shell login denied by ACL


LEI CHU

Mar 15, 2024, 4:32:37 AM
to Event-Driven Servers
Hi, 
I encountered a problem when using tac_plus-ng. My configuration file is simplified; I think it is very simple, but I can never log in. Can you help me find out where the problem lies?
My simplified configuration file is as follows:

#!../../../sbin/tac_plus-ng

id = spawnd {
    background = no
    # single process = yes
    # listen { port = 49 realm = heck }
    listen { port = 49 }
    spawn {
        instances min = 1
        instances max = 5
    }
}

id = tac_plus-ng {
    # debug = PACKET AUTHEN AUTHOR

    log mysyslog
    log accesslog { destination = /root/tac_plus-ng/logs/access.log }
    log authorlog { destination = /root/tac_plus-ng/logs/author.log }

    access log = mysyslog
    access log = accesslog
    authorization log = authorlog
    accounting log = mysyslog

    device permit_dev {
        address = 0.0.0.0/0
        key = 12345678
        welcome banner = "Welcome, you're coming from ${client.address}\n"
    }

    user demo1 {
        password login = clear demo123
        password pap = login
        # member = admin
    }

}


I captured the packets with Wireshark and found that the username and password were not entered incorrectly, but I still couldn't log in.



Marc Huber

Mar 15, 2024, 10:42:31 AM
to event-driv...@googlegroups.com
Hi,

your configuration lacks vital parts. Please check out the samples and
documentation for details.

https://github.com/MarcJHuber/event-driven-servers/blob/master/tac_plus-ng/sample/tac_plus-ng.cfg

Cheers,

Marc

On 15.03.2024 09:32, LEI CHU wrote:
> Hi,
> I encountered a problem when using tac_plus-ng. My configuration file
> is simplified. I think it is very simple, but I always cannot log in.
> Can you help me find out where the problem lies?
> My simplified configuration file is as follows:
>
> #!../../../sbin/tac_plus-ng
>
> id = spawnd {
> background = no
> #single process = yes

LEI CHU

Mar 18, 2024, 10:55:13 AM
to Event-Driven Servers
Hi, thank you very much for helping me.
I am currently using tac_plus in another project, and I have encountered another problem. I would like to ask for your help to find out what is going on.
When I configure limit_demo so that this user can only use, or is prohibited from using, certain specific commands, my configuration does not take effect; neither the command configuration nor the banner configuration takes effect.
I have restarted the tac_plus server.

Marc Huber

Mar 18, 2024, 1:12:06 PM
to event-driv...@googlegroups.com
Hi,

your router/switch may not have a suitable AAA setup. If it has, please
provide some debug output.

Cheers,

Marc

LEI CHU

Mar 18, 2024, 9:08:49 PM
to Event-Driven Servers
Hi Marc,
Attached are my debugging logs and the configuration of the Huawei router.

Cheers
Attachments: tac_plus_debug_out, hw_route_conf_command, HUAWEI dis cur

Marc Huber

Mar 19, 2024, 12:55:10 PM
to event-driv...@googlegroups.com
Hi,

I don't see any command authorization in your debug log, so I'd suspect
your Huawei device just isn't configured for command authorization.

I've googled that for you, and you're probably missing an
authorization-cmd line.

[Switch-aaa] authorization-scheme sch2
[Switch-aaa-author-sch2] authorization-mode hwtacacs local
[Switch-aaa-author-sch2] authorization-cmd 15 hwtacacs local
[Switch-aaa-author-sch2] quit

https://support.huawei.com/enterprise/en/doc/EDOC1100127063/3f77db49/example-for-configuring-hwtacacslocal-authentication-command-authorization-and-command-auditing-for-administrators

Cheers,

Marc

LEI CHU

Mar 22, 2024, 6:13:44 AM
to Event-Driven Servers
Thank you very much for your reply. Following your hints, I added the configuration to the Huawei device and streamlined tac_plus.cfg. I only want the demo user to be able to execute system-view and display commands and to be prohibited from executing interface commands. But now the demo user cannot execute system-view after logging in. Moreover, I noticed something in the packets captured with Wireshark: during the authorization phase, the response packet from the tac_plus server contained Privilege Level = 0, which made it impossible to enter configuration mode. But if I configure set priv-lvl = xxx in the service, the response message does carry priv-lvl. In that case, however, the cmd configured below does not work.
May I ask, what is the principle behind this phenomenon? I really appreciate you taking the time to help me resolve this issue.


The debug log is as follows:
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 New session
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 ---<start packet>---
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 key used: 12345678
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 version: 192, type: 1, seq no: 1, flags: unencrypted
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 session id: 36880f8b, data length: 29
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 AUTHEN/START, priv_lvl=0
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 action=login (1)
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 authen_type=ascii (1)
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 service=login (1)
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 user_len=4 port_len=4 rem_addr_len=13
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 data_len=0
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 user (len: 4): demo
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 port (len: 4): vty0
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 rem_addr (len: 13): 192.168.100.2
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 ---<end packet>---
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 authen: hdr->seq_no: 1
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 looking for user demo realm default
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 cfg_get: checking user/group demo, tag (NULL)
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 user lookup succeded
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 Writing AUTHEN/GETPASS size=29
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 ---<start packet>---
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 key used: 12345678
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 version: 192, type: 1, seq no: 2, flags: unencrypted
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 session id: 36880f8b, data length: 17
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 AUTHEN, status=5 (AUTHEN/GETPASS) flags=0x1
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 msg_len=11, data_len=0
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 msg (len: 11): \nPassword:
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 data (len: 0):
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 ---<end packet>---
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 ---<start packet>---
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 key used: 12345678
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 version: 192, type: 1, seq no: 3, flags: unencrypted
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 session id: 36880f8b, data length: 9
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 AUTHEN/CONT user_msg_len=4, user_data_len=0
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 ---<end packet>---
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 authen: hdr->seq_no: 3
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 looking for user demo realm default
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 cfg_get: checking user/group demo, tag (NULL)
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 user lookup succeded
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 cfg_get: checking user/group demo, tag (NULL)
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 cfg_get: checking user/group demo, tag (NULL)
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 cfg_get: checking user/group demo, tag (NULL)
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 shell login for 'demo' from 192.168.100.2 on vty0 succeeded
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 cfg_get: checking user/group demo, tag (NULL)
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 cfg_get: checking user/group demo, tag (NULL)
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 Writing AUTHEN/PASS size=18
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 ---<start packet>---
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 key used: 12345678
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 version: 192, type: 1, seq no: 4, flags: unencrypted
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 session id: 36880f8b, data length: 6
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 AUTHEN, status=1 (AUTHEN/PASS) flags=0x0
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 msg_len=0, data_len=0
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 msg (len: 0):
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 data (len: 0):
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 ---<end packet>---
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 New session
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 ---<start packet>---
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 key used: 12345678
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 version: 192, type: 2, seq no: 1, flags: unencrypted
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 session id: 1f1c70f6, data length: 48
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 AUTHOR, priv_lvl=0
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 authen_type=ascii (1)
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 authen_method=tacacs+ (6)
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 service=login (1)
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 user_len=4 port_len=4 rem_addr_len=13 arg_cnt=2
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 user (len: 4): demo
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 port (len: 4): vty0
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 rem_addr (len: 13): 192.168.100.2
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 arg[0] (len: 13): service=shell
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 arg[1] (len: 4): cmd*
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 ---<end packet>---
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 Start authorization request
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 cfg_get: checking user/group demo, tag (NULL)
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 cfg_get: checking user/group demo, tag (NULL)
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 user 'demo' found
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 cfg_get: checking user/group demo, tag (NULL)
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 de...@192.168.100.201: not found: svcname=shell@world protocol=
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 de...@192.168.100.201: found: svcname=shell protocol=
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 nas:service=shell (passed thru)
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 nas:cmd* (passed thru)
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 Writing AUTHOR/PASS_ADD size=18
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 ---<start packet>---
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 key used: 12345678
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 version: 192, type: 2, seq no: 2, flags: unencrypted
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 session id: 1f1c70f6, data length: 6
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 AUTHOR/REPLY, status=1 (AUTHOR/PASS_ADD)
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 msg_len=0, data_len=0, arg_cnt=0
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 msg (len: 0):
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 data (len: 0):
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 ---<end packet>---
237: 10:08:01.931 2/6d16512c: 192.168.100.201 New session
237: 10:08:01.931 2/6d16512c: 192.168.100.201 ---<start packet>---
237: 10:08:01.931 2/6d16512c: 192.168.100.201 key used: 12345678
237: 10:08:01.931 2/6d16512c: 192.168.100.201 version: 192, type: 3, seq no: 1, flags: unencrypted
237: 10:08:01.931 2/6d16512c: 192.168.100.201 session id: 2c51166d, data length: 66
237: 10:08:01.931 2/6d16512c: 192.168.100.201 ACCT, priv_lvl=0 flags=0x2
237: 10:08:01.931 2/6d16512c: 192.168.100.201 authen_type=ascii (1)
237: 10:08:01.931 2/6d16512c: 192.168.100.201 authen_method=tacacs+ (6)
237: 10:08:01.931 2/6d16512c: 192.168.100.201 service=login (1)
237: 10:08:01.931 2/6d16512c: 192.168.100.201 user_len=4 port_len=4 rem_addr_len=13 arg_cnt=3
237: 10:08:01.931 2/6d16512c: 192.168.100.201 user (len: 4): demo
237: 10:08:01.931 2/6d16512c: 192.168.100.201 port (len: 4): vty0
237: 10:08:01.931 2/6d16512c: 192.168.100.201 rem_addr (len: 13): 192.168.100.2
237: 10:08:01.931 2/6d16512c: 192.168.100.201 arg[0] (len: 10): task_id=53
237: 10:08:01.931 2/6d16512c: 192.168.100.201 arg[1] (len: 10): timezone=0
237: 10:08:01.931 2/6d16512c: 192.168.100.201 arg[2] (len: 13): service=shell
237: 10:08:01.931 2/6d16512c: 192.168.100.201 ---<end packet>---
237: 10:08:01.931 2/6d16512c: 192.168.100.201 Writing ACCT size=17
237: 10:08:01.931 2/6d16512c: 192.168.100.201 ---<start packet>---
237: 10:08:01.931 2/6d16512c: 192.168.100.201 key used: 12345678
237: 10:08:01.931 2/6d16512c: 192.168.100.201 version: 192, type: 3, seq no: 2, flags: unencrypted
237: 10:08:01.931 2/6d16512c: 192.168.100.201 session id: 2c51166d, data length: 5
237: 10:08:01.931 2/6d16512c: 192.168.100.201 ACCT/REPLY, status=1, msg_len=0, data_len=0
237: 10:08:01.931 2/6d16512c: 192.168.100.201 msg (len: 0):
237: 10:08:01.931 2/6d16512c: 192.168.100.201 data (len: 0):
237: 10:08:01.931 2/6d16512c: 192.168.100.201 ---<end packet>---

Cheers

Marc Huber

Mar 22, 2024, 9:21:39 AM
to event-driv...@googlegroups.com
Hi,

the "Privilege Level: 0" field in your TACACS+ authorization query is
the privilege level of your user as your device sees it. In an
authorization answer for shell startup ("service=shell cmd*") the daemon
may assign a privilege level to the CLI session, e.g. "priv_lvl=15".

While I think that's supported on Huawei devices too, I've no clue on
how to configure it. I just don't know the Huawei CLI.

Cheers,

Marc
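As an added example (not code from the thread or from tac_plus-ng), a small Python checker over debug lines in the format quoted above: it pairs each AUTHOR request with its reply, picks out the shell start-up query (service=shell with the empty cmd* argument) and flags the ones that were permitted without a priv-lvl attribute, which is exactly the situation in which the device keeps the session at the privilege level it reported itself (0 here). The sample lines are constructed from the quoted log plus a hypothetical second session whose reply does set priv-lvl=15; it is assumed that reply attributes are logged as arg[i] lines after the AUTHOR/REPLY line, mirroring the request's arg lines.

```python
# Constructed sample in the format of the quoted tac_plus-ng debug output: the
# thread's AUTHOR session (reply carries no priv-lvl) plus a hypothetical second
# session whose reply sets priv-lvl=15 (reply args assumed logged as arg[i] lines).
SAMPLE_LOG = """\
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 AUTHOR, priv_lvl=0
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 user (len: 4): demo
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 arg[0] (len: 13): service=shell
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 arg[1] (len: 4): cmd*
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 AUTHOR/REPLY, status=1 (AUTHOR/PASS_ADD)
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 msg_len=0, data_len=0, arg_cnt=0
238: 10:09:12.004 3/0badc0de: 192.168.100.201 AUTHOR, priv_lvl=0
238: 10:09:12.004 3/0badc0de: 192.168.100.201 user (len: 5): admin
238: 10:09:12.004 3/0badc0de: 192.168.100.201 arg[0] (len: 13): service=shell
238: 10:09:12.004 3/0badc0de: 192.168.100.201 arg[1] (len: 4): cmd*
238: 10:09:12.004 3/0badc0de: 192.168.100.201 AUTHOR/REPLY, status=1 (AUTHOR/PASS_ADD)
238: 10:09:12.004 3/0badc0de: 192.168.100.201 arg[0] (len: 11): priv-lvl=15
"""

def parse_author_sessions(log_text):
    """Group AUTHOR lines by session id: user, request args, reply status, reply args."""
    sessions = {}
    for line in log_text.splitlines():
        parts = line.split(None, 4)  # seq, time, "sid:", peer address, body
        if len(parts) < 5:
            continue
        sid, body = parts[2].rstrip(":"), parts[4]
        if body.startswith("AUTHOR, "):
            sessions[sid] = {"sid": sid, "user": "", "status": "", "req": [], "reply": []}
        elif sid in sessions:
            s = sessions[sid]
            if body.startswith("user (len:"):
                s["user"] = body.split("): ", 1)[1]
            elif body.startswith("AUTHOR/REPLY"):
                s["status"] = body.split("(", 1)[1].rstrip(")")  # e.g. AUTHOR/PASS_ADD
            elif body.startswith("arg["):  # args seen before the reply line belong to the request
                s["reply" if s["status"] else "req"].append(body.split("): ", 1)[1])
    return list(sessions.values())

def assigned_priv_lvl(session):
    """Privilege level the daemon put in its reply, or None if it left the device's own."""
    for kv in session["reply"]:
        if kv.startswith(("priv-lvl=", "priv-lvl*")):
            return int(kv[9:])
    return None

def shell_starts_without_priv_lvl(log_text):
    """(session id, user) of permitted shell start-ups (service=shell, cmd*) with no priv-lvl."""
    return [(s["sid"], s["user"]) for s in parse_author_sessions(log_text)
            if "service=shell" in s["req"] and "cmd*" in s["req"]
            and s["status"] == "AUTHOR/PASS_ADD" and assigned_priv_lvl(s) is None]
```

Running it over a real debug capture lists the users whose CLI session starts at the device's own level, which is the first thing to check when command authorization seems to be ignored.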