[tac_plus] Nokia IPSO Firewall to TACACS+

Asif Iqbal vadud3 at gmail.com
Thu Jun 11 18:37:51 UTC 2015


I have this setup on the tacacs+ side, but the user is failing to authenticate.

group = ipso_admin {
    service = nokia-ipso {
        Nokia-IPSO-User-Role = "adminRole"
        Nokia-IPSO-SuperUser-Access = 1
    }
}

user = foo {
    login = PAM
    member = ipso_admin
}


I am seeing these logs. I am not sure where it is getting the ``admin''
login.


Thu Jun 11 16:22:28 2015 [8107]: connect from mpls-vrrp.example.net [192.168.100.33]
Thu Jun 11 16:22:28 2015 [8107]: login query for 'admin' General from mpls-vrrp.example.net rejected
Thu Jun 11 16:22:28 2015 [8107]: login failure: admin mpls-vrrp.example.net (192.168.100.33) General
Thu Jun 11 16:24:51 2015 [11142]: session.peerip is 192.168.100.33
Thu Jun 11 16:24:51 2015 [14004]: connect from mpls-vrrp.example.net [192.168.100.33]
Thu Jun 11 16:24:53 2015 [14004]: login query for 'foo' General from mpls-vrrp.example.net rejected
Thu Jun 11 16:24:53 2015 [14004]: login failure: foo mpls-vrrp.example.net (192.168.100.33) General
Thu Jun 11 16:25:05 2015 [11142]: session.peerip is 192.168.100.33
Thu Jun 11 16:25:05 2015 [14653]: connect from mpls-vrrp.example.net [192.168.100.33]
Thu Jun 11 16:25:06 2015 [14653]: login query for 'foo' General from mpls-vrrp.example.net rejected
Thu Jun 11 16:25:06 2015 [14653]: login failure: foo mpls-vrrp.example.net (192.168.100.33) General
Thu Jun 11 16:29:43 2015 [11142]: session.peerip is 192.168.100.33
Thu Jun 11 16:29:43 2015 [26878]: connect from mpls-vrrp.example.net [192.168.100.33]
Thu Jun 11 16:29:53 2015 [26878]: mpls-vrrp.example.net General: fd 2 eof (connection closed)
Thu Jun 11 16:29:53 2015 [26878]: Read -1 bytes from mpls-vrrp.example.net General, expecting 12
Thu Jun 11 16:29:53 2015 [26878]: Error mpls-vrrp.example.net General: Null reply packet, expecting CONTINUE
Thu Jun 11 16:30:19 2015 [11142]: session.peerip is 192.168.100.33
Thu Jun 11 16:30:19 2015 [28716]: connect from mpls-vrrp.example.net [192.168.100.33]
Thu Jun 11 16:30:19 2015 [28716]: login query for 'admin' General from mpls-vrrp.example.net rejected
Thu Jun 11 16:30:19 2015 [28716]: login failure: admin mpls-vrrp.example.net (192.168.100.33) General
Thu Jun 11 16:33:37 2015 [11142]: session.peerip is 192.168.100.33
Thu Jun 11 16:33:37 2015 [4462]: connect from mpls-vrrp.example.net [192.168.100.33]
Thu Jun 11 16:33:37 2015 [4462]: login query for 'admin' General from mpls-vrrp.example.net rejected
Thu Jun 11 16:33:37 2015 [4462]: login failure: admin mpls-vrrp.example.net (192.168.100.33) General
Thu Jun 11 16:48:21 2015 [11142]: session.peerip is 192.168.100.33
Thu Jun 11 16:48:21 2015 [4278]: connect from mpls-vrrp.example.net [192.168.100.33]
Thu Jun 11 16:48:21 2015 [4278]: login query for 'admin' General from mpls-vrrp.example.net rejected
Thu Jun 11 16:48:21 2015 [4278]: login failure: admin mpls-vrrp.example.net (192.168.100.33) General
Thu Jun 11 17:10:21 2015 [11142]: session.peerip is 192.168.100.33
Thu Jun 11 17:10:21 2015 [7781]: connect from mpls-vrrp.example.net [192.168.100.33]
Thu Jun 11 17:10:31 2015 [7781]: login query for 'foo' General from mpls-vrrp.example.net rejected
Thu Jun 11 17:10:31 2015 [7781]: login failure: foo mpls-vrrp.example.net (192.168.100.33) General
Thu Jun 11 17:10:33 2015 [11142]: session.peerip is 192.168.100.33
Thu Jun 11 17:10:33 2015 [7999]: connect from mpls-vrrp.example.net [192.168.100.33]
Thu Jun 11 17:10:42 2015 [7999]: mpls-vrrp.example.net General: fd 2 eof (connection closed)
Thu Jun 11 17:10:42 2015 [7999]: Read -1 bytes from mpls-vrrp.example.net General, expecting 12
Thu Jun 11 17:10:42 2015 [7999]: Error mpls-vrrp.example.net General: Null reply packet, expecting CONTINUE
Thu Jun 11 17:10:42 2015 [7999]: Error mpls-vrrp.example.net General: Password change aborted.
Thu Jun 11 17:10:42 2015 [7999]: login query for 'foo' General from mpls-vrrp.example.net rejected
Thu Jun 11 17:10:42 2015 [7999]: login failure: foo mpls-vrrp.example.net (192.168.100.33) General


The Nokia IPSO firewall guys are saying this:

Tried authentication again this morning, no luck. Again my firewalls are
dropping the packet for being out of TCP state, errors similar to this:

TCP packet out of state: Unexpected post SYN packet - RST or SYN expected
tcp_flags: ACK

That seems to align with "Read -1 bytes from mpls-vrrp.example.net
General, expecting 12"?

Any suggestion on how to get a successful authentication? The firewall sshd is
doing TACACS+ authentication only, no command authorization. Maybe I
need a cmd = * { permit .* }? Or just default service = permit and no cmd
clause?

-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
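As an added example (not code from the post or from tac_plus itself), a small Python parser that groups the daemon log lines quoted above by child PID and tells apart connections the server rejected from those the client closed before the CONTINUE packet arrived, which is the symptom a firewall dropping out-of-state packets would produce. The sample lines are constructed to mirror the post; PIDs, hosts and timestamps are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the tac_plus daemon log format quoted in the post
# (timestamps, PIDs and hosts are made up to mirror it, not real data).
SAMPLE_LOG = """\
Thu Jun 11 16:22:28 2015 [8107]: connect from mpls-vrrp.example.net [192.168.100.33]
Thu Jun 11 16:22:28 2015 [8107]: login query for 'admin' General from mpls-vrrp.example.net rejected
Thu Jun 11 16:22:28 2015 [8107]: login failure: admin mpls-vrrp.example.net (192.168.100.33) General
Thu Jun 11 16:29:43 2015 [26878]: connect from mpls-vrrp.example.net [192.168.100.33]
Thu Jun 11 16:29:53 2015 [26878]: mpls-vrrp.example.net General: fd 2 eof (connection closed)
Thu Jun 11 16:29:53 2015 [26878]: Read -1 bytes from mpls-vrrp.example.net General, expecting 12
Thu Jun 11 16:29:53 2015 [26878]: Error mpls-vrrp.example.net General: Null reply packet, expecting CONTINUE
Thu Jun 11 17:10:31 2015 [7781]: login query for 'foo' General from mpls-vrrp.example.net rejected
Thu Jun 11 17:10:31 2015 [7781]: login failure: foo mpls-vrrp.example.net (192.168.100.33) General
"""

# "<timestamp> [<pid>]: <message>"; tac_plus forks one child per connection,
# so the PID is the natural session key.
LINE_RE = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} \[(?P<pid>\d+)\]: (?P<msg>.*)$")
QUERY_RE = re.compile(r"login query for '(?P<user>[^']+)' \S+ from (?P<host>\S+) (?P<result>\w+)")

def sessions_by_pid(text):
    """Group message bodies by child PID, preserving line order."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sessions[m["pid"]].append(m["msg"])
    return sessions

def classify(text):
    """Return {pid: (user, outcome)}: outcome is the server's verdict
    ('rejected'/'accepted'), 'aborted' if the socket closed before the
    CONTINUE packet arrived, else 'unknown'."""
    verdicts = {}
    for pid, msgs in sessions_by_pid(text).items():
        user, outcome = None, "unknown"
        for msg in msgs:
            q = QUERY_RE.search(msg)
            if q:
                user, outcome = q["user"], q["result"]
            elif "expecting CONTINUE" in msg and outcome == "unknown":
                outcome = "aborted"   # eof mid-exchange, no verdict reached
        verdicts[pid] = (user, outcome)
    return verdicts

def rejected_by_user(text):
    """Count rejected logins per username, e.g. to spot a name nobody typed."""
    return dict(Counter(u for u, o in classify(text).values() if o == "rejected"))
```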

