[tac_plus] source IP is not in tacacs log for failed logins

heasley heas at shrubbery.net
Wed Jul 23 19:15:23 UTC 2014 

Tue, Jul 22, 2014 at 04:17:03PM -0400, Asif Iqbal:
> On Tue, Jul 22, 2014 at 4:13 PM, Asif Iqbal <vadud3 at gmail.com> wrote:
> 
> >
> >
> >
> > On Tue, Jul 22, 2014 at 4:06 PM, heasley <heas at shrubbery.net> wrote:
> >
> >> Tue, Jul 22, 2014 at 03:55:40PM -0400, Asif Iqbal:
> >> > Is there a way to get the source IP of a failed login in tacacs log?
> >> >
> >> > I see few different debug levels, and not sure which one, if at all,
> >> would
> >> > carry the source
> >> > IP in the log for failed logins.
> >>
> >> the IP of the tacacs client is in the logs.  if you mean of the devices'
> >> client, it tends to only send that if its a PPP/SLIP client.  you can
> >> look for it in the AVPs sent by the tacacs client.
> >>
> >
> > Right, the tacacs client IP is there and you are correct I was looking
> > for the device IP. These tacacs clients/ network elements are cisco
> > devices.
> >
> >
> I am wondering why successful logins will have the device IPs in the log,
> but not failed logins.

these are from the device connecting to the server, 1 success and 1 failure:

Jul 23 19:13:12 mgmt tac_plus[40475]: 198.58.5.127 tty3: fd 3 eof (connection closed)
Jul 23 19:07:42 mgmt tac_plus[40312]: login failure: heas 198.58.5.127 (198.58.5.127) tty2

this is an accounting record:

Jul 23 19:13:12 mgmt tac_plus[40477]: 198.58.5.127    heas    tty2    198.168.100.69   start    task_id=137367    timezone=UTC    service=shell    start_time=1406142792

> 
> >
> > --
> > Asif Iqbal
> > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> > <http://t.signauxtrois.com/link?url=http%3A%2F%2Fpgp.mit.edu%2F&ukey=agxzfnNpZ25hbHNjcnhyGAsSC1VzZXJQcm9maWxlGICAgK_p2rIIDA&k=aa904a68-1dfb-42c8-d195-8190bc3fe632>
> > A: Because it messes up the order in which people normally read text.
> > Q: Why is top-posting such a bad thing?
> >
> >
> 
> 
> -- 
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?

More information about the tac_plus mailing list