[tac_plus] Tac Plus Auth Error with IOS 16

Daniel Schmidt daniel.schmidt at wyo.gov
Mon Nov 20 21:21:53 UTC 2017


wild guess:

try adding pap = cleartext "blahblahblah"

On Mon, Nov 20, 2017 at 8:54 AM, Andrew Villano <andrew.villano at gmail.com>
wrote:

> I have a switch that I recently upgraded to IOS XE 16 (Everest) from 3.x.x.
> It is the only switch that will not authenticate to tacacs. It does allow
> local authentication and I do see traffic during those exchanges.
> tac_plus.conf is set up to do file authentication from /etc/passwd.
>
> This is the debug log I pulled during the failure:
>
> Reading config
> Version F4.0.4.28 Initialized 1
> tac_plus server F4.0.4.28 starting
> socket FD 4 AF 2
> socket FD 5 AF 10
> uid=0 euid=0 gid=0 egid=0 s=37962240
> connect from cidf-06a.nyed.circ2.dcn [10.99.99.166]
> cfg_get_hvalue: name=10.99.99.166 attr=key
> cfg_get_hvalue: no host named 10.99.99.166
> cfg_get_phvalue: returns NULL
> cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
> cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
> cfg_get_phvalue: returns NULL
> cfg_get_value: name=rancid isuser=1 attr=login rec=1
> cfg_get_value: recurse group = rancid
> cfg_get_pvalue: returns NULL
> cfg_get_value: name=rancid isuser=1 attr=login rec=1
> cfg_get_value: recurse group = rancid
> cfg_get_pvalue: returns NULL
> cfg_get_value: name=rancid isuser=1 attr=nopassword rec=1
> cfg_get_value: recurse group = rancid
> cfg_get_intvalue: returns 0
> cfg_get_value: name=rancid isuser=1 attr=login rec=1
> cfg_get_value: recurse group = rancid
> cfg_get_pvalue: returns NULL
> cfg_get_hvalue: name=10.99.99.166 attr=key
> cfg_get_hvalue: no host named 10.99.99.166
> cfg_get_phvalue: returns NULL
> cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
> cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
> cfg_get_phvalue: returns NULL
> cidf-06a.nyed.circ2.dcn tty2: fd 6 eof (connection closed)
> Read -1 bytes from cidf-06a.nyed.circ2.dcn tty2, expecting 12
> cidf-06a.nyed.circ2.dcn tty2: Null reply packet, expecting CONTINUE
> connect from cidf-06a.nyed.circ2.dcn [10.99.99.166]
> cfg_get_hvalue: name=10.99.99.166 attr=key
> cfg_get_hvalue: no host named 10.99.99.166
> cfg_get_phvalue: returns NULL
> cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
> cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
> cfg_get_phvalue: returns NULL
> cfg_get_value: name=rancid isuser=1 attr=login rec=1
> cfg_get_value: recurse group = rancid
> cfg_get_pvalue: returns NULL
> cfg_get_value: name=rancid isuser=1 attr=login rec=1
> cfg_get_value: recurse group = rancid
> cfg_get_pvalue: returns NULL
> cfg_get_value: name=rancid isuser=1 attr=nopassword rec=1
> cfg_get_value: recurse group = rancid
> cfg_get_intvalue: returns 0
> cfg_get_value: name=rancid isuser=1 attr=login rec=1
> cfg_get_value: recurse group = rancid
> cfg_get_pvalue: returns NULL
> cfg_get_hvalue: name=10.99.99.166 attr=key
> cfg_get_hvalue: no host named 10.99.99.166
> cfg_get_phvalue: returns NULL
> cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
> cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
> cfg_get_phvalue: returns NULL
> cidf-06a.nyed.circ2.dcn tty2: fd 6 eof (connection closed)
> Read -1 bytes from cidf-06a.nyed.circ2.dcn tty2, expecting 12
> cidf-06a.nyed.circ2.dcn tty2: Null reply packet, expecting CONTINUE
> connect from cidf-06a.nyed.circ2.dcn [10.99.99.166]
> cfg_get_hvalue: name=10.99.99.166 attr=key
> cfg_get_hvalue: no host named 10.99.99.166
> cfg_get_phvalue: returns NULL
> cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
> cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
> cfg_get_phvalue: returns NULL
> cfg_get_value: name=rancid isuser=1 attr=login rec=1
> cfg_get_value: recurse group = rancid
> cfg_get_pvalue: returns NULL
> cfg_get_value: name=rancid isuser=1 attr=login rec=1
> cfg_get_value: recurse group = rancid
> cfg_get_pvalue: returns NULL
> cfg_get_value: name=rancid isuser=1 attr=nopassword rec=1
> cfg_get_value: recurse group = rancid
> cfg_get_intvalue: returns 0
> cfg_get_value: name=rancid isuser=1 attr=login rec=1
> cfg_get_value: recurse group = rancid
> cfg_get_pvalue: returns NULL
> cfg_get_hvalue: name=10.99.99.166 attr=key
> cfg_get_hvalue: no host named 10.99.99.166
> cfg_get_phvalue: returns NULL
> cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
> cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
> cfg_get_phvalue: returns NULL
> cidf-06a.nyed.circ2.dcn tty2: fd 6 eof (connection closed)
> Read -1 bytes from cidf-06a.nyed.circ2.dcn tty2, expecting 12
> cidf-06a.nyed.circ2.dcn tty2: Null reply packet, expecting CONTINUE
> connect from cidf-06a.nyed.circ2.dcn [10.99.99.166]
>
> //successful connection//
>
> cfg_get_hvalue: name=10.99.99.166 attr=key
> cfg_get_hvalue: no host named 10.99.99.166
> cfg_get_phvalue: returns NULL
> cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
> cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
> cfg_get_phvalue: returns NULL
> cfg_get_value: name=root isuser=1 attr=login rec=1
> cfg_get_value: recurse group = admins
> cfg_get_pvalue: returns NULL
> cfg_get_value: name=root isuser=1 attr=login rec=1
> cfg_get_value: recurse group = admins
> cfg_get_pvalue: returns NULL
> cfg_get_value: name=root isuser=1 attr=nopassword rec=1
> cfg_get_value: recurse group = admins
> cfg_get_intvalue: returns 0
> cfg_get_value: name=root isuser=1 attr=login rec=1
> cfg_get_value: recurse group = admins
> cfg_get_pvalue: returns NULL
> cfg_get_hvalue: name=10.99.99.166 attr=key
> cfg_get_hvalue: no host named 10.99.99.166
> cfg_get_phvalue: returns NULL
> cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
> cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
> cfg_get_phvalue: returns NULL
> cidf-06a.nyed.circ2.dcn tty2: fd 6 eof (connection closed)
> Read -1 bytes from cidf-06a.nyed.circ2.dcn tty2, expecting 12
> cidf-06a.nyed.circ2.dcn tty2: Null reply packet, expecting CONTINUE
> connect from cidf-06a.nyed.circ2.dcn [10.99.99.166]
> cfg_get_hvalue: name=10.99.99.166 attr=key
> cfg_get_hvalue: no host named 10.99.99.166
> cfg_get_phvalue: returns NULL
> cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
> cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
> cfg_get_phvalue: returns NULL
> cfg_get_value: name=root isuser=1 attr=acl rec=1
> cfg_get_value: recurse group = admins
> cfg_get_pvalue: returns NULL
> cfg_get_value: name=root isuser=1 attr=before rec=1
> cfg_get_value: recurse group = admins
> cfg_get_pvalue: returns NULL
> cfg_get_svc_node: username=root N_svc_exec proto= svcname= rec=1
> cfg_get_svc_node: recurse group = admins
> cfg_get_svc_node: found N_svc_exec proto= svcname=
> cfg_get_svc_node: username=root N_svc_exec proto= svcname= rec=1
> cfg_get_svc_node: recurse group = admins
> cfg_get_svc_node: found N_svc_exec proto= svcname=
> cfg_get_value: name=root isuser=1 attr=after rec=1
> cfg_get_value: recurse group = admins
> cfg_get_pvalue: returns NULL
> cfg_get_hvalue: name=10.99.99.166 attr=key
> cfg_get_hvalue: no host named 10.99.99.166
> cfg_get_phvalue: returns NULL
> cfg_get_hvalue: name=cidf-06a.nyed.circ2.dcn attr=prompt
> cfg_get_hvalue: no host named cidf-06a.nyed.circ2.dcn
> cfg_get_phvalue: returns NULL
>
>
>
> Debug from the Switch:
>
> Nov 20 15:43:09.239: TPLUS: Client is not responding Forcefully closing the
> socket
> Nov 20 15:43:09.240: TPLUS: Details of client session
> Nov 20 15:43:09.240:  Client PID : 502
> Nov 20 15:43:09.240:  Allocator PC : 0
> Nov 20 15:43:09.240:  Transaction Type : Authentication
> Nov 20 15:43:09.240:  Transaction Status : GET_PASSWORD
> Nov 20 15:43:09.240:  Service : none
> Nov 20 15:43:09.240:  Protocol : none
> Nov 20 15:47:59.067: TPLUS(00000FCA) login timer stopped
> Nov 20 15:47:59.067: TPLUS(00000FCA)/0/None: Started 120 sec timeout
> Nov 20 15:48:02.055: TPLUS(00000FCA) login timer stopped
> Nov 20 15:48:02.055: TPLUS(00000FCA)/1/None: Started 120 sec timeout
> Nov 20 15:48:10.509: TPLUS: Ignore unknown socket 0
> Nov 20 15:48:10.511: TPLUS: Ignore unknown socket 1
> Nov 20 15:48:17.445: TPLUS(00000FCA)/1/IDLE/FF97E186F0: AAA id is not
> matching between  1 (00000000)
> Nov 20 15:48:17.445: TPLUS(00000FCA) login timer stopped
> Nov 20 15:48:17.445: TPLUS(00000000)/1/None: Timer Stoped
> Nov 20 15:48:19.462: TPLUS(00000FCA) login timer stopped
> Nov 20 15:48:19.462: TPLUS(00000FCA)/0/None: Started 120 sec timeout
> Nov 20 15:48:50.072: TPLUS(00000FCB) login timer stopped
> Nov 20 15:48:50.073: TPLUS: Invalid Client information received as input
> Nov 20 15:48:59.169: TPLUS(00000FCB) login timer stopped
> Nov 20 15:48:59.170: TPLUS: Invalid Client information received as input
> Nov 20 15:49:19.976: TPLUS(00000FCC) login timer stopped
> Nov 20 15:49:19.977: TPLUS: Invalid Client information received as input
> Nov 20 15:49:27.798: TPLUS(00000FCC) login timer stopped
> Nov 20 15:49:27.799: TPLUS: Invalid Client information received as input
>
> Tac_plus.conf:
>
> key = stuffgoeshere
> default authentication = file /etc/passwd
> accounting file = /var/log/tac_plus.acct
>
> user = $enable$ {
>     login = cleartext "blahblahblah"
> }
>
> user = rancid {
>     member = rancid
> }
>
> user = root {
>     member = admins
> }
>
> group = admins {
>     default service = permit
>     service = exec {
>         priv-lvl = 15
>     }
> }
>
> group = rancid {
>     default service = deny
>     service = exec {
>         priv-lvl = 15
>     }
>     cmd = write {
>         permit .*
>     }
>     cmd = dir {
>         permit .*
>     }
>     cmd = copy {
>         permit running-config
>     }
>     cmd = show {
>         permit .*
>     }
>     cmd = terminal {
>         permit length
>     }
>     cmd = enable {
>         permit .*
>     }
>     cmd = exit {
>         permit .*
>     }
>     cmd = admin {
>         permit .*
>     }
>     cmd = more {
>         permit .*
>     }
> }
>
>
> do_auth.conf
> [users]
>
> root =
>    vdxgroup
>
> admin =
>    vdxgroup
>
> rancid =
>    vdxgroup
>
>
>
> [vdxgroup]
> host_allow =
> .*
> device_permit =
> .*
> command_permit =
>     .*
> av_pairs =
>     priv-lvl=15
>
>     shell:roles="network-admin"
>
>
>
>
> Thanks in Advance.

-- 

E-Mail to and from me, in connection with the transaction 
of public business, is subject to the Wyoming Public Records 
Act and may be disclosed to third parties.
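An added triage script (mine, not from this list thread or the tac_plus project) that walks a debug log in the shape of the one quoted above, splits it per connection, and reports, per user, how many logins the client dropped while tac_plus was waiting for the CONTINUE packet carrying the password, and whether an authorization session was ever reached (which only happens after a login succeeded). The sample lines are constructed; the hostname and IP are placeholders.

```python
import re
# Constructed sample in the shape of the tac_plus debug log quoted above (placeholder host
# and IP): rancid's login is dropped before the password CONTINUE arrives; root's login
# is dropped once too, but a later connection reaches authorization, so its login worked.
SAMPLE_LOG = """\
connect from sw1.example.net [192.0.2.10]
cfg_get_value: name=rancid isuser=1 attr=login rec=1
sw1.example.net tty2: fd 6 eof (connection closed)
Read -1 bytes from sw1.example.net tty2, expecting 12
sw1.example.net tty2: Null reply packet, expecting CONTINUE
connect from sw1.example.net [192.0.2.10]
cfg_get_value: name=root isuser=1 attr=login rec=1
sw1.example.net tty2: Null reply packet, expecting CONTINUE
connect from sw1.example.net [192.0.2.10]
cfg_get_value: name=root isuser=1 attr=acl rec=1
cfg_get_svc_node: username=root N_svc_exec proto= svcname= rec=1
"""
CONNECT_RE = re.compile(r"^connect from (\S+) \[([^\]]+)\]")
USER_RE = re.compile(r"^cfg_get_value: name=(\S+) isuser=1 attr=(\w+)")
SVC_RE = re.compile(r"^cfg_get_svc_node: username=(\S+)")
ABORT_RE = re.compile(r"Null reply packet, expecting (\w+)")

def parse_sessions(log_text):
    """One summary dict per 'connect from' block of a tac_plus debug log."""
    sessions, cur = [], None
    for line in log_text.splitlines():
        if m := CONNECT_RE.match(line):
            cur = {"host": m[1], "ip": m[2], "user": None, "phase": "authentication", "dropped": None}
            sessions.append(cur)
        elif cur is None:
            continue  # startup chatter before the first connection
        elif m := USER_RE.match(line):
            cur["user"] = m[1]
            if m[2] in ("acl", "before", "after"):  # attrs only looked up during authz
                cur["phase"] = "authorization"
        elif m := SVC_RE.match(line):
            cur["user"], cur["phase"] = m[1], "authorization"
        elif m := ABORT_RE.search(line):
            # Follows 'Read -1 bytes ..., expecting 12': peer closed while tac_plus
            # waited for the 12-byte TACACS+ header of the next (CONTINUE) packet.
            cur["dropped"] = m[1]
    return sessions

def triage(sessions):
    """Per user: logins dropped awaiting the password CONTINUE; any authz session reached."""
    report = {}
    for s in sessions:
        r = report.setdefault(s["user"], {"auth_dropped": 0, "authorized": False})
        if s["phase"] == "authentication" and s["dropped"] == "CONTINUE":
            r["auth_dropped"] += 1
        r["authorized"] |= s["phase"] == "authorization"
    return report
```

Run it against a real debug log by passing the file contents to parse_sessions; a user with auth_dropped > 0 and authorized == False is the one whose client never delivers the password packet.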