Tacacs+ Connection


Ozgur

Aug 12, 2011, 4:08:46 AM
to Event-Driven Servers, Marc....@web.de
Hi All,

I am a newbie on Tacacs+ :)) So I have a problem when I'd like to
connect to Tacacs+. I installed and started the tac_plus service on
CentOS 5.4, but when I connect to our device (192.168.1.251) I get
error messages. You can find all messages and the configuration file
below.

Firstly, I edited my configuration file

tac_plus.conf ------------------------

#!/usr/local/sbin/tac_plus

id = spawnd {
    listen = { port = 4949 }
    spawn = {
        instances min = 1
        instances max = 10
    }
    background = no
}

id = tac_plus {
    debug = PACKET AUTHEN AUTHOR

    access log = /var/log/access.log
    accounting log = /var/log/acct.log

    host = world {
        address = 192.168.1.251/24
        prompt = "Welcome\n"
        enable 15 = clear secret
        key = 123456789
    }

    group = admin {
        default service = permit
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 15
        }
    }

    group = guest {
        default service = permit
        enable = deny
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 1
        }
    }

    user = test {
        password = clear test
        member = admin
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 15
        }
    }

    user = readonly {
        password = clear readonly
        member = guest
    }
}
--------------------------------------------------------------------------

- After that, I tried the " tac_plus -P /usr/local/etc/tac_plus.cfg -d16 "
command
- service tac_plus restart
- Finally, I tried my Cisco device with ssh " ssh -l test
192.168.1.251 " and I got these messages
[root@dhcppc21 etc]# ssh -l test 192.168.1.251
te...@192.168.1.251's password:
Permission denied, please try again.

Please help :))

Thanks....




Marc Huber

Aug 12, 2011, 4:52:28 AM
to event-driv...@googlegroups.com, Marc....@web.de
Hi,


On Friday, August 12, 2011 10:08:46 AM UTC+2, Ozgur wrote:
id = spawnd {
listen = { port = 4949 }

you'll probably need to change the port to standard (port 49) unless you've explicitly told your device to use 4949.

- After , I tried  " tac_plus -P /usr/local/etc/tac_plus.cfg -d16  "
command

To check for syntax errors please use:

   /usr/local/sbin/tac_plus -P /usr/local/etc//tac_plus.cfg

For initial testing just run:

   /usr/local/sbin/tac_plus /usr/local/etc//tac_plus.cfg

Then try to authenticate at your device and watch the debug output on screen.

- service tac_plus restart

"make install" will not set up any init scripts. You'll need to do that manually. The following might work on CentOS:

  # cp /usr/local/lib/mavis/extra/etc_init.d_tac_plus /etc/init.d/tac_plus
  # chmod 755 /etc/init.d/tac_plus

followed by

  # chkconfig tac_plus on

to run the service at startup or

  # service tac_plus start

to manually start the service.

Cheers,

Marc

Ozgur

Aug 12, 2011, 7:21:09 AM
to Event-Driven Servers
Hi Marc,

I tried your suggestions but I couldn't connect to my device. Please,
can you check my configuration? I still get the same error.

#!/usr/local/sbin/tac_plus

id = spawnd {
    listen = { port = 49 }
    spawn = {
        instances min = 1
        instances max = 10
    }
    background = no
}

id = tac_plus {
    debug = PACKET AUTHEN AUTHOR

    access log = /tmp/access.log
    accounting log = /tmp/acct.log
Thanks for help...

Özgür

Marc Huber

Aug 12, 2011, 7:47:20 AM
to event-driv...@googlegroups.com
Hi,


On Friday, 12 August 2011 13:21:09 UTC+2, Ozgur wrote:
Hi Marc,

I tried your suggestions but I couldn't connect to my device. Please,
can you check my configuration? I still get the same error.


your daemon configuration is fine.

Did you make sure that tac_plus is actually running, and did binding to port 49 work? You can check that using "telnet localhost 49" on your CentOS box. Remember that 49 is a privileged port. You'll need to start the daemon as root.

If the daemon is actually running: Make sure you can connect from the router (telnet <server ip> 49).

What does your router configuration look like? For authentication only, you'll need something similar to:

  tacacs-server host 10.1.2.3 key 123456789
  aaa new-model
  aaa authentication login default group tacacs+ local

(and remember to define a local user first, in case something goes wrong ...)

Cheers,

Marc

özgür umut vurgun

Aug 12, 2011, 8:45:29 AM
to event-driv...@googlegroups.com
Dear Marc,

I checked port 49 on CentOS. Port 49 is open and listening.

>netstat -an |grep 49 
tcp 0 0 :::49 :::* LISTEN  

>telnet localhost 49  or telnet 192.168.1.4 49 (192.168.1.4 my Centos)
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.

Connection closed by foreign host.

> telnet 192.168.1.251 49  (192.168.1.251 router)
 Trying 192.168.1.251... 

And the router configuration:
 >aaa authentication administrator tacacs+ local 
 >tacacs+ server 192.168.1.4 encrypted-key D4491F5A9054DDA5  

On the router, I checked the logs: when I connect to the router it registers my login request, but it couldn't reach my tacacs server .. but pinging and telnet from the router to the tacacs server are working over port 49.

Really I don't understand why it didn't. I don't know how I can solve that :(

Thanks for helps...

Özgür...

Özgür Umut VURGUN

Marc Huber

Aug 12, 2011, 9:16:38 AM
to event-driv...@googlegroups.com
Hi Özgür,

please run

  service tac_plus stop

Then please verify that nothing is listening on port 49 any more. Now run, as root,

  /usr/local/sbin/tac_plus /usr/local/etc//tac_plus.cfg

Try to login at your router. When your router connects there should be a wealth of debugging output from tac_plus, looking similar to:

11336: 3/40cee609: New session
11336: 3/09e6ce40: ---<start packet>---
11336: 3/09e6ce40: key used: cisco
11336: 3/09e6ce40: version: 192, type: 1, seq no: 1, flags: unencrypted
11336: 3/09e6ce40: session id: 09e6ce40 data length: 30
11336: 3/09e6ce40: AUTHEN/START, priv_lvl=0
11336: 3/09e6ce40: action=login (1)
11336: 3/09e6ce40: authen_type=ascii (1)
11336: 3/09e6ce40: service=login (1)
11336: 3/09e6ce40: user_len=4 port_len=9 rem_addr_len=9
11336: 3/09e6ce40: data_len=0
11336: 3/09e6ce40: user (len: 4): test
11336: 3/09e6ce40: 0000 74 65 73 74                                       test
11336: 3/09e6ce40: port (len: 9): Virtual00
11336: 3/09e6ce40: 0000 56 69 72 74 75 61 6c 30  30                       Virtual0 0
11336: 3/09e6ce40: rem_addr (len: 9): 127.0.0.1
11336: 3/09e6ce40: 0000 31 32 37 2e 30 2e 30 2e  31                       127.0.0. 1
11336: 3/09e6ce40: data (len: 0):
11336: 3/09e6ce40: ---<end packet>---
11336: 3/40cee609: authen:1633: hdr->seq_no == 1
11336: 3/40cee609: cfg_get: checking user/group test, tag (NULL)
11336: 3/40cee609: cfg_get: checking user/group admin, tag (NULL)
11336: 3/40cee609: Writing AUTHEN/GETPASS size=37
...


If you don't see any output, then try "debug tacacs+ authentication" on your router (a Redback box? "aaa authentication administrator" doesn't look like IOS.).

Cheers,

Marc

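The AUTHEN/START packet in Marc's sample debug output, rebuilt and decoded in Python as an added example (not code from the thread or from tac_plus itself): it reconstructs the 12-byte header and the body lengths shown above (version 192, type 1, seq 1, session id 09e6ce40, data length 30 = 8 fixed bytes + user 4 + port 9 + rem_addr 9) and only decodes the body when the unencrypted flag is set, since a correctly keyed router/server pair obfuscates it with the shared key. The function names and sample values are constructed for illustration.

```python
import struct

# TACACS+ (RFC 8907) header: version, type, seq_no, flags, session_id, length
HEADER = struct.Struct("!BBBBII")
# AUTHEN/START fixed part: action, priv_lvl, authen_type, service,
# user_len, port_len, rem_addr_len, data_len
START_FIXED = struct.Struct("!BBBBBBBB")
TAC_PLUS_AUTHEN = 1
TAC_PLUS_UNENCRYPTED_FLAG = 0x01


def build_authen_start(session_id, user, port, rem_addr, flags=TAC_PLUS_UNENCRYPTED_FLAG):
    """Constructed sample: one AUTHEN/START, version 0xc0 (192), seq 1,
    action=login(1), priv_lvl=0, authen_type=ascii(1), service=login(1)."""
    body = START_FIXED.pack(1, 0, 1, 1, len(user), len(port), len(rem_addr), 0)
    body += user + port + rem_addr
    return HEADER.pack(0xC0, TAC_PLUS_AUTHEN, 1, flags, session_id, len(body)) + body


def parse_authen_start(pkt):
    """Decode the header, and the AUTHEN/START body if it is not obfuscated.
    Raises ValueError on anything malformed instead of guessing."""
    if len(pkt) < HEADER.size:
        raise ValueError("truncated header")
    version, ptype, seq, flags, sid, length = HEADER.unpack_from(pkt)
    if version >> 4 != 0xC or ptype != TAC_PLUS_AUTHEN:
        raise ValueError("not a TACACS+ v12 authentication packet")
    body = pkt[HEADER.size:]
    if len(body) != length:
        raise ValueError("length field %d != body size %d" % (length, len(body)))
    info = {"version": version, "seq_no": seq, "session_id": "%08x" % sid,
            "length": length, "unencrypted": bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)}
    if not info["unencrypted"]:
        # Body is XORed with an MD5 pad derived from the shared key; without the key
        # only the header is readable. This is the expected case with a key configured.
        return info
    if len(body) < START_FIXED.size:
        raise ValueError("truncated AUTHEN/START body")
    action, priv, atype, service, ulen, plen, rlen, dlen = START_FIXED.unpack_from(body)
    off = START_FIXED.size
    if off + ulen + plen + rlen + dlen != len(body):
        raise ValueError("field lengths do not add up to the body size")
    info.update(action=action, priv_lvl=priv, authen_type=atype, service=service)
    for name, n in (("user", ulen), ("port", plen), ("rem_addr", rlen)):
        info[name] = body[off:off + n].decode("ascii", "replace")
        off += n
    info["data"] = body[off:off + dlen]
    return info
```

The "flags: unencrypted" line in the debug output above means the credentials crossed the wire in the clear; a production pair should always share a key, as the tac_plus.conf in this thread does.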

özgür umut vurgun

Aug 12, 2011, 10:05:00 AM
to event-driv...@googlegroups.com
Dear Marc,

I found the source of the problem. As I said in my last post, the router couldn't connect to the Tacacs server. I checked the tacacs server firewall. The firewall was closed; after that I checked the iptables configuration and I saw "REJECT all -- anywhere anywhere ", so I executed " iptables -P OUTPUT ACCEPT " and " iptables -A INPUT -p tcp --dport 49 -j ACCEPT ". So it works :))

Now I'll try authorization (command deny, permit etc...)

Thanks for everything.

Özgür Umut VURGUN
