tacacs+ and Cisco 2950 configuration

fredfisch
Level 1

Hi everyone!

I want to authenticate to my switch via Tacacs+. It runs fine as long as I define users and passwords in /etc/tac-plus/tacacs.conf. But when I try to authenticate against a MySQL DB or the /etc/passwd file, authentication fails.

With the config below, I'm able to log in with username fred. In the MySQL DB, a user 'test' with password ENCRYPT('test') is correctly set up. I use the DB skel that comes with tacacs+ (in Debian it's in /usr/share/docs/tac-plus; manual from http://www.gazi.edu.tr/tacacs/docs/tacacs_db.txt).

---------------------

My tacacs+ config:

# /etc/tac-plus/tacacs.conf

### TACACS+ Config

# Auth-Key (must match "tacacs-server host ... key" on the switch)
key = some_key

#default authentication = file /etc/passwd
default authentication = db mysql://user:password@localhost/tacacs/auth?usern&passwd

accounting file = /var/log/tac-plus/account.log

###### USER ######
user = DEFAULT {
    default service = permit
}

#user = DEFAULT {
#    service = ppp
#    protocol = ip {
#    }
#}

# Enable-User
#user = $enable$ {
#    login = cleartext test
#}

user = fred {
    default service = permit
    login = cleartext fred_pw
}

--------------------------

--------------------------

My Cisco config:

switch#sh ru
Building configuration...

[some info]

version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname MySwitch
!
aaa new-model
aaa group server tacacs+ TACSERV
 server 192.168.1.5
!
! methods are tried in order: local and line are used only when TACSERV
! does not respond, not when it rejects the login
aaa authentication login default group TACSERV local line
enable secret secret_enable_pw
!
username rescue secret secret_rescue_pw
ip subnet-zero
!
spanning-tree extend system-id
!
!
interface FastEthernet0/1
 switchport access vlan 180
 switchport mode trunk
 switchport nonegotiate
 no ip address
!
[some FastEthernet and GigabitEthernet Configuration]

ip default-gateway 192.168.1.1
ip http server
!
tacacs-server host 192.168.1.5 key some_key
!
line con 0
 exec-timeout 0 0
line vty 5 15
!
ntp server 192.168.1.60
end

----------------------

It would be great if someone could help.

Greetings,

Fred

1 Reply
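The shared secret (key = some_key on the server, tacacs-server host 192.168.1.5 key some_key on the switch) has to match on both ends because every TACACS+ packet body is XORed with an MD5 keystream derived from the session id, the key, the version byte and the sequence number (RFC 8907 section 4.5). A mismatch does not produce a clean error: the receiver XORs with a different pad and gets a body whose length fields and username are garbage, which the server logs as a bad key and the switch sees as a failed request, so it is worth ruling out before debugging the backend. The Python below is an added example, not code from the post or from tac_plus: it builds an authentication START packet for user fred, obfuscates it the way the protocol does, and shows that only the matching key recovers the body. The session id, port name and remote address are made up for the example. Note that this is obfuscation, not encryption: anyone who learns the key can decode captured traffic, and service password-encryption in the posted switch config only type-7 encodes the key in the running config, which is reversible.

```python
"""TACACS+ body obfuscation (RFC 8907 section 4.5), as a worked example."""
import hashlib
import struct

# Header and field constants from RFC 8907; everything else in this file is constructed.
TAC_PLUS_VERSION = 0xC0            # major 0xC, minor 0 (plain ASCII login)
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, body length


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain: MD5_1 = MD5(session_id|key|version|seq_no), MD5_n = MD5(...|MD5_n-1)."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscate or reveal a body; XOR with the pad is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, priv_lvl=1):
    """Authentication START body (RFC 8907 section 5.1) for an ASCII login, no initial data."""
    user, port, rem_addr = user.encode(), port.encode(), rem_addr.encode()
    fixed = bytes([TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                   TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), 0])
    return fixed + user + port + rem_addr


def build_packet(body, key, session_id, seq_no=1):
    """Header in the clear, body XORed with the pad for this session/key/seq."""
    hdr = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return hdr + xor_body(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_packet(packet, key):
    """Return (session_id, seq_no, body) as decoded with the given shared key."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    raw = packet[HEADER.size:HEADER.size + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:  # body was sent in the clear
        return session_id, seq_no, raw
    return session_id, seq_no, xor_body(raw, session_id, key, version, seq_no)


def start_username(body):
    """Pull the username out of a START body; garbage if the key did not match."""
    user_len = body[4]
    return body[8:8 + user_len]


if __name__ == "__main__":
    # Constructed session: switch 192.168.1.10 asks to authenticate fred on tty1.
    body = authen_start_body("fred", "tty1", "192.168.1.10")
    pkt = build_packet(body, b"some_key", session_id=0x12345678)
    print("right key ->", start_username(parse_packet(pkt, b"some_key")[2]))
    print("wrong key ->", start_username(parse_packet(pkt, b"wrong_key")[2]))
```

Run it as a script to see the username come back intact with the right key and as random bytes with the wrong one. The same xor_body call is used in both directions, which is why tac_plus can tell a key mismatch only by the decoded body failing to parse.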

fredfisch
Level 1

Hi,

I realized that Debian only stores usernames in /etc/passwd - the user's password is stored in /etc/shadow.

I manually edited the passwd file to get the password in. Result: authentication works with /etc/passwd. But when I point to /etc/shadow in the configuration file, authentication doesn't work.

Is there a way to get tacacs+ to use the /etc/shadow properly or to configure Debian not to use /etc/shadow?

The other big problem, authentication against MySQL, doesn't work yet.

Any Hints?

Thanks,

Fred
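What the reply ran into is the layout of the two files: /etc/passwd is world-readable, so on Debian its password field is just "x" and the real crypt(3) hash lives in /etc/shadow, which only root can read. A daemon that parses only /etc/passwd finds no hash, and a daemon that is not running as root cannot open /etc/shadow at all; copying the hash back into /etc/passwd makes it world-readable again, which is the exposure shadow files exist to remove. The Python below is an added example, not code from the post or from tac_plus. It parses constructed passwd and shadow records, follows the "x" indirection, reports locked accounts, and classifies the hash by its prefix; the 13-character DES form is what MySQL ENCRYPT('test') with a random salt produces, since ENCRYPT() calls the system crypt(3). The actual check is crypt(3) called with the candidate password and the stored hash as the salt argument, which is not shown here.

```python
"""Resolve a user's password hash across /etc/passwd and /etc/shadow (worked example)."""

# Constructed sample records for this example; not taken from the poster's system.
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "test:x:1001:1001:TACACS test user:/home/test:/bin/bash",
    # hash copied into passwd, as the reply describes; world-readable
    "legacy:$1$abcdefgh$SomeOldMd5CryptHashHere.:1002:1002::/home/legacy:/bin/sh",
    "nologin:x:1003:1003::/var/empty:/usr/sbin/nologin",
]
SHADOW_LINES = [
    "root:!:19000:0:99999:7:::",
    "test:$6$saltsalt$" + "H" * 86 + ":19000:0:99999:7:::",
    "nologin:*:19000:0:99999:7:::",
]

# Modular crypt prefixes; a bare 13-character string is traditional DES crypt.
CRYPT_SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
                 "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}


def parse_colon_file(lines):
    """Map login name -> list of colon-separated fields, skipping blanks and comments."""
    records = {}
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        records[fields[0]] = fields
    return records


def resolve_hash(user, passwd, shadow):
    """Return (hash, source) following the 'x' indirection, or (None, reason)."""
    entry = passwd.get(user)
    if entry is None:
        return None, "no passwd entry"
    field, source = entry[1], "passwd"
    if field == "x":
        sh = shadow.get(user)
        if sh is None:
            return None, "passwd says shadow but no shadow entry (or shadow unreadable)"
        field, source = sh[1], "shadow"
    if field == "":
        return None, "empty password"
    if field.startswith(("!", "*")):
        return None, "account locked in " + source
    return field, source


def hash_scheme(h):
    """Classify a crypt(3) hash so a mismatch with the daemon's crypt() is obvious."""
    if h.startswith("$"):
        return CRYPT_SCHEMES.get(h.split("$")[1], "unknown-modular")
    if len(h) == 13:
        return "descrypt"  # e.g. MySQL ENCRYPT('test') with its random 2-char salt
    return "unknown"


def load_system_files(passwd_path="/etc/passwd", shadow_path="/etc/shadow"):
    """Read the real files; a non-root process sees an empty shadow map."""
    with open(passwd_path) as f:
        passwd = parse_colon_file(f)
    try:
        with open(shadow_path) as f:
            shadow = parse_colon_file(f)
    except PermissionError:
        shadow = {}
    return passwd, shadow


if __name__ == "__main__":
    passwd = parse_colon_file(PASSWD_LINES)
    shadow = parse_colon_file(SHADOW_LINES)
    for name in ("test", "legacy", "root"):
        h, src = resolve_hash(name, passwd, shadow)
        print(name, src, hash_scheme(h) if h else "-")
    # The failure the reply describes: shadow not consulted (or not readable).
    print("test without shadow:", resolve_hash("test", passwd, {}))
```

Running it as root against the real files (load_system_files) shows which of the two sources each account's hash comes from; run unprivileged, every "x" user resolves to the "no shadow entry" reason, which is the symptom of pointing a non-root daemon at /etc/shadow.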
