[tac_plus] Nokia IPSO Firewall to TACACS+
heasley
heas at shrubbery.net
Thu Jun 11 21:58:08 UTC 2015
Thu, Jun 11, 2015 at 02:37:51PM -0400, Asif Iqbal:
> I have this setup on tacacs+ side, but user failing to authenticate.
>
> group = ipso_admin {
>     service = nokia-ipso {
>         Nokia-IPSO-User-Role = "adminRole"
>         Nokia-IPSO-SuperUser-Access = 1
>     }
> }
>
> user = foo {
>     login = PAM
>     member = ipso_admin
> }
>
>
> I am seeing these logs. I am not sure where it is getting the ``admin''
> login.
>
>
> Thu Jun 11 16:22:28 2015 [8107]: connect from mpls-vrrp.example.net
> [192.168.100.33]
> Nokia IPSO firewall guys saying this
>
> Tried authentication again this morning, no luck. Again my firewalls are
> dropping the packet for being out of TCP state, errors similar to this:
>
> TCP packet out of state: Unexpected post SYN packet - RST or SYN expected
> tcp_flags: ACK
>
> That seems to align with "Read -1 bytes from mpls-vrrp.example.net
> General, expecting 12" ?
I can't say; it appears there were successful connections there. The error
above really just means a premature disconnection.
> Any suggestion how to get a successful authentication? Firewall sshd is
> doing the TACACS+ authentication only, no command authorization. Maybe I
> need a cmd = * { permit .* } ? or just default service = permit and no cmd
> clause?
I suggest trying:
user = DEFAULT {
    default service = permit
}
and try authen / author debugging to see more info about the reason for the
denied login.
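As an added example (not part of the thread or of tac_plus itself), the following script picks out the "premature disconnection" pattern discussed above from tac_plus log lines: a "connect from" followed by a "Read -1 bytes ... expecting 12" for the same pid means the client closed the TCP session before even the fixed 12-byte TACACS+ header arrived, which is what a stateful firewall dropping the session would look like from the server side. The log lines, host names and addresses in SAMPLE_LOG are constructed for this example and the exact format of the "Read -1 bytes" line is assumed from the quote in the thread.

```python
import re
from collections import defaultdict

# Constructed sample of tac_plus log lines in the style quoted in the thread
# (hosts, pids and timestamps are made up for this example).
SAMPLE_LOG = """\
Thu Jun 11 16:22:28 2015 [8107]: connect from mpls-vrrp.example.net [192.168.100.33]
Thu Jun 11 16:22:28 2015 [8107]: Read -1 bytes from mpls-vrrp.example.net General, expecting 12
Thu Jun 11 16:22:31 2015 [8110]: connect from mpls-vrrp.example.net [192.168.100.33]
Thu Jun 11 16:22:31 2015 [8110]: Read -1 bytes from mpls-vrrp.example.net General, expecting 12
Thu Jun 11 16:23:02 2015 [8115]: connect from core-rtr.example.net [192.168.100.7]
Thu Jun 11 16:23:02 2015 [8115]: login query for 'bob' from core-rtr.example.net accepted
"""

CONNECT_RE = re.compile(
    r"^(?P<ts>.+?) \[(?P<pid>\d+)\]: connect from (?P<host>\S+) \[(?P<ip>[^\]]+)\]$")
# Assumed shape of the short-read message ("Read -1 bytes from <host> ..., expecting <n>").
SHORT_READ_RE = re.compile(
    r"^(?P<ts>.+?) \[(?P<pid>\d+)\]: Read -1 bytes from (?P<host>\S+) .*expecting (?P<want>\d+)$")


def premature_disconnects(log_text):
    """Return {client_ip: count} of sessions closed before tac_plus could read
    the 12-byte TACACS+ packet header. Each tac_plus child logs with its own pid,
    so a 'connect from' and a later 'Read -1 bytes' with the same pid belong to
    the same TCP session."""
    pending = {}                # pid -> client ip of a connection still open
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            pending[m.group("pid")] = m.group("ip")
            continue
        m = SHORT_READ_RE.match(line)
        # expecting 12 == not a single byte of the fixed-size header was received
        if m and m.group("pid") in pending and m.group("want") == "12":
            counts[pending.pop(m.group("pid"))] += 1
    return dict(counts)


def noisy_clients(log_text, threshold=2):
    """Clients with at least `threshold` header-less disconnects; these point at
    the network path (e.g. a firewall dropping the session) rather than at the
    tac_plus user/group configuration."""
    return sorted(ip for ip, n in premature_disconnects(log_text).items() if n >= threshold)


if __name__ == "__main__":
    print(premature_disconnects(SAMPLE_LOG))
    print(noisy_clients(SAMPLE_LOG))
```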