[tac_plus] do_auth and aaa authorization not working with Foundry ServerIronXL load-balancers
Aaron Wasserott
aaron.wasserott at viawest.com
Fri Mar 14 16:17:00 UTC 2014
I have many ancient Foundry ServerIronXL load-balancers. They work fine with basic TACACS AAA but when I implement do_auth I cannot login. I noticed some interesting behavior, that if I either turn off authorization or enable do_auth debugging it will work.
Below are tacacs debug outputs for the 3 scenarios with do_auth. 1) with authorization and it fails. 2) without authorization and it passes. 3) with authorization and with debugging and it passes. Doing a compare, between scenario 1 and 3 it appears the root issue is that without debugging, do_auth will send AUTHOR/PASS_REPL and with debugging it will send AUTHOR/PASS_ADD. If you paste the entire debug output (with header) below into a text editor, this in on line 115. Shortly after that on line 138 there are other differences, and w/o debugging it either sends or receives (I can't tell) data not sent/received with debugging. Also notice that w/o debugging it never receives the username. Then w/o debugging it gets a null packet when it expects a continue, pointing to the ServerIron not liking something sent to it.
I am hoping to find a way to modify how do_auth communicates with the ServerIron's that leaves debugging off, and authorization on.
Thanks,
------
Here are the AAA configs I have on the ServerIronXL running version 7.4.01mT12 that works:
aaa authentication enable default tacacs+ enable
aaa authentication login default tacacs+ enable
aaa authentication login privilege-mode
aaa accounting commands 0 default start-stop tacacs+
aaa accounting exec default start-stop tacacs+
tacacs-server host 10.99.11.10
tacacs-server key 1 $S!--+sU@
tacacs-server retransmit 1
tacacs-server timeout 2
Adding the following breaks it unless debugging is enabled:
aaa authorization exec default tacacs+ none
I am running tac_plus version F5.0.0a1 and do_auth version 1.92 on Ubuntu 12.04 x64.
Here are the tacacs debug outputs from scenario 1 and 3 I mentioned above.
### do_auth AND aaa authorization WITHOUT -D --- FAILS
session request from 10.99.1.11 sock=2
connect from 10.99.1.11 [10.99.1.11]
Waiting for packet
Read AUTHEN/START size=36
validation request from 10.99.1.11
PACKET: key=password
version 192 (0xc0), type 1, seq no 1, flags 0x1
session_id 534387377 (0x1fda1ab1), Data length 24 (0x18)
End header
type=AUTHEN/START, priv_lvl = 0
action=login
authen_type=ascii
service=login
user_len=0 port_len=4 (0x4), rem_addr_len=12 (0xc)
data_len=0
User:
port:
tty4
rem_addr:
10.33.144.34
data:
End packet
Authen Start request
choose_authen returns 1
Writing AUTHEN/GETUSER size=55
PACKET: key=password
version 192 (0xc0), type 1, seq no 2, flags 0x1
session_id 534387377 (0x1fda1ab1), Data length 43 (0x2b)
End header
type=AUTHEN status=4 (AUTHEN/GETUSER) flags=0x0
msg_len=37, data_len=0
msg:
0xa User Access Verification 0xa
data:
End packet
Waiting for packet
Read AUTHEN/CONT size=24
PACKET: key=password
version 192 (0xc0), type 1, seq no 3, flags 0x1
session_id 534387377 (0x1fda1ab1), Data length 12 (0xc)
End header
type=AUTHEN/CONT
user_msg_len 7 (0x7), user_data_len 0 (0x0)
flags=0x0
User msg:
testuser
User data:
End packet
choose_authen chose default_fn
Calling authentication function
Writing AUTHEN/GETPASS size=28
PACKET: key=password
version 192 (0xc0), type 1, seq no 4, flags 0x1
session_id 534387377 (0x1fda1ab1), Data length 16 (0x10)
End header
type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
msg_len=10, data_len=0
msg:
Password:
data:
End packet
Waiting for packet
Read AUTHEN/CONT size=26
PACKET: key=password
version 192 (0xc0), type 1, seq no 5, flags 0x1
session_id 534387377 (0x1fda1ab1), Data length 14 (0xe)
End header
type=AUTHEN/CONT
user_msg_len 9 (0x9), user_data_len 0 (0x0)
flags=0x0
User msg:
P at ssw0rd!
User data:
End packet
login query for 'testuser' tty4 from 10.99.1.11 accepted
Writing AUTHEN/SUCCEED size=18
PACKET: key=password
version 192 (0xc0), type 1, seq no 6, flags 0x1
session_id 534387377 (0x1fda1ab1), Data length 6 (0x6)
End header
type=AUTHEN status=1 (AUTHEN/SUCCEED) flags=0x0
msg_len=0, data_len=0
msg:
data:
End packet
10.99.1.11: disconnect
session request from 10.99.1.11 sock=2
connect from 10.99.1.11 [10.99.1.11]
Waiting for packet
Read AUTHOR size=62
validation request from 10.99.1.11
PACKET: key=password
version 192 (0xc0), type 2, seq no 1, flags 0x1
session_id 67398558 (0x4046b9e), Data length 50 (0x32)
End header
type=AUTHOR, priv_lvl=5, authen=1
method=tacacs+
svc=1 user_len=7 port_len=4 rem_addr_len=12
arg_cnt=2
User:
testuser
port:
tty4
rem_addr:
10.33.144.34
arg[0]: size=13
service=shell
arg[1]: size=4
cmd*
End packet
Writing AUTHOR/PASS_REPL size=30
PACKET: key=password
version 192 (0xc0), type 2, seq no 2, flags 0x1
session_id 67398558 (0x4046b9e), Data length 18 (0x12)
End header
type=AUTHOR/REPLY status=2 (AUTHOR/PASS_REPL)
msg_len=0, data_len=0 arg_cnt=1
msg:
data:
arg[0] size=11
priv-lvl=15
End packet
authorization query for 'testuser' tty4 from 10.99.1.11 accepted
10.99.1.11: disconnect
session request from 10.99.1.11 sock=2
connect from 10.99.1.11 [10.99.1.11]
Waiting for packet
Read AUTHEN/START size=36
validation request from 10.99.1.11
PACKET: key=password
version 192 (0xc0), type 1, seq no 1, flags 0x1
session_id 629145972 (0x25800174), Data length 24 (0x18)
End header
type=AUTHEN/START, priv_lvl = 0
action=login
authen_type=ascii
service=login
user_len=0 port_len=4 (0x4), rem_addr_len=12 (0xc)
data_len=0
User:
port:
tty4
rem_addr:
10.33.144.34
data:
End packet
Authen Start request
choose_authen returns 1
Writing AUTHEN/GETUSER size=55
PACKET: key=password
version 192 (0xc0), type 1, seq no 2, flags 0x1
session_id 629145972 (0x25800174), Data length 43 (0x2b)
End header
type=AUTHEN status=4 (AUTHEN/GETUSER) flags=0x0
msg_len=37, data_len=0
msg:
0xa User Access Verification 0xa
data:
End packet
Waiting for packet
10.99.1.11: exception on fd 2
Read -1 bytes from 10.99.1.11 tty4, expecting 12
Error 10.99.1.11 tty4: Null reply packet, expecting CONTINUE
10.99.1.11: disconnect
### do_auth AND aaa authorization AND -D --- SUCCESS
session request from 10.99.1.11 sock=2
connect from 10.99.1.11 [10.99.1.11]
Waiting for packet
Read AUTHEN/START size=36
validation request from 10.99.1.11
PACKET: key=password
version 192 (0xc0), type 1, seq no 1, flags 0x1
session_id 1510741470 (0x5a0c15de), Data length 24 (0x18)
End header
type=AUTHEN/START, priv_lvl = 0
action=login
authen_type=ascii
service=login
user_len=0 port_len=4 (0x4), rem_addr_len=12 (0xc)
data_len=0
User:
port:
tty2
rem_addr:
10.33.144.34
data:
End packet
Authen Start request
choose_authen returns 1
Writing AUTHEN/GETUSER size=55
PACKET: key=password
version 192 (0xc0), type 1, seq no 2, flags 0x1
session_id 1510741470 (0x5a0c15de), Data length 43 (0x2b)
End header
type=AUTHEN status=4 (AUTHEN/GETUSER) flags=0x0
msg_len=37, data_len=0
msg:
0xa User Access Verification 0xa
data:
End packet
Waiting for packet
Read AUTHEN/CONT size=24
PACKET: key=password
version 192 (0xc0), type 1, seq no 3, flags 0x1
session_id 1510741470 (0x5a0c15de), Data length 12 (0xc)
End header
type=AUTHEN/CONT
user_msg_len 7 (0x7), user_data_len 0 (0x0)
flags=0x0
User msg:
testuser
User data:
End packet
choose_authen chose default_fn
Calling authentication function
Writing AUTHEN/GETPASS size=28
PACKET: key=password
version 192 (0xc0), type 1, seq no 4, flags 0x1
session_id 1510741470 (0x5a0c15de), Data length 16 (0x10)
End header
type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
msg_len=10, data_len=0
msg:
Password:
data:
End packet
Waiting for packet
Read AUTHEN/CONT size=26
PACKET: key=password
version 192 (0xc0), type 1, seq no 5, flags 0x1
session_id 1510741470 (0x5a0c15de), Data length 14 (0xe)
End header
type=AUTHEN/CONT
user_msg_len 9 (0x9), user_data_len 0 (0x0)
flags=0x0
User msg:
P at ssw0rd!
User data:
End packet
login query for 'testuser' tty2 from 10.99.1.11 accepted
Writing AUTHEN/SUCCEED size=18
PACKET: key=password
version 192 (0xc0), type 1, seq no 6, flags 0x1
session_id 1510741470 (0x5a0c15de), Data length 6 (0x6)
End header
type=AUTHEN status=1 (AUTHEN/SUCCEED) flags=0x0
msg_len=0, data_len=0
msg:
data:
End packet
10.99.1.11: disconnect
session request from 10.99.1.11 sock=2
connect from 10.99.1.11 [10.99.1.11]
Waiting for packet
Read AUTHOR size=62
validation request from 10.99.1.11
PACKET: key=password
version 192 (0xc0), type 2, seq no 1, flags 0x1
session_id 504562638 (0x1e1303ce), Data length 50 (0x32)
End header
type=AUTHOR, priv_lvl=5, authen=1
method=tacacs+
svc=1 user_len=7 port_len=4 rem_addr_len=12
arg_cnt=2
User:
testuser
port:
tty2
rem_addr:
10.33.144.34
arg[0]: size=13
service=shell
arg[1]: size=4
cmd*
End packet
Writing AUTHOR/PASS_ADD size=30
PACKET: key=password
version 192 (0xc0), type 2, seq no 2, flags 0x1
session_id 504562638 (0x1e1303ce), Data length 18 (0x12)
End header
type=AUTHOR/REPLY status=1 (AUTHOR/PASS_ADD)
msg_len=0, data_len=0 arg_cnt=1
msg:
data:
arg[0] size=11
priv-lvl=15
End packet
authorization query for 'testuser' tty2 from 10.99.1.11 accepted
10.99.1.11: disconnect
session request from 10.99.1.11 sock=2
connect from 10.99.1.11 [10.99.1.11]
Waiting for packet
Read ACCT size=84
validation request from 10.99.1.11
PACKET: key=password
version 192 (0xc0), type 3, seq no 1, flags 0x1
session_id 344350923 (0x148660cb), Data length 72 (0x48)
End header
ACCT, flags=0x2 method=6 priv_lvl=0
type=1 svc=1
user_len=7 port_len=4 rem_addr_len=12
arg_cnt=3
User:
testuser
port:
tty2
rem_addr:
10.33.144.34
arg[0]: size=9
task_id=3
arg[1]: size=15
timezone=GMT+00
arg[2]: size=13
service=shell
End packet
Writing ACCT size=17
PACKET: key=password
version 192 (0xc0), type 3, seq no 2, flags 0x1
session_id 344350923 (0x148660cb), Data length 5 (0x5)
End header
ACCT/REPLY status=1
msg_len=0 data_len=0
msg:
data:
End packet
10.99.1.11: disconnect
session request from 10.99.1.11 sock=2
connect from 10.99.1.11 [10.99.1.11]
Waiting for packet
Read ACCT size=119
validation request from 10.99.1.11
PACKET: key=password
version 192 (0xc0), type 3, seq no 1, flags 0x1
session_id 899685447 (0x35a01c47), Data length 107 (0x6b)
End header
ACCT, flags=0x4 method=6 priv_lvl=0
type=1 svc=1
user_len=7 port_len=4 rem_addr_len=12
arg_cnt=5
User:
testuser
port:
tty2
rem_addr:
10.33.144.34
arg[0]: size=9
task_id=3
arg[1]: size=15
timezone=GMT+00
arg[2]: size=13
service=shell
arg[3]: size=14
elapsed_time=2
arg[4]: size=19
reason=User Request
End packet
Writing ACCT size=17
PACKET: key=password
version 192 (0xc0), type 3, seq no 2, flags 0x1
session_id 899685447 (0x35a01c47), Data length 5 (0x5)
End header
ACCT/REPLY status=1
msg_len=0 data_len=0
msg:
data:
End packet
10.99.1.11: disconnect
More information about the tac_plus
mailing list