How to make users from AD to authenticate in juniper devices ?
820 views
Skip to first unread message
Zapino
Jan 31, 2021, 3:09:34 AM1/31/21
to Event-Driven Servers
Hello guys,
Please help to find where is the issue, need to make work together network devices + TACACS + AD, I am struggling couples days with authentication of user from AD which belong to specific group into switch through TACACS
When I try to authenticate I have message in log of juniper switch "User 'remote' authenticated successfully but no local login-id configured.", if I add user "remote" then that work, usually user "remote" need when "authenticated user does not exist localy on the router or switch", in my case I have user in switch with name "SU" but mapping with TACACS seems doesnt work :(
The scope is to allow users from AD which bellongs to "Network_admin" group to have super-user rights and users others users from AD to give them operators rights.
Example : User "zapino" belongs to group "Network_admin" provide him rights "SU" in the switch.
Below is my config and user AUTH verification:
Input attribute-value-pairs:
TYPE TACPLUS
TIMESTAMP mavistest-11737-1612063448-0
USER zapino
PASSWORD Pass123
TACTYPE AUTH
Output attribute-value-pairs:
TYPE TACPLUS
TIMESTAMP mavistest-11737-1612063448-0
USER zapino
RESULT ACK
PASSWORD Pass123
SERIAL eWUrRKY2bn+H6G7QrxY/ow=
DBPASSWORD Pass123
TACMEMBER "Users","Network_admin","video","support","cloud"
TACTYPE AUTH
tac_plus.conf
#!/usr/local/sbin/tac_plus
id = spawnd {
listen = { address = 0.0.0.0 port = 49 }
#Uncomment the line below for IPv6 support
#listen = { address = :: port = 49 }
spawn = {
instances min = 1
instances max = 10
}
background = yes
}
id = tac_plus {
debug = ALL -PARSE
access log = /var/log/tac_plus/access/%Y/%m/access-%m-%d-%Y.txt
accounting log = /var/log/tac_plus/accounting/%Y/%m/accounting-%m-%d-%Y.txt
authentication log = /var/log/tac_plus/authentication/%Y/%m/authentication-%m-%d-%Y.txt
mavis module = external {
setenv LDAP_SERVER_TYPE = "microsoft"
setenv LDAP_HOSTS = "172.16.133.10"
setenv LDAP_BASE = "DC=corp,DC=test,DC=com"
setenv LDAP_SCOPE = sub
setenv LDAP_FILTER = "(&(objectClass=user)(objectClass=person)(sAMAccountName=%s))"
setenv LDAP_USER = "ldap...@corp.test.com"
setenv LDAP_PASSWD = "1234"
setenv UNLIMIT_AD_GROUP_MEMBERSHIP = 1
setenv EXPAND_AD_GROUP_MEMBERSHIP = 0
setenv AD_GROUP_PREFIX = ""
setenv REQUIRE_TACACS_GROUP_PREFIX = 1
exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
}
login backend = mavis
user backend = mavis
pap backend = mavis
skip missing groups = yes
host = mgmtnet {
address = 0.0.0.0/0
key = "mykey"
}
group = Network_admin {
service = junos-exec {
set local-user-name = SU }
}
}
Config on JUNIPER device :
set system authentication-order tacplus
set system tacplus-server 172.16.133.13 secret "xxxxxx"
set system tacplus-server 172.16.133.13 timeout 10
set system tacplus-server 172.16.133.13 single-connection
set system tacplus-server 172.16.133.13 source-address 172.30.11.103
set system accounting destination tacplus
set system login user SU uid 2006
set system login user SU class super-user
Marc Huber
Jan 31, 2021, 7:41:22 AM1/31/21
to event-driv...@googlegroups.com
On 31.01.21 05:11, Zapino wrote:
> When I try to authenticate I have message in log of juniper switch
> "User 'remote' authenticated successfully but no local login-id
> configured.", if I add user "remote" then that work, usually user
> "remote" need when "authenticated user does not exist localy on the
> router or switch", in my case I have user in switch with name "SU"
> but mapping with TACACS seems doesnt work :(
>
> The scope is to allow users from AD which bellongs to "Network_admin"
> group to have super-user rights and users others users from AD to give
> them operators rights.
>
> Example : User "zapino" belongs to group "Network_admin" provide him
> rights "SU" in the switch.
SU might be just too short. According to
> When I try to authenticate I have message in log of juniper switch
> "User 'remote' authenticated successfully but no local login-id
> configured.", if I add user "remote" then that work, usually user
> "remote" need when "authenticated user does not exist localy on the
> router or switch", in my case I have user in switch with name "SU"
> but mapping with TACACS seems doesnt work :(
>
> The scope is to allow users from AD which bellongs to "Network_admin"
> group to have super-user rights and users others users from AD to give
> them operators rights.
>
> Example : User "zapino" belongs to group "Network_admin" provide him
> rights "SU" in the switch.
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/user-access-tacacs-authentication.html
the minimum length for the local-user-name VSA is 3.
Cheers,
Marc
Zapino
Jan 31, 2021, 9:17:19 AM1/31/21
to event-driv...@googlegroups.com
Thank you very much for answering Marc , but I have tried different user names in the past doesn't work :( , I tried and renamed SU => netadmin, the same issue :(
I attached a portion of syslog maybe can help
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 cfg_get: checking user/group zapino, tag (NULL)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 zap...@172.30.11.103: not found: svcname=junos-exec@mgmtnet protocol=
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 zap...@172.30.11.103: not found: svcname=junos-exec protocol=
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 zap...@172.16.65.174: ACL __internal__realm_default: match (cached)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 cfg_get: checking user/group Network_admin, tag (NULL)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 zap...@172.30.11.103: not found: svcname=junos-exec@mgmtnet protocol=
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 zap...@172.30.11.103: found: svcname=junos-exec protocol=
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 cfg_get_svc_attrs_func: found svcname=junos-exec proto=
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 nas:service=junos-exec (passed thru)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 nas:absent srv:allow-commands=.* -> add allow-commands=.* (k)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 nas:absent srv:allow-configurations=.* -> add allow-configurations=.* (k)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 nas:absent srv:local-user-name=remote -> add local-user-name=remote (k)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 nas:absent srv:user-permissions=all -> add user-permissions=all (k)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 added 4 args
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 Writing AUTHOR/PASS_ADD size=104
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 ---<start packet>---
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 key used: phatcat
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 version: 192, type: 2, seq no: 2, flags: unencrypted
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 session id: a37f205d, data length: 92
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 packet body (len: 92): \001\004\000\000\000\000\021\027\026\024allow-commands=.*allow-configurations=.*local-user-name=remoteuser-permissions=all
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0000 01 04 00 00 00 00 11 17 16 14 61 6c 6c 6f 77 2d ........ ..allow-
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0010 63 6f 6d 6d 61 6e 64 73 3d 2e 2a 61 6c 6c 6f 77 commands =.*allow
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0020 2d 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 73 3d -configu rations=
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0030 2e 2a 6c 6f 63 61 6c 2d 75 73 65 72 2d 6e 61 6d .*local- user-nam
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0040 65 3d 72 65 6d 6f 74 65 75 73 65 72 2d 70 65 72 e=remote user-per
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0050 6d 69 73 73 69 6f 6e 73 3d 61 6c 6c missions =all
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 AUTHOR/REPLY, status=1 (AUTHOR/PASS_ADD)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 msg_len=0, data_len=0, arg_cnt=4
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 msg (len: 0):
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 data (len: 0):
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 arg[0] (len: 17): allow-commands=.*
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0000 61 6c 6c 6f 77 2d 63 6f 6d 6d 61 6e 64 73 3d 2e allow-co mmands=.
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0010 2a *
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 arg[1] (len: 23): allow-configurations=.*
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0000 61 6c 6c 6f 77 2d 63 6f 6e 66 69 67 75 72 61 74 allow-co nfigurat
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0010 69 6f 6e 73 3d 2e 2a ions=.*
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 arg[2] (len: 22): local-user-name=remote
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0000 6c 6f 63 61 6c 2d 75 73 65 72 2d 6e 61 6d 65 3d local-us er-name=
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0010 72 65 6d 6f 74 65 remote
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 arg[3] (len: 20): user-permissions=all
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0000 75 73 65 72 2d 70 65 72 6d 69 73 73 69 6f 6e 73 user-per missions
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0010 3d 61 6c 6c =all
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 ---<end packet>---
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 zap...@172.30.11.103: not found: svcname=junos-exec@mgmtnet protocol=
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 zap...@172.30.11.103: not found: svcname=junos-exec protocol=
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 zap...@172.16.65.174: ACL __internal__realm_default: match (cached)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 cfg_get: checking user/group Network_admin, tag (NULL)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 zap...@172.30.11.103: not found: svcname=junos-exec@mgmtnet protocol=
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 zap...@172.30.11.103: found: svcname=junos-exec protocol=
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 cfg_get_svc_attrs_func: found svcname=junos-exec proto=
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 nas:service=junos-exec (passed thru)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 nas:absent srv:allow-commands=.* -> add allow-commands=.* (k)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 nas:absent srv:allow-configurations=.* -> add allow-configurations=.* (k)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 nas:absent srv:local-user-name=remote -> add local-user-name=remote (k)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 nas:absent srv:user-permissions=all -> add user-permissions=all (k)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 added 4 args
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 Writing AUTHOR/PASS_ADD size=104
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 ---<start packet>---
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 key used: phatcat
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 version: 192, type: 2, seq no: 2, flags: unencrypted
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 session id: a37f205d, data length: 92
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 packet body (len: 92): \001\004\000\000\000\000\021\027\026\024allow-commands=.*allow-configurations=.*local-user-name=remoteuser-permissions=all
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0000 01 04 00 00 00 00 11 17 16 14 61 6c 6c 6f 77 2d ........ ..allow-
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0010 63 6f 6d 6d 61 6e 64 73 3d 2e 2a 61 6c 6c 6f 77 commands =.*allow
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0020 2d 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 73 3d -configu rations=
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0030 2e 2a 6c 6f 63 61 6c 2d 75 73 65 72 2d 6e 61 6d .*local- user-nam
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0040 65 3d 72 65 6d 6f 74 65 75 73 65 72 2d 70 65 72 e=remote user-per
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0050 6d 69 73 73 69 6f 6e 73 3d 61 6c 6c missions =all
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 AUTHOR/REPLY, status=1 (AUTHOR/PASS_ADD)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 msg_len=0, data_len=0, arg_cnt=4
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 msg (len: 0):
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 data (len: 0):
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 arg[0] (len: 17): allow-commands=.*
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0000 61 6c 6c 6f 77 2d 63 6f 6d 6d 61 6e 64 73 3d 2e allow-co mmands=.
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0010 2a *
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 arg[1] (len: 23): allow-configurations=.*
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0000 61 6c 6c 6f 77 2d 63 6f 6e 66 69 67 75 72 61 74 allow-co nfigurat
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0010 69 6f 6e 73 3d 2e 2a ions=.*
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 arg[2] (len: 22): local-user-name=remote
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0000 6c 6f 63 61 6c 2d 75 73 65 72 2d 6e 61 6d 65 3d local-us er-name=
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0010 72 65 6d 6f 74 65 remote
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 arg[3] (len: 20): user-permissions=all
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0000 75 73 65 72 2d 70 65 72 6d 69 73 73 69 6f 6e 73 user-per missions
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0010 3d 61 6c 6c =all
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 ---<end packet>---
вс, 31 янв. 2021 г. в 07:41, Marc Huber <marc.j...@gmail.com>:
--
You received this message because you are subscribed to the Google Groups "Event-Driven Servers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to event-driven-ser...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/event-driven-servers/adc0f094-4c5b-3cb6-67e0-5e2dda398fbb%40googlemail.com.
Marc Huber
Jan 31, 2021, 10:38:08 AM1/31/21
to event-driv...@googlegroups.com, Zapino
On 31.01.21 15:17, Zapino wrote:
> Thank you very much for answering Marc , but I have tried different
> user names in the past doesn't work :( , I tried and renamed SU =>
> netadmin, the same issue :(
I'm afraid I won't be of much help then -- I have no access to Junos
> Thank you very much for answering Marc , but I have tried different
> user names in the past doesn't work :( , I tried and renamed SU =>
> netadmin, the same issue :(
devices. The daemon debug doesn't show any error either.
However, "allow-configurations" looks wrong; the correct VSA here is
"allow-configuration". Your Junos device may very well reject the
session for that (unrecognized but mandatory VSA from daemon).
Cheers,
Marc
Zapino
Jan 31, 2021, 12:06:11 PM1/31/21
to Event-Driven Servers
Thank you Marc but I wondering from where in debug log during the authentication session there are rights assigned? , in Tacacs config is
just "set local-user-name = netadmin"
Zapino
Jan 31, 2021, 12:06:11 PM1/31/21
to Event-Driven Servers
Need to mention the AD is not under my control
On Sunday, January 31, 2021 at 10:38:08 a.m. UTC-5 Marc Huber wrote:
Marc Huber
Jan 31, 2021, 12:17:41 PM1/31/21
to event-driv...@googlegroups.com
Hi,
On 31.01.21 17:47, Zapino wrote:
> Thank you Marc but I wondering from where in debug log during the
> authentication session there are rights assigned? , in Tacacs config
> is just "set local-user-name = netadmin"
you are certain about this? You debug output showed that there were
mandatory arguments configured ...
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103
nas:service=junos-exec (passed thru)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103
nas:absent srv:allow-commands=.* -> add allow-commands=.* (k)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103
nas:absent srv:allow-configurations=.* -> add allow-configurations=.* (k)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103
nas:absent srv:local-user-name=remote -> add local-user-name=remote (k)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103
nas:absent srv:user-permissions=all -> add user-permissions=all (k)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103
added 4 args
Cheers,
Marc
On 31.01.21 17:47, Zapino wrote:
> Thank you Marc but I wondering from where in debug log during the
> authentication session there are rights assigned? , in Tacacs config
> is just "set local-user-name = netadmin"
mandatory arguments configured ...
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103
nas:service=junos-exec (passed thru)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103
nas:absent srv:allow-commands=.* -> add allow-commands=.* (k)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103
nas:absent srv:allow-configurations=.* -> add allow-configurations=.* (k)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103
nas:absent srv:local-user-name=remote -> add local-user-name=remote (k)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103
nas:absent srv:user-permissions=all -> add user-permissions=all (k)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103
added 4 args
Marc
Zapino
Jan 31, 2021, 4:22:42 PM1/31/21
to Event-Driven Servers
Hi Marc, thank you very much for pointing me to the issue.
I did so stupid :) mistake, since the beginning I went with tacacs another package "shrubbery" before found tacacs MAVIS which is documented very well, I thought I did service down but during the troubleshoot I bring both tacacs UP, which basically made another tacacs to answer to my request instead of MAVIS Tacacs.
Thank you very much
Reply all
Reply to author
Forward
0 new messages