From alan.villaverde at gmail.com Fri Oct 10 12:04:58 2014
From: alan.villaverde at gmail.com (Alan Alejandro Villaverde)
Date: Fri, 10 Oct 2014 09:04:58 -0300
Subject: [tac_plus] - Latest Stable Version you are running

Hi guys,

I wondered which is the latest stable version you are running. In our case we are running tacacs+-F4.0.4.25.

Do you know if it is time to make an upgrade? What do you think? Is there any new stable version?

BR
-- 
Alan Alejandro Villaverde.


From: krux at thcnet.net (krux at thcnet.net)
Date: Fri, 10 Oct 2014 07:41:26 -0700 (PDT)
Subject: [tac_plus] - Latest Stable Version you are running

> I wondered which is the latest stable version you are running. In our case
> we are running tacacs+-F4.0.4.25.

I've been running F4.0.4.26 for some time without any issues. That appears to be the latest version.

perl -e 's==UBER?=+y[:-o]}(;->\n{q-yp-y+k}?print:??;-p#)'

From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Fri, 10 Oct 2014 16:37:33 +0200
Subject: [tac_plus] - Latest Stable Version you are running
Message-ID: <5437EF2D.8090703@gmail.com>

On 10/10/2014 14:04, Alan Alejandro Villaverde wrote:
> Hi guys,
>
> I wondered which is the latest stable version you are running. In our case
> we are running tacacs+-F4.0.4.25.
>
> Do you know if it is time to make an upgrade? What do you think? Is there
> any new stable version?
>
> BR

4.0.4.27a is latest. However, it's a minor change from 4.0.4.25 and fully detailed in the Changelogs. Review those - you will know if you need them. If not, there's no need to upgrade.

5.0.0a1 is not usable, don't try it. It's a first effort at heasley's long-intended reorganize of the code base.

-- 
Alan McKinnon
alan.mckinnon at gmail.com

From: alan.villaverde at gmail.com (Alan Alejandro Villaverde)
Date: Tue, 14 Oct 2014 09:26:35 -0300
Subject: [tac_plus] - Latest Stable Version you are running
In-Reply-To: <5437EF2D.8090703@gmail.com>
References: <5437EF2D.8090703@gmail.com>

Hi Guys,

Thanks for your collaboration. I finally set up tacacs+-F4.0.4.26 on OpenSuse 12.1.

Just another question: has any of you set up a Cisco Wireless LAN Controller to authenticate through this tacacs? The WLC is running version 7.3.101.0.

This doesn't work for us. When I debugged tacacs, all seems to be fine; there is not any error. The authentication passes fine, but the web interface prompts me to authenticate again.

I think I am missing something in the tacacs configuration for this kind of device.

Do you have any idea?

2014-10-10 11:37 GMT-03:00 Alan McKinnon:
> 4.0.4.27a is latest. However, it's a minor change from 4.0.4.25 and
> fully detailed in the Changelogs. Review those - you will know if you
> need them. If not, there's no need to upgrade.
>
> 5.0.0a1 is not usable, don't try it. It's a first effort at heasley's
> long-intended reorganize of the code base.

-- 
Alan Alejandro Villaverde.

From: satch at ine.com (Stephen Satchell)
Date: Fri, 17 Oct 2014 06:24:37 -0700
Subject: [tac_plus] SOMAXCONN too small
Message-ID: <54411895.40003@ine.com>

In our shop, we have a number of NAS devices talking to a pair of tac_plus servers in a failover configuration. The configuration file changes constantly. (Don't ask.) What we have been experiencing is that during periods of heavy login activity, some of the users have been left high and dry, sparking tech support calls and a degraded customer experience.

Investigating the source, I see that SOMAXCONN is set to 5 (by default? Didn't see any way to adjust from ./configure) which for our application is, I suspect, too small.

Is there a particular reason your LISTEN queue is so short? Or is this one of those situations where "5 should be enough for the usual cases"?

I'll be patching the source to boost this to 50 to see what happens.
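The failure mode Stephen describes (a NAS whose connect() hangs because the daemon's accept queue is full) is easy to reproduce locally. The following is an added example, not code from this thread or from tac_plus: a Python script that listens on loopback with a given backlog, deliberately never calls accept(), and counts how many client connects complete before a short per-connect timeout. On Linux the accept queue holds backlog+1 established connections; once it is full the kernel drops further SYNs without answering, so the client sits in SYN-SENT until it gives up, which is what a NAS experiences against an overloaded tac_plus built with the old SOMAXCONN of 5. The attempt count, timeout and the two backlog values (5 versus the 50 proposed above) are this example's own choices.

```python
import socket


def count_connectable(backlog: int, attempts: int, timeout: float = 0.5) -> int:
    """Listen on loopback with the given backlog, never call accept(), and
    count how many client connects complete before the per-connect timeout.

    Once the accept queue is full the kernel drops further SYNs (Linux does
    not answer them at all), so connect() blocks until it times out.  That is
    the "left high and dry" symptom a NAS sees against an overloaded daemon.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port chosen by the kernel
    srv.listen(backlog)
    port = srv.getsockname()[1]

    clients, completed = [], 0
    try:
        for _ in range(attempts):
            c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            c.settimeout(timeout)
            try:
                c.connect(("127.0.0.1", port))
            except OSError:             # socket.timeout is an OSError subclass
                c.close()
                break                   # queue is full; later attempts fail the same way
            clients.append(c)           # keep it open so the queue stays full
            completed += 1
    finally:
        for c in clients:
            c.close()
        srv.close()
    return completed


def compare(attempts: int = 12) -> dict:
    """Run the experiment with tac_plus's old default backlog (5) and the
    value Stephen proposes (50).  Returns {backlog: completed_connections}."""
    return {5: count_connectable(5, attempts), 50: count_connectable(50, attempts)}


if __name__ == "__main__":
    for backlog, done in compare().items():
        print(f"backlog={backlog:<3} completed {done}/12 connects before any accept()")
```

The exact count with backlog 5 varies by operating system (Linux gives backlog+1, BSD-derived stacks round differently), which is why the script compares the two runs rather than asserting a fixed number. Two caveats a practitioner should keep in mind: the kernel silently clamps the value passed to listen() at its own ceiling (net.core.somaxconn on Linux, kern.ipc.somaxconn / kern.ipc.soacceptqueue on FreeBSD), so raising the daemon's number above that sysctl does nothing; and a large backlog only buys time for a single-process accept loop, so if the daemon cannot drain the queue faster than logins arrive, clients still queue and eventually time out, just later. On Linux, "ss -ltn" shows the effective backlog of a listening socket in its Send-Q column.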

From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Fri, 17 Oct 2014 10:08:33 -0600
Subject: [tac_plus] - Latest Stable Version you are running
References: <5437EF2D.8090703@gmail.com>

The WLC uses roles.

service = ciscowlc {
    role1 = ALL
}

On Tue, Oct 14, 2014 at 6:26 AM, Alan Alejandro Villaverde <alan.villaverde at gmail.com> wrote:
> Just another question, Have anyone of you set up a Cisco Wireless Lan
> Controller to authenticate through this tacacs? The running version
> 7.3.101.0 is WLC.
>
> This doesn't work for us. When I debugged tacacs, all seems to be fine,
> there is not any error. The authentication pass fine, but the web interface
> prompt me to authenticate again.
>
> I think I am missing something in the tacacs configuration for this kind of
> device.

E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.

From: heas at shrubbery.net (Heasley)
Date: Fri, 17 Oct 2014 15:06:51 -0700
Subject: [tac_plus] SOMAXCONN too small
In-Reply-To: <54411895.40003@ine.com>
References: <54411895.40003@ine.com>
Message-ID: <36B2761C-DB91-49CD-9A3C-093F6E38C64E@shrubbery.net>

> On 17.10.2014 at 06:24, Stephen Satchell wrote:
>
> In our shop, we have a number of NAS devices talking to a pair of tac_plus servers in a failover configuration. The configuration file changes constantly. (Don't ask.) What we have been experiencing is that during periods of heavy login activity, some of the users have been left high and dry, sparking tech support calls and a degraded customer experience.
>
> Investigating the source, I see that SOMAXCONN is set to 5 (by default? Didn't see any way to adjust from ./configure) which for our application is, I suspect, too small.
>
> Is there a particular reason your LISTEN queue is so short? Or is this one of those situations where "5 should be enough for the usual cases"?
>
> I'll be patching the source to boost this to 50 to see what happens.

I don't see why 50 should be a problem. FreeBSD default is 128. I suppose one may prefer a client find no connection and roll to another server vs. wait. So, it's probably better left to the default or a cmdline option.

From: alan.villaverde at gmail.com (Alan Alejandro Villaverde)
Date: Mon, 20 Oct 2014 12:09:42 -0300
Subject: [tac_plus] - Latest Stable Version you are running
References: <5437EF2D.8090703@gmail.com>

Hi guys!

I finally made it work! I did it with the config I mentioned before. Searching a bit more I found this page:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-5/config_guide/b_cg75/b_cg75_chapter_0101001.html

in which I could find this:

*Note* For basic management authentication via TACACS+ to succeed, it is required to configure authentication and authorization servers on the WLC. Accounting configuration is optional.

So my error was that in the WLC, under Security, TACACS+, I had configured only Authentication without setting up the Authorization tacacs section.

Now it is working! Thanks for your time and collaboration.

Best regards.

2014-10-20 11:05 GMT-03:00 Alan Alejandro Villaverde <alan.villaverde at gmail.com>:
> Hi Daniel,
>
> Could you please teach me where I have to add this line?
> I added this line into the group access list section. I don't know if it is
> ok, but the tacacs doesn't show me any error.
>
> NOTE: the tacacs production server is running F4.0.4.25
>
> group = todo_super_user {
>     service = exec {
>         priv-lvl = 15
>     }
>     service = ciscowlc {
>         role1 = ALL
>     }
>     acl = todo
> }
>
> Here the log: (logging -d 16)
>
> login query for 'avillaverde' unknown-port from 10.85.206.34 accepted
>
> The authentication is valid, but the wireless controller is still
> prompting me for user and password again.
>
> Do you have a WLC running 7.3.101.0 and authenticating with tacacs? Maybe
> I am missing some configuration items.
>
> I will appreciate your help very much.
>
> 2014-10-17 13:08 GMT-03:00 Daniel Schmidt:
>> The WLC uses roles.
>>
>> service = ciscowlc {
>>     role1 = ALL
>> }
-- 
Alan Alejandro Villaverde.

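Daniel's stanza and Alan's fix both come down to the same thing: the WLC only honours a login after a separate TACACS+ authorization exchange returns a role, and the WLC never sends that exchange unless an authorization server is configured on it. To make the exchange concrete, here is an added example that is not tac_plus code and not taken from this thread: a Python model of the RFC 8907 packet header and body obfuscation, the AUTHOR REQUEST a NAS sends, and a minimal server-side decision that mirrors the "group = todo_super_user { service = ciscowlc { role1 = ALL } }" configuration posted above. The assumptions are this example's own: the WLC is taken to send "service=ciscowlc" as its authorization argument (inferred from the service name in the config; the WLC's exact argument list is not on this page), and the user, port, remote address, session id and shared key values are made up.

```python
import hashlib
import struct

# RFC 8907 constants: version byte is major 0xc, minor 0.
VERSION = 0xC0
TYPE_AUTHOR = 0x02                       # packet type: authorization
AUTHEN_METH_TACACSPLUS = 0x06
AUTHEN_TYPE_ASCII = 0x01
AUTHEN_SVC_LOGIN = 0x01
AUTHOR_PASS_ADD, AUTHOR_FAIL = 0x01, 0x10
HDR = struct.Struct("!BBBBII")           # version, type, seq_no, flags, session_id, length

# Constructed stand-in for the tac_plus.conf stanza posted in this thread.
CONFIG = {
    "users": {"avillaverde": "todo_super_user"},
    "groups": {"todo_super_user": {"exec": {"priv-lvl": "15"},
                                   "ciscowlc": {"role1": "ALL"}}},
}


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """RFC 8907 body obfuscation: XOR with a chained MD5 pad seeded by the shared
    secret.  XOR is symmetric, so the same call decodes.  It gives no integrity:
    a wrong key yields garbage rather than an error."""
    seed = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(a ^ b for a, b in zip(body, pad))


def packet(seq_no: int, session_id: int, key: bytes, body: bytes) -> bytes:
    hdr = HDR.pack(VERSION, TYPE_AUTHOR, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, seq_no)


def unpack(pkt: bytes, key: bytes):
    version, ptype, seq_no, _flags, session_id, length = HDR.unpack(pkt[:HDR.size])
    if version != VERSION or ptype != TYPE_AUTHOR:
        raise ValueError("not a TACACS+ authorization packet")
    return session_id, obfuscate(pkt[HDR.size:HDR.size + length], session_id, key, seq_no)


def author_request(session_id, key, user, port, rem_addr, args):
    """NAS side: the AUTHOR REQUEST the WLC sends once an authorization server is
    configured.  'args' are attr=value strings; 'service=ciscowlc' is an assumption."""
    enc = [a.encode() for a in args]
    body = bytes([AUTHEN_METH_TACACSPLUS, 1, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                  len(user), len(port), len(rem_addr), len(enc)])
    body += bytes(len(a) for a in enc)
    body += user.encode() + port.encode() + rem_addr.encode() + b"".join(enc)
    return packet(1, session_id, key, body)


def parse_author_request(pkt, key):
    session_id, body = unpack(pkt, key)
    ulen, plen, rlen, argc = body[4:8]
    arglens, off = body[8:8 + argc], 8 + argc
    user = body[off:off + ulen].decode(); off += ulen
    off += plen + rlen                   # port and rem_addr play no part in the decision
    args = []
    for n in arglens:
        args.append(body[off:off + n].decode()); off += n
    return session_id, user, args


def author_reply(session_id, key, status, args=()):
    enc = [a.encode() for a in args]
    body = struct.pack("!BBHH", status, len(enc), 0, 0)   # no server_msg, no data
    body += bytes(len(a) for a in enc) + b"".join(enc)
    return packet(2, session_id, key, body)


def parse_author_reply(pkt, key):
    _, body = unpack(pkt, key)
    status, argc, mlen, dlen = struct.unpack("!BBHH", body[:6])
    arglens, off = body[6:6 + argc], 6 + argc + mlen + dlen
    args = []
    for n in arglens:
        args.append(body[off:off + n].decode()); off += n
    return status, args


def server_authorize(pkt, key):
    """Server side, mirroring what tac_plus does with the stanza above: find the
    user's group, answer PASS_ADD with the requested service's attributes, else FAIL."""
    try:
        session_id, user, args = parse_author_request(pkt, key)
    except (ValueError, UnicodeDecodeError):
        return None                      # wrong key: body is garbage, packet is rejected
    service = next((a.split("=", 1)[1] for a in args if a.startswith("service=")), None)
    attrs = CONFIG["groups"].get(CONFIG["users"].get(user), {}).get(service)
    if attrs is None:
        return author_reply(session_id, key, AUTHOR_FAIL)
    return author_reply(session_id, key, AUTHOR_PASS_ADD, [f"{k}={v}" for k, v in attrs.items()])


def wlc_login(user, key=b"example-shared-secret", service="ciscowlc"):
    """One WLC authorization round trip; returns (status, attribute list)."""
    req = author_request(0x1234ABCD, key, user, "tty0", "10.85.206.34", [f"service={service}"])
    return parse_author_reply(server_authorize(req, key), key)
```

Running wlc_login("avillaverde") returns PASS_ADD with ["role1=ALL"], which is the answer the controller needs before it will show the management interface; with only an authentication server configured on the WLC this request is never sent, the role is never learned, and the web UI asks for credentials again, exactly as reported above. The obfuscation function is also why the "secret shown in cleartext" question later in this archive matters: anyone holding the shared key can decode every packet, and the scheme has no integrity check, so a wrong key is detected only because the decoded body fails to parse.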
From: alan.villaverde at gmail.com (Alan Alejandro Villaverde)
Date: Mon, 20 Oct 2014 11:05:42 -0300
Subject: [tac_plus] - Latest Stable Version you are running
References: <5437EF2D.8090703@gmail.com>

Hi Daniel,

Could you please teach me where I have to add this line? I added this line into the group access list section. I don't know if it is ok, but the tacacs doesn't show me any error.

NOTE: the tacacs production server is running F4.0.4.25

group = todo_super_user {
    service = exec {
        priv-lvl = 15
    }
    service = ciscowlc {
        role1 = ALL
    }
    acl = todo
}

Here the log: (logging -d 16)

login query for 'avillaverde' unknown-port from 10.85.206.34 accepted

The authentication is valid, but the wireless controller is still prompting me for user and password again.

Do you have a WLC running 7.3.101.0 and authenticating with tacacs? Maybe I am missing some configuration items.

I will appreciate your help very much.

2014-10-17 13:08 GMT-03:00 Daniel Schmidt:
> The WLC uses roles.
>
> service = ciscowlc {
>     role1 = ALL
> }
-- 
Alan Alejandro Villaverde.

From: heas at shrubbery.net (heasley)
Date: Mon, 20 Oct 2014 21:13:02 +0000
Subject: [tac_plus] SOMAXCONN too small
In-Reply-To: <20141020205954.2C599143C@guelah.shrubbery.net> <36B2761C-DB91-49CD-9A3C-093F6E38C64E@shrubbery.net>
Message-ID: <20141020211302.GA45956@shrubbery.net>

Fri, Oct 17, 2014 at 03:06:51PM -0700, Heasley:
> > On 17.10.2014 at 06:24, Stephen Satchell wrote:
> >
> > Investigating the source, I see that SOMAXCONN is set to 5 (by default? Didn't see any way to adjust from ./configure) which for our application is, I suspect, too small.
> >
> > I'll be patching the source to boost this to 50 to see what happens.
>
> I don't see why 50 should be a problem. FreeBSD default is 128. I suppose one may prefer a client find no connection and roll to another server vs. wait. So, it's probably better left to the default or a cmdline option.

Index: tac_plus.c =================================================================== --- tac_plus.c (revision 3661) +++ tac_plus.c (working copy)
@@ -270,9 +270,14 @@ { extern char *optarg; FILE *fp; - int c, *s, ns; + int c, *s, ns, somaxconn; struct pollfd *pfds; +#ifndef SOMAXCONN +# define SOMAXCONN 64 +#endif + somaxconn = SOMAXCONN; + #if PROFILE moncontrol(0); #endif @@ -293,7 +298,7 @@ tac_exit(1); } - while ((c = getopt(argc, argv, "B:C:d:hiPp:tGgvSsLl:w:u:")) != EOF) + while ((c = getopt(argc, argv, "B:C:d:hiPp:tGgvSsLl:m:w:u:")) != EOF) switch (c) { case 'B': /* bind() address*/ bind_address = optarg; @@ -338,6 +343,9 @@ case 'l': /* logfile */ logfile = tac_strdup(optarg); break; + case 'm': /* SOMAXCONN */ + somaxconn = atoi(optarg); + break; case 'S': /* enable single-connection */ opt_S = 1; break; @@ -501,12 +509,8 @@ get_socket(&s, &ns); -#ifndef SOMAXCONN -#define SOMAXCONN 5 -#endif - for (c = 0; c < ns; c++) { - if (listen(s[c], SOMAXCONN) < 0) { + if (listen(s[c], somaxconn) < 0) { console = 1; report(LOG_ERR, "listen: %s", strerror(errno)); tac_exit(1); Index: tac_plus.8.in =================================================================== --- tac_plus.8.in (revision 3661) +++ tac_plus.8.in (working copy) @@ -1,6 +1,6 @@ .\" .hys 50 -.TH tac_plus 8 "28 July 2009" +.TH tac_plus 8 "20 October 2014" .\" .SH NAME tac_plus \- tacacs plus daemon @@ -20,6 +20,9 @@ .BI \-l ] [\c +.BI \-m +] +[\c .BI \-p ] [\c @@ -135,6 +138,11 @@ The logs are still posted to syslog. .\" .TP +.B -m +Specify an alternative client listen queue limit. +The default is SOMAXCONN or 64, if your O/S does not specify one. +.\" +.TP .B -L Lookup DNS PTR (Domain Name System PoinTeR) record of client addresses. The resulting FQDN (Fully Qualified Domain Name), if it resolves, will be Index: CHANGES =================================================================== --- CHANGES (revision 3661) +++ CHANGES (working copy) 
@@ -471,3 +471,5 @@ - update autoconf bits for autoconf 2.69 - put tac_plus daemon in sbin, where it ought to be - fix hdr->datalength handling in dump_nas_pak() + - add -m option to specify the client listen queue max and increase + the default to 64 if the O/S does not define SOMAXCONN

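Review bot: the "#ifndef SOMAXCONN / # define SOMAXCONN 64 / #endif" fallback in the @@ -270,9 +270,14 @@ hunk of tac_plus.c is placed inside main(), between the local declarations; a preprocessor fallback belongs at file scope next to the includes, so that any other use of SOMAXCONN in the file sees the same value and the next reader does not have to find it inside a function body. A short comment that 64 is an arbitrary choice replacing the old in-function fallback of 5 would also help.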
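Review bot: adding "m:" to the getopt string in the @@ -293,7 +298,7 @@ hunk is not matched by any change to the usage text the daemon prints for -h (the 'h' in the same string); if that text enumerates the options, it needs "-m <backlog>" added as well, otherwise -h keeps advertising the old option set while the manpage documents the new one.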
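Review bot: "somaxconn = atoi(optarg);" in the @@ -338,6 +343,9 @@ hunk accepts any string: "-m foo" becomes 0, "-m -5" stays negative, and both are handed straight to listen() later with no diagnostic, and a zero backlog is a particularly bad way to fix the very problem this option exists for. Parse with strtol(), check that the whole argument was consumed and that the result is at least 1, and otherwise report(LOG_ERR, ...) the offending value and tac_exit(1) as the surrounding option handling already does for a bad invocation.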
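Review bot: "if (listen(s[c], somaxconn) < 0)" in the @@ -501,12 +509,8 @@ hunk will succeed even when the kernel silently clamps the backlog at its own ceiling (net.core.somaxconn on Linux, kern.ipc.somaxconn or kern.ipc.soacceptqueue on FreeBSD), so an operator who passes "-m 500" on a host whose sysctl is 128 gets 128 and no indication of it. listen() cannot return the effective value, so the practical fix is to log the requested backlog at startup (report(LOG_INFO, ...) next to the existing error report) and to say in the manpage that the sysctl must be raised as well; otherwise the symptom Stephen describes comes back with a larger number in the startup script.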
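Review bot: the new -m entry in the @@ -135,6 +138,11 @@ hunk of tac_plus.8.in is filed between -l and -L, while the synopsis hunk (@@ -20,6 +20,9 @@) places it between -l and -p; pick one ordering for both. The entry should also state the accepted range (a positive integer) and that the operating system may reduce the value to its own limit, because "The default is SOMAXCONN or 64" reads as though the number given is the number obtained.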
From: Michael.Josten at hs-niederrhein.de (Josten, Michael)
Date: Thu, 23 Oct 2014 11:55:30 +0200
Subject: [tac_plus] tac_plus Logging Security concerns
Message-ID: <9BDA0B754D62C64FBE6B0CFFA429C47A2EEBF1A775@prometheus>

Hello,

I am worried about user input being logged to my tac_plus logfile. I recently compiled version F4.0.4.27a under Debian 7.6 to implement PAM functionality. Everything is working well so far, but I took a very close look into my /var/log/tacacs/tacacs file after my colleague informed me that he was able to read his password in cleartext in the logging file. I did further troubleshooting on various switch models like HP ProCurve, Brocade ICX, FCX and MLX switches and even stone-old Enterasys N Series dinosaur switches, with aaa accounting settings, encryption settings etc. turned off and on. I started the tac_plus daemon with several debugging levels and no debugging at all and can't get rid of the password being shown in the logs.

Even the secret is shown in cleartext. I posted a failed authentication part of the logfile on pastebin: http://pastebin.com/sffJkFJc - just search for the term "bein"; that's the part I am talking about.

Best regards
Michael Josten
Staff member, IT Operations
Hochschule Niederrhein
KIS - Kommunikations und Informationssysteme Service
Niederrhein University of Applied Sciences
Communication and Information Systems Service
Reinarzstr. 49
D - 47805 Krefeld
Phone: +49 2151 822 3129
Fax: +49 2151 822 853123
Email: michael.josten at hs-niederrhein.de
www.hs-niederrhein.de

From: heas at shrubbery.net (John Heasley)
Date: Thu, 23 Oct 2014 07:57:12 -0700
Subject: [tac_plus] tac_plus Logging Security concerns
In-Reply-To: <9BDA0B754D62C64FBE6B0CFFA429C47A2EEBF1A775@prometheus>
References: <9BDA0B754D62C64FBE6B0CFFA429C47A2EEBF1A775@prometheus>
Message-ID: <283B98E7-32D6-4F2D-8C04-00DD423461EE@shrubbery.net>

On Oct 23, 2014, at 2:55 AM, Josten, Michael wrote:
>
> Hello,
>
> I am worried about user input being logged to my tac_plus logfile. I recently compiled version F4.0.4.27a
> under Debian 7.6 to implement PAM functionality. Everything is working well so far, but I took a very close
> look into my /var/log/tacacs/tacacs file after my colleague informed me that he was able to read his
> password in cleartext in the logging file. I did further troubleshooting on various switch models like
> HP ProCurve, Brocade ICX, FCX and MLX switches and even stone-old Enterasys N Series dinosaur switches
> with aaa accounting settings, encryption settings etc. turned off and on. I started the tac_plus daemon with
> several debugging levels and no debugging at all and can't get rid of the password being shown in the logs.

Greetings, it should not log any of that information without enabling debugging. Before trying to disable this logging, did you have any debug options on the command-line?

I can test this when I have a terminal in a few hours.

> Even the secret is shown in cleartext. I posted a failed authentication part of the logfile on pastebin.
> http://pastebin.com/sffJkFJc just search for the term "bein" that's the part I am talking about.
>
> Best regards
> Michael Josten
From: heas at shrubbery.net (John Heasley)
Date: Thu, 23 Oct 2014 17:13:33 +0000
Subject: [tac_plus] tac_plus Logging Security concerns
In-Reply-To: <283B98E7-32D6-4F2D-8C04-00DD423461EE@shrubbery.net>
References: <9BDA0B754D62C64FBE6B0CFFA429C47A2EEBF1A775@prometheus> <283B98E7-32D6-4F2D-8C04-00DD423461EE@shrubbery.net>
Message-ID: <20141023171333.GC49163@shrubbery.net>

Thu, Oct 23, 2014 at 07:57:12AM -0700, John Heasley:
> On Oct 23, 2014, at 2:55 AM, Josten, Michael wrote:
> >
> > I am worried about user input being logged to my tac_plus logfile. I recently compiled version F4.0.4.27a
> > under Debian 7.6 to implement PAM functionality. [...] I started the tac_plus daemon with
> > several debugging levels and no debugging at all and can't get rid of the password being shown in the logs.
>
> Greetings, it should not log any of that information without enabling debugging. Before trying to disable this logging, did you have any debug options on the command-line?
>
> I can test this when I have a terminal in a few hours.

I do not see this logging occurring by default, that is without -d options, on Debian 7.7. Please ensure that you are not using -d (debug) options.

> > Even the secret is shown in cleartext. I posted a failed authentication part of the logfile on pastebin.
> > http://pastebin.com/sffJkFJc just search for the term "bein" that's the part I am talking about.
> >
> > Best regards
> > Michael Josten
> > IT Operations staff member
> > Hochschule Niederrhein
> > KIS - Kommunikations und Informationssysteme Service
> > Niederrhein University of Applied Sciences
> > Communication and Information Systems Service
> > Reinarzstr. 49
> > D - 47805 Krefeld
> > Phone: +49 2151 822 3129
> > Fax: +49 2151 822 853123
> > Email: michael.josten at hs-niederrhein.de
> > www.hs-niederrhein.de

From Michael.Josten at hs-niederrhein.de Fri Oct 24 04:55:14 2014
From: Michael.Josten at hs-niederrhein.de (Josten, Michael)
Date: Fri, 24 Oct 2014 06:55:14 +0200
Subject: [tac_plus] tac_plus Logging Security concerns
In-Reply-To: <20141023171333.GC49163@shrubbery.net>
References: <9BDA0B754D62C64FBE6B0CFFA429C47A2EEBF1A775@prometheus> <283B98E7-32D6-4F2D-8C04-00DD423461EE@shrubbery.net> <20141023171333.GC49163@shrubbery.net>
Message-ID: <9BDA0B754D62C64FBE6B0CFFA429C47A2EEBF1A777@prometheus>

Hello,

I think I found the problem. I didn't create the /etc/default file and the daemon always started in debugging mode.
At least in my world this makes sense ;) but what about the secret being shown in the logfile? Is that usual behavior?

Thanks for your help so far.

Best regards
Michael Josten

-----Original Message-----
From: John Heasley [mailto:heas at shrubbery.net]
Sent: Thursday, 23 October 2014 19:14
To: Josten, Michael
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] tac_plus Logging Security concerns

Thu, Oct 23, 2014 at 07:57:12AM -0700, John Heasley:
> On Oct 23, 2014, at 2:55 AM, Josten, Michael wrote:
> >
> > Hello,
> >
> > I am worried about user input being logged to my tac_plus logfile. I recently compiled version F4.0.4.27a
> > under Debian 7.6 to implement PAM functionality. Everything is working well so far, but I took a very close
> > look into my /var/log/tacacs/tacacs file after my colleague informed me that he was able to read his
> > password in cleartext in the logging file. I did further troubleshooting on various switch models like
> > HP ProCurves, Brocade ICX, FCX and MLX switches and even stone-old Enterasys N Series dinosaur switches
> > with aaa accounting settings, encryption settings etc. turned off and on. I started the tac_plus daemon with
> > several debugging levels and no debugging at all and can't get rid of the password being shown in the logs.
> > Regards,
>
> It should not log any of that information without enabling debugging.
> Before trying to disable this logging, did you have any debug options on the command-line?
>
> I can test this when I have a terminal in a few hours.

I do not see this logging occurring by default, that is without -d options, on Debian 7.7. Please ensure that
you are not using -d (debug) options.

> > Even the secret is shown in cleartext. I posted a failed authentication part of the logfile on pastebin.
> > http://pastebin.com/sffJkFJc just search for the term "bein"; that's the part I am talking about.
> >
> > Best regards
> > Michael Josten
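The root cause in this thread is a tac_plus daemon that was started with -d debug options because the init defaults file was never created, so the debug logging that includes cleartext passwords stayed on. As an added example, not code from the thread or from the tac_plus project, here is a small POSIX shell audit that flags -d options on a tac_plus command line, checks live processes for the same, and checks that the defaults file exists. Assumptions: the defaults file path /etc/default/tac_plus is a guess (the thread only says "the /etc/default file"), so pass the path your init script actually reads; the attached "-d8" form is handled on the getopt convention and is not something the thread states; the -C option in the constructed sample command lines is tac_plus's config-file option.

```shell
#!/bin/sh
# Added example (not from the tac_plus project or this thread): audit whether
# tac_plus was started with -d debug options, the cause of the cleartext
# passwords in the log discussed above.

# has_debug_flag "<command line>"
# Prints every debug level found and returns 0 if the command line carries a
# -d option, 1 otherwise. Handles "-d 8" and, on the assumed getopt
# convention, the attached form "-d8".
has_debug_flag() {
    found=1
    # Word splitting of the command line is intended here.
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -d)
                if [ $# -ge 2 ]; then
                    printf 'debug level: %s\n' "$2"
                    shift
                else
                    printf 'debug level: (missing)\n'
                fi
                found=0
                ;;
            -d?*)
                printf 'debug level: %s\n' "${1#-d}"
                found=0
                ;;
        esac
        shift
    done
    return $found
}

# check_defaults_file "<path>"
# The thread's root cause: with no defaults file, the init script started the
# daemon in debug mode. Returns 0 if the file exists, 1 (with a warning)
# otherwise. /etc/default/tac_plus is an assumed name, not from the thread.
check_defaults_file() {
    path=${1:-/etc/default/tac_plus}
    if [ -f "$path" ]; then
        return 0
    fi
    echo "WARNING: defaults file $path missing; init script may start tac_plus with -d" >&2
    return 1
}

# audit_running_tacplus
# Inspects live tac_plus processes; returns 0 when none of them runs with -d.
audit_running_tacplus() {
    rc=0
    for pid in $(pgrep -x tac_plus 2>/dev/null); do
        cmdline=$(ps -o args= -p "$pid")
        if levels=$(has_debug_flag "$cmdline"); then
            echo "WARNING: tac_plus pid $pid runs with debug enabled: $cmdline" >&2
            echo "$levels" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: ./tacplus_audit.sh --audit [defaults-file]
# Exit status 0 means the defaults file exists and no daemon runs with -d.
if [ "${1:-}" = "--audit" ]; then
    status=0
    check_defaults_file "${2:-/etc/default/tac_plus}" || status=1
    audit_running_tacplus || status=1
    exit $status
fi
```

Run it from cron or a config-management check on the TACACS+ host; a non-zero exit is the signal that the daemon is back in debug mode and the log file needs to be treated as containing credentials.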