
                permit .*
        }
        cmd = description {
                permit .*
        }
        cmd = no {
                permit shutdown
        }


}

# A group that can change some limited configuration on switchports
# related to host-side network configuration
group = sysadmin {
        # group members who don't have their own login password will be
        # looked up in /etc/passwd:
        #login = file /etc/passwd
        # or authenticated via PAM:
        login = PAM
        acl = default

        # Needed for the router to make commands available to user (subject
        # to authorization if so configured on the router
        service = exec {
                priv-lvl = 15
        }
        cmd = enable {
                permit .*
        }
        cmd = show {
                permit .*
        }
        cmd = exit {
                permit .*
        }
        cmd = configure {
                permit .*
        }
        cmd = interface {
                permit FastEthernet.*
                permit GigabitEthernet.*
        }
        cmd =  switchport  {
                permit "access vlan.*"
                permit "trunk encapsulation.*"
                permit "mode.*"
                permit "trunk allowed vlan.*"
        }
        cmd = description {
                permit .*
        }

        cmd = no {
                permit shutdown
        }

}

user = joe {
        login = PAM
        #member = sysadmin
        member = admin
}
user=kdavis {
      login = PAM
}

user = fred {
        login = PAM
        member = sysadmin
}

# User account configured for use with "rancid"
user = rancid {
        # Generate a new password with tac_pwd
        #login = des LXUxLCkFhGpwA

        service = exec {
                priv-lvl = 15
        }

        cmd = show { permit .* }
        cmd = exit { permit .* }
        cmd = dir { permit .* }
        cmd = write { permit term }
}

# Global enable level 15 password, generate a new one with tac_pwd
user = $enab15$ {
        #login = des 97cZOIgSXU/4I
}

#user = DEFAULT {
#       login = PAM
#member = default
#}

I did turn on debugging when my user logged in and saw this:

cfg_get_hvalue: name=192.168.0.1 attr=key
cfg_get_hvalue: no host named 192.168.0.1
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=192.168.0.1 attr=key
cfg_get_hvalue: no host named 192.168.0.1
cfg_get_phvalue: returns NULL
cfg_get_value: name=kdavis isuser=1 attr=expires rec=1
cfg_get_pvalue: returns NULL
cfg_get_value: name=kdavis isuser=1 attr=acl rec=1
cfg_get_pvalue: returns NULL
login query for 'kdavis' 1032192 from 192.168.0.1 accepted
cfg_get_hvalue: name=192.168.0.1 attr=key
cfg_get_hvalue: no host named 192.168.0.1
cfg_get_phvalue: returns NULL

I wonder if it's something with these NULL values that is somehow impacting things. Any suggestions or help would be appreciated.
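One thing worth checking with this symptom is the PAM stack the daemon uses, because pam_tally2 increments its counter in the auth phase and only resets it in the account phase, so a stack without an account-phase pam_tally2 line counts every login, successful or not, as a failure. This is an added illustration, not part of the original post or of the tac_plus distribution; it assumes the service file is /etc/pam.d/tac_plus, that the daemon runs both the auth and account phases, and that the system stack is named password-auth as on CentOS.

```text
# /etc/pam.d/tac_plus  (assumed service name)
#
# Stack that locks users out even after successful logins: pam_tally2
# is only in the auth phase, where it increments the counter, and
# nothing ever resets it, so deny=5 is reached after five good logins.
auth     required   pam_tally2.so deny=5 unlock_time=900
auth     include    password-auth
account  include    password-auth

# Corrected stack: the account-phase pam_tally2 line resets the counter
# once authentication and account checks have both succeeded.
auth     required   pam_tally2.so deny=5 unlock_time=900
auth     include    password-auth
account  required   pam_tally2.so
account  include    password-auth
```

`pam_tally2 --user <name>` shows the current counter for a user, and `pam_tally2 --user <name> --reset` clears it while the stack is being corrected.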



 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20131220/1ba18fda/attachment.html>


More information about the tac_plus mailing list