External authentication tacacs issue

previousqna
Level 5

Hi,

I'm on site in a customer system configuring external authentication in TACACS with NSO version 4.3.1

I'm always getting this output:

But I can see in the TACACS system that the user is being correctly authenticated.

This correct authentication is partly confirmed by the ncs.log (made 3 attempts… second one was with incorrect password):

But audit.log is always logging this as a failure:

Here's the external authentication script I'm using:

Yellow line below is present in the ncs.log confirming successful authentication in Tacacs.

Any thoughts on what I've done wrong in NSO?

>>>>>>>>>>>>>>>>>>>>>>>>

#!/usr/bin/perl
# NSO external authentication script: validates the user against TACACS+
# and prints the verdict NSO expects on stdout.
use strict;
use warnings;
use Authen::TacacsPlus;

# NSO passes the credentials on stdin as "[username;password;]\n".
my $line = <STDIN>;
$line =~ tr/[]//d;                 # drop the enclosing brackets
my @input    = split(/;/, $line);
my $username = $input[0];
my $password = $input[1];
chomp $password;

my $filename = '/opt/ncs/ncs-4.3.1/tacacs_auth.properties';

# Load KEY=value settings (surrounding whitespace and newlines stripped).
my %properties;
open my $in, '<:encoding(UTF-8)', $filename
    or die "could not open file '$filename' $!";
while (<$in>) {
    my ($name, $val) = m/^\s*(\w+)\s*=\s*(.*?)\s*$/;
    next unless defined $name;     # skip blank or malformed lines
    $properties{$name} = $val;
}
close $in;

# Debug line added by the customer: it writes the bare username (no newline)
# to stdout ahead of the verdict, so NSO reads "<username>accept ..." and
# rejects the reply. This is the line the solution below says to remove.
print $username;

if (!$properties{"SERVER"} || !$properties{"SECRET_KEY"}) {
    die("SERVER or SECRET_KEY are undefined in tacacs_auth.properties");
}

if (!$properties{"USERS_GROUP"} || !$properties{"USERS_HOMEDIR"}) {
    die("USERS_GROUP or USERS_HOMEDIR are undefined in tacacs_auth.properties");
}

my $tac = Authen::TacacsPlus->new(
    Host => $properties{"SERVER"},
    Port => '49',
    Key  => $properties{"SECRET_KEY"},
);
unless ($tac) {
    print "abort ", Authen::TacacsPlus::errmsg(), "\n";
    exit(1);
}

# Reply format: accept $groups $uid $gid $supplementary_gids $HOME\n
if ($tac->authen($username, $password)) {
    print "accept $properties{'USERS_GROUP'} 1003 1003 27 $properties{'USERS_HOMEDIR'}\n";
} else {
    print "reject ", Authen::TacacsPlus::errmsg(), "\n";
}

$tac->close();

<<<<<<<<<<<<<<<<<<<

2 Replies

previousqna
Level 5

Sorted… stupid stupid mistake!

Solution with explanation for anyone searching this in the future.

If you look at the ncs.log:

The reply must be in this format: accept $groups $uid $gid $supplementary_gids $HOME\n

The one in the log is not following this rule, it contains a leading: 43500097

This print line was added by the customer to the script… I totally missed that for the last 3 hours!

(Remove the line marked in orange below in the script, and it works)
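The reply format quoted in this answer is what the whole fix turns on: NSO reads the script's entire stdout as the verdict, so a stray print (here the bare username, written by Perl's `print` without a newline) is glued onto the front of `accept`. The checker below is an added example, not code from the thread or from NSO: it validates an external-authentication reply against the format stated above and shows the posted script's corrupted output failing the check. It assumes `$groups` and `$supplementary_gids` are single tokens, as in the posted script (one USERS_GROUP, a fixed supplementary gid of 27); the group `ncsadmin` and home `/home/ncs` are constructed sample values, and `43500097` is the number quoted from the ncs.log above.

```python
import re

# Verdict lines NSO expects from an external authentication script, as quoted
# from the ncs.log in the thread:
#   accept $groups $uid $gid $supplementary_gids $HOME\n
#   reject <message>\n   |   abort <message>\n
# Assumption: $groups and $supplementary_gids are single tokens here, matching
# the posted script (one USERS_GROUP, a fixed supplementary gid of 27).
ACCEPT_RE = re.compile(r"^accept (\S+) (\d+) (\d+) (\d+) (\S+)\n$")


def build_accept_reply(group, uid, gid, supp_gid, home):
    """Format the accept line the way the posted script prints it."""
    return f"accept {group} {uid} {gid} {supp_gid} {home}\n"


def check_reply(stdout):
    """Validate the *complete* stdout of an external-auth script.

    Returns (ok, detail): detail is the verdict for reject/abort, a dict of
    fields for accept, or an error string. Everything the script writes to
    stdout is part of the reply, so any extra print breaks it.
    """
    if not stdout.endswith("\n"):
        return False, "reply must end with a newline"
    if stdout.count("\n") != 1:
        return False, "reply must be exactly one line; extra output found"
    verdict = stdout.split(" ", 1)[0].rstrip("\n")
    if verdict in ("reject", "abort"):
        return True, verdict
    m = ACCEPT_RE.match(stdout)
    if m is None:
        return False, f"unrecognised verdict {verdict!r} (expected accept/reject/abort)"
    group, uid, gid, supp, home = m.groups()
    return True, {"groups": group, "uid": int(uid), "gid": int(gid),
                  "supplementary_gids": int(supp), "home": home}


def script_stdout(username, group, home, stray_debug):
    """Simulate the posted script's stdout for a successful TACACS+ login.

    With stray_debug=True the customer's `print $username;` (Perl print adds
    no newline) lands directly in front of the verdict, producing the
    "leading 43500097" seen in the thread's ncs.log.
    """
    out = username if stray_debug else ""
    return out + build_accept_reply(group, 1003, 1003, 27, home)


if __name__ == "__main__":
    # Constructed sample values; 43500097 is the number quoted in the thread.
    for stray in (True, False):
        out = script_stdout("43500097", "ncsadmin", "/home/ncs", stray)
        print(repr(out), "->", check_reply(out))
```

Running the block prints the corrupted reply (`'43500097accept ncsadmin 1003 1003 27 /home/ncs\n'`) as rejected with an "unrecognised verdict" error and the clean reply as accepted with its parsed fields. Diagnostics from an external-auth script belong on stderr (or in a log file), never on stdout, because stdout is the protocol channel.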

I can see you are mapping a user to a group in a local tacacs_auth.properties file. Is it possible to store group information on the tacacs server?