From Kevin.Cruse at Instinet.com Fri Jul 1 13:16:40 2016 From: Kevin.Cruse at Instinet.com (Kevin.Cruse at Instinet.com) Date: Fri, 1 Jul 2016 09:16:40 -0400 Subject: [tac_plus] tacacs account log not capturing all authentication attempts Message-ID: I have noticed that some authentication attempts do not get logged in tacacs_account log. For example, we have some non cisco terminal servers, corvils and ciscoworks devices that are configured to authenticate with tacacs. Authentication is working and I can verify the users are hitting tacacs as a packet capture proves it. However, despite users getting authenticated when I check the account log for their ID's, source IP, etc. I see nothing. This seems to be either a bug or misconfiguration. Has anyone encountered this? accounting file = /var/log/tacacs/tacacs_accounting.log ----------------------------------------------------------------- Kevin Cruse US Networks Instinet LLC 309 West 49th Street New York, NY 10019 US kevin.cruse at instinet.com 212-310-4734 ========================================================================================================= <<<< Disclaimer >>>> This message is intended solely for use by the named addressee(s). If you receive this transmission in error, please immediately notify the sender and destroy this message in its entirety, whether in electronic or hard copy format. Any unauthorized use (and reliance thereon), copying, disclosure, retention, or distribution of this transmission or the material in this transmission is forbidden. We reserve the right to monitor and archive electronic communications. This material does not constitute an offer or solicitation with respect to the purchase or sale of any security. It should not be construed to contain any recommendation regarding any security or strategy. Any views expressed are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. This communication is provided on an ?as is? basis. It contains material that is owned by Instinet Incorporated, its subsidiaries or its or their licensors, and may not, in whole or in part, be (i) copied, photocopied or duplicated in any form, by any means, or (ii) redistributed, posted, published, excerpted, or quoted without Instinet Incorporated's prior written consent. Please access the following link for important information and instructions: http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt Securities products and services are provided by locally registered brokerage subsidiaries of Instinet Incorporated: Instinet Australia Pty Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the Australian Securities & Investments Commission; Instinet Canada Limited, member IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by the Securities and Futures Commission of Hong Kong; Instinet Singapore Services Private Limited, regulated by the Monetary Authority of Singapore, trading member of The Singapore Exchange Securities Trading Private Limited and clearing member of The Central Depository (Pte) Limited; and Instinet, LLC, member SIPC. ========================================================================================================= -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 27285940.gif Type: image/gif Size: 4077 bytes Desc: not available URL: From heas at shrubbery.net Fri Jul 1 14:30:21 2016 From: heas at shrubbery.net (heasley) Date: Fri, 1 Jul 2016 14:30:21 +0000 Subject: [tac_plus] tacacs account log not capturing all authentication attempts In-Reply-To: References: Message-ID: <20160701143021.GB44580@shrubbery.net> Fri, Jul 01, 2016 at 09:16:40AM -0400, Kevin.Cruse at Instinet.com: > I have noticed that some authentication attempts do not get logged in > tacacs_account log. For example, we have some non cisco terminal servers, > corvils and ciscoworks devices that are configured to authenticate with > tacacs. Authentication is working and I can verify the users are hitting > tacacs as a packet capture proves it. However, despite users getting > authenticated when I check the account log for their ID's, source IP, etc. > I see nothing. This seems to be either a bug or misconfiguration. Has > anyone encountered this? > > > accounting file = /var/log/tacacs/tacacs_accounting.log this is accounting records only and those are produced by the devices and sent to tacacs. auth succes/failure will go to syslog. logging = daemon From Kevin.Cruse at Instinet.com Tue Jul 5 13:37:49 2016 From: Kevin.Cruse at Instinet.com (Kevin.Cruse at Instinet.com) Date: Tue, 5 Jul 2016 09:37:49 -0400 Subject: [tac_plus] tacacs account log not capturing all authentication attempts In-Reply-To: <20160701143021.GB44580@shrubbery.net> References: <20160701143021.GB44580@shrubbery.net> Message-ID: is there other option than sending to syslog? ----------------------------------------------------------------- Kevin Cruse US Networks Instinet LLC 309 West 49th Street New York, NY 10019 US kevin.cruse at instinet.com 212-310-4734 From: heasley To: Kevin.Cruse at Instinet.com, Cc: tac_plus at shrubbery.net Date: 07/01/2016 10:30 AM Subject: Re: [tac_plus] tacacs account log not capturing all authentication attempts Fri, Jul 01, 2016 at 09:16:40AM -0400, Kevin.Cruse at Instinet.com: > I have noticed that some authentication attempts do not get logged in > tacacs_account log. For example, we have some non cisco terminal servers, > corvils and ciscoworks devices that are configured to authenticate with > tacacs. Authentication is working and I can verify the users are hitting > tacacs as a packet capture proves it. However, despite users getting > authenticated when I check the account log for their ID's, source IP, etc. > I see nothing. This seems to be either a bug or misconfiguration. Has > anyone encountered this? > > > accounting file = /var/log/tacacs/tacacs_accounting.log this is accounting records only and those are produced by the devices and sent to tacacs. auth succes/failure will go to syslog. logging = daemon ========================================================================================================= <<<< Disclaimer >>>> This message is intended solely for use by the named addressee(s). If you receive this transmission in error, please immediately notify the sender and destroy this message in its entirety, whether in electronic or hard copy format. Any unauthorized use (and reliance thereon), copying, disclosure, retention, or distribution of this transmission or the material in this transmission is forbidden. We reserve the right to monitor and archive electronic communications. This material does not constitute an offer or solicitation with respect to the purchase or sale of any security. It should not be construed to contain any recommendation regarding any security or strategy. Any views expressed are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. This communication is provided on an ?as is? basis. It contains material that is owned by Instinet Incorporated, its subsidiaries or its or their licensors, and may not, in whole or in part, be (i) copied, photocopied or duplicated in any form, by any means, or (ii) redistributed, posted, published, excerpted, or quoted without Instinet Incorporated's prior written consent. Please access the following link for important information and instructions: http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt Securities products and services are provided by locally registered brokerage subsidiaries of Instinet Incorporated: Instinet Australia Pty Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the Australian Securities & Investments Commission; Instinet Canada Limited, member IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by the Securities and Futures Commission of Hong Kong; Instinet Singapore Services Private Limited, regulated by the Monetary Authority of Singapore, trading member of The Singapore Exchange Securities Trading Private Limited and clearing member of The Central Depository (Pte) Limited; and Instinet, LLC, member SIPC. ========================================================================================================= -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 28154471.gif Type: image/gif Size: 4077 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: graycol.gif Type: image/gif Size: 105 bytes Desc: not available URL: From heas at shrubbery.net Tue Jul 5 21:36:50 2016 From: heas at shrubbery.net (heasley) Date: Tue, 5 Jul 2016 21:36:50 +0000 Subject: [tac_plus] tacacs account log not capturing all authentication attempts In-Reply-To: References: <20160701143021.GB44580@shrubbery.net> Message-ID: <20160705213650.GC55150@shrubbery.net> Tue, Jul 05, 2016 at 09:37:49AM -0400, Kevin.Cruse at Instinet.com: > > is there other option than sending to syslog? no; it creates a blocking operation as multiple processes open/write the file. with debugging enabled, msgs are also written to TACPLUS_LOGFILE, as defined in pathsl.h.