From jdtemplet at gmail.com Thu Nov 2 22:05:06 2017
From: jdtemplet at gmail.com (James Templet)
Date: Thu, 2 Nov 2017 17:05:06 -0500
Subject: [tac_plus] Comprehensive Configuration Guide

I wrote a comprehensive configuration guide for the pro-bono version of
tac_plus (uses mavis instead of PAM) because I felt like the existing
guides were inadequate.

I realize the Shrubbery Networks vanilla version is configured somewhat
differently, but I thought some people might find the information helpful.
Please see the link below.

https://askubuntu.com/questions/970137/how-do-you-configure-a-tacacs-server-on-ubuntu-16-04-authenticating-against-act

Disregard if you don't think this is helpful.

Any feedback is welcomed. Maybe I'll put together a similar guide for the
Shrubbery Networks version.

-James

From daniel.schmidt at wyo.gov Fri Nov 3 16:17:20 2017
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Fri, 3 Nov 2017 10:17:20 -0600
Subject: [tac_plus] Comprehensive Configuration Guide

"Many older IOS versions (especially any version <12.2) will not work with
a TACACS+ server that sends additional attributes"

With do_auth and after authentication, this is addressed. Shrubbery
tac_plus + do_auth suffers from obscurity for some reason, which is a shame
as it works quite well.

--
E-Mail to and from me, in connection with the transaction of public
business, is subject to the Wyoming Public Records Act and may be disclosed
to third parties.

From daniel.schmidt at wyo.gov Mon Nov 6 18:40:03 2017
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Mon, 6 Nov 2017 11:40:03 -0700
Subject: [tac_plus] Brocade Fabric OS

A long shot, but......

brcd-role seems to work fine for exec in Fabric OS. I get a role no
problem. I need a Chassis Role. The example is not at all right:

http://www.brocade.com/content/html/en/administration-guide/fos-740-admin/GUID-7A0B5B7E-8FDD-4E78-80FC-2B13A2ED767A.html

I've tried it six ways to Sunday, as shell, exec... can't get it to work.

From heas at shrubbery.net Mon Nov 6 19:20:44 2017
From: heas at shrubbery.net (heasley)
Date: Mon, 6 Nov 2017 19:20:44 +0000
Subject: [tac_plus] Brocade Fabric OS
Message-ID: <20171106192044.GM33825@shrubbery.net>

Mon, Nov 06, 2017 at 11:40:03AM -0700, Daniel Schmidt:
> A long shot, but......
>
> brcd-role seems to work fine for exec in Fabric OS. I get a role no
> problem. I need a Chassis Role. The example is not at all right:
>
> http://www.brocade.com/content/html/en/administration-guide/fos-740-admin/GUID-7A0B5B7E-8FDD-4E78-80FC-2B13A2ED767A.html
>
> I've tried it six ways to Sunday, as shell, exec... can't get it to work.

perhaps set them to optional? i've seen implementations that differentiate;
clearly they should not, but ...

From daniel.schmidt at wyo.gov Mon Nov 6 19:49:10 2017
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Mon, 6 Nov 2017 12:49:10 -0700
Subject: [tac_plus] Brocade Fabric OS
In-Reply-To: <20171106192044.GM33825@shrubbery.net>
References: <20171106192044.GM33825@shrubbery.net>

brcd-role will work with optional, but I can't seem to get ChassisRole to
work either way. Then again, I don't understand FabricOS at all - maybe I
need to create a chassis first or something. Thanks though.
From daniel.schmidt at wyo.gov Mon Nov 6 20:43:12 2017
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Mon, 6 Nov 2017 13:43:12 -0700
Subject: [tac_plus] Brocade Fabric OS
References: <20171106192044.GM33825@shrubbery.net>

I finally got it, after spending more time than I would like to admit.
HomeLF needs to be 128, because I don't understand what it is yet.
brcd-role can be optional. brcd-AV-Pair1 and 2 do not appear to work as
optional.

service = exec {
    brcd-role = admin
    brcd-AV-Pair1 = "homeLF=128;LFRoleList=admin: 1,3,4;securityAdmin:5,6"
    brcd-AV-Pair2 = "chassisRole=admin"
}

Commas in an av pair. The one delimiter that I thought I could count on
never being in an av pair. When I get time, I will write a fix for do_auth.

Also, I finally implemented netaddr to support / notation. Not sure if
anybody besides me uses it anymore though.
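The comma problem Daniel describes, as an added example (my code, not do_auth's or tac_plus's): a splitter for a line of AV pairs that treats a double-quoted value as one token, shown next to the naive split, plus a renderer that writes the pairs back as a tac_plus service stanza, using the `*` operator for an optional attribute as heasley and Daniel discuss. It assumes the pairs are listed comma-separated on one line, which is the delimiter Daniel says do_auth relied on; the sample line is constructed from the Brocade values above.

```python
"""Comma-aware splitting of a TACACS+ AV-pair line (added example, not
do_auth code).  Assumes the pairs are listed comma-separated on one line;
Brocade's brcd-AV-Pair values carry commas inside their quoted value, so a
naive split() shreds them into fragments that never reach the device intact.
"""
import re

# Constructed sample: the exec-service pairs from Daniel's message, on one
# comma-separated line as a do_auth-style config might carry them.
SAMPLE = ('brcd-role=admin, '
          'brcd-AV-Pair1="homeLF=128;LFRoleList=admin: 1,3,4;securityAdmin:5,6", '
          'brcd-AV-Pair2="chassisRole=admin"')


def split_naive(line):
    """The broken behaviour: every comma ends a pair (6 fragments for SAMPLE)."""
    return [p.strip() for p in line.split(',') if p.strip()]


def split_av_pairs(line):
    """Split on commas that are outside double quotes.

    Returns a list of (attribute, value) tuples with the quotes removed.
    Raises ValueError on an unterminated quote or a token without '=', so a
    malformed line fails closed instead of silently shipping a truncated
    attribute to the device.
    """
    tokens, buf, in_quote = [], [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote          # quotes delimit and are dropped
        elif ch == ',' and not in_quote:
            tokens.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    if in_quote:
        raise ValueError('unterminated quote in av_pairs: %r' % line)
    tokens.append(''.join(buf))

    pairs = []
    for tok in tokens:
        tok = tok.strip()
        if not tok:
            continue
        attr, sep, value = tok.partition('=')
        if not sep or not attr.strip():
            raise ValueError('not an attribute=value pair: %r' % tok)
        pairs.append((attr.strip(), value))
    return pairs


# Anything tac_plus.conf would not read back as a single bare word.
NEEDS_QUOTES = re.compile(r'[\s,;"=]')


def render_service(pairs, service='exec', optional=()):
    """Render pairs as a tac_plus.conf service stanza.

    Values holding whitespace or delimiters are double-quoted; attributes
    named in `optional` use tac_plus's '*' (optional) operator instead of
    '=' (mandatory), the knob heasley suggested trying.
    """
    lines = ['service = %s {' % service]
    for attr, value in pairs:
        if NEEDS_QUOTES.search(value):
            value = '"%s"' % value.replace('"', '\\"')
        op = '*' if attr in optional else '='
        lines.append('    %s %s %s' % (attr, op, value))
    lines.append('}')
    return '\n'.join(lines)


if __name__ == '__main__':
    print('naive split gives %d fragments' % len(split_naive(SAMPLE)))
    print(render_service(split_av_pairs(SAMPLE), optional=('brcd-role',)))
```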
From vadud3 at gmail.com Thu Nov 9 21:38:39 2017
From: vadud3 at gmail.com (Asif Iqbal)
Date: Thu, 9 Nov 2017 16:38:39 -0500
Subject: [tac_plus] TACACS+ config group syntax for Arbor

Hi All.

Anyone doing TACACS+ with Arbor? We can authenticate fine, but failing to
get into shell mode.

With -d 8 -d 16 I get the following log when I run the shell command, and
Arbor says "970: Command requires higher privilege"

Thu Nov 9 21:23:25 2017 [3079]: login query for 'iqbala' port tty?? from 192.168.1.100 accepted
Thu Nov 9 21:23:25 2017 [3113]: connect from 192.168.1.100 [192.168.1.100]
Thu Nov 9 21:23:25 2017 [3113]: Start authorization request
Thu Nov 9 21:23:25 2017 [3113]: do_author: user='iqbala'
Thu Nov 9 21:23:25 2017 [3113]: user 'iqbala' found
Thu Nov 9 21:23:25 2017 [3113]: svc=N_svc protocol= not found, denied by default
Thu Nov 9 21:23:25 2017 [3113]: authorization query for 'iqbala' login from 192.168.1.100 rejected
Thu Nov 9 21:23:25 2017 [3122]: connect from 192.168.1.100 [192.168.1.100]
Thu Nov 9 21:23:25 2017 [3122]: Start authorization request
Thu Nov 9 21:23:25 2017 [3122]: do_author: user='iqbala'
Thu Nov 9 21:23:25 2017 [3122]: user 'iqbala' found
Thu Nov 9 21:23:25 2017 [3122]: svc=N_svc protocol= not found, denied by default
Thu Nov 9 21:23:25 2017 [3122]: authorization query for 'iqbala' login from 192.168.1.100 rejected

Appreciate any help!

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

From heas at shrubbery.net Thu Nov 9 23:42:51 2017
From: heas at shrubbery.net (heasley)
Date: Thu, 9 Nov 2017 23:42:51 +0000
Subject: [tac_plus] TACACS+ config group syntax for Arbor
Message-ID: <20171109234251.GR67214@shrubbery.net>

Thu, Nov 09, 2017 at 04:38:39PM -0500, Asif Iqbal:
> Hi All.
>
> Anyone doing TACACS+ with Arbor? We can authenticate fine, but failing to
> get into shell mode.
>
> With -d 8 -d 16 I get the following log when I run the shell command, and
> Arbor says "970: Command requires higher privilege"
>
> Thu Nov 9 21:23:25 2017 [3079]: login query for 'iqbala' port tty?? from 192.168.1.100 accepted
> Thu Nov 9 21:23:25 2017 [3113]: connect from 192.168.1.100 [192.168.1.100]
> Thu Nov 9 21:23:25 2017 [3113]: Start authorization request
> Thu Nov 9 21:23:25 2017 [3113]: do_author: user='iqbala'
> Thu Nov 9 21:23:25 2017 [3113]: user 'iqbala' found
> Thu Nov 9 21:23:25 2017 [3113]: svc=N_svc protocol= not found, denied by default

enable the packet dump debug to see what service the device is sending.
you don't have that service in the config so it's going to the default.
From vadud3 at gmail.com Fri Nov 10 00:25:36 2017
From: vadud3 at gmail.com (Asif Iqbal)
Date: Thu, 9 Nov 2017 19:25:36 -0500
Subject: [tac_plus] TACACS+ config group syntax for Arbor
In-Reply-To: <20171109234251.GR67214@shrubbery.net>
References: <20171109234251.GR67214@shrubbery.net>

This is all I get when doing debug like this and typing the ``shell''
command:

-d 8 -d 16 -d 32 -d 64 -d 128 -d 256 -d 512 -d 1024 -d 2048 -d 32768 -d 65536

Also set up default service = permit

Fri Nov 10 00:09:44 2017 [27585]: connect from 192.168.1.100 [192.168.1.100]
Fri Nov 10 00:09:45 2017 [27585]: login query for 'iqbala' port tty?? from 192.168.1.100 accepted
Fri Nov 10 00:09:45 2017 [27619]: connect from 192.168.1.100 [192.168.1.100]
Fri Nov 10 00:09:45 2017 [27619]: Start authorization request
Fri Nov 10 00:09:45 2017 [27619]: do_author: user='iqbala'
Fri Nov 10 00:09:45 2017 [27619]: user 'iqbala' found
Fri Nov 10 00:09:45 2017 [27619]: svc=N_svc protocol= svcname=arbor not found, permitted by default
Fri Nov 10 00:09:45 2017 [27619]: authorization query for 'iqbala' login from 192.168.1.100 accepted
Fri Nov 10 00:09:45 2017 [27630]: connect from 192.168.1.100 [192.168.1.100]
Fri Nov 10 00:09:45 2017 [27630]: Start authorization request
Fri Nov 10 00:09:45 2017 [27630]: do_author: user='iqbala'
Fri Nov 10 00:09:45 2017 [27630]: user 'iqbala' found
Fri Nov 10 00:09:45 2017 [27630]: svc=N_svc protocol= svcname=system not found, permitted by default
Fri Nov 10 00:09:45 2017 [27630]: authorization query for 'iqbala' login from 192.168.1.100 accepted

From vadud3 at gmail.com Fri Nov 10 00:54:26 2017
From: vadud3 at gmail.com (Asif Iqbal)
Date: Thu, 9 Nov 2017 19:54:26 -0500
Subject: [tac_plus] TACACS+ config group syntax for Arbor
References: <20171109234251.GR67214@shrubbery.net>

Found out I need to define a group, which needs to map to a group name
local to the Arbor appliance.

Fri Nov 10 00:42:49 2017 [29090]: connect from 192.168.1.100 [192.168.1.100]
Fri Nov 10 00:42:50 2017 [29090]: login query for 'iqbala' port tty?? from 192.168.1.100 accepted
Fri Nov 10 00:42:50 2017 [29114]: connect from 192.168.1.100 [192.168.1.100]
Fri Nov 10 00:42:50 2017 [29114]: Start authorization request
Fri Nov 10 00:42:50 2017 [29114]: do_author: user='iqbala'
Fri Nov 10 00:42:50 2017 [29114]: user 'iqbala' found
Fri Nov 10 00:42:50 2017 [29114]: nas:service=arbor (passed thru)
Fri Nov 10 00:42:50 2017 [29114]: nas:absent, server:arbor_group=arbor_admin -> add arbor_group=arbor_admin (k)
Fri Nov 10 00:42:50 2017 [29114]: added 1 args
Fri Nov 10 00:42:50 2017 [29114]: out_args[0] = service=arbor input copy discarded
Fri Nov 10 00:42:50 2017 [29114]: out_args[1] = arbor_group=arbor_admin compacted to out_args[0]
Fri Nov 10 00:42:50 2017 [29114]: 1 output args
Fri Nov 10 00:42:50 2017 [29114]: authorization query for 'iqbala' login from 192.168.1.100 accepted

group = ARBOR_ADMIN {
    service = arbor {
        arbor_group = arbor_admin
    }
}

Much closer now.
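Reading the debug output the way heasley suggests, as an added example (my code, not tac_plus's): a small parser for the authorization lines in this thread that lists every service the device asked for which fell through to the default rule, and a renderer for the group/service stanza Asif ended up with. The sample log lines are constructed from the ones posted above; the point it makes is that `default service = permit` only hides the missing stanza, and each service the device sends deserves its own entry so the default can stay deny.

```python
"""Find authorization requests that hit tac_plus's default rule (added
example, not tac_plus code).  A 'permitted by default' line means the
service is absent from the config and only `default service = permit` let
it through: the fix is an explicit service stanza, not a permissive default.
"""
import re

# Constructed sample, modelled on the lines posted in this thread.
SAMPLE_LOG = """\
Thu Nov  9 21:23:25 2017 [3113]: do_author: user='iqbala'
Thu Nov  9 21:23:25 2017 [3113]: user 'iqbala' found
Thu Nov  9 21:23:25 2017 [3113]: svc=N_svc protocol= not found, denied by default
Fri Nov 10 00:09:45 2017 [27619]: do_author: user='iqbala'
Fri Nov 10 00:09:45 2017 [27619]: svc=N_svc protocol= svcname=arbor not found, permitted by default
Fri Nov 10 00:09:45 2017 [27619]: authorization query for 'iqbala' login from 192.168.1.100 accepted
Fri Nov 10 00:09:45 2017 [27630]: do_author: user='iqbala'
Fri Nov 10 00:09:45 2017 [27630]: svc=N_svc protocol= svcname=system not found, permitted by default
Fri Nov 10 00:42:50 2017 [29114]: do_author: user='iqbala'
Fri Nov 10 00:42:50 2017 [29114]: nas:service=arbor (passed thru)
"""

# "Fri Nov 10 00:09:45 2017 [27619]: <message>"; the pid ties lines together.
LINE = re.compile(r'^\S+ \S+ +\d+ \S+ \d{4} \[(?P<pid>\d+)\]: (?P<msg>.*)$')
USER = re.compile(r"do_author: user='(?P<user>[^']*)'")
DEFAULTED = re.compile(
    r'svc=N_svc protocol=\S* (?:svcname=(?P<svc>\S+) )?'
    r'not found, (?P<verdict>permitted|denied) by default')


def defaulted_services(log_text):
    """Return {(user, svcname): 'permitted'|'denied'} for every authorization
    request that fell through to the default rule.  A line without svcname=
    (as in the first log in this thread) is reported as '<unnamed>'."""
    user_by_pid, found = {}, {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        pid, msg = m.group('pid'), m.group('msg')
        u = USER.search(msg)
        if u:
            user_by_pid[pid] = u.group('user')
            continue
        d = DEFAULTED.search(msg)
        if d:
            key = (user_by_pid.get(pid, '?'), d.group('svc') or '<unnamed>')
            found[key] = d.group('verdict')
    return found


def permitted_by_default(found):
    """The ones to worry about: services nobody configured but the default
    rule let through.  Each deserves its own stanza so the default can go
    back to deny."""
    return sorted(k for k, v in found.items() if v == 'permitted')


def render_group(group, services):
    """Write a tac_plus group with one service stanza per entry, e.g.
    render_group('ARBOR_ADMIN', {'arbor': {'arbor_group': 'arbor_admin'}})
    gives the stanza that made the Arbor shell work above."""
    lines = ['group = %s {' % group]
    for svc, attrs in services.items():
        lines.append('    service = %s {' % svc)
        for attr, val in attrs.items():
            lines.append('        %s = %s' % (attr, val))
        lines.append('    }')
    lines.append('}')
    return '\n'.join(lines)


if __name__ == '__main__':
    hits = defaulted_services(SAMPLE_LOG)
    for (user, svc), verdict in sorted(hits.items()):
        print('%-8s service=%-10s %s by default' % (user, svc, verdict))
    print(render_group('ARBOR_ADMIN', {'arbor': {'arbor_group': 'arbor_admin'}}))
```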
From rytaluv at gmail.com Tue Nov 14 14:27:26 2017
From: rytaluv at gmail.com (Ritah Mulinde)
Date: Tue, 14 Nov 2017 17:27:26 +0300
Subject: [tac_plus] No privilege prompt

Hello everyone

I have added my switch IP to my TACACS+ server conf file for AAA
authentication.

So far I have 2 switches added to the conf file tac_plus.conf with syntax

acl = default {
    permit = x\.x\.x\.x
    permit = y\.y\.y\.y
}

However, TACACS+ authentication only works perfectly with switch x.x.x.x,
but with y.y.y.y I manage to log in with the same user as used to log into
switch x.x.x.x but get a prompt with no privileges, yet the user has
privilege 15. Am I missing something? Is tac_plus.conf the only file where
I need to add the router IP, or is there another file?

From heas at shrubbery.net Tue Nov 14 21:17:07 2017
From: heas at shrubbery.net (heasley)
Date: Tue, 14 Nov 2017 21:17:07 +0000
Subject: [tac_plus] No privilege prompt
Message-ID: <20171114211706.GB54717@shrubbery.net>

Tue, Nov 14, 2017 at 05:27:26PM +0300, Ritah Mulinde:
> However, TACACS+ authentication only works perfectly with switch x.x.x.x,
> but with y.y.y.y I manage to log in with the same user as used to log into
> switch x.x.x.x but get a prompt with no privileges, yet the user has
> privilege 15. Am I missing something? Is tac_plus.conf the only file where
> I need to add the router IP, or is there another file?

the switch also requires configuration for the priv-lvl AVP to be accepted
from the tacacs server.

From rytaluv at gmail.com Wed Nov 15 13:34:55 2017
From: rytaluv at gmail.com (Ritah Mulinde)
Date: Wed, 15 Nov 2017 16:34:55 +0300
Subject: [tac_plus] deny syntax

Hello

In the tacacs+ conf file /etc/tac_plus.conf

What is the syntax to deny every other IP after permitting the ones you
need in an ACL?

From awentzell at gmail.com Wed Nov 15 14:12:07 2017
From: awentzell at gmail.com (Andrew Wentzell)
Date: Wed, 15 Nov 2017 09:12:07 -0500
Subject: [tac_plus] deny syntax

On Wed, Nov 15, 2017 at 8:34 AM, Ritah Mulinde wrote:
> Hello
>
> In the tacacs+ conf file /etc/tac_plus.conf
>
> What is the syntax to deny every other IP after permitting the ones you
> need in an ACL?

There is an implicit deny at the end of the ACL, but you can explicitly
define it like so:

deny = .*

From heas at shrubbery.net Thu Nov 16 00:34:48 2017
From: heas at shrubbery.net (heasley)
Date: Thu, 16 Nov 2017 00:34:48 +0000
Subject: [tac_plus] deny syntax
Message-ID: <20171116003447.GA43959@shrubbery.net>

Wed, Nov 15, 2017 at 04:34:55PM +0300, Ritah Mulinde:
> What is the syntax to deny every other IP after permitting the ones you
> need in an ACL?

deny ".*"

From andrew.villano at gmail.com Mon Nov 20 15:54:40 2017
From: andrew.villano at gmail.com (Andrew Villano)
Date: Mon, 20 Nov 2017 10:54:40 -0500
Subject: [tac_plus] Tac Plus Auth Error with IOS 16

I have a switch that I recently upgraded to IOS XE 16 (Everest) from 3.x.x.
It is the only switch that will not authenticate to tacacs. It does allow
local authentication and I do see traffic during those exchanges.
tac_plus.conf is set up to do file authentication from /etc/passwd.
This is the debug log I pulled during the failure:

Reading config
Version F4.0.4.28 Initialized 1
tac_plus server F4.0.4.28 starting
socket FD 4 AF 2
socket FD 5 AF 10
uid=0 euid=0 gid=0 egid=0 s=37962240
connect from cidf-06a.nyed.circ2.dcn [10.99.99.166]
cfg_get_hvalue: name=10.99.99.166 attr=key
cfg_get_hvalue: no host named 10.99.99.166
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
cfg_get_phvalue: returns NULL
cfg_get_value: name=rancid isuser=1 attr=login rec=1
cfg_get_value: recurse group = rancid
cfg_get_pvalue: returns NULL
cfg_get_value: name=rancid isuser=1 attr=login rec=1
cfg_get_value: recurse group = rancid
cfg_get_pvalue: returns NULL
cfg_get_value: name=rancid isuser=1 attr=nopassword rec=1
cfg_get_value: recurse group = rancid
cfg_get_intvalue: returns 0
cfg_get_value: name=rancid isuser=1 attr=login rec=1
cfg_get_value: recurse group = rancid
cfg_get_pvalue: returns NULL
cfg_get_hvalue: name=10.99.99.166 attr=key
cfg_get_hvalue: no host named 10.99.99.166
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
cfg_get_phvalue: returns NULL
cidf-06a.nyed.circ2.dcn tty2: fd 6 eof (connection closed)
Read -1 bytes from cidf-06a.nyed.circ2.dcn tty2, expecting 12
cidf-06a.nyed.circ2.dcn tty2: Null reply packet, expecting CONTINUE
connect from cidf-06a.nyed.circ2.dcn [10.99.99.166]
cfg_get_hvalue: name=10.99.99.166 attr=key
cfg_get_hvalue: no host named 10.99.99.166
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
cfg_get_phvalue: returns NULL
cfg_get_value: name=rancid isuser=1 attr=login rec=1
cfg_get_value: recurse group = rancid
cfg_get_pvalue: returns NULL
cfg_get_value: name=rancid isuser=1 attr=login rec=1
cfg_get_value: recurse group = rancid
cfg_get_pvalue: returns NULL
cfg_get_value: name=rancid isuser=1 attr=nopassword rec=1
cfg_get_value: recurse group = rancid
cfg_get_intvalue: returns 0
cfg_get_value: name=rancid isuser=1 attr=login rec=1
cfg_get_value: recurse group = rancid
cfg_get_pvalue: returns NULL
cfg_get_hvalue: name=10.99.99.166 attr=key
cfg_get_hvalue: no host named 10.99.99.166
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
cfg_get_phvalue: returns NULL
cidf-06a.nyed.circ2.dcn tty2: fd 6 eof (connection closed)
Read -1 bytes from cidf-06a.nyed.circ2.dcn tty2, expecting 12
cidf-06a.nyed.circ2.dcn tty2: Null reply packet, expecting CONTINUE
connect from cidf-06a.nyed.circ2.dcn [10.99.99.166]
cfg_get_hvalue: name=10.99.99.166 attr=key
cfg_get_hvalue: no host named 10.99.99.166
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
cfg_get_phvalue: returns NULL
cfg_get_value: name=rancid isuser=1 attr=login rec=1
cfg_get_value: recurse group = rancid
cfg_get_pvalue: returns NULL
cfg_get_value: name=rancid isuser=1 attr=login rec=1
cfg_get_value: recurse group = rancid
cfg_get_pvalue: returns NULL
cfg_get_value: name=rancid isuser=1 attr=nopassword rec=1
cfg_get_value: recurse group = rancid
cfg_get_intvalue: returns 0
cfg_get_value: name=rancid isuser=1 attr=login rec=1
cfg_get_value: recurse group = rancid
cfg_get_pvalue: returns NULL
cfg_get_hvalue: name=10.99.99.166 attr=key
cfg_get_hvalue: no host named 10.99.99.166
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
cfg_get_phvalue: returns NULL
cidf-06a.nyed.circ2.dcn tty2: fd 6 eof (connection closed)
Read -1 bytes from cidf-06a.nyed.circ2.dcn tty2, expecting 12
cidf-06a.nyed.circ2.dcn tty2: Null reply packet, expecting CONTINUE
connect from cidf-06a.nyed.circ2.dcn [10.99.99.166]   //successful connection//
cfg_get_hvalue: name=10.99.99.166 attr=key
cfg_get_hvalue: no host named 10.99.99.166
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
cfg_get_phvalue: returns NULL
cfg_get_value: name=root isuser=1 attr=login rec=1
cfg_get_value: recurse group = admins
cfg_get_pvalue: returns NULL
cfg_get_value: name=root isuser=1 attr=login rec=1
cfg_get_value: recurse group = admins
cfg_get_pvalue: returns NULL
cfg_get_value: name=root isuser=1 attr=nopassword rec=1
cfg_get_value: recurse group = admins
cfg_get_intvalue: returns 0
cfg_get_value: name=root isuser=1 attr=login rec=1
cfg_get_value: recurse group = admins
cfg_get_pvalue: returns NULL
cfg_get_hvalue: name=10.99.99.166 attr=key
cfg_get_hvalue: no host named 10.99.99.166
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
cfg_get_phvalue: returns NULL
cidf-06a.nyed.circ2.dcn tty2: fd 6 eof (connection closed)
Read -1 bytes from cidf-06a.nyed.circ2.dcn tty2, expecting 12
cidf-06a.nyed.circ2.dcn tty2: Null reply packet, expecting CONTINUE
connect from cidf-06a.nyed.circ2.dcn [10.99.99.166]
cfg_get_hvalue: name=10.99.99.166 attr=key
cfg_get_hvalue: no host named 10.99.99.166
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
cfg_get_phvalue: returns NULL
cfg_get_value: name=root isuser=1 attr=acl rec=1
cfg_get_value: recurse group = admins
cfg_get_pvalue: returns NULL
cfg_get_value: name=root isuser=1 attr=before rec=1
cfg_get_value: recurse group = admins
cfg_get_pvalue: returns NULL
cfg_get_svc_node: username=root N_svc_exec proto= svcname= rec=1
cfg_get_svc_node: recurse group = admins
cfg_get_svc_node: found N_svc_exec proto= svcname=
cfg_get_svc_node: username=root N_svc_exec proto= svcname= rec=1
cfg_get_svc_node: recurse group = admins
cfg_get_svc_node: found N_svc_exec proto= svcname=
cfg_get_value: name=root isuser=1 attr=after rec=1
cfg_get_value: recurse group = admins
cfg_get_pvalue: returns NULL
cfg_get_hvalue: name=10.99.99.166 attr=key
cfg_get_hvalue: no host named 10.99.99.166
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
cfg_get_phvalue: returns NULL

Debug from the Switch:

Nov 20 15:43:09.239: TPLUS: Client is not responding Forcefully closing the socket
Nov 20 15:43:09.240: TPLUS: Details of client session
Nov 20 15:43:09.240: Client PID : 502
Nov 20 15:43:09.240: Allocator PC : 0
Nov 20 15:43:09.240: Transaction Type : Authentication
Nov 20 15:43:09.240: Transaction Status : GET_PASSWORD
Nov 20 15:43:09.240: Service : none
Nov 20 15:43:09.240: Protocol : none
Nov 20 15:47:59.067: TPLUS(00000FCA) login timer stopped
Nov 20 15:47:59.067: TPLUS(00000FCA)/0/None: Started 120 sec timeout
Nov 20 15:48:02.055: TPLUS(00000FCA) login timer stopped
Nov 20 15:48:02.055: TPLUS(00000FCA)/1/None: Started 120 sec timeout
Nov 20 15:48:10.509: TPLUS: Ignore unknown socket 0
Nov 20 15:48:10.511: TPLUS: Ignore unknown socket 1
Nov 20 15:48:17.445: TPLUS(00000FCA)/1/IDLE/FF97E186F0: AAA id is not matching between 1 (00000000)
Nov 20 15:48:17.445: TPLUS(00000FCA) login timer stopped
Nov 20 15:48:17.445: TPLUS(00000000)/1/None: Timer Stoped
Nov 20 15:48:19.462: TPLUS(00000FCA) login timer stopped
Nov 20 15:48:19.462: TPLUS(00000FCA)/0/None: Started 120 sec timeout
Nov 20 15:48:50.072: TPLUS(00000FCB) login timer stopped
Nov 20 15:48:50.073: TPLUS: Invalid Client information received as input
Nov 20 15:48:59.169: TPLUS(00000FCB) login timer stopped
Nov 20 15:48:59.170: TPLUS: Invalid Client information received as input
Nov 20 15:49:19.976: TPLUS(00000FCC) login timer stopped
Nov 20 15:49:19.977: TPLUS: Invalid Client information received as input
Nov 20 15:49:27.798: TPLUS(00000FCC) login timer stopped
Nov 20 15:49:27.799: TPLUS: Invalid Client information received as input

Tac_plus.conf:

key = stuffgoeshere
default authentication = file /etc/passwd
accounting file = /var/log/tac_plus.acct

user = $enable$ {
    login = cleartext "blahblahblah"
}

user = rancid {
    member = rancid
}

user = root {
    member = admins
}

group = admins {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

group = rancid {
    default service = deny
    service = exec {
        priv-lvl = 15
    }
    cmd = write {
        permit .*
    }
    cmd = dir {
        permit .*
    }
    cmd = copy {
        permit running-config
    }
    cmd = show {
        permit .*
    }
    cmd = terminal {
        permit length
    }
    cmd=enable {
        permit .*
    }
    cmd=exit {
        permit .*
    }
    cmd = admin {
        permit .*
    }
    cmd = more {
        permit .*
    }
}

do_auth.conf:

[users]
root = vdxgroup
admin = vdxgroup
rancid = vdxgroup

[vdxgroup]
host_allow = .*
device_permit = .*
command_permit = .*
av_pairs = priv-lvl=15
    shell:roles="network-admin"

Thanks in Advance.

From daniel.schmidt at wyo.gov Mon Nov 20 21:21:53 2017
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Mon, 20 Nov 2017 14:21:53 -0700
Subject: [tac_plus] Tac Plus Auth Error with IOS 16

wild guess: try adding

pap = cleartext "blahblahblah"

On Mon, Nov 20, 2017 at 8:54 AM, Andrew Villano wrote:
> I have a switch that I recently upgraded to IOS XE 16 (Everest) from 3.x.x.
> It is the only switch that will not authenticate to tacacs. It does allow
> local authentication and I do see traffic during those exchanges.
> tac_plus.conf is set up to do file authentication from /etc/passwd.
> > This is the debug log I pulled during the failure: > > Reading config > Version F4.0.4.28 Initialized 1 > tac_plus server F4.0.4.28 starting > socket FD 4 AF 2 > socket FD 5 AF 10 > uid=0 euid=0 gid=0 egid=0 s=37962240 > connect from cidf-06a.nyed.circ2.dcn [10.99.99.166] > cfg_get_hvalue: name=10.99.99.166 attr=key > cfg_get_hvalue: no host named 10.99.99.166 > cfg_get_phvalue: returns NULL > cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt > cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn > cfg_get_phvalue: returns NULL > cfg_get_value: name=rancid isuser=1 attr=login rec=1 > cfg_get_value: recurse group = rancid > cfg_get_pvalue: returns NULL > cfg_get_value: name=rancid isuser=1 attr=login rec=1 > cfg_get_value: recurse group = rancid > cfg_get_pvalue: returns NULL > cfg_get_value: name=rancid isuser=1 attr=nopassword rec=1 > cfg_get_value: recurse group = rancid > cfg_get_intvalue: returns 0 > cfg_get_value: name=rancid isuser=1 attr=login rec=1 > cfg_get_value: recurse group = rancid > cfg_get_pvalue: returns NULL > cfg_get_hvalue: name=10.99.99.166 attr=key > cfg_get_hvalue: no host named 10.99.99.166 > cfg_get_phvalue: returns NULL > cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt > cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn > cfg_get_phvalue: returns NULL > cidf-06a.nyed.circ2.dcn tty2: fd 6 eof (connection closed) > Read -1 bytes from cidf-06a.nyed.circ2.dcn tty2, expecting 12 > cidf-06a.nyed.circ2.dcn tty2: Null reply packet, expecting CONTINUE > connect from cidf-06a.nyed.circ2.dcn [10.99.99.166] > cfg_get_hvalue: name=10.99.99.166 attr=key > cfg_get_hvalue: no host named 10.99.99.166 > cfg_get_phvalue: returns NULL > cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt > cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn > cfg_get_phvalue: returns NULL > cfg_get_value: name=rancid isuser=1 attr=login rec=1 > cfg_get_value: recurse group = rancid > cfg_get_pvalue: returns NULL > cfg_get_value: name=rancid 
isuser=1 attr=login rec=1 > cfg_get_value: recurse group = rancid > cfg_get_pvalue: returns NULL > cfg_get_value: name=rancid isuser=1 attr=nopassword rec=1 > cfg_get_value: recurse group = rancid > cfg_get_intvalue: returns 0 > cfg_get_value: name=rancid isuser=1 attr=login rec=1 > cfg_get_value: recurse group = rancid > cfg_get_pvalue: returns NULL > cfg_get_hvalue: name=10.99.99.166 attr=key > cfg_get_hvalue: no host named 10.99.99.166 > cfg_get_phvalue: returns NULL > cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt > cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn > cfg_get_phvalue: returns NULL > cidf-06a.nyed.circ2.dcn tty2: fd 6 eof (connection closed) > Read -1 bytes from cidf-06a.nyed.circ2.dcn tty2, expecting 12 > cidf-06a.nyed.circ2.dcn tty2: Null reply packet, expecting CONTINUE > connect from cidf-06a.nyed.circ2.dcn [10.99.99.166] > cfg_get_hvalue: name=10.99.99.166 attr=key > cfg_get_hvalue: no host named 10.99.99.166 > cfg_get_phvalue: returns NULL > cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt > cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn > cfg_get_phvalue: returns NULL > cfg_get_value: name=rancid isuser=1 attr=login rec=1 > cfg_get_value: recurse group = rancid > cfg_get_pvalue: returns NULL > cfg_get_value: name=rancid isuser=1 attr=login rec=1 > cfg_get_value: recurse group = rancid > cfg_get_pvalue: returns NULL > cfg_get_value: name=rancid isuser=1 attr=nopassword rec=1 > cfg_get_value: recurse group = rancid > cfg_get_intvalue: returns 0 > cfg_get_value: name=rancid isuser=1 attr=login rec=1 > cfg_get_value: recurse group = rancid > cfg_get_pvalue: returns NULL > cfg_get_hvalue: name=10.99.99.166 attr=key > cfg_get_hvalue: no host named 10.99.99.166 > cfg_get_phvalue: returns NULL > cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt > cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn > cfg_get_phvalue: returns NULL > cidf-06a.nyed.circ2.dcn tty2: fd 6 eof (connection closed) > Read -1 bytes from 
cidf-06a.nyed.circ2.dcn tty2, expecting 12 > cidf-06a.nyed.circ2.dcn tty2: Null reply packet, expecting CONTINUE > connect from cidf-06a.nyed.circ2.dcn [10.99.99.166] > > //successful connection// > > cfg_get_hvalue: name=10.99.99.166 attr=key > cfg_get_hvalue: no host named 10.99.99.166 > cfg_get_phvalue: returns NULL > cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt > cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn > cfg_get_phvalue: returns NULL > cfg_get_value: name=root isuser=1 attr=login rec=1 > cfg_get_value: recurse group = admins > cfg_get_pvalue: returns NULL > cfg_get_value: name=root isuser=1 attr=login rec=1 > cfg_get_value: recurse group = admins > cfg_get_pvalue: returns NULL > cfg_get_value: name=root isuser=1 attr=nopassword rec=1 > cfg_get_value: recurse group = admins > cfg_get_intvalue: returns 0 > cfg_get_value: name=root isuser=1 attr=login rec=1 > cfg_get_value: recurse group = admins > cfg_get_pvalue: returns NULL > cfg_get_hvalue: name=10.99.99.166 attr=key > cfg_get_hvalue: no host named 10.99.99.166 > cfg_get_phvalue: returns NULL > cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt > cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn > cfg_get_phvalue: returns NULL > cidf-06a.nyed.circ2.dcn tty2: fd 6 eof (connection closed) > Read -1 bytes from cidf-06a.nyed.circ2.dcn tty2, expecting 12 > cidf-06a.nyed.circ2.dcn tty2: Null reply packet, expecting CONTINUE > connect from cidf-06a.nyed.circ2.dcn [10.99.99.166] > cfg_get_hvalue: name=10.99.99.166 attr=key > cfg_get_hvalue: no host named 10.99.99.166 > cfg_get_phvalue: returns NULL > cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt > cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn > cfg_get_phvalue: returns NULL > cfg_get_value: name=root isuser=1 attr=acl rec=1 > cfg_get_value: recurse group = admins > cfg_get_pvalue: returns NULL > cfg_get_value: name=root isuser=1 attr=before rec=1 > cfg_get_value: recurse group = admins > cfg_get_pvalue: returns 
NULL > cfg_get_svc_node: username=root N_svc_exec proto= svcname= rec=1 > cfg_get_svc_node: recurse group = admins > cfg_get_svc_node: found N_svc_exec proto= svcname= > cfg_get_svc_node: username=root N_svc_exec proto= svcname= rec=1 > cfg_get_svc_node: recurse group = admins > cfg_get_svc_node: found N_svc_exec proto= svcname= > cfg_get_value: name=root isuser=1 attr=after rec=1 > cfg_get_value: recurse group = admins > cfg_get_pvalue: returns NULL > cfg_get_hvalue: name=10.99.99.166 attr=key > cfg_get_hvalue: no host named 10.99.99.166 > cfg_get_phvalue: returns NULL > cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt > cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn > cfg_get_phvalue: returns NULL > > > > Debug from the Switch: > > Nov 20 15:43:09.239: TPLUS: Client is not responding Forcefully closing the > socket > Nov 20 15:43:09.240: TPLUS: Details of client session > Nov 20 15:43:09.240: Client PID : 502 > Nov 20 15:43:09.240: Allocator PC : 0 > Nov 20 15:43:09.240: Transaction Type : Authentication > Nov 20 15:43:09.240: Transaction Status : GET_PASSWORD > Nov 20 15:43:09.240: Service : none > Nov 20 15:43:09.240: Protocol : none > Nov 20 15:47:59.067: TPLUS(00000FCA) login timer stopped > Nov 20 15:47:59.067: TPLUS(00000FCA)/0/None: Started 120 sec timeout > Nov 20 15:48:02.055: TPLUS(00000FCA) login timer stopped > Nov 20 15:48:02.055: TPLUS(00000FCA)/1/None: Started 120 sec timeout > Nov 20 15:48:10.509: TPLUS: Ignore unknown socket 0 > Nov 20 15:48:10.511: TPLUS: Ignore unknown socket 1 > Nov 20 15:48:17.445: TPLUS(00000FCA)/1/IDLE/FF97E186F0: AAA id is not > matching between 1 (00000000) > Nov 20 15:48:17.445: TPLUS(00000FCA) login timer stopped > Nov 20 15:48:17.445: TPLUS(00000000)/1/None: Timer Stoped > Nov 20 15:48:19.462: TPLUS(00000FCA) login timer stopped > Nov 20 15:48:19.462: TPLUS(00000FCA)/0/None: Started 120 sec timeout > Nov 20 15:48:50.072: TPLUS(00000FCB) login timer stopped > Nov 20 15:48:50.073: TPLUS: Invalid Client 
information received as input > Nov 20 15:48:59.169: TPLUS(00000FCB) login timer stopped > Nov 20 15:48:59.170: TPLUS: Invalid Client information received as input > Nov 20 15:49:19.976: TPLUS(00000FCC) login timer stopped > Nov 20 15:49:19.977: TPLUS: Invalid Client information received as input > Nov 20 15:49:27.798: TPLUS(00000FCC) login timer stopped > Nov 20 15:49:27.799: TPLUS: Invalid Client information received as input > > Tac_plus.conf: > > key = stuffgoeshere > default authentication = file /etc/passwd > accounting file = /var/log/tac\_plus.acct > > user = $enable$ { > login = cleartext "blahblahblah" > } > > user = rancid { > member = rancid > } > > user = root { > member = admins > } > > group = admins { > default service = permit > service = exec { > priv-lvl = 15 > } > } > > group = rancid { > default service = deny > service = exec { > priv-lvl = 15 > } > cmd = write { > permit .* > } > cmd = dir { > permit .* > } > cmd = copy { > permit running-config > } > cmd = show { > permit .* > } > cmd = terminal { > permit length > } > cmd=enable { > permit .* > } > cmd=exit { > permit .* > } > cmd = admin { > permit .* > } > cmd = more { > permit .* > } > } > > > do_auth.conf > [users] > > root = > vdxgroup > > admin = > vdxgroup > > rancid = > vdxgroup > > > > [vdxgroup] > host_allow = > .* > device_permit = > .* > command_permit = > .* > av_pairs = > priv-lvl=15 > > shell:roles="network-admin" > > > > > Thanks in Advance. > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: attachments/20171120/679ba8d7/attachment.html> > _______________________________________________ > tac_plus mailing list > tac_plus at shrubbery.net > http://www.shrubbery.net/mailman/listinfo/tac_plus > -- E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties. -------------- next part -------------- An HTML attachment was scrubbed... 
From heas at shrubbery.net Tue Nov 21 01:56:58 2017
From: heas at shrubbery.net (heasley)
Date: Tue, 21 Nov 2017 01:56:58 +0000
Subject: [tac_plus] Tac Plus Auth Error with IOS 16
In-Reply-To:
References:
Message-ID: <20171121015657.GG38448@shrubbery.net>

Mon, Nov 20, 2017 at 02:21:53PM -0700, Daniel Schmidt:
> wild guess:
>
> try adding pap = cleartext "blahblahblah"
>

yeah, or try it with -d 8 -d 256. find the service type, because this is weird:

> > Nov 20 15:43:09.240: TPLUS: Details of client session
> > Nov 20 15:43:09.240: Client PID : 502
> > Nov 20 15:43:09.240: Allocator PC : 0
> > Nov 20 15:43:09.240: Transaction Type : Authentication
> > Nov 20 15:43:09.240: Transaction Status : GET_PASSWORD
> > Nov 20 15:43:09.240: Service : none <<<<<<<<<<<<<<
> > Nov 20 15:43:09.240: Protocol : none
> > Nov 20 15:47:59.067: TPLUS(00000FCA) login timer stopped
> > Nov 20 15:47:59.067: TPLUS(00000FCA)/0/None: Started 120 sec timeout
                                     ^ wonder what the 0 is.

From andrew.villano at gmail.com Tue Nov 21 14:42:09 2017
From: andrew.villano at gmail.com (Andrew Villano)
Date: Tue, 21 Nov 2017 09:42:09 -0500
Subject: [tac_plus] Tac Plus Auth Error with IOS 16
In-Reply-To: <20171121015657.GG38448@shrubbery.net>
References: <20171121015657.GG38448@shrubbery.net>
Message-ID:

Removed -L since that was adding a bunch of noise.

Found something worth mentioning when adding -d256:

**client ip**: Illegal major version specified: found 97 wanted 192
**client ip**: disconnect

Rest of the Log:

session request from 10.99.99.166 sock=6
connect from 10.99.99.166 [10.99.99.166]
Waiting for packet
Read AUTHEN/START size=43
validation request from 10.99.99.166
PACKET: key=**tacacs key**
version 192 (0xc0), type 1, seq no 1, flags 0x1
session_id 453907388 (0x1b0e13bc), Data length 31 (0x1f)
End header
type=AUTHEN/START, priv_lvl = 1
action=login
authen_type=ascii
service=login
user_len=6 port_len=4 (0x4), rem_addr_len=13 (0xd) data_len=0
User: rancid
port: tty3
rem_addr: **client ip**
data:
End packet
Authen Start request
choose_authen chose default_fn
Calling authentication function
Writing AUTHEN/GETPASS size=28
PACKET: key=**tacacs key**
version 192 (0xc0), type 1, seq no 2, flags 0x1
session_id 453907388 (0x1b0e13bc), Data length 16 (0x10)
End header
type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
msg_len=10, data_len=0
msg: Password:
data:
End packet
Waiting for packet

Turned on debug aaa authentication and debug tacacs authentication:

Nov 21 14:36:49.113: TPLUS(00000FE0)/1/READ/FF96035DF8: timed out
Nov 21 14:36:49.113: TPLUS: Authentication start packet created for 4064(rancid)
Nov 21 14:36:49.113: TPLUS(00000FE0)/1/READ/FF96035DF8: timed out, clean up
Nov 21 14:36:49.113: TPLUS(00000FE0) login timer stopped
Nov 21 14:36:49.113: TPLUS(00000FE0)/1/FF96035DF8: Processing the reply packet
Nov 21 14:36:49.114: TPLUS: Invalid Client information received as input
Nov 21 14:36:52.119: AAA/AUTHEN/LOGIN (00000FE0): Pick method list 'default'
Nov 21 14:36:52.120: TPLUS: Queuing AAA Authentication request 4064 for processing
Nov 21 14:36:52.120: TPLUS(00000FE0) login timer started 1020 sec timeout
Nov 21 14:36:52.120: TPLUS: processing authentication start request id 4064
Nov 21 14:36:52.120: TPLUS: Authentication start packet created for 4064(rancid)
Nov 21 14:36:52.121: TPLUS: Using server **tacacs server**
Nov 21 14:36:52.122: TPLUS(00000FE0)/1/NB_WAIT/FF97B1F858: Started 5 sec timeout
Nov 21 14:36:52.125: TPLUS(00000FE0)/1/NB_WAIT: socket event 2
Nov 21 14:36:52.126: TPLUS(00000FE0)/1/NB_WAIT: wrote entire 43 bytes request
Nov 21 14:36:52.126: TPLUS(00000FE0)/1/READ: socket event 1
Nov 21 14:36:52.127: TPLUS(00000FE0)/1/READ: Would block while reading
Nov 21 14:36:57.122: TPLUS(00000FE0)/1/READ/FF97B1F858: timed out
Nov 21 14:36:57.122: TPLUS: Authentication start packet created for 4064(rancid)
Nov 21 14:36:57.123: TPLUS(00000FE0)/1/READ/FF97B1F858: timed out, clean up
Nov 21 14:36:57.123: TPLUS(00000FE0) login timer stopped
Nov 21 14:36:57.123: TPLUS(00000FE0)/1/FF97B1F858: Processing the reply packet
Nov 21 14:36:57.124: TPLUS: Invalid Client information received as input

On Mon, Nov 20, 2017 at 8:56 PM, heasley wrote:

> Mon, Nov 20, 2017 at 02:21:53PM -0700, Daniel Schmidt:
> > wild guess:
> >
> > try adding pap = cleartext "blahblahblah"
> >
>
> yeah, or try it with -d 8 -d 256. find the service type, because this is weird:
>
> > > Nov 20 15:43:09.240: TPLUS: Details of client session
> > > Nov 20 15:43:09.240: Client PID : 502
> > > Nov 20 15:43:09.240: Allocator PC : 0
> > > Nov 20 15:43:09.240: Transaction Type : Authentication
> > > Nov 20 15:43:09.240: Transaction Status : GET_PASSWORD
> > > Nov 20 15:43:09.240: Service : none <<<<<<<<<<<<<<
> > > Nov 20 15:43:09.240: Protocol : none
> > > Nov 20 15:47:59.067: TPLUS(00000FCA) login timer stopped
> > > Nov 20 15:47:59.067: TPLUS(00000FCA)/0/None: Started 120 sec timeout
>                                      ^ wonder what the 0 is.
>
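The "Illegal major version specified: found 97 wanted 192" line in the message above comes from the check a TACACS+ server applies to the fixed 12-byte packet header before it touches the key-encrypted body: the high nibble of the first byte must be the major version 0xc (so the whole byte is 0xc0 for minor version 0, which is the 192 in the message). 97 is 0x61, the ASCII letter "a", so whatever was read from that socket did not begin with a TACACS+ header at all. The block below is an added example, not tac_plus code: it decodes the header fields per RFC 8907 section 4.1 using the constants and message wording the thread shows, rebuilds the AUTHEN/START header from the values in the -d256 dump (version 0xc0, type 1, seq no 1, flags 0x1, session_id 0x1b0e13bc, data length 0x1f), and runs the same check over a constructed non-TACACS+ byte string to reproduce the "found 97" error. The header bytes are constructed from the dump, not captured from the wire; the function names are mine.

```python
"""Decode and sanity-check the fixed TACACS+ packet header (RFC 8907 s.4.1).

Added example, not part of tac_plus. It applies the major-version check
that produces "Illegal major version specified: found N wanted 192" and
decodes the rest of the 12-byte header so a defender can tell real
TACACS+ traffic from something else arriving on the port.
"""
import struct

TAC_PLUS_HDR_SIZE = 12
TAC_PLUS_MAJOR_VER = 0xC0          # major version 0xc in the high nibble
TAC_PLUS_MAJOR_VER_MASK = 0xF0
PACKET_TYPES = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}
# RFC 8907 header flag bits; decoded, not interpreted, by this example.
FLAG_BITS = {0x01: "UNENCRYPTED", 0x04: "SINGLE_CONNECT"}


class HeaderError(ValueError):
    """Raised when the 12 header bytes are not a valid TACACS+ header."""


def parse_header(raw):
    """Return the header fields of a TACACS+ packet as a dict.

    Only the first 12 bytes are examined; the body is key-encrypted and is
    not needed to decide whether the peer is speaking TACACS+.
    """
    if len(raw) < TAC_PLUS_HDR_SIZE:
        raise HeaderError(
            f"short header: read {len(raw)} bytes, expecting {TAC_PLUS_HDR_SIZE}")
    # version, type, seq_no, flags are single bytes; session_id and length
    # are 32-bit big-endian integers.
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", raw[:TAC_PLUS_HDR_SIZE])
    if (version & TAC_PLUS_MAJOR_VER_MASK) != TAC_PLUS_MAJOR_VER:
        # Same wording as the server log in the thread; the raw byte is shown.
        raise HeaderError(
            f"Illegal major version specified: found {version} wanted {TAC_PLUS_MAJOR_VER}")
    if ptype not in PACKET_TYPES:
        raise HeaderError(f"unknown packet type {ptype}")
    return {
        "version": version,
        "minor_version": version & 0x0F,
        "type": PACKET_TYPES[ptype],
        "seq_no": seq_no,
        "flags": flags,
        "flag_names": [name for bit, name in FLAG_BITS.items() if flags & bit],
        "session_id": session_id,
        "length": length,
    }


def header_error(raw):
    """Return the error text a server would log for raw, or None if it parses."""
    try:
        parse_header(raw)
    except HeaderError as exc:
        return str(exc)
    return None


# AUTHEN/START header rebuilt from the tac_plus -d256 dump in the thread
# (constructed bytes, not a capture).
START_HEADER = struct.pack("!BBBBII", 0xC0, 1, 1, 0x1, 0x1B0E13BC, 0x1F)

# Constructed non-TACACS+ input: 12 bytes of plain text whose first byte is
# 'a' (0x61 = 97), which is exactly the "found 97" in the server log.
NOT_TACACS = b"a plain line"

if __name__ == "__main__":
    print(parse_header(START_HEADER))
    print(header_error(NOT_TACACS))
```

Because the check needs only the header, it works without the shared key, which makes it a cheap first filter for anything listening on TCP/49: a peer that fails it is not a misconfigured TACACS+ client but some other protocol or garbage, and the raw byte value in the log (here 97) tells you what the first byte was. Bit 0x01 is decoded as UNENCRYPTED because that is its RFC 8907 meaning; whether a given server's debug dump prints the flag as it arrived on the wire or after its own processing is something to confirm against that server's source before drawing conclusions from it.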
From heas at shrubbery.net Tue Nov 21 17:50:22 2017
From: heas at shrubbery.net (heasley)
Date: Tue, 21 Nov 2017 17:50:22 +0000
Subject: [tac_plus] Tac Plus Auth Error with IOS 16
In-Reply-To:
References: <20171121015657.GG38448@shrubbery.net>
Message-ID: <20171121175021.GC14583@shrubbery.net>

Tue, Nov 21, 2017 at 09:42:09AM -0500, Andrew Villano:
> Removed -L since that was adding a bunch of noise.
>
> Found something worth mentioning when adding -d256:
>
> **client ip**: Illegal major version specified: found 97 wanted 192
> **client ip**: disconnect

yeah, weird. the debug o/p looks normal to me.

> Turned on debug aaa authentication and debug tacacs authentication:
>
> Nov 21 14:36:49.113: TPLUS(00000FE0)/1/READ/FF96035DF8: timed out
> Nov 21 14:36:49.113: TPLUS: Authentication start packet created for 4064(rancid)
> Nov 21 14:36:49.113: TPLUS(00000FE0)/1/READ/FF96035DF8: timed out, clean up
> Nov 21 14:36:49.113: TPLUS(00000FE0) login timer stopped
> Nov 21 14:36:49.113: TPLUS(00000FE0)/1/FF96035DF8: Processing the reply packet
> Nov 21 14:36:49.114: TPLUS: Invalid Client information received as input
> Nov 21 14:36:52.119: AAA/AUTHEN/LOGIN (00000FE0): Pick method list 'default'
> Nov 21 14:36:52.120: TPLUS: Queuing AAA Authentication request 4064 for processing
> Nov 21 14:36:52.120: TPLUS(00000FE0) login timer started 1020 sec timeout
> Nov 21 14:36:52.120: TPLUS: processing authentication start request id 4064
> Nov 21 14:36:52.120: TPLUS: Authentication start packet created for 4064(rancid)
> Nov 21 14:36:52.121: TPLUS: Using server **tacacs server**
> Nov 21 14:36:52.122: TPLUS(00000FE0)/1/NB_WAIT/FF97B1F858: Started 5 sec timeout
> Nov 21 14:36:52.125: TPLUS(00000FE0)/1/NB_WAIT: socket event 2
> Nov 21 14:36:52.126: TPLUS(00000FE0)/1/NB_WAIT: wrote entire 43 bytes request
> Nov 21 14:36:52.126: TPLUS(00000FE0)/1/READ: socket event 1
> Nov 21 14:36:52.127: TPLUS(00000FE0)/1/READ: Would block while reading
> Nov 21 14:36:57.122: TPLUS(00000FE0)/1/READ/FF97B1F858: timed out

why did it timeout. do you have filters somewhere that are interfering? or perhaps a routing problem or duplicate address? maybe add aaa packet debugging.

> Nov 21 14:36:57.122: TPLUS: Authentication start packet created for 4064(rancid)
> Nov 21 14:36:57.123: TPLUS(00000FE0)/1/READ/FF97B1F858: timed out, clean up
> Nov 21 14:36:57.123: TPLUS(00000FE0) login timer stopped
> Nov 21 14:36:57.123: TPLUS(00000FE0)/1/FF97B1F858: Processing the reply packet
> Nov 21 14:36:57.124: TPLUS: Invalid Client information received as input
>
>
>
> On Mon, Nov 20, 2017 at 8:56 PM, heasley wrote:
>
> > Mon, Nov 20, 2017 at 02:21:53PM -0700, Daniel Schmidt:
> > > wild guess:
> > >
> > > try adding pap = cleartext "blahblahblah"
> > >
> >
> > yeah, or try it with -d 8 -d 256. find the service type, because this is weird:
> >
> > > > Nov 20 15:43:09.240: TPLUS: Details of client session
> > > > Nov 20 15:43:09.240: Client PID : 502
> > > > Nov 20 15:43:09.240: Allocator PC : 0
> > > > Nov 20 15:43:09.240: Transaction Type : Authentication
> > > > Nov 20 15:43:09.240: Transaction Status : GET_PASSWORD
> > > > Nov 20 15:43:09.240: Service : none <<<<<<<<<<<<<<
> > > > Nov 20 15:43:09.240: Protocol : none
> > > > Nov 20 15:47:59.067: TPLUS(00000FCA) login timer stopped
> > > > Nov 20 15:47:59.067: TPLUS(00000FCA)/0/None: Started 120 sec timeout
> >                                      ^ wonder what the 0 is.
> >

From daniel.schmidt at wyo.gov Tue Nov 21 20:06:09 2017
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Tue, 21 Nov 2017 13:06:09 -0700
Subject: [tac_plus] Tac Plus Auth Error with IOS 16
In-Reply-To:
References: <20171121015657.GG38448@shrubbery.net> <20171121175021.GC14583@shrubbery.net>
Message-ID:

Are you saying this could be a do_auth problem? I do not have anything IOS XE 16 to test with.

On Tue, Nov 21, 2017 at 12:57 PM, Andrew Villano wrote:

> ++Reply_All...
> > It's not at the network layer because it will connect intermittently, > especially when using another (more privileged account). The only > difference between the two accounts is the filtering I do in do_auth.conf > and the fact that one also exists as a local account. > > > Nov 21 18:37:26.296: AAA/BIND(00000FE2): Bind i/f > Nov 21 18:37:26.297: AAA/AUTHEN/LOGIN (00000FE2): Pick method list > 'default' > Nov 21 18:37:26.297: TPLUS: Queuing AAA Authentication request 4066 for > processing > Nov 21 18:37:26.298: TPLUS(00000FE2) login timer started 1020 sec timeout > Nov 21 18:37:26.299: TPLUS: processing authentication start request id 4066 > Nov 21 18:37:26.299: TPLUS: Authentication start packet created for > 4066(root) > Nov 21 18:37:26.300: TPLUS: Using server **tacacs server ip** > Nov 21 18:37:26.302: TPLUS(00000FE2)/0/NB_WAIT/FF97E18E08: Started 5 sec > timeout > Nov 21 18:37:26.303: TPLUS(00000FE2)/0/NB_WAIT: socket event 2 > Nov 21 18:37:26.304: TPLUS(00000FE2)/0/NB_WAIT: wrote entire 41 bytes > request > Nov 21 18:37:26.304: TPLUS(00000FE2)/0/READ: socket event 1 > Nov 21 18:37:26.304: TPLUS(00000FE2)/0/READ: Would block while reading > Nov 21 18:37:26.313: TPLUS(00000FE2)/0/READ: socket event 1 > Nov 21 18:37:26.313: TPLUS(00000FE2)/0/READ: read entire 12 header bytes > (expect 16 bytes data) > Nov 21 18:37:26.313: TPLUS(00000FE2)/0/READ: socket event 1 > Nov 21 18:37:26.313: TPLUS(00000FE2)/0/READ: read entire 28 bytes response > Nov 21 18:37:26.313: TPLUS(00000FE2) login timer stopped > Nov 21 18:37:26.314: TPLUS(00000FE2)/0/FF97E18E08: Processing the reply > packet > Nov 21 18:37:26.314: TPLUS: Received authen response status GET_PASSWORD > (8) > Nov 21 18:37:26.314: TPLUS(00000FE2)/0/None: Started 120 sec timeout > Nov 21 18:37:29.546: TPLUS: Queuing AAA Authentication request 4066 for > processing > Nov 21 18:37:29.547: TPLUS(00000FE2) login timer started 1020 sec timeout > Nov 21 18:37:29.547: TPLUS: processing authentication continue request id 
> 4066 > Nov 21 18:37:29.548: TPLUS: Authentication continue packet generated for > 4066 > Nov 21 18:37:29.548: TPLUS(00000FE2)/0/None: Timer Stoped > Nov 21 18:37:29.549: TPLUS(00000FE2)/0/WRITE/FF97AEA8C0: Started 5 sec > timeout > Nov 21 18:37:29.549: TPLUS(00000FE2)/0/WRITE: wrote entire 24 bytes request > Nov 21 18:37:29.571: TPLUS(00000FE2)/0/READ: socket event 1 > Nov 21 18:37:29.571: TPLUS(00000FE2)/0/READ: read entire 12 header bytes > (expect 6 bytes data) > Nov 21 18:37:29.571: TPLUS(00000FE2)/0/READ: socket event 1 > Nov 21 18:37:29.572: TPLUS(00000FE2)/0/READ: read entire 18 bytes response > Nov 21 18:37:29.572: TPLUS(00000FE2) login timer stopped > Nov 21 18:37:29.572: TPLUS(00000FE2)/0/FF97AEA8C0: Processing the reply > packet > Nov 21 18:37:29.572: TPLUS: Received authen response status PASS (2) > Nov 21 18:37:29.573: TPLUS: Invalid Client information received as input > Nov 21 18:37:29.627: TPLUS(00000FE2) login timer stopped > Nov 21 18:37:29.627: TPLUS: Invalid Client information received as input > Nov 21 18:40:03.178: AAA/BIND(00000FE3): Bind i/f > Nov 21 18:40:03.178: AAA/AUTHEN/LOGIN (00000FE3): Pick method list > 'default' > Nov 21 18:40:03.179: TPLUS: Queuing AAA Authentication request 4067 for > processing > Nov 21 18:40:03.179: TPLUS(00000FE3) login timer started 1020 sec timeout > Nov 21 18:40:03.179: TPLUS: processing authentication start request id 4067 > Nov 21 18:40:03.179: TPLUS: Authentication start packet created for > 4067(rancid) > Nov 21 18:40:03.180: TPLUS: Using server **tacacs server ip** > Nov 21 18:40:03.181: TPLUS(00000FE3)/0/NB_WAIT/FF97D911E8: Started 5 sec > timeout > Nov 21 18:40:03.183: TPLUS(00000FE3)/0/NB_WAIT: socket event 2 > Nov 21 18:40:03.183: T+: Version 192 (0xC0), type 1, seq 1, encryption 1, > SC 0 > Nov 21 18:40:03.183: T+: session_id 2506212375 <(250)%20621-2375> > (0x9561C417), dlen 31 (0x1F) > Nov 21 18:40:03.183: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii > Nov 21 18:40:03.183: T+: svc:LOGIN 
user_len:6 port_len:4 (0x4) > raddr_len:13 (0xD) data_len:0 > Nov 21 18:40:03.183: T+: user: rancid > Nov 21 18:40:03.183: T+: port: tty2 > Nov 21 18:40:03.183: T+: rem_addr: **client ip** > Nov 21 18:40:03.183: T+: data: > Nov 21 18:40:03.183: T+: End Packet > Nov 21 18:40:03.184: TPLUS(00000FE3)/0/NB_WAIT: wrote entire 43 bytes > request > Nov 21 18:40:03.184: TPLUS(00000FE3)/0/READ: socket event 1 > Nov 21 18:40:03.184: TPLUS(00000FE3)/0/READ: Would block while reading > Nov 21 18:40:03.190: TPLUS(00000FE3)/0/READ: socket event 1 > Nov 21 18:40:03.190: TPLUS(00000FE3)/0/READ: read entire 12 header bytes > (expect 16 bytes data) > Nov 21 18:40:03.190: TPLUS(00000FE3)/0/READ: socket event 1 > Nov 21 18:40:03.190: TPLUS(00000FE3)/0/READ: read entire 28 bytes response > Nov 21 18:40:03.191: T+: Version 192 (0xC0), type 1, seq 2, encryption 1, > SC 0 > Nov 21 18:40:03.191: T+: session_id 2506212375 <(250)%20621-2375> > (0x9561C417), dlen 16 (0x10) > Nov 21 18:40:03.191: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, > data_len:0 > Nov 21 18:40:03.191: T+: msg: Password: > Nov 21 18:40:03.191: T+: data: > Nov 21 18:40:03.191: T+: End Packet > Nov 21 18:40:03.191: TPLUS(00000FE3) login timer stopped > Nov 21 18:40:03.191: TPLUS(00000FE3)/0/FF97D911E8: Processing the reply > packet > Nov 21 18:40:03.191: TPLUS: Received authen response status GET_PASSWORD > (8) > Nov 21 18:40:03.192: TPLUS(00000FE3)/0/None: Started 120 sec timeout > Nov 21 18:40:06.197: AAA/AUTHEN/LOGIN (00000FE3): Pick method list > 'default' > Nov 21 18:40:06.197: TPLUS: Queuing AAA Authentication request 4067 for > processing > Nov 21 18:40:06.198: TPLUS(00000FE3) login timer started 1020 sec timeout > Nov 21 18:40:06.198: TPLUS: processing authentication start request id 4067 > Nov 21 18:40:06.198: TPLUS: Authentication start packet created for > 4067(rancid) > Nov 21 18:40:06.198: TPLUS: Using server **tacacs server ip** > Nov 21 18:40:06.200: TPLUS(00000FE3)/1/NB_WAIT/FF97AEA8C0: Started 5 sec > 
timeout > Nov 21 18:40:06.201: TPLUS(00000FE3)/1/NB_WAIT: socket event 2 > Nov 21 18:40:06.201: T+: Version 192 (0xC0), type 1, seq 1, encryption 1, > SC 0 > Nov 21 18:40:06.201: T+: session_id 795748828 (0x2F6E29DC), dlen 31 (0x1F) > Nov 21 18:40:06.201: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii > Nov 21 18:40:06.201: T+: svc:LOGIN user_len:6 port_len:4 (0x4) > raddr_len:13 (0xD) data_len:0 > Nov 21 18:40:06.201: T+: user: rancid > Nov 21 18:40:06.202: T+: port: tty2 > Nov 21 18:40:06.202: T+: rem_addr: **client ip** > Nov 21 18:40:06.202: T+: data: > Nov 21 18:40:06.202: T+: End Packet > Nov 21 18:40:06.204: TPLUS(00000FE3)/1/NB_WAIT: wrote entire 43 bytes > request > Nov 21 18:40:06.204: TPLUS(00000FE3)/1/READ: socket event 1 > Nov 21 18:40:06.204: TPLUS(00000FE3)/1/READ: Would block while reading > Nov 21 18:40:11.199: TPLUS(00000FE3)/1/READ/FF97AEA8C0: timed out > Nov 21 18:40:11.199: TPLUS: Authentication start packet created for > 4067(rancid) > Nov 21 18:40:11.199: TPLUS(00000FE3)/1/READ/FF97AEA8C0: timed out, clean > up > Nov 21 18:40:11.200: TPLUS(00000FE3) login timer stopped > Nov 21 18:40:11.200: TPLUS(00000FE3)/1/FF97AEA8C0: Processing the reply > packet > Nov 21 18:40:11.200: TPLUS: Invalid Client information received as input > Nov 21 18:40:14.207: AAA/AUTHEN/LOGIN (00000FE3): Pick method list > 'default' > Nov 21 18:40:14.208: TPLUS: Queuing AAA Authentication request 4067 for > processing > Nov 21 18:40:14.208: TPLUS(00000FE3) login timer started 1020 sec timeout > Nov 21 18:40:14.208: TPLUS: processing authentication start request id 4067 > Nov 21 18:40:14.208: TPLUS: Authentication start packet created for > 4067(rancid) > Nov 21 18:40:14.209: TPLUS: Using server **tacacs server ip** > Nov 21 18:40:14.210: TPLUS(00000FE3)/1/NB_WAIT/FF97AEA8C0: Started 5 sec > timeout > Nov 21 18:40:14.211: TPLUS(00000FE3)/1/NB_WAIT: socket event 2 > Nov 21 18:40:14.211: T+: Version 192 (0xC0), type 1, seq 1, encryption 1, > SC 0 > Nov 21 18:40:14.211: 
T+: session_id 2016212721 (0x782CF6F1), dlen 31 (0x1F)
> Nov 21 18:40:14.211: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
> Nov 21 18:40:14.212: T+: svc:LOGIN user_len:6 port_len:4 (0x4) raddr_len:13 (0xD) data_len:0
> Nov 21 18:40:14.212: T+: user: rancid
> Nov 21 18:40:14.212: T+: port: tty2
> Nov 21 18:40:14.212: T+: rem_addr: **client ip**
> Nov 21 18:40:14.212: T+: data:
> Nov 21 18:40:14.212: T+: End Packet
> Nov 21 18:40:14.212: TPLUS(00000FE3)/1/NB_WAIT: wrote entire 43 bytes request
> Nov 21 18:40:14.212: TPLUS(00000FE3)/1/READ: socket event 1
> Nov 21 18:40:14.213: TPLUS(00000FE3)/1/READ: Would block while reading
> Nov 21 18:40:19.211: TPLUS(00000FE3)/1/READ/FF97AEA8C0: timed out
> Nov 21 18:40:19.211: TPLUS: Authentication start packet created for 4067(rancid)
> Nov 21 18:40:19.211: TPLUS(00000FE3)/1/READ/FF97AEA8C0: timed out, clean up
> Nov 21 18:40:19.211: TPLUS(00000FE3) login timer stopped
> Nov 21 18:40:19.211: TPLUS(00000FE3)/1/FF97AEA8C0: Processing the reply packet
> Nov 21 18:40:19.212: TPLUS: Invalid Client information received as input
> Nov 21 18:40:26.559: AAA/BIND(00000FE4): Bind i/f
> Nov 21 18:40:26.559: AAA/AUTHEN/LOGIN (00000FE4): Pick method list 'default'
> Nov 21 18:40:26.560: TPLUS: Queuing AAA Authentication request 4068 for processing
> Nov 21 18:40:26.560: TPLUS(00000FE4) login timer started 1020 sec timeout
> Nov 21 18:40:26.560: TPLUS: processing authentication start request id 4068
> Nov 21 18:40:26.561: TPLUS: Authentication start packet created for 4068(root)
> Nov 21 18:40:26.561: TPLUS: Using server **tacacs server ip**
> Nov 21 18:40:26.563: TPLUS(00000FE4)/1/NB_WAIT/FF97E18E08: Started 5 sec timeout
> Nov 21 18:40:26.564: TPLUS(00000FE4)/1/NB_WAIT: socket event 2
> Nov 21 18:40:26.565: T+: Version 192 (0xC0), type 1, seq 1, encryption 1, SC 0
> Nov 21 18:40:26.565: T+: session_id 2166987313 (0x81299A31), dlen 29 (0x1D)
> Nov 21 18:40:26.566: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
> Nov 21 18:40:26.566: T+: svc:LOGIN user_len:4 port_len:4 (0x4) raddr_len:13 (0xD) data_len:0
> Nov 21 18:40:26.566: T+: user: root
> Nov 21 18:40:26.567: T+: port: tty2
> Nov 21 18:40:26.567: T+: rem_addr: **client ip**
> Nov 21 18:40:26.568: T+: data:
> Nov 21 18:40:26.568: T+: End Packet
> Nov 21 18:40:26.568: TPLUS(00000FE4)/1/NB_WAIT: wrote entire 41 bytes request
> Nov 21 18:40:26.568: TPLUS(00000FE4)/1/READ: socket event 1
> Nov 21 18:40:26.568: TPLUS(00000FE4)/1/READ: Would block while reading
> Nov 21 18:40:31.563: TPLUS(00000FE4)/1/READ/FF97E18E08: timed out
> Nov 21 18:40:31.564: TPLUS: Authentication start packet created for 4068(root)
> Nov 21 18:40:31.564: TPLUS(00000FE4)/1/READ/FF97E18E08: timed out, clean up
> Nov 21 18:40:31.565: TPLUS(00000FE4) login timer stopped
> Nov 21 18:40:31.565: TPLUS(00000FE4)/1/FF97E18E08: Processing the reply packet
> Nov 21 18:40:31.566: TPLUS: Invalid Client information received as input
> Nov 21 18:40:34.496: T+: Version 192 (0xC0), type 2, seq 1, encryption 1, SC 0
> Nov 21 18:40:34.496: T+: session_id 235734674 (0xE0D0692), dlen 48 (0x30)
> Nov 21 18:40:34.496: T+: AUTHOR, priv_lvl:1, authen:1 method:local
> Nov 21 18:40:34.497: T+: svc:1 user_len:4 port_len:4 rem_addr_len:13 arg_cnt:2
> Nov 21 18:40:34.497: T+: user: root
> Nov 21 18:40:34.497: T+: port: tty2
> Nov 21 18:40:34.497: T+: rem_addr: **client ip**
> Nov 21 18:40:34.497: T+: arg[0]: size:13 service=shell
> Nov 21 18:40:34.497: T+: arg[1]: size:4 cmd*
> Nov 21 18:40:34.497: T+: End Packet
> Nov 21 18:40:39.494: TPLUS(00000FE4) login timer stopped
> Nov 21 18:40:39.497: TPLUS: Invalid Client information received as input
> Nov 21 18:42:03.191: TPLUS: Client is not responding Forcefully closing the socket
> Nov 21 18:42:03.191: TPLUS: Details of client session
> Nov 21 18:42:03.191: Client PID : 393
> Nov 21 18:42:03.191: Allocator PC : 0
> Nov 21 18:42:03.192: Transaction Type : Authentication
> Nov 21 18:42:03.192: Transaction Status : GET_PASSWORD
> Nov 21 18:42:03.192: Service : none
> Nov 21 18:42:03.192: Protocol : none
>
> On Tue, Nov 21, 2017 at 12:50 PM, heasley wrote:
>
>> Tue, Nov 21, 2017 at 09:42:09AM -0500, Andrew Villano:
>> > Removed -L since that was adding a bunch of noise.
>> >
>> > Found something worth mentioning when adding -d256:
>> >
>> > **client ip**: Illegal major version specified: found 97 wanted 192
>> > **client ip**: disconnect
>>
>> yeah, weird. the debug o/p looks normal to me.
>>
>> > Turned on debug aaa authentication and debug tacacs authentication:
>> >
>> > Nov 21 14:36:49.113: TPLUS(00000FE0)/1/READ/FF96035DF8: timed out
>> > Nov 21 14:36:49.113: TPLUS: Authentication start packet created for 4064(rancid)
>> > Nov 21 14:36:49.113: TPLUS(00000FE0)/1/READ/FF96035DF8: timed out, clean up
>> > Nov 21 14:36:49.113: TPLUS(00000FE0) login timer stopped
>> > Nov 21 14:36:49.113: TPLUS(00000FE0)/1/FF96035DF8: Processing the reply packet
>> > Nov 21 14:36:49.114: TPLUS: Invalid Client information received as input
>> > Nov 21 14:36:52.119: AAA/AUTHEN/LOGIN (00000FE0): Pick method list 'default'
>> > Nov 21 14:36:52.120: TPLUS: Queuing AAA Authentication request 4064 for processing
>> > Nov 21 14:36:52.120: TPLUS(00000FE0) login timer started 1020 sec timeout
>> > Nov 21 14:36:52.120: TPLUS: processing authentication start request id 4064
>> > Nov 21 14:36:52.120: TPLUS: Authentication start packet created for 4064(rancid)
>> > Nov 21 14:36:52.121: TPLUS: Using server **tacacs server**
>> > Nov 21 14:36:52.122: TPLUS(00000FE0)/1/NB_WAIT/FF97B1F858: Started 5 sec timeout
>> > Nov 21 14:36:52.125: TPLUS(00000FE0)/1/NB_WAIT: socket event 2
>> > Nov 21 14:36:52.126: TPLUS(00000FE0)/1/NB_WAIT: wrote entire 43 bytes request
>> > Nov 21 14:36:52.126: TPLUS(00000FE0)/1/READ: socket event 1
>> > Nov 21 14:36:52.127: TPLUS(00000FE0)/1/READ: Would block while reading
>> > Nov 21 14:36:57.122: TPLUS(00000FE0)/1/READ/FF97B1F858: timed out
>>
>> why did it timeout. do you have filters somewhere that are interfering?
>> or perhaps a routing problem or duplicate address? maybe add aaa packet
>> debugging.
>>
>> > Nov 21 14:36:57.122: TPLUS: Authentication start packet created for 4064(rancid)
>> > Nov 21 14:36:57.123: TPLUS(00000FE0)/1/READ/FF97B1F858: timed out, clean up
>> > Nov 21 14:36:57.123: TPLUS(00000FE0) login timer stopped
>> > Nov 21 14:36:57.123: TPLUS(00000FE0)/1/FF97B1F858: Processing the reply packet
>> > Nov 21 14:36:57.124: TPLUS: Invalid Client information received as input
>> >
>> >
>> >
>> > On Mon, Nov 20, 2017 at 8:56 PM, heasley wrote:
>> >
>> > > Mon, Nov 20, 2017 at 02:21:53PM -0700, Daniel Schmidt:
>> > > > wild guess:
>> > > >
>> > > > try adding pap = cleartext "blahblahblah"
>> > > >
>> > >
>> > > yeah, or try it with -d 8 -d 256. find the service type, because this
>> > > is weird:
>> > >
>> > > > > Nov 20 15:43:09.240: TPLUS: Details of client session
>> > > > > Nov 20 15:43:09.240: Client PID : 502
>> > > > > Nov 20 15:43:09.240: Allocator PC : 0
>> > > > > Nov 20 15:43:09.240: Transaction Type : Authentication
>> > > > > Nov 20 15:43:09.240: Transaction Status : GET_PASSWORD
>> > > > > Nov 20 15:43:09.240: Service : none <<<<<<<<<<<<<<
>> > > > > Nov 20 15:43:09.240: Protocol : none
>> > > > > Nov 20 15:47:59.067: TPLUS(00000FCA) login timer stopped
>> > > > > Nov 20 15:47:59.067: TPLUS(00000FCA)/0/None: Started 120 sec timeout
>> > > ^ wonder what the 0 is.
>> > >
>> > >
From andrew.villano at gmail.com Tue Nov 21 20:25:06 2017
From: andrew.villano at gmail.com (Andrew Villano)
Date: Tue, 21 Nov 2017 15:25:06 -0500
Subject: [tac_plus] Tac Plus Auth Error with IOS 16
In-Reply-To:
References: <20171121015657.GG38448@shrubbery.net> <20171121175021.GC14583@shrubbery.net>
Message-ID:

Found the problem. Special characters are not tolerated in passwords.

On Tue, Nov 21, 2017 at 2:57 PM, Andrew Villano wrote:
> ++Reply_All...
>
> It's not at the network layer because it will connect intermittently,
> especially when using another (more privileged account). The only
> difference between the two accounts is the filtering I do in do_auth.conf
> and the fact that one also exists as a local account.
>
>
> Nov 21 18:37:26.296: AAA/BIND(00000FE2): Bind i/f
> Nov 21 18:37:26.297: AAA/AUTHEN/LOGIN (00000FE2): Pick method list 'default'
> Nov 21 18:37:26.297: TPLUS: Queuing AAA Authentication request 4066 for processing
> Nov 21 18:37:26.298: TPLUS(00000FE2) login timer started 1020 sec timeout
> Nov 21 18:37:26.299: TPLUS: processing authentication start request id 4066
> Nov 21 18:37:26.299: TPLUS: Authentication start packet created for 4066(root)
> Nov 21 18:37:26.300: TPLUS: Using server **tacacs server ip**
> Nov 21 18:37:26.302: TPLUS(00000FE2)/0/NB_WAIT/FF97E18E08: Started 5 sec timeout
> Nov 21 18:37:26.303: TPLUS(00000FE2)/0/NB_WAIT: socket event 2
> Nov 21 18:37:26.304: TPLUS(00000FE2)/0/NB_WAIT: wrote entire 41 bytes request
> Nov 21 18:37:26.304: TPLUS(00000FE2)/0/READ: socket event 1
> Nov 21 18:37:26.304: TPLUS(00000FE2)/0/READ: Would block while reading
> Nov 21 18:37:26.313: TPLUS(00000FE2)/0/READ: socket event 1
> Nov 21 18:37:26.313: TPLUS(00000FE2)/0/READ: read entire 12 header bytes (expect 16 bytes data)
> Nov 21 18:37:26.313: TPLUS(00000FE2)/0/READ: socket event 1
> Nov 21 18:37:26.313: TPLUS(00000FE2)/0/READ: read entire 28 bytes response
> Nov 21 18:37:26.313: TPLUS(00000FE2) login timer stopped
> Nov 21 18:37:26.314: TPLUS(00000FE2)/0/FF97E18E08: Processing the reply packet
> Nov 21 18:37:26.314: TPLUS: Received authen response status GET_PASSWORD (8)
> Nov 21 18:37:26.314: TPLUS(00000FE2)/0/None: Started 120 sec timeout
> Nov 21 18:37:29.546: TPLUS: Queuing AAA Authentication request 4066 for processing
> Nov 21 18:37:29.547: TPLUS(00000FE2) login timer started 1020 sec timeout
> Nov 21 18:37:29.547: TPLUS: processing authentication continue request id 4066
> Nov 21 18:37:29.548: TPLUS: Authentication continue packet generated for 4066
> Nov 21 18:37:29.548: TPLUS(00000FE2)/0/None: Timer Stoped
> Nov 21 18:37:29.549: TPLUS(00000FE2)/0/WRITE/FF97AEA8C0: Started 5 sec timeout
> Nov 21 18:37:29.549: TPLUS(00000FE2)/0/WRITE: wrote entire 24 bytes request
> Nov 21 18:37:29.571: TPLUS(00000FE2)/0/READ: socket event 1
> Nov 21 18:37:29.571: TPLUS(00000FE2)/0/READ: read entire 12 header bytes (expect 6 bytes data)
> Nov 21 18:37:29.571: TPLUS(00000FE2)/0/READ: socket event 1
> Nov 21 18:37:29.572: TPLUS(00000FE2)/0/READ: read entire 18 bytes response
> Nov 21 18:37:29.572: TPLUS(00000FE2) login timer stopped
> Nov 21 18:37:29.572: TPLUS(00000FE2)/0/FF97AEA8C0: Processing the reply packet
> Nov 21 18:37:29.572: TPLUS: Received authen response status PASS (2)
> Nov 21 18:37:29.573: TPLUS: Invalid Client information received as input
> Nov 21 18:37:29.627: TPLUS(00000FE2) login timer stopped
> Nov 21 18:37:29.627: TPLUS: Invalid Client information received as input
> Nov 21 18:40:03.178: AAA/BIND(00000FE3): Bind i/f
> Nov 21 18:40:03.178: AAA/AUTHEN/LOGIN (00000FE3): Pick method list 'default'
> Nov 21 18:40:03.179: TPLUS: Queuing AAA Authentication request 4067 for processing
> Nov 21 18:40:03.179: TPLUS(00000FE3) login timer started 1020 sec timeout
> Nov 21 18:40:03.179: TPLUS: processing authentication start request id 4067
> Nov 21 18:40:03.179: TPLUS: Authentication start packet created for 4067(rancid)
> Nov 21 18:40:03.180: TPLUS: Using server **tacacs server ip**
> Nov 21 18:40:03.181: TPLUS(00000FE3)/0/NB_WAIT/FF97D911E8: Started 5 sec timeout
> Nov 21 18:40:03.183: TPLUS(00000FE3)/0/NB_WAIT: socket event 2
> Nov 21 18:40:03.183: T+: Version 192 (0xC0), type 1, seq 1, encryption 1, SC 0
> Nov 21 18:40:03.183: T+: session_id 2506212375 (0x9561C417), dlen 31 (0x1F)
> Nov 21 18:40:03.183: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
> Nov 21 18:40:03.183: T+: svc:LOGIN user_len:6 port_len:4 (0x4) raddr_len:13 (0xD) data_len:0
> Nov 21 18:40:03.183: T+: user: rancid
> Nov 21 18:40:03.183: T+: port: tty2
> Nov 21 18:40:03.183: T+: rem_addr: **client ip**
> Nov 21 18:40:03.183: T+: data:
> Nov 21 18:40:03.183: T+: End Packet
> Nov 21 18:40:03.184: TPLUS(00000FE3)/0/NB_WAIT: wrote entire 43 bytes request
> Nov 21 18:40:03.184: TPLUS(00000FE3)/0/READ: socket event 1
> Nov 21 18:40:03.184: TPLUS(00000FE3)/0/READ: Would block while reading
> Nov 21 18:40:03.190: TPLUS(00000FE3)/0/READ: socket event 1
> Nov 21 18:40:03.190: TPLUS(00000FE3)/0/READ: read entire 12 header bytes (expect 16 bytes data)
> Nov 21 18:40:03.190: TPLUS(00000FE3)/0/READ: socket event 1
> Nov 21 18:40:03.190: TPLUS(00000FE3)/0/READ: read entire 28 bytes response
> Nov 21 18:40:03.191: T+: Version 192 (0xC0), type 1, seq 2, encryption 1, SC 0
> Nov 21 18:40:03.191: T+: session_id 2506212375 (0x9561C417), dlen 16 (0x10)
> Nov 21 18:40:03.191: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
> Nov 21 18:40:03.191: T+: msg: Password:
> Nov 21 18:40:03.191: T+: data:
> Nov 21 18:40:03.191: T+: End Packet
> Nov 21 18:40:03.191: TPLUS(00000FE3) login timer stopped
> Nov 21 18:40:03.191: TPLUS(00000FE3)/0/FF97D911E8: Processing the reply packet
> Nov 21 18:40:03.191: TPLUS: Received authen response status GET_PASSWORD (8)
> Nov 21 18:40:03.192: TPLUS(00000FE3)/0/None: Started 120 sec timeout
> Nov 21 18:40:06.197: AAA/AUTHEN/LOGIN (00000FE3): Pick method list 'default'
> Nov 21 18:40:06.197: TPLUS: Queuing AAA Authentication request 4067 for processing
> Nov 21 18:40:06.198: TPLUS(00000FE3) login timer started 1020 sec timeout
> Nov 21 18:40:06.198: TPLUS: processing authentication start request id 4067
> Nov 21 18:40:06.198: TPLUS: Authentication start packet created for 4067(rancid)
> Nov 21 18:40:06.198: TPLUS: Using server **tacacs server ip**
> Nov 21 18:40:06.200: TPLUS(00000FE3)/1/NB_WAIT/FF97AEA8C0: Started 5 sec timeout
> Nov 21 18:40:06.201: TPLUS(00000FE3)/1/NB_WAIT: socket event 2
> Nov 21 18:40:06.201: T+: Version 192 (0xC0), type 1, seq 1, encryption 1, SC 0
> Nov 21 18:40:06.201: T+: session_id 795748828 (0x2F6E29DC), dlen 31 (0x1F)
> Nov 21 18:40:06.201: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
> Nov 21 18:40:06.201: T+: svc:LOGIN user_len:6 port_len:4 (0x4) raddr_len:13 (0xD) data_len:0
> Nov 21 18:40:06.201: T+: user: rancid
> Nov 21 18:40:06.202: T+: port: tty2
> Nov 21 18:40:06.202: T+: rem_addr: **client ip**
> Nov 21 18:40:06.202: T+: data:
> Nov 21 18:40:06.202: T+: End Packet
> Nov 21 18:40:06.204: TPLUS(00000FE3)/1/NB_WAIT: wrote entire 43 bytes request
> Nov 21 18:40:06.204: TPLUS(00000FE3)/1/READ: socket event 1
> Nov 21 18:40:06.204: TPLUS(00000FE3)/1/READ: Would block while reading
> Nov 21 18:40:11.199: TPLUS(00000FE3)/1/READ/FF97AEA8C0: timed out
> Nov 21 18:40:11.199: TPLUS: Authentication start packet created for 4067(rancid)
> Nov 21 18:40:11.199: TPLUS(00000FE3)/1/READ/FF97AEA8C0: timed out, clean up
> Nov 21 18:40:11.200: TPLUS(00000FE3) login timer stopped
> Nov 21 18:40:11.200: TPLUS(00000FE3)/1/FF97AEA8C0: Processing the reply packet
> Nov 21 18:40:11.200: TPLUS: Invalid Client information received as input
> Nov 21 18:40:14.207: AAA/AUTHEN/LOGIN (00000FE3): Pick method list 'default'
> Nov 21 18:40:14.208: TPLUS: Queuing AAA Authentication request 4067 for processing
> Nov 21 18:40:14.208: TPLUS(00000FE3) login timer started 1020 sec timeout
> Nov 21 18:40:14.208: TPLUS: processing authentication start request id 4067
> Nov 21 18:40:14.208: TPLUS: Authentication start packet created for 4067(rancid)
> Nov 21 18:40:14.209: TPLUS: Using server **tacacs server ip**
> Nov 21 18:40:14.210: TPLUS(00000FE3)/1/NB_WAIT/FF97AEA8C0: Started 5 sec timeout
> Nov 21 18:40:14.211: TPLUS(00000FE3)/1/NB_WAIT: socket event 2
> Nov 21 18:40:14.211: T+: Version 192 (0xC0), type 1, seq 1, encryption 1, SC 0
> Nov 21 18:40:14.211: T+: session_id 2016212721 (0x782CF6F1), dlen 31 (0x1F)
> Nov 21 18:40:14.211: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
> Nov 21 18:40:14.212: T+: svc:LOGIN user_len:6 port_len:4 (0x4) raddr_len:13 (0xD) data_len:0
> Nov 21 18:40:14.212: T+: user: rancid
> Nov 21 18:40:14.212: T+: port: tty2
> Nov 21 18:40:14.212: T+: rem_addr: **client ip**
> Nov 21 18:40:14.212: T+: data:
> Nov 21 18:40:14.212: T+: End Packet
> Nov 21 18:40:14.212: TPLUS(00000FE3)/1/NB_WAIT: wrote entire 43 bytes request
> Nov 21 18:40:14.212: TPLUS(00000FE3)/1/READ: socket event 1
> Nov 21 18:40:14.213: TPLUS(00000FE3)/1/READ: Would block while reading
> Nov 21 18:40:19.211: TPLUS(00000FE3)/1/READ/FF97AEA8C0: timed out
> Nov 21 18:40:19.211: TPLUS: Authentication start packet created for 4067(rancid)
> Nov 21 18:40:19.211: TPLUS(00000FE3)/1/READ/FF97AEA8C0: timed out, clean up
> Nov 21 18:40:19.211: TPLUS(00000FE3) login timer stopped
> Nov 21 18:40:19.211: TPLUS(00000FE3)/1/FF97AEA8C0: Processing the reply packet
> Nov 21 18:40:19.212: TPLUS: Invalid Client information received as input
> Nov 21 18:40:26.559: AAA/BIND(00000FE4): Bind i/f
> Nov 21 18:40:26.559: AAA/AUTHEN/LOGIN (00000FE4): Pick method list 'default'
> Nov 21 18:40:26.560: TPLUS: Queuing AAA Authentication request 4068 for processing
> Nov 21 18:40:26.560: TPLUS(00000FE4) login timer started 1020 sec timeout
> Nov 21 18:40:26.560: TPLUS: processing authentication start request id 4068
> Nov 21 18:40:26.561: TPLUS: Authentication start packet created for 4068(root)
> Nov 21 18:40:26.561: TPLUS: Using server **tacacs server ip**
> Nov 21 18:40:26.563: TPLUS(00000FE4)/1/NB_WAIT/FF97E18E08: Started 5 sec timeout
> Nov 21 18:40:26.564: TPLUS(00000FE4)/1/NB_WAIT: socket event 2
> Nov 21 18:40:26.565: T+: Version 192 (0xC0), type 1, seq 1, encryption 1, SC 0
> Nov 21 18:40:26.565: T+: session_id 2166987313 (0x81299A31), dlen 29 (0x1D)
> Nov 21 18:40:26.566: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
> Nov 21 18:40:26.566: T+: svc:LOGIN user_len:4 port_len:4 (0x4) raddr_len:13 (0xD) data_len:0
> Nov 21 18:40:26.566: T+: user: root
> Nov 21 18:40:26.567: T+: port: tty2
> Nov 21 18:40:26.567: T+: rem_addr: **client ip**
> Nov 21 18:40:26.568: T+: data:
> Nov 21 18:40:26.568: T+: End Packet
> Nov 21 18:40:26.568: TPLUS(00000FE4)/1/NB_WAIT: wrote entire 41 bytes request
> Nov 21 18:40:26.568: TPLUS(00000FE4)/1/READ: socket event 1
> Nov 21 18:40:26.568: TPLUS(00000FE4)/1/READ: Would block while reading
> Nov 21 18:40:31.563: TPLUS(00000FE4)/1/READ/FF97E18E08: timed out
> Nov 21 18:40:31.564: TPLUS: Authentication start packet created for 4068(root)
> Nov 21 18:40:31.564: TPLUS(00000FE4)/1/READ/FF97E18E08: timed out, clean up
> Nov 21 18:40:31.565: TPLUS(00000FE4) login timer stopped
> Nov 21 18:40:31.565: TPLUS(00000FE4)/1/FF97E18E08: Processing the reply packet
> Nov 21 18:40:31.566: TPLUS: Invalid Client information received as input
> Nov 21 18:40:34.496: T+: Version 192 (0xC0), type 2, seq 1, encryption 1, SC 0
> Nov 21 18:40:34.496: T+: session_id 235734674 (0xE0D0692), dlen 48 (0x30)
> Nov 21 18:40:34.496: T+: AUTHOR, priv_lvl:1, authen:1 method:local
> Nov 21 18:40:34.497: T+: svc:1 user_len:4 port_len:4 rem_addr_len:13 arg_cnt:2
> Nov 21 18:40:34.497: T+: user: root
> Nov 21 18:40:34.497: T+: port: tty2
> Nov 21 18:40:34.497: T+: rem_addr: **client ip**
> Nov 21 18:40:34.497: T+: arg[0]: size:13 service=shell
> Nov 21 18:40:34.497: T+: arg[1]: size:4 cmd*
> Nov 21 18:40:34.497: T+: End Packet
> Nov 21 18:40:39.494: TPLUS(00000FE4) login timer stopped
> Nov 21 18:40:39.497: TPLUS: Invalid Client information received as input
> Nov 21 18:42:03.191: TPLUS: Client is not responding Forcefully closing the socket
> Nov 21 18:42:03.191: TPLUS: Details of client session
> Nov 21 18:42:03.191: Client PID : 393
> Nov 21 18:42:03.191: Allocator PC : 0
> Nov 21 18:42:03.192: Transaction Type : Authentication
> Nov 21 18:42:03.192: Transaction Status : GET_PASSWORD
> Nov 21 18:42:03.192: Service : none
> Nov 21 18:42:03.192: Protocol : none
>
> On Tue, Nov 21, 2017 at 12:50 PM, heasley wrote:
>
>> Tue, Nov 21, 2017 at 09:42:09AM -0500, Andrew Villano:
>> > Removed -L since that was adding a bunch of noise.
>> >
>> > Found something worth mentioning when adding -d256:
>> >
>> > **client ip**: Illegal major version specified: found 97 wanted 192
>> > **client ip**: disconnect
>>
>> yeah, weird. the debug o/p looks normal to me.
>>
>> > Turned on debug aaa authentication and debug tacacs authentication:
>> >
>> > Nov 21 14:36:49.113: TPLUS(00000FE0)/1/READ/FF96035DF8: timed out
>> > Nov 21 14:36:49.113: TPLUS: Authentication start packet created for 4064(rancid)
>> > Nov 21 14:36:49.113: TPLUS(00000FE0)/1/READ/FF96035DF8: timed out, clean up
>> > Nov 21 14:36:49.113: TPLUS(00000FE0) login timer stopped
>> > Nov 21 14:36:49.113: TPLUS(00000FE0)/1/FF96035DF8: Processing the reply packet
>> > Nov 21 14:36:49.114: TPLUS: Invalid Client information received as input
>> > Nov 21 14:36:52.119: AAA/AUTHEN/LOGIN (00000FE0): Pick method list 'default'
>> > Nov 21 14:36:52.120: TPLUS: Queuing AAA Authentication request 4064 for processing
>> > Nov 21 14:36:52.120: TPLUS(00000FE0) login timer started 1020 sec timeout
>> > Nov 21 14:36:52.120: TPLUS: processing authentication start request id 4064
>> > Nov 21 14:36:52.120: TPLUS: Authentication start packet created for 4064(rancid)
>> > Nov 21 14:36:52.121: TPLUS: Using server **tacacs server**
>> > Nov 21 14:36:52.122: TPLUS(00000FE0)/1/NB_WAIT/FF97B1F858: Started 5 sec timeout
>> > Nov 21 14:36:52.125: TPLUS(00000FE0)/1/NB_WAIT: socket event 2
>> > Nov 21 14:36:52.126: TPLUS(00000FE0)/1/NB_WAIT: wrote entire 43 bytes request
>> > Nov 21 14:36:52.126: TPLUS(00000FE0)/1/READ: socket event 1
>> > Nov 21 14:36:52.127: TPLUS(00000FE0)/1/READ: Would block while reading
>> > Nov 21 14:36:57.122: TPLUS(00000FE0)/1/READ/FF97B1F858: timed out
>>
>> why did it timeout. do you have filters somewhere that are interfering?
>> or perhaps a routing problem or duplicate address? maybe add aaa packet
>> debugging.
>>
>> > Nov 21 14:36:57.122: TPLUS: Authentication start packet created for 4064(rancid)
>> > Nov 21 14:36:57.123: TPLUS(00000FE0)/1/READ/FF97B1F858: timed out, clean up
>> > Nov 21 14:36:57.123: TPLUS(00000FE0) login timer stopped
>> > Nov 21 14:36:57.123: TPLUS(00000FE0)/1/FF97B1F858: Processing the reply packet
>> > Nov 21 14:36:57.124: TPLUS: Invalid Client information received as input
>> >
>> >
>> >
>> > On Mon, Nov 20, 2017 at 8:56 PM, heasley wrote:
>> >
>> > > Mon, Nov 20, 2017 at 02:21:53PM -0700, Daniel Schmidt:
>> > > > wild guess:
>> > > >
>> > > > try adding pap = cleartext "blahblahblah"
>> > > >
>> > >
>> > > yeah, or try it with -d 8 -d 256. find the service type, because this
>> > > is weird:
>> > >
>> > > > > Nov 20 15:43:09.240: TPLUS: Details of client session
>> > > > > Nov 20 15:43:09.240: Client PID : 502
>> > > > > Nov 20 15:43:09.240: Allocator PC : 0
>> > > > > Nov 20 15:43:09.240: Transaction Type : Authentication
>> > > > > Nov 20 15:43:09.240: Transaction Status : GET_PASSWORD
>> > > > > Nov 20 15:43:09.240: Service : none <<<<<<<<<<<<<<
>> > > > > Nov 20 15:43:09.240: Protocol : none
>> > > > > Nov 20 15:47:59.067: TPLUS(00000FCA) login timer stopped
>> > > > > Nov 20 15:47:59.067: TPLUS(00000FCA)/0/None: Started 120 sec timeout
>> > > ^ wonder what the 0 is.
>> > >
>> > >

From andrew.villano at gmail.com Tue Nov 21 19:57:27 2017
From: andrew.villano at gmail.com (Andrew Villano)
Date: Tue, 21 Nov 2017 14:57:27 -0500
Subject: [tac_plus] Tac Plus Auth Error with IOS 16
In-Reply-To: <20171121175021.GC14583@shrubbery.net>
References: <20171121015657.GG38448@shrubbery.net> <20171121175021.GC14583@shrubbery.net>
Message-ID:

++Reply_All...

It's not at the network layer because it will connect intermittently,
especially when using another (more privileged account). The only
difference between the two accounts is the filtering I do in do_auth.conf
and the fact that one also exists as a local account.

Nov 21 18:37:26.296: AAA/BIND(00000FE2): Bind i/f
Nov 21 18:37:26.297: AAA/AUTHEN/LOGIN (00000FE2): Pick method list 'default'
Nov 21 18:37:26.297: TPLUS: Queuing AAA Authentication request 4066 for processing
Nov 21 18:37:26.298: TPLUS(00000FE2) login timer started 1020 sec timeout
Nov 21 18:37:26.299: TPLUS: processing authentication start request id 4066
Nov 21 18:37:26.299: TPLUS: Authentication start packet created for 4066(root)
Nov 21 18:37:26.300: TPLUS: Using server **tacacs server ip**
Nov 21 18:37:26.302: TPLUS(00000FE2)/0/NB_WAIT/FF97E18E08: Started 5 sec timeout
Nov 21 18:37:26.303: TPLUS(00000FE2)/0/NB_WAIT: socket event 2
Nov 21 18:37:26.304: TPLUS(00000FE2)/0/NB_WAIT: wrote entire 41 bytes request
Nov 21 18:37:26.304: TPLUS(00000FE2)/0/READ: socket event 1
Nov 21 18:37:26.304: TPLUS(00000FE2)/0/READ: Would block while reading
Nov 21 18:37:26.313: TPLUS(00000FE2)/0/READ: socket event 1
Nov 21 18:37:26.313: TPLUS(00000FE2)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Nov 21 18:37:26.313: TPLUS(00000FE2)/0/READ: socket event 1
Nov 21 18:37:26.313: TPLUS(00000FE2)/0/READ: read entire 28 bytes response
Nov 21 18:37:26.313: TPLUS(00000FE2) login timer stopped
Nov 21 18:37:26.314: TPLUS(00000FE2)/0/FF97E18E08: Processing the reply packet
Nov 21 18:37:26.314: TPLUS: Received authen response status GET_PASSWORD (8)
Nov 21 18:37:26.314: TPLUS(00000FE2)/0/None: Started 120 sec timeout
Nov 21 18:37:29.546: TPLUS: Queuing AAA Authentication request 4066 for processing
Nov 21 18:37:29.547: TPLUS(00000FE2) login timer started 1020 sec timeout
Nov 21 18:37:29.547: TPLUS: processing authentication continue request id 4066
Nov 21 18:37:29.548: TPLUS: Authentication continue packet generated for 4066
Nov 21 18:37:29.548: TPLUS(00000FE2)/0/None: Timer Stoped
Nov 21 18:37:29.549: TPLUS(00000FE2)/0/WRITE/FF97AEA8C0: Started 5 sec timeout
Nov 21 18:37:29.549: TPLUS(00000FE2)/0/WRITE: wrote entire 24 bytes request
Nov 21 18:37:29.571: TPLUS(00000FE2)/0/READ: socket event 1
Nov 21 18:37:29.571: TPLUS(00000FE2)/0/READ: read entire 12 header bytes (expect 6 bytes data)
Nov 21 18:37:29.571: TPLUS(00000FE2)/0/READ: socket event 1
Nov 21 18:37:29.572: TPLUS(00000FE2)/0/READ: read entire 18 bytes response
Nov 21 18:37:29.572: TPLUS(00000FE2) login timer stopped
Nov 21 18:37:29.572: TPLUS(00000FE2)/0/FF97AEA8C0: Processing the reply packet
Nov 21 18:37:29.572: TPLUS: Received authen response status PASS (2)
Nov 21 18:37:29.573: TPLUS: Invalid Client information received as input
Nov 21 18:37:29.627: TPLUS(00000FE2) login timer stopped
Nov 21 18:37:29.627: TPLUS: Invalid Client information received as input
Nov 21 18:40:03.178: AAA/BIND(00000FE3): Bind i/f
Nov 21 18:40:03.178: AAA/AUTHEN/LOGIN (00000FE3): Pick method list 'default'
Nov 21 18:40:03.179: TPLUS: Queuing AAA Authentication request 4067 for processing
Nov 21 18:40:03.179: TPLUS(00000FE3) login timer started 1020 sec timeout
Nov 21 18:40:03.179: TPLUS: processing authentication start request id 4067
Nov 21 18:40:03.179: TPLUS: Authentication start packet created for 4067(rancid)
Nov 21 18:40:03.180: TPLUS: Using server **tacacs server ip**
Nov 21 18:40:03.181: TPLUS(00000FE3)/0/NB_WAIT/FF97D911E8: Started 5 sec timeout
Nov 21 18:40:03.183: TPLUS(00000FE3)/0/NB_WAIT: socket event 2
Nov 21 18:40:03.183: T+: Version 192 (0xC0), type 1, seq 1, encryption 1, SC 0
Nov 21 18:40:03.183: T+: session_id 2506212375 (0x9561C417), dlen 31 (0x1F)
Nov 21 18:40:03.183: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
Nov 21 18:40:03.183: T+: svc:LOGIN user_len:6 port_len:4 (0x4) raddr_len:13 (0xD) data_len:0
Nov 21 18:40:03.183: T+: user: rancid
Nov 21 18:40:03.183: T+: port: tty2
Nov 21 18:40:03.183: T+: rem_addr: **client ip**
Nov 21 18:40:03.183: T+: data:
Nov 21 18:40:03.183: T+: End Packet
Nov 21 18:40:03.184: TPLUS(00000FE3)/0/NB_WAIT: wrote entire 43 bytes request
Nov 21 18:40:03.184: TPLUS(00000FE3)/0/READ: socket event 1
Nov 21 18:40:03.184: TPLUS(00000FE3)/0/READ: Would block while reading
Nov 21 18:40:03.190: TPLUS(00000FE3)/0/READ: socket event 1
Nov 21 18:40:03.190: TPLUS(00000FE3)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Nov 21 18:40:03.190: TPLUS(00000FE3)/0/READ: socket event 1
Nov 21 18:40:03.190: TPLUS(00000FE3)/0/READ: read entire 28 bytes response
Nov 21 18:40:03.191: T+: Version 192 (0xC0), type 1, seq 2, encryption 1, SC 0
Nov 21 18:40:03.191: T+: session_id 2506212375 (0x9561C417), dlen 16 (0x10)
Nov 21 18:40:03.191: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
Nov 21 18:40:03.191: T+: msg: Password:
Nov 21 18:40:03.191: T+: data:
Nov 21 18:40:03.191: T+: End Packet
Nov 21 18:40:03.191: TPLUS(00000FE3) login timer stopped
Nov 21 18:40:03.191: TPLUS(00000FE3)/0/FF97D911E8: Processing the reply packet
Nov 21 18:40:03.191: TPLUS: Received authen response status GET_PASSWORD (8)
Nov 21 18:40:03.192: TPLUS(00000FE3)/0/None: Started 120 sec timeout
Nov 21 18:40:06.197: AAA/AUTHEN/LOGIN (00000FE3): Pick method list 'default'
Nov 21 18:40:06.197: TPLUS: Queuing AAA Authentication request 4067 for processing
Nov 21 18:40:06.198: TPLUS(00000FE3) login timer started 1020 sec timeout
Nov 21 18:40:06.198: TPLUS: processing authentication start request id 4067
Nov 21 18:40:06.198: TPLUS: Authentication start packet created for 4067(rancid)
Nov 21 18:40:06.198: TPLUS: Using server **tacacs server ip**
Nov 21 18:40:06.200: TPLUS(00000FE3)/1/NB_WAIT/FF97AEA8C0: Started 5 sec timeout
Nov 21 18:40:06.201: TPLUS(00000FE3)/1/NB_WAIT: socket event 2
Nov 21 18:40:06.201: T+: Version 192 (0xC0), type 1, seq 1, encryption 1, SC 0
Nov 21 18:40:06.201: T+: session_id 795748828 (0x2F6E29DC), dlen 31 (0x1F)
Nov 21 18:40:06.201: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
Nov 21 18:40:06.201: T+: svc:LOGIN user_len:6 port_len:4 (0x4) raddr_len:13 (0xD) data_len:0
Nov 21 18:40:06.201: T+: user: rancid
Nov 21 18:40:06.202: T+: port: tty2
Nov 21 18:40:06.202: T+: rem_addr: **client ip**
Nov 21 18:40:06.202: T+: data:
Nov 21 18:40:06.202: T+: End Packet
Nov 21 18:40:06.204: TPLUS(00000FE3)/1/NB_WAIT: wrote entire 43 bytes request
Nov 21 18:40:06.204: TPLUS(00000FE3)/1/READ: socket event 1
Nov 21 18:40:06.204: TPLUS(00000FE3)/1/READ: Would block while reading
Nov 21 18:40:11.199: TPLUS(00000FE3)/1/READ/FF97AEA8C0: timed out
Nov 21 18:40:11.199: TPLUS: Authentication start packet created for 4067(rancid)
Nov 21 18:40:11.199: TPLUS(00000FE3)/1/READ/FF97AEA8C0: timed out, clean up
Nov 21 18:40:11.200: TPLUS(00000FE3) login timer stopped
Nov 21 18:40:11.200: TPLUS(00000FE3)/1/FF97AEA8C0: Processing the reply packet
Nov 21 18:40:11.200: TPLUS: Invalid Client information received as input
Nov 21 18:40:14.207: AAA/AUTHEN/LOGIN (00000FE3): Pick method list 'default'
Nov 21 18:40:14.208: TPLUS: Queuing AAA Authentication request 4067 for processing
Nov 21 18:40:14.208: TPLUS(00000FE3) login timer started 1020 sec timeout
Nov 21 18:40:14.208: TPLUS: processing authentication start request id 4067
Nov 21 18:40:14.208: TPLUS: Authentication start packet created for 4067(rancid)
Nov 21 18:40:14.209: TPLUS: Using server **tacacs server ip**
Nov 21 18:40:14.210: TPLUS(00000FE3)/1/NB_WAIT/FF97AEA8C0: Started 5 sec timeout
Nov 21 18:40:14.211: TPLUS(00000FE3)/1/NB_WAIT: socket event 2
Nov 21 18:40:14.211: T+: Version 192 (0xC0), type 1, seq 1, encryption 1, SC 0
Nov 21 18:40:14.211: T+: session_id 2016212721 (0x782CF6F1), dlen 31 (0x1F)
Nov 21 18:40:14.211: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
Nov 21 18:40:14.212: T+: svc:LOGIN user_len:6 port_len:4 (0x4) raddr_len:13 (0xD) data_len:0
Nov 21 18:40:14.212: T+: user: rancid
Nov 21 18:40:14.212: T+: port: tty2
Nov 21 18:40:14.212: T+: rem_addr: **client ip**
Nov 21 18:40:14.212: T+: data:
Nov 21 18:40:14.212: T+: End Packet
Nov 21 18:40:14.212: TPLUS(00000FE3)/1/NB_WAIT: wrote entire 43 bytes request
Nov 21 18:40:14.212: TPLUS(00000FE3)/1/READ: socket event 1
Nov 21 18:40:14.213: TPLUS(00000FE3)/1/READ: Would block while reading
Nov 21 18:40:19.211: TPLUS(00000FE3)/1/READ/FF97AEA8C0: timed out
Nov 21 18:40:19.211: TPLUS: Authentication start packet created for 4067(rancid)
Nov 21 18:40:19.211: TPLUS(00000FE3)/1/READ/FF97AEA8C0: timed out, clean up
Nov 21 18:40:19.211: TPLUS(00000FE3) login timer stopped
Nov 21 18:40:19.211: TPLUS(00000FE3)/1/FF97AEA8C0: Processing the reply packet
Nov 21 18:40:19.212: TPLUS: Invalid Client information received as input
Nov 21 18:40:26.559: AAA/BIND(00000FE4): Bind i/f
Nov 21 18:40:26.559: AAA/AUTHEN/LOGIN (00000FE4): Pick method list 'default'
Nov 21 18:40:26.560: TPLUS: Queuing AAA Authentication request 4068 for processing
Nov 21 18:40:26.560: TPLUS(00000FE4) login timer started 1020 sec timeout
Nov 21 18:40:26.560: TPLUS: processing authentication start request id 4068
Nov 21 18:40:26.561: TPLUS: Authentication start packet created for 4068(root)
Nov 21 18:40:26.561: TPLUS: Using server **tacacs server ip**
Nov 21 18:40:26.563: TPLUS(00000FE4)/1/NB_WAIT/FF97E18E08: Started 5 sec timeout
Nov 21 18:40:26.564: TPLUS(00000FE4)/1/NB_WAIT: socket event 2
Nov 21 18:40:26.565: T+: Version 192 (0xC0), type 1, seq 1, encryption 1, SC 0
Nov 21 18:40:26.565: T+: session_id 2166987313 (0x81299A31), dlen 29 (0x1D)
Nov 21 18:40:26.566: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
Nov 21 18:40:26.566: T+: svc:LOGIN user_len:4 port_len:4 (0x4) raddr_len:13 (0xD) data_len:0
Nov 21 18:40:26.566: T+: user: root
Nov 21 18:40:26.567: T+: port: tty2
Nov 21 18:40:26.567: T+: rem_addr: **client ip**
Nov 21 18:40:26.568: T+: data:
Nov 21 18:40:26.568: T+: End Packet
Nov 21 18:40:26.568: TPLUS(00000FE4)/1/NB_WAIT: wrote entire 41 bytes request
Nov 21 18:40:26.568: TPLUS(00000FE4)/1/READ: socket event 1
Nov 21 18:40:26.568: TPLUS(00000FE4)/1/READ: Would block while reading
Nov 21 18:40:31.563: TPLUS(00000FE4)/1/READ/FF97E18E08: timed out
Nov 21 18:40:31.564: TPLUS: Authentication start packet created for 4068(root)
Nov 21 18:40:31.564: TPLUS(00000FE4)/1/READ/FF97E18E08: timed out, clean up
Nov 21 18:40:31.565: TPLUS(00000FE4) login timer stopped
Nov 21 18:40:31.565: TPLUS(00000FE4)/1/FF97E18E08: Processing the reply packet
Nov 21 18:40:31.566: TPLUS: Invalid Client information received as input
Nov 21 18:40:34.496: T+: Version 192 (0xC0), type 2, seq 1, encryption 1, SC 0
Nov 21 18:40:34.496: T+: session_id 235734674 (0xE0D0692), dlen 48 (0x30)
Nov 21 18:40:34.496: T+: AUTHOR, priv_lvl:1, authen:1 method:local
Nov 21 18:40:34.497: T+: svc:1 user_len:4 port_len:4 rem_addr_len:13 arg_cnt:2
Nov 21 18:40:34.497: T+: user: root
Nov 21 18:40:34.497: T+: port: tty2
Nov 21 18:40:34.497: T+: rem_addr: **client ip**
Nov 21 18:40:34.497: T+: arg[0]: size:13 service=shell
Nov 21 18:40:34.497: T+: arg[1]: size:4 cmd*
Nov 21 18:40:34.497: T+: End Packet
Nov 21 18:40:39.494: TPLUS(00000FE4) login timer stopped
Nov 21 18:40:39.497: TPLUS: Invalid Client information received as input
Nov 21 18:42:03.191: TPLUS: Client is not responding Forcefully closing the socket
Nov 21 18:42:03.191: TPLUS: Details of client session
Nov 21 18:42:03.191: Client PID : 393
Nov 21 18:42:03.191: Allocator PC : 0
Nov 21 18:42:03.192: Transaction Type : Authentication
Nov 21 18:42:03.192: Transaction Status : GET_PASSWORD
Nov 21 18:42:03.192: Service : none
Nov 21 18:42:03.192: Protocol : none

On Tue, Nov 21, 2017 at 12:50 PM, heasley wrote:
> Tue, Nov 21, 2017 at 09:42:09AM -0500, Andrew Villano:
> > Removed -L since that was adding a bunch of noise.
> >
> > Found something worth mentioning when adding -d256:
> >
> > **client ip**: Illegal major version specified: found 97 wanted 192
> > **client ip**: disconnect
>
> yeah, weird. the debug o/p looks normal to me.
>
> > Turned on debug aaa authentication and debug tacacs authentication:
> >
> > Nov 21 14:36:49.113: TPLUS(00000FE0)/1/READ/FF96035DF8: timed out
> > Nov 21 14:36:49.113: TPLUS: Authentication start packet created for 4064(rancid)
> > Nov 21 14:36:49.113: TPLUS(00000FE0)/1/READ/FF96035DF8: timed out, clean up
> > Nov 21 14:36:49.113: TPLUS(00000FE0) login timer stopped
> > Nov 21 14:36:49.113: TPLUS(00000FE0)/1/FF96035DF8: Processing the reply packet
> > Nov 21 14:36:49.114: TPLUS: Invalid Client information received as input
> > Nov 21 14:36:52.119: AAA/AUTHEN/LOGIN (00000FE0): Pick method list 'default'
> > Nov 21 14:36:52.120: TPLUS: Queuing AAA Authentication request 4064 for processing
> > Nov 21 14:36:52.120: TPLUS(00000FE0) login timer started 1020 sec timeout
> > Nov 21 14:36:52.120: TPLUS: processing authentication start request id 4064
> > Nov 21 14:36:52.120: TPLUS: Authentication start packet created for 4064(rancid)
> > Nov 21 14:36:52.121: TPLUS: Using server **tacacs server**
> > Nov 21 14:36:52.122: TPLUS(00000FE0)/1/NB_WAIT/FF97B1F858: Started 5 sec timeout
> > Nov 21 14:36:52.125: TPLUS(00000FE0)/1/NB_WAIT: socket event 2
> > Nov 21 14:36:52.126: TPLUS(00000FE0)/1/NB_WAIT: wrote entire 43 bytes request
> > Nov 21 14:36:52.126: TPLUS(00000FE0)/1/READ: socket event 1
> > Nov 21 14:36:52.127: TPLUS(00000FE0)/1/READ: Would block while reading
> > Nov 21 14:36:57.122: TPLUS(00000FE0)/1/READ/FF97B1F858: timed out
>
> why did it timeout. do you have filters somewhere that are interfering?
> or perhaps a routing problem or duplicate address? maybe add aaa packet
> debugging.
>
> > Nov 21 14:36:57.122: TPLUS: Authentication start packet created for 4064(rancid)
> > Nov 21 14:36:57.123: TPLUS(00000FE0)/1/READ/FF97B1F858: timed out, clean up
> > Nov 21 14:36:57.123: TPLUS(00000FE0) login timer stopped
> > Nov 21 14:36:57.123: TPLUS(00000FE0)/1/FF97B1F858: Processing the reply packet
> > Nov 21 14:36:57.124: TPLUS: Invalid Client information received as input
> >
> >
> >
> > On Mon, Nov 20, 2017 at 8:56 PM, heasley wrote:
> >
> > > Mon, Nov 20, 2017 at 02:21:53PM -0700, Daniel Schmidt:
> > > > wild guess:
> > > >
> > > > try adding pap = cleartext "blahblahblah"
> > > >
> > >
> > > yeah, or try it with -d 8 -d 256. find the service type, because this
> > > is weird:
> > >
> > > > > Nov 20 15:43:09.240: TPLUS: Details of client session
> > > > > Nov 20 15:43:09.240: Client PID : 502
> > > > > Nov 20 15:43:09.240: Allocator PC : 0
> > > > > Nov 20 15:43:09.240: Transaction Type : Authentication
> > > > > Nov 20 15:43:09.240: Transaction Status : GET_PASSWORD
> > > > > Nov 20 15:43:09.240: Service : none <<<<<<<<<<<<<<
> > > > > Nov 20 15:43:09.240: Protocol : none
> > > > > Nov 20 15:47:59.067: TPLUS(00000FCA) login timer stopped
> > > > > Nov 20 15:47:59.067: TPLUS(00000FCA)/0/None: Started 120 sec timeout
> > > ^ wonder what the 0 is.
> > >
> > >

From heas at shrubbery.net Tue Nov 21 22:00:22 2017
From: heas at shrubbery.net (heasley)
Date: Tue, 21 Nov 2017 22:00:22 +0000
Subject: [tac_plus] Tac Plus Auth Error with IOS 16
In-Reply-To:
References: <20171121015657.GG38448@shrubbery.net> <20171121175021.GC14583@shrubbery.net>
Message-ID: <20171121220022.GA22989@shrubbery.net>

Tue, Nov 21, 2017 at 03:25:06PM -0500, Andrew Villano:
> Found the problem. Special characters are not tolerated in passwords.

in do_auth? not sure what you mean by special characters; be more specific.
From andrew.villano at gmail.com Tue Nov 21 22:28:51 2017
From: andrew.villano at gmail.com (Andrew Villano)
Date: Tue, 21 Nov 2017 17:28:51 -0500
Subject: [tac_plus] Tac Plus Auth Error with IOS 16
In-Reply-To: <20171121220022.GA22989@shrubbery.net>
References: <20171121015657.GG38448@shrubbery.net> <20171121175021.GC14583@shrubbery.net> <20171121220022.GA22989@shrubbery.net>
Message-ID:

Certain special characters (I've noticed [ @; ] ) are not tolerated as a user password in tac_plus.conf. When I change the system password for rancid [user] (which tac_plus.conf reads from) to something without special characters (e.g. [A-z0-9] ), I'm able to log in without a problem. It can't be rancid [application] either because I get consistent experiences with interactive ssh login.

On Tue, Nov 21, 2017 at 5:00 PM, heasley wrote:

> Tue, Nov 21, 2017 at 03:25:06PM -0500, Andrew Villano:
> > Found the problem. Special characters are not tolerated in passwords.
>
> in do_auth? not sure what you mean by special characters; be more
> specific.
>

From heas at shrubbery.net Tue Nov 21 22:49:30 2017
From: heas at shrubbery.net (heasley)
Date: Tue, 21 Nov 2017 22:49:30 +0000
Subject: [tac_plus] Tac Plus Auth Error with IOS 16
In-Reply-To:
References: <20171121015657.GG38448@shrubbery.net> <20171121175021.GC14583@shrubbery.net> <20171121220022.GA22989@shrubbery.net>
Message-ID: <20171121224930.GB22989@shrubbery.net>

Tue, Nov 21, 2017 at 05:28:51PM -0500, Andrew Villano:
> Certain special characters (I've noticed [ @; ] ) are not tolerated as a
> user password in tac_plus.conf. When I change the system password for
> rancid [user] (which tac_plus.conf reads from) to something without special
> characters (e.g. [A-z0-9] ), I'm able to log in without a problem. It can't
> be rancid [application] either because I get consistent experiences with
> interactive ssh login.

have you quoted those? "foo@bar:"

> On Tue, Nov 21, 2017 at 5:00 PM, heasley wrote:
>
> > Tue, Nov 21, 2017 at 03:25:06PM -0500, Andrew Villano:
> > > Found the problem. Special characters are not tolerated in passwords.
> >
> > in do_auth? not sure what you mean by special characters; be more
> > specific.
> >

From andrew.villano at gmail.com Tue Nov 21 23:35:39 2017
From: andrew.villano at gmail.com (Andrew Villano)
Date: Tue, 21 Nov 2017 18:35:39 -0500
Subject: [tac_plus] Tac Plus Auth Error with IOS 16
In-Reply-To: <20171121224930.GB22989@shrubbery.net>
References: <20171121015657.GG38448@shrubbery.net> <20171121175021.GC14583@shrubbery.net> <20171121220022.GA22989@shrubbery.net> <20171121224930.GB22989@shrubbery.net>
Message-ID:

I'm using file authentication, it should be reading directly from /etc/passwd. The password does not contain quotes.

On Nov 21, 2017 5:49 PM, "heasley" wrote:

> Tue, Nov 21, 2017 at 05:28:51PM -0500, Andrew Villano:
> > Certain special characters (I've noticed [ @; ] ) are not tolerated as a
> > user password in tac_plus.conf. When I change the system password for
> > rancid [user] (which tac_plus.conf reads from) to something without
> > special characters (e.g. [A-z0-9] ), I'm able to log in without a problem.
> > It can't be rancid [application] either because I get consistent
> > experiences with interactive ssh login.
>
> have you quoted those? "foo@bar:"
>
> > On Tue, Nov 21, 2017 at 5:00 PM, heasley wrote:
> >
> > > Tue, Nov 21, 2017 at 03:25:06PM -0500, Andrew Villano:
> > > > Found the problem. Special characters are not tolerated in passwords.
> > >
> > > in do_auth? not sure what you mean by special characters; be more
> > > specific.
> > >

From heas at shrubbery.net Tue Nov 21 23:48:31 2017
From: heas at shrubbery.net (heasley)
Date: Tue, 21 Nov 2017 23:48:31 +0000
Subject: [tac_plus] Tac Plus Auth Error with IOS 16
In-Reply-To:
References: <20171121015657.GG38448@shrubbery.net> <20171121175021.GC14583@shrubbery.net> <20171121220022.GA22989@shrubbery.net> <20171121224930.GB22989@shrubbery.net>
Message-ID: <20171121234831.GC22989@shrubbery.net>

Tue, Nov 21, 2017 at 06:35:39PM -0500, Andrew Villano:
> I'm using file authentication, it should be reading directly from
> /etc/passwd. The password does not contain quotes.

Then this would be a problem with your system libraries or whatever you used to create the password hash. because tacacs should be using the system lib to read the file. what is the o/s?

> On Nov 21, 2017 5:49 PM, "heasley" wrote:
>
> > Tue, Nov 21, 2017 at 05:28:51PM -0500, Andrew Villano:
> > > Certain special characters (I've noticed [ @; ] ) are not tolerated as a
> > > user password in tac_plus.conf. When I change the system password for
> > > rancid [user] (which tac_plus.conf reads from) to something without
> > > special characters (e.g. [A-z0-9] ), I'm able to log in without a problem.
> > > It can't be rancid [application] either because I get consistent
> > > experiences with interactive ssh login.
> >
> > have you quoted those? "foo@bar:"
> >
> > > On Tue, Nov 21, 2017 at 5:00 PM, heasley wrote:
> > >
> > > > Tue, Nov 21, 2017 at 03:25:06PM -0500, Andrew Villano:
> > > > > Found the problem. Special characters are not tolerated in passwords.
> > > >
> > > > in do_auth? not sure what you mean by special characters; be more
> > > > specific.
> > > >

From andrew.villano at gmail.com Tue Nov 21 23:49:35 2017
From: andrew.villano at gmail.com (Andrew Villano)
Date: Tue, 21 Nov 2017 18:49:35 -0500
Subject: [tac_plus] Tac Plus Auth Error with IOS 16
In-Reply-To: <20171121234831.GC22989@shrubbery.net>
References: <20171121015657.GG38448@shrubbery.net> <20171121175021.GC14583@shrubbery.net> <20171121220022.GA22989@shrubbery.net> <20171121224930.GB22989@shrubbery.net> <20171121234831.GC22989@shrubbery.net>
Message-ID:

Fedora 26

On Nov 21, 2017 6:48 PM, "heasley" wrote:

Tue, Nov 21, 2017 at 06:35:39PM -0500, Andrew Villano:
> I'm using file authentication, it should be reading directly from
> /etc/passwd. The password does not contain quotes.

Then this would be a problem with your system libraries or whatever you used
to create the password hash. because tacacs should be using the system lib
to read the file. what is the o/s?

> On Nov 21, 2017 5:49 PM, "heasley" wrote:
>
> > Tue, Nov 21, 2017 at 05:28:51PM -0500, Andrew Villano:
> > > Certain special characters (I've noticed [ @; ] ) are not tolerated as a
> > > user password in tac_plus.conf. When I change the system password for
> > > rancid [user] (which tac_plus.conf reads from) to something without
> > > special characters (e.g. [A-z0-9] ), I'm able to log in without a problem.
> > > It can't be rancid [application] either because I get consistent
> > > experiences with interactive ssh login.
> >
> > have you quoted those? "foo@bar:"
> >
> > > On Tue, Nov 21, 2017 at 5:00 PM, heasley wrote:
> > >
> > > > Tue, Nov 21, 2017 at 03:25:06PM -0500, Andrew Villano:
> > > > > Found the problem. Special characters are not tolerated in passwords.
> > > >
> > > > in do_auth? not sure what you mean by special characters; be more
> > > > specific.
> > > >

From heas at shrubbery.net Wed Nov 22 01:20:44 2017
From: heas at shrubbery.net (heasley)
Date: Wed, 22 Nov 2017 01:20:44 +0000
Subject: [tac_plus] Tac Plus Auth Error with IOS 16
In-Reply-To:
References: <20171121175021.GC14583@shrubbery.net> <20171121220022.GA22989@shrubbery.net> <20171121224930.GB22989@shrubbery.net> <20171121234831.GC22989@shrubbery.net>
Message-ID: <20171122012044.GG22989@shrubbery.net>

Tue, Nov 21, 2017 at 06:49:35PM -0500, Andrew Villano:
> Fedora 26

Hmm, I'd expect that would be working properly. if you could login to the system using the passwd (or su/sudo), then tacacs too should have worked. Maybe the device is not sending those characters; which would appear in the tacacs packet debug output. I'm having a bit of deja vu though; have you searched the archive about this problem?
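The IOS debug output earlier in the thread prints the TACACS+ header fields (Version 192 (0xC0), type, seq, session_id, dlen) and the START body fields (user_len:4, port_len:4, raddr_len:13, data_len:0 for a 29-byte body, 41 bytes on the wire), and the server-side log shows what happens when the version byte is wrong ("Illegal major version specified: found 97 wanted 192"; 97 is ASCII 'a'). The decoder below is an added example for this thread, not code from tac_plus, do_auth or any list member: it follows the RFC 8907 packet layout, applies the same major-version check the server log describes, and decodes the START body so the exact bytes a device sent for user/port/rem_addr/data can be inspected, which is what the last message suggests checking. The session id is taken from the debug log; the rem_addr, shared key and the ASCII-junk sample are constructed. Bodies are de-obfuscated with the RFC 8907 MD5 keystream, so the shared key is needed to read them; a wrong key produces garbage that almost always trips the length consistency check instead of returning misleading fields.

```python
"""Decode a TACACS+ header and Authentication START body (RFC 8907 layout).

Added example; not tac_plus code. Sample values are constructed."""
import hashlib
import struct
from dataclasses import astuple, dataclass

# RFC 8907 constants (assumed from the spec, not quoted from the thread).
TAC_PLUS_MAJOR_VER = 0xC0          # 192 decimal: the "wanted 192" in the log
TAC_PLUS_MAJOR_VER_MASK = 0xF0
TAC_PLUS_MINOR_VER_DEFAULT = 0x00
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 0x01, 0x02, 0x03
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01

HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length
# START body fixed part: action, priv_lvl, authen_type, authen_service,
# user_len, port_len, rem_addr_len, data_len
START_FIXED = struct.Struct("!8B")


@dataclass
class Header:
    version: int
    type: int
    seq_no: int
    flags: int
    session_id: int
    length: int


def parse_header(pkt: bytes) -> Header:
    """Decode the 12-byte header; the error text mirrors the server log line."""
    if len(pkt) < HEADER.size:
        raise ValueError("short packet: %d bytes" % len(pkt))
    hdr = Header(*HEADER.unpack_from(pkt))
    if (hdr.version & TAC_PLUS_MAJOR_VER_MASK) != TAC_PLUS_MAJOR_VER:
        raise ValueError("Illegal major version specified: found %d wanted %d"
                         % (hdr.version, TAC_PLUS_MAJOR_VER))
    if hdr.type not in (TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT):
        raise ValueError("unknown packet type %d" % hdr.type)
    return hdr


def pseudo_pad(hdr: Header, key: bytes, length: int) -> bytes:
    """RFC 8907 4.5 keystream: chained MD5(session_id, key, version, seq_no[, prev])."""
    seed = struct.pack("!I", hdr.session_id) + key + bytes([hdr.version, hdr.seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(hdr: Header, key: bytes, body: bytes) -> bytes:
    """XOR the body with the keystream (self-inverse); unencrypted bodies pass through."""
    if hdr.flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return bytes(a ^ b for a, b in zip(body, pseudo_pad(hdr, key, len(body))))


def build_authen_start(session_id: int, user: str, port: str, rem_addr: str,
                       key: bytes = b"", priv_lvl: int = 1) -> bytes:
    """Assemble a login START packet of the shape the IOS debug shows."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = START_FIXED.pack(TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                            TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), 0)
    body += u + p + r
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    hdr = Header(TAC_PLUS_MAJOR_VER | TAC_PLUS_MINOR_VER_DEFAULT, TAC_PLUS_AUTHEN,
                 1, flags, session_id, len(body))
    return HEADER.pack(*astuple(hdr)) + obfuscate(hdr, key, body)


def parse_authen_start(pkt: bytes, key: bytes = b"") -> dict:
    """Decode a START packet into the fields the IOS debug prints."""
    hdr = parse_header(pkt)
    if hdr.type != TAC_PLUS_AUTHEN:
        raise ValueError("not an authentication packet")
    body = pkt[HEADER.size:]
    if len(body) != hdr.length:
        raise ValueError("length field %d, body %d bytes" % (hdr.length, len(body)))
    body = obfuscate(hdr, key, body)
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = START_FIXED.unpack_from(body)
    if START_FIXED.size + ul + pl + rl + dl != len(body):
        raise ValueError("field lengths do not add up to the body length (bad key?)")
    fields, pos = [], START_FIXED.size
    for n in (ul, pl, rl, dl):
        fields.append(body[pos:pos + n])
        pos += n
    user, port, rem_addr, data = fields
    return {"session_id": hdr.session_id, "action": action, "priv_lvl": priv_lvl,
            "authen_type": authen_type, "service": service,
            "user": user.decode(errors="replace"), "port": port.decode(errors="replace"),
            "rem_addr": rem_addr.decode(errors="replace"), "data": data}


if __name__ == "__main__":
    KEY = b"constructed-shared-secret"                # constructed, not from the thread
    pkt = build_authen_start(0x81299A31, "root", "tty2", "198.51.100.10", key=KEY)
    print(len(pkt), "bytes on the wire")             # 41, matching the debug log
    print(parse_authen_start(pkt, KEY))
    try:
        parse_header(b"abcdefghijkl")                # ASCII text, not a TACACS+ header
    except ValueError as err:
        print(err)
```

Run against a real capture, the decoder needs the device's shared key because the body is never sent in clear unless the unencrypted flag is set; the header check alone needs no key, which is why the server can log the bad version byte before anything else.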