Re: PacketLogic tacacs login problem


Marc Huber

Sep 29, 2012, 3:10:16 AM
to event-driv...@googlegroups.com
Hi Andreas,

On 28.09.12 21:18, Andreas Jacobi wrote:
> Hi,
>
> Got some problems when a PacketLogic from Procera Networks is going to
> authenticate users using your tacacs server. It uses pap and it works
> with the tacacs version from shrubbery but I have migrated to your
> software now and would like to continue to use tacacs logins on the
> PacketLogic.
> This is the error I get on the tacacs server:
<snip>
> 7191: 21:01:53.512 1/00000000: data_len=0
The packet doesn't contain a password (are you actually using an empty
one?), and judging from
> 7191: 21:01:53.512 1/00000000: 1.1.1.1 (null): Invalid or unsupported
> AUTHEN/START (action=1 authen_type=2)
> 7191: 21:01:53.512 1/00000000: Writing AUTHEN/ERROR size=78
> 7191: 21:01:53.514 0/00000000: 1.1.1.1: Stray packet (sequence number:
> 3) for session 00000000
your PL tries to send another packet after the daemon already rejected
the initial AUTHEN/START packet. The PL might want to send the password
in that last packet. For Inbound PAP, that would be a protocol
violation. To quote from draft-grant-tacacs-02.txt: "The entire exchange
MUST consist of a single START packet and a single REPLY. The START
packet MUST contain a username and the data field MUST contain the PAP
ASCII password. A PAP authentication only consists of a username and
password [4]. The REPLY from the daemon MUST be either a PASS or FAIL."

Or are you indeed trying this with an empty password?
> Also, the "unencrypted" tag does that mean that the packets are
> unencrypted even though a key is used?
No (and I agree that it's misleading in this context).

Cheers,

Marc

Andreas Jacobi

Sep 29, 2012, 4:27:58 AM
to event-driv...@googlegroups.com, marc.j...@googlemail.com
Hi,

First of all thanks for your quick reply.

No, not using an empty password.
I will contact their support and ask them about it.


// Andreas

Marc Huber

Sep 29, 2012, 6:48:27 AM
to event-driv...@googlegroups.com
Hi Andreas,

I've just uploaded a new snapshot, DEVEL.201209291242.tar.bz2, which
might support the broken PacketLogic PAP authentication if

pap two-step = yes

is configured at realm or host level. Could you please check if that
fixes the PAP problem you've seen?

Cheers,

Marc

Andreas Jacobi

Sep 29, 2012, 7:07:41 AM
to event-driv...@googlegroups.com, marc.j...@googlemail.com
Hi,

Still the same problem and the debug output is identical. I tried placing the "pap two-step = yes" both on a global level and at the host in question.

// Andreas

Marc Huber

Sep 29, 2012, 7:24:34 AM
to event-driv...@googlegroups.com
Hi Andreas,
my guess about the packet contents expected might have been wrong, and
I'd need to see the actual packet flow (unencrypted) of a successful
authentication to implement a workaround. Can you arrange that?

Cheers,

Marc

Andreas Jacobi

Sep 29, 2012, 7:49:04 AM
to event-driv...@googlegroups.com, marc.j...@googlemail.com
Hi,

Yes I could arrange that. By packet flow you mean a tcpdump, right? Do you need a debug from the tac_plus app as well? If yes any particular debug options I should activate?
I won't have time to do it now but hopefully in the beginning of next week.



// Andreas

Marc Huber

Sep 29, 2012, 8:00:36 AM
to event-driv...@googlegroups.com
Hi Andreas,

On 29.09.12 13:49, Andreas Jacobi wrote:
> Yes I could arrange that. By packet flow you mean a tcpdump, right? Do you need a debug from the tac_plus app as well? If yes any particular debug options I should activate?
> I won't have time to do it now but hopefully in the beginning of next week.
a tcpdump packet capture would be fine. However, I'd prefer a *successful* authentication session for that, so, alas, you'd have to use the shrubbery daemon. If that's out of scope I'd be interested in the "debug = PACKET" output (which should, with "pap two-step = yes" enabled, show the contents of the third packet, too).

Cheers,

Marc

Andreas Jacobi

Oct 2, 2012, 5:21:12 AM
to event-driv...@googlegroups.com, marc.j...@googlemail.com
Hi,

I have the captures, do you have an email I could send them to (I don't want them to be public)?


// Andreas

Marc Huber

Oct 2, 2012, 11:27:14 AM
to event-driv...@googlegroups.com, Andreas Jacobi
Hi Andreas,

On 02.10.12 11:21, Andreas Jacobi wrote:
> I have the captures, do you have an email I could send them to (I
> don't want them to be public)?
marc.j...@googlemail.com or marc....@web.de

Cheers,

Marc

Marc Huber

Oct 2, 2012, 2:56:05 PM
to event-driv...@googlegroups.com
Hi Andreas,

while the capture wasn't really useful without the server key, the debug
output was. Your PacketLogic device is using the minor_version 0 PAP
method, and the daemon did only recognize minor_version 1.

You could give DEVEL.201210022050.tar.bz2 a shot -- I'm pretty certain
that the older PAP version will work now.

Thanks,

Marc
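
The minor-version distinction from the message above, as an added example (not part of the original posts and not tac_plus code): it parses a clear-text AUTHEN/START body with strict length checks and reports whether the password should already be in the START packet. The function, enum and array names are this example's own; the first sample body is the one shown in the debug log in this thread, the second is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum pap_flow {
    PAP_MALFORMED = -1,  /* bad version byte or inconsistent length fields */
    PAP_NOT_PAP,         /* authen_type is something other than PAP (2) */
    PAP_SINGLE_START,    /* minor version 1: password is in the START data field */
    PAP_START_NO_DATA,   /* minor version 1, empty data: empty password or broken client */
    PAP_NEEDS_GETPASS    /* minor version 0: START has no password, daemon must ask */
};

struct authen_start {
    uint8_t action, priv_lvl, authen_type, service;
    uint8_t user_len, port_len, rem_addr_len, data_len;
    const uint8_t *user, *port, *rem_addr, *data;
};

/* Parse a clear-text AUTHEN/START body. Returns -1 unless the four length
 * bytes add up to exactly the bytes that follow the 8-byte fixed part. */
int parse_authen_start(const uint8_t *b, size_t len, struct authen_start *s)
{
    if (len < 8)
        return -1;
    s->action = b[0];       s->priv_lvl = b[1];
    s->authen_type = b[2];  s->service = b[3];
    s->user_len = b[4];     s->port_len = b[5];
    s->rem_addr_len = b[6]; s->data_len = b[7];
    if (8u + s->user_len + s->port_len + s->rem_addr_len + s->data_len != len)
        return -1;
    s->user = b + 8;
    s->port = s->user + s->user_len;
    s->rem_addr = s->port + s->port_len;
    s->data = s->rem_addr + s->rem_addr_len;
    return 0;
}

/* version is the first header byte: major in the high nibble (0xc),
 * minor in the low nibble. The log's "version: 192" is 0xc0, minor 0. */
enum pap_flow classify_pap(uint8_t version, const uint8_t *body, size_t len)
{
    struct authen_start s;
    if ((version >> 4) != 0xc || parse_authen_start(body, len, &s) != 0)
        return PAP_MALFORMED;
    if (s.authen_type != 2)
        return PAP_NOT_PAP;
    if ((version & 0x0f) == 1)
        return s.data_len ? PAP_SINGLE_START : PAP_START_NO_DATA;
    if ((version & 0x0f) == 0)
        return PAP_NEEDS_GETPASS;
    return PAP_MALFORMED;   /* unknown minor version */
}

/* START body as it appears in the debug log in this thread (user "test"). */
static const uint8_t START_FROM_LOG[] = { 1, 1, 2, 1, 4, 0, 0, 0, 't', 'e', 's', 't' };
/* Constructed sample: same user, 6-byte password in the data field. */
static const uint8_t START_MINOR1[] = { 1, 1, 2, 1, 4, 0, 0, 6,
                                        't', 'e', 's', 't', 's', 'e', 'c', 'r', 'e', 't' };

int main(void)
{
    printf("log packet, version 192: %d\n",
           classify_pap(192, START_FROM_LOG, sizeof START_FROM_LOG));
    printf("constructed, version 193: %d\n",
           classify_pap(193, START_MINOR1, sizeof START_MINOR1));
    return 0;
}
```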

Andreas Jacobi

Oct 2, 2012, 3:22:45 PM
to event-driv...@googlegroups.com, marc.j...@googlemail.com
Hi,

I apologize, I completely forgot about the key. I will give the latest version a try and get back to you.


// Andreas

Andreas Jacobi

Oct 2, 2012, 4:09:42 PM
to event-driv...@googlegroups.com, marc.j...@googlemail.com
The latest release got past that issue, nice work! But I can't seem to get the pap auth to work.
I have tried using pap with mavis backend and a clear text password but whatever I do I get:
"pap login for 'test' failed"

Debug log using clear text password:
24217: 01:00:00.000 0/00000000: Version 201210022050 initialized
24217: 22:03:49.653 0/00000000: cidr match level 0 = shaper
24217: 22:03:49.653 0/00000000: connection request from 1.1.1.1 (key: key1)
24217: 22:03:49.653 0/00000000: New session
24217: 22:03:49.653 0/00000000: ---<start packet>---
24217: 22:03:49.653 0/00000000: key used: key1
24217: 22:03:49.653 0/00000000: version: 192, type: 1, seq no: 1, flags: unencrypted
24217: 22:03:49.653 0/00000000: session id: 00000000 data length: 12
24217: 22:03:49.653 0/00000000: packet body (len: 12): \001\001\002\001\004\000\000\000test
24217: 22:03:49.653 0/00000000: 0000 01 01 02 01 04 00 00 00  74 65 73 74              ........ test
24217: 22:03:49.653 0/00000000: AUTHEN/START, priv_lvl=1
24217: 22:03:49.653 0/00000000: action=login (1)
24217: 22:03:49.653 0/00000000: authen_type=pap (2)
24217: 22:03:49.653 0/00000000: service=login (1)
24217: 22:03:49.653 0/00000000: user_len=4 port_len=0 rem_addr_len=0
24217: 22:03:49.653 0/00000000: data_len=0
24217: 22:03:49.653 0/00000000: user (len: 4): test
24217: 22:03:49.653 0/00000000: 0000 74 65 73 74                                       test
24217: 22:03:49.653 0/00000000: port (len: 0):
24217: 22:03:49.653 0/00000000: rem_addr (len: 0):
24217: 22:03:49.653 0/00000000: data (len: 0):
24217: 22:03:49.653 0/00000000: ---<end packet>---
24217: 22:03:49.653 0/00000000: authen: hdr->seq_no: 1
24217: 22:03:49.653 0/00000000: Writing AUTHEN/GETPASS size=28
24217: 22:03:49.653 0/00000000: ---<start packet>---
24217: 22:03:49.653 0/00000000: key used: key1
24217: 22:03:49.653 0/00000000: version: 192, type: 1, seq no: 2, flags: unencrypted
24217: 22:03:49.653 0/00000000: session id: 00000000 data length: 16
24217: 22:03:49.653 0/00000000: packet body (len: 16): \005\001\000\n\000\000Password:
24217: 22:03:49.653 0/00000000: 0000 05 01 00 0a 00 00 50 61  73 73 77 6f 72 64 3a 20  ......Pa ssword:
24217: 22:03:49.653 0/00000000: AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
24217: 22:03:49.653 0/00000000: msg_len=10, data_len=0
24217: 22:03:49.653 0/00000000: msg (len: 10): Password:
24217: 22:03:49.653 0/00000000: 0000 50 61 73 73 77 6f 72 64  3a 20                    Password :
24217: 22:03:49.653 0/00000000: data (len: 0):
24217: 22:03:49.653 0/00000000: ---<end packet>---
24217: 22:03:49.655 0/00000000: ---<start packet>---
24217: 22:03:49.655 0/00000000: key used: key1
24217: 22:03:49.655 0/00000000: version: 192, type: 1, seq no: 3, flags: unencrypted
24217: 22:03:49.655 0/00000000: session id: 00000000 data length: 9
24217: 22:03:49.655 0/00000000: packet body (len: 9): \000\004\000\000\000test
24217: 22:03:49.655 0/00000000: 0000 00 04 00 00 00 74 65 73  74                       .....tes t
24217: 22:03:49.655 0/00000000: AUTHEN/CONT user_msg_len=4, user_data_len=0
24217: 22:03:49.655 0/00000000: user_msg (len: 4): test
24217: 22:03:49.655 0/00000000: 0000 74 65 73 74                                       test
24217: 22:03:49.655 0/00000000: user_data (len: 0):
24217: 22:03:49.655 0/00000000: ---<end packet>---
24217: 22:03:49.655 0/00000000: authen: hdr->seq_no: 3
24217: 22:03:49.655 0/00000000: looking for user test realm default
24217: 22:03:49.655 0/00000000: cfg_get: checking user/group test, tag (NULL)
24217: 22:03:49.655 0/00000000: cfg_get: checking user/group packetlogic-admin, tag (NULL)
24217: 22:03:49.655 0/00000000: user lookup succeded
24217: 22:03:49.655 0/00000000: 1.1.1.1: pap login for 'test' failed
24217: 22:03:49.655 0/00000000: Writing AUTHEN/FAIL size=18
24217: 22:03:49.655 0/00000000: ---<start packet>---
24217: 22:03:49.655 0/00000000: key used: 1.1.1.1
24217: 22:03:49.655 0/00000000: version: 192, type: 1, seq no: 4, flags: unencrypted
24217: 22:03:49.655 0/00000000: session id: 00000000 data length: 6
24217: 22:03:49.655 0/00000000: packet body (len: 6): \002\000\000\000\000\000
24217: 22:03:49.655 0/00000000: 0000 02 00 00 00 00 00                                 ......
24217: 22:03:49.655 0/00000000: AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
24217: 22:03:49.655 0/00000000: msg_len=0, data_len=0
24217: 22:03:49.655 0/00000000: msg (len: 0):
24217: 22:03:49.655 0/00000000: data (len: 0):
24217: 22:03:49.655 0/00000000: ---<end packet>---

This might be a config error on my part so if you feel this is not related to the original issue you can just close this case and I'll troubleshoot on my own.


// Andreas

Marc Huber

Oct 3, 2012, 3:08:58 AM
to event-driv...@googlegroups.com
Hi Andreas,

On 02.10.12 22:09, Andreas Jacobi wrote:
> 24217: 22:03:49.655 0/00000000: ---<start packet>---
> 24217: 22:03:49.655 0/00000000: key used: key1
> 24217: 22:03:49.655 0/00000000: version: 192, type: 1, seq no: 3,
> flags: unencrypted
> 24217: 22:03:49.655 0/00000000: session id: 00000000 data length: 9
> 24217: 22:03:49.655 0/00000000: packet body (len: 9):
> \000\004\000\000\000test
> 24217: 22:03:49.655 0/00000000: 0000 00 04 00 00 00 74 65 73
> 74 .....tes t
> 24217: 22:03:49.655 0/00000000: AUTHEN/CONT user_msg_len=4,
> user_data_len=0
> 24217: 22:03:49.655 0/00000000: user_msg (len: 4): test
> 24217: 22:03:49.655 0/00000000: 0000 74 65 73
> 74 test
> 24217: 22:03:49.655 0/00000000: user_data (len: 0):
> 24217: 22:03:49.655 0/00000000: ---<end packet>---

ah, got it, thanks. In this case, the password is in user_msg, not in
user_data. The patch below should finally make PAP with minor version 0
work, as should DEVEL.201210030903.tar.bz2 (just uploaded).

Thanks,

Marc

--- authen.c 2012/10/02 18:41:21 1.367
+++ authen.c 2012/10/03 07:00:39
@@ -1471,8 +1471,6 @@

if (session->password)
mempool_free(session->pool, session->password);
- session->password = (char *) session->authen_data->data;
- session->authen_data->data = NULL;

if (session->version != TAC_PLUS_VER_ONE && session->seq_no == 1) {
send_authen_reply(session, TAC_PLUS_AUTHEN_STATUS_GETPASS,
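Review bot: With the assignment removed from just after the mempool_free() call, the early return in the seq_no == 1 branch leaves session->password pointing at released memory whenever it was non-NULL on entry. Set session->password = NULL directly after the free, so that the same free at the top of this code does not run on a stale pointer when the function is entered again for the follow-up packet.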
@@ -1481,6 +1479,14 @@
return;
}

+ if (session->version == TAC_PLUS_VER_ONE) {
+ session->password = (char *) session->authen_data->data;
+ session->authen_data->data = NULL;
+ } else {
+ session->password = (char *) session->authen_data->msg;
+ session->authen_data->msg = NULL;
+ }
+
lookup_and_set_user(session);
if (query_mavis_info_pap(session, do_pap))
return;
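Review bot: The else branch takes the password from session->authen_data->msg for every version other than TAC_PLUS_VER_ONE, and nothing checks that msg is present before lookup_and_set_user() and query_mavis_info_pap() run. Handle a missing or empty msg explicitly (reply FAIL) instead of passing it on as the password, consider testing for the minor version 0 case by name rather than as "not version one", and add a short comment that such clients deliver the PAP password in the CONT user_msg rather than in the data field.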

Andreas Jacobi

Oct 3, 2012, 6:58:47 AM
to event-driv...@googlegroups.com, marc.j...@googlemail.com
Hi,

The patch worked and I get auth successful in the tacacs debug. But got a new error now... :(

From what I can see the config:
    group = packetlogic-admin {
        default service = permit
        service = exec {
           set local-user = tac-admin
        }
     }

Does not get sent to the shaper. Debug logs:
17879: 12:44:16.469 0/00000000: cidr match level 0 = shaper
17879: 12:44:16.469 0/00000000: connection request from 1.1.1.1 (key: key1)
17879: 12:44:16.469 0/00000000: New session
17879: 12:44:16.469 0/00000000: ---<start packet>---
17879: 12:44:16.469 0/00000000: key used: key1
17879: 12:44:16.469 0/00000000: version: 192, type: 1, seq no: 1, flags: unencrypted
17879: 12:44:16.469 0/00000000: session id: 00000000 data length: 12
17879: 12:44:16.469 0/00000000: packet body (len: 12): \001\001\002\001\004\000\000\000test
17879: 12:44:16.469 0/00000000: 0000 01 01 02 01 04 00 00 00  74 65 73 74              ........ test
17879: 12:44:16.469 0/00000000: AUTHEN/START, priv_lvl=1
17879: 12:44:16.469 0/00000000: action=login (1)
17879: 12:44:16.469 0/00000000: authen_type=pap (2)
17879: 12:44:16.469 0/00000000: service=login (1)
17879: 12:44:16.469 0/00000000: user_len=4 port_len=0 rem_addr_len=0
17879: 12:44:16.469 0/00000000: data_len=0
17879: 12:44:16.469 0/00000000: user (len: 4): test
17879: 12:44:16.469 0/00000000: 0000 74 65 73 74                                       test
17879: 12:44:16.469 0/00000000: port (len: 0):
17879: 12:44:16.469 0/00000000: rem_addr (len: 0):
17879: 12:44:16.469 0/00000000: data (len: 0):
17879: 12:44:16.469 0/00000000: ---<end packet>---
17879: 12:44:16.469 0/00000000: authen: hdr->seq_no: 1
17879: 12:44:16.469 0/00000000: Writing AUTHEN/GETPASS size=28
17879: 12:44:16.469 0/00000000: ---<start packet>---
17879: 12:44:16.469 0/00000000: key used: key1
17879: 12:44:16.469 0/00000000: version: 192, type: 1, seq no: 2, flags: unencrypted
17879: 12:44:16.469 0/00000000: session id: 00000000 data length: 16
17879: 12:44:16.469 0/00000000: packet body (len: 16): \005\001\000\n\000\000Password:
17879: 12:44:16.469 0/00000000: 0000 05 01 00 0a 00 00 50 61  73 73 77 6f 72 64 3a 20  ......Pa ssword:
17879: 12:44:16.469 0/00000000: AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
17879: 12:44:16.469 0/00000000: msg_len=10, data_len=0
17879: 12:44:16.469 0/00000000: msg (len: 10): Password:
17879: 12:44:16.469 0/00000000: 0000 50 61 73 73 77 6f 72 64  3a 20                    Password :
17879: 12:44:16.469 0/00000000: data (len: 0):
17879: 12:44:16.469 0/00000000: ---<end packet>---
17879: 12:44:16.470 0/00000000: ---<start packet>---
17879: 12:44:16.470 0/00000000: key used: key1
17879: 12:44:16.470 0/00000000: version: 192, type: 1, seq no: 3, flags: unencrypted
17879: 12:44:16.470 0/00000000: session id: 00000000 data length: 9
17879: 12:44:16.470 0/00000000: packet body (len: 9): \000\004\000\000\000test
17879: 12:44:16.470 0/00000000: 0000 00 04 00 00 00 74 65 73  74                       .....tes t
17879: 12:44:16.470 0/00000000: AUTHEN/CONT user_msg_len=4, user_data_len=0
17879: 12:44:16.470 0/00000000: user_msg (len: 4): test
17879: 12:44:16.470 0/00000000: 0000 74 65 73 74                                       test
17879: 12:44:16.470 0/00000000: user_data (len: 0):
17879: 12:44:16.470 0/00000000: ---<end packet>---
17879: 12:44:16.470 0/00000000: authen: hdr->seq_no: 3
17879: 12:44:16.470 0/00000000: looking for user test realm default
17879: 12:44:16.470 0/00000000: cfg_get: checking user/group test, tag (NULL)
17879: 12:44:16.470 0/00000000: cfg_get: checking user/group packetlogic-admin, tag (NULL)
17879: 12:44:16.470 0/00000000: user lookup succeded
17879: 12:44:16.470 0/00000000: cfg_get: checking user/group test, tag (NULL)
17879: 12:44:16.470 0/00000000: cfg_get: checking user/group packetlogic-admin, tag (NULL)
17879: 12:44:16.470 0/00000000: cfg_get: checking user/group test, tag (NULL)
17879: 12:44:16.470 0/00000000: cfg_get: checking user/group packetlogic-admin, tag (NULL)
17879: 12:44:16.470 0/00000000: cfg_get: checking user/group test, tag (NULL)
17879: 12:44:16.470 0/00000000: cfg_get: checking user/group packetlogic-admin, tag (NULL)
17879: 12:44:16.470 0/00000000: 1.1.1.1: pap login for 'test' succeeded
17879: 12:44:16.470 0/00000000: Writing AUTHEN/PASS size=18
17879: 12:44:16.470 0/00000000: ---<start packet>---
17879: 12:44:16.470 0/00000000: key used: key1
17879: 12:44:16.470 0/00000000: version: 192, type: 1, seq no: 4, flags: unencrypted
17879: 12:44:16.470 0/00000000: session id: 00000000 data length: 6
17879: 12:44:16.470 0/00000000: packet body (len: 6): \001\000\000\000\000\000
17879: 12:44:16.470 0/00000000: 0000 01 00 00 00 00 00                                 ......
17879: 12:44:16.470 0/00000000: AUTHEN status=1 (AUTHEN/PASS) flags=0x0
17879: 12:44:16.470 0/00000000: msg_len=0, data_len=0
17879: 12:44:16.470 0/00000000: msg (len: 0):
17879: 12:44:16.470 0/00000000: data (len: 0):
17879: 12:44:16.470 0/00000000: ---<end packet>---
17879: 12:44:16.472 1/00000000: cidr match level 0 = shaper
17879: 12:44:16.472 1/00000000: connection request from 1.1.1.1 (key: key1)
17879: 12:44:16.473 1/00000000: New session
17879: 12:44:16.473 1/00000000: ---<start packet>---
17879: 12:44:16.473 1/00000000: key used: key1
17879: 12:44:16.473 1/00000000: version: 192, type: 2, seq no: 1, flags: unencrypted
17879: 12:44:16.473 1/00000000: session id: 00000000 data length: 43
17879: 12:44:16.473 1/00000000: packet body (len: 43): \006\001\002\001\004\000\000\003\r\004\vtestservice=shellcmd=local-user*
17879: 12:44:16.473 1/00000000: 0000 06 01 02 01 04 00 00 03  0d 04 0b 74 65 73 74 73  ........ ...tests
17879: 12:44:16.473 1/00000000: 0010 65 72 76 69 63 65 3d 73  68 65 6c 6c 63 6d 64 3d  ervice=s hellcmd=
17879: 12:44:16.473 1/00000000: 0020 6c 6f 63 61 6c 2d 75 73  65 72 2a                 local-us er*
17879: 12:44:16.473 1/00000000: AUTHOR priv_lvl=1 authen=2 method=tacacs+ (6) svc=1
17879: 12:44:16.473 1/00000000: user_len=4 port_len=0 rem_addr_len=0 arg_cnt=3
17879: 12:44:16.473 1/00000000: user (len: 4): test
17879: 12:44:16.473 1/00000000: 0000 74 65 73 74                                       test
17879: 12:44:16.473 1/00000000: port (len: 0):
17879: 12:44:16.473 1/00000000: rem_addr (len: 0):
17879: 12:44:16.473 1/00000000: arg[0] (len: 13): service=shell
17879: 12:44:16.473 1/00000000: 0000 73 65 72 76 69 63 65 3d  73 68 65 6c 6c           service= shell
17879: 12:44:16.473 1/00000000: arg[1] (len: 4): cmd=
17879: 12:44:16.473 1/00000000: 0000 63 6d 64 3d                                       cmd=
17879: 12:44:16.473 1/00000000: arg[2] (len: 11): local-user*
17879: 12:44:16.473 1/00000000: 0000 6c 6f 63 61 6c 2d 75 73  65 72 2a                 local-us er*
17879: 12:44:16.473 1/00000000: ---<end packet>---
17879: 12:44:16.473 1/00000000: Start authorization request
17879: 12:44:16.473 1/00000000: cfg_get: checking user/group test, tag (NULL)
17879: 12:44:16.473 1/00000000: cfg_get: checking user/group packetlogic-admin, tag (NULL)
17879: 12:44:16.473 1/00000000: cfg_get: checking user/group test, tag (NULL)
17879: 12:44:16.473 1/00000000: cfg_get: checking user/group packetlogic-admin, tag (NULL)
17879: 12:44:16.473 1/00000000: user 'test' found
17879: 12:44:16.473 1/00000000: cfg_get: checking user/group test, tag (NULL)
17879: 12:44:16.473 1/00000000: te...@1.1.1.1: not found: svcname=shell@shaper protocol=
17879: 12:44:16.473 1/00000000: te...@1.1.1.1: not found: svcname=shell protocol=
17879: 12:44:16.473 1/00000000: cfg_get: checking user/group packetlogic-admin, tag (NULL)
17879: 12:44:16.473 1/00000000: te...@1.1.1.1: not found: svcname=shell@shaper protocol=
17879: 12:44:16.473 1/00000000: te...@1.1.1.1: not found: svcname=shell protocol=
17879: 12:44:16.473 1/00000000: nas:service=shell (passed thru)
17879: 12:44:16.473 1/00000000: nas:cmd= (passed thru)
17879: 12:44:16.473 1/00000000: nas:local-user* svr:absent/deny -> delete local-user* (i)
17879: 12:44:16.473 1/00000000: replaced 1 args
17879: 12:44:16.473 1/00000000: Writing AUTHOR/PASS_REPL size=37
17879: 12:44:16.473 1/00000000: ---<start packet>---
17879: 12:44:16.473 1/00000000: key used: key1
17879: 12:44:16.473 1/00000000: version: 192, type: 2, seq no: 2, flags: unencrypted
17879: 12:44:16.473 1/00000000: session id: 00000000 data length: 25
17879: 12:44:16.473 1/00000000: packet body (len: 25): \002\002\000\000\000\000\r\004service=shellcmd=
17879: 12:44:16.473 1/00000000: 0000 02 02 00 00 00 00 0d 04  73 65 72 76 69 63 65 3d  ........ service=
17879: 12:44:16.473 1/00000000: 0010 73 68 65 6c 6c 63 6d 64  3d                       shellcmd =
17879: 12:44:16.473 1/00000000: AUTHOR/REPLY status=2 (AUTHOR/PASS_REPL)
17879: 12:44:16.473 1/00000000: msg_len=0, data_len=0, arg_cnt=2
17879: 12:44:16.473 1/00000000: msg (len: 0):
17879: 12:44:16.473 1/00000000: data (len: 0):
17879: 12:44:16.473 1/00000000: arg[0] (len: 13): service=shell
17879: 12:44:16.473 1/00000000: 0000 73 65 72 76 69 63 65 3d  73 68 65 6c 6c           service= shell
17879: 12:44:16.473 1/00000000: arg[1] (len: 4): cmd=
17879: 12:44:16.473 1/00000000: 0000 63 6d 64 3d                                       cmd=
17879: 12:44:16.473 1/00000000: ---<end packet>---

It is the line 17879: 12:44:16.473 1/00000000: nas:local-user* svr:absent/deny -> delete local-user* (i) that looks wrong to me.

// Andreas

Marc Huber

Oct 3, 2012, 7:08:59 AM
to event-driv...@googlegroups.com
Hi Andreas,

On 03.10.12 12:58, Andreas Jacobi wrote:
> The patch worked and I get auth successful in the tacacs debug. But got
> a new error now... :(
>
> From what I can see the config:
> group = packetlogic-admin {
> default service = permit
> service = exec {
> set local-user = tac-admin
> }
> }
please try setting service to "shell" instead of "exec".

Cheers,

Marc

Andreas Jacobi

Oct 7, 2012, 12:59:32 PM
to event-driv...@googlegroups.com, marc.j...@googlemail.com
Hi,

It works! Thanks for all your help with this.


// Andreas