Comments (12)
@RollerMatic I forgot to attach the pcap.
Hey @iyyapa, I need some additional information to debug this.
- What exactly is the issue you are observing, and what should be the expected response? Is there a device you are not able to log in to and get to the shell prompt? Are you unable to run a command on the device?
- Can you please share your TACACS server config that can help us repro the issue?
Hi @RollerMatic
The issue happens in the scenario below.
- The user logs in via the TACACS server with the wrong password. This fails due to the wrong password, and that is expected behavior.
- Then, logging in with the correct password, authorization fails: TAC_PLUS_AUTHOR_STATUS_ERROR := 0x11.
This is unexpected. From our analysis, the client sends the unencrypted authorization request to the TACACS server.
Why does the client send an unencrypted request?
- This issue always happens after some failed login attempts, the next time the user logs in.
- It is not seen when we give the correct credentials the first time.
The user role is configured as admin.
It is Cisco ISE.
I have requested the TACACS server config and will share it once I get it.
> From our analysis, the client sends the unencrypted authorization request to the TACACS server.
> Why does the client send an unencrypted request?

Do you have further details on how you confirmed this? Do you have any packet captures that show the key being specified in cleartext?
The server has no role to play when it comes to the client sending an unencrypted request. You need to check on the client side why this is happening. If the device is an Arista/Cisco/Juniper, usually the PSK is configured at the server configuration level rather than at the AAA operation level.
On the server side, it looks to me that the server tries to lookup the key for the host, which isn't configured (indicated by "no host named 192.168.0.233". )
There are two ways to resolve that:
- Configure the key for all devices by putting this line at the top of your tac_plus.conf:
  key = <your psk>
- Specify the key for the specific host:
  host = 192.168.0.233 {
      key = <PSK configured on the host>
  }
Thanks for your inputs. Please find the pcap snapshot below.
This is an Extreme device.
I have a doubt: if there is an issue with the device, it should always fail, right? This happens only when the wrong credentials are given the first time and then the correct credentials.
Other than the unencrypted payload, it's surprising that the device hasn't sent any authorization arguments, which are usually needed to authorize a request from a network device. I am not sure if those arguments got clipped in your pcap snapshot.
As I said before, the server cannot influence the client to send an unencrypted packet. This is just not part of the protocol. If the client sends an unencrypted packet, it needs to inform the server through a request flag.
This doesn't look to be a server problem of any kind. I would suggest you work with Cisco ISE and Extreme switch TACs to figure out the correct configuration for your device, and ISE server.
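To make the two points in the comment above concrete (the client must announce a cleartext body with the header flag, and an authorization REQUEST carries its arguments as counted, length-prefixed `attr=value` / `attr*value` strings), here is an added example that is not part of the original thread and not code from the tac_plus project. It builds a TACACS+ authorization REQUEST per RFC 8907, applies the MD5 pseudo-pad with a shared key, and parses it server-side; a body that was sent in cleartext without the TAC_PLUS_UNENCRYPTED_FLAG, or obfuscated with a key other than the one the server has for that host, comes out as inconsistent length fields and is rejected, which is the kind of failure a device would see as TAC_PLUS_AUTHOR_STATUS_ERROR. The key, user, port, remote address, session id and argument values are constructed sample data; `brcd-role` is the optional argument named later in the thread.

```python
"""TACACS+ (RFC 8907) authorization REQUEST: build, obfuscate, parse.

Added example, not code from the tac_plus project. All keys, users, ports,
addresses, session ids and argument values are constructed sample data.
"""
import hashlib
import struct
from typing import Dict, Optional, Tuple

TAC_PLUS_VERSION = 0xC0            # major 0xC, minor 0 (default)
TAC_PLUS_AUTHOR = 0x02             # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body is NOT obfuscated
HEADER_FMT = "!BBBBII"             # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)
Args = Dict[str, Tuple[str, bool]]  # attr -> (value, mandatory?)


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 4.5: MD5 chain over session_id || key || version || seq_no [|| previous hash]."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; applying it twice restores the original."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_request(user: str, port: str, rem_addr: str, args: Args, key: bytes,
                         session_id: int, seq_no: int = 1, encrypted: bool = True) -> bytes:
    """Client side. 'attr=value' is a mandatory argument, 'attr*value' an optional one."""
    wire_args = [f"{a}{'=' if mand else '*'}{v}".encode() for a, (v, mand) in args.items()]
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    # authen_method=TACACSPLUS(0x06), priv_lvl=1, authen_type=ASCII(0x01), authen_service=LOGIN(0x01)
    body = struct.pack("!8B", 0x06, 1, 0x01, 0x01, len(u), len(p), len(r), len(wire_args))
    body += bytes(len(a) for a in wire_args) + u + p + r + b"".join(wire_args)
    flags = 0
    if encrypted:
        body = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    else:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG  # the only legitimate way to send a cleartext body
    hdr = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHOR, seq_no, flags, session_id, len(body))
    return hdr + body


def parse_author_request(pkt: bytes, key: Optional[bytes]) -> dict:
    """Server side. Raises ValueError when the body does not parse, which is what a wrong
    per-host key, or a cleartext body sent without the UNENCRYPTED flag, looks like."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError(f"not an authorization packet: type {ptype:#x}")
    body = pkt[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated body")
    cleartext = bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)
    if not cleartext:
        if key is None:  # tac_plus: no global 'key =' and no matching 'host = { key = }' stanza
            raise ValueError("obfuscated body but no key configured for this client")
        body = obfuscate(body, session_id, key, version, seq_no)
    if len(body) < 8:
        raise ValueError("short body")
    _method, priv_lvl, _type, _service, ulen, plen, rlen, argc = body[:8]
    arg_lens = list(body[8:8 + argc])
    pos = 8 + argc
    if len(arg_lens) != argc or pos + ulen + plen + rlen + sum(arg_lens) != len(body):
        raise ValueError("length fields inconsistent: wrong key, or cleartext sent without the flag")
    fields = []
    for n in (ulen, plen, rlen):
        fields.append(body[pos:pos + n].decode("ascii"))
        pos += n
    args: Args = {}
    for n in arg_lens:
        raw = body[pos:pos + n].decode("ascii")
        pos += n
        seps = [i for i in (raw.find("="), raw.find("*")) if i >= 0]
        if not seps:
            raise ValueError(f"malformed argument {raw!r}")
        i = min(seps)
        args[raw[:i]] = (raw[i + 1:], raw[i] == "=")
    return {"session_id": session_id, "seq_no": seq_no, "cleartext": cleartext,
            "priv_lvl": priv_lvl, "user": fields[0], "port": fields[1],
            "rem_addr": fields[2], "args": args}


if __name__ == "__main__":
    key = b"constructed-psk"
    args = {"service": ("exec", True), "brcd-role": ("admin", False)}
    pkt = build_author_request("admin", "tty1", "192.168.0.10", args, key, 0x1234ABCD)
    print(parse_author_request(pkt, key))
    # Same body in cleartext but WITHOUT the flag: the server applies the pad anyway.
    bad = bytearray(build_author_request("admin", "tty1", "192.168.0.10", args, key, 0x1234ABCD, encrypted=False))
    bad[3] = 0
    try:
        parse_author_request(bytes(bad), key)
    except ValueError as e:
        print("server rejects:", e)
```

On a real capture, the quick check is byte 3 of the header: if it is 0 the server will run the pad over the body using whatever key its `key =` or `host = { key = }` stanza holds for that client IP, so a readable body in the pcap with flag 0 means the device is at fault, not the server.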
The device sends authorization arguments. The issue is with the Extreme switch, because it was working in lower releases and is not working after upgrading to the higher release.
I will share the server configs once I receive them from TAC.
Can we suggest the config below to the customer to resolve the issue?
> There are two ways to resolve that:
> - Configure the key for all devices by putting this line at the top of your tac_plus.conf:
>   key = <your psk>
> - Specify the key for the specific host:
>   host = 192.168.0.233 {
>       key = <PSK configured on the host>
>   }
@iyyapa we don't have enough information from you to confirm the problem.
You mention
> The device sends authorization arguments
and yet the captured pcap shows no arguments in the authorization packet. We don't have the server config to see what exactly is configured on Cisco's end.
I can't speak on what you could refer to the customer at this time. You can try the change I suggested and see if it helps your case; else I would suggest raising a case with Cisco TAC.
Marking as #resolved because this is not a problem in the tac_plus code, and it looks to be a device-level interaction problem between an Extreme Networks switch and Cisco ISE. Please raise a new issue with all the necessary information if there is any logging-driven symptom of the tac_plus server exhibiting unexpected behaviour.
> I can't speak on what you could refer to the customer at this time. You can try the change I suggested and see if it helps your case; else I would suggest raising a case with Cisco TAC.

Sure. Thanks for your help.
@RollerMatic I forgot to attach the pcap.
From this pcap, I can see that the device needs an optional arg to be set in the TACACS config. Extreme should be able to help you with the arguments that need to be set. Here is a sample config authorizing the user as admin.
There is more info here
service = exec {
    optional brcd-role = admin;
}
Added the AV-Pair configuration to Cisco ISE a few days ago, but the issue still exists.
brcd-role = admin
brcd-AV-Pair1 = "homeLF=30;LFRoleList=admin:1,2,11,12,13,14,15,16,17,18,19,20"
brcd-AV-Pair2 = "chassisRole=admin"
The customer has shared the debug logs from the server side. Can you please review them and share your comments?
The customer entered wrong credentials the first two times and then entered the correct credentials.