Tacacs+ with Active Directory setting - Invalid AUTHEN/START packet

rcst.e...@gmail.com

Oct 26, 2016, 12:48:14 AM
to Event-Driven Servers

Hello,

 

I am currently configuring tac_plus to use with MS Active Directory. I configured the server and router, tried to connect the router with telnet but authentication failed. The server log keeps saying that ‘(null) Invalid AUTHEN/START packet’:

 

Oct 25 17:50:10 TACACS-PLUS tac_plus[1096]: 7/7260d03c: 192.168.200.121 New session

Oct 25 17:50:10 TACACS-PLUS tac_plus[1096]: 7/7260d03c: 192.168.200.121 ---<start packet>---

Oct 25 17:50:10 TACACS-PLUS tac_plus[1096]: 7/7260d03c: 192.168.200.121 key used: cisco123

Oct 25 17:50:10 TACACS-PLUS tac_plus[1096]: 7/7260d03c: 192.168.200.121 version: 192, type: 1, seq no: 1, flags: unencrypted

Oct 25 17:50:10 TACACS-PLUS tac_plus[1096]: 7/7260d03c: 192.168.200.121 session id: 3cd06072 data length: 29

Oct 25 17:50:10 TACACS-PLUS tac_plus[1096]: 7/7260d03c: 192.168.200.121 Packet malformed, skipping detailed dump.

Oct 25 17:50:10 TACACS-PLUS tac_plus[1096]: 7/7260d03c: 192.168.200.121 ---<end packet>---

Oct 25 17:50:10 TACACS-PLUS tac_plus[1096]: 7/7260d03c: 192.168.200.121 Error 192.168.200.121 (null): Invalid AUTHEN/START packet

Oct 25 17:50:10 TACACS-PLUS tac_plus[1096]: 192.168.200.121 Error 192.168.200.121 (null): Invalid AUTHEN/START packet

Oct 25 17:50:10 TACACS-PLUS tac_plus[1096]: 7/7260d03c: 192.168.200.121 Writing AUTHEN/ERROR size=45

Oct 25 17:50:10 TACACS-PLUS tac_plus[1096]: 7/7260d03c: 192.168.200.121 ---<start packet>---

Oct 25 17:50:10 TACACS-PLUS tac_plus[1096]: 7/7260d03c: 192.168.200.121 key used: cisco123

Oct 25 17:50:10 TACACS-PLUS tac_plus[1096]: 7/7260d03c: 192.168.200.121 version: 192, type: 1, seq no: 2, flags: unencrypted

Oct 25 17:50:10 TACACS-PLUS tac_plus[1096]: 7/7260d03c: 192.168.200.121 session id: 3cd06072 data length: 33

Oct 25 17:50:10 TACACS-PLUS tac_plus[1096]: 7/7260d03c: 192.168.200.121 AUTHEN status=7 (AUTHEN/ERROR) flags=0x0

Oct 25 17:50:10 TACACS-PLUS tac_plus[1096]: 7/7260d03c: 192.168.200.121 msg_len=27, data_len=0

Oct 25 17:50:10 TACACS-PLUS tac_plus[1096]: 7/7260d03c: 192.168.200.121 msg (len: 27): Invalid AUTHEN/START packet

Oct 25 17:50:10 TACACS-PLUS tac_plus[1096]: 7/7260d03c: 192.168.200.121 0000 49 6e 76 61 6c 69 64 20  41 55 54 48 45 4e 2f 53  Invalid  AUTHEN/S

Oct 25 17:50:10 TACACS-PLUS tac_plus[1096]: 7/7260d03c: 192.168.200.121 0010 54 41 52 54 20 70 61 63  6b 65 74                 TART pac ket

Oct 25 17:50:10 TACACS-PLUS tac_plus[1096]: 7/7260d03c: 192.168.200.121 data (len: 0):

Oct 25 17:50:10 TACACS-PLUS tac_plus[1096]: 7/7260d03c: 192.168.200.121 ---<end packet>---

 

I applied the same configuration to another server which has an old version of tac_plus and it works fine.

Would it be possible for me to get help from somebody about this? I am running out of ideas honestly.


Test environment: GNS3 3745 router, Hyper-V virtual machine for TACACS+ server (Debian Jessie)


Also, is it possible to find old version source tarballs? 


Thank you.

Marc Huber

Oct 29, 2016, 10:34:55 AM
to event-driv...@googlegroups.com
Hi,


On 26.10.16 00:51, rcst.e...@gmail.com wrote:

> I am currently configuring tac_plus to use with MS Active Directory. I configured the server and router, tried to connect the router with telnet but authentication failed. The server log keeps saying that ‘(null) Invalid AUTHEN/START packet’:

The most likely cause for that is the router using a wrong key.

> Also, is it possible to find old version source tarballs?

There's no indexed archive. If you know the exact snapshot date (or the file name) you can try http://www.pro-bono-publico.de/projects/src/DEVEL.<date>.tar.bz2, but I tend to remove older tarballs when I'm short on space.

Cheers,

Marc
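
Added example (not part of the thread and not tac_plus code): a sketch of why a key mismatch shows up as a malformed AUTHEN/START body. It follows the RFC 8907 body obfuscation (XOR with a chained MD5 pad) and the START length check. The packet contents, the router key `cisco321`, the helper names and the on-wire byte order of the session id are assumptions constructed for illustration; only the server key, session id digits and 29-byte length come from the log above.

```python
import hashlib

def pad(session_id, key, version, seq_no, length):
    """RFC 8907 pseudo-pad: chained MD5 blocks, truncated to the body length."""
    seed = session_id + key + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(seed + prev).digest()
        out += prev
    return out[:length]

def xor_body(body, session_id, key, version, seq_no):
    """Obfuscation and de-obfuscation are the same XOR with the pad."""
    p = pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, p))

def build_start(user, port, rem_addr, data=b""):
    """AUTHEN/START body: action=login, priv_lvl=1, type=ASCII, service=login."""
    fixed = bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data)])
    return fixed + user + port + rem_addr + data

def start_is_valid(body):
    """The four length bytes plus the 8 fixed bytes must equal the body length."""
    if len(body) < 8:
        return False
    return 8 + sum(body[4:8]) == len(body)

# Constructed sample: a 29-byte START body, obfuscated with a hypothetical
# mistyped router key, then checked against candidate server keys.
VERSION, SEQ_NO = 0xC0, 1                  # "version: 192", "seq no: 1"
SESSION_ID = bytes.fromhex("3cd06072")     # digits from the log, byte order assumed
ROUTER_KEY = b"cisco321"                   # hypothetical key configured on the router
CLEAR = build_start(b"", b"tty226", b"192.168.200.121")
WIRE = xor_body(CLEAR, SESSION_ID, ROUTER_KEY, VERSION, SEQ_NO)

def server_accepts(server_key):
    """De-obfuscate with the server's key and run the length check."""
    return start_is_valid(xor_body(WIRE, SESSION_ID, server_key, VERSION, SEQ_NO))

if __name__ == "__main__":
    for key in (b"cisco321", b"cisco123"):
        verdict = "valid" if server_accepts(key) else "Invalid AUTHEN/START"
        print(key.decode(), "->", verdict)
```

With a mismatched key the length bytes decode to pseudo-random values, so the server cannot even recover a username, which is consistent with a log line that reports `(null)`.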

rcst.e...@gmail.com

Oct 31, 2016, 7:10:28 PM
to Event-Driven Servers
Hi Marc,

Thanks for your message. What I found is:
  • When I compile with './configure tac_plus' command, it works fine.
  • When I compile with just './configure' command, it makes the error message.
So, I re-compiled with './configure tac_plus' command and it's working now but I would like to know a bit more about this if possible. Thanks.