[tac_plus] accounting logging question

Thu Oct 22 15:52:55 UTC 2015

Please let me know if you need more information. When I try to log
accounting packets so I can capture what commands were run on the HP switch
I receive an error in my tacacs log. Below is information which hopefully
you will find useful.

Please let me know if you have any ideas why it isn't logging the commands
in my tacacs log.

I have attached my tacacs config and the relevant config on my HP switch. I
have also attached some of the log from the tacacs application

Hi, I am running tacacs F4.0.4.28 on Red Hat 7.1 I have tacacs running on
an HP 7510

cat /etc/redhat-release

CentOS Linux release 7.1.1503 (Core)

Thu Oct 22 11:11:08 2015 [13661]: Reading config

Thu Oct 22 11:11:08 2015 [13661]: Version F4.0.4.28 Initialized 1

Thu Oct 22 11:11:08 2015 [13661]: tac_plus server F4.0.4.28 starting

Thu Oct 22 11:11:08 2015 [13662]: Backgrounded

Thu Oct 22 11:11:08 2015 [13663]: socket FD 0 AF 2

Thu Oct 22 11:11:08 2015 [13663]: uid=0 euid=0 gid=0 egid=0 s=36031184

From /var/log/tac_plus.log

Thu Oct 22 11:21:10 2015 [13726]: Error 10.89.64.17: acct minimum payload:
198, got: 188
I am using tacacs to authenticate to an HP Switch

<7thFloorHP-Bertha>dis version

HP Comware Platform Software

Comware Software, Version 5.20.105, Release 6708P10

Copyright (c) 2010-2015 Hewlett-Packard Development Company, L.P.

Thank you,
Eric

*Eric Freeman*
Technical Director/NA for TBWA\Chiat\Day

TBWA\Chiat\Day New York
488 Madison Ave.
New York NY 10022
United States of America
Tel: +12128041324

Twitter: @tbwachiatny <http://www.twitter.com/tbwachiatny>
http://www.tbwachiatdayny.com/

-- 

This e-mail is intended only for the named person or entity to which it is addressed and contains valuable business information that is privileged, confidential and/or otherwise protected from disclosure. If you received this e-mail in error, any review, use, dissemination, distribution or copying of this e-mail is strictly prohibited. Please notify us immediately of the error via e-mail to disclaimer at email-abuse.com and please delete the e-mail from your system, retaining no copies in any media. We appreciate your cooperation.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20151022/79ff06d3/attachment.html>
-------------- next part --------------
key=""
accounting file = /var/log/tac_pluscct.log
acl = XXXX {
        permit = $
        deny = .*
}
group = XXXX {
        default service = permit
        acl = XXXX
        login = 
}
user = XXXX {
        member = XXXX
login = 
}
user = XXXX {
login = 
service = shell {
}
}
user = XXXX {
login = 
service = shell {
}
}
user = rancid {
login = 
service = shell {
}
}
##### ENABLE PASSWORD!
user =  {
login = 
}
user =  {
login = 
}

hwtacacs scheme tacacs
 primary authentication 10.89.68.20
 secondary authentication 10.89.4.7
 primary accounting 10.89.68.20
 key authentication cipher 
 user-name-format without-domain

domain tacacs
 authentication default hwtacacs-scheme tacacs local
 authorization default none
 accounting default hwtacacs-scheme tacacs local
 access-limit disable
 state active   
 idle-cut disable
 self-service-url disable
 accounting optional

Thu Oct 22 11:11:08 2015 [13661]: Reading config
Thu Oct 22 11:11:08 2015 [13661]: Version F4.0.4.28 Initialized 1
Thu Oct 22 11:11:08 2015 [13661]: tac_plus server F4.0.4.28 starting
Thu Oct 22 11:11:08 2015 [13662]: Backgrounded
Thu Oct 22 11:11:08 2015 [13663]: socket FD 0 AF 2
Thu Oct 22 11:11:08 2015 [13663]: uid=0 euid=0 gid=0 egid=0 s=36031184hu Oct 22 11:15:54 2015 [13709]: connect from 10.89.64.17 [10.89.64.17]
Thu Oct 22 11:15:54 2015 [13709]: login query for 'efreeman' port vty1 from 10.89.64.17 ac
cepted
Thu Oct 22 11:15:54 2015 [13710]: connect from 10.89.64.17 [10.89.64.17]
Thu Oct 22 11:15:54 2015 [13710]: Error 10.89.64.17: acct minimum payload: 71, got: 68
Thu Oct 22 11:16:00 2015 [13711]: connect from 10.89.64.17 [10.89.64.17]
Thu Oct 22 11:16:00 2015 [13711]: enable query for 'efreeman' unknown from 10.89.64.17 acc
epted