[tac_plus] Tac Plus Auth Error with IOS 16

Andrew Villano andrew.villano at gmail.com
Mon Nov 20 15:54:40 UTC 2017


I have a switch that I recently upgraded to IOS XE 16 (Everest) from 3.x.x.
It is the only switch that will not authenticate to tacacs. It does allow
local authentication and I do see traffic during those exchanges.
tac_plus.conf is set up to do file authentication from /etc/passwd.

This is the debug log I pulled during the failure:

Reading config
Version F4.0.4.28 Initialized 1
tac_plus server F4.0.4.28 starting
socket FD 4 AF 2
socket FD 5 AF 10
uid=0 euid=0 gid=0 egid=0 s=37962240
connect from cidf-06a.nyed.circ2.dcn [10.99.99.166]
cfg_get_hvalue: name=10.99.99.166 attr=key
cfg_get_hvalue: no host named 10.99.99.166
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
cfg_get_phvalue: returns NULL
cfg_get_value: name=rancid isuser=1 attr=login rec=1
cfg_get_value: recurse group = rancid
cfg_get_pvalue: returns NULL
cfg_get_value: name=rancid isuser=1 attr=login rec=1
cfg_get_value: recurse group = rancid
cfg_get_pvalue: returns NULL
cfg_get_value: name=rancid isuser=1 attr=nopassword rec=1
cfg_get_value: recurse group = rancid
cfg_get_intvalue: returns 0
cfg_get_value: name=rancid isuser=1 attr=login rec=1
cfg_get_value: recurse group = rancid
cfg_get_pvalue: returns NULL
cfg_get_hvalue: name=10.99.99.166 attr=key
cfg_get_hvalue: no host named 10.99.99.166
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
cfg_get_phvalue: returns NULL
cidf-06a.nyed.circ2.dcn tty2: fd 6 eof (connection closed)
Read -1 bytes from cidf-06a.nyed.circ2.dcn tty2, expecting 12
cidf-06a.nyed.circ2.dcn tty2: Null reply packet, expecting CONTINUE
connect from cidf-06a.nyed.circ2.dcn [10.99.99.166]
cfg_get_hvalue: name=10.99.99.166 attr=key
cfg_get_hvalue: no host named 10.99.99.166
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
cfg_get_phvalue: returns NULL
cfg_get_value: name=rancid isuser=1 attr=login rec=1
cfg_get_value: recurse group = rancid
cfg_get_pvalue: returns NULL
cfg_get_value: name=rancid isuser=1 attr=login rec=1
cfg_get_value: recurse group = rancid
cfg_get_pvalue: returns NULL
cfg_get_value: name=rancid isuser=1 attr=nopassword rec=1
cfg_get_value: recurse group = rancid
cfg_get_intvalue: returns 0
cfg_get_value: name=rancid isuser=1 attr=login rec=1
cfg_get_value: recurse group = rancid
cfg_get_pvalue: returns NULL
cfg_get_hvalue: name=10.99.99.166 attr=key
cfg_get_hvalue: no host named 10.99.99.166
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
cfg_get_phvalue: returns NULL
cidf-06a.nyed.circ2.dcn tty2: fd 6 eof (connection closed)
Read -1 bytes from cidf-06a.nyed.circ2.dcn tty2, expecting 12
cidf-06a.nyed.circ2.dcn tty2: Null reply packet, expecting CONTINUE
connect from cidf-06a.nyed.circ2.dcn [10.99.99.166]
cfg_get_hvalue: name=10.99.99.166 attr=key
cfg_get_hvalue: no host named 10.99.99.166
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
cfg_get_phvalue: returns NULL
cfg_get_value: name=rancid isuser=1 attr=login rec=1
cfg_get_value: recurse group = rancid
cfg_get_pvalue: returns NULL
cfg_get_value: name=rancid isuser=1 attr=login rec=1
cfg_get_value: recurse group = rancid
cfg_get_pvalue: returns NULL
cfg_get_value: name=rancid isuser=1 attr=nopassword rec=1
cfg_get_value: recurse group = rancid
cfg_get_intvalue: returns 0
cfg_get_value: name=rancid isuser=1 attr=login rec=1
cfg_get_value: recurse group = rancid
cfg_get_pvalue: returns NULL
cfg_get_hvalue: name=10.99.99.166 attr=key
cfg_get_hvalue: no host named 10.99.99.166
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
cfg_get_phvalue: returns NULL
cidf-06a.nyed.circ2.dcn tty2: fd 6 eof (connection closed)
Read -1 bytes from cidf-06a.nyed.circ2.dcn tty2, expecting 12
cidf-06a.nyed.circ2.dcn tty2: Null reply packet, expecting CONTINUE
connect from cidf-06a.nyed.circ2.dcn [10.99.99.166]

//successful connection//

cfg_get_hvalue: name=10.99.99.166 attr=key
cfg_get_hvalue: no host named 10.99.99.166
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
cfg_get_phvalue: returns NULL
cfg_get_value: name=root isuser=1 attr=login rec=1
cfg_get_value: recurse group = admins
cfg_get_pvalue: returns NULL
cfg_get_value: name=root isuser=1 attr=login rec=1
cfg_get_value: recurse group = admins
cfg_get_pvalue: returns NULL
cfg_get_value: name=root isuser=1 attr=nopassword rec=1
cfg_get_value: recurse group = admins
cfg_get_intvalue: returns 0
cfg_get_value: name=root isuser=1 attr=login rec=1
cfg_get_value: recurse group = admins
cfg_get_pvalue: returns NULL
cfg_get_hvalue: name=10.99.99.166 attr=key
cfg_get_hvalue: no host named 10.99.99.166
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
cfg_get_phvalue: returns NULL
cidf-06a.nyed.circ2.dcn tty2: fd 6 eof (connection closed)
Read -1 bytes from cidf-06a.nyed.circ2.dcn tty2, expecting 12
cidf-06a.nyed.circ2.dcn tty2: Null reply packet, expecting CONTINUE
connect from cidf-06a.nyed.circ2.dcn [10.99.99.166]
cfg_get_hvalue: name=10.99.99.166 attr=key
cfg_get_hvalue: no host named 10.99.99.166
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
cfg_get_phvalue: returns NULL
cfg_get_value: name=root isuser=1 attr=acl rec=1
cfg_get_value: recurse group = admins
cfg_get_pvalue: returns NULL
cfg_get_value: name=root isuser=1 attr=before rec=1
cfg_get_value: recurse group = admins
cfg_get_pvalue: returns NULL
cfg_get_svc_node: username=root N_svc_exec proto= svcname= rec=1
cfg_get_svc_node: recurse group = admins
cfg_get_svc_node: found N_svc_exec proto= svcname=
cfg_get_svc_node: username=root N_svc_exec proto= svcname= rec=1
cfg_get_svc_node: recurse group = admins
cfg_get_svc_node: found N_svc_exec proto= svcname=
cfg_get_value: name=root isuser=1 attr=after rec=1
cfg_get_value: recurse group = admins
cfg_get_pvalue: returns NULL
cfg_get_hvalue: name=10.99.99.166 attr=key
cfg_get_hvalue: no host named 10.99.99.166
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
cfg_get_phvalue: returns NULL



Debug from the Switch:

Nov 20 15:43:09.239: TPLUS: Client is not responding Forcefully closing the
socket
Nov 20 15:43:09.240: TPLUS: Details of client session
Nov 20 15:43:09.240:  Client PID : 502
Nov 20 15:43:09.240:  Allocator PC : 0
Nov 20 15:43:09.240:  Transaction Type : Authentication
Nov 20 15:43:09.240:  Transaction Status : GET_PASSWORD
Nov 20 15:43:09.240:  Service : none
Nov 20 15:43:09.240:  Protocol : none
Nov 20 15:47:59.067: TPLUS(00000FCA) login timer stopped
Nov 20 15:47:59.067: TPLUS(00000FCA)/0/None: Started 120 sec timeout
Nov 20 15:48:02.055: TPLUS(00000FCA) login timer stopped
Nov 20 15:48:02.055: TPLUS(00000FCA)/1/None: Started 120 sec timeout
Nov 20 15:48:10.509: TPLUS: Ignore unknown socket 0
Nov 20 15:48:10.511: TPLUS: Ignore unknown socket 1
Nov 20 15:48:17.445: TPLUS(00000FCA)/1/IDLE/FF97E186F0: AAA id is not
matching between  1 (00000000)
Nov 20 15:48:17.445: TPLUS(00000FCA) login timer stopped
Nov 20 15:48:17.445: TPLUS(00000000)/1/None: Timer Stoped
Nov 20 15:48:19.462: TPLUS(00000FCA) login timer stopped
Nov 20 15:48:19.462: TPLUS(00000FCA)/0/None: Started 120 sec timeout
Nov 20 15:48:50.072: TPLUS(00000FCB) login timer stopped
Nov 20 15:48:50.073: TPLUS: Invalid Client information received as input
Nov 20 15:48:59.169: TPLUS(00000FCB) login timer stopped
Nov 20 15:48:59.170: TPLUS: Invalid Client information received as input
Nov 20 15:49:19.976: TPLUS(00000FCC) login timer stopped
Nov 20 15:49:19.977: TPLUS: Invalid Client information received as input
Nov 20 15:49:27.798: TPLUS(00000FCC) login timer stopped
Nov 20 15:49:27.799: TPLUS: Invalid Client information received as input

Tac_plus.conf:

key = stuffgoeshere
default authentication = file /etc/passwd
accounting file = /var/log/tac_plus.acct

user = $enable$ {
    login = cleartext "blahblahblah"
}

user = rancid {
    member = rancid
}

user = root {
    member = admins
}

group = admins {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

group = rancid {
    default service = deny
    service = exec {
        priv-lvl = 15
    }
    cmd = write {
        permit .*
    }
    cmd = dir {
        permit .*
    }
    cmd = copy {
        permit running-config
    }
    cmd = show {
        permit .*
    }
    cmd = terminal {
        permit length
    }
    cmd = enable {
        permit .*
    }
    cmd = exit {
        permit .*
    }
    cmd = admin {
        permit .*
    }
    cmd = more {
        permit .*
    }
}


do_auth.conf
[users]

root =
   vdxgroup

admin =
   vdxgroup

rancid =
   vdxgroup



[vdxgroup]
host_allow =
.*
device_permit =
.*
command_permit =
    .*
av_pairs =
    priv-lvl=15

    shell:roles="network-admin"




Thanks in Advance.
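An added triage helper (not from the original post, and not part of tac_plus itself): it splits a tac_plus debug log like the one above into per-connection sessions and reports which users the server prompted for a password but never saw reach exec authorization. The log excerpt embedded in it is constructed from the lines quoted above.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the tac_plus debug log quoted in the post.
SAMPLE_LOG = """\
connect from cidf-06a.nyed.circ2.dcn [10.99.99.166]
cfg_get_value: name=rancid isuser=1 attr=login rec=1
cidf-06a.nyed.circ2.dcn tty2: fd 6 eof (connection closed)
Read -1 bytes from cidf-06a.nyed.circ2.dcn tty2, expecting 12
cidf-06a.nyed.circ2.dcn tty2: Null reply packet, expecting CONTINUE
connect from cidf-06a.nyed.circ2.dcn [10.99.99.166]
cfg_get_value: name=root isuser=1 attr=acl rec=1
cfg_get_svc_node: username=root N_svc_exec proto= svcname= rec=1
cfg_get_svc_node: found N_svc_exec proto= svcname=
"""

CONNECT = re.compile(r"^connect from (\S+) \[([\d.]+)\]")
LOGIN = re.compile(r"^cfg_get_value: name=(\S+) isuser=1 attr=login ")
AUTHZ = re.compile(r"^cfg_get_svc_node: username=(\S+) ")

def parse_sessions(log):
    """Split the log at each 'connect from' and record what each TCP session reached."""
    sessions, cur = [], None
    for line in log.splitlines():
        if (m := CONNECT.match(line)):
            cur = {"host": m.group(1), "ip": m.group(2), "user": None,
                   "authz": False, "aborted": False}
            sessions.append(cur)
        elif cur is None:
            continue
        elif (m := LOGIN.match(line)):
            cur["user"] = m.group(1)
        elif (m := AUTHZ.match(line)):
            cur["user"], cur["authz"] = m.group(1), True
        elif line.startswith("Read -1 bytes"):  # EOF before the 12-byte TACACS+ header of the client's CONTINUE
            cur["aborted"] = True
    return sessions

def summarize(sessions):
    """Per user: password prompts issued, sessions dropped before CONTINUE, authorizations seen."""
    stats = defaultdict(lambda: {"login": 0, "aborted": 0, "authz": 0})
    for s in sessions:
        if s["user"] is not None:
            stats[s["user"]]["authz" if s["authz"] else "login"] += 1
            stats[s["user"]]["aborted"] += int(s["aborted"])
    return dict(stats)

def never_authorized(stats):
    """Users that were prompted but never reached exec authorization: the symptom in the post."""
    return sorted(u for u, st in stats.items() if st["login"] and not st["authz"])
```

Run it over the full daemon debug output (`tac_plus -d 8 -g`-style logs) to see at a glance which NAS/user combinations drop the connection at the password prompt, which is what the switch-side `GET_PASSWORD` / "Client is not responding" messages correspond to.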