[tac_plus] Nokia IPSO Firewall to TACACS+

Asif Iqbal vadud3 at gmail.com
Fri Jun 12 02:14:56 UTC 2015


On Thu, Jun 11, 2015 at 2:37 PM, Asif Iqbal <vadud3 at gmail.com> wrote:

> I have this setup on tacacs+ side, but user failing to authenticate.
>
> group = ipso_admin {
>     service = nokia-ipso {
>         Nokia-IPSO-User-Role = "adminRole"
>         Nokia-IPSO-SuperUser-Access = 1
>     }
> }
>
> user = foo {
>     login = PAM
>     member = ipso_admin
> }
>
>
> I am seeing these logs. I am not sure where it is getting the 'admin'
> login.
>
>
> Thu Jun 11 16:22:28 2015 [8107]: connect from mpls-vrrp.example.net
> [192.168.100.33]
> Thu Jun 11 16:22:28 2015 [8107]: login query for 'admin' General from
> mpls-vrrp.example.net rejected
> Thu Jun 11 16:22:28 2015 [8107]: login failure: admin
> mpls-vrrp.example.net (192.168.100.33) General
> Thu Jun 11 16:24:51 2015 [11142]: session.peerip is 192.168.100.33
> Thu Jun 11 16:24:51 2015 [14004]: connect from mpls-vrrp.example.net
> [192.168.100.33]
> Thu Jun 11 16:24:53 2015 [14004]: login query for 'foo' General from
> mpls-vrrp.example.net rejected
> Thu Jun 11 16:24:53 2015 [14004]: login failure: foo mpls-vrrp.example.net
> (192.168.100.33) General
> Thu Jun 11 16:25:05 2015 [11142]: session.peerip is 192.168.100.33
> Thu Jun 11 16:25:05 2015 [14653]: connect from mpls-vrrp.example.net
> [192.168.100.33]
> Thu Jun 11 16:25:06 2015 [14653]: login query for 'foo' General from
> mpls-vrrp.example.net rejected
> Thu Jun 11 16:25:06 2015 [14653]: login failure: foo mpls-vrrp.example.net
> (192.168.100.33) General
> Thu Jun 11 16:29:43 2015 [11142]: session.peerip is 192.168.100.33
> Thu Jun 11 16:29:43 2015 [26878]: connect from mpls-vrrp.example.net
> [192.168.100.33]
> Thu Jun 11 16:29:53 2015 [26878]: mpls-vrrp.example.net General: fd 2 eof
> (connection closed)
> Thu Jun 11 16:29:53 2015 [26878]: Read -1 bytes from mpls-vrrp.example.net
> General, expecting 12
> Thu Jun 11 16:29:53 2015 [26878]: Error mpls-vrrp.example.net General:
> Null reply packet, expecting CONTINUE
> Thu Jun 11 16:30:19 2015 [11142]: session.peerip is 192.168.100.33
> Thu Jun 11 16:30:19 2015 [28716]: connect from mpls-vrrp.example.net
> [192.168.100.33]
> Thu Jun 11 16:30:19 2015 [28716]: login query for 'admin' General from
> mpls-vrrp.example.net rejected
> Thu Jun 11 16:30:19 2015 [28716]: login failure: admin
> mpls-vrrp.example.net (192.168.100.33) General
> Thu Jun 11 16:33:37 2015 [11142]: session.peerip is 192.168.100.33
> Thu Jun 11 16:33:37 2015 [4462]: connect from mpls-vrrp.example.net
> [192.168.100.33]
> Thu Jun 11 16:33:37 2015 [4462]: login query for 'admin' General from
> mpls-vrrp.example.net rejected
> Thu Jun 11 16:33:37 2015 [4462]: login failure: admin
> mpls-vrrp.example.net (192.168.100.33) General
> Thu Jun 11 16:48:21 2015 [11142]: session.peerip is 192.168.100.33
> Thu Jun 11 16:48:21 2015 [4278]: connect from mpls-vrrp.example.net
> [192.168.100.33]
> Thu Jun 11 16:48:21 2015 [4278]: login query for 'admin' General from
> mpls-vrrp.example.net rejected
> Thu Jun 11 16:48:21 2015 [4278]: login failure: admin
> mpls-vrrp.example.net (192.168.100.33) General
> Thu Jun 11 17:10:21 2015 [11142]: session.peerip is 192.168.100.33
> Thu Jun 11 17:10:21 2015 [7781]: connect from mpls-vrrp.example.net
> [192.168.100.33]
> Thu Jun 11 17:10:31 2015 [7781]: login query for 'foo' General from
> mpls-vrrp.example.net rejected
> Thu Jun 11 17:10:31 2015 [7781]: login failure: foo mpls-vrrp.example.net
> (192.168.100.33) General
> Thu Jun 11 17:10:33 2015 [11142]: session.peerip is 192.168.100.33
> Thu Jun 11 17:10:33 2015 [7999]: connect from mpls-vrrp.example.net
> [192.168.100.33]
> Thu Jun 11 17:10:42 2015 [7999]: mpls-vrrp.example.net General: fd 2 eof
> (connection closed)
> Thu Jun 11 17:10:42 2015 [7999]: Read -1 bytes from mpls-vrrp.example.net
> General, expecting 12
> Thu Jun 11 17:10:42 2015 [7999]: Error mpls-vrrp.example.net General:
> Null reply packet, expecting CONTINUE
> Thu Jun 11 17:10:42 2015 [7999]: Error mpls-vrrp.example.net General:
> Password change aborted.
> Thu Jun 11 17:10:42 2015 [7999]: login query for 'foo' General from
> mpls-vrrp.example.net rejected
> Thu Jun 11 17:10:42 2015 [7999]: login failure: foo mpls-vrrp.example.net
> (192.168.100.33) General
>
>
> Nokia IPSO firewall guys saying this
>
> Tried authentication again this morning, no luck. Again my firewalls are
> dropping the packet for being out of TCP state, errors similar to this:
>
> TCP packet out of state: Unexpected post SYN packet - RST or SYN expected
> tcp_flags: ACK
>
> That seems to align with "Read -1 bytes from mpls-vrrp.example.net
> General, expecting 12"?
>
> Any suggestion how to get a successful authentication? Firewall sshd is
> doing the TACACS+ authentication only, no command authorization. Maybe I
> need a cmd = * { permit .* }? Or just default service = permit and no cmd
> clause?
>
>

The firewall team reported successful T+ authentication to me, and the
RST was related to some NAT misconfiguration.

I have not made any change on my original config which followed the doc on
Nokia IPSO TACACS+ config, provided by our firewall team.

Thanks a lot for your help!


-- 
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
>
>


-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
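Two of the log messages in the thread are worth being able to tell apart mechanically, because they point at different causes. "login query ... rejected" is the daemon's own verdict on a credential; "Read -1 bytes ..., expecting 12" followed by "Null reply packet, expecting CONTINUE" means the client hung up while the daemon was waiting for the next 12-byte TACACS+ header, which is a transport problem (here, the NAT issue the firewall team found), not a policy one. The script below is an added example, not code from tac_plus or from the poster: it decodes the 12-byte header as laid out in RFC 8907 (the same layout tac_plus reads), and it groups tac_plus log lines by daemon PID so that a session which lost its connection is reported as "client_closed" even when a trailing "rejected" line follows. The sample log is constructed to match the shape of the quoted lines, and the header bytes are constructed, not captured.

```python
"""Decode a TACACS+ header and triage tac_plus log lines by session.

Added example; not tac_plus project code. SAMPLE_LOG is constructed to
mirror the shape of the lines quoted in the thread, and the header bytes
built by build_tacacs_header() are constructed, not captured traffic.
"""
import re
import struct
from collections import Counter

# RFC 8907 TACACS+ header: version(1) type(1) seq_no(1) flags(1)
# session_id(4) length(4) = 12 bytes. The daemon's "expecting 12" means it
# was trying to read this header when the peer closed the TCP connection.
TACACS_HEADER_LEN = 12
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_AUTHOR = 0x02
TAC_PLUS_ACCT = 0x03
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_MAJOR_VER = 0xC  # major version 12, top nibble of the version byte


def build_tacacs_header(ptype, seq_no, flags, session_id, body_len, minor=0):
    """Pack a header (constructed test data; no body is attached)."""
    version = (TAC_PLUS_MAJOR_VER << 4) | (minor & 0x0F)
    return struct.pack("!BBBBII", version, ptype, seq_no, flags, session_id, body_len)


def header_is_complete(data: bytes) -> bool:
    """True when at least a full 12-byte header has been read."""
    return len(data) >= TACACS_HEADER_LEN


def parse_tacacs_header(data: bytes) -> dict:
    """Decode the 12-byte header; raise the same complaint the daemon logs."""
    if not header_is_complete(data):
        raise ValueError(f"Read {len(data)} bytes, expecting {TACACS_HEADER_LEN}")
    version, ptype, seq_no, flags, session_id, body_len = struct.unpack(
        "!BBBBII", data[:TACACS_HEADER_LEN])
    return {
        "major": version >> 4,
        "minor": version & 0x0F,
        "type": ptype,
        "seq_no": seq_no,
        "unencrypted": bool(flags & TAC_PLUS_UNENCRYPTED_FLAG),
        "session_id": session_id,
        "body_len": body_len,
    }


# "Thu Jun 11 16:22:28 2015 [8107]: <message>"; the PID is the per-session
# child, so grouping on it reassembles one client connection.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[(?P<pid>\d+)\]: (?P<msg>.*)$")
REJECT_RE = re.compile(r"login query for '(?P<user>[^']*)' .* rejected$")


def classify(msg: str) -> tuple:
    """Map one log message to an event kind (and username, if any)."""
    m = REJECT_RE.search(msg)
    if m:
        return ("rejected", m.group("user"))
    if "Read -1 bytes" in msg or "Null reply packet" in msg:
        return ("client_closed", None)  # peer closed mid-dialogue: transport, not policy
    if msg.startswith("connect from"):
        return ("connect", None)
    return ("other", None)


def diagnose(log_text: str) -> dict:
    """Count per-session outcomes: client_closed beats a trailing 'rejected'."""
    events = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.setdefault(m.group("pid"), []).append(classify(m.group("msg")))
    outcomes = Counter()
    for evs in events.values():
        kinds = {k for k, _ in evs}
        if "client_closed" in kinds:
            outcomes["client_closed"] += 1
        elif "rejected" in kinds:
            user = next(u for k, u in evs if k == "rejected")
            outcomes[f"rejected:{user}"] += 1
    return dict(outcomes)


# Constructed sample: three sessions in the same shape as the quoted log.
SAMPLE_LOG = """\
Thu Jun 11 16:22:28 2015 [8107]: connect from mpls-vrrp.example.net [192.168.100.33]
Thu Jun 11 16:22:28 2015 [8107]: login query for 'admin' General from mpls-vrrp.example.net rejected
Thu Jun 11 16:22:28 2015 [8107]: login failure: admin mpls-vrrp.example.net (192.168.100.33) General
Thu Jun 11 16:24:51 2015 [11142]: session.peerip is 192.168.100.33
Thu Jun 11 16:24:51 2015 [14004]: connect from mpls-vrrp.example.net [192.168.100.33]
Thu Jun 11 16:24:53 2015 [14004]: login query for 'foo' General from mpls-vrrp.example.net rejected
Thu Jun 11 17:10:33 2015 [7999]: connect from mpls-vrrp.example.net [192.168.100.33]
Thu Jun 11 17:10:42 2015 [7999]: mpls-vrrp.example.net General: fd 2 eof (connection closed)
Thu Jun 11 17:10:42 2015 [7999]: Read -1 bytes from mpls-vrrp.example.net General, expecting 12
Thu Jun 11 17:10:42 2015 [7999]: Error mpls-vrrp.example.net General: Null reply packet, expecting CONTINUE
Thu Jun 11 17:10:42 2015 [7999]: login query for 'foo' General from mpls-vrrp.example.net rejected
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
    print(parse_tacacs_header(build_tacacs_header(TAC_PLUS_AUTHEN, 1, 0, 0x12345678, 40)))
```

Run it against a real tac_plus log and a count dominated by "client_closed" says to look at the path between the NAS and the server (state tables, NAT, timeouts) before touching the group or user stanzas; a count of "rejected:admin" where no such user is configured says to check which username the NAS is actually sending.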