03-06-2008 08:50 AM - edited 03-10-2019 03:42 PM
Hi everyone!
I want to authenticate to my switch via TACACS+. It runs fine as long as I define users and passwords in /etc/tac-plus/tacacs.conf. But when I try to authenticate against a MySQL DB or the /etc/passwd file, authentication fails.
With the config below, I'm able to log in with username fred. In the MySQL DB a user 'test' with password ENCRYPT('test') is correctly set up. I use the DB skel which comes with tacacs+ (in Debian it's in /usr/share/docs/tac-plus; the manual is at http://www.gazi.edu.tr/tacacs/docs/tacacs_db.txt).
---------------------
My tacacs+ config:
# /etc/tac-plus/tacacs.conf
### TACACS+ Config
# Auth-Key
key = some_key
#default authentication = file /etc/passwd
default authentication = db mysql://user:password@localhost/tacacs/auth?usern&passwd
accounting file = /var/log/tac-plus/account.log
###### USER ######
user = DEFAULT {
default service = permit
}
#user = DEFAULT {
# service = ppp
# protocol = ip {
# }
#}
# Enable-User
#user = $enable$ {
# login = cleartext test
#}
user = fred {
default service = permit
login = cleartext fred_pw
}
--------------------------
--------------------------
My Cisco config:
switch#sh ru
Building configuration...
[some info]
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname MySwitch
!
aaa new-model
aaa group server tacacs+ TACSERV
server 192.168.1.5
!
aaa authentication login default group TACSERV local line
enable secret secret_enable_pw
!
username rescue secret secret_rescue_pw
ip subnet-zero
!
spanning-tree extend system-id
!
!
interface FastEthernet0/1
switchport access vlan 180
switchport mode trunk
switchport nonegotiate
no ip address
!
[some FastEthernet and GigabitEthernet Configuration]
ip default-gateway 192.168.1.1
ip http server
!
tacacs-server host 192.168.1.5 key some_key
!
line con 0
exec-timeout 0 0
line vty 5 15
!
ntp server 192.168.1.60
end
----------------------
It would be great if someone could help.
Greetings,
Fred
03-06-2008 11:00 PM
Hi,
I realized that Debian only stores usernames in /etc/passwd - the user's password is stored in /etc/shadow.
I manually edited the passwd file to get the password in. Result: authentication works with /etc/passwd. But when I point to /etc/shadow in the configuration file, authentication doesn't work.
Is there a way to get tacacs+ to use the /etc/shadow properly or to configure Debian not to use /etc/shadow?
The other big problem - authentication against MySQL - doesn't work yet.
Any Hints?
Thanks,
Fred
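As an added example, not part of Fred's posts or of the tac_plus project, the following POSIX shell diagnostic shows why manually copying a hash into /etc/passwd worked while pointing the daemon at /etc/shadow did not: on Debian the second field of each /etc/passwd entry is the placeholder "x", the real crypt(3) hash is kept in /etc/shadow, and that file is mode 0640 root:shadow, so a process that is neither root nor in group shadow cannot open it. The function names (hash_location, hash_scheme, hash_field, shadow_readable) are mine, and the passwd/shadow sample lines are constructed with placeholder hash strings, not real hashes.

```shell
#!/bin/sh
# Added diagnostic (not from the thread or from tac_plus): classify where an
# account's password hash lives and which crypt(3) scheme it uses, so you can
# see why "default authentication = file /etc/passwd" can only succeed when a
# real hash sits in field 2 of that file rather than the "x" shadow placeholder.
# All sample lines below are CONSTRUCTED; the hash strings are placeholders.
# On a real Debian host, feed it:  getent passwd fred  /  sudo getent shadow fred

# Report where the hash in one passwd(5)/shadow(5) line stands:
#   shadowed  field 2 is "x"   (the hash is in /etc/shadow, not here)
#   empty     no password at all
#   locked    field 2 starts with "!" or "*"
#   inline    field 2 is a usable crypt(3) hash
hash_location() {
    f2=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$f2" in
        x)          echo shadowed ;;
        '')         echo empty ;;
        '!'*|'*'*)  echo locked ;;
        *)          echo inline ;;
    esac
}

# Identify the crypt(3) scheme from the hash prefix. MySQL ENCRYPT() calls the
# system crypt(3); with its default two-character random salt that is a
# 13-character traditional DES hash. Current /etc/shadow entries are usually
# $6$ (SHA-512 crypt) or $y$ (yescrypt).
hash_scheme() {
    h=${1#"!"}   # a leading "!" is the lock marker, not part of the hash
    case "$h" in
        '$1$'*)        echo md5crypt ;;
        '$5$'*)        echo sha256crypt ;;
        '$6$'*)        echo sha512crypt ;;
        '$y$'*)        echo yescrypt ;;
        '$2'[aby]'$'*) echo bcrypt ;;
        *) if [ "${#h}" -eq 13 ]; then echo descrypt; else echo unknown; fi ;;
    esac
}

# Field 2 of a passwd/shadow line, for feeding into hash_scheme.
hash_field() {
    printf '%s\n' "$1" | cut -d: -f2
}

# Can the current process read the shadow file at all? /etc/shadow is
# root:shadow 0640 on Debian, so a daemon running as an ordinary user gets
# EACCES and every lookup against it fails before any password is compared.
shadow_readable() {
    if [ -r "${1:-/etc/shadow}" ]; then echo yes; else echo no; fi
}

# --- constructed samples (placeholder hashes) ---------------------------
PASSWD_DEBIAN='fred:x:1000:1000:Fred:/home/fred:/bin/bash'
PASSWD_EDITED='fred:sa3tHJ3/KuYvI:1000:1000:Fred:/home/fred:/bin/bash'
SHADOW_LINE='fred:$6$saltsalt$PLACEHOLDERHASH:17000:0:99999:7:::'
SHADOW_LOCKED='fred:!$6$saltsalt$PLACEHOLDERHASH:17000:0:99999:7:::'

for line in "$PASSWD_DEBIAN" "$PASSWD_EDITED" "$SHADOW_LINE" "$SHADOW_LOCKED"; do
    loc=$(hash_location "$line")
    scheme=$(hash_scheme "$(hash_field "$line")")
    printf '%-8s %-12s %s\n' "$loc" "$scheme" "${line%%:*}"
done
printf 'can this process read /etc/shadow? %s\n' "$(shadow_readable)"
```

Run it as the same user the daemon runs as: if the last line says "no", no configuration change on the tac_plus side will make /etc/shadow lookups work until the daemon either runs as root or is placed in group shadow. The scheme check is the other half of the picture: a hash copied from MySQL ENCRYPT() is DES, while the entries already in /etc/shadow are typically SHA-512 or yescrypt, so any verifier has to be linked against a libcrypt that supports the scheme actually stored.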