tacacs pro bono with HP ProCurve version 15.12.0015


Tom Vaknin

Feb 9, 2017, 8:54:40 AM
to Event-Driven Servers
Hello all,

I'm trying to add our HP ProCurve J9778A to authenticate with the TACACS.

HP commands:
aaa authentication ssh login tacacs local
aaa authentication ssh enable tacacs local
tacacs-server host 10.10.10.10 key "shared-key"

tac_plus configuration:

debug = AUTHOR AUTHEN ACCT CONFIG PACKET HEX LOCK REGEX ACL CMD BUFFER PROC NET PATH CONTROL INDEX AV MAVIS

host = allother {
        inherit = no
        address = 0.0.0.0/0
        enable 15 = crypt lrgho8ht48ptjrlnglfjngo8h48pth5rgnrlh
        key = shared-key
        prompt = "BLA BLA BLA"    # banner text, redacted by the poster
}

group = ipgroup {
        service = shell {
                default command = permit
                set idletime = 30    # disconnect if there is no traffic for 30 minutes
                set timeout = 60     # disconnect unconditionally after one hour
                set priv-lvl = 15
        }
}

group = ADMINS {
        member = ipgroup@allother
}


This configuration works well with Cisco.
I also have groups that work well with Juniper and A10.

When trying to SSH to the HP there is nothing in the log files.
When performing telnet 10.10.10.10 49 and then Ctrl-C -->
Feb  9 12:01:21 tacacsserver tac_plus[9487]: - Error 10.10.10.1: Illegal major version specified: found 255 wanted 192

Am I missing something?

Thanks to you all.
Best regards,

Johnny Massengill

Feb 9, 2017, 3:54:49 PM
to Event-Driven Servers
Message has been deleted

Tom Vaknin

Feb 13, 2017, 4:31:34 AM
to Event-Driven Servers
Hi

I've changed the file, without any success.
This is my new packet.c config:

    }
    if (ctx->hdroff != TAC_PLUS_HDR_SIZE)
        return;                 /* wait until the full 12-byte header has arrived */
    ctx->hdroff = 0;
    if ((ctx->hdr.version & TAC_PLUS_MAJOR_VER_MASK) != TAC_PLUS_MAJOR_VER) {
        report(NULL, LOG_ERR, ~0, "%s: Illegal major version specified: ");
    }


Any other idea?

thanks.

Daniel Hartmeier

Feb 13, 2017, 4:43:23 AM
to event-driv...@googlegroups.com
On Thu, Feb 09, 2017 at 05:54:40AM -0800, Tom Vaknin wrote:

> when trying to ssh the HP there is nothing on the logs files.

Start the TACACS server manually with debug logging to stdout, as in

# tac_plus -f -d -1 /path/to/tac_plus.cfg

Then try to login to the network element.

You should see some debug output related to the network element.

Could be something as simple as a key mismatch.

If you see nothing, use tcpdump on the TACACS server to show whether the
network element is sending anything at all. If not, the problem is with
the network element, i.e. its TACACS configuration is incomplete.

> when performing telnet 10.10.10.10 49 - and then ctrl^c -->
> Feb 9 12:01:21 tacacsserver tac_plus[9487]: - Error 10.10.10.1: Illegal
> major version specified: found 255 wanted 192

This shows that network connectivity to the TACACS server is fine.

The error message itself is a red herring, as your telnet connection is
not valid TACACS protocol data.

HTH,
Daniel

Tom Vaknin

Feb 13, 2017, 5:21:30 AM
to Event-Driven Servers, dan...@benzedrine.ch
Hi Daniel,
 
Thanks for your reply.

The TACACS server has been started manually, and I noticed something weird.
There is no mention of my username tom.vaknin in the log of the HP, just the IP that I'm coming from.
In the log from the login to Cisco my username can be found.

Successful login to Cisco switch: (1.1.1.1)
26530: 12:04:54.454 3/00000000: - cidr match level 0 = allother
26530: 12:04:54.454 3/00000000: - connection request from 1.1.1.1 (key: sharedkey)
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 New session
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 ---<start packet>---
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 key used: sharedkey
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 version: 192, type: 1, seq no: 1, flags: unencrypted
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 session id: aa2adbf2 data length: 34
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 packet body (len: 34): \001\001\001\001\n\004\f\000tom.vaknintty210.10.10.10
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 0000 01 01 01 01 0a 04 0c 00  74 6f 6d 2e 76 61 6b 6e  ........ tom.vakn
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 0010 69 6e 74 74 79 32 31 30  2e 31 30 2e 31 38 32 2e  intty210 .10.10..
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 0020 10                                             10
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 AUTHEN/START, priv_lvl=1
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 action=login (1)
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 authen_type=ascii (1)
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 service=login (1)
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 user_len=10 port_len=4 rem_addr_len=12
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 data_len=0
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 user (len: 10): tom.vaknin
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 0000 74 6f 6d 2e 76 61 6b 6e  69 6e                    tom.vakn in
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 port (len: 4): tty2
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 0000 74 74 79 32                                       tty2
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 rem_addr (len: 12): 10.10.10.10
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 0000 31 30 2e 31 30 2e 31 38  32 2e 36 33              10.10.10.10
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 data (len: 0): 
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 ---<end packet>---
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 authen: hdr->seq_no: 1
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 looking for user tom.vaknin realm default



Login to HP: (2.2.2.2)
26530: 12:05:31.078 5/00000000: - cidr match level 0 = allother
26530: 12:05:31.078 5/00000000: - connection request from 2.2.2.2 (key: sharedkey)
26530: 12:05:31.094 5/0479268d: 2.2.2.2 New session
26530: 12:05:31.094 5/0479268d: 2.2.2.2 ---<start packet>---
26530: 12:05:31.094 5/0479268d: 2.2.2.2 key used: sharedkey
26530: 12:05:31.094 5/0479268d: 2.2.2.2 version: 192, type: 1, seq no: 1, flags: unencrypted
26530: 12:05:31.094 5/0479268d: 2.2.2.2 session id: 8d267904 data length: 20
26530: 12:05:31.094 5/0479268d: 2.2.2.2 packet body (len: 20): \001\001\001\001\000\000\f\00010.10.10.10
26530: 12:05:31.094 5/0479268d: 2.2.2.2 0000 01 01 01 01 00 00 0c 00  31 30 2e 31 30 2e 31 38  ........ 10.10.10
26530: 12:05:31.094 5/0479268d: 2.2.2.2 0010 32 2e 36 33                                       10
26530: 12:05:31.094 5/0479268d: 2.2.2.2 AUTHEN/START, priv_lvl=1
26530: 12:05:31.094 5/0479268d: 2.2.2.2 action=login (1)
26530: 12:05:31.094 5/0479268d: 2.2.2.2 authen_type=ascii (1)
26530: 12:05:31.094 5/0479268d: 2.2.2.2 service=login (1)
26530: 12:05:31.094 5/0479268d: 2.2.2.2 user_len=0 port_len=0 rem_addr_len=12
26530: 12:05:31.094 5/0479268d: 2.2.2.2 data_len=0
26530: 12:05:31.094 5/0479268d: 2.2.2.2 user (len: 0): 
26530: 12:05:31.094 5/0479268d: 2.2.2.2 port (len: 0): 
26530: 12:05:31.094 5/0479268d: 2.2.2.2 rem_addr (len: 12): 10.10.182.63
26530: 12:05:31.094 5/0479268d: 2.2.2.2 0000 31 30 2e 31 30 2e 31 38  32 2e 36 33              10.10.10.10
26530: 12:05:31.094 5/0479268d: 2.2.2.2 data (len: 0): 
26530: 12:05:31.094 5/0479268d: 2.2.2.2 ---<end packet>---
26530: 12:05:31.094 5/0479268d: 2.2.2.2 authen: hdr->seq_no: 1
26530: 12:05:31.094 5/0479268d: 2.2.2.2 Writing AUTHEN/GETUSER size=262
26530: 12:05:31.094 5/0479268d: 2.2.2.2 ---<start packet>---
26530: 12:05:31.094 5/0479268d: 2.2.2.2 key used: sharedkey
26530: 12:05:31.094 5/0479268d: 2.2.2.2 version: 192, type: 1, seq no: 2, flags: unencrypted
26530: 12:05:31.094 5/0479268d: 2.2.2.2 session id: 8d267904 data length: 250

Thanks and regards,

Daniel Hartmeier

Feb 13, 2017, 5:44:27 AM
to Tom Vaknin, Event-Driven Servers
On Mon, Feb 13, 2017 at 02:21:29AM -0800, Tom Vaknin wrote:

> Login to HP: (2.2.2.2)
> 26530: 12:05:31.078 5/00000000: - cidr match level 0 = allother
> 26530: 12:05:31.078 5/00000000: - connection request from 2.2.2.2 (key:
> sharedkey)
> 26530: 12:05:31.094 5/0479268d: 2.2.2.2 New session
> 26530: 12:05:31.094 5/0479268d: 2.2.2.2 ---<start packet>---
> 26530: 12:05:31.094 5/0479268d: 2.2.2.2 key used: sharedkey
> 26530: 12:05:31.094 5/0479268d: 2.2.2.2 version: 192, type: 1, seq no: 1,
> flags: unencrypted
> 26530: 12:05:31.094 5/0479268d: 2.2.2.2 session id: 8d267904 data length: 20
> 26530: 12:05:31.094 5/0479268d: 2.2.2.2 packet body (len: 20):
> \001\001\001\001\000\000\f\000*10.10.10.10*
And that's it, nothing more?

The network element should receive the AUTHEN/GETUSER response and
prompt for your username, then send that to the TACACS server, in
subsequent packets.

If the network element receives the GETUSER, but doesn't react to it,
you might have to enable TACACS debugging in the network element, and
see if there's anything in the server response that the element doesn't
like. For HP Procurve, I think it's something like

debug destination session
debug security tacacs-server

Daniel
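The START / GETUSER exchange described above, as an added example that is not part of the thread or of tac_plus: a decoder for the TACACS+ header and AUTHEN/START body that reproduces the major-version check behind the "found 255 wanted 192" error and the GETUSER-versus-GETPASS decision seen in the two logs. The packets are constructed to mirror the logs; the rem_addr is a documentation address, not the thread's.

```python
"""Decode the client->server side of a TACACS+ ASCII login the way the
tac_plus debug log in this thread does, and show why an AUTHEN/START with
user_len=0 makes the server answer GETUSER instead of GETPASS.
Added example for this thread; all packet bytes below are constructed."""
import struct

TAC_PLUS_HDR_SIZE = 12
TAC_PLUS_MAJOR_VER_MASK = 0xF0
TAC_PLUS_MAJOR_VER = 0xC0          # 192 in "Illegal major version ... wanted 192"
TAC_PLUS_AUTHEN = 0x01             # header type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # "flags: unencrypted" in the log
TAC_PLUS_AUTHEN_STATUS_GETUSER = 4
TAC_PLUS_AUTHEN_STATUS_GETPASS = 5


def parse_header(pkt):
    """Fixed 12-byte header: version, type, seq_no, flags, session_id, length.
    The major-version check is the first one tac_plus applies, which is why
    a telnet client's 0xff IAC byte produced "found 255 wanted 192"."""
    if len(pkt) < TAC_PLUS_HDR_SIZE:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", pkt[:TAC_PLUS_HDR_SIZE])
    if (version & TAC_PLUS_MAJOR_VER_MASK) != TAC_PLUS_MAJOR_VER:
        raise ValueError("Illegal major version specified: found %d wanted %d"
                         % (version, TAC_PLUS_MAJOR_VER))
    if len(pkt) != TAC_PLUS_HDR_SIZE + length:
        raise ValueError("body length %d does not match header length %d"
                         % (len(pkt) - TAC_PLUS_HDR_SIZE, length))
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        # Real deployments obfuscate the body with an MD5 keystream derived
        # from the shared key; that step is deliberately not implemented here.
        raise ValueError("body is obfuscated with the shared key; cannot decode")
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "flags": flags, "session_id": session_id, "length": length}


def parse_authen_start(body):
    """AUTHEN/START body: eight one-byte fields followed by the variable
    fields whose lengths they announce (user, port, rem_addr, data)."""
    if len(body) < 8:
        raise ValueError("short AUTHEN/START body")
    (action, priv_lvl, authen_type, service,
     user_len, port_len, rem_addr_len, data_len) = struct.unpack("!8B", body[:8])
    if len(body) != 8 + user_len + port_len + rem_addr_len + data_len:
        raise ValueError("AUTHEN/START field lengths do not add up")
    fields = {"action": action, "priv_lvl": priv_lvl,
              "authen_type": authen_type, "service": service}
    off = 8
    for name, n in (("user", user_len), ("port", port_len),
                    ("rem_addr", rem_addr_len), ("data", data_len)):
        fields[name] = body[off:off + n]
        off += n
    return fields


def next_server_reply(start):
    """The server asks for whatever START did not carry: an empty user field
    gets GETUSER (the HP log), a filled one gets GETPASS (the Cisco log)."""
    if start["user"]:
        return TAC_PLUS_AUTHEN_STATUS_GETPASS
    return TAC_PLUS_AUTHEN_STATUS_GETUSER


def decode(pkt):
    """Decode one client packet; errors are returned rather than raised so
    arbitrary socket bytes can be fed in."""
    try:
        hdr = parse_header(pkt)
        if hdr["type"] != TAC_PLUS_AUTHEN or hdr["seq_no"] != 1:
            raise ValueError("not an AUTHEN/START packet")
        start = parse_authen_start(pkt[TAC_PLUS_HDR_SIZE:])
    except ValueError as exc:
        return {"error": str(exc)}
    return {"error": None, "header": hdr, "start": start,
            "next_reply": next_server_reply(start)}


def build_authen_start(session_id, user, port, rem_addr, data=b""):
    """Constructed AUTHEN/START (action=login, priv_lvl=1, ascii, service=login),
    the same 01 01 01 01 prefix both logs in the thread show."""
    body = bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data)])
    body += user + port + rem_addr + data
    hdr = struct.pack("!BBBBII", TAC_PLUS_MAJOR_VER, TAC_PLUS_AUTHEN, 1,
                      TAC_PLUS_UNENCRYPTED_FLAG, session_id, len(body))
    return hdr + body


# Constructed samples (rem_addr is a documentation address, not the thread's).
CISCO_START = build_authen_start(0xAA2ADBF2, b"tom.vaknin", b"tty2", b"192.0.2.10")
HP_START = build_authen_start(0x8D267904, b"", b"", b"192.0.2.10")
TELNET_JUNK = b"\xff\xfd\x03\xff\xfb\x18\xff\xfb\x1f\xff\xfb\x20"  # telnet IAC options

if __name__ == "__main__":
    for name, pkt in (("cisco", CISCO_START), ("hp", HP_START), ("telnet", TELNET_JUNK)):
        print(name, decode(pkt))
```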

Tom Vaknin

Feb 13, 2017, 6:58:16 AM
to Event-Driven Servers, tom...@gmail.com, dan...@benzedrine.ch
The log continues:
26530: 12:04:54.454 3/00000000: - cidr match level 0 = allother
26530: 12:04:54.454 3/00000000: - connection request from 1.1.1.1 (key: sharedkey)
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 New session
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 ---<start packet>---
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 key used: sharedkey
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 version: 192, type: 1, seq no: 1, flags: unencrypted
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 session id: aa2adbf2 data length: 34
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 packet body (len: 34): \001\001\001\001\n\004\f\000tom.vaknintty210.10.10.10
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 0000 01 01 01 01 0a 04 0c 00  74 6f 6d 2e 76 61 6b 6e  ........ tom.vakn
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 0010 69 6e 74 74 79 32 31 30  2e 31 30 2e 31 38 32 2e  intty210 .10.10.
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 0020 36 33                                             10
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 AUTHEN/START, priv_lvl=1
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 action=login (1)
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 authen_type=ascii (1)
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 service=login (1)
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 user_len=10 port_len=4 rem_addr_len=12
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 data_len=0
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 user (len: 10): tom.vaknin
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 0000 74 6f 6d 2e 76 61 6b 6e  69 6e                    tom.vakn in
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 port (len: 4): tty2
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 0000 74 74 79 32                                       tty2
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 rem_addr (len: 12): 10.10.10.10
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 0000 31 30 2e 31 30 2e 31 38  32 2e 36 33              10.10.10.10
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 data (len: 0): 
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 ---<end packet>---
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 authen: hdr->seq_no: 1
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 looking for user tom.vaknin realm default
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 cfg_get: checking user/group tom.vaknin, tag (NULL)
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 tom.v...@10.10.10.10: ACL __internal__realm_default: NAS matched (unrestricted)
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 tom.v...@10.10.10.10: ACL __internal__realm_default: NAC matched (unrestricted)
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 tom.v...@10.10.10.10: ACL __internal__realm_default: Port matched (unrestricted)
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 tom.v...@10.10.10.10: ACL __internal__realm_default line 1: Realm "default" <=> "default"
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 tom.v...@10.10.10.10: ACL __internal__realm_default: Realm matched
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 tom.v...@10.10.10.10: ACL __internal__realm_default: Timespec matched (unrestricted)
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 tom.v...@10.10.10.10: ACL __internal__realm_default: ACL matched (unrestricted)
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 tom.v...@10.10.10.10: ACL __internal__realm_default: match
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 cfg_get: checking user/group Networking, tag (NULL)
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 tom.v...@10.10.10.10: ACL __internal__realm_default: match (cached)
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 cfg_get: checking user/group ipgroup, tag (NULL)
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 user lookup succeded
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 Writing AUTHEN/GETPASS size=262
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 ---<start packet>---
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 key used: sharedkey
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 version: 192, type: 1, seq no: 2, flags: unencrypted
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 session id: aa2adbf2 data length: 250
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 packet body (len: 250): \005\001\000ô\000\000\n\nWARNING: This router system and data herein are available\n         only for authorized purposes and by authorized users.\n         Use for any other purpose may result in administrative\n         or legal actions against the user.\n\n\n\nPassword: 
...
BANNER
...
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 msg_len=244, data_len=0
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 msg (len: 244): \n\nWARNING: This router system and data herein are available\n         only for authorized purposes and by authorized users.\n         Use for any other purpose may result in administrative\n         or legal actions against the user.\n\n\n\nPassword: 
...
BANNER
...
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 00f0 72 64 3a 20                                       rd: 
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 data (len: 0): 
26530: 12:04:54.454 3/f2db2aaa: 1.1.1.1 ---<end packet>---
26530: 12:04:54.459 3/f2db2aaa: 1.1.1.1 ---<start packet>---
26530: 12:04:54.459 3/f2db2aaa: 1.1.1.1 key used: sharedkey
26530: 12:04:54.459 3/f2db2aaa: 1.1.1.1 version: 192, type: 1, seq no: 3, flags: unencrypted
26530: 12:04:54.459 3/f2db2aaa: 1.1.1.1 session id: aa2adbf2 data length: 13
26530: 12:04:54.459 3/f2db2aaa: 1.1.1.1 packet body (len: 13): \000\b\000\000\000userpass
26530: 12:04:54.459 3/f2db2aaa: 1.1.1.1 0000 00 08 00 00 00 4c 61 62  61 74 34 35 36           .....user paa
26530: 12:04:54.459 3/f2db2aaa: 1.1.1.1 AUTHEN/CONT user_msg_len=8, user_data_len=0
26530: 12:04:54.459 3/f2db2aaa: 1.1.1.1 user_msg (len: 8): userpass
26530: 12:04:54.459 3/f2db2aaa: 1.1.1.1 0000 4c 61 62 61 74 34 35 36                           userpass
26530: 12:04:54.459 3/f2db2aaa: 1.1.1.1 user_data (len: 0): 
26530: 12:04:54.459 3/f2db2aaa: 1.1.1.1 ---<end packet>---
26530: 12:04:54.459 3/f2db2aaa: 1.1.1.1 authen: hdr->seq_no: 3
26530: 12:04:54.459 3/f2db2aaa: 1.1.1.1 looking for user tom.vaknin realm default
26530: 12:04:54.459 3/f2db2aaa: 1.1.1.1 cfg_get: checking user/group tom.vaknin, tag (NULL)
26530: 12:04:54.459 3/f2db2aaa: 1.1.1.1 tom.v...@10.10.10.10: ACL __internal__realm_default: match (cached)
26530: 12:04:54.459 3/f2db2aaa: 1.1.1.1 cfg_get: checking user/group Networking, tag (NULL)
26530: 12:04:54.459 3/f2db2aaa: 1.1.1.1 tom.v...@10.10.10.10: ACL __internal__realm_default: match (cached)
26530: 12:04:54.459 3/f2db2aaa: 1.1.1.1 cfg_get: checking user/group ipgroup, tag (NULL)
26530: 12:04:54.459 3/f2db2aaa: 1.1.1.1 user lookup succeded
26530: 12:04:54.471 0/00000000: - creating user tom.vaknin in realm default
...
all groups from AD
...
26530: 12:04:54.471 3/f2db2aaa: 1.1.1.1 looking for user tom.vaknin realm default
26530: 12:04:54.471 3/f2db2aaa: 1.1.1.1 cfg_get: checking user/group tom.vaknin, tag (NULL)
26530: 12:04:54.471 3/f2db2aaa: 1.1.1.1 tom.v...@10.10.10.10: ACL __internal__realm_default: match (cached)
...
Groups from tac.file and AD
...
26530: 12:04:54.471 3/f2db2aaa: 1.1.1.1 Writing AUTHEN/PASS size=18
26530: 12:04:54.471 3/f2db2aaa: 1.1.1.1 ---<start packet>---
26530: 12:04:54.471 3/f2db2aaa: 1.1.1.1 key used: sharedkey
26530: 12:04:54.471 3/f2db2aaa: 1.1.1.1 version: 192, type: 1, seq no: 4, flags: unencrypted
26530: 12:04:54.471 3/f2db2aaa: 1.1.1.1 session id: aa2adbf2 data length: 6
26530: 12:04:54.471 3/f2db2aaa: 1.1.1.1 packet body (len: 6): \001\000\000\000\000\000
26530: 12:04:54.471 3/f2db2aaa: 1.1.1.1 0000 01 00 00 00 00 00                                 ......
26530: 12:04:54.471 3/f2db2aaa: 1.1.1.1 AUTHEN status=1 (AUTHEN/PASS) flags=0x0
26530: 12:04:54.471 3/f2db2aaa: 1.1.1.1 msg_len=0, data_len=0
26530: 12:04:54.471 3/f2db2aaa: 1.1.1.1 msg (len: 0): 
26530: 12:04:54.471 3/f2db2aaa: 1.1.1.1 data (len: 0): 
26530: 12:04:54.471 3/f2db2aaa: 1.1.1.1 ---<end packet>---
26530: 12:04:54.503 4/00000000: - cidr match level 0 = allother
26530: 12:04:54.503 4/00000000: - connection request from 1.1.1.1 (key: sharedkey)
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 New session
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 ---<start packet>---
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 key used: sharedkey
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 version: 192, type: 2, seq no: 1, flags: unencrypted
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 session id: 420a5cbe data length: 53
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 packet body (len: 53): \006\001\001\001\n\004\f\002\r\004tom.vaknintty210.10.10.10service=shellcmd*
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 0000 06 01 01 01 0a 04 0c 02  0d 04 74 6f 6d 2e 76 61  ........ ..tom.va
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 0010 6b 6e 69 6e 74 74 79 32  31 30 2e 31 30 2e 31 38  knintty2 10.10.18
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 0020 32 2e 36 33 73 65 72 76  69 63 65 3d 73 68 65 6c  2.63serv ice=shel
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 0030 6c 63 6d 64 2a                                    lcmd*
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 AUTHOR priv_lvl=1 authen=1 method=tacacs+ (6) svc=1
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 user_len=10 port_len=4 rem_addr_len=12 arg_cnt=2
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 user (len: 10): tom.vaknin
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 0000 74 6f 6d 2e 76 61 6b 6e  69 6e                    tom.vakn in
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 port (len: 4): tty2
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 0000 74 74 79 32                                       tty2
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 rem_addr (len: 12): 10.10.10.10
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 0000 31 30 2e 31 30 2e 31 38  32 2e 36 33              10.10.10.10
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 arg[0] (len: 13): service=shell
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 0000 73 65 72 76 69 63 65 3d  73 68 65 6c 6c           service= shell
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 arg[1] (len: 4): cmd*
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 0000 63 6d 64 2a                                       cmd*
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 ---<end packet>---
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 Start authorization request
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 cfg_get: checking user/group tom.vaknin, tag (NULL)
...
Groups
...
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 cfg_get_svc_attrs_func: found svcname=shell proto=
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 nas:service=shell (passed thru)
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 nas:cmd* (passed thru)
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 nas:absent srv:idletime=30 -> add idletime=30 (k)
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 nas:absent srv:priv-lvl=15 -> add priv-lvl=15 (k)
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 nas:absent srv:timeout=60 -> add timeout=60 (k)
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 added 3 args
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 Writing AUTHOR/PASS_ADD size=53
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 ---<start packet>---
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 key used: sharedkey
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 version: 192, type: 2, seq no: 2, flags: unencrypted
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 session id: 420a5cbe data length: 41
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 packet body (len: 41): \001\003\000\000\000\000\v\v\nidletime=30priv-lvl=15timeout=60
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 0000 01 03 00 00 00 00 0b 0b  0a 69 64 6c 65 74 69 6d  ........ .idletim
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 0010 65 3d 33 30 70 72 69 76  2d 6c 76 6c 3d 31 35 74  e=30priv -lvl=15t
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 0020 69 6d 65 6f 75 74 3d 36  30                       imeout=6 0
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 AUTHOR/REPLY status=1 (AUTHOR/PASS_ADD) 
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 msg_len=0, data_len=0, arg_cnt=3
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 msg (len: 0): 
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 data (len: 0): 
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 arg[0] (len: 11): idletime=30
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 0000 69 64 6c 65 74 69 6d 65  3d 33 30                 idletime =30
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 arg[1] (len: 11): priv-lvl=15
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 0000 70 72 69 76 2d 6c 76 6c  3d 31 35                 priv-lvl =15
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 arg[2] (len: 10): timeout=60
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 0000 74 69 6d 65 6f 75 74 3d  36 30                    timeout= 60
26530: 12:04:54.503 4/be5c0a42: 1.1.1.1 ---<end packet>---







Full HP log:
26530: 12:05:31.078 5/00000000: - cidr match level 0 = allother
26530: 12:05:31.078 5/00000000: - connection request from 2.2.2.2 (key: sharedkey)
26530: 12:05:31.094 5/0479268d: 2.2.2.2 New session
26530: 12:05:31.094 5/0479268d: 2.2.2.2 ---<start packet>---
26530: 12:05:31.094 5/0479268d: 2.2.2.2 key used: sharedkey
26530: 12:05:31.094 5/0479268d: 2.2.2.2 version: 192, type: 1, seq no: 1, flags: unencrypted
26530: 12:05:31.094 5/0479268d: 2.2.2.2 session id: 8d267904 data length: 20
26530: 12:05:31.094 5/0479268d: 2.2.2.2 packet body (len: 20): \001\001\001\001\000\000\f\00010.10.10.10
26530: 12:05:31.094 5/0479268d: 2.2.2.2 0000 01 01 01 01 00 00 0c 00  31 30 2e 31 30 2e 31 38  ........ 10.10.10
26530: 12:05:31.094 5/0479268d: 2.2.2.2 0010 32 2e 36 33                                       2.10
26530: 12:05:31.094 5/0479268d: 2.2.2.2 AUTHEN/START, priv_lvl=1
26530: 12:05:31.094 5/0479268d: 2.2.2.2 action=login (1)
26530: 12:05:31.094 5/0479268d: 2.2.2.2 authen_type=ascii (1)
26530: 12:05:31.094 5/0479268d: 2.2.2.2 service=login (1)
26530: 12:05:31.094 5/0479268d: 2.2.2.2 user_len=0 port_len=0 rem_addr_len=12
26530: 12:05:31.094 5/0479268d: 2.2.2.2 data_len=0
26530: 12:05:31.094 5/0479268d: 2.2.2.2 user (len: 0): 
26530: 12:05:31.094 5/0479268d: 2.2.2.2 port (len: 0): 
26530: 12:05:31.094 5/0479268d: 2.2.2.2 rem_addr (len: 12): 10.10.10.10
26530: 12:05:31.094 5/0479268d: 2.2.2.2 0000 31 30 2e 31 30 2e 31 38  32 2e 36 33              10.10.10.10
26530: 12:05:31.094 5/0479268d: 2.2.2.2 data (len: 0): 
26530: 12:05:31.094 5/0479268d: 2.2.2.2 ---<end packet>---
26530: 12:05:31.094 5/0479268d: 2.2.2.2 authen: hdr->seq_no: 1
26530: 12:05:31.094 5/0479268d: 2.2.2.2 Writing AUTHEN/GETUSER size=262
26530: 12:05:31.094 5/0479268d: 2.2.2.2 ---<start packet>---
26530: 12:05:31.094 5/0479268d: 2.2.2.2 key used: sharedkey
26530: 12:05:31.094 5/0479268d: 2.2.2.2 version: 192, type: 1, seq no: 2, flags: unencrypted
26530: 12:05:31.094 5/0479268d: 2.2.2.2 session id: 8d267904 data length: 250
26530: 12:05:31.094 5/0479268d: 2.2.2.2 packet body (len: 250): \004\000\000ô\000\000\n\nWARNING: This router system and data herein are available\n         only for authorized purposes and by authorized users.\n         Use for any other purpose may result in administrative\n         or legal actions against the user.\n\n\n\nUsername: 
...
BANNER
...
26530: 12:05:31.094 5/0479268d: 2.2.2.2 AUTHEN status=4 (AUTHEN/GETUSER) flags=0x0
26530: 12:05:31.094 5/0479268d: 2.2.2.2 msg_len=244, data_len=0
26530: 12:05:31.094 5/0479268d: 2.2.2.2 msg (len: 244): \n\nWARNING: This router system and data herein are available\n         only for authorized purposes and by authorized users.\n         Use for any other purpose may result in administrative\n         or legal actions against the user.\n\n\n\nUsername: 
...
BANNER
...
26530: 12:05:31.094 5/0479268d: 2.2.2.2 data (len: 0): 
26530: 12:05:31.094 5/0479268d: 2.2.2.2 ---<end packet>---


Is the missing username in the HP log an indication of the problem?

Thanks and regards

On Monday, 13 February 2017 at 12:44:27 UTC+2, Daniel Hartmeier wrote:

Daniel Hartmeier

Feb 13, 2017, 8:47:26 AM
to event-driv...@googlegroups.com, tom...@gmail.com
On Mon, Feb 13, 2017 at 03:58:15AM -0800, Tom Vaknin wrote:

> Full HP log:
> [...]
> 26530: 12:05:31.094 5/0479268d: 2.2.2.2 Writing AUTHEN/GETUSER size=262
> 26530: 12:05:31.094 5/0479268d: 2.2.2.2 ---<start packet>---
> 26530: 12:05:31.094 5/0479268d: 2.2.2.2 key used: sharedkey
> 26530: 12:05:31.094 5/0479268d: 2.2.2.2 version: 192, type: 1, seq no: 2,
> flags: unencrypted
> 26530: 12:05:31.094 5/0479268d: 2.2.2.2 session id: 8d267904 data length:
> 250
> 26530: 12:05:31.094 5/0479268d: 2.2.2.2 packet body (len: 250):
> \004\000\000??\000\000\n\nWARNING: This router system and data herein are
> available\n only for authorized purposes and by authorized users.\n
> Use for any other purpose may result in administrative\n or
> legal actions against the user.\n\n\n\nUsername:
> ...
> BANNER
> ...
> 26530: 12:05:31.094 5/0479268d: 2.2.2.2 AUTHEN status=4 (AUTHEN/GETUSER)
> flags=0x0
> 26530: 12:05:31.094 5/0479268d: 2.2.2.2 msg_len=244, data_len=0
> 26530: 12:05:31.094 5/0479268d: 2.2.2.2 msg (len: 244): \n\nWARNING: This
> router system and data herein are available\n only for authorized
> purposes and by authorized users.\n Use for any other purpose may
> result in administrative\n or legal actions against the
> user.\n\n\n\nUsername:
> ...
> BANNER
> ...
> 26530: 12:05:31.094 5/0479268d: 2.2.2.2 data (len: 0):
> 26530: 12:05:31.094 5/0479268d: 2.2.2.2 ---<end packet>---
>
>
> isi the missing username on the HP log indicates on the problem?

No, it seems the HP device is not reacting to the GETUSER packet.

Is it displaying the banner provided by the TACACS server?

Have you tried without a banner?

Daniel

Tom Vaknin

Feb 13, 2017, 9:09:21 AM
to Event-Driven Servers, tom...@gmail.com, dan...@benzedrine.ch
Hi

It is displaying the banner configured on the HP switch.
I also tried removing the banner from the HP and from the TACACS.
The banner from the TACACS does not appear on the SSH connection.

Still not working..



On Monday, 13 February 2017 at 15:47:26 UTC+2, Daniel Hartmeier wrote:

Daniel Hartmeier

Feb 13, 2017, 9:13:57 AM
to Tom Vaknin, Event-Driven Servers
On Mon, Feb 13, 2017 at 06:09:21AM -0800, Tom Vaknin wrote:

> it is displaying the banner configured on the HP switch.
> i also try to remove the banner from the HP and from the TACACS.
> the banner from the tacacs will not appear on ssh connection.
>
> still not working..

I'd try to enable aaa debug logging in the switch and see if anything
interesting pops up there.

If it's not the commands I mentioned before, see pages 148 and 149 on
https://www.manualslib.com/manual/881933/Hp-Procurve-Secure-7000dl-Series.html?page=148#manual

In particular, I'd check if the switch is logging reception of the
GETUSER packet, any error within, and if it's trying to send a CONTINUE
with the user name...

Daniel

Johnny Massengill

Feb 13, 2017, 9:25:26 AM
to Event-Driven Servers, tom...@gmail.com, dan...@benzedrine.ch
I have never gotten banners to work from my TACACS server for HP switches using SSH (one exception to that was old HP ProCurve 2524 switches), but I know the banners are configured correctly because they show up in the few Cisco switches I have using SSH.

Tom Vaknin

Feb 13, 2017, 10:50:33 AM
to Event-Driven Servers


On Thursday, 9 February 2017 at 15:54:40 UTC+2, Tom Vaknin wrote:

Tom Vaknin

Feb 14, 2017, 3:41:18 AM
to Event-Driven Servers, tom...@gmail.com, dan...@benzedrine.ch
The aaa debug options are for HP routers; I can't find aaa debug on ProCurve switches.
The value of (AUTHEN/GETUSER) = 0:
AUTHEN status=4 (AUTHEN/GETUSER) flags=0x0

The show tacacs-server command output from the HP looks fine:
HP-PROCURE1# show tacacs

 Status and Counters - TACACS Information

  Timeout : 10          
  Source IP Selection : Outgoing Interface     
  Encryption Key :

  Server IP Addr  Opens  Closes Aborts Errors Pkts Rx Pkts Tx
  --------------- ------ ------ ------ ------ ------- -------
  ip-of-tacacs-ser     29     1      1      27     3       30     


When applying:
debug security tacacs-server
debug destination session

VOICE_SW11.HEZ01# 
0284:17:48:06.12 TAC  mTacacsCtrl:AUTHENTICATION START session: 3163765950
   sequence: 1 to ip-of-tacacs-serv, action: login, privilege level: user, service:
   login.
0284:17:48:16.12 TAC  mTacacsCtrl:TIMEOUT session: 3163765950 sequence: 1 to
   ip-of-tacacs-serv, User-Name: tom.vaknin while waiting for server reply.




Thanks.


On Monday, 13 February 2017 at 16:25:26 UTC+2, Johnny Massengill wrote:

Tom Vaknin

Feb 14, 2017, 7:07:43 AM
to Event-Driven Servers, tom...@gmail.com, dan...@benzedrine.ch
Hi

It seems that the HP switch doesn't send the user name to the TACACS server.
Attached are a successful login to Cisco and a failed login to HP.

Am I missing commands on the HP side?

tacacs-server host 10.10.10.10 key sharedkey
aaa authorization commands local
aaa authentication login privilege-mode
aaa authentication ssh login tacacs local
aaa authentication ssh enable tacacs local

Thanks and regards,

HP login.PNG
cisco login.PNG

David Abarca

Jun 14, 2019, 1:04:55 PM
to Event-Driven Servers
Hi!

I'm aware this is an old thread but if someone else is experiencing the same issue this might help.

I can confirm that once you try to enter priv mode the user-name is lost (see line 2 below testuser):

tail -f /var/log/tac_plus/access/20190614.log
2019-06-xx xx:42:24 +0200 x.x.x.x testuser    x.x.x.x shell login succeeded
2019-06-xx xx:42:29 +0200 x.x.x.x             x.x.x.x enable 15 failed (password not set)

However, after I add this row to the HP ProCurve, it works.

switch(config)# aaa authentication login
 privilege-mode        Specify that switch respects the authentication server's privilege level.

tail -f /var/log/tac_plus/access/201906xx.log
2019-06-xx xx:55:15 +0200 x.x.x.x testuser    x.x.x.x shell login succeeded

I can also confirm that a user that does not have priv-15 will not be allowed into priv exec mode.

Here's an HP ProCurve working config.

tacacs-server host 1.1.1.1 key "tacacsKey"
tacacs-server host 2.2.2.2 key "tacacsKey"
aaa authentication login privilege-mode
aaa authentication console login tacacs local
aaa authentication console enable tacacs local

aaa authentication ssh login tacacs local
aaa authentication ssh enable tacacs local

// David