12-12-2008 06:53 AM
Hi,
I have problems implementing TACACS+ for managing SSH user authentication (via config file - no database).
Maybe you can have a look and help me...
Switch (MDS 9513):
fcsw# show tacacs-server
Global TACACS+ shared secret:********
timeout value:30
deadtime value:30
total number of servers:1
following TACACS+ servers are configured:
X.X.X.77:
available on port:49
TACACS+ shared secret:********
fcsw# show tacacs-server groups
total number of groups:1
following TACACS+ server groups are configured:
group TAC1:
server X.X.X.77 on port 49
deadtime is 0
fcsw# show aaa authentication
default: group TAC1 local
console: group TAC1 local
iscsi: local
dhchap: local
Server (Suse Linux 10):
X.X.X.77# /usr/local/sbin/tac_plus -v
tac_plus version 4.4rc2-3 (Extended Tac_plus)
config-file:
X.X.X.77 # cat /usr/local/etc/tacacs/tac_plus.cfg
key = "key"
accounting file = /var/log/tac_acc.log
user = adminuser {
default service = permit
login = cleartext "all"
}
I get these standard error messages when I try to login with the TACACS-User:
2008 Dec 12 14:04:38 fcsw %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user adminuser from xxx.com
2008 Dec 12 14:04:39 fcsw %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user adminuser from xxx.com
2008 Dec 12 14:04:40 fcsw %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user adminuser from xxx.com
Thanks for your help guys!
Btw. - Is there an official TACACS+ download website? I downloaded it from http://www.networkforums.net/ and compiled it, but I am not sure if that is the proper way?!
Cheers,
Mike
12-12-2008 11:22 AM
Mike,
Can you test with telnet? There is also a test command you can issue from the MDS command line to validate a user/password against a specific tacacs+ server. The syntax is 'test aaa server tacacs+ x.x.x.x username password'. You may want to use this to test the tacacs+ operation. I'm not sure what that message means, but it almost looks like the username being sent from the MDS is not valid. It might be something like admin@mds.com or something like that, depending on how the SSH client sends the username/pass into the MDS upon login. Also remember that you will need to have your tacacs+ server pass back a role for the user, or even if the password is valid, the user will end up with 'network-operator'. TACACS+ uses 2 separate flows to authenticate and then authorize a user. First the user/pass is checked, then a second flow is used when the MDS 'asks' the tacacs+ server what role the user should get. The role name passed back by the server must be configured in the MDS, or the user gets 'network-operator'. The role name is passed back using the 'cisco-av-pairs' attribute.
Also, your configured 'key' should match what is configured in the MDS tacacs-server host line, and in the tacacs+ server configuration for the MDS as a valid device to send authentication requests to the tacacs+ server.
Here is how I configured user test with password test2 and role = barroom-keeper in a program called TAC_PLUS.
user = test2 {
default service = permit
pap = cleartext test2
service = exec {
cisco-av-pair="shell:roles=barroom-keeper"
}
}
Hope this helps,
Mike
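As an added example (not from this thread or from tac_plus itself), a small Python check that reads a tac_plus.cfg in the syntax shown above and reports the role the MDS would actually grant each user, applying the rules from the reply: no shell:roles av-pair, or a role name not configured on the switch, means 'network-operator'. The sample config and the set of switch roles are constructed for the example.

```python
import re

# Constructed sample in tac_plus.cfg syntax (modelled on the thread, not its file).
SAMPLE_CFG = """
key = "key"
accounting file = /var/log/tac_acc.log
user = adminuser {
    default service = permit
    login = cleartext "all"
}
user = test2 {
    default service = permit
    pap = cleartext test2
    service = exec {
        cisco-av-pair="shell:roles=barroom-keeper"
    }
}
"""

USER_RE = re.compile(r'user\s*=\s*(\S+)\s*\{')
ROLE_RE = re.compile(r'cisco-av-pair\s*=\s*"shell:roles=([^"]+)"')
FALLBACK_ROLE = "network-operator"  # what the MDS grants when no valid role comes back


def parse_users(cfg):
    """Return {username: body text} by brace-matching each 'user = name { ... }' block."""
    users = {}
    for m in USER_RE.finditer(cfg):
        depth, i = 0, m.end() - 1  # m.end()-1 is the opening brace
        while i < len(cfg):
            if cfg[i] == "{":
                depth += 1
            elif cfg[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        users[m.group(1)] = cfg[m.end():i]
    return users


def effective_roles(cfg, switch_roles):
    """Map each user to the roles the switch would grant (space-separated list in the av-pair).

    Roles the switch does not know are dropped; an empty result falls back to network-operator.
    """
    granted = {}
    for name, body in parse_users(cfg).items():
        m = ROLE_RE.search(body)
        requested = m.group(1).split() if m else []
        valid = [r for r in requested if r in switch_roles]
        granted[name] = valid or [FALLBACK_ROLE]
    return granted
```

Run it against your real tac_plus.cfg and the output of 'show role' on the switch to spot users who will silently land in 'network-operator'.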
12-15-2008 09:01 AM
Hi Mike,
Thanks very much for your reply. Your config example works fine. Great!
Just another quick question. I still have a local net-admin user if the tacacs server is down for any reason.
I am not able to log in with that local user while the tacacs server is running. It works fine when the server is not reachable. I guess this "works as designed", right?
Cheers,
Mike
12-15-2008 11:10 AM
Yes...it is working as designed. The MDS will only use the local user database if the TACACS+ server is not reachable. This is not the same as getting a negative response for the user. If configured to use TACACS+ to authenticate users, it will send an auth request to the TACACS+ server. The only time the user would be validated against the local database is if the TACACS+ server did not respond at all.
Thanks,
Mike