Tacacs+ docker container returns encrypted response

ygorelik
Cisco Employee

I am trying to use a Tacacs+ docker container with a Mac as the docker host. It starts the container fine, although I had to add the -P option to map the docker exposed port 49 to some local host port. The tac_plus server seems to be running fine:

$ ps -ef | grep tac
root 1 0 0 16:48 pts/0 00:00:00 /bin/sh -c service tacacs_plus restart && bash
root 29 1 0 16:48 pts/0 00:00:00 /usr/sbin/tac_plus -C /etc/tacacs+/tac_plus.conf
root 51 43 0 16:49 pts/1 00:00:00 grep tac
$ service tacacs_plus status
Checking status of TACACS+ authentication daemon tacacs+ [ OK ]

Unfortunately, the Tacacs+ client from the Python package tacacs-plus returns some encrypted values:

$ tacacs_client -v -H 127.0.0.1 -p 55005 -k testing123 -u tacadmin authenticate --password password
status: UNKNOWN: 215
server_msg: b'T\x17#\x0c\xed\x8d[#jE\xc2\xdb4\xeev\xcb\xfa\x95&\x96\xf6\xed\xf4[\x9aOP\x0c\xb8[\xd6D\xc2\xc2\x01\x08h\xea!\xda\xf8\xfe\xd9V;$c\xcd\x15z\xac\x1f\x0e'
flags: 166

And the tac_plus server does not create any logs, which makes it difficult to understand what is going wrong. Do you have any suggestions on how I can overcome these issues?

Yan

1 Accepted Solution

The kudos go to Luiz Lima, who developed the TACACS+ docker container, which I tried to use. The RC was a typo in copy-paste, which created a mismatch between the Tacacs configuration key and the key supplied on the command line. The configuration contained the line "key = tacacs123" and the CLI "-k testing 123". Once the command line was corrected I got the expected result:

$ tacacs_client -v -H 127.0.0.1 -p 55005 -k tacacs123 -u tacadmin authenticate --password password
status: PASS

Yan 
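
The key mismatch described in this solution, reproduced offline as an added example (not part of the original thread and not the tacacs-plus package's code): TACACS+ obfuscates the packet body by XOR with an MD5-derived pad built from the shared key, as specified in RFC 8907, so decoding with the wrong key yields garbage such as an unknown status. The session id, version and sequence number are constructed values, and the function names are hypothetical.

```python
import hashlib
import struct

# Authentication reply status codes defined by RFC 8907
VALID_STATUS = {0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
                0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW"}

def pseudo_pad(length, session_id, key, version, seq_no):
    """MD5 chain: each block hashes session_id|key|version|seq_no|previous block."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]

def xor_body(body, session_id, key, version, seq_no):
    """Obfuscation and de-obfuscation are the same XOR with the pad."""
    pad = pseudo_pad(len(body), session_id, key, version, seq_no)
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_reply(status, flags=0, server_msg=b"", data=b""):
    header = struct.pack("!BBHH", status, flags, len(server_msg), len(data))
    return header + server_msg + data

def parse_authen_reply(body):
    """Return (status name, flags, whether the length fields match the body)."""
    status, flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    name = VALID_STATUS.get(status, "UNKNOWN: %d" % status)
    return name, flags, 6 + msg_len + data_len == len(body)

def key_mismatch_suspected(body):
    """Unknown status or inconsistent lengths after decoding points at a wrong key."""
    name, _, consistent = parse_authen_reply(body)
    return name.startswith("UNKNOWN") or not consistent

# Constructed sample values (assumptions, not captured traffic)
SESSION_ID, VERSION, SEQ_NO = 0x1A2B3C4D, 0xC0, 2
SERVER_KEY = b"tacacs123"   # key from the thread's tac_plus configuration
WRONG_KEY = b"testing123"   # key from the thread's first tacacs_client command

def demo():
    wire = xor_body(build_authen_reply(0x01), SESSION_ID, SERVER_KEY, VERSION, SEQ_NO)
    good = xor_body(wire, SESSION_ID, SERVER_KEY, VERSION, SEQ_NO)
    bad = xor_body(wire, SESSION_ID, WRONG_KEY, VERSION, SEQ_NO)
    return parse_authen_reply(good), key_mismatch_suspected(good), key_mismatch_suspected(bad)

if __name__ == "__main__":
    print(demo())
```

A client that sees an undefined status together with length fields that do not add up to the body size should check the shared key first, since the protocol itself carries no integrity check that would report the mismatch.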

4 Replies

Does this have anything to do with any Cisco products?  Identity Services Engine?

As far as I know, Tacacs is a Cisco-developed product and ISE is based on it.

Although ISE provides the T+ protocol, it is definitely not the same as the one you tried to run from the docker container, which has no clear info on sources and support.

If you would like to try ISE, please contact us directly.
