Comware Based
cancel
Showing results for 
Search instead for 
Did you mean: 

Configuration TACACS comware 7 to TACACS server over Linux

gcg
Occasional Visitor

Configuration TACACS comware 7 to TACACS server over Linux

Hello, I have a problem with my configuration when to try conection to tacacs server over linux (tac_plus version F4.0.4.26), the problem is that my connection have a litle time (seconds) after disconnected from the server.

this is debug from switch HPE 5130:

%Mar  7 01:24:08:896 2013 sONEAMXDCPolo2_SB01A SSHS/6/SSHS_CONNECT: SSH user C12240 (IP: 172.19.216.125) connected to the server successfully.

%Mar  7 01:24:11:051 2013 sONEAMXDCPolo2_SB01A SSHS/6/SSHS_DISCONNECT: SSH user C12240 (IP: 172.19.216.125) disconnected from the server.

My configuration is: 

hwtacacs scheme TACAS_CLARO
primary authentication 172.19.216.49 key simple ciscoman
primary authorization 172.19.216.49 key simple ciscoman
primary accounting 172.19.216.49 key simple ciscoman
nas-ip 10.96.136.130
user-name-format without-domain

domain TACAS_CLARO
authentication default hwtacacs-scheme TACAS_CLARO
authorization default hwtacacs-scheme TACAS_CLARO
accounting default hwtacacs-scheme TACAS_CLARO
access-limit disable
state active
idle-cut disable
self-service-url disable

domain default enable TACAS_CLARO

Wait for you help me.

regards.

Guillermo

2 REPLIES
sdide
Respected Contributor

Re: Configuration TACACS comware 7 to TACACS server over Linux

Hi,

What software are you running on the switch?

What is the line vty configuration on the switch?

I have the exact same setup - almost, (I run F4.0.4.19) on the TACACS+ . It works fine for me. I have no NAS-IP defined.

Regards

 

Søren Dideriksen, Network Administrator
Region Midtjylland
anonlife
Occasional Visitor

Re: Configuration TACACS comware 7 to TACACS server over Linux

Hello, I know this thread is old but I have the same problem and I can't solve it. My setup is an HPE VSR1000 + Linux Ubuntu . I can't log in the HPE with TACACS via telnet, it shows Connection closed by foreign host.
I'm running  TACACS+ F4.0.4.26 version on 3.13.0-137-generic #186-Ubuntu 

Extract of my tacacs conf:

user = admin {
member = admin
login = des "example"
}

group = admin {
default service = permit }

The logs on my server show:  Jan 31 13:54:11  <ipaddressorigin> admin   vty2    ipaddresstacacs   stop    task_id=0       timezone=0      service=shell   disc_cause=0    disc_cause_ext=0        bytes_in=0      bytes_out=0     paks_in=0  paks_out=0


TACACS+ configuration on HPE V1000:

hwtacacs scheme TACACS+CG

nas-ip <HPEIPloopback>

primary authentication x.x.x.x key simple test1234

primary authorization x.x.x.x key simple test1234

primary accounting x.xx.x key simple test1234
timer response-timeout 10

user-name-format without-domain

quit

 

domain TACACS+TEST 

authentication login hwtacacs-scheme TACACS+TEST local

authentication super hwtacacs-scheme TACACS+TEST

authentication default hwtacacs-scheme TACACS+TEST local

authorization login hwtacacs-scheme TACACS+TEST local

authorization command hwtacacs-scheme TACACS+TEST local

authorization default hwtacacs-scheme TACACS+TEST local

accounting login hwtacacs-scheme TACACS+TEST

accounting command hwtacacs-scheme TACACS+TEST

accounting default hwtacacs-scheme TACACS+TEST

quit

domain default enable TACACS+TEST

super authentication-mode scheme

line vty 0 63
authentication-mode scheme
command authorization
command accounting

__________________

The output of debugging:

*Jan 31 15:08:23:639 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Encapsulating accounting request packet.
*Jan 31 15:08:23:639 2018 HPE6 TACACS/7/send_packet:
version: 0xc0  type: ACCOUNT_REQUEST  seq_no: 1  flag: ENCRYPTED_FLAG
session-id: 0x33ede1b1
length of payload: 63
flags: START
authen_method: TACACSPLUS  authen_service: LOGIN
user_len: 5   port_len: 4   rem_len: 10   arg_cnt: 3
arg0_len: 9     arg1_len: 10    arg2_len: 13
user: admin
port: vty2
rem_addr: XXXX
arg0: task_id=0  arg1: timezone=0
arg2: service=shell 
*Jan 31 15:08:23:642 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
*Jan 31 15:08:23:642 2018 HPE6 TACACS/7/recv_packet:
version: 0xc0  type: ACCOUNT_REPLY  seq_no: 2  flag: ENCRYPTED_FLAG
session-id: 0x33ede1b1
length of payload: 5
server_msg len: 0  data len: 0  status: STATUS_SUCCESS
server_msg:
data:
*Jan 31 15:08:23:642 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Processing accounting reply packet.
*Jan 31 15:08:23:642 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Processed accounting-start reply message, resultCode: 0.
*Jan 31 15:08:23:642 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: TACACS start-accounting succeeded.
*Jan 31 15:08:23:649 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.
*Jan 31 15:08:23:649 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Processing TACACS stop-accounting.
*Jan 31 15:08:23:650 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Dispatching request, Primitive: accounting-stop.
*Jan 31 15:08:23:650 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Creating request data, data type: START
*Jan 31 15:08:23:650 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Session successfully created.
*Jan 31 15:08:23:650 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Getting available server, server-ip=XXXX, server-port=49, VPN instance=--(public).
*Jan 31 15:08:23:650 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Connecting to server...
*Jan 31 15:08:23:650 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLOUT event.
*Jan 31 15:08:23:650 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Connection succeeded, server-ip=XXXX, port=49, VPN instance=--(public).
*Jan 31 15:08:23:650 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Encapsulating accounting request packet.
*Jan 31 15:08:23:650 2018 HPE6 TACACS/7/send_packet:
version: 0xc0  type: ACCOUNT_REQUEST  seq_no: 1  flag: ENCRYPTED_FLAG
session-id: 0x8efa1082
length of payload: 137
flags: STOP
authen_method: TACACSPLUS  authen_service: LOGIN
user_len: 5   port_len: 4   rem_len: 10   arg_cnt: 9
arg0_len: 9     arg1_len: 10    arg2_len: 13    arg3_len: 12
arg4_len: 16    arg5_len: 10    arg6_len: 11    arg7_len: 9 
arg8_len: 10
user: admin
port: vty2
rem_addr: XXXXX
arg0: task_id=0  arg1: timezone=0
arg2: service=shell  arg3: disc_cause=0
arg4: disc_cause_ext=0  arg5: bytes_in=0
arg6: bytes_out=0  arg7: paks_in=0
arg8: paks_out=0 
*Jan 31 15:08:23:653 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
*Jan 31 15:08:23:653 2018 HPE6 TACACS/7/recv_packet:
version: 0xc0  type: ACCOUNT_REPLY  seq_no: 2  flag: ENCRYPTED_FLAG
session-id: 0x8efa1082
length of payload: 5
server_msg len: 0  data len: 0  status: STATUS_SUCCESS
server_msg:
data:
*Jan 31 15:08:23:653 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Processing accounting reply packet.
*Jan 31 15:08:23:653 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.
*Jan 31 15:08:23:653 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Processed accounting-stop reply message, resultCode: 0.
*Jan 31 15:08:23:653 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: TACACS stop-accounting succeeded.
*Jan 31 15:08:44:250 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Set status of server to active successfully. serverIP: xxxx, serverPort: 49.

Please, could anybody help me?
Thanks