[tac_plus] do_auth and aaa authorization not working with Foundry ServerIronXL load-balancers

heasley heas at shrubbery.net
Fri Mar 14 22:38:50 UTC 2014


Fri, Mar 14, 2014 at 04:17:00PM +0000, Aaron Wasserott:
> I have many ancient Foundry ServerIronXL load-balancers. They work fine with basic TACACS AAA but when I implement do_auth I cannot login. I noticed some interesting behavior, that if I either turn off authorization or enable do_auth debugging it will work.
> 
> Below are tacacs debug outputs for the 3 scenarios with do_auth. 1) with authorization and it fails. 2) without authorization and it passes. 3) with authorization and with debugging and it passes. Doing a compare, between scenario 1 and 3 it appears the root issue is that without debugging, do_auth will send AUTHOR/PASS_REPL and with debugging it will send AUTHOR/PASS_ADD. If you paste the entire debug output (with header) below into a text editor, this is on line 115. Shortly after that on line 138 there are other differences, and w/o debugging it either sends or receives (I can't tell) data not sent/received with debugging. Also notice that w/o debugging it never receives the username. Then w/o debugging it gets a null packet when it expects a continue, pointing to the ServerIron not liking something sent to it.
> 
> I am hoping to find a way to modify how do_auth communicates with the ServerIron's that leaves debugging off, and authorization on.

I believe something is missing; the do-auth script is exiting with value 2
but not writing the AVPs or the AVPs are empty. There are many debugging
messages in the script that are commented out. You should uncomment them
and try the script; there are only two places where it exits with code 2.
It may be that it should be exiting with code 1.
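A way to check heasley's diagnosis without a ServerIron in the loop is to run the authorization script the way the daemon would and look at what it hands back. The harness below is an added example, not code from the thread, from tac_plus, or from do_auth.py. It assumes, following the thread and the do_auth usage line (`-u $user`), that the daemon feeds the request's AV pairs to the script on stdin one per line, reads replacement AV pairs from stdout, and maps exit 1 to deny and exit 2 to "permit with the AV pairs replaced" (the AUTHOR/PASS_REPL seen in scenario 1). The two embedded scripts, the `alice` user and the AV pairs are constructed stand-ins; point `run_script` at a real `do_auth.py` command line to test the actual script.

```python
"""Exercise a tac_plus pre/post-authorization script outside the daemon.

Added example (not from the thread, tac_plus, or do_auth.py). Assumptions,
taken from the thread and the do_auth usage: the daemon feeds the request's
AV pairs to the script on stdin, one per line, reads replacement AV pairs
from stdout, and maps exit 1 to deny and exit 2 to "permit, replace AV pairs"
(AUTHOR/PASS_REPL). Other exit codes are left to tac_plus.conf(5).
"""
import os
import subprocess
import sys
import tempfile

# Constructed AV pairs, as a NAS would send for an exec authorization.
SAMPLE_AVPAIRS = ["service=shell", "cmd="]

EXIT_MEANING = {1: "deny", 2: "permit, AV pairs replaced (PASS_REPL)"}

# Constructed stand-ins for a do_auth-style script. BAD reproduces the symptom
# heasley describes (exit 2 with nothing written); GOOD echoes the request
# back with one added pair.
BAD_SCRIPT = """import sys
sys.stdin.read()
sys.exit(2)
"""
GOOD_SCRIPT = """import sys
pairs = [l.strip() for l in sys.stdin if l.strip()]
for p in pairs + ["priv-lvl=15"]:
    print(p)
sys.exit(2)
"""


def run_script(argv, avpairs, timeout=5):
    """Run argv the way the daemon would: AV pairs on stdin, one per line."""
    proc = subprocess.run(argv, input="\n".join(avpairs) + "\n",
                          capture_output=True, text=True, timeout=timeout)
    out = [line.strip() for line in proc.stdout.splitlines() if line.strip()]
    return {"exit": proc.returncode, "avpairs": out, "stderr": proc.stderr}


def diagnose(result):
    """Verdict on what the NAS would end up receiving."""
    code, pairs = result["exit"], result["avpairs"]
    if code == 2 and not pairs:
        return "BROKEN: exit 2 means replace, but stdout carried no AV pairs"
    if code == 1 and pairs:
        return "WARN: exit 1 is deny; AV pairs on stdout are ignored"
    if code not in EXIT_MEANING:
        return "UNKNOWN: exit %d, check tac_plus.conf(5)" % code
    return "OK: " + EXIT_MEANING[code]


def check_embedded(script_text, avpairs=SAMPLE_AVPAIRS, user="alice"):
    """Write a constructed script to a temp file and run it like the daemon.

    The -u argument mirrors do_auth's usage; a real conf line passes its own
    arguments, so build that argv yourself and call run_script directly.
    """
    fd, path = tempfile.mkstemp(suffix=".py")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(script_text)
        result = run_script([sys.executable, path, "-u", user], avpairs)
    finally:
        os.unlink(path)
    result["verdict"] = diagnose(result)
    return result


if __name__ == "__main__":
    for label, text in (("bad", BAD_SCRIPT), ("good", GOOD_SCRIPT)):
        r = check_embedded(text)
        print("%s: exit=%d avpairs=%s -> %s"
              % (label, r["exit"], r["avpairs"], r["verdict"]))
```

Running it prints a BROKEN verdict for the first script (exit 2, empty stdout) and OK for the second. Uncommenting the debug lines in do_auth and feeding it the same stdin lines shows which of its two exit-2 paths is taken and whether anything reaches stdout before it exits.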

