bcc4 TACACS+ configuration - The FreeBSD Forums
#1
February 24th, 2012, 17:30
ObiektywNy

TACACS+ configuration

Hi, I just set up TACACS+ again; this time I used FreeBSD:
Code:
8.2-RELEASE FreeBSD 8.2-RELEASE

tac_plus-F4.0.4.19
When I set up:
Code:
group = netadmins {
        default service = permit
        login = file /etc/passwd
        service = exec {
                priv-lvl = 15
                }
}
it doesn't work. I need to set the "des" method to make it work.
Code:
         login  = des PA33W0RD
         enable = des PA33W0RD
I used Debian before, and using the /etc/passwd file worked with no problem, but FreeBSD gives me a hard time. Any ideas why?

Thanks.

Last edited by DutchDaemon; February 24th, 2012 at 17:41.
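The `login = file <path>` method in tac_plus verifies the password with crypt(3) against the second field of a passwd(5)-format file, so that field has to hold an actual hash; on FreeBSD /etc/passwd carries `*` there and the hashes live only in the root-readable /etc/master.passwd (which has three extra fields). The `des` method in the post, by contrast, takes a 13-character DES-crypt string directly in the config. The checker below is an added example, not code from this thread or from tac_plus: it parses either file format, labels what is in the password field, and lists which users could ever verify under the `file` method. The sample entries and hashes are constructed, and it assumes the daemon's libc crypt() accepts the MD5/SHA hash shapes it recognises.

```python
"""Classify the password field of passwd(5) / master.passwd(5) entries.

Added example (not from the forum thread or tac_plus). A tac_plus
`login = file <path>` lookup can only succeed for entries whose second
field is a crypt(3) hash; FreeBSD's /etc/passwd stores '*' there.
"""
import re

# crypt(3) hash shapes treated as usable. Assumption: the daemon links
# against a libc whose crypt() understands these formats.
HASH_PATTERNS = {
    "des": re.compile(r"^[./0-9A-Za-z]{13}$"),
    "md5": re.compile(r"^\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$"),
    "sha256": re.compile(r"^\$5\$"),
    "sha512": re.compile(r"^\$6\$"),
}
# Values that mean "no password here": FreeBSD '*', shadow 'x', locked '!'.
PLACEHOLDERS = {"*", "x", "!", "!!", ""}


def classify(field):
    """Return a label describing one password field."""
    if field in PLACEHOLDERS:
        return "placeholder"
    if field.startswith("*"):          # e.g. pw lock's "*LOCKED*$6$..."
        return "locked"
    for name, pat in HASH_PATTERNS.items():
        if pat.match(field):
            return name
    return "unknown"


def parse_passwd_file(text):
    """Parse passwd(5) (7 fields) or master.passwd(5) (10 fields) text.

    Both put the user in field 0 and the password in field 1.
    Returns a list of (user, format, label) tuples.
    """
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) == 7:
            fmt = "passwd"
        elif len(fields) == 10:
            fmt = "master.passwd"
        else:
            out.append((fields[0], "malformed", "unknown"))
            continue
        out.append((fields[0], fmt, classify(fields[1])))
    return out


def usable_for_file_login(text):
    """Users whose entry could verify under tac_plus `login = file`."""
    return [u for u, _, label in parse_passwd_file(text) if label in HASH_PATTERNS]


# Constructed sample files; the hashes are not real credentials.
MD5_SAMPLE = "$1$AAAAAAAA$" + "B" * 22
FREEBSD_PASSWD = (
    "root:*:0:0:Charlie &:/root:/bin/csh\n"
    "obi:*:1001:1001:Obi:/home/obi:/bin/sh\n"
)
FREEBSD_MASTER = (
    f"root:{MD5_SAMPLE}:0:0::0:0:Charlie &:/root:/bin/csh\n"
    "obi:$6$saltsalt$hashhash:1001:1001::0:0:Obi:/home/obi:/bin/sh\n"
)
DES_PASSWD = "obi:abJnggxhB/yWI:1001:1001:Obi:/home/obi:/bin/sh\n"

if __name__ == "__main__":
    for name, text in [("FreeBSD /etc/passwd", FREEBSD_PASSWD),
                       ("FreeBSD /etc/master.passwd", FREEBSD_MASTER),
                       ("passwd file with DES hashes", DES_PASSWD)]:
        print(name)
        for entry in parse_passwd_file(text):
            print("   ", entry)
        print("    usable for login = file:", usable_for_file_login(text))
```

Run it against a copy of the file you point tac_plus at; if every user comes back as `placeholder`, the `file` method has nothing to compare against, whatever the distribution. Pointing the daemon at master.passwd instead would make it readable by whatever user tac_plus runs as, so a separate passwd-format file containing only the TACACS+ accounts is the safer layout.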
#2
February 25th, 2012, 13:13
AndyUKG

Hi,

FreeBSD uses a different passwd file format than Linux so it's quite possible TACACS+ just hasn't been coded to work with the FreeBSD passwd file. We use TACACS+ with users and passwords defined in the TACACS+ config file.

ta Andy.

Last edited by DutchDaemon; February 26th, 2012 at 00:55.
#3
April 20th, 2012, 18:42
h1n1

Hi! I use Tacacs 4.0.19 for the server and the client.
Server: FreeBSD 7.4
Client: FreeBSD 8.2

Config on the server: tac_plus.conf
Code:
key = super_secret
user = user1 {
#password on passwd - pass
 login = cleartext password
}
The user specified in config is added to the group "wheel" in the system.

On the client: /etc/pam.d/tacacs
Code:
auth       sufficient   pam_tacplus.so encrypt try_first_pass
account    sufficient   pam_tacplus.so encrypt
session    sufficient   pam_tacplus.so encrypt
When I try to authenticate on the server, it returns an error:

Code:
Fri Apr 20 12:39:43 2012 [4567]: session request from 10.171.50.244 sock=2
Fri Apr 20 12:39:43 2012 [4610]: connect from 10.171.50.244 [10.171.50.244]
Fri Apr 20 12:39:43 2012 [4610]: Waiting for packet
Fri Apr 20 12:39:43 2012 [4610]: Read AUTHEN/START size=36
Fri Apr 20 12:39:43 2012 [4610]: validation request from 10.171.50.244
Fri Apr 20 12:39:43 2012 [4610]: PACKET: key=super_secret
Fri Apr 20 12:39:43 2012 [4610]: version 192 (0xc0), type 1, seq no 1, flags 0x1
Fri Apr 20 12:39:43 2012 [4610]: session_id 2574088082 (0x996d7792), Data length 24 (0x18)
Fri Apr 20 12:39:43 2012 [4610]: End header
Fri Apr 20 12:39:43 2012 [4610]: type=AUTHEN/START, priv_lvl = 1
Fri Apr 20 12:39:43 2012 [4610]: action=login
Fri Apr 20 12:39:43 2012 [4610]: authen_type=ascii
Fri Apr 20 12:39:43 2012 [4610]: service=login
Fri Apr 20 12:39:43 2012 [4610]: user_len=3 port_len=0 (0x0), rem_addr_len=13 (0xd)
Fri Apr 20 12:39:43 2012 [4610]: data_len=0
Fri Apr 20 12:39:43 2012 [4610]: User:
Fri Apr 20 12:39:43 2012 [4610]: user1
Fri Apr 20 12:39:43 2012 [4610]: port:
Fri Apr 20 12:39:43 2012 [4610]: rem_addr:
Fri Apr 20 12:39:43 2012 [4610]: 10.171.50.200
Fri Apr 20 12:39:43 2012 [4610]: data:
Fri Apr 20 12:39:43 2012 [4610]: End packet
Fri Apr 20 12:39:43 2012 [4610]: Authen Start request
Fri Apr 20 12:39:43 2012 [4610]: choose_authen chose default_fn
Fri Apr 20 12:39:43 2012 [4610]: Calling authentication function
Fri Apr 20 12:39:43 2012 [4610]: Writing AUTHEN/GETPASS size=28
Fri Apr 20 12:39:43 2012 [4610]: PACKET: key=super_secret
Fri Apr 20 12:39:43 2012 [4610]: version 192 (0xc0), type 1, seq no 2, flags 0x1
Fri Apr 20 12:39:43 2012 [4610]: session_id 2574088082 (0x996d7792), Data length 16 (0x10)
Fri Apr 20 12:39:43 2012 [4610]: End header
Fri Apr 20 12:39:43 2012 [4610]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
Fri Apr 20 12:39:43 2012 [4610]: msg_len=10, data_len=0
Fri Apr 20 12:39:43 2012 [4610]: msg:
Fri Apr 20 12:39:43 2012 [4610]: Password:
Fri Apr 20 12:39:43 2012 [4610]: data:
Fri Apr 20 12:39:43 2012 [4610]: End packet
Fri Apr 20 12:39:43 2012 [4610]: Waiting for packet


Fri Apr 20 12:39:50 2012 [4610]: Read AUTHEN/CONT size=30
Fri Apr 20 12:39:50 2012 [4610]: PACKET: key=super_secret
Fri Apr 20 12:39:50 2012 [4610]: version 192 (0xc0), type 1, seq no 3, flags 0x1
Fri Apr 20 12:39:50 2012 [4610]: session_id 2574088082 (0x996d7792), Data length 18 (0x12)
Fri Apr 20 12:39:50 2012 [4610]: End header
Fri Apr 20 12:39:50 2012 [4610]: type=AUTHEN/CONT
Fri Apr 20 12:39:50 2012 [4610]: user_msg_len 13 (0xd), user_data_len 0 (0x0)
Fri Apr 20 12:39:50 2012 [4610]: flags=0x0
Fri Apr 20 12:39:50 2012 [4610]: User msg:
Fri Apr 20 12:39:50 2012 [4610]:  0x8  0xa
Fri Apr 20 12:39:50 2012 [4610]: User data:
Fri Apr 20 12:39:50 2012 [4610]: End packet
Fri Apr 20 12:39:50 2012 [4610]: login query for 'user1' unknown-port from 10.171.50.244 rejected
Fri Apr 20 12:39:50 2012 [4610]: login failure: zvs 10.171.50.244 (10.171.50.244) unknown-port
Fri Apr 20 12:39:50 2012 [4610]: Writing AUTHEN/FAIL size=18
Fri Apr 20 12:39:50 2012 [4610]: PACKET: key=super_secret
Fri Apr 20 12:39:50 2012 [4610]: version 192 (0xc0), type 1, seq no 4, flags 0x1
Fri Apr 20 12:39:50 2012 [4610]: session_id 2574088082 (0x996d7792), Data length 6 (0x6)
Fri Apr 20 12:39:50 2012 [4610]: End header
Fri Apr 20 12:39:50 2012 [4610]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
Fri Apr 20 12:39:50 2012 [4610]: msg_len=0, data_len=0
Fri Apr 20 12:39:50 2012 [4610]: msg:
Fri Apr 20 12:39:50 2012 [4610]: data:
Fri Apr 20 12:39:50 2012 [4610]: End packet
Fri Apr 20 12:39:50 2012 [4610]: 10.171.50.244: disconnect
There's the following error while authenticating:

Code:
Apr 20 13:01:07 tac_client sshd[3868]: Invalid user user1 from 10.171.50.200
Apr 20 13:01:09 tac_client sshd[3868]: Failed keyboard-interactive/pam for invalid user user1 from 10.171.50.200 port 56907 ssh2
What's the problem there?
Thanks.

Last edited by DutchDaemon; April 21st, 2012 at 00:44. Reason: Formatting & Style: http://forums.freebsd.org/showthread.php?t=8816 / http://forums.freebsd.org/showthread.php?t=18043
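The two logs in this post tell two separate stories: the tac_plus debug output shows the server itself rejecting `user1`'s password for session 2574088082 and answering AUTHEN/FAIL, while the client's sshd log (a later attempt, 13:01 rather than 12:39) says "Invalid user", which sshd logs when the account does not exist in the client's own passwd database; pam_tacplus can check a password, but sshd still needs a local (or NSS-provided) account on the client, and the post only added the user to `wheel` on the server. The debug log also prints the shared secret on every `PACKET: key=` line. The script below is an added example, not code from this thread, tac_plus or pam_tacplus; it parses lines of the shapes shown above (the samples are constructed to match them) and reports those three findings.

```python
"""Triage tac_plus debug output and the SSH client's sshd log.

Added example, not from the thread or from tac_plus/pam_tacplus. It groups
tac_plus debug lines by child pid, reports each session's verdict, counts
lines that print the shared secret, and flags sshd "Invalid user" events.
"""
import re

# Line shapes follow the post's tac_plus debug log and sshd log.
_PID = r"\[(\d+)\]: "
RE_SESSION = re.compile(_PID + r"session_id (\d+) ")
RE_CLIENT = re.compile(_PID + r"validation request from (\S+)")
RE_QUERY = re.compile(_PID + r"login query for '([^']+)' .* from (\S+) (accepted|rejected)")
RE_STATUS = re.compile(_PID + r"type=AUTHEN status=\d+ \((AUTHEN/[A-Z]+)\)")
RE_KEY = re.compile(_PID + r"PACKET: key=")
RE_SSHD_INVALID = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")
RE_SSHD_FAILED = re.compile(r"sshd\[\d+\]: Failed (\S+) for (?:invalid user )?(\S+) from (\S+)")


def parse_tac_plus(text):
    """Summarise tac_plus debug lines per child pid; drop pids with no session."""
    sessions = {}
    for line in text.splitlines():
        pm = re.search(r"\[(\d+)\]: ", line)
        if not pm:
            continue
        rec = sessions.setdefault(pm.group(1), {
            "session_id": None, "client": None, "user": None,
            "verdict": None, "final_status": None, "key_lines": 0})
        if m := RE_SESSION.search(line):
            rec["session_id"] = rec["session_id"] or m.group(2)
        elif m := RE_CLIENT.search(line):
            rec["client"] = m.group(2)
        elif m := RE_QUERY.search(line):
            rec["user"], rec["verdict"] = m.group(2), m.group(4)
        elif m := RE_STATUS.search(line):
            rec["final_status"] = m.group(2)   # last AUTHEN reply wins
        elif RE_KEY.search(line):
            rec["key_lines"] += 1
    return {pid: r for pid, r in sessions.items() if r["session_id"]}


def parse_sshd(text):
    """Extract account-lookup and authentication failures from sshd lines."""
    events = []
    for line in text.splitlines():
        if m := RE_SSHD_INVALID.search(line):
            events.append({"kind": "invalid_user", "user": m.group(1), "src": m.group(2)})
        elif m := RE_SSHD_FAILED.search(line):
            events.append({"kind": "auth_failed", "method": m.group(1),
                           "user": m.group(2), "src": m.group(3)})
    return events


def diagnose(tac_text, sshd_text):
    """Turn both logs into plain findings a defender can act on."""
    findings = []
    for pid, s in parse_tac_plus(tac_text).items():
        if s["verdict"] == "rejected":
            findings.append(f"server rejected '{s['user']}' from {s['client']} "
                            f"(session {s['session_id']}, final reply {s['final_status']})")
        if s["key_lines"]:
            findings.append(f"shared secret printed in {s['key_lines']} debug lines by pid {pid}; "
                            "turn packet debugging off outside troubleshooting and keep the log root-only")
    for e in parse_sshd(sshd_text):
        if e["kind"] == "invalid_user":
            findings.append(f"client sshd has no local account '{e['user']}'; pam_tacplus can verify "
                            "a password, but the account must exist in the client's passwd database")
    return findings


# Constructed samples in the shape of the post's logs (pids, ids, addresses as shown there).
TAC_LOG = """\
Fri Apr 20 12:39:43 2012 [4567]: session request from 10.171.50.244 sock=2
Fri Apr 20 12:39:43 2012 [4610]: connect from 10.171.50.244 [10.171.50.244]
Fri Apr 20 12:39:43 2012 [4610]: validation request from 10.171.50.244
Fri Apr 20 12:39:43 2012 [4610]: PACKET: key=super_secret
Fri Apr 20 12:39:43 2012 [4610]: session_id 2574088082 (0x996d7792), Data length 24 (0x18)
Fri Apr 20 12:39:43 2012 [4610]: PACKET: key=super_secret
Fri Apr 20 12:39:43 2012 [4610]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
Fri Apr 20 12:39:50 2012 [4610]: PACKET: key=super_secret
Fri Apr 20 12:39:50 2012 [4610]: login query for 'user1' unknown-port from 10.171.50.244 rejected
Fri Apr 20 12:39:50 2012 [4610]: PACKET: key=super_secret
Fri Apr 20 12:39:50 2012 [4610]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
Fri Apr 20 12:39:50 2012 [4610]: 10.171.50.244: disconnect
"""
SSHD_LOG = """\
Apr 20 13:01:07 tac_client sshd[3868]: Invalid user user1 from 10.171.50.200
Apr 20 13:01:09 tac_client sshd[3868]: Failed keyboard-interactive/pam for invalid user user1 from 10.171.50.200 port 56907 ssh2
"""

if __name__ == "__main__":
    for finding in diagnose(TAC_LOG, SSHD_LOG):
        print("-", finding)
```

Feed it the real files (`python3 triage.py` with the two strings replaced by `open(...).read()`); the per-session summary makes it easy to see whether a failure is the server's decision or never reached the server at all.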