Missing IP address in logfiles / problems with tacacs key


Luca Pandolfini

Mar 17, 2014, 3:02:13 PM
to event-driv...@googlegroups.com
Hello everyone,

I was able to compile and install the software on a Ubuntu 13.10 server without problems.
I've configured it with several Cisco switches and routers (3560 and 6500, with IOS), and everything works fine except for two problems:
  1. In the accounting and authentication logs, there is always 0.0.0.0 as the IP address of the router/switch
  2. If I use a key in the tac_plus.cfg file (and the same on the switches), the switches aren't able to connect anymore
My configuration is the following:
#!/usr/local/sbin/tac_plus
id = spawnd {
    listen = { port = 49 }
    spawn = {
        instances min = 1
        instances max = 10
    }
    background = yes
}

id = tac_plus {
    authentication log = /var/log/tac_plus/authentication.log
    authorization log = /var/log/tac_plus/authorization.log
    accounting log = /var/log/tac_plus/accounting.log
    authorization log group = yes

    mavis module = external {
        setenv LDAP_SERVER_TYPE = "microsoft"
        setenv LDAP_HOSTS = "WWW.XXX.YYY.ZZZ"
        setenv LDAP_BASE = "OU=XXXX,DC=mydomain,DC=prv"
        setenv LDAP_USER = ldap...@mydomain.prv
        setenv LDAP_PASSWD = ldappassword
        setenv AD_GROUP_PREFIX = tacacs
        setenv REQUIRE_AD_GROUP_PREFIX = 1
        exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
    }

    login backend = mavis
    user backend = mavis
    pap backend = mavis

    host = world {
        address = 0.0.0.0/0
        key = ""
    }

    group = admin {
        default service = permit
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 15
        }
    }

    group = guest {
        default service = permit
        enable = deny
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 1
        }
    }

    user = admin {
        password = clear adminpassword
        member = admin
    }

    user = readonly {
        password = clear anotherpassword
        member = guest
    }
}

The configuration on the switches is the following (this one is from a Cisco 3560 switch):
aaa new-model
aaa authentication login telnet group tacacs+ local
aaa authentication login console group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
!
tacacs-server host WWW.XXX.YYY.ZZZ
no tacacs-server directed-request
!
line con 0
 login authentication console
line vty 0 4
 login authentication telnet
line vty 5 15
 login authentication telnet
!

When I add the key, I use the following command on the switches:
tacacs-server key MYKEY

Can someone help me resolve these issues?

Thanks
Luca
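A note on the posted host block, as an added example that is not part of Luca's post or of the tac_plus distribution. `address = 0.0.0.0/0` together with `key = ""` means the daemon will take an AUTHEN/START from any source address and, because the client marks the body as unencrypted when no key is set, the username and password cross the wire in clear. The hardened form below restricts clients to the management prefixes (the prefixes and key strings are assumed values, not from the thread) and uses the `host = name { address = ... key = ... }` syntax shown elsewhere in this thread; there is deliberately no catch-all entry, so an unknown source gets no key and no session.

```text
# As posted: any client, no shared secret, clear-text bodies.
host = world {
    address = 0.0.0.0/0
    key = ""
}

# Hardened (assumed prefixes and secrets): one block per management range,
# each with its own secret, and no 0.0.0.0/0 fallback.
host = core-switches {
    address = 172.20.0.0/16
    key = "long-random-secret-for-core"
}
host = campus-switches {
    address = 172.21.1.0/24
    key = "long-random-secret-for-campus"
}
```

Keep in mind that the TACACS+ body "encryption" is an MD5-derived XOR pad, which RFC 8907 describes as obfuscation rather than encryption; the key stops casual sniffing and unauthenticated clients, but traffic between switches and the server still belongs on a management network or inside an IPsec tunnel.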

Marc Huber

Mar 17, 2014, 4:53:47 PM
to event-driv...@googlegroups.com
Hi Luca,

On 17.03.14 20:02, Luca Pandolfini wrote:
> In the accounting and authentication logs, there is always 0.0.0.0 as
> the IP address of the router/switch
apologies ... I think I've introduced a bug in one of the latest
snapshots. The patch below (or the current snapshot) should fix that
issue, temporarily. I'm currently unsure why this isn't working as expected.

Thanks,

Marc


diff -u -r1.39 misc/net.c
--- misc/net.c 2014/02/25 18:47:35 1.39
+++ misc/net.c 2014/03/17 20:50:50
@@ -65,7 +65,7 @@
if (sa->sa.sa_family == AF_INET && af == AF_INET6) {
sockaddr_union su;
su = *sa;
- memset(sa, 0, sizeof(sockaddr_union));
+ //memset(sa, 0, sizeof(sockaddr_union));
sa->sin6.sin6_port = su.sin.sin_port;
sa->sa.sa_family = AF_INET6;
if (!su_copy_addr(sa, &su))
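Review bot: commenting out the memset on the AF_INET to AF_INET6 branch leaves sin6_flowinfo and sin6_scope_id holding whatever the sockaddr_in had at those offsets (sin6_flowinfo overlays the old sin_addr), so the converted address now carries a bogus flow label and scope id. If the symptom is that the address comes out as 0.0.0.0 after the clear, the suspect is su_copy_addr(sa, &su) reading from the freshly zeroed destination instead of from the saved copy su; that is where to look, and the memset should stay. If the clear really has to go for now, zero the two fields explicitly (sa->sin6.sin6_flowinfo = 0; sa->sin6.sin6_scope_id = 0;) and delete the line or use #if 0 rather than a // comment, so the temporary change is easy to find again.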
@@ -78,7 +78,7 @@
if (IN6_IS_ADDR_V4MAPPED(&sa->sin6.sin6_addr)) {
sockaddr_union su;
su = *sa;
- memset(sa, 0, sizeof(sockaddr_union));
+ //memset(sa, 0, sizeof(sockaddr_union));
sa->sin.sin_port = su.sin6.sin6_port;
sa->sa.sa_family = AF_INET;
if (!su_copy_addr(sa, &su))
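Review bot: same concern on the v4-mapped to AF_INET branch. For a ::ffff:a.b.c.d address the first eight octets of sin6_addr are zero, so sin_zero happens to end up zero, but the bytes of the union beyond sizeof(struct sockaddr_in) keep the ff ff, the old v4 address and the scope id. The kernel ignores them; any code that compares or hashes whole sockaddr_union values (memcmp on the union, for instance) would not, and would treat equal addresses as different. Same suggestion as above: fix the copy, keep the clear.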

Marc Huber

Mar 18, 2014, 1:25:27 PM
to event-driv...@googlegroups.com
On 17.03.14 21:53, Marc Huber wrote:
> I'm currently unsure why this isn't working as expected.
Fixed in DEVEL.201403181821.tar.bz2, apparently a pretty long-lasting
bug ...

--- net.c 2014/02/25 18:47:35 1.39
+++ net.c 2014/03/18 17:20:49
@@ -226,7 +226,7 @@
if (!IN6_IS_ADDR_V4MAPPED(&src->sin6.sin6_addr))
return -1;

- dst->sin.sin_addr.s_addr = dst->sin6.sin6_addr.s6_addr32[3];
+ dst->sin.sin_addr.s_addr = src->sin6.sin6_addr.s6_addr32[3];
return 0;
}
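Review bot: the one-character fix (read s6_addr32[3] from src, not from dst) is right and explains the 0.0.0.0 in the logs, since dst had just been zeroed by the caller before this copy; it also means the memset that was commented out in the 17 March patch can be restored in the same snapshot. Two follow-ups: s6_addr32 is a glibc-specific member of struct in6_addr (the BSDs and Solaris spell it differently behind macros), so `memcpy(&dst->sin.sin_addr, &src->sin6.sin6_addr.s6_addr[12], 4)` is the portable and alignment-safe form; and a one-line regression test that converts ::ffff:192.0.2.1 and expects 192.0.2.1 back would have caught this "pretty long-lasting" bug at the first commit.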


Cheers,

Marc

Luca Pandolfini

Mar 19, 2014, 8:13:58 AM
to event-driv...@googlegroups.com
Hi Marc,

Thank you for your help, I updated the source, compiled again and now I have the IP address in the logs.

Do you also know why I'm having the problem with the TACACS key? Could it be something related to the Cisco configuration?

Thanks
Luca

Marc Huber

Mar 19, 2014, 12:21:11 PM
to event-driv...@googlegroups.com
Hi Luca,

On 19.03.14 13:13, Luca Pandolfini wrote:
> Do you know also why I'm having the problem with the TACACS key? It
> can be something related to the Cisco configuration?
wasn't this resolved with the latest patch, too?

Cheers,

Marc

Luca Pandolfini

Mar 20, 2014, 8:56:09 AM
to event-driv...@googlegroups.com
Hi Marc,

it wasn't resolved, I have the same problem.
This is the debug from the Cisco:
13w3d: TAC+: send AUTHEN/START packet ver=192 id=1834930860
13w3d: TAC+: Using default tacacs server-group "tacacs+" list.
13w3d: TAC+: Opening TCP/IP to 172.20.45.64/49 timeout=5
13w3d: TAC+: Opened TCP/IP handle 0x315C7C8 to 172.20.45.64/49
13w3d: TAC+: 172.20.45.64 (1834930860) AUTHEN/START/LOGIN/ASCII queued
13w3d: TAC+: (1834930860) AUTHEN/START/LOGIN/ASCII processed
13w3d: TAC+: received bad AUTHEN packet: length = 33, expected 100721
13w3d: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
13w3d: TAC+: Closing TCP/IP 0x315C7C8 connection to 172.20.45.64/49


The key is the same on the server and on the switch, and I restarted the server after the configuration change.

Marc Huber

Mar 20, 2014, 12:33:00 PM
to event-driv...@googlegroups.com
Hi Luca,

On 20.03.14 13:56, Luca Pandolfini wrote:
> it wasn't resolved, I have the same problem.
> This is the debug from the Cisco:
please enable debugging in the daemon (e.g.: id = tac_plus { ... debug =
PACKET ...}).

Cheers,

Marc

Luca Pandolfini

Mar 21, 2014, 4:18:31 AM
to event-driv...@googlegroups.com
Hi Marc,


On Thursday, 20 March 2014 17:33:00 UTC+1, Marc Huber wrote:
> please enable debugging in the daemon (e.g.: id = tac_plus { ... debug =
> PACKET ...}).

I configured a key on the server and also on the switch:

tacacs-server host 172.20.45.64
no tacacs-server directed-request
tacacs-server key 7 15190E15


host = world {
        address = 0.0.0.0/0
        key = "key"
}

This is the debug output in the syslog.
Mar 21 09:12:09 ciscolog tac_plus[15721]: 7/7004dca5: New session
Mar 21 09:12:09 ciscolog tac_plus[15721]: 7/a5dc0470: ---<start packet>---
Mar 21 09:12:09 ciscolog tac_plus[15721]: 7/a5dc0470: key used: key
Mar 21 09:12:09 ciscolog tac_plus[15721]: 7/a5dc0470: version: 192, type: 1, seq no: 1, flags: unencrypted
Mar 21 09:12:09 ciscolog tac_plus[15721]: 7/a5dc0470: session id: a5dc0470 data length: 25
Mar 21 09:12:09 ciscolog tac_plus[15721]: 7/a5dc0470: Packet malformed, skipping detailed dump.
Mar 21 09:12:09 ciscolog tac_plus[15721]: 7/a5dc0470: ---<end packet>---
Mar 21 09:12:09 ciscolog tac_plus[15721]: 7/7004dca5: Error 172.21.1.112 (null): Invalid AUTHEN/START packet
Mar 21 09:12:09 ciscolog tac_plus[15721]: Error 172.21.1.112 (null): Invalid AUTHEN/START packet
Mar 21 09:12:09 ciscolog tac_plus[15721]: 7/7004dca5: Writing AUTHEN/ERROR size=45

How can I get a detailed dump of the packets?
The switch is a Cisco 3560 with IOS 12.2(25)SEB4 but I have the same problem with several Cisco 3750X with IOS 15.0(1)SE2 (standalone and in stack), and also from a Cisco 6500.

Thanks
Luca
 
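The PACKET-debug lines above are also the raw material for monitoring: a burst of "Invalid AUTHEN/START packet" errors from one source is either a device whose key no longer matches or a client that is not a TACACS+ peer at all. The Python below is an added example, not part of the thread or of tac_plus. It parses the syslog form of the daemon's debug output shown above, joins each error to the key name, protocol version, flags and body length of the packet that caused it, and flags peers that keep failing. One detail it relies on is visible in the dumps: the session id in the connection context (7/7004dca5) is the byte-swapped form of the one in the packet context (7/a5dc0470). The sample log mixes Luca's lines with constructed lines for a second, hypothetical peer 192.0.2.50.

```python
"""Triage of tac_plus PACKET-debug syslog lines (added example, not tac_plus code)."""
import re
from collections import defaultdict

# "Mar 21 09:12:09 ciscolog tac_plus[15721]: 7/a5dc0470: key used: key"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"tac_plus\[(?P<pid>\d+)\]: (?:(?P<worker>\d+)/(?P<sid>[0-9a-f]{8}): )?(?P<msg>.*)$")
KEY_RE = re.compile(r"^key used: (?P<key>.*)$")
VER_RE = re.compile(r"^version: (?P<version>\d+), type: (?P<type>\d+), "
                    r"seq no: (?P<seq>\d+), flags: (?P<flags>\S+)$")
LEN_RE = re.compile(r"^session id: (?P<sid>[0-9a-f]{8}) data length: (?P<length>\d+)$")
ERR_RE = re.compile(r"^(?:Error )?(?P<peer>[0-9a-fA-F.:]+) \((?P<user>[^)]*)\): (?P<error>.+)$")


def swap32(hex8):
    """'a5dc0470' -> '7004dca5': the packet context id with its four octets reversed."""
    return bytes.fromhex(hex8)[::-1].hex()


def parse_line(line):
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def correlate(lines):
    """One record per error line that carries a session context; the duplicate
    error line the daemon writes without context is ignored."""
    packets = defaultdict(dict)   # packet-context sid -> key / version / flags / length
    failures = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["sid"] is None:
            continue
        sid, msg = rec["sid"], rec["msg"]
        if (m := KEY_RE.match(msg)):
            packets[sid]["key"] = m["key"]
        elif (m := VER_RE.match(msg)):
            packets[sid].update(version=int(m["version"]), flags=m["flags"], seq=int(m["seq"]))
        elif (m := LEN_RE.match(msg)):
            packets[sid]["length"] = int(m["length"])
        elif (m := ERR_RE.match(msg)):
            pkt = packets.get(swap32(sid), {})      # join connection ctx -> packet ctx
            failures.append({"ts": rec["ts"], "peer": m["peer"], "user": m["user"],
                             "error": m["error"], "session": sid,
                             "key": pkt.get("key"), "version": pkt.get("version"),
                             "flags": pkt.get("flags"), "length": pkt.get("length")})
    return failures


def suspicious_peers(failures, threshold=2):
    """Peers with at least `threshold` rejected AUTHEN/START packets."""
    counts = defaultdict(int)
    for f in failures:
        if f["error"] == "Invalid AUTHEN/START packet":
            counts[f["peer"]] += 1
    return {peer: n for peer, n in counts.items() if n >= threshold}


# Luca's lines from the thread, followed by constructed lines for a second peer.
SAMPLE_LOG = """\
Mar 21 09:12:09 ciscolog tac_plus[15721]: 7/7004dca5: New session
Mar 21 09:12:09 ciscolog tac_plus[15721]: 7/a5dc0470: ---<start packet>---
Mar 21 09:12:09 ciscolog tac_plus[15721]: 7/a5dc0470: key used: key
Mar 21 09:12:09 ciscolog tac_plus[15721]: 7/a5dc0470: version: 192, type: 1, seq no: 1, flags: unencrypted
Mar 21 09:12:09 ciscolog tac_plus[15721]: 7/a5dc0470: session id: a5dc0470 data length: 25
Mar 21 09:12:09 ciscolog tac_plus[15721]: 7/a5dc0470: Packet malformed, skipping detailed dump.
Mar 21 09:12:09 ciscolog tac_plus[15721]: 7/a5dc0470: ---<end packet>---
Mar 21 09:12:09 ciscolog tac_plus[15721]: 7/7004dca5: Error 172.21.1.112 (null): Invalid AUTHEN/START packet
Mar 21 09:12:09 ciscolog tac_plus[15721]: Error 172.21.1.112 (null): Invalid AUTHEN/START packet
Mar 21 09:12:09 ciscolog tac_plus[15721]: 7/7004dca5: Writing AUTHEN/ERROR size=45
Mar 21 09:13:00 ciscolog tac_plus[15721]: 0/0102030a: New session
Mar 21 09:13:00 ciscolog tac_plus[15721]: 0/0a030201: key used: cisco
Mar 21 09:13:00 ciscolog tac_plus[15721]: 0/0a030201: version: 193, type: 1, seq no: 1, flags: unencrypted
Mar 21 09:13:00 ciscolog tac_plus[15721]: 0/0a030201: session id: 0a030201 data length: 34
Mar 21 09:13:00 ciscolog tac_plus[15721]: 0/0102030a: Error 192.0.2.50 (null): Invalid AUTHEN/START packet
Mar 21 09:13:07 ciscolog tac_plus[15721]: 0/11223344: New session
Mar 21 09:13:07 ciscolog tac_plus[15721]: 0/44332211: key used: cisco
Mar 21 09:13:07 ciscolog tac_plus[15721]: 0/44332211: version: 193, type: 1, seq no: 1, flags: unencrypted
Mar 21 09:13:07 ciscolog tac_plus[15721]: 0/44332211: session id: 44332211 data length: 34
Mar 21 09:13:07 ciscolog tac_plus[15721]: 0/11223344: Error 192.0.2.50 (null): Invalid AUTHEN/START packet
"""

if __name__ == "__main__":
    found = correlate(SAMPLE_LOG.splitlines())
    for f in found:
        print(f)
    print("suspicious:", suspicious_peers(found))
```

The version field is worth keeping in the record: 192 (0xC0) is an ASCII login from IOS, 193 (0xC1) is a PAP or CHAP request such as the one the Perl client later in this thread sends, so a peer that suddenly changes version is as interesting as one that changes key.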

Marc Huber

Mar 21, 2014, 5:35:42 AM
to event-driv...@googlegroups.com
Hi Luca,

On 21.03.14 09:18, Luca Pandolfini wrote:
> How can I get a detailed dump of the packets?
your configuration looks fine. The best guess for getting a detailed
packet dump would be Wireshark (which is capable of decoding TACACS+, too).

However, I don't believe that the issue is with your switches. The
daemon uses the correct key but detects a packet length mismatch. This
could be a struct padding issue, could you please try the patch below?

Thanks,

Marc


--- tac_plus/headers.h 2014/03/01 13:42:59 1.406
+++ tac_plus/headers.h 2014/03/21 09:28:01
@@ -315,7 +315,7 @@
int datalength; /* length of encrypted data following */

/* datalength bytes of encrypted data */
-} tac_pak_hdr;
+} __attribute__((__packed__)) tac_pak_hdr;

/* Authentication packet NAS sends to us */

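Review bot: __attribute__((__packed__)) on tac_pak_hdr cannot change its size: the wire header is four single octets (version, type, seq_no, flags) followed by two 32-bit fields at offsets 4 and 8, so the struct is already 12 bytes on every ABI gcc targets and padding here cannot be the source of a length mismatch. What would document the assumption and catch a real regression is a compile-time check next to the typedef, `_Static_assert(sizeof(tac_pak_hdr) == 12, "...")` (gcc 4.6+) or the negative-array-size idiom for older compilers. Separately, `int datalength` should be an unsigned 32-bit type (u_int or uint32_t): the wire field is unsigned, and a signed length is an invitation to negative-length bugs in the bounds checks.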
@@ -353,7 +353,7 @@
/* <port_len bytes of char data> */
/* <rem_addr_len bytes of u_char data> */
/* <data_len bytes of u_char data> */
-};
+} __attribute__((__packed__)) ;

#define TAC_AUTHEN_START_FIXED_FIELDS_SIZE 8

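Review bot: the AUTHEN/START fixed part is eight single-octet fields (action, priv_lvl, authen_type, service, user_len, port_len, rem_addr_len, data_len), which is exactly TAC_AUTHEN_START_FIXED_FIELDS_SIZE 8 with or without packing, so this hunk is a no-op for the packet Luca's logs complain about. It is harmless to keep, but worth pairing with `sizeof(struct ...) == TAC_AUTHEN_START_FIXED_FIELDS_SIZE` as a static assertion, so that the macro and the struct cannot drift apart silently.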
@@ -367,7 +367,7 @@

/* <user_msg_len bytes of u_char data> */
/* <user_data_len bytes of u_char data> */
-};
+} __attribute__((__packed__)) ;

#define TAC_AUTHEN_CONT_FIXED_FIELDS_SIZE 5

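Review bot: this is one of the two structs in the patch where packing really changes sizeof. If the fields are user_msg_len and user_data_len as u_short followed by a one-octet flags field, as the RFC lays the AUTHEN/CONTINUE body out, the unpacked struct is padded to 6 bytes while TAC_AUTHEN_CONT_FIXED_FIELDS_SIZE is 5. That only matters to code that uses sizeof(struct) instead of the macro, so grep for such uses; it cannot explain a failure on the very first (START) packet, whose fixed part has no padding either way.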
@@ -390,7 +390,7 @@
u_short data_len;
/* <msg_len bytes of char data> */
/* <data_len bytes of u_char data> */
-};
+} __attribute__((__packed__)) ;

#define TAC_AUTHEN_REPLY_FIXED_FIELDS_SIZE 6

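Review bot: for the AUTHEN/REPLY struct the two u_short fields (msg_len, and the data_len visible here) sit at offsets 2 and 4 behind the status and flags octets, so they are naturally aligned and the struct is already TAC_AUTHEN_REPLY_FIXED_FIELDS_SIZE (6) bytes; packing changes nothing. If these structs are overlaid on the receive buffer, the thing to double-check is byte order (ntohs on msg_len and data_len when reading, htons when writing) rather than padding.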
@@ -423,7 +423,7 @@
/* <port_len bytes of char data> */
/* <rem_addr_len bytes of u_char data> */
/* <char data for each arg> */
-};
+} __attribute__((__packed__)) ;

#define TAC_AUTHOR_REQ_FIXED_FIELDS_SIZE 8

@@ -443,7 +443,7 @@
/* <msg_len bytes of char data> */
/* <data_len bytes of char data> */
/* <char data for each arg> */
-};
+} __attribute__((__packed__)) ;

#define TAC_AUTHOR_REPLY_FIXED_FIELDS_SIZE 6

@@ -478,7 +478,7 @@
#define TAC_PLUS_ACCT_STATUS_SUCCESS 0x1
#define TAC_PLUS_ACCT_STATUS_ERROR 0x2
#define TAC_PLUS_ACCT_STATUS_FOLLOW 0x21
-};
+} __attribute__((__packed__)) ;

#define TAC_ACCT_REPLY_FIXED_FIELDS_SIZE 5

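Review bot: the TAC_PLUS_ACCT_STATUS_* #defines sit inside the struct body, immediately before the closing brace this hunk edits; the preprocessor does not care, but they read as members and should move above or below the struct. This is also the second struct where packing matters: with server_msg_len and data_len as u_short followed by a one-octet status, the unpacked struct is 6 bytes and TAC_ACCT_REPLY_FIXED_FIELDS_SIZE is 5, so code using sizeof(struct) to size the accounting reply would change behaviour with this patch. Minor: every hunk after the first writes `} __attribute__((__packed__)) ;` with a stray space before the semicolon.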

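Marc's hint that the daemon "uses the correct key but detects a packet length mismatch" is worth making concrete, because it is the same symptom the switch reported ("received bad AUTHEN packet: length = 33, expected 100721") and it is how every key mismatch in TACACS+ shows up. The Python below is an added worked example written for this page; it is not tac_plus code and was not posted in the thread. It implements the body obfuscation of RFC 8907 section 4.5 (an MD5 keystream seeded with session id, key, version and sequence number, XORed over the body) and a parser for AUTHEN/START. With the right key the four one-octet length fields add up to the header length; with a wrong key they are pseudo-random, the sum does not match, and both ends can only report "bad length, check keys". The session id, the "cisco" key and the user/port/rem_addr values are constructed here, not captured from the thread; version 193 (0xC1) and 192 (0xC0) are the values the daemon logged for PAP and ASCII requests respectively.

```python
"""TACACS+ body obfuscation and AUTHEN/START parsing (RFC 8907 sections 4.5 and 5.1).
Added example for this page; not tac_plus code."""
import hashlib
import struct

HDR_FMT = "!BBBBII"                    # version, type, seq_no, flags, session_id, length
HDR_LEN = struct.calcsize(HDR_FMT)     # 12 bytes
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_MAJOR_VER = 0xC
VERSION_ASCII = (TAC_PLUS_MAJOR_VER << 4) | 0   # 0xC0 = 192: IOS ASCII login
VERSION_PAP = (TAC_PLUS_MAJOR_VER << 4) | 1     # 0xC1 = 193: PAP/CHAP (the Perl client)
# AUTHEN/START fixed part: action, priv_lvl, authen_type, authen_service,
# user_len, port_len, rem_addr_len, data_len; one octet each.
START_FMT = "!8B"
START_FIXED = 8


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id|key|version|seq_no); MD5_n = MD5(...|MD5_{n-1});
    the pad is the concatenation, truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(seed + prev).digest()
        out += prev
    return out[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pad; applying it a second time restores the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_authen_start(user, port, rem_addr, data, authen_type, action=1, priv_lvl=1, service=1):
    for field in (user, port, rem_addr, data):
        if len(field) > 255:
            raise ValueError("AUTHEN/START length fields are one octet")
    fixed = struct.pack(START_FMT, action, priv_lvl, authen_type, service,
                        len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def build_packet(body, session_id, key, version, seq_no=1, ptype=TAC_PLUS_AUTHEN):
    """Header plus body. With an empty key the body goes in clear and the
    unencrypted flag is set, which is what a key-less IOS box sends."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    hdr = struct.pack(HDR_FMT, version, ptype, seq_no, flags, session_id, len(body))
    if key:
        body = obfuscate(body, session_id, key, version, seq_no)
    return hdr + body


def parse_authen_start(packet, key):
    """Decode an AUTHEN/START under `key`; ValueError on the condition tac_plus
    logs as 'Packet malformed' and IOS as '(check keys)'."""
    if len(packet) < HDR_LEN:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HDR_FMT, packet[:HDR_LEN])
    body = packet[HDR_LEN:]
    if ptype != TAC_PLUS_AUTHEN or len(body) != length:
        raise ValueError("not an AUTHEN packet or truncated body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    if len(body) < START_FIXED:
        raise ValueError("body shorter than the fixed fields")
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack(
        START_FMT, body[:START_FIXED])
    expected = START_FIXED + ulen + plen + rlen + dlen
    if expected != length:   # a wrong key lands here, with garbage lengths
        raise ValueError(f"bad AUTHEN packet: length = {length}, expected {expected} (check keys)")
    off = START_FIXED
    user = body[off:off + ulen]; off += ulen
    port = body[off:off + plen]; off += plen
    rem_addr = body[off:off + rlen]; off += rlen
    data = body[off:off + dlen]
    return {"version": version, "seq_no": seq_no, "session_id": session_id,
            "action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user, "port": port, "rem_addr": rem_addr, "data": data}


def key_accepted(packet, key):
    """True if the packet decodes consistently under this key."""
    try:
        parse_authen_start(packet, key)
        return True
    except ValueError:
        return False


# Constructed sample: PAP login test/test, shared secret "cisco" (assumed values).
SESSION_ID = 0x86720DCB
SAMPLE_BODY = build_authen_start(b"test", b"tty0", b"192.0.2.10", b"test", authen_type=2)
SAMPLE_PACKET = build_packet(SAMPLE_BODY, SESSION_ID, b"cisco", VERSION_PAP)
CLEAR_PACKET = build_packet(SAMPLE_BODY, SESSION_ID, b"", VERSION_PAP)

if __name__ == "__main__":
    print(parse_authen_start(SAMPLE_PACKET, b"cisco"))
    print("wrong key accepted:", key_accepted(SAMPLE_PACKET, b"wrong"))
    print("clear-text packet accepted without a key:", key_accepted(CLEAR_PACKET, b""))
```

Two things this makes visible. First, the pad depends on the key only through MD5, so there is no integrity check at all: a corrupted or mis-keyed body is detected purely by the length fields failing to add up, which is why the error text on both ends talks about length. Second, a packet with the unencrypted flag set parses with any key, which is the reason Luca's key-less setup worked while the keyed one did not; the decode path that fails in the thread is the one through `obfuscate`, and the later discovery that the daemon was miscompiled at -O1 is consistent with that.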
Luca Pandolfini

Mar 21, 2014, 9:24:25 AM
to event-driv...@googlegroups.com

Hi Marc,
I applied the patch (I had some problems using patch, so I did it manually), then I did a "make install" again, but nothing has changed. From the output I got from the make install command, it seems that nothing was changed:
root@ciscolog:/usr/src/tacacs_projects# make install
make[1]: Entering directory `/usr/src/tacacs_projects/mavis'
make[2]: Entering directory `/usr/src/tacacs_projects/mavis/perl'
make[2]: Nothing to be done for `install'.
make[2]: Leaving directory `/usr/src/tacacs_projects/mavis/perl'
make[2]: Entering directory `/usr/src/tacacs_projects/build/linux-3.11.0-18-generic-x86_64/mavis'
make[3]: Entering directory `/usr/src/tacacs_projects/mavis/perl'
make[3]: Nothing to be done for `install'.
make[3]: Leaving directory `/usr/src/tacacs_projects/mavis/perl'
make[2]: Leaving directory `/usr/src/tacacs_projects/build/linux-3.11.0-18-generic-x86_64/mavis'
make[1]: Leaving directory `/usr/src/tacacs_projects/mavis'
make[1]: Entering directory `/usr/src/tacacs_projects/spawnd'
make[2]: Entering directory `/usr/src/tacacs_projects/build/linux-3.11.0-18-generic-x86_64/spawnd'
make[3]: Entering directory `/usr/src/tacacs_projects/build/linux-3.11.0-18-generic-x86_64/spawnd'
make[3]: Nothing to be done for `install'.
make[3]: Leaving directory `/usr/src/tacacs_projects/build/linux-3.11.0-18-generic-x86_64/spawnd'
make[2]: Leaving directory `/usr/src/tacacs_projects/build/linux-3.11.0-18-generic-x86_64/spawnd'
make[2]: Entering directory `/usr/src/tacacs_projects/build/linux-3.11.0-18-generic-x86_64/spawnd'
make[2]: Nothing to be done for `install'.
make[2]: Leaving directory `/usr/src/tacacs_projects/build/linux-3.11.0-18-generic-x86_64/spawnd'
make[1]: Leaving directory `/usr/src/tacacs_projects/spawnd'
make[1]: Entering directory `/usr/src/tacacs_projects/mavisd'
make[2]: Entering directory `/usr/src/tacacs_projects/build/linux-3.11.0-18-generic-x86_64/mavisd'
make[3]: Entering directory `/usr/src/tacacs_projects/build/linux-3.11.0-18-generic-x86_64/mavisd'
make[3]: Nothing to be done for `install'.
make[3]: Leaving directory `/usr/src/tacacs_projects/build/linux-3.11.0-18-generic-x86_64/mavisd'
make[2]: Leaving directory `/usr/src/tacacs_projects/build/linux-3.11.0-18-generic-x86_64/mavisd'
make[2]: Entering directory `/usr/src/tacacs_projects/build/linux-3.11.0-18-generic-x86_64/mavisd'
make[2]: Nothing to be done for `install'.
make[2]: Leaving directory `/usr/src/tacacs_projects/build/linux-3.11.0-18-generic-x86_64/mavisd'
make[1]: Leaving directory `/usr/src/tacacs_projects/mavisd'
make[1]: Entering directory `/usr/src/tacacs_projects/ftpd'
make[2]: Entering directory `/usr/src/tacacs_projects/ftpd/extra'
make[2]: Nothing to be done for `all'.
make[2]: Leaving directory `/usr/src/tacacs_projects/ftpd/extra'
make[2]: Entering directory `/usr/src/tacacs_projects/build/linux-3.11.0-18-generic-x86_64/ftpd'
make[3]: Entering directory `/usr/src/tacacs_projects/build/linux-3.11.0-18-generic-x86_64/ftpd'
make[4]: Entering directory `/usr/src/tacacs_projects/ftpd/extra'
make[4]: Nothing to be done for `install'.
make[4]: Leaving directory `/usr/src/tacacs_projects/ftpd/extra'
make[3]: Leaving directory `/usr/src/tacacs_projects/build/linux-3.11.0-18-generic-x86_64/ftpd'
make[2]: Leaving directory `/usr/src/tacacs_projects/build/linux-3.11.0-18-generic-x86_64/ftpd'
make[2]: Entering directory `/usr/src/tacacs_projects/build/linux-3.11.0-18-generic-x86_64/ftpd'
make[3]: Entering directory `/usr/src/tacacs_projects/ftpd/extra'
make[3]: Nothing to be done for `install'.
make[3]: Leaving directory `/usr/src/tacacs_projects/ftpd/extra'
make[2]: Leaving directory `/usr/src/tacacs_projects/build/linux-3.11.0-18-generic-x86_64/ftpd'
make[1]: Leaving directory `/usr/src/tacacs_projects/ftpd'
make[1]: Entering directory `/usr/src/tacacs_projects/tac_plus'
make[2]: Entering directory `/usr/src/tacacs_projects/tac_plus/extra'
make[2]: Nothing to be done for `all'.
make[2]: Leaving directory `/usr/src/tacacs_projects/tac_plus/extra'
make[2]: Entering directory `/usr/src/tacacs_projects/build/linux-3.11.0-18-generic-x86_64/tac_plus'
make[3]: Entering directory `/usr/src/tacacs_projects/build/linux-3.11.0-18-generic-x86_64/tac_plus'
make[4]: Entering directory `/usr/src/tacacs_projects/tac_plus/extra'
make[4]: Nothing to be done for `install'.
make[4]: Leaving directory `/usr/src/tacacs_projects/tac_plus/extra'
make[3]: Leaving directory `/usr/src/tacacs_projects/build/linux-3.11.0-18-generic-x86_64/tac_plus'
make[2]: Leaving directory `/usr/src/tacacs_projects/build/linux-3.11.0-18-generic-x86_64/tac_plus'
make[2]: Entering directory `/usr/src/tacacs_projects/build/linux-3.11.0-18-generic-x86_64/tac_plus'
make[3]: Entering directory `/usr/src/tacacs_projects/tac_plus/extra'
make[3]: Nothing to be done for `install'.
make[3]: Leaving directory `/usr/src/tacacs_projects/tac_plus/extra'
make[2]: Leaving directory `/usr/src/tacacs_projects/build/linux-3.11.0-18-generic-x86_64/tac_plus'
make[1]: Leaving directory `/usr/src/tacacs_projects/tac_plus'
make[1]: Entering directory `/usr/src/tacacs_projects/tcprelay'
make[2]: Entering directory `/usr/src/tacacs_projects/tcprelay/extra'
make[2]: Nothing to be done for `all'.
make[2]: Leaving directory `/usr/src/tacacs_projects/tcprelay/extra'
make[2]: Entering directory `/usr/src/tacacs_projects/build/linux-3.11.0-18-generic-x86_64/tcprelay'
make[3]: Entering directory `/usr/src/tacacs_projects/build/linux-3.11.0-18-generic-x86_64/tcprelay'
make[4]: Entering directory `/usr/src/tacacs_projects/tcprelay/extra'
make[4]: Nothing to be done for `install'.
make[4]: Leaving directory `/usr/src/tacacs_projects/tcprelay/extra'
make[3]: Leaving directory `/usr/src/tacacs_projects/build/linux-3.11.0-18-generic-x86_64/tcprelay'
make[2]: Leaving directory `/usr/src/tacacs_projects/build/linux-3.11.0-18-generic-x86_64/tcprelay'
make[2]: Entering directory `/usr/src/tacacs_projects/build/linux-3.11.0-18-generic-x86_64/tcprelay'
make[3]: Entering directory `/usr/src/tacacs_projects/tcprelay/extra'
make[3]: Nothing to be done for `install'.
make[3]: Leaving directory `/usr/src/tacacs_projects/tcprelay/extra'
make[2]: Leaving directory `/usr/src/tacacs_projects/build/linux-3.11.0-18-generic-x86_64/tcprelay'
make[1]: Leaving directory `/usr/src/tacacs_projects/tcprelay'
Please note that I renamed the folder "DEVEL" to "tacacs_projects".

Marc Huber

Mar 21, 2014, 9:47:10 AM
to event-driv...@googlegroups.com
Hi Luca,

On 21.03.14 14:24, Luca Pandolfini wrote:
> I applied the patch (I had some problems using patch, so I did it
> manually), then I did a "make install" again, but nothing has changed.
> From the output I got from the make install command seems that nothing
> was changed:
I'm afraid the Makefiles aren't sophisticated enough. You'll have to run
"make clean" first.

Cheers,

Marc

Luca Pandolfini

Mar 21, 2014, 10:25:09 AM
to event-driv...@googlegroups.com
Hi Marc,


On Friday, 21 March 2014 14:47:10 UTC+1, Marc Huber wrote:
> I'm afraid the Makefiles aren't sophisticated enough. You'll have to run
> "make clean" first.

Thanks, I'm not so used to makefiles... I did a make clean, then a make and a make install, and the output now seems OK.

I tried again, but it works only without the key. If I add the key the log output is the same as before:
Mar 21 15:20:59 ciscolog tac_plus[26529]: 1/68e9a937: New session
Mar 21 15:20:59 ciscolog tac_plus[26529]: 1/37a9e968: ---<start packet>---
Mar 21 15:20:59 ciscolog tac_plus[26529]: 1/37a9e968: key used: key
Mar 21 15:20:59 ciscolog tac_plus[26529]: 1/37a9e968: version: 192, type: 1, seq no: 1, flags: unencrypted
Mar 21 15:20:59 ciscolog tac_plus[26529]: 1/37a9e968: session id: 37a9e968 data length: 25
Mar 21 15:20:59 ciscolog tac_plus[26529]: 1/37a9e968: Packet malformed, skipping detailed dump.
Mar 21 15:20:59 ciscolog tac_plus[26529]: 1/37a9e968: ---<end packet>---
Mar 21 15:20:59 ciscolog tac_plus[26529]: 1/68e9a937: Error 172.21.1.112 (null): Invalid AUTHEN/START packet
Mar 21 15:20:59 ciscolog tac_plus[26529]: Error 172.21.1.112 (null): Invalid AUTHEN/START packet
Mar 21 15:20:59 ciscolog tac_plus[26529]: 1/68e9a937: Writing AUTHEN/ERROR size=45

Thanks
Luca

Marc Huber

Mar 22, 2014, 9:40:25 AM
to event-driv...@googlegroups.com
Hi Luca,

On 21.03.14 15:25, Luca Pandolfini wrote:
> I tried again, but it works only without the key. If I add the key the
> log output is the same as before:
then I'm at a loss.

Is anyone else on the list having this issue?

Cheers,

Marc

akschu1

Apr 21, 2014, 4:10:56 PM
to event-driv...@googlegroups.com
Marc,

I'm having this issue.  I was able to build a simple test to confirm:

Here is my tac_plus config:

id = spawnd {
        listen = { port = 49 }
}

id = tac_plus {
        debug = PACKET

        host = any { address = 0.0.0.0/0 key = cisco }

        # repeat as necessary for each user
        user = test { login = clear test }
}

Here is what I'm testing with:

#!/usr/bin/perl
use strict;
use warnings;

use Net::TacacsPlus::Client;
use Net::TacacsPlus::Constants;

my $username = 'test';
my $password = 'test';

# Same shared secret as the "host = any" block in tac_plus.cfg.
my $tac = Net::TacacsPlus::Client->new(
    host => '127.0.0.1',
    key  => 'cisco',
);

# PAP authentication (minor version 1, hence "version: 193" in the daemon log).
if ($tac->authenticate($username, $password, TAC_PLUS_AUTHEN_TYPE_PAP)) {
    print "Authentication successful.\n";
} else {
    print "Authentication failed: " . $tac->errmsg() . "\n";
}

Here is what I get:

27623: 12:05:25.420 0/00000000: Version 201403181821 initialized
27623: 12:05:31.032 0/00000000: cidr match level 0 = any
27623: 12:05:31.032 0/00000000: connection request from 127.0.0.1 (key: cisco)
27623: 12:05:31.034 0/cb0d7286: New session
27623: 12:05:31.034 0/86720dcb: ---<start packet>---
27623: 12:05:31.034 0/86720dcb: key used: cisco
27623: 12:05:31.034 0/86720dcb: version: 193, type: 1, seq no: 1, flags: unencrypted
27623: 12:05:31.034 0/86720dcb: session id: 86720dcb data length: 34
27623: 12:05:31.034 0/86720dcb: packet body (len: 34): \001\0006#¾\025ybÆ(wäæÌua\0058±Ê¥àûÊ.1>Ù\034rst
27623: 12:05:31.034 0/86720dcb: 0000 01 00 36 9c 23 be 15 79  62 c6 28 77 e4 e6 cc 92  ..6.#..y b.(w....
27623: 12:05:31.034 0/86720dcb: 0010 75 61 05 38 b1 ca a5 e0  fb ca 2e 31 3e d9 1c 72  ua.8.... ...1>..r
27623: 12:05:31.034 0/86720dcb: 0020 73 74                                             st
27623: 12:05:31.034 0/86720dcb: Packet malformed, skipping detailed dump.
27623: 12:05:31.034 0/86720dcb: ---<end packet>---
27623: 12:05:31.034 0/cb0d7286: 127.0.0.1 (null): Invalid AUTHEN/START packet
27623: 12:05:31.034 0/cb0d7286: Writing AUTHEN/ERROR size=45
27623: 12:05:31.034 0/86720dcb: ---<start packet>---
27623: 12:05:31.034 0/86720dcb: key used: cisco
27623: 12:05:31.034 0/86720dcb: version: 193, type: 1, seq no: 2, flags: unencrypted
27623: 12:05:31.034 0/86720dcb: session id: 86720dcb data length: 33
27623: 12:05:31.034 0/86720dcb: packet body (len: 33): \a\000\000\033\000\000Invalid AUTHEN/START packet
27623: 12:05:31.034 0/86720dcb: 0000 07 00 00 1b 00 00 49 6e  76 61 6c 69 64 20 41 55  ......In valid AU
27623: 12:05:31.034 0/86720dcb: 0010 54 48 45 4e 2f 53 54 41  52 54 20 70 61 63 6b 65  THEN/STA RT packe
27623: 12:05:31.034 0/86720dcb: 0020 74                                                t
27623: 12:05:31.034 0/86720dcb: AUTHEN status=7 (AUTHEN/ERROR) flags=0x0
27623: 12:05:31.034 0/86720dcb: msg_len=27, data_len=0
27623: 12:05:31.034 0/86720dcb: msg (len: 27): Invalid AUTHEN/START packet
27623: 12:05:31.034 0/86720dcb: 0000 49 6e 76 61 6c 69 64 20  41 55 54 48 45 4e 2f 53  Invalid  AUTHEN/S
27623: 12:05:31.034 0/86720dcb: 0010 54 41 52 54 20 70 61 63  6b 65 74                 TART pac ket
27623: 12:05:31.034 0/86720dcb: data (len: 0):
27623: 12:05:31.034 0/86720dcb: ---<end packet>---


I get the same thing from a cisco switch:

27623: 12:06:55.857 1/00000000: cidr match level 0 = any
27623: 12:06:55.857 1/00000000: connection request from 192.168.7.98 (key: cisco)
27623: 12:06:55.858 1/664c8079: New session
27623: 12:06:55.858 1/79804c66: ---<start packet>---
27623: 12:06:55.858 1/79804c66: key used: cisco
27623: 12:06:55.858 1/79804c66: version: 192, type: 1, seq no: 1, flags: unencrypted
27623: 12:06:55.858 1/79804c66: session id: 79804c66 data length: 24
27623: 12:06:55.858 1/79804c66: packet body (len: 24): \001\001ÇMs4ü\003\023\000|<øÒ16¦9À¢Y
27623: 12:06:55.858 1/79804c66: 0000 01 01 c7 82 99 4d 73 34  fc 03 13 00 7c 3c f8 d2  .....Ms4 ....|<..
27623: 12:06:55.858 1/79804c66: 0010 31 36 a6 9f 39 c0 a2 59                           16..9..Y
27623: 12:06:55.858 1/79804c66: Packet malformed, skipping detailed dump.
27623: 12:06:55.858 1/79804c66: ---<end packet>---
27623: 12:06:55.858 1/664c8079: 192.168.7.98 (null): Invalid AUTHEN/START packet
27623: 12:06:55.858 1/664c8079: Writing AUTHEN/ERROR size=45
27623: 12:06:55.858 1/79804c66: ---<start packet>---
27623: 12:06:55.858 1/79804c66: key used: cisco
27623: 12:06:55.858 1/79804c66: version: 192, type: 1, seq no: 2, flags: unencrypted
27623: 12:06:55.858 1/79804c66: session id: 79804c66 data length: 33
27623: 12:06:55.858 1/79804c66: packet body (len: 33): \a\000\000\033\000\000Invalid AUTHEN/START packet
27623: 12:06:55.858 1/79804c66: 0000 07 00 00 1b 00 00 49 6e  76 61 6c 69 64 20 41 55  ......In valid AU
27623: 12:06:55.858 1/79804c66: 0010 54 48 45 4e 2f 53 54 41  52 54 20 70 61 63 6b 65  THEN/STA RT packe
27623: 12:06:55.858 1/79804c66: 0020 74                                                t
27623: 12:06:55.858 1/79804c66: AUTHEN status=7 (AUTHEN/ERROR) flags=0x0
27623: 12:06:55.858 1/79804c66: msg_len=27, data_len=0
27623: 12:06:55.858 1/79804c66: msg (len: 27): Invalid AUTHEN/START packet
27623: 12:06:55.858 1/79804c66: 0000 49 6e 76 61 6c 69 64 20  41 55 54 48 45 4e 2f 53  Invalid  AUTHEN/S
27623: 12:06:55.858 1/79804c66: 0010 54 41 52 54 20 70 61 63  6b 65 74                 TART pac ket
27623: 12:06:55.858 1/79804c66: data (len: 0):
27623: 12:06:55.858 1/79804c66: ---<end packet>---

No matter what I do the key is wrong even when it's correct.  If I use the tac_plus server from shrubbery then my perl code and switch work, so I'm thinking it's an issue with the mavis tac_plus server.

I did try your patch above but it didn't resolve the problem for me.

More information:

I'm running Slackware64 14.1 with the following:
glibc-2.17
Linux 3.10.17 x86_64
gcc-4.8.2

Thanks,
schu

Marc Huber

Apr 22, 2014, 1:03:20 PM
to event-driv...@googlegroups.com
Hi schu,

On 21.04.14 22:10, akschu1 wrote:
> I'm running Slackware64 14.1 with the following:
> glibc-2.17
> Linux 3.10.17 x86_64
> gcc-4.8.2
thanks for your report. Alas, I won't be able to assist in this issue.
I've just wasted quite some time trying to set up a working Slackware
install that would allow me to verify the problem you're seeing, but
finally gave up after recognizing that Slackware lacks some header files
(sys/poll.h, for example), which breaks the "configure" script, and
comes with no obvious way (well, to me) to install these.

I'm absolutely not willing to invest any more time in this. This is
actually pretty sad as Slackware was the first Linux distribution I've
installed some 20 years ago. Anyway, it's now the first one on the
"officially unsupported" list.

Cheers,

Marc

akschu1

Apr 22, 2014, 7:22:53 PM
to event-driv...@googlegroups.com
Hey Marc,

I sure appreciate your response, and am sorry for the frustration with Slackware.  I'm not sure what happened, since Slackware does come with sys/poll.h.  It's in the glibc package, so I'm not running into any problems compiling.

Anyway, I have more (useful) information to share and would really appreciate any thoughts you have as to why this is happening:

tac_plus works fine on slackware64 14.0.  I'm able to have it decrypt the packet and process the request.  On slackware64-14.1 it keeps acting like the key is wrong unless I remove the key, in which case it works fine.  Now that I have a working and a non-working example, I started trying to figure out the difference between the two, and while doing that I started removing dependencies.  Ultimately I got it stripped down to:

# ldd /usr/sbin/tac_plus
        linux-vdso.so.1 (0x00007fff2416c000)
        libmavis.so => /usr/sbin/../lib64/libmavis.so (0x00007f53207b1000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f532055b000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f5320192000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f531ff8e000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f53209d5000)

using these compile options (--prefix=/usr --etcdir=/etc --libdir=/usr/lib${LIBDIRSUFFIX} --without-epoll --without-sctp --without-lwres --without-pcre --without-ssl --without-zlib --without-freeradius --without-pam --without-execinfo --without-sctp --without-curl --without-ipc)

Even that stripped down it wouldn't work on 14.1, but compiled the exact same way with the same build script it works fine on 14.0 (confirmed by diffing the compiler output).

So we are basically down to the difference being glibc and gcc.  Slackware 14.0 uses glibc 2.15/gcc 4.7.1 and Slackware 14.1 uses glibc 2.17/gcc 4.8.2.

So, trying to figure out if it was a library or compile issue, I decided to copy the 14.0 binary to the 14.1 machine and vice versa.  When I did this, the 14.0 binary on the 14.1 host worked fine and the 14.1 binary on the 14.0 machine had the issue.  So the problem is in the binary itself.

I suppose I could compile the older gcc on the 14.1 host to test the compiler, but I figured I would post what I have so far and ask if you had any thoughts.

If you want I can provide you with shell access to a sandbox host to work with so that you don't need to replicate the environment.  I know you already said you weren't going to work on this further, but I thought I would mention it anyway since I'm more than happy to help in any way that I can.  My Slackware and sys engineering skills are pretty decent, but my C is terrible; otherwise I would track this down myself. :)

Thanks,
schu

akschu1

Apr 22, 2014, 7:57:29 PM
to event-driv...@googlegroups.com
Hey Marc,

I figured it out.  So if I use this patch to remove the compiler optimizations:

diff -ruN PROJECTS.orig/Makefile.inc PROJECTS/Makefile.inc
--- PROJECTS.orig/Makefile.inc  2014-03-14 05:42:06.000000000 -0800
+++ PROJECTS/Makefile.inc       2014-04-22 15:47:16.222137197 -0800
@@ -69,7 +69,7 @@
 endif
 
 ifeq
($(CC_GCC),1)
-       CFLAGS          ?= -O -Wall -W -Wno-strict-prototypes
+       CFLAGS          ?= -O0 -Wall -W -Wno-strict-prototypes
        CFLAGS_PIC      
?= -fPIC
 
        LDOPT_R        
?= -Wl,-rpath,
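Review bot: `CFLAGS ?=` is a conditional assignment, so the new -O0 default is silently ignored whenever CFLAGS is already set in the environment or on the make command line, which is exactly how most distribution build scripts pass their flags; the workaround may therefore never reach the package build it was written for. Beyond that, -O0 for the whole tree hides the defect rather than locating it: a binary that misbehaves at -O1 but works when -O1's individual -f options are spelled out (as reported further down the thread) is the usual signature of undefined behaviour in the source, for example an uninitialized local or an out-of-bounds read whose effect depends on register allocation and stack layout. Cheaper ways to corner it than disabling optimization everywhere: build with -O1 -g and run the daemon under valgrind, bisect by compiling one directory at -O0 at a time (tac_plus/ first, since the failure is in body decoding), or build with -fsanitize=undefined,address on gcc 4.9 or clang to have the faulting line reported at runtime.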

Then it works.  

I wasn't expecting the compiler to cause this issue, but there it is.

So thanks for your time looking at this!  Perhaps you can put slackware back on the supported list. :)

schu

Marc Huber

Apr 23, 2014, 3:03:23 PM
to event-driv...@googlegroups.com
Hi schu,


On 23.04.14 01:57, akschu1 wrote:
I figured it out.  So if I use this patch to remove the compiler optimizations:

diff -ruN PROJECTS.orig/Makefile.inc PROJECTS/Makefile.inc
--- PROJECTS.orig/Makefile.inc  2014-03-14 05:42:06.000000000 -0800
+++ PROJECTS/Makefile.inc       2014-04-22 15:47:16.222137197 -0800
@@ -69,7 +69,7 @@
 endif
 
 ifeq
($(CC_GCC),1)
-       CFLAGS          ?= -O -Wall -W -Wno-strict-prototypes
+       CFLAGS          ?= -O0 -Wall -W -Wno-strict-prototypes
        CFLAGS_PIC      
?= -fPIC
 
        LDOPT_R        
?= -Wl,-rpath,

Then it works. 
thanks a lot for your perfect analysis of this problem!

I've recovered my broken Slackware-14.1-64 VM installation from the trash and managed to (re?)install the packages that were missing (luckily, the packages.slackware.com site provides a search function: glibc, libmpc, mpfr and libxml). Yes, you're absolutely right, the -O0 binary does work, and the -O1 one is broken.

Interestingly, replacing -O1 with all the options that -O1 is supposed to turn on results in a working binary, too :-(

I'll change Makefile.inc to disable optimization for gcc-4.8.2, but I'm not happy with this at all.

Thanks,

Marc



Matthew Schumacher

Apr 23, 2014, 3:37:27 PM
to event-driv...@googlegroups.com
On 04/23/2014 11:03 AM, Marc Huber wrote:
> thanks a lot for your perfect analysis of this problem!
>
> I've recovered my broken Slackware-14.1-64 VM installation from the
> trash and managed to (re?)install the packages that were missing
> (luckily, the packages.slackware.com site provides a search function:
> glibc, libmpc, mpfr and libxml). Yes, you're absolutely right, the -O0
> binary does work, and the -O1 one is broken.
>
> Interestingly, replacing -O1 with all the options that -O1 is supposed
> to turn on results in a working binary, too :-(
>
> I'll change Makefile.inc to disable optimization for gcc-4.8.2, but I'm
> not happy with this at all.
>


I don't blame you, it's pretty annoying.

At this point I wouldn't bother mucking with the Makefile since very few
distros if any use that gcc, and there is a fix on the mailing list if
someone runs into the problem. I would be tempted to just let it go for
now and see if it comes up again later or if a newer gcc resolves the issue.

At any rate thanks for the reply and for the excellent software. It's
not very often you find a project with such good documentation and support.

schu

Luca Pandolfini

Apr 29, 2014, 1:39:09 PM
to event-driv...@googlegroups.com
Hi Marc, hi schu,

I would like to thank you all, I downloaded the new version and now it's working flawlessly.
Thanks for your support!

Luca