Comware

  • 1.  Configuration TACACS comware 7 to TACACS server over Linux

    Posted Sep 22, 2016 01:06 PM

    Hello, I have a problem with my configuration when I try to connect to a TACACS server on Linux (tac_plus version F4.0.4.26). The problem is that my connection lasts only a little time (seconds) before it is disconnected from the server.

    This is the debug output from the HPE 5130 switch:

    %Mar  7 01:24:08:896 2013 sONEAMXDCPolo2_SB01A SSHS/6/SSHS_CONNECT: SSH user C12240 (IP: 172.19.216.125) connected to the server successfully.

    %Mar  7 01:24:11:051 2013 sONEAMXDCPolo2_SB01A SSHS/6/SSHS_DISCONNECT: SSH user C12240 (IP: 172.19.216.125) disconnected from the server.

    My configuration is: 

    hwtacacs scheme TACAS_CLARO
    primary authentication 172.19.216.49 key simple ciscoman
    primary authorization 172.19.216.49 key simple ciscoman
    primary accounting 172.19.216.49 key simple ciscoman
    nas-ip 10.96.136.130
    user-name-format without-domain

    domain TACAS_CLARO
    authentication default hwtacacs-scheme TACAS_CLARO
    authorization default hwtacacs-scheme TACAS_CLARO
    accounting default hwtacacs-scheme TACAS_CLARO
    access-limit disable
    state active
    idle-cut disable
    self-service-url disable

    domain default enable TACAS_CLARO

    I hope you can help me.

    Regards.

    Guillermo



  • 2.  RE: Configuration TACACS comware 7 to TACACS server over Linux

    Posted Sep 27, 2016 10:05 AM

    Hi,

    What software are you running on the switch?

    What is the line vty configuration on the switch?

    I have almost exactly the same setup (I run F4.0.4.19 on the TACACS+ server). It works fine for me. I have no NAS-IP defined.

    Regards

     



  • 3.  RE: Configuration TACACS comware 7 to TACACS server over Linux

    Posted Jan 31, 2018 08:18 AM

    Hello, I know this thread is old but I have the same problem and I can't solve it. My setup is an HPE VSR1000 + Linux Ubuntu. I can't log in to the HPE with TACACS via telnet; it shows "Connection closed by foreign host."
    I'm running TACACS+ version F4.0.4.26 on 3.13.0-137-generic #186-Ubuntu.

    Extract of my tacacs conf:

    user = admin {
    member = admin
    login = des "example"
    }

    group = admin {
    default service = permit }

    The logs on my server show:

    Jan 31 13:54:11  <ipaddressorigin> admin   vty2    ipaddresstacacs   stop    task_id=0       timezone=0      service=shell   disc_cause=0    disc_cause_ext=0        bytes_in=0      bytes_out=0     paks_in=0  paks_out=0


    TACACS+ configuration on HPE V1000:

    hwtacacs scheme TACACS+CG

    nas-ip <HPEIPloopback>

    primary authentication x.x.x.x key simple test1234

    primary authorization x.x.x.x key simple test1234

    primary accounting x.xx.x key simple test1234
    timer response-timeout 10

    user-name-format without-domain

    quit

     

    domain TACACS+TEST 

    authentication login hwtacacs-scheme TACACS+TEST local

    authentication super hwtacacs-scheme TACACS+TEST

    authentication default hwtacacs-scheme TACACS+TEST local

    authorization login hwtacacs-scheme TACACS+TEST local

    authorization command hwtacacs-scheme TACACS+TEST local

    authorization default hwtacacs-scheme TACACS+TEST local

    accounting login hwtacacs-scheme TACACS+TEST

    accounting command hwtacacs-scheme TACACS+TEST

    accounting default hwtacacs-scheme TACACS+TEST

    quit

    domain default enable TACACS+TEST

    super authentication-mode scheme

    line vty 0 63
    authentication-mode scheme
    command authorization
    command accounting

    __________________

    The output of debugging:

    *Jan 31 15:08:23:639 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Encapsulating accounting request packet.
    *Jan 31 15:08:23:639 2018 HPE6 TACACS/7/send_packet:
    version: 0xc0  type: ACCOUNT_REQUEST  seq_no: 1  flag: ENCRYPTED_FLAG
    session-id: 0x33ede1b1
    length of payload: 63
    flags: START
    authen_method: TACACSPLUS  authen_service: LOGIN
    user_len: 5   port_len: 4   rem_len: 10   arg_cnt: 3
    arg0_len: 9     arg1_len: 10    arg2_len: 13
    user: admin
    port: vty2
    rem_addr: XXXX
    arg0: task_id=0  arg1: timezone=0
    arg2: service=shell 
    *Jan 31 15:08:23:642 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
    *Jan 31 15:08:23:642 2018 HPE6 TACACS/7/recv_packet:
    version: 0xc0  type: ACCOUNT_REPLY  seq_no: 2  flag: ENCRYPTED_FLAG
    session-id: 0x33ede1b1
    length of payload: 5
    server_msg len: 0  data len: 0  status: STATUS_SUCCESS
    server_msg:
    data:
    *Jan 31 15:08:23:642 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Processing accounting reply packet.
    *Jan 31 15:08:23:642 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Processed accounting-start reply message, resultCode: 0.
    *Jan 31 15:08:23:642 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: TACACS start-accounting succeeded.
    *Jan 31 15:08:23:649 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.
    *Jan 31 15:08:23:649 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Processing TACACS stop-accounting.
    *Jan 31 15:08:23:650 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Dispatching request, Primitive: accounting-stop.
    *Jan 31 15:08:23:650 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Creating request data, data type: START
    *Jan 31 15:08:23:650 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Session successfully created.
    *Jan 31 15:08:23:650 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Getting available server, server-ip=XXXX, server-port=49, VPN instance=--(public).
    *Jan 31 15:08:23:650 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Connecting to server...
    *Jan 31 15:08:23:650 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLOUT event.
    *Jan 31 15:08:23:650 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Connection succeeded, server-ip=XXXX, port=49, VPN instance=--(public).
    *Jan 31 15:08:23:650 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Encapsulating accounting request packet.
    *Jan 31 15:08:23:650 2018 HPE6 TACACS/7/send_packet:
    version: 0xc0  type: ACCOUNT_REQUEST  seq_no: 1  flag: ENCRYPTED_FLAG
    session-id: 0x8efa1082
    length of payload: 137
    flags: STOP
    authen_method: TACACSPLUS  authen_service: LOGIN
    user_len: 5   port_len: 4   rem_len: 10   arg_cnt: 9
    arg0_len: 9     arg1_len: 10    arg2_len: 13    arg3_len: 12
    arg4_len: 16    arg5_len: 10    arg6_len: 11    arg7_len: 9 
    arg8_len: 10
    user: admin
    port: vty2
    rem_addr: XXXXX
    arg0: task_id=0  arg1: timezone=0
    arg2: service=shell  arg3: disc_cause=0
    arg4: disc_cause_ext=0  arg5: bytes_in=0
    arg6: bytes_out=0  arg7: paks_in=0
    arg8: paks_out=0 
    *Jan 31 15:08:23:653 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
    *Jan 31 15:08:23:653 2018 HPE6 TACACS/7/recv_packet:
    version: 0xc0  type: ACCOUNT_REPLY  seq_no: 2  flag: ENCRYPTED_FLAG
    session-id: 0x8efa1082
    length of payload: 5
    server_msg len: 0  data len: 0  status: STATUS_SUCCESS
    server_msg:
    data:
    *Jan 31 15:08:23:653 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Processing accounting reply packet.
    *Jan 31 15:08:23:653 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.
    *Jan 31 15:08:23:653 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Processed accounting-stop reply message, resultCode: 0.
    *Jan 31 15:08:23:653 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: TACACS stop-accounting succeeded.
    *Jan 31 15:08:44:250 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Set status of server to active successfully. serverIP: xxxx, serverPort: 49.

    Please, could anybody help me?
    Thanks
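
Added example, not part of the original thread or of any HPE or tac_plus tooling: a small parser for the Comware `TACACS/7/send_packet` debug format quoted above that pairs accounting START and STOP requests per user and port and reports sessions that end almost immediately, which is the symptom both posters describe. The sample input is constructed from the debug lines in the post, and the function names and the 1000 ms threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the accounting packets from the thread's debug output, trimmed.
SAMPLE = """\
*Jan 31 15:08:23:639 2018 HPE6 TACACS/7/send_packet:
version: 0xc0  type: ACCOUNT_REQUEST  seq_no: 1  flag: ENCRYPTED_FLAG
flags: START
user: admin
port: vty2
*Jan 31 15:08:23:642 2018 HPE6 TACACS/7/recv_packet:
version: 0xc0  type: ACCOUNT_REPLY  seq_no: 2  flag: ENCRYPTED_FLAG
*Jan 31 15:08:23:650 2018 HPE6 TACACS/7/send_packet:
version: 0xc0  type: ACCOUNT_REQUEST  seq_no: 1  flag: ENCRYPTED_FLAG
flags: STOP
user: admin
port: vty2
"""

HEADER = re.compile(r"^\*(\w{3} +\d+ [\d:]{12} \d{4}) \S+ TACACS/7/send_packet:")
FIELD = re.compile(r"\b(type|flags|user|port):\s*(\S+)")

def accounting_records(text):
    """Yield (timestamp, flags, user, port) for each ACCOUNT_REQUEST the device sent."""
    rec = None
    for line in text.splitlines() + ["*"]:      # trailing "*" flushes the last entry
        line = line.strip()
        if line.startswith("*"):                # a new debug entry closes the previous one
            if rec and rec.get("type") == "ACCOUNT_REQUEST" and "flags" in rec:
                yield rec["ts"], rec["flags"], rec.get("user"), rec.get("port")
            m = HEADER.match(line)              # only send_packet entries are tracked
            rec = {"ts": datetime.strptime(" ".join(m.group(1).split()),
                                           "%b %d %H:%M:%S:%f %Y")} if m else None
        elif rec is not None:
            rec.update(FIELD.findall(line))     # collect type/flags/user/port fields

def short_sessions(text, threshold_ms=1000):
    """Pair START/STOP per (user, port); return sessions shorter than threshold_ms."""
    open_starts, hits = {}, []
    for ts, flags, user, port in accounting_records(text):
        if flags == "START":
            open_starts[(user, port)] = ts
        elif flags == "STOP" and (user, port) in open_starts:
            ms = (ts - open_starts.pop((user, port))).total_seconds() * 1000
            if ms < threshold_ms:
                hits.append((user, port, round(ms)))
    return hits

if __name__ == "__main__":
    print(short_sessions(SAMPLE))
```

On the debug output in the post, the accounting STOP for `admin` on `vty2` is sent 11 ms after the accounting START, even though both requests receive `STATUS_SUCCESS` from the server.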