[tac_plus] Tac Plus Auth Error with IOS 16
Andrew Villano
andrew.villano at gmail.com
Mon Nov 20 15:54:40 UTC 2017
I have a switch that I recently upgraded to IOS XE 16 (Everest) from 3.x.x.
It is the only switch that will not authenticate to TACACS. It does allow
local authentication, and I do see traffic during those exchanges.
tac_plus.conf is set up to do file authentication from /etc/passwd.
This is the debug log I pulled during the failure:
Reading config
Version F4.0.4.28 Initialized 1
tac_plus server F4.0.4.28 starting
socket FD 4 AF 2
socket FD 5 AF 10
uid=0 euid=0 gid=0 egid=0 s=37962240
connect from cidf-06a.nyed.circ2.dcn [10.99.99.166]
cfg_get_hvalue: name=10.99.99.166 attr=key
cfg_get_hvalue: no host named 10.99.99.166
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
cfg_get_phvalue: returns NULL
cfg_get_value: name=rancid isuser=1 attr=login rec=1
cfg_get_value: recurse group = rancid
cfg_get_pvalue: returns NULL
cfg_get_value: name=rancid isuser=1 attr=login rec=1
cfg_get_value: recurse group = rancid
cfg_get_pvalue: returns NULL
cfg_get_value: name=rancid isuser=1 attr=nopassword rec=1
cfg_get_value: recurse group = rancid
cfg_get_intvalue: returns 0
cfg_get_value: name=rancid isuser=1 attr=login rec=1
cfg_get_value: recurse group = rancid
cfg_get_pvalue: returns NULL
cfg_get_hvalue: name=10.99.99.166 attr=key
cfg_get_hvalue: no host named 10.99.99.166
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
cfg_get_phvalue: returns NULL
cidf-06a.nyed.circ2.dcn tty2: fd 6 eof (connection closed)
Read -1 bytes from cidf-06a.nyed.circ2.dcn tty2, expecting 12
cidf-06a.nyed.circ2.dcn tty2: Null reply packet, expecting CONTINUE
connect from cidf-06a.nyed.circ2.dcn [10.99.99.166]
cfg_get_hvalue: name=10.99.99.166 attr=key
cfg_get_hvalue: no host named 10.99.99.166
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
cfg_get_phvalue: returns NULL
cfg_get_value: name=rancid isuser=1 attr=login rec=1
cfg_get_value: recurse group = rancid
cfg_get_pvalue: returns NULL
cfg_get_value: name=rancid isuser=1 attr=login rec=1
cfg_get_value: recurse group = rancid
cfg_get_pvalue: returns NULL
cfg_get_value: name=rancid isuser=1 attr=nopassword rec=1
cfg_get_value: recurse group = rancid
cfg_get_intvalue: returns 0
cfg_get_value: name=rancid isuser=1 attr=login rec=1
cfg_get_value: recurse group = rancid
cfg_get_pvalue: returns NULL
cfg_get_hvalue: name=10.99.99.166 attr=key
cfg_get_hvalue: no host named 10.99.99.166
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
cfg_get_phvalue: returns NULL
cidf-06a.nyed.circ2.dcn tty2: fd 6 eof (connection closed)
Read -1 bytes from cidf-06a.nyed.circ2.dcn tty2, expecting 12
cidf-06a.nyed.circ2.dcn tty2: Null reply packet, expecting CONTINUE
connect from cidf-06a.nyed.circ2.dcn [10.99.99.166]
cfg_get_hvalue: name=10.99.99.166 attr=key
cfg_get_hvalue: no host named 10.99.99.166
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
cfg_get_phvalue: returns NULL
cfg_get_value: name=rancid isuser=1 attr=login rec=1
cfg_get_value: recurse group = rancid
cfg_get_pvalue: returns NULL
cfg_get_value: name=rancid isuser=1 attr=login rec=1
cfg_get_value: recurse group = rancid
cfg_get_pvalue: returns NULL
cfg_get_value: name=rancid isuser=1 attr=nopassword rec=1
cfg_get_value: recurse group = rancid
cfg_get_intvalue: returns 0
cfg_get_value: name=rancid isuser=1 attr=login rec=1
cfg_get_value: recurse group = rancid
cfg_get_pvalue: returns NULL
cfg_get_hvalue: name=10.99.99.166 attr=key
cfg_get_hvalue: no host named 10.99.99.166
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
cfg_get_phvalue: returns NULL
cidf-06a.nyed.circ2.dcn tty2: fd 6 eof (connection closed)
Read -1 bytes from cidf-06a.nyed.circ2.dcn tty2, expecting 12
cidf-06a.nyed.circ2.dcn tty2: Null reply packet, expecting CONTINUE
connect from cidf-06a.nyed.circ2.dcn [10.99.99.166]
//successful connection//
cfg_get_hvalue: name=10.99.99.166 attr=key
cfg_get_hvalue: no host named 10.99.99.166
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
cfg_get_phvalue: returns NULL
cfg_get_value: name=root isuser=1 attr=login rec=1
cfg_get_value: recurse group = admins
cfg_get_pvalue: returns NULL
cfg_get_value: name=root isuser=1 attr=login rec=1
cfg_get_value: recurse group = admins
cfg_get_pvalue: returns NULL
cfg_get_value: name=root isuser=1 attr=nopassword rec=1
cfg_get_value: recurse group = admins
cfg_get_intvalue: returns 0
cfg_get_value: name=root isuser=1 attr=login rec=1
cfg_get_value: recurse group = admins
cfg_get_pvalue: returns NULL
cfg_get_hvalue: name=10.99.99.166 attr=key
cfg_get_hvalue: no host named 10.99.99.166
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
cfg_get_phvalue: returns NULL
cidf-06a.nyed.circ2.dcn tty2: fd 6 eof (connection closed)
Read -1 bytes from cidf-06a.nyed.circ2.dcn tty2, expecting 12
cidf-06a.nyed.circ2.dcn tty2: Null reply packet, expecting CONTINUE
connect from cidf-06a.nyed.circ2.dcn [10.99.99.166]
cfg_get_hvalue: name=10.99.99.166 attr=key
cfg_get_hvalue: no host named 10.99.99.166
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
cfg_get_phvalue: returns NULL
cfg_get_value: name=root isuser=1 attr=acl rec=1
cfg_get_value: recurse group = admins
cfg_get_pvalue: returns NULL
cfg_get_value: name=root isuser=1 attr=before rec=1
cfg_get_value: recurse group = admins
cfg_get_pvalue: returns NULL
cfg_get_svc_node: username=root N_svc_exec proto= svcname= rec=1
cfg_get_svc_node: recurse group = admins
cfg_get_svc_node: found N_svc_exec proto= svcname=
cfg_get_svc_node: username=root N_svc_exec proto= svcname= rec=1
cfg_get_svc_node: recurse group = admins
cfg_get_svc_node: found N_svc_exec proto= svcname=
cfg_get_value: name=root isuser=1 attr=after rec=1
cfg_get_value: recurse group = admins
cfg_get_pvalue: returns NULL
cfg_get_hvalue: name=10.99.99.166 attr=key
cfg_get_hvalue: no host named 10.99.99.166
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
cfg_get_phvalue: returns NULL
Debug from the Switch:
Nov 20 15:43:09.239: TPLUS: Client is not responding Forcefully closing the
socket
Nov 20 15:43:09.240: TPLUS: Details of client session
Nov 20 15:43:09.240: Client PID : 502
Nov 20 15:43:09.240: Allocator PC : 0
Nov 20 15:43:09.240: Transaction Type : Authentication
Nov 20 15:43:09.240: Transaction Status : GET_PASSWORD
Nov 20 15:43:09.240: Service : none
Nov 20 15:43:09.240: Protocol : none
Nov 20 15:47:59.067: TPLUS(00000FCA) login timer stopped
Nov 20 15:47:59.067: TPLUS(00000FCA)/0/None: Started 120 sec timeout
Nov 20 15:48:02.055: TPLUS(00000FCA) login timer stopped
Nov 20 15:48:02.055: TPLUS(00000FCA)/1/None: Started 120 sec timeout
Nov 20 15:48:10.509: TPLUS: Ignore unknown socket 0
Nov 20 15:48:10.511: TPLUS: Ignore unknown socket 1
Nov 20 15:48:17.445: TPLUS(00000FCA)/1/IDLE/FF97E186F0: AAA id is not
matching between 1 (00000000)
Nov 20 15:48:17.445: TPLUS(00000FCA) login timer stopped
Nov 20 15:48:17.445: TPLUS(00000000)/1/None: Timer Stoped
Nov 20 15:48:19.462: TPLUS(00000FCA) login timer stopped
Nov 20 15:48:19.462: TPLUS(00000FCA)/0/None: Started 120 sec timeout
Nov 20 15:48:50.072: TPLUS(00000FCB) login timer stopped
Nov 20 15:48:50.073: TPLUS: Invalid Client information received as input
Nov 20 15:48:59.169: TPLUS(00000FCB) login timer stopped
Nov 20 15:48:59.170: TPLUS: Invalid Client information received as input
Nov 20 15:49:19.976: TPLUS(00000FCC) login timer stopped
Nov 20 15:49:19.977: TPLUS: Invalid Client information received as input
Nov 20 15:49:27.798: TPLUS(00000FCC) login timer stopped
Nov 20 15:49:27.799: TPLUS: Invalid Client information received as input
Tac_plus.conf:
key = stuffgoeshere
default authentication = file /etc/passwd
accounting file = /var/log/tac_plus.acct
user = $enable$ {
    login = cleartext "blahblahblah"
}
user = rancid {
    member = rancid
}
user = root {
    member = admins
}
group = admins {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}
group = rancid {
    default service = deny
    service = exec {
        priv-lvl = 15
    }
    cmd = write {
        permit .*
    }
    cmd = dir {
        permit .*
    }
    cmd = copy {
        permit running-config
    }
    cmd = show {
        permit .*
    }
    cmd = terminal {
        permit length
    }
    cmd = enable {
        permit .*
    }
    cmd = exit {
        permit .*
    }
    cmd = admin {
        permit .*
    }
    cmd = more {
        permit .*
    }
}
do_auth.conf:
[users]
root =
    vdxgroup
admin =
    vdxgroup
rancid =
    vdxgroup
[vdxgroup]
host_allow =
    .*
device_permit =
    .*
command_permit =
    .*
av_pairs =
    priv-lvl=15
    shell:roles="network-admin"
Thanks in advance.
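The tac_plus debug above ends each attempt with "Read -1 bytes ..., expecting 12" and "Null reply packet, expecting CONTINUE": the server had answered the START with a GETPASS reply and was waiting for the 12-byte header of the client's CONTINUE packet when the switch closed the connection (the switch side shows the same session stuck in GET_PASSWORD). The following added example, which is not from the original post or from tac_plus, parses that fixed TACACS+ header and de-obfuscates a reply body with the shared key as RFC 8907 specifies; the key, session id and prompt are constructed values.

```python
"""TACACS+ (RFC 8907) header parsing and body de-obfuscation, added as an
illustrative example (not from the original post or from tac_plus). The fixed
12-byte header is the "12" in "Read -1 bytes ..., expecting 12"."""
import hashlib
import struct

HEADER_LEN = 12
HEADER_FMT = "!BBBBII"  # version, type, seq_no, flags, session_id, length
AUTHEN_STATUS = {0x01: "PASS", 0x02: "FAIL", 0x04: "GETUSER", 0x05: "GETPASS"}

def parse_header(raw):
    """Decode the fixed header; a short read means the peer closed early."""
    if len(raw) < HEADER_LEN:
        raise ValueError(f"Read {len(raw)} bytes, expecting {HEADER_LEN}")
    fields = struct.unpack(HEADER_FMT, raw[:HEADER_LEN])
    return dict(zip(("version", "type", "seq_no", "flags", "session_id",
                     "length"), fields))

def pseudo_pad(hdr, key, length):
    """RFC 8907 4.5: chained MD5(session_id | key | version | seq_no | prev)."""
    prefix = (struct.pack("!I", hdr["session_id"]) + key
              + bytes([hdr["version"], hdr["seq_no"]]))
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def xor_body(hdr, body, key):
    """Obfuscate or de-obfuscate the body (XOR is its own inverse)."""
    return bytes(a ^ b for a, b in zip(body, pseudo_pad(hdr, key, len(body))))

def build_authen_reply(session_id, seq_no, status, server_msg, key):
    """Server -> client authentication REPLY as it appears on the wire."""
    body = struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg
    hdr = {"version": 0xC0, "type": 0x01, "seq_no": seq_no, "flags": 0,
           "session_id": session_id, "length": len(body)}
    return struct.pack(HEADER_FMT, *hdr.values()) + xor_body(hdr, body, key)

def decode_authen_reply(raw, key):
    """Parse a wire REPLY and report which client seq_no must follow it."""
    hdr = parse_header(raw)
    body = xor_body(hdr, raw[HEADER_LEN:HEADER_LEN + hdr["length"]], key)
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return {"status": AUTHEN_STATUS.get(status, hex(status)),
            "server_msg": body[6:6 + msg_len].decode(),
            "expect_next_seq": hdr["seq_no"] + 1}  # GETPASS at 2 -> CONTINUE at 3
```

Feeding an empty read into parse_header reproduces the server-side failure mode seen in the log: the session cannot progress past GETPASS, and the next packet the server expected (CONTINUE, seq_no 3) never arrives.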