[tac_plus] Regarding of an issue on tac_plus

Mon Dec 21 22:38:26 UTC 2015

Fri, Dec 18, 2015 at 05:21:09AM +0000, Wallance Hou:
> Hi,
> 
> Thanks very much for your response. Actually, I configured tacacs+ accounting on SRX550 and Extreme Summit 450A and the same error log as below, btw the cisco devices always work perfectly. Doesn't it have any way to fix this issue or in newest tac_plus version?
> 
> Fri Dec 18 03:04:01 2015 [14830]: Error 123.1.2.24: acct minimum payload: 177, got: 54

Well, I do not know without understanding what your device is sending.
I believe that the packet debugging would output enough information to
determine if the device is omitting something or mangling the request.
If its mangling it, then the daemon is doing the right thing.

Either way, the correct fix is fixing whatever isnt following the tacacs
protocol draft.

> Thanks.
> Wallance Hou
> ITTE Infrastructure Ops
> wallance.hou at ericsson.com
> Phone: 887 29303
> 
> -----Original Message-----
> From: heasley [mailto:heas at shrubbery.net] 
> Sent: Friday, December 18, 2015 5:38 AM
> To: Wallance Hou
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] Regarding of an issue on tac_plus
> 
> Thu, Dec 17, 2015 at 10:22:04AM +0000, Wallance Hou:
> > Dear tac_plus Support,
> > 
> > I am using tac_plus(tacacs+-F4.0.4.26-1.proserve .el5.x86_64.rpm) with AAA service for my network. But it shown the below error when I configured accounting to tacacs server on Juniper and Extreme device. Would you kindly give me some advice? I appreciate it very much for your kindly feedback.
> > 
> > Thu Dec 17 18:07:49 2015 [13839]: Error 123.1.1.23: acct minimum 
> > payload: 258, got: 106
> 
> An accounting record has a strict format and clearly an accounting record was sent to the tacacs daemon that did not meet the requirements, too little in this case.  assuming its from a network device, rather than a probe from the internet, the device sending the record has a bug or the packet was damaged in flight.
> 
> junos does not do tacacs account, afaik.  so, the extreme has a bug or a packet was mangled in flight.  the daemon supports debug options to dump packets, etc to syslog.