Malformed packet received from tac_plus on HP ProCurve switches


Daniel Kristinn Gunnarsson

Apr 25, 2014, 6:45:30 AM
to event-driv...@googlegroups.com
Hi there

I've been using tac_plus with great success on Cisco equipment, but now I'm faced with implementing some HP ProCurve switches into the setup. I'm currently testing with an HP ProCurve J9452A Switch 6600ml-48G-4XG, revision K.14.41, ROM K.12.21.

tac_plus receives the request fine but when sending back the HP switch reports the following:

W 04/25/14 18:00:33 00419 auth: Invalid user name/password on SSH session
I 04/25/14 18:01:25 00983 tacacs: malformed packet received from 172.16.155.30 server

While running tac_plus in debug ALL mode:

30751: 11:17:28.219 0/e6630355: New session
30751: 11:17:28.219 0/550363e6: ---<start packet>---
30751: 11:17:28.219 0/550363e6: key used: xxx
30751: 11:17:28.219 0/550363e6: version: 192, type: 1, seq no: 1, flags: unencrypted
30751: 11:17:28.219 0/550363e6: session id: 550363e6 data length: 8
30751: 11:17:28.219 0/550363e6: packet body (len: 8): \001\001\001\001\000\000\000\000
30751: 11:17:28.219 0/550363e6: 0000 01 01 01 01 00 00 00 00                           ........
30751: 11:17:28.219 0/550363e6: AUTHEN/START, priv_lvl=1
30751: 11:17:28.219 0/550363e6: action=login (1)
30751: 11:17:28.219 0/550363e6: authen_type=ascii (1)
30751: 11:17:28.219 0/550363e6: service=login (1)
30751: 11:17:28.219 0/550363e6: user_len=0 port_len=0 rem_addr_len=0
30751: 11:17:28.219 0/550363e6: data_len=0
30751: 11:17:28.219 0/550363e6: user (len: 0):
30751: 11:17:28.219 0/550363e6: port (len: 0):
30751: 11:17:28.219 0/550363e6: rem_addr (len: 0):
30751: 11:17:28.219 0/550363e6: data (len: 0):
30751: 11:17:28.219 0/550363e6: ---<end packet>---
30751: 11:17:28.219 0/e6630355: authen: hdr->seq_no: 1
30751: 11:17:28.219 0/e6630355: Writing AUTHEN/GETUSER size=473

Any idea why the packet gets malformed?

Best regards,
Daniel

Marc Huber

Apr 25, 2014, 2:05:54 PM
to event-driv...@googlegroups.com
Hi Daniel,


On 25.04.14 12:45, Daniel Kristinn Gunnarsson wrote:
I've been using tac_plus with great success on Cisco equipment, but now I'm faced with implementing some HP ProCurve switches into the setup. I'm currently testing with an HP ProCurve J9452A Switch 6600ml-48G-4XG, revision K.14.41, ROM K.12.21.

tac_plus receives the request fine but when sending back the HP switch reports the following:

W 04/25/14 18:00:33 00419 auth: Invalid user name/password on SSH session
I 04/25/14 18:01:25 00983 tacacs: malformed packet received from 172.16.155.30 server
This might be related to the following snippet from:

http://h20566.www2.hp.com/portal/site/hpsc/template.BINARYPORTLET/public/kb/docDisplay/resource.process/?spf_p.tpst=kbDocDisplay_ws_BI&spf_p.rid_kbDocDisplay=docDisplayResURL&javax.portlet.begCacheTok=com.vignette.cachetoken&spf_p.rst_kbDocDisplay=wsrp-resourceState%3DdocId%253Demr_na-c02863330-1%257CdocLocale%253D&javax.portlet.endCacheTok=com.vignette.cachetoken

That document lists
TACACS (PR_0000067897) - When a configuration file is downloaded to the switch and the file contains a separate configuration entry for the TACACS key, after the switch is rebooted, authentication via TACACS may fail with this message: 00983 tacacs: malformed packet received from <IP address> server
as a bug fixed in K.14.83.

Even if that's not the exact problem: upgrading the switch software would be a reasonable next step -- it's actually not the daemon's answer that's malformed, but the (essentially empty) initial TACACS+ packet the switch sends.

Cheers,

Marc
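
The AUTHEN/START packet from the debug output above, decoded field by field so the "essentially empty" diagnosis can be checked against the bytes. This is an added example, not code from the thread or from tac_plus; it assumes the packet layout of the TACACS+ specification (RFC 8907) and reconstructs the 12-byte header from the values tac_plus printed (version 192, type 1, seq 1, unencrypted, session id 550363e6), since the dump shows only the body. It also handles the obfuscated case with the MD5 pseudo-pad, which the thread's packet does not use.

```python
import hashlib
import struct

# TACACS+ (RFC 8907) constants; the values tac_plus decoded in the thread.
TAC_PLUS_AUTHEN = 1                 # header "type" for authentication packets
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # body sent in clear, no MD5 pseudo-pad applied
HDR = struct.Struct("!BBBBII")      # version, type, seq_no, flags, session_id, length
START = struct.Struct("!8B")        # action, priv_lvl, authen_type, service, 4 lengths
NOTE_CLEAR = "unencrypted flag set: body in clear, shared key never applied"
NOTE_EMPTY = "empty user/port/rem_addr: essentially empty START packet"

def pseudo_pad(session_id, key, version, seq_no, n):
    """MD5 keystream that obfuscates the body when the unencrypted flag is clear."""
    out, prev = b"", b""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    while len(out) < n:
        prev = hashlib.md5(seed + prev).digest()
        out += prev
    return out[:n]

def parse_authen_start(pkt, key=b""):
    """Decode header + AUTHEN/START body; return fields and daemon-style observations."""
    version, ptype, seq_no, flags, session_id, length = HDR.unpack_from(pkt)
    body = pkt[HDR.size:]
    if len(body) != length:
        raise ValueError(f"header says {length} body bytes, got {len(body)}")
    if ptype != TAC_PLUS_AUTHEN or seq_no != 1:
        raise ValueError(f"not an AUTHEN/START (type {ptype}, seq {seq_no})")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:   # de-obfuscate with the shared key
        pad = pseudo_pad(session_id, key, version, seq_no, length)
        body = bytes(a ^ b for a, b in zip(body, pad))
    if length < START.size:
        raise ValueError("START body shorter than its 8 fixed bytes")
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = START.unpack_from(body)
    if START.size + ul + pl + rl + dl != length:
        raise ValueError("field lengths do not add up to body length")  # malformed
    fields, off = {}, START.size
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl), ("data", dl)):
        fields[name] = body[off:off + n]
        off += n
    notes = []
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        notes.append(NOTE_CLEAR)
    if not (fields["user"] or fields["port"] or fields["rem_addr"]):
        notes.append(NOTE_EMPTY)
    return {"version": version, "session_id": session_id, "action": action,
            "priv_lvl": priv_lvl, "authen_type": authen_type, "service": service,
            **fields, "notes": notes}

# Constructed from the thread's dump: version 192 (0xc0), type 1, seq 1, unencrypted,
# session id 550363e6, and the 8-byte body 01 01 01 01 00 00 00 00.
SWITCH_START = (HDR.pack(0xC0, 1, 1, TAC_PLUS_UNENCRYPTED_FLAG, 0x550363E6, 8)
                + bytes.fromhex("0101010100000000"))
```

Running `parse_authen_start(SWITCH_START)` yields action=1, priv_lvl=1, authen_type=1, service=1 and four empty variable fields, matching the tac_plus decode line for line; the packet is well-formed but carries nothing to authenticate, which is why the daemon answers with a GETUSER prompt.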

Daniel Kristinn Gunnarsson

Apr 28, 2014, 9:59:36 AM
to event-driv...@googlegroups.com
Thanks for your reply, Marc. I'll schedule an update for the server and let you know what happens.

Best regards,
Daniel

Daniel Kristinn Gunnarsson

May 6, 2014, 5:10:42 PM
to event-driv...@googlegroups.com
So after upgrading two of the J9452A 6600 switches that I have to different firmwares (one is running K.14.83 and the other is running the latest firmware, K.15.13.0005), I've still been unsuccessful at trying to authenticate via tac_plus. However, while trying both ssh and telnet I noticed that the HP server complains about the TACACS server being unreachable.

This is what I saw in the tac_plus debug (happened as soon as I telnetted to the device, before the user/pass prompt):

31686: 22:00:52.914 7/718ff0c2: New session
31686: 22:00:52.914 7/c2f08f71: ---<start packet>---
31686: 22:00:52.914 7/c2f08f71: key used: vie5puSh
31686: 22:00:52.914 7/c2f08f71: version: 192, type: 1, seq no: 1, flags: unencrypted
31686: 22:00:52.914 7/c2f08f71: session id: c2f08f71 data length: 8
31686: 22:00:52.914 7/c2f08f71: packet body (len: 8): \001\001\001\001\000\000\000\000
31686: 22:00:52.914 7/c2f08f71: 0000 01 01 01 01 00 00 00 00                           ........
31686: 22:00:52.914 7/c2f08f71: AUTHEN/START, priv_lvl=1
31686: 22:00:52.914 7/c2f08f71: action=login (1)
31686: 22:00:52.914 7/c2f08f71: authen_type=ascii (1)
31686: 22:00:52.914 7/c2f08f71: service=login (1)
31686: 22:00:52.914 7/c2f08f71: user_len=0 port_len=0 rem_addr_len=0
31686: 22:00:52.914 7/c2f08f71: data_len=0
31686: 22:00:52.914 7/c2f08f71: user (len: 0):
31686: 22:00:52.914 7/c2f08f71: port (len: 0):
31686: 22:00:52.914 7/c2f08f71: rem_addr (len: 0):
31686: 22:00:52.914 7/c2f08f71: data (len: 0):
31686: 22:00:52.914 7/c2f08f71: ---<end packet>---
31686: 22:00:52.914 7/718ff0c2: authen: hdr->seq_no: 1
31686: 22:00:52.914 7/718ff0c2: Writing AUTHEN/GETUSER size=473

Is HP's TACACS+ support this bad that it only works on Cisco's ACS servers? :)

Best regards,
Daniel

Johnny Massengill

May 8, 2014, 10:40:36 AM
to event-driv...@googlegroups.com
Daniel,
I'm using Marc's version of TACACS+ on about 200 HP ProCurve switches with no problems.
The commands on the switch are as follows:
tacacs-server host <IP address of TACACS+ server> key <key from the tac_plus.cfg file>
aaa authentication <ssh or telnet> login tacacs local
aaa authentication <ssh or telnet> enable tacacs local

The "local" at the end of those commands to tell the switch to fall back to the local switch username and password if TACACS+ isn't running.
I'm using LDAP for the login and the tac_plus.cfg for the enable password. 

I have also seen logs similar to yours if the switch IP address was not in the tac_plus.cfg file.

Much good luck
Johnny

Daniel Kristinn Gunnarsson

Jun 28, 2017, 4:07:26 PM
to Event-Driven Servers
Hi guys

So almost 3 years later I think we figured this out. As soon as you configure a welcome banner to be sent to devices from tac_plus, HP switches will fail with the following error visible in tac_plus in debug mode:

06/28/17 16:22:36 00983 tacacs: malformed packet received from x.x.x.x

This has been confirmed by removing the welcome banner statement and retrying logins on the HP switches.

It's possible to bypass this in 2 ways:

1. Remove the welcome banner option from your tac_plus.cfg

2. Create a device group for your HP switches and have them without the welcome banner option being sent to them

Hope this helps!

Daniel