https://community.hpe.com/t5/switches-hubs-and-modems/tacacs-enable-authentication-2500-series/m-p/4347748#M17252 Hello everyone,<BR /><BR />I was curious if anyone has any experience or similar issues. Here is the problem:<BR /><BR />I can enable tacacs on the switch with:<BR /><BR />aaa authentication telnet login tacacs local <BR />aaa authentication telnet enable tacacs local <BR />tacacs-server key password <BR />tacacs-server host 10.10.10.151<BR /><BR />and I can telnet into the device using my credentials. But when I attempt to enable myself with the same credentials I'm told the password is incorrect.<BR /><BR />The TACACS server we use is from: <A href="http://www.shrubbery.net/tac_plus/" target="_blank">http://www.shrubbery.net/tac_plus/</A> and we use this one so we can auth against an LDAP/Kerberos setup.<BR /><BR />Here are the logs from our TACACS servers:<BR /><BR />Thu Jan 29 12:41:21 2009 [7533]: cfg_get_value: name= isuser=1 attr=enable rec=1<BR />Thu Jan 29 12:41:21 2009 [7533]: cfg_get_value: no user/group named<BR />Thu Jan 29 12:41:21 2009 [7533]: cfg_get_pvalue: returns NULL<BR />Thu Jan 29 12:41:21 2009 [7533]: cfg_get_hvalue: name=10.10.10.156 attr=enable<BR />Thu Jan 29 12:41:21 2009 [7533]: cfg_get_phvalue: returns cleartext password<BR />Thu Jan 29 12:41:21 2009 [7533]: verify daemon password == NAS supersecretpassword<BR />Thu Jan 29 12:41:21 2009 [7533]: Password is incorrect<BR />Thu Jan 29 12:41:21 2009 [7533]: enable query for 'unknown' unknown from 10.10.10.156 rejected<BR />Thu Jan 29 12:41:21 2009 [7533]: cfg_get_hvalue: name=10.10.10.156 attr=key<BR />Thu Jan 29 12:41:21 2009 [7533]: cfg_get_phvalue: returns password<BR /><BR /><BR />The TACACS server is a production server and is known to work.<BR /><BR />If anyone has any insight or any further questions, please let me know. Thu, 29 Jan 2009 17:53:20 GMT switchtower 2009-01-29T17:53:20Z https://community.hpe.com/t5/switches-hubs-and-modems/tacacs-enable-authentication-2500-series/m-p/4347748#M17252 Hello everyone,<BR /><BR />I was curious if anyone has any experience or similar issues. Here is the problem:<BR /><BR />I can enable tacacs on the switch with:<BR /><BR />aaa authentication telnet login tacacs local <BR />aaa authentication telnet enable tacacs local <BR />tacacs-server key password <BR />tacacs-server host 10.10.10.151<BR /><BR />and I can telnet into the device using my credentials. But when I attempt to enable myself with the same credentials I'm told the password is incorrect.<BR /><BR />The TACACS server we use is from: <A href="http://www.shrubbery.net/tac_plus/" target="_blank">http://www.shrubbery.net/tac_plus/</A> and we use this one so we can auth against an LDAP/Kerberos setup.<BR /><BR />Here are the logs from our TACACS servers:<BR /><BR />Thu Jan 29 12:41:21 2009 [7533]: cfg_get_value: name= isuser=1 attr=enable rec=1<BR />Thu Jan 29 12:41:21 2009 [7533]: cfg_get_value: no user/group named<BR />Thu Jan 29 12:41:21 2009 [7533]: cfg_get_pvalue: returns NULL<BR />Thu Jan 29 12:41:21 2009 [7533]: cfg_get_hvalue: name=10.10.10.156 attr=enable<BR />Thu Jan 29 12:41:21 2009 [7533]: cfg_get_phvalue: returns cleartext password<BR />Thu Jan 29 12:41:21 2009 [7533]: verify daemon password == NAS supersecretpassword<BR />Thu Jan 29 12:41:21 2009 [7533]: Password is incorrect<BR />Thu Jan 29 12:41:21 2009 [7533]: enable query for 'unknown' unknown from 10.10.10.156 rejected<BR />Thu Jan 29 12:41:21 2009 [7533]: cfg_get_hvalue: name=10.10.10.156 attr=key<BR />Thu Jan 29 12:41:21 2009 [7533]: cfg_get_phvalue: returns password<BR /><BR /><BR />The TACACS server is a production server and is known to work.<BR /><BR />If anyone has any insight or any further questions, please let me know. Thu, 29 Jan 2009 17:53:20 GMT https://community.hpe.com/t5/switches-hubs-and-modems/tacacs-enable-authentication-2500-series/m-p/4347748#M17252 switchtower 2009-01-29T17:53:20Z https://community.hpe.com/t5/switches-hubs-and-modems/tacacs-enable-authentication-2500-series/m-p/4347749#M17253 Some things to try to isolate:<BR /><BR />set primary auth source for enable to be local <BR />set primary auth source for login to be local.<BR /><BR />Does enable work in both cases?<BR /> Wed, 04 Feb 2009 02:38:00 GMT https://community.hpe.com/t5/switches-hubs-and-modems/tacacs-enable-authentication-2500-series/m-p/4347749#M17253 Tabasco 2009-02-04T02:38:00Z https://community.hpe.com/t5/switches-hubs-and-modems/tacacs-enable-authentication-2500-series/m-p/4347750#M17254 I see the same problem - looks like the procurve is not sending the username in the enable packet (i.e. user is unknown as opposed to 'czane'): <BR /><BR /><BR />Fri Mar 20 14:30:04 2009 [3607]: connect from 128.171.132.112 [128.171.132.112]<BR />Fri Mar 20 14:30:06 2009 [3607]: login query for 'czane' unknown-port from 128.171.132.112 accepted<BR />Fri Mar 20 14:30:07 2009 [3602]: session.peerip is 128.171.132.112<BR />Fri Mar 20 14:30:07 2009 [3608]: connect from 128.171.132.112 [128.171.132.112]<BR />Fri Mar 20 14:30:09 2009 [3608]: enable query for 'unknown' unknown from 128.171.132.112 rejected<BR /><BR /><BR />A cisco switch works fine (i.e. user in the enable query is 'czane'): <BR /><BR />Fri Mar 20 14:29:46 2009 [3603]: connect from 128.171.132.114 [128.171.132.114]<BR />Fri Mar 20 14:29:48 2009 [3603]: login query for 'czane' tty2 from 128.171.132.114 accepted<BR />Fri Mar 20 14:29:49 2009 [3602]: session.peerip is 128.171.132.114<BR />Fri Mar 20 14:29:49 2009 [3604]: connect from 128.171.132.114 [128.171.132.114]<BR />Fri Mar 20 14:29:51 2009 [3604]: enable query for 'czane' tty2 from 128.171.132.114 accepted<BR /><BR /><BR />Is this a bug with the procurve tacacs implementation? This "feature" is holding me up from recommending these switches to deploy on our campus.<BR /> Tue, 24 Mar 2009 17:22:21 GMT https://community.hpe.com/t5/switches-hubs-and-modems/tacacs-enable-authentication-2500-series/m-p/4347750#M17254 Chris Zane 2009-03-24T17:22:21Z