TACACS+ configuration

Hi, I just set up TACACS+ again; this time I used FreeBSD:
Code:
8.2-RELEASE FreeBSD 8.2-RELEASE

tac_plus-F4.0.4.19

When I set up:
Code:
group = netadmins {
        default service = permit
        login = file /etc/passwd
        service = exec {
                priv-lvl = 15
                }
}

it doesn't work. I need to set the "des" method to make it work.
Code:
         login  = des PA33W0RD
         enable = des PA33W0RD
I used Debian before, and using the /etc/passwd file worked with no problem, but FreeBSD gives me a hard time. Any ideas why?

Thanks.
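As an added example (not code from any poster here and not part of tac_plus), the following Python auditor parses the brace syntax of a tac_plus.conf (group and user blocks with nested service blocks, as in the snippet above) and flags the authentication choices this thread turns on: `cleartext` and `des` login/enable methods, `login = file <path>`, `default service = permit`, and a short shared key. The sample configuration is constructed from the thread's snippets; the user names alice and bob are hypothetical.

```python
"""Audit a tac_plus.conf for weak authentication methods and permissive defaults.

Added example; not part of tac_plus. SAMPLE_CONF is constructed from the
snippets in this thread (the 'netadmins' group, the 'des' lines) plus a
'cleartext' user; the names alice and bob are hypothetical.
"""

SAMPLE_CONF = """
key = super_secret
group = netadmins {
        default service = permit
        login = file /etc/passwd
        service = exec {
                priv-lvl = 15
        }
}
user = alice {
        member = netadmins
        login = des PA33W0RD
        enable = des PA33W0RD
}
user = bob {
        login = cleartext password      # password embedded in the config
}
"""

MIN_KEY_LEN = 16   # RFC 8907 section 10.5.1 recommends shared secrets of 16+ characters


def parse(text):
    """Parse tac_plus.conf brace syntax into a tree of {name, attrs, children}."""
    root = {"name": "", "attrs": [], "children": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif line.endswith("{"):                 # e.g. "group = netadmins {"
            key, _, value = line[:-1].partition("=")
            node = {"name": f"{key.strip()} {value.strip()}", "attrs": [], "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        else:                                    # e.g. "login = des PA33W0RD"
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"cannot parse line: {raw!r}")
            stack[-1]["attrs"].append((key.strip(), value.strip()))
    if len(stack) != 1:
        raise ValueError("unbalanced '{'")
    return root


def audit(root):
    """Return (severity, location, message) findings for the parsed tree."""
    findings = []

    def walk(node, path):
        where = "/".join(path) or "top level"
        for key, value in node["attrs"]:
            method, _, arg = value.partition(" ")
            if key in ("login", "enable"):
                if method == "cleartext":
                    findings.append(("high", where, f"{key} stores a cleartext password in the config"))
                elif method == "des":
                    # crypt(3) DES uses at most the first 8 characters of the password.
                    findings.append(("medium", where, f"{key} uses DES crypt(3): 8-character effective password"))
                elif method == "file":
                    # On FreeBSD the password field of /etc/passwd is '*'; the hashes live in
                    # the root-only /etc/master.passwd, so the path must actually carry hashes.
                    findings.append(("info", where, f"{key} reads hashes from {arg}; verify that file carries them"))
            if key == "default service" and value == "permit":
                findings.append(("medium", where, "authorization defaults to permit for services not listed"))
            if key == "key" and len(value) < MIN_KEY_LEN:
                findings.append(("low", where, f"shared secret is {len(value)} characters, below {MIN_KEY_LEN}"))
        for child in node["children"]:
            walk(child, path + [child["name"]])

    walk(root, [])
    return findings


def audit_text(text):
    """Convenience wrapper: parse and audit in one call."""
    return audit(parse(text))


if __name__ == "__main__":
    for severity, where, message in audit_text(SAMPLE_CONF):
        print(f"{severity:6} {where:24} {message}")
```

Run against the sample, it reports the short shared key, the permissive default in the `netadmins` group, the `file` delegation to check, both `des` entries for alice and the cleartext password for bob.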
 
Hi,

FreeBSD uses a different passwd file format than Linux so it's quite possible TACACS+ just hasn't been coded to work with the FreeBSD passwd file. We use TACACS+ with users and passwords defined in the TACACS+ config file.

ta Andy.
 
Hi! I use Tacacs 4.0.19 for the server and the client.
Server: FreeBSD 7.4
Client: FreeBSD 8.2

Config on the server: tac_plus.conf
Code:
key = super_secret
user = user1 {
        # password on passwd - pass
        login = cleartext password
}

The user specified in config is added to the group "wheel" in the system.

On the client: /etc/pam.d/tacacs
Code:
auth       sufficient   pam_tacplus.so encrypt try_first_pass
account    sufficient   pam_tacplus.so encrypt
session    sufficient   pam_tacplus.so encrypt

When I try to authenticate on the server, it returns an error:

Code:
Fri Apr 20 12:39:43 2012 [4567]: session request from 10.171.50.244 sock=2
Fri Apr 20 12:39:43 2012 [4610]: connect from 10.171.50.244 [10.171.50.244]
Fri Apr 20 12:39:43 2012 [4610]: Waiting for packet
Fri Apr 20 12:39:43 2012 [4610]: Read AUTHEN/START size=36
Fri Apr 20 12:39:43 2012 [4610]: validation request from 10.171.50.244
Fri Apr 20 12:39:43 2012 [4610]: PACKET: key=super_secret
Fri Apr 20 12:39:43 2012 [4610]: version 192 (0xc0), type 1, seq no 1, flags 0x1
Fri Apr 20 12:39:43 2012 [4610]: session_id 2574088082 (0x996d7792), Data length 24 (0x18)
Fri Apr 20 12:39:43 2012 [4610]: End header
Fri Apr 20 12:39:43 2012 [4610]: type=AUTHEN/START, priv_lvl = 1
Fri Apr 20 12:39:43 2012 [4610]: action=login
Fri Apr 20 12:39:43 2012 [4610]: authen_type=ascii
Fri Apr 20 12:39:43 2012 [4610]: service=login
Fri Apr 20 12:39:43 2012 [4610]: user_len=3 port_len=0 (0x0), rem_addr_len=13 (0xd)
Fri Apr 20 12:39:43 2012 [4610]: data_len=0
Fri Apr 20 12:39:43 2012 [4610]: User:
Fri Apr 20 12:39:43 2012 [4610]: user1
Fri Apr 20 12:39:43 2012 [4610]: port:
Fri Apr 20 12:39:43 2012 [4610]: rem_addr:
Fri Apr 20 12:39:43 2012 [4610]: 10.171.50.200
Fri Apr 20 12:39:43 2012 [4610]: data:
Fri Apr 20 12:39:43 2012 [4610]: End packet
Fri Apr 20 12:39:43 2012 [4610]: Authen Start request
Fri Apr 20 12:39:43 2012 [4610]: choose_authen chose default_fn
Fri Apr 20 12:39:43 2012 [4610]: Calling authentication function
Fri Apr 20 12:39:43 2012 [4610]: Writing AUTHEN/GETPASS size=28
Fri Apr 20 12:39:43 2012 [4610]: PACKET: key=super_secret
Fri Apr 20 12:39:43 2012 [4610]: version 192 (0xc0), type 1, seq no 2, flags 0x1
Fri Apr 20 12:39:43 2012 [4610]: session_id 2574088082 (0x996d7792), Data length 16 (0x10)
Fri Apr 20 12:39:43 2012 [4610]: End header
Fri Apr 20 12:39:43 2012 [4610]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
Fri Apr 20 12:39:43 2012 [4610]: msg_len=10, data_len=0
Fri Apr 20 12:39:43 2012 [4610]: msg:
Fri Apr 20 12:39:43 2012 [4610]: Password:
Fri Apr 20 12:39:43 2012 [4610]: data:
Fri Apr 20 12:39:43 2012 [4610]: End packet
Fri Apr 20 12:39:43 2012 [4610]: Waiting for packet


Fri Apr 20 12:39:50 2012 [4610]: Read AUTHEN/CONT size=30
Fri Apr 20 12:39:50 2012 [4610]: PACKET: key=super_secret
Fri Apr 20 12:39:50 2012 [4610]: version 192 (0xc0), type 1, seq no 3, flags 0x1
Fri Apr 20 12:39:50 2012 [4610]: session_id 2574088082 (0x996d7792), Data length 18 (0x12)
Fri Apr 20 12:39:50 2012 [4610]: End header
Fri Apr 20 12:39:50 2012 [4610]: type=AUTHEN/CONT
Fri Apr 20 12:39:50 2012 [4610]: user_msg_len 13 (0xd), user_data_len 0 (0x0)
Fri Apr 20 12:39:50 2012 [4610]: flags=0x0
Fri Apr 20 12:39:50 2012 [4610]: User msg:
Fri Apr 20 12:39:50 2012 [4610]:  0x8  0xa
Fri Apr 20 12:39:50 2012 [4610]: User data:
Fri Apr 20 12:39:50 2012 [4610]: End packet
Fri Apr 20 12:39:50 2012 [4610]: login query for 'user1' unknown-port from 10.171.50.244 rejected
Fri Apr 20 12:39:50 2012 [4610]: login failure: zvs 10.171.50.244 (10.171.50.244) unknown-port
Fri Apr 20 12:39:50 2012 [4610]: Writing AUTHEN/FAIL size=18
Fri Apr 20 12:39:50 2012 [4610]: PACKET: key=super_secret
Fri Apr 20 12:39:50 2012 [4610]: version 192 (0xc0), type 1, seq no 4, flags 0x1
Fri Apr 20 12:39:50 2012 [4610]: session_id 2574088082 (0x996d7792), Data length 6 (0x6)
Fri Apr 20 12:39:50 2012 [4610]: End header
Fri Apr 20 12:39:50 2012 [4610]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
Fri Apr 20 12:39:50 2012 [4610]: msg_len=0, data_len=0
Fri Apr 20 12:39:50 2012 [4610]: msg:
Fri Apr 20 12:39:50 2012 [4610]: data:
Fri Apr 20 12:39:50 2012 [4610]: End packet
Fri Apr 20 12:39:50 2012 [4610]: 10.171.50.244: disconnect

There's the following error while authenticating:

Code:
Apr 20 13:01:07 tac_client sshd[3868]: Invalid user user1 from 10.171.50.200
Apr 20 13:01:09 tac_client sshd[3868]: Failed keyboard-interactive/pam for invalid user user1 from 10.171.50.200 port 56907 ssh2

What's the problem there?
Thanks.
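As an added example (not tac_plus code and not from any poster), here is a Python parser that folds a tac_plus debug log like the one above into a single authentication event: packet sequence and direction, header version and flags, session id, NAS and remote addresses, and the outcome. Two details of the quoted log are worth a defender's attention and the parser surfaces both: every header carries flags 0x1, which is TAC_PLUS_UNENCRYPTED_FLAG (the packet bodies travelled without the shared-key obfuscation), and the debug output prints the shared secret itself (`PACKET: key=...`), so such logs need the same protection as the config file. The sample lines are a trimmed copy of the thread's log; the password bytes under `User msg:` are never stored.

```python
"""Summarise a tac_plus debug log into one authentication event per session.

Added example; not tac_plus code. SAMPLE_LOG is a trimmed copy of the debug
output quoted in this thread. The header flag value follows RFC 8907; the
original TACACS+ draft that tac_plus implements uses the same value.
"""
import re
from dataclasses import dataclass, field

TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body is NOT obfuscated with the shared key

LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) \[(?P<pid>\d+)\]: ?(?P<msg>.*)$")
PKT_RE = re.compile(r"^(?P<dir>Read|Writing) (?P<kind>[A-Z]+/[A-Z]+) size=(?P<size>\d+)$")
HDR_RE = re.compile(r"^version (?P<ver>\d+) \(0x[0-9a-f]+\), type (?P<typ>\d+), seq no (?P<seq>\d+), flags (?P<flags>0x[0-9a-f]+)$")
SID_RE = re.compile(r"^session_id (?P<sid>\d+) \(0x[0-9a-f]+\), Data length (?P<length>\d+)")
CONN_RE = re.compile(r"^connect from (?P<ip>[\d.]+)")
KEY_RE = re.compile(r"^PACKET: key=")
RESULT_RE = re.compile(r"^login query for '(?P<user>[^']+)' \S+ from (?P<nas>[\d.]+) (?P<result>accepted|rejected)$")

SAMPLE_LOG = """\
Fri Apr 20 12:39:43 2012 [4610]: connect from 10.171.50.244 [10.171.50.244]
Fri Apr 20 12:39:43 2012 [4610]: Read AUTHEN/START size=36
Fri Apr 20 12:39:43 2012 [4610]: PACKET: key=super_secret
Fri Apr 20 12:39:43 2012 [4610]: version 192 (0xc0), type 1, seq no 1, flags 0x1
Fri Apr 20 12:39:43 2012 [4610]: session_id 2574088082 (0x996d7792), Data length 24 (0x18)
Fri Apr 20 12:39:43 2012 [4610]: User:
Fri Apr 20 12:39:43 2012 [4610]: user1
Fri Apr 20 12:39:43 2012 [4610]: port:
Fri Apr 20 12:39:43 2012 [4610]: rem_addr:
Fri Apr 20 12:39:43 2012 [4610]: 10.171.50.200
Fri Apr 20 12:39:43 2012 [4610]: Writing AUTHEN/GETPASS size=28
Fri Apr 20 12:39:43 2012 [4610]: version 192 (0xc0), type 1, seq no 2, flags 0x1
Fri Apr 20 12:39:50 2012 [4610]: Read AUTHEN/CONT size=30
Fri Apr 20 12:39:50 2012 [4610]: version 192 (0xc0), type 1, seq no 3, flags 0x1
Fri Apr 20 12:39:50 2012 [4610]: User msg:
Fri Apr 20 12:39:50 2012 [4610]:  0x8  0xa
Fri Apr 20 12:39:50 2012 [4610]: login query for 'user1' unknown-port from 10.171.50.244 rejected
Fri Apr 20 12:39:50 2012 [4610]: Writing AUTHEN/FAIL size=18
Fri Apr 20 12:39:50 2012 [4610]: version 192 (0xc0), type 1, seq no 4, flags 0x1
"""


@dataclass
class Packet:
    direction: str            # "in" = Read by the server, "out" = Writing to the NAS
    kind: str                 # e.g. AUTHEN/START
    seq: int = 0
    flags: int = 0
    version: tuple = (0, 0)   # (major, minor) from the version byte: 0xc0 -> (12, 0)


@dataclass
class Session:
    nas: str = ""
    user: str = ""
    rem_addr: str = ""
    session_id: int = 0
    outcome: str = "unknown"
    secret_logged: bool = False
    packets: list = field(default_factory=list)

    @property
    def body_obfuscated(self):
        """True only if every header in the session clears TAC_PLUS_UNENCRYPTED_FLAG."""
        return bool(self.packets) and not any(p.flags & TAC_PLUS_UNENCRYPTED_FLAG for p in self.packets)


def parse_session(lines):
    """Fold one session's debug lines into a Session; password bytes are never kept."""
    s = Session()
    pending = None                          # attribute whose value is on the next line
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m["msg"].strip()
        if pending and not msg.endswith(":"):
            setattr(s, pending, msg)        # value line after "User:" / "rem_addr:"
            pending = None
            continue
        pending = {"User:": "user", "rem_addr:": "rem_addr"}.get(msg)
        if (pm := PKT_RE.match(msg)):
            s.packets.append(Packet("in" if pm["dir"] == "Read" else "out", pm["kind"]))
        elif (hm := HDR_RE.match(msg)) and s.packets:
            ver = int(hm["ver"])
            s.packets[-1].version, s.packets[-1].seq = (ver >> 4, ver & 0xF), int(hm["seq"])
            s.packets[-1].flags = int(hm["flags"], 16)
        elif (sm := SID_RE.match(msg)):
            s.session_id = int(sm["sid"])
        elif (cm := CONN_RE.match(msg)):
            s.nas = cm["ip"]
        elif KEY_RE.match(msg):
            s.secret_logged = True          # note the leak; the value itself is not stored
        elif (rm := RESULT_RE.match(msg)):
            s.user, s.outcome = s.user or rm["user"], rm["result"]
    return s


if __name__ == "__main__":
    s = parse_session(SAMPLE_LOG.splitlines())
    print(f"{s.user}@{s.rem_addr} via NAS {s.nas}: {s.outcome}, session 0x{s.session_id:x}, "
          + " -> ".join(p.kind for p in s.packets))
    if not s.body_obfuscated:
        print("  ! packet bodies carried without shared-key obfuscation (flags 0x1)")
    if s.secret_logged:
        print("  ! debug log prints the shared secret; protect the log like the config")
```

The same parser applies unchanged to a successful login, where the final server packet is AUTHEN/PASS and the query line reads `accepted`; feeding it a whole log file and grouping lines by the pid in brackets gives one event per session.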