TACACS+ / MDS9513

Mike_Lowrey
Level 1

Hi,

I have problems implementing TACACS+ for managing SSH user authentication (via config file, no database).

Maybe you can have a look and help me...

Switch (MDS 9513):

fcsw# show tacacs-server
Global TACACS+ shared secret:********
timeout value:30
deadtime value:30
total number of servers:1

following TACACS+ servers are configured:
    X.X.X.77:
        available on port:49
        TACACS+ shared secret:********

fcsw# show tacacs-server groups
total number of groups:1

following TACACS+ server groups are configured:
    group TAC1:
        server X.X.X.77 on port 49
        deadtime is 0

fcsw# show aaa authentication
         default: group TAC1 local
         console: group TAC1 local
         iscsi: local
         dhchap: local

Server (SUSE Linux 10):

X.X.X.77# /usr/local/sbin/tac_plus -v
tac_plus version 4.4rc2-3 (Extended Tac_plus)

config-file:

X.X.X.77 # cat /usr/local/etc/tacacs/tac_plus.cfg
key = "key"
accounting file = /var/log/tac_acc.log

user = adminuser {
    default service = permit
    login = cleartext "all"
}

I get these standard error messages when I try to log in with the TACACS+ user:

2008 Dec 12 14:04:38 fcsw %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user adminuser from xxx.com
2008 Dec 12 14:04:39 fcsw %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user adminuser from xxx.com
2008 Dec 12 14:04:40 fcsw %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user adminuser from xxx.com

Thanks for your help guys!

Btw. - Is there an official TACACS+ download website? I downloaded it from http://www.networkforums.net/ and compiled it, but I am not sure if that is the proper way?

Cheers,

Mike

3 Replies

Michael Brown
Cisco Employee

Mike,

Can you test with telnet? There is also a test command you can issue from the MDS command line to validate a user/password against a specific TACACS+ server. The syntax is 'test aaa server tacacs+ x.x.x.x username password'. You may want to use this to test the TACACS+ operation. I'm not sure what that message means, but it almost looks like the username being sent from the MDS is not valid. It might be something like admin@mds.com or similar, depending on how the SSH client sends the username/password into the MDS upon login. Also remember that you will need to have your TACACS+ server pass back a role for the user, or even if the password is valid, the user will end up with 'network-operator'. TACACS+ uses two separate flows to authenticate and then authorize a user. First the user/password is checked, then a second flow is used when the MDS 'asks' the TACACS+ server what role the user should get. The role name passed back by the server must be configured in the MDS, or the user gets 'network-operator'. The role name is passed back using the 'cisco-av-pair' attribute.

Also, your configured 'key' should match what is configured in the MDS tacacs-server host line, and in the tacacs+ server configuration for the MDS as a valid device to send authentication requests to the tacacs+ server.

Here is how I configured user test with password test2 and role = barroom-keeper in a program called TAC_PLUS.

user = test2 {
    default service = permit
    pap = cleartext test2
    service = exec {
        cisco-av-pair="shell:roles=barroom-keeper"
    }
}

Hope this helps,

Mike
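As an added check (written for this page, not part of the thread or of tac_plus), the following Python walks a tac_plus.cfg in the format shown above and reports the role each user would end up with on the MDS, applying the rule from the reply that a missing role, or a role name not configured on the switch, falls back to network-operator. The sample config and the set of roles assumed to exist on the switch are constructed for the example.

```python
import re

# Constructed sample in the tac_plus.cfg style used in this thread.
# test2 has a valid role; adminuser has no service = exec block;
# storage has a role name that is not defined on the switch.
SAMPLE_CFG = """
key = "key"
accounting file = /var/log/tac_acc.log

user = test2 {
    default service = permit
    pap = cleartext test2
    service = exec {
        cisco-av-pair="shell:roles=barroom-keeper"
    }
}
user = adminuser {
    default service = permit
    login = cleartext "all"
}
user = storage {
    default service = permit
    pap = cleartext secret
    service = exec {
        cisco-av-pair="shell:roles=storage-admin"
    }
}
"""

# Roles assumed (for this example) to be configured on the MDS.
MDS_ROLES = {"network-admin", "network-operator", "barroom-keeper"}
DEFAULT_ROLE = "network-operator"  # assigned when no usable role comes back

def parse_users(cfg):
    """Return {username: [roles from cisco-av-pair shell:roles]} using brace depth."""
    users, current, depth = {}, None, 0
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^user\s*=\s*(\S+)\s*\{$", line)
        if m and depth == 0:
            current = m.group(1)
            users[current] = []
        elif current is not None and "cisco-av-pair" in line and "shell:roles=" in line:
            value = line.split("shell:roles=", 1)[1]
            users[current].extend(value.replace("\\", "").replace('"', "").split())
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None
    return users

def effective_roles(cfg, mds_roles):
    """Map each user to the roles the MDS applies, falling back to DEFAULT_ROLE."""
    return {user: ([r for r in roles if r in mds_roles] or [DEFAULT_ROLE])
            for user, roles in parse_users(cfg).items()}

if __name__ == "__main__":
    for user, roles in effective_roles(SAMPLE_CFG, MDS_ROLES).items():
        print(f"{user}: {' '.join(roles)}")
```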

Hi Mike,

Thanks very much for your reply. Your config example works fine. Great!

Just another quick question. I still have a local net-admin user if the tacacs server is down for any reason.

I am not able to log in with that local user while the tacacs server is running. It works fine when the server is not reachable. I guess this "works as designed", right?

Cheers,

Mike

Yes, it is working as designed. The MDS will only use the local user database if the TACACS+ server is not reachable. This is not the same as getting a negative response for the user. If configured to use TACACS+ to authenticate users, it will send an auth request to the TACACS+ server. The only time the user would be validated against the local database is if the TACACS+ server did not respond at all.

Thanks,

Mike
