tacacs authen success but author fail


zhushil...@163.com

Dec 26, 2017, 4:17:10 AM12/26/17
to Event-Driven Servers
all
     I have a problem with TACACS authentication. I call authentication repeatedly from a demo program, and intermittently the authentication succeeds but the following authorization fails. My configuration is as follows:
     #!../../../sbin/tac_plus
# tac_plus configuration as first posted in this thread. Interactive login
# and PAP authentication are delegated to a RADIUS server through the MAVIS
# "external" module below.
# NOTE(review): the reply in this thread points out that RADIUS merges
# authentication and authorization into a single packet, so using it as a
# full TACACS+ backend needs extensive caching plus single-connection, or it
# should be limited to a pure password backend ("password = radius" per the
# reply) — confirm which mode is intended, since the reported symptom is
# authentication OK / authorization failing.

id = spawnd {
        listen = { port = 49 }
        spawn = {
                instances min = 50
                instances max = 100
        }
        background = no
}

id = tac_plus {

        # NOTE(review): PACKET-level debug output is verbose and may include
        # request contents; confirm it is not left enabled beyond
        # troubleshooting and that the log files are access-restricted.
        debug = PACKET AUTHEN AUTHOR MAVIS

        access log = /var/tac_plus/access.log
        accounting log = /var/tac_plus/acct.log
        authorization log = /var/tac_plus/auth.log


       retire limit = 1000

       password max-attempts =3

       password backoff=2

       # NOTE(review): the module search path is under lib64 while the exec
       # below is under lib — confirm both locations exist on this host.
       mavis path= /usr/local/lib64/mavis

# External MAVIS module: RADIUS proxy script. RADIUS_HOST was redacted by the
# poster. RADIUS_GROUP_ATTR names the RADIUS attribute that presumably carries
# the tac_plus group name — confirm against the script.
# NOTE(review): the shared secret is stored in clear text here and is a
# well-known example value; restrict read access to this file and use a
# site-specific secret.
mavis module = external {
         exec = /usr/local/lib/mavis/mavis_tacplus_radius.pl
         setenv RADIUS_HOST = *.*.*.*:1812
        #setenv RADIUS_HOST = 127.0.0.1:1812
         setenv RADIUS_SECRET = "cisco"
         setenv RADIUS_GROUP_ATTR = Callback-Id
}

# Both interactive login and PAP authentication are routed to MAVIS.
login backend = mavis
        
pap backend = mavis

# Single host entry matching every client address (::/0) with one shared
# TACACS+ key; the enable-15 secret is also stored in clear text.
# NOTE(review): key and secret are example-style values — acceptable in a
# lab, not beyond it; a single catch-all entry also means no per-device key.
host = world {
                address = ::/0
                prompt = "Welcome\n"
                enable 15 = clear secret
                key = cisco
        }

        # Members of "admin" get permit-by-default for services, shell
        # commands and attributes, plus privilege level 15. No user entries
        # appear in this posting, so membership presumably comes from the
        # RADIUS group attribute mapped above — confirm.
        group = admin {

                default service = permit
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl =15
                }
                service = exec {
                        set priv-lvl =15
                }


        }

}

Marc Huber

Dec 28, 2017, 2:12:43 PM12/28/17
to event-driv...@googlegroups.com
Hi,

On 26.12.17 10:15, zhushil...@163.com wrote:
> all
>      I have a problem with TACACS authentication. I call the
> authentication repeatedly through a demo, and there will be a
> discontinuous authentication of the failure of the successful
> authorization. My configuration is as follows:
...
> mavis module = external {
>          exec = /usr/local/lib/mavis/mavis_tacplus_radius.pl
RADIUS merges authentication and authorization into a single packet.
Using it as a TACACS+ backend may work with either extensive caching
(and single-connection) or as a pure password backend (password = radius).

Cheers,

Marc

zhushil...@163.com

Feb 4, 2018, 3:43:56 AM2/4/18
to Event-Driven Servers
dear sir,
     I'm glad to receive your reply. Following your advice, I have separated the authentication and authorization configuration, and the configuration file is now as follows, but authorization failures still occur. I read the official website but could not tell whether single-connection also needs to be enabled on the network device.
   #!/usr/local/sbin/tac_plus
# Second revision of the configuration posted in this thread: one log file
# per log type, a RADIUS server on the loopback address, and separate
# groups for authentication and authorization (Gauthen / Gauthor). The
# poster reports authorization still failing with this file.
id = spawnd {
    listen = { port = 49 }
spawn = {
                instances min = 200
                instances max = 250
    }
    background = no
     
    # listen = { port = 4949 }
    # see the spawnd configuration guide for further configuration options
}

id = tac_plus {
    
   authentication log = /var/tac_plus/authen.log
   authorization log = /var/tac_plus/author.log
   accounting log =  /var/tac_plus/account.log
   # NOTE(review): "access log" is given twice; confirm whether the parser
   # logs to both destinations or the second line silently replaces the
   # first.
   access log = /var/tac_plus/access.log
   access log = /var/log/tac_plus/%Y%m%d.access
      
    # External MAVIS module: RADIUS proxy script, RADIUS server on loopback.
    # NOTE(review): the shared secret is kept in clear text in this file;
    # restrict read access to the file.
    mavis module = external {
        exec = /usr/local/lib/mavis/mavis_tacplus_radius.pl
        setenv RADIUS_HOST = 127.0.0.1:1812
        setenv RADIUS_SECRET = "cisio"
        setenv RADIUS_GROUP_ATTR = Callback-Id
    }

  
            # User lookup, interactive login and PAP all go through MAVIS.
            user backend = mavis

            login backend = mavis


            pap backend = mavis


            # NOTE(review): "mavis noauthcache" appears to disable caching of
            # authentication results while "cache timeout" below configures a
            # 600 s cache; the reply in this thread says a RADIUS backend
            # needs extensive caching (and single-connection) to work for
            # authorization — confirm this combination is intended.
            mavis noauthcache


            mavis cache timeout = 600

    # Catch-all host entry for every IPv4 client with one shared key; the
    # enable-15 secret is stored in clear text.
    # NOTE(review): example-style key/secret values — not suitable beyond a
    # lab; a single catch-all entry also means no per-device key.
    host = world {
        #welcome banner = "\nHitherto shalt thou come, but no further. (Job 38.11)\n\n"
        #key = venusKey
        #enable 15 = clear test
        #address = ::/0
        
address = 0.0.0.0/0
        prompt = "Welcome\n"
        enable 15 = clear secret
        key = cisco
    }

    # Neither group is referenced by a user entry in this posting; membership
    # presumably comes from the RADIUS group attribute above — confirm.
    # NOTE(review): "enable = permit" presumably grants enable without a
    # further password check — confirm that is intended for both groups.
    group = Gauthor {
        default service = permit
        enable = permit
        service = exec {
            set priv-lvl = 15
        }
    }
group = Gauthen {
        default service = permit
        enable = permit
        service = shell {
           set priv-lvl = 15
        }
        
    }

}

thanks

在 2017年12月29日星期五 UTC+8上午3:12:43,Marc Huber写道:

zhushil...@163.com

Feb 8, 2018, 10:04:03 AM2/8/18
to Event-Driven Servers
hi,Marc
      Thank you for your reply. I've updated the configuration, and the configuration information is as follows:
    #!/usr/local/sbin/tac_plus
# Third revision of the configuration posted in this thread: logs are piped
# to syslog via logger, single-connection is enabled on the server side, and
# several admin groups plus a local test user are defined. The poster reports
# PAP logins starting to fail after roughly two hours with this file.
id = spawnd {
    listen = { port = 49 }
        spawn = {
                instances min = 200
                instances max = 350
                users max = 200 
   }
    background = no
     
    # listen = { port = 4949 }
    # see the spawnd configuration guide for further configuration options
}

id = tac_plus {

    log separator = " "


    authorization log group = yes
    
    # retire timeout  = 3s
    # log separator = " "
    #authorization log group = yes
    #accounting log = "|exec  /usr/local/sbin/tacspooflog.pl 192.168.1.7"
    #authorization log = "|exec  /usr/local/sbin/tacspooflog.pl 192.168.1.7"
    #access log = "|exec  /usr/local/sbin/tacspooflog.pl 192.168.1.7"
    # All four log types are piped to syslog (facility local5, level info),
    # tagged by log type; the commented lines below are the earlier file-based
    # destinations.
    authentication log = "|exec /usr/bin/logger -p local5.info -t class=aaa_log_authentication"
    authorization log = "|exec /usr/bin/logger -p local5.info -t class=aaa_log_authorization"
    accounting log = "|exec /usr/bin/logger -p local5.info -t class=aaa_log_accounting"
    access log = "|exec /usr/bin/logger -p local5.info -t class=aaa_log_access"
    
    #authentication log = /var/tac_plus/authen.log
    #authorization log = /var/tac_plus/author.log
    #accounting log =  /var/tac_plus/account.log
    #access log = /var/tac_plus/access.log
    #access log = /var/log/tac_plus/%Y%m%d.access
      
    # External MAVIS module: RADIUS proxy script, RADIUS server on loopback.
    # NOTE(review): the shared secret is a short clear-text value stored in
    # this file and has now been posted publicly; restrict read access to the
    # file and rotate the secret.
    mavis module = external {
        exec = /usr/local/lib/mavis/mavis_tacplus_radius.pl
        setenv RADIUS_HOST = 127.0.0.1:1812
        setenv RADIUS_SECRET = "2017"
        setenv RADIUS_GROUP_ATTR = Callback-Id
    }

            # User lookup, interactive login and PAP all go through MAVIS.
            user backend = mavis

            login backend = mavis

            pap backend = mavis

            # NOTE(review): "mavis noauthcache" appears to disable caching of
            # authentication results while "cache timeout" below configures a
            # 24 h cache; the reply in this thread says a RADIUS backend needs
            # extensive caching (and single-connection) to work for
            # authorization — confirm this combination is intended.
            mavis noauthcache


            mavis cache timeout = 86400

           # Server-side single-connection, as suggested in the thread reply.
           # The poster asked earlier whether the network devices also need
           # single-connection enabled; presumably both ends must agree for
           # it to take effect — TODO confirm against the device configuration.
           single-connection = yes
            
           skip missing groups = yes

    # Catch-all host entry for every IPv4 client with one shared key; the
    # enable-15 secret is stored in clear text.
    # NOTE(review): example-style key/secret values — not suitable beyond a
    # lab; a single catch-all entry also means no per-device key.
    host = world {
       
        address = 0.0.0.0/0
        prompt = "Welcome\n"
        enable 15 = clear secret
        key = cisco
    }

    # admin_zx: exec service only, privilege level 15; services permitted by
    # default.
    group = admin_zx {
        default service = permit
        
        service = exec {
            set priv-lvl = 15
        }
    }
# admin_hw and admin are identical: permit-by-default for services, shell
# commands and attributes, privilege level 15 on both shell and exec.
group = admin_hw {
        default service = permit
        #enable = permit
        service = shell {
            default command = permit
           default attribute = permit 
           set priv-lvl = 15
        }
        service = exec {
            set priv-lvl = 15
        }
    }


group = admin {
        default service = permit
        #enable = permit
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 15
        }
        service = exec {
            set priv-lvl = 15
        }
    }


# admin_alcate: the "cmd = .*" rule permitting ".*" is a catch-all that
# presumably has the same effect as the "default command = permit" line just
# above it — confirm whether both are needed.
group = admin_alcate {
        default service = permit
        #enable = permit
        service = shell {
            default command = permit
          cmd = .*{
           permit .*
        } 
    }
# NOTE(review): brace balance — as pasted, "group = admin_alcate" is not
# closed before this user entry, so "user = test" nests inside that group and
# the "id = tac_plus" block is left open at the end of the file. This may have
# been lost in copying; verify that the live file parses as intended.
# NOTE(review): the 13-character crypt hash looks like traditional DES crypt,
# which is weak by modern standards, and it is now public — replace it.
# The user inherits "admin" and repeats the same shell settings locally.
user = test  {
                password = crypt cT2voQwQY0onc
                member = admin
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 15
                }
        }    

}
Now PAP login failures appear after about 2 hours of operation; how can this problem be solved?

在 2017年12月29日星期五 UTC+8上午3:12:43,Marc Huber写道:
Hi,