Cisco says "% Authorization failed." after a successful login using a user from Active Directory.


Alexandr Ovsyannikov

Oct 2, 2015, 8:23:12 AM
to Event-Driven Servers
Hello.
I have a strange problem. After a successful login to a Cisco router using a user from Active Directory, Cisco says "% Authorization failed."
Note: in this configuration I used fictitious names and domain users.

login as: domainuser
Using keyboard-interactive authentication.
Welcome to Work. We know your ip: 10.0.0.10

Password:
% Authorization failed.

and the log from the Cisco router:

*Oct  2 16:58:45: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: domainuser] [Source: 10.0.0.10] [localport: 22] [Reason: Login Authentication Failed] at 16:58:45 KRAST Fri Oct 2 2015

tacacs log:

2015-10-02 16:58:45 +0700       10.20.0.15: shell login for 'domainuser' from 10.0.0.10 on tty322 succeeded


But if I enter the wrong password, the following happens:

login as: domainuser
Using keyboard-interactive authentication.
Welcome to Work. We know your ip: 10.0.0.10

Password:
Using keyboard-interactive authentication.
Password incorrect.
Access denied
Using keyboard-interactive authentication.
Welcome to Work. We know your ip: 10.0.0.10

Password:

logs:

*Oct  2 17:19:56: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: domainuser] [Source: 10.0.0.10] [localport: 22] [Reason: Login Authentication Failed] at 17:19:56 KRAST Fri Oct 2 2015



If I use the user defined in tac_plus.cfg, everything works:

login as: rootik
Using keyboard-interactive authentication.
Welcome to Work. We know your ip: 10.0.0.10

Password:
Using keyboard-interactive authentication.

[Admin privileges]

routertest-01#
routertest-01#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
routertest-01(config)#

log from Cisco:

*Oct  2 17:02:37: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: rootik] [Source: 10.0.0.10] [localport: 22] at 17:02:37 KRAST Fri Oct 2 2015
*Oct  2 17:02:57: %SYS-5-CONFIG_I: Configured from console by prootik on vty0 (10.0.0.10)


On an HP ProCurve device, domain authentication works normally:

login as: domainuser
domai...@10.0.0.10's password:
ProCurve J4899B Switch 2650
Software revision H.10.108

Copyright (C) 1991-2012 Hewlett-Packard Co.  All Rights Reserved.

                           RESTRICTED RIGHTS LEGEND

 Use, duplication, or disclosure by the Government is subject to restrictions
 as set forth in subdivision (b) (3) (ii) of the Rights in Technical Data and
 Computer Software clause at 52.227-7013.

         HEWLETT-PACKARD COMPANY, 3000 Hanover St., Palo Alto, CA 94303

Press any key to continue

Configuration tac_plus.cfg :

id = spawnd {
        listen = { port = 49 }
        spawn = {
                instances min = 1
                instances max = 10
        }
        background = yes
}

id = tac_plus {
        access log = ">/var/log/tac_plus/access/%Y%m%d.log"
        accounting log = ">/var/log/tac_plus/acct/%Y%m%d.log"

        mavis module = external {
                setenv LDAP_SERVER_TYPE = "microsoft"
                setenv LDAP_HOSTS = "ldap://domain.local:389"
                setenv LDAP_SCOPE = sub
                setenv LDAP_BASE = "DC=domain,DC=local"
                setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
                setenv LDAP_USER = "look...@domain.local"
                setenv LDAP_PASSWD = "******"
#               setenv REQUIRE_TACACS_GROUP_PREFIX = 0
                setenv FLAG_USE_MEMBEROF = 1
                exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
        }

        login backend = mavis
        user backend = mavis
        pap backend = mavis

        host = world {
                address = 0.0.0.0/0
                welcome banner = "Welcome to Work. We know your ip: %%c\n"
                enable 15 = clear secret
                key = ciscokey
        }

        group = ADMINS {
            message = "[Admin privileges]"
            default service = permit
            enable = deny
            service = shell {
                default command = permit
                default attribute = permit
                set priv-lvl = 15
            }
        }

        user = rootik {
                member = ADMINS
                login = clear password
                service = shell {
                        set priv-lvl = 15
                }
        }
}


I don't use the "tacacs" prefix since our policy does not allow using this prefix.

Cisco tacacs configuration:

enable secret 5 ****************
!
aaa new-model
!
!
aaa group server tacacs+ TACSERVICE
 server 10.10.0.20
!
aaa authentication login default group TACSERVICE local
aaa authentication login CONSOLE local
aaa authentication enable default enable
aaa authorization config-commands
aaa authorization exec default group TACSERVICE if-authenticated
aaa authorization exec CONSOLE local if-authenticated
aaa authorization commands 15 default group TACSERVICE if-authenticated
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group TACSERVICE
aaa accounting commands 15 default start-stop group TACSERVICE
!
aaa session-id common
!
username admin secret 5 ***********
!
!
tacacs-server host 10.10.0.20 key ciscokey
tacacs-server directed-request
tacacs-server administration
!
line con 0
 exec-timeout 120 0
 login authentication CONSOLE
line aux 0
line vty 0 4
 exec-timeout 120 0
 transport input all
line vty 5 15
 exec-timeout 120 0
 transport input ssh
!

Sorry for my English.
Please help ))

Marc Huber

Oct 3, 2015, 3:06:21 AM
to event-driv...@googlegroups.com
Hi,

On 02.10.15 11:53, Alexandr Ovsyannikov wrote:
> I use Centos 6.7 and
> http://www.pro-bono-publico.de/projects/src/DEVEL.tar.bz2 archive.
> And I have strange problem. After successful login to Cisco router
> using user from Active Directory, Cisco say "% Authorization failed."
that typically happens when mapping AD group membership to TACACS+
membership doesn't succeed. "skip missing groups = yes" may be an option.

Cheers,

Marc

Alexandr Ovsyannikov

Oct 4, 2015, 9:30:12 PM
to Event-Driven Servers
Hello.
I added the option "skip missing groups = yes" to the config:

        access log = ">/var/log/tac_plus/access/%Y%m%d.log"
        accounting log = ">/var/log/tac_plus/acct/%Y%m%d.log"

        skip missing groups = yes


but the situation has not changed.

I noticed another strange situation. When I log in from the console everything is OK; problems arise when I use telnet and ssh.

I changed the aaa configuration on the Cisco:

aaa authentication login default group TACSERVICE local
aaa authentication enable default group TACSERVICE enable
aaa authorization config-commands
aaa authorization exec default group TACSERVICE if-authenticated
aaa authorization commands 15 default group TACSERVICE if-authenticated
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group TACSERVICE
aaa accounting commands 15 default start-stop group TACSERVICE


to use TACACS+ for access through the console.

From console:

Welcome to Work. We know your ip: async

Username: domainuser
Password:

routertest-01>en
routertest-01>enable

*Oct  5 09:07:55: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: domainuser] [Source: 0.0.0.0] [localport: 0] at 09:07:55 KRAST Mon Oct 5 2015
Password:
mix-routertest-01#

The problem is with logging in via ssh.




On Saturday, 3 October 2015 at 14:06:21 UTC+7, Marc Huber wrote:

Daniel.H...@swisscom.com

Oct 5, 2015, 2:38:17 AM
to event-driv...@googlegroups.com

Some Cisco devices don't like receiving attributes they don't expect, unless you configure the device with

            tacacs-server attribute allow unknown


Kind regards,

Daniel

Alexandr Ovsyannikov

Oct 5, 2015, 2:47:54 AM
to Event-Driven Servers, Daniel.H...@swisscom.com
This command has not helped.

Logging in to the device via ssh and telnet still fails, but from the console I can access the device without any problems.

On Monday, 5 October 2015 at 13:38:17 UTC+7, Daniel.H...@swisscom.com wrote:

Marc Huber

Oct 5, 2015, 2:53:08 AM
to event-driv...@googlegroups.com
Hi,


On 05.10.15 03:30, Alexandr Ovsyannikov wrote:
> I added the option "skip missing groups = yes" to the config:
> ...
>
> but the situation has not changed.
Well, it was worth a try. Please enable debugging (e.g. "debug = PACKET AUTHEN AUTHOR"); that should show why authorization fails. I'm still guessing that it's the result of an AD-to-TAC+ group mapping failure.

> I noticed another strange situation. When I log in from the console everything is OK; problems arise when I use telnet and ssh.
By default, authorization is disabled on the serial console (and I'd suggest leaving it that way).

Cheers,

Marc

Alexandr Ovsyannikov

Oct 5, 2015, 3:36:52 AM
to Event-Driven Servers
Oct  5 14:25:15 s-tacacs01 tac_plus[4720]: startup (version 201509121904)
Oct  5 14:25:21 s-tacacs01 tac_plus[4668]: SIGHUP: restarting
Oct  5 14:25:21 s-tacacs01 tac_plus[4668]: startup (version 201509121904)
Oct  5 14:25:21 s-tacacs01 tac_plus[4669]: Terminating, no longer needed.
Oct  5 14:25:21 s-tacacs01 tac_plus[4726]: epoll event notification mechanism is being used
Oct  5 14:25:21 s-tacacs01 tac_plus[4726]: bind to [::]:49 succeeded
Oct  5 14:25:21 s-tacacs01 tac_plus[4727]: Version 201509121904 initialized
Oct  5 14:25:21 s-tacacs01 tac_plus[4727]: epoll event notification mechanism is being used
Oct  5 14:25:48 s-tacacs01 tac_plus[4727]: 10.20.0.15: shell login for 'domainuser' from 10.0.0.10 on tty322 succeeded



tail -f /var/log/tac_plus/acct/20151005.log
2015-10-05 14:25:50 +0700       10.20.0.15           tty322  10.0.0.10   stop    task_id=6       timezone=KRAST  service=shell   disc-cause=9    disc-cause-ext=38       pre-session-time=5  elapsed_time=0   stop_time=1444032558


and the log when accessing via the console:
Oct  5 14:30:22 s-tacacs01 tac_plus[4727]: 10.20.0.15: shell login for 'domainuser' from async on tty0 succeeded
Oct  5 14:31:03 s-tacacs01 tac_plus[4727]: 10.20.0.15: enable 15 for 'domainuser' from async on tty0 succeeded

tail -f /var/log/tac_plus/acct/20151005.log
2015-10-05 14:30:22 +0700       10.20.0.15   domainuser  tty0    async   start   task_id=7       timezone=KRAST  service=shell






On Monday, 5 October 2015 at 13:53:08 UTC+7, Marc Huber wrote:

Daniel.H...@swisscom.com

Oct 5, 2015, 3:54:40 AM
to event-driv...@googlegroups.com
Have you tried enabling debugging on the Cisco device, like with

debug aaa authentication
debug aaa authorization
debug tacacs

and checking the console for messages generated when you fail to login through telnet/ssh?

Daniel

Alexandr Ovsyannikov

Oct 5, 2015, 4:45:17 AM
to Event-Driven Servers, Daniel.H...@swisscom.com
I enabled

        debug aaa authentication 
        debug aaa authorization 
        debug tacacs 

Using ssh:

Logs for this message:

login as: domainuser
Using keyboard-interactive authentication.
Welcome to Work. We know your ip: 10.0.0.10

Password:
% Authorization failed.

*Oct  5 16:01:07: AAA/BIND(00000003): Bind i/f
*Oct  5 16:01:07: AAA/AUTHEN/LOGIN (00000003): Pick method list 'default'
*Oct  5 16:01:07: TPLUS: Queuing AAA Authentication request 3 for processing
*Oct  5 16:01:07: TPLUS: processing authentication start request id 3
*Oct  5 16:01:07: TPLUS: Authentication start packet created for 3(domainuser)
*Oct  5 16:01:07: TPLUS: Using server 10.10.0.20
*Oct  5 16:01:07: TPLUS(00000003)/0/NB_WAIT/45EFF170: Started 5 sec timeout
*Oct  5 16:01:07: TPLUS(00000003)/0/NB_WAIT: socket event 2
*Oct  5 16:01:07: TPLUS(00000003)/0/NB_WAIT: wrote entire 53 bytes request
*Oct  5 16:01:07: TPLUS(00000003)/0/READ: socket event 1
*Oct  5 16:01:07: TPLUS(00000003)/0/READ: Would block while reading
*Oct  5 16:01:07: TPLUS(00000003)/0/READ: socket event 1
*Oct  5 16:01:07: TPLUS(00000003)/0/READ: read entire 12 header bytes (expect 68 bytes data)
*Oct  5 16:01:07: TPLUS(00000003)/0/READ: socket event 1
*Oct  5 16:01:07: TPLUS(00000003)/0/READ: read entire 80 bytes response
*Oct  5 16:01:07: TPLUS(00000003)/0/45EFF170: Processing the reply packet
*Oct  5 16:01:07: TPLUS: Received authen response status GET_PASSWORD (8)
*Oct  5 16:01:10: TPLUS: Queuing AAA Authentication request 3 for processing
*Oct  5 16:01:10: TPLUS: processing authentication continue request id 3
*Oct  5 16:01:10: TPLUS: Authentication continue packet generated for 3
*Oct  5 16:01:10: TPLUS(00000003)/0/WRITE/45EFF170: Started 5 sec timeout
*Oct  5 16:01:10: TPLUS(00000003)/0/WRITE: wrote entire 28 bytes request
*Oct  5 16:01:10: TPLUS(00000003)/0/READ: socket event 1
*Oct  5 16:01:10: TPLUS(00000003)/0/READ: read entire 12 header bytes (expect 6 bytes data)
*Oct  5 16:01:10: TPLUS(00000003)/0/READ: socket event 1
*Oct  5 16:01:10: TPLUS(00000003)/0/READ: read entire 18 bytes response
*Oct  5 16:01:10: TPLUS(00000003)/0/45EFF170: Processing the reply packet
*Oct  5 16:01:10: TPLUS: Received authen response status PASS (2)
*Oct  5 16:01:10: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: domainuser] [Source: 10.0.0.10] [localport: 22] at 16:01:10 KRAST Mon Oct 5 2015
*Oct  5 16:01:10: AAA/AUTHOR (0x3): Pick method list 'default'
*Oct  5 16:01:10: TPLUS: Queuing AAA Authorization request 3 for processing
*Oct  5 16:01:10: TPLUS: processing authorization request id 3
*Oct  5 16:01:10: TPLUS: Protocol set to None .....Skipping
*Oct  5 16:01:10: TPLUS: Sending AV service=shell
*Oct  5 16:01:10: TPLUS: Sending AV cmd*
*Oct  5 16:01:10: TPLUS: Authorization request created for 3(domainuser)
*Oct  5 16:01:10: TPLUS: using previously set server 10.10.0.20 from group TACSERVICE
*Oct  5 16:01:10: TPLUS(00000003)/0/NB_WAIT/45E79A24: Started 5 sec timeout
*Oct  5 16:01:10: TPLUS(00000003)/0/NB_WAIT: socket event 2
*Oct  5 16:01:10: TPLUS(00000003)/0/NB_WAIT: wrote entire 72 bytes request
*Oct  5 16:01:10: TPLUS(00000003)/0/READ: socket event 1
*Oct  5 16:01:10: TPLUS(00000003)/0/READ: Would block while reading
*Oct  5 16:01:10: TPLUS(00000003)/0/READ: socket event 1
*Oct  5 16:01:10: TPLUS(00000003)/0/READ: read entire 12 header bytes (expect 6 bytes data)
*Oct  5 16:01:10: TPLUS(00000003)/0/READ: socket event 1
*Oct  5 16:01:10: TPLUS(00000003)/0/READ: read entire 18 bytes response
*Oct  5 16:01:10: TPLUS(00000003)/0/45E79A24: Processing the reply packet
*Oct  5 16:01:10: TPLUS: received authorization response for 3: FAIL
*Oct  5 16:01:10: AAA/AUTHOR/EXEC(00000003): Authorization FAILED
*Oct  5 16:01:12: TPLUS: Queuing AAA Accounting request 3 for processing
*Oct  5 16:01:12: TPLUS: processing accounting request id 3
*Oct  5 16:01:12: TPLUS: Sending AV task_id=8
*Oct  5 16:01:12: TPLUS: Sending AV timezone=KRAST
*Oct  5 16:01:12: TPLUS: Sending AV service=shell
*Oct  5 16:01:12: TPLUS: Sending AV disc-cause=9
*Oct  5 16:01:12: TPLUS: Sending AV disc-cause-ext=38
*Oct  5 16:01:12: TPLUS: Sending AV pre-session-time=5
*Oct  5 16:01:12: TPLUS: Sending AV elapsed_time=0
*Oct  5 16:01:12: TPLUS: Sending AV stop_time=1444035672
*Oct  5 16:01:12: TPLUS: Accounting request created for 3()
*Oct  5 16:01:12: TPLUS: using previously set server 10.10.0.20 from group TACSERVICE
*Oct  5 16:01:12: TPLUS(00000003)/0/NB_WAIT/45E79A24: Started 5 sec timeout
*Oct  5 16:01:12: TPLUS(00000003)/0/NB_WAIT: socket event 2
*Oct  5 16:01:12: TPLUS(00000003)/0/NB_WAIT: wrote entire 165 bytes request
*Oct  5 16:01:12: TPLUS(00000003)/0/READ: socket event 1
*Oct  5 16:01:12: TPLUS(00000003)/0/READ: Would block while reading
*Oct  5 16:01:12: TPLUS(00000003)/0/READ: socket event 1
*Oct  5 16:01:12: TPLUS(00000003)/0/READ: read entire 12 header bytes (expect 5 bytes data)
*Oct  5 16:01:12: TPLUS(00000003)/0/READ: socket event 1
*Oct  5 16:01:12: TPLUS(00000003)/0/READ: read entire 17 bytes response
*Oct  5 16:01:12: TPLUS(00000003)/0/45E79A24: Processing the reply packet
*Oct  5 16:01:12: TPLUS: Received accounting response with status PASS



And I deliberately entered a wrong password on the Cisco device:

login as: domainuser
Using keyboard-interactive authentication.
Welcome to Work. We know your ip: 10.0.0.10

Password:
Using keyboard-interactive authentication.
Password incorrect.
Access denied
Using keyboard-interactive authentication.
Welcome to Work. We know your ip: 10.0.0.10

Password:

log from Cisco:
*Oct  5 16:05:51: AAA/BIND(00000005): Bind i/f
*Oct  5 16:05:51: AAA/AUTHEN/LOGIN (00000005): Pick method list 'default'
*Oct  5 16:05:51: TPLUS: Queuing AAA Authentication request 5 for processing
*Oct  5 16:05:51: TPLUS: processing authentication start request id 5
*Oct  5 16:05:51: TPLUS: Authentication start packet created for 5(domainuser)
*Oct  5 16:05:51: TPLUS: Using server 10.10.0.20
*Oct  5 16:05:51: TPLUS(00000005)/1/NB_WAIT/45F1CB58: Started 5 sec timeout
*Oct  5 16:05:51: TPLUS(00000005)/1/NB_WAIT: socket event 2
*Oct  5 16:05:51: TPLUS(00000005)/1/NB_WAIT: wrote entire 53 bytes request
*Oct  5 16:05:51: TPLUS(00000005)/1/READ: socket event 1
*Oct  5 16:05:51: TPLUS(00000005)/1/READ: Would block while reading
*Oct  5 16:05:51: TPLUS(00000005)/1/READ: socket event 1
*Oct  5 16:05:51: TPLUS(00000005)/1/READ: read entire 12 header bytes (expect 68 bytes data)
*Oct  5 16:05:51: TPLUS(00000005)/1/READ: socket event 1
*Oct  5 16:05:51: TPLUS(00000005)/1/READ: read entire 80 bytes response
*Oct  5 16:05:51: TPLUS(00000005)/1/45F1CB58: Processing the reply packet
*Oct  5 16:05:51: TPLUS: Received authen response status GET_PASSWORD (8)
*Oct  5 16:05:54: TPLUS: Queuing AAA Authentication request 5 for processing
*Oct  5 16:05:54: TPLUS: processing authentication continue request id 5
*Oct  5 16:05:54: TPLUS: Authentication continue packet generated for 5
*Oct  5 16:05:54: TPLUS(00000005)/1/WRITE/45F1CB58: Started 5 sec timeout
*Oct  5 16:05:54: TPLUS(00000005)/1/WRITE: wrote entire 27 bytes request
*Oct  5 16:05:54: TPLUS(00000005)/1/READ: socket event 1
*Oct  5 16:05:54: TPLUS(00000005)/1/READ: read entire 12 header bytes (expect 26 bytes data)
*Oct  5 16:05:54: TPLUS(00000005)/1/READ: socket event 1
*Oct  5 16:05:54: TPLUS(00000005)/1/READ: read entire 38 bytes response
*Oct  5 16:05:54: TPLUS(00000005)/1/45F1CB58: Processing the reply packet
*Oct  5 16:05:54: TPLUS: Received authen response status FAIL (3)
*Oct  5 16:05:56: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: domainuser] [Source: 10.0.0.10] [localport: 22] [Reason: Login Authentication Failed] at 16:05:56 KRAST Mon Oct 5 2015
*Oct  5 16:05:56: AAA/AUTHEN/LOGIN (00000005): Pick method list 'default'
*Oct  5 16:05:56: TPLUS: Queuing AAA Authentication request 5 for processing
*Oct  5 16:05:56: TPLUS: processing authentication start request id 5
*Oct  5 16:05:56: TPLUS: Authentication start packet created for 5(domainuser)
*Oct  5 16:05:56: TPLUS: Using server 10.10.0.20
*Oct  5 16:05:56: TPLUS(00000005)/1/NB_WAIT/45F1CB58: Started 5 sec timeout
*Oct  5 16:05:56: TPLUS(00000005)/1/NB_WAIT: socket event 2
*Oct  5 16:05:56: TPLUS(00000005)/1/NB_WAIT: wrote entire 53 bytes request
*Oct  5 16:05:56: TPLUS(00000005)/1/READ: socket event 1
*Oct  5 16:05:56: TPLUS(00000005)/1/READ: Would block while reading
*Oct  5 16:05:56: TPLUS(00000005)/1/READ: socket event 1
*Oct  5 16:05:56: TPLUS(00000005)/1/READ: read entire 12 header bytes (expect 68 bytes data)
*Oct  5 16:05:56: TPLUS(00000005)/1/READ: socket event 1
*Oct  5 16:05:56: TPLUS(00000005)/1/READ: read entire 80 bytes response
*Oct  5 16:05:56: TPLUS(00000005)/1/45F1CB58: Processing the reply packet
*Oct  5 16:05:56: TPLUS: Received authen response status GET_PASSWORD (8)


Using telnet:
Welcome to Work. We know your ip: 10.0.0.10

Username: domainuser
Password:
% Authorization failed.

*Oct  5 16:16:38: AAA/BIND(00000008): Bind i/f
*Oct  5 16:16:38: AAA/AUTHEN/LOGIN (00000008): Pick method list 'default'
*Oct  5 16:16:38: TPLUS: Queuing AAA Authentication request 8 for processing
*Oct  5 16:16:38: TPLUS: processing authentication start request id 8
*Oct  5 16:16:38: TPLUS: Authentication start packet created for 8()
*Oct  5 16:16:38: TPLUS: Using server 10.10.0.20
*Oct  5 16:16:38: TPLUS(00000008)/0/NB_WAIT/45E792C8: Started 5 sec timeout
*Oct  5 16:16:38: TPLUS(00000008)/0/NB_WAIT: socket event 2
*Oct  5 16:16:38: TPLUS(00000008)/0/NB_WAIT: wrote entire 39 bytes request
*Oct  5 16:16:38: TPLUS(00000008)/0/READ: socket event 1
*Oct  5 16:16:38: TPLUS(00000008)/0/READ: Would block while reading
*Oct  5 16:16:38: TPLUS(00000008)/0/READ: socket event 1
*Oct  5 16:16:38: TPLUS(00000008)/0/READ: read entire 12 header bytes (expect 68 bytes data)
*Oct  5 16:16:38: TPLUS(00000008)/0/READ: socket event 1
*Oct  5 16:16:38: TPLUS(00000008)/0/READ: read entire 80 bytes response
*Oct  5 16:16:38: TPLUS(00000008)/0/45E792C8: Processing the reply packet
*Oct  5 16:16:38: TPLUS: Received authen response status GET_USER (7)
*Oct  5 16:16:43: TPLUS: Queuing AAA Authentication request 8 for processing
*Oct  5 16:16:43: TPLUS: processing authentication continue request id 8
*Oct  5 16:16:43: TPLUS: Authentication continue packet generated for 8
*Oct  5 16:16:43: TPLUS(00000008)/0/WRITE/45FC1260: Started 5 sec timeout
*Oct  5 16:16:43: TPLUS(00000008)/0/WRITE: wrote entire 31 bytes request
*Oct  5 16:16:43: TPLUS(00000008)/0/READ: socket event 1
*Oct  5 16:16:43: TPLUS(00000008)/0/READ: read entire 12 header bytes (expect 16 bytes data)
*Oct  5 16:16:43: TPLUS(00000008)/0/READ: socket event 1
*Oct  5 16:16:43: TPLUS(00000008)/0/READ: read entire 28 bytes response
*Oct  5 16:16:43: TPLUS(00000008)/0/45FC1260: Processing the reply packet
*Oct  5 16:16:43: TPLUS: Received authen response status GET_PASSWORD (8)
*Oct  5 16:16:46: TPLUS: Queuing AAA Authentication request 8 for processing
*Oct  5 16:16:46: TPLUS: processing authentication continue request id 8
*Oct  5 16:16:46: TPLUS: Authentication continue packet generated for 8
*Oct  5 16:16:46: TPLUS(00000008)/0/WRITE/45FC1260: Started 5 sec timeout
*Oct  5 16:16:46: TPLUS(00000008)/0/WRITE: wrote entire 28 bytes request
*Oct  5 16:16:46: TPLUS(00000008)/0/READ: socket event 1
*Oct  5 16:16:46: TPLUS(00000008)/0/READ: read entire 12 header bytes (expect 6 bytes data)
*Oct  5 16:16:46: TPLUS(00000008)/0/READ: socket event 1
*Oct  5 16:16:46: TPLUS(00000008)/0/READ: read entire 18 bytes response
*Oct  5 16:16:46: TPLUS(00000008)/0/45FC1260: Processing the reply packet
*Oct  5 16:16:46: TPLUS: Received authen response status PASS (2)
*Oct  5 16:16:46: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: domainuser] [Source: 10.0.0.10] [localport: 23] at 16:16:46 KRAST Mon Oct 5 2015
*Oct  5 16:16:46: AAA/AUTHOR (0x8): Pick method list 'default'
*Oct  5 16:16:46: TPLUS: Queuing AAA Authorization request 8 for processing
*Oct  5 16:16:46: TPLUS: processing authorization request id 8
*Oct  5 16:16:46: TPLUS: Protocol set to None .....Skipping
*Oct  5 16:16:46: TPLUS: Sending AV service=shell
*Oct  5 16:16:46: TPLUS: Sending AV cmd*
*Oct  5 16:16:46: TPLUS: Authorization request created for 8(domainuser)
*Oct  5 16:16:46: TPLUS: using previously set server 10.10.0.20 from group TACSERVICE
*Oct  5 16:16:46: TPLUS(00000008)/0/NB_WAIT/45FC1260: Started 5 sec timeout
*Oct  5 16:16:46: TPLUS(00000008)/0/NB_WAIT: socket event 2
*Oct  5 16:16:46: TPLUS(00000008)/0/NB_WAIT: wrote entire 72 bytes request
*Oct  5 16:16:46: TPLUS(00000008)/0/READ: socket event 1
*Oct  5 16:16:46: TPLUS(00000008)/0/READ: Would block while reading
*Oct  5 16:16:46: TPLUS(00000008)/0/READ: socket event 1
*Oct  5 16:16:46: TPLUS(00000008)/0/READ: read entire 12 header bytes (expect 6 bytes data)
*Oct  5 16:16:46: TPLUS(00000008)/0/READ: socket event 1
*Oct  5 16:16:46: TPLUS(00000008)/0/READ: read entire 18 bytes response
*Oct  5 16:16:46: TPLUS(00000008)/0/45FC1260: Processing the reply packet
*Oct  5 16:16:46: TPLUS: received authorization response for 8: FAIL
*Oct  5 16:16:46: AAA/AUTHOR/EXEC(00000008): Authorization FAILED
*Oct  5 16:16:48: TPLUS: Queuing AAA Accounting request 8 for processing
*Oct  5 16:16:48: TPLUS: processing accounting request id 8
*Oct  5 16:16:48: TPLUS: Sending AV task_id=13
*Oct  5 16:16:48: TPLUS: Sending AV timezone=KRAST
*Oct  5 16:16:48: TPLUS: Sending AV service=shell
*Oct  5 16:16:48: TPLUS: Sending AV disc-cause=9
*Oct  5 16:16:48: TPLUS: Sending AV disc-cause-ext=38
*Oct  5 16:16:48: TPLUS: Sending AV pre-session-time=9
*Oct  5 16:16:48: TPLUS: Sending AV elapsed_time=0
*Oct  5 16:16:48: TPLUS: Sending AV stop_time=1444036608
*Oct  5 16:16:48: TPLUS: Accounting request created for 8()
*Oct  5 16:16:48: TPLUS: using previously set server 10.10.0.20 from group TACSERVICE
*Oct  5 16:16:48: TPLUS(00000008)/0/NB_WAIT/45FC1260: Started 5 sec timeout
*Oct  5 16:16:48: TPLUS(00000008)/0/NB_WAIT: socket event 2
*Oct  5 16:16:48: TPLUS(00000008)/0/NB_WAIT: wrote entire 166 bytes request
*Oct  5 16:16:48: TPLUS(00000008)/0/READ: socket event 1
*Oct  5 16:16:48: TPLUS(00000008)/0/READ: Would block while reading
*Oct  5 16:16:48: TPLUS(00000008)/0/READ: socket event 1
*Oct  5 16:16:48: TPLUS(00000008)/0/READ: read entire 12 header bytes (expect 5 bytes data)
*Oct  5 16:16:48: TPLUS(00000008)/0/READ: socket event 1
*Oct  5 16:16:48: TPLUS(00000008)/0/READ: read entire 17 bytes response
*Oct  5 16:16:48: TPLUS(00000008)/0/45FC1260: Processing the reply packet
*Oct  5 16:16:48: TPLUS: Received accounting response with status PASS


Using a wrong password:

Welcome to Work. We know your ip: 10.0.0.10

Username: domainuser
Password:
Password incorrect.


Welcome to Work. We know your ip: 10.0.0.10

Username:

*Oct  5 16:21:30: AAA/BIND(0000000B): Bind i/f
*Oct  5 16:21:30: AAA/AUTHEN/LOGIN (0000000B): Pick method list 'default'
*Oct  5 16:21:30: TPLUS: Queuing AAA Authentication request 11 for processing
*Oct  5 16:21:30: TPLUS: processing authentication start request id 11
*Oct  5 16:21:30: TPLUS: Authentication start packet created for 11()
*Oct  5 16:21:30: TPLUS: Using server 10.10.0.20
*Oct  5 16:21:30: TPLUS(0000000B)/0/NB_WAIT/45E792C8: Started 5 sec timeout
*Oct  5 16:21:30: TPLUS(0000000B)/0/NB_WAIT: socket event 2
*Oct  5 16:21:30: TPLUS(0000000B)/0/NB_WAIT: wrote entire 39 bytes request
*Oct  5 16:21:30: TPLUS(0000000B)/0/READ: socket event 1
*Oct  5 16:21:30: TPLUS(0000000B)/0/READ: Would block while reading
*Oct  5 16:21:30: TPLUS(0000000B)/0/READ: socket event 1
*Oct  5 16:21:30: TPLUS(0000000B)/0/READ: read entire 12 header bytes (expect 68 bytes data)
*Oct  5 16:21:30: TPLUS(0000000B)/0/READ: socket event 1
*Oct  5 16:21:30: TPLUS(0000000B)/0/READ: read entire 80 bytes response
*Oct  5 16:21:30: TPLUS(0000000B)/0/45E792C8: Processing the reply packet
*Oct  5 16:21:30: TPLUS: Received authen response status GET_USER (7)
*Oct  5 16:21:34: TPLUS: Queuing AAA Authentication request 11 for processing
*Oct  5 16:21:34: TPLUS: processing authentication continue request id 11
*Oct  5 16:21:34: TPLUS: Authentication continue packet generated for 11
*Oct  5 16:21:34: TPLUS(0000000B)/0/WRITE/45FD835C: Started 5 sec timeout
*Oct  5 16:21:34: TPLUS(0000000B)/0/WRITE: wrote entire 31 bytes request
*Oct  5 16:21:34: TPLUS(0000000B)/0/READ: socket event 1
*Oct  5 16:21:34: TPLUS(0000000B)/0/READ: read entire 12 header bytes (expect 16 bytes data)
*Oct  5 16:21:34: TPLUS(0000000B)/0/READ: socket event 1
*Oct  5 16:21:34: TPLUS(0000000B)/0/READ: read entire 28 bytes response
*Oct  5 16:21:34: TPLUS(0000000B)/0/45FD835C: Processing the reply packet
*Oct  5 16:21:34: TPLUS: Received authen response status GET_PASSWORD (8)
*Oct  5 16:21:36: TPLUS: Queuing AAA Authentication request 11 for processing
*Oct  5 16:21:36: TPLUS: processing authentication continue request id 11
*Oct  5 16:21:36: TPLUS: Authentication continue packet generated for 11
*Oct  5 16:21:36: TPLUS(0000000B)/0/WRITE/45FD835C: Started 5 sec timeout
*Oct  5 16:21:36: TPLUS(0000000B)/0/WRITE: wrote entire 26 bytes request
*Oct  5 16:21:36: TPLUS(0000000B)/0/READ: socket event 1
*Oct  5 16:21:36: TPLUS(0000000B)/0/READ: read entire 12 header bytes (expect 26 bytes data)
*Oct  5 16:21:36: TPLUS(0000000B)/0/READ: socket event 1
*Oct  5 16:21:36: TPLUS(0000000B)/0/READ: read entire 38 bytes response
*Oct  5 16:21:36: TPLUS(0000000B)/0/45FD835C: Processing the reply packet
*Oct  5 16:21:36: TPLUS: Received authen response status FAIL (3)
*Oct  5 16:21:38: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.0.0.10] [localport: 23] [Reason: Login Authentication Failed] at 16:21:38 KRAST Mon Oct 5 2015
*Oct  5 16:21:38: AAA/AUTHEN/LOGIN (0000000B): Pick method list 'default'
*Oct  5 16:21:38: TPLUS: Queuing AAA Authentication request 11 for processing
*Oct  5 16:21:38: TPLUS: processing authentication start request id 11
*Oct  5 16:21:38: TPLUS: Authentication start packet created for 11()
*Oct  5 16:21:38: TPLUS: Using server 10.10.0.20
*Oct  5 16:21:38: TPLUS(0000000B)/0/NB_WAIT/45FD835C: Started 5 sec timeout
*Oct  5 16:21:38: TPLUS(0000000B)/0/NB_WAIT: socket event 2
*Oct  5 16:21:38: TPLUS(0000000B)/0/NB_WAIT: wrote entire 39 bytes request
*Oct  5 16:21:38: TPLUS(0000000B)/0/READ: socket event 1
*Oct  5 16:21:38: TPLUS(0000000B)/0/READ: Would block while reading
*Oct  5 16:21:38: TPLUS(0000000B)/0/READ: socket event 1
*Oct  5 16:21:38: TPLUS(0000000B)/0/READ: read entire 12 header bytes (expect 68 bytes data)
*Oct  5 16:21:38: TPLUS(0000000B)/0/READ: socket event 1
*Oct  5 16:21:38: TPLUS(0000000B)/0/READ: read entire 80 bytes response
*Oct  5 16:21:38: TPLUS(0000000B)/0/45FD835C: Processing the reply packet
*Oct  5 16:21:38: TPLUS: Received authen response status GET_USER (7)





On Monday, 5 October 2015 at 14:54:40 UTC+7, Daniel.H...@swisscom.com wrote:
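To read captures like the one above at scale, here is an added example (written for this page; it is not tac_plus or IOS code) that parses `debug tacacs` / `debug aaa` lines, groups them by AAA session id and separates an ordinary wrong password (authen FAIL) from the symptom in this thread (authen PASS followed by an exec authorization FAIL for `service=shell`, `cmd*`). The sample lines are a constructed, condensed copy of the ssh session and the wrong-password session shown above; the regexes assume the line formats seen there.

```python
import re

# Constructed sample: a condensed copy of the ssh session (id 3, authorization
# failed) and the wrong-password session (id 5) from the debug output above.
SAMPLE_LOG = """\
*Oct  5 16:01:07: AAA/AUTHEN/LOGIN (00000003): Pick method list 'default'
*Oct  5 16:01:07: TPLUS: Authentication start packet created for 3(domainuser)
*Oct  5 16:01:07: TPLUS: Received authen response status GET_PASSWORD (8)
*Oct  5 16:01:10: TPLUS(00000003)/0/45EFF170: Processing the reply packet
*Oct  5 16:01:10: TPLUS: Received authen response status PASS (2)
*Oct  5 16:01:10: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: domainuser] [Source: 10.0.0.10] [localport: 22] at 16:01:10 KRAST Mon Oct 5 2015
*Oct  5 16:01:10: AAA/AUTHOR (0x3): Pick method list 'default'
*Oct  5 16:01:10: TPLUS: Queuing AAA Authorization request 3 for processing
*Oct  5 16:01:10: TPLUS: Sending AV service=shell
*Oct  5 16:01:10: TPLUS: Sending AV cmd*
*Oct  5 16:01:10: TPLUS: Authorization request created for 3(domainuser)
*Oct  5 16:01:10: TPLUS: received authorization response for 3: FAIL
*Oct  5 16:01:10: AAA/AUTHOR/EXEC(00000003): Authorization FAILED
*Oct  5 16:05:51: AAA/AUTHEN/LOGIN (00000005): Pick method list 'default'
*Oct  5 16:05:51: TPLUS: Authentication start packet created for 5(domainuser)
*Oct  5 16:05:51: TPLUS: Received authen response status GET_PASSWORD (8)
*Oct  5 16:05:54: TPLUS(00000005)/1/45F1CB58: Processing the reply packet
*Oct  5 16:05:54: TPLUS: Received authen response status FAIL (3)
"""

TS_RE = re.compile(r'^\*?[A-Za-z]{3}\s+\d+\s+[\d:]+:\s+')  # "*Oct  5 16:01:07: "
# Ways the session id appears in a line (pattern, numeric base). Lines without
# an id ("Received authen response status ...") belong to the last id seen.
SESSION_PATTERNS = [
    (re.compile(r'TPLUS\(([0-9A-Fa-f]{8})\)'), 16),
    (re.compile(r'AAA/[A-Z/]+\s?\((?:0x)?([0-9A-Fa-f]+)\)'), 16),
    (re.compile(r'\brequest (?:id )?(\d+)\b'), 10),
    (re.compile(r'\bcreated for (\d+)\('), 10),
]
USER_RE = re.compile(r'created for \d+\((\w*)\)')
AUTHEN_RE = re.compile(r'Received authen response status (\w+) \(\d+\)')
AUTHOR_RE = re.compile(r'received authorization response for \d+: (\w+)')
AV_RE = re.compile(r'Sending AV (\S+)')
PORT_RE = re.compile(r'\[localport: (\d+)\]')


def new_session():
    return {'user': None, 'phase': None, 'authen': [], 'author': None,
            'avs': {}, 'localport': None}


def parse_tplus_debug(text):
    """Group IOS 'debug tacacs' / 'debug aaa' lines by AAA session id."""
    sessions, current = {}, None
    for raw in text.splitlines():
        line = TS_RE.sub('', raw.strip())
        if not line:
            continue
        for pat, base in SESSION_PATTERNS:
            m = pat.search(line)
            if m:
                current = int(m.group(1), base)
                break
        if current is None:
            continue
        s = sessions.setdefault(current, new_session())
        # Remember which AAA phase the following "Sending AV" lines belong to.
        if 'Authentication start packet' in line:
            s['phase'] = 'authen'
        elif 'AAA Authorization request' in line:
            s['phase'] = 'author'
        elif 'AAA Accounting request' in line:
            s['phase'] = 'acct'
        if (m := USER_RE.search(line)) and m.group(1):
            s['user'] = m.group(1)
        if m := AUTHEN_RE.search(line):
            s['authen'].append(m.group(1))
        if m := AUTHOR_RE.search(line):
            s['author'] = m.group(1)
        if m := AV_RE.search(line):
            s['avs'].setdefault(s['phase'], []).append(m.group(1))
        if m := PORT_RE.search(line):
            s['localport'] = int(m.group(1))
    return sessions


def classify(s):
    """Tell the thread's symptom apart from an ordinary wrong password."""
    if 'PASS' in s['authen'] and s['author'] == 'FAIL':
        return 'AUTHEN_PASS_AUTHOR_FAIL'  # password accepted, exec authorization denied by the server
    if 'PASS' in s['authen']:
        return 'OK'
    if 'FAIL' in s['authen']:
        return 'AUTHEN_FAIL'  # wrong password: authorization was never requested
    return 'INCOMPLETE'


def report(text):
    """One summary line per session, e.g. for grepping a long debug capture."""
    return ['session %d user=%s localport=%s verdict=%s author_avs=%s' % (
                sid, s['user'], s['localport'], classify(s),
                ' '.join(s['avs'].get('author', [])))
            for sid, s in sorted(parse_tplus_debug(text).items())]
```

A verdict of AUTHEN_PASS_AUTHOR_FAIL points at the server-side user or group policy rather than the password, which is exactly the split the thread was trying to establish.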

Daniel.H...@swisscom.com

Oct 5, 2015, 5:26:29 AM
to kea...@gmail.com, event-driv...@googlegroups.com
Have you verified that domainuser is member of group tacacsADMINS in AD?

As in

ldapsearch -H ldap://domain.local:389 -D look...@domain.local -w password -b DC=domain,DC=local -s sub "(&(objectClass=user)(sAMAccountName=domainuser))" memberOf

Daniel

Alexandr Ovsyannikov

Oct 5, 2015, 5:40:10 AM
to Event-Driven Servers, kea...@gmail.com, Daniel.H...@swisscom.com
In the configurations and logs I used fictitious names and domain users ))

Yes, my user has been added to ADMINS. But on the server the group is called ADMINS. The security policy does not allow us to use the "tacacs" prefix.
Using this user I have no problem logging in to the HP ProCurve devices and to the Cisco using the console.




On Monday, 5 October 2015 at 16:26:29 UTC+7, Daniel.H...@swisscom.com wrote:

Daniel.H...@swisscom.com

Oct 5, 2015, 5:49:20 AM
to kea...@gmail.com, event-driv...@googlegroups.com
I would try adding

mavis module = external {
        ...
        setenv AD_GROUP_PREFIX = ""
        setenv UNLIMIT_AD_GROUP_MEMBERSHIP = "1"
        ...
}

Daniel
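To make the prefix problem in the last two messages concrete, here is an added, simplified model (written for this page, not the code of mavis_tacplus_ldap.pl) of how a memberOf list from the ldapsearch above becomes TACACS+ group names under a group-name prefix and a one-group limit, and what the thread's tac_plus.cfg then decides for `service=shell`. The DNs are constructed, and the exact semantics of AD_GROUP_PREFIX and UNLIMIT_AD_GROUP_MEMBERSHIP are assumptions for illustration, not taken from the mavis script.

```python
import re

# Constructed sample: memberOf values the ldapsearch above could return for
# "domainuser" (fictitious DNs, like the rest of the thread).
SAMPLE_MEMBER_OF = [
    "CN=ADMINS,OU=Groups,DC=domain,DC=local",
    "CN=Domain Users,CN=Users,DC=domain,DC=local",
]
# Groups defined in the tac_plus.cfg above (only ADMINS).
TACPLUS_GROUPS = {"ADMINS"}

# Leading RDN of a group DN; handles RFC 4514 escapes such as "\," in the CN.
CN_RE = re.compile(r'^CN=((?:\\.|[^,\\])+)', re.IGNORECASE)


def group_cn(dn):
    """Return the unescaped CN of a group DN, or None if it does not start with CN=."""
    m = CN_RE.match(dn)
    return re.sub(r'\\(.)', r'\1', m.group(1)) if m else None


def map_ad_groups(member_of, prefix, unlimited=False):
    """Model of prefix-based AD-to-TACACS+ group mapping (assumed semantics).

    An AD group counts only if its CN starts with `prefix` (case-insensitive);
    the prefix is stripped to give the TACACS+ group name, so with the default
    prefix "tacacs" an AD group "tacacsADMINS" maps to "ADMINS". With
    unlimited=False only the first memberOf entry is examined at all, which is
    the one-group limit this model assumes UNLIMIT_AD_GROUP_MEMBERSHIP lifts.
    """
    candidates = member_of if unlimited else member_of[:1]
    mapped = []
    for dn in candidates:
        cn = group_cn(dn)
        if cn is not None and cn.lower().startswith(prefix.lower()):
            mapped.append(cn[len(prefix):])
    return mapped


def exec_authorization(member_of, prefix, unlimited=False):
    """service=shell decision the way the thread's tac_plus.cfg would make it.

    Landing in a defined group means PASS (the group carries
    'default service = permit'); a user with no mapped group has no service
    definitions at all, so the exec authorization is FAIL.
    """
    groups = [g for g in map_ad_groups(member_of, prefix, unlimited)
              if g in TACPLUS_GROUPS]
    return ("PASS" if groups else "FAIL", groups)
```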

Alexandr Ovsyannikov

Oct 5, 2015, 6:00:42 AM
to Event-Driven Servers, kea...@gmail.com, Daniel.H...@swisscom.com
Thank you very much.
I added these lines to the configuration, and everything worked as it should.

Best regards ))

On Monday, 5 October 2015 at 16:49:20 UTC+7, Daniel.H...@swisscom.com wrote:

Alexandr Ovsyannikov

Oct 5, 2015, 11:11:15 PM
to Event-Driven Servers, kea...@gmail.com, Daniel.H...@swisscom.com
oops ))

Today I discovered a problem after adding these lines: the enable password does not work.

Welcome to Work. We know your ip: async

Username: domainuser
Password:

[Admin privileges]

routertest-01>
*Oct  6 10:48:47: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: domainuser] [Source: 0.0.0.0] [localport: 0] at 10:48:47 KRAST Tue Oct 6 2015en
routertest-01>enable
Password:
Permission denied.

routertest-01>


If I remove these lines from the configuration, the enable password works, but the problem with logging in via ssh and telnet returns.


On Monday, 5 October 2015 at 16:49:20 UTC+7, Daniel.H...@swisscom.com wrote:
> I would try adding

Alexandr Ovsyannikov

Oct 6, 2015, 12:03:44 AM
to Event-Driven Servers, kea...@gmail.com, Daniel.H...@swisscom.com
As an option, to remove the enable authorization via the console:

aaa authorization console


But this contradicts security.


On Monday, 5 October 2015 at 16:49:20 UTC+7, Daniel.H...@swisscom.com wrote:
> I would try adding