[tac_plus] Nokia IPSO Firewall to TACACS+
Alan McKinnon
alan.mckinnon at gmail.com
Thu Jun 11 19:46:45 UTC 2015
On 11/06/2015 20:37, Asif Iqbal wrote:
> I have this setup on the tacacs+ side, but the user is failing to authenticate.
>
> group = ipso_admin {
>     service = nokia-ipso {
>         Nokia-IPSO-User-Role = "adminRole"
>         Nokia-IPSO-SuperUser-Access = 1
>     }
> }
>
> user = foo {
>     login = PAM
>     member = ipso_admin
> }
>
>
> I am seeing these logs. I am not sure where it is getting the ``admin''
> login.
My hunch tells me the device is sending it, perhaps as some kind of
default username configuration? The tacacs server is receiving an admin
login as the first thing, before the daemon has taken any action at all.
>
>
> Thu Jun 11 16:22:28 2015 [8107]: connect from mpls-vrrp.example.net
> [192.168.100.33]
> Thu Jun 11 16:22:28 2015 [8107]: login query for 'admin' General from
> mpls-vrrp.example.net rejected
> Thu Jun 11 16:22:28 2015 [8107]: login failure: admin mpls-vrrp.example.net
> (192.168.100.33) General
> Thu Jun 11 16:24:51 2015 [11142]: session.peerip is 192.168.100.33
> Thu Jun 11 16:24:51 2015 [14004]: connect from mpls-vrrp.example.net
> [192.168.100.33]
> Thu Jun 11 16:24:53 2015 [14004]: login query for 'foo' General from
> mpls-vrrp.example.net rejected
> Thu Jun 11 16:24:53 2015 [14004]: login failure: foo mpls-vrrp.example.net
> (192.168.100.33) General
> Thu Jun 11 16:25:05 2015 [11142]: session.peerip is 192.168.100.33
> Thu Jun 11 16:25:05 2015 [14653]: connect from mpls-vrrp.example.net
> [192.168.100.33]
> Thu Jun 11 16:25:06 2015 [14653]: login query for 'foo' General from
> mpls-vrrp.example.net rejected
> Thu Jun 11 16:25:06 2015 [14653]: login failure: foo mpls-vrrp.example.net
> (192.168.100.33) General
> Thu Jun 11 16:29:43 2015 [11142]: session.peerip is 192.168.100.33
> Thu Jun 11 16:29:43 2015 [26878]: connect from mpls-vrrp.example.net
> [192.168.100.33]
> Thu Jun 11 16:29:53 2015 [26878]: mpls-vrrp.example.net General: fd 2 eof
> (connection closed)
> Thu Jun 11 16:29:53 2015 [26878]: Read -1 bytes from mpls-vrrp.example.net
> General, expecting 12
> Thu Jun 11 16:29:53 2015 [26878]: Error mpls-vrrp.example.net General: Null
> reply packet, expecting CONTINUE
> Thu Jun 11 16:30:19 2015 [11142]: session.peerip is 192.168.100.33
> Thu Jun 11 16:30:19 2015 [28716]: connect from mpls-vrrp.example.net
> [192.168.100.33]
> Thu Jun 11 16:30:19 2015 [28716]: login query for 'admin' General from
> mpls-vrrp.example.net rejected
> Thu Jun 11 16:30:19 2015 [28716]: login failure: admin mpls-vrrp.example.net
> (192.168.100.33) General
> Thu Jun 11 16:33:37 2015 [11142]: session.peerip is 192.168.100.33
> Thu Jun 11 16:33:37 2015 [4462]: connect from mpls-vrrp.example.net
> [192.168.100.33]
> Thu Jun 11 16:33:37 2015 [4462]: login query for 'admin' General from
> mpls-vrrp.example.net rejected
> Thu Jun 11 16:33:37 2015 [4462]: login failure: admin mpls-vrrp.example.net
> (192.168.100.33) General
> Thu Jun 11 16:48:21 2015 [11142]: session.peerip is 192.168.100.33
> Thu Jun 11 16:48:21 2015 [4278]: connect from mpls-vrrp.example.net
> [192.168.100.33]
> Thu Jun 11 16:48:21 2015 [4278]: login query for 'admin' General from
> mpls-vrrp.example.net rejected
> Thu Jun 11 16:48:21 2015 [4278]: login failure: admin mpls-vrrp.example.net
> (192.168.100.33) General
> Thu Jun 11 17:10:21 2015 [11142]: session.peerip is 192.168.100.33
> Thu Jun 11 17:10:21 2015 [7781]: connect from mpls-vrrp.example.net
> [192.168.100.33]
> Thu Jun 11 17:10:31 2015 [7781]: login query for 'foo' General from
> mpls-vrrp.example.net rejected
> Thu Jun 11 17:10:31 2015 [7781]: login failure: foo mpls-vrrp.example.net
> (192.168.100.33) General
> Thu Jun 11 17:10:33 2015 [11142]: session.peerip is 192.168.100.33
> Thu Jun 11 17:10:33 2015 [7999]: connect from mpls-vrrp.example.net
> [192.168.100.33]
> Thu Jun 11 17:10:42 2015 [7999]: mpls-vrrp.example.net General: fd 2 eof
> (connection closed)
> Thu Jun 11 17:10:42 2015 [7999]: Read -1 bytes from mpls-vrrp.example.net
> General, expecting 12
> Thu Jun 11 17:10:42 2015 [7999]: Error mpls-vrrp.example.net General: Null
> reply packet, expecting CONTINUE
> Thu Jun 11 17:10:42 2015 [7999]: Error mpls-vrrp.example.net General:
> Password change aborted.
> Thu Jun 11 17:10:42 2015 [7999]: login query for 'foo' General from
> mpls-vrrp.example.net rejected
> Thu Jun 11 17:10:42 2015 [7999]: login failure: foo mpls-vrrp.example.net
> (192.168.100.33) General
>
>
> The Nokia IPSO firewall guys are saying this:
>
> Tried authentication again this morning, no luck. Again my firewalls are
> dropping the packet for being out of TCP state, errors similar to this:
>
> TCP packet out of state: Unexpected post SYN packet - RST or SYN expected
> tcp_flags: ACK
>
> That seems to align with "Read -1 bytes from mpls-vrrp.example.net
> General, expecting 12" ?
>
> Any suggestion on how to get a successful authentication? The firewall sshd is
> doing TACACS+ authentication only, no command authorization. Maybe I
> need a cmd = * { permit .* } ? Or just default service = permit and no cmd
> clause?
>
You don't need any specific cmd authorizations for authentication to
work. Normally, permitting the correct service is enough to at least see
in the tacacs logs that authentication succeeded. Of course to do
anything useful thereafter, you do need authorization, but that is step 2.
Do your Nokia docs say anything about what it expects from tacacs?
--
Alan McKinnon
alan.mckinnon at gmail.com
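As an added example (not part of the thread), a small Python summarizer for tac_plus log lines of the shape quoted above: it counts "login failure" entries per user and source IP, counts sessions that ended with "Null reply packet, expecting CONTINUE" (the NAS closing the connection before the password step, which is what the out-of-state TCP drops on the firewall would produce), and flags failing usernames that have no entry in the tac_plus config, which is how the unexplained 'admin' attempts surface. The sample lines are constructed from the thread's own log output, re-joined where the mail wrapped them.

```python
import re
from collections import Counter

# Constructed sample built from the log lines quoted in the thread,
# re-joined where the mail client wrapped them.
SAMPLE_LOG = """\
Thu Jun 11 16:22:28 2015 [8107]: connect from mpls-vrrp.example.net [192.168.100.33]
Thu Jun 11 16:22:28 2015 [8107]: login query for 'admin' General from mpls-vrrp.example.net rejected
Thu Jun 11 16:22:28 2015 [8107]: login failure: admin mpls-vrrp.example.net (192.168.100.33) General
Thu Jun 11 16:24:53 2015 [14004]: login query for 'foo' General from mpls-vrrp.example.net rejected
Thu Jun 11 16:24:53 2015 [14004]: login failure: foo mpls-vrrp.example.net (192.168.100.33) General
Thu Jun 11 16:29:53 2015 [26878]: Read -1 bytes from mpls-vrrp.example.net General, expecting 12
Thu Jun 11 16:29:53 2015 [26878]: Error mpls-vrrp.example.net General: Null reply packet, expecting CONTINUE
Thu Jun 11 16:30:19 2015 [28716]: login query for 'admin' General from mpls-vrrp.example.net rejected
Thu Jun 11 16:30:19 2015 [28716]: login failure: admin mpls-vrrp.example.net (192.168.100.33) General
"""

# Common prefix (timestamp and [pid]); one pattern per event of interest.
PREFIX = r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) \[(?P<pid>\d+)\]: "
RE_FAILURE = re.compile(
    PREFIX + r"login failure: (?P<user>\S+) (?P<host>\S+) \((?P<ip>[\d.]+)\) (?P<port>\S+)$")
RE_ABORT = re.compile(
    PREFIX + r"Error (?P<host>\S+) (?P<port>\S+): Null reply packet, expecting CONTINUE$")

def summarize(log_text, expected_users):
    """Return (failures, aborted, unexpected): failures is a Counter keyed by
    (user, ip); aborted counts per NAS the sessions closed before the password
    CONTINUE arrived; unexpected lists failing users absent from expected_users."""
    failures, aborted = Counter(), Counter()
    for line in log_text.splitlines():
        m = RE_FAILURE.match(line)
        if m:
            failures[(m["user"], m["ip"])] += 1
            continue
        m = RE_ABORT.match(line)
        if m:
            aborted[m["host"]] += 1
    # A user the NAS keeps sending that tac_plus has no entry for (e.g. a
    # device-side default account) shows up here.
    unexpected = sorted({u for u, _ in failures} - set(expected_users))
    return failures, aborted, unexpected

if __name__ == "__main__":
    failures, aborted, unexpected = summarize(SAMPLE_LOG, {"foo"})
    for (user, ip), n in failures.most_common():
        print(f"{n} rejected login(s) for {user!r} from {ip}")
    for host, n in aborted.items():
        print(f"{n} session(s) from {host} closed before CONTINUE (check TCP state on the path)")
    print("users missing from tac_plus config:", unexpected)
```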