06-24-2019 08:13 AM
TACACS not working on HP Comware 7
Hi!
First let me say that we've got working Cisco IOS, NX-OS, IOS-XR, Juniper OS, Brocade Fabric OS, HP ProCurve and Comware 5; however NOT Comware 7.
For TACACS we're using tac_plus probono! (read carefully as there are several versions out there)
Configuration on the HP Comware 7:
hwtacacs scheme tacacs
primary authentication 1.1.1.1 49
key authentication simple myPassword
primary authorization 1.1.1.1 49
key authorization simple myPassword
user-name-format without-domain
!
domain tacacs
authentication login hwtacacs-scheme tacacs local
authorization login hwtacacs-scheme tacacs local
state active
!
domain default enable tacacs
!
line vty 0 63
authentication-mode scheme
user-role network-admin
!
TACACS Server Config (only showing what is necessary; keep in mind this is working with most vendors!)
group = admin {
enable = permit # Allow access to Privileged EXEC
service = shell { # Vendor: Cisco, HP, Brocade
optional brcd-role = admin # Fabric OS (must be optional!)
set priv-lvl = 15 # IOS/XE, NX-OS, PriVision, Comware
set role = network-admin
}
service = junos-exec { # Vendor: Juniper
set local-user-name = remote-su # Junos OS
}
}
Logging from tacacs-server
/var/log/tac_plus/access/20190624.log
2019-06-24 16:40:58 +0200 10.10.10.10 myUser Vlan-interface2001 10.10.10.20 ascii login succeeded
2019-06-24 16:43:30 +0200 10.10.10.10 myUser Vlan-interface2001 10.10.10.20 ascii login succeeded
Debug from Comware 7 switch
*Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processing TACACS authentication.
*Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Dispatching request, Primitive: authentication.
*Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Creating request data, data type: START
*Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Session successfully created.
*Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Getting available server, server-ip=1.1.1.1, server-port=49, VPN instance=--(public).
*Jun 24 16:43:30:158 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Connecting to server...
*Jun 24 16:43:30:362 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLOUT event.
*Jun 24 16:43:30:362 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Connection succeeded, server-ip=1.1.1.1, port=49, VPN instance=--(public).
*Jun 24 16:43:30:362 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Encapsulating authentication request packet.
*Jun 24 16:43:30:362 2019 mySwitch TACACS/7/send_packet:
version: 0xc0 type: AUTHEN_REQUEST seq_no: 1 flag: ENCRYPTED_FLAG
session-id: 0xafc472d8
length of payload: 61
action: LOGIN priv_lvl: 0 authen_type: ASCII service: LOGIN
user_len: 9 port_len: 18 rem_len: 14 data_len: 12
user: myUser
port: Vlan-interface2001
rem_addr: 10.10.10.20
data: ******
*Jun 24 16:43:30:400 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
*Jun 24 16:43:30:400 2019 mySwitch TACACS/7/recv_packet:
version: 0xc0 type: AUTHEN_REPLY seq_no: 2 flag: ENCRYPTED_FLAG
session-id: 0xafc472d8
length of payload: 6
status: STATUS_PASS flags: ECHO
server_msg len: 0 data len: 0
server_msg:
data:
*Jun 24 16:43:30:400 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processing authentication reply packet.
*Jun 24 16:43:30:400 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.
*Jun 24 16:43:30:401 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processed authentication reply message, resultCode: 0.
*Jun 24 16:43:30:401 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: TACACS authentication succeeded.
*Jun 24 16:43:30:402 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processing TACACS authorization.
*Jun 24 16:43:30:402 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Dispatching request, Primitive: authorization.
*Jun 24 16:43:30:402 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Creating request data, data type: START
*Jun 24 16:43:30:402 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Session successfully created.
*Jun 24 16:43:30:403 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Getting available server, server-ip=1.1.1.1, server-port=49, VPN instance=--(public).
*Jun 24 16:43:30:594 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Connecting to server...
*Jun 24 16:43:30:762 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLOUT event.
*Jun 24 16:43:30:762 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Connection succeeded, server-ip=1.1.1.1, port=49, VPN instance=--(public).
*Jun 24 16:43:30:762 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Encapsulating authorization request packet.
*Jun 24 16:43:30:763 2019 mySwitch TACACS/7/send_packet:
version: 0xc0 type: AUTHOR_REQUEST seq_no: 1 flag: ENCRYPTED_FLAG
session-id: 0xee0175cb
length of payload: 68
authen_method: TACACSPLUS priv_lvl: 0 authen_type: ASCII authen_service: LOGIN
user_len: 9 port_len: 18 rem_len: 14 arg_cnt: 2
arg0_len: 13 arg1_len: 4
user: myUser
port: Vlan-interface2001
rem_addr: 10.10.10.20
arg0: service=shell arg1: cmd*
*Jun 24 16:43:30:767 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
*Jun 24 16:43:30:767 2019 mySwitch TACACS/7/recv_packet:
version: 0xc0 type: AUTHOR_REPLY seq_no: 2 flag: ENCRYPTED_FLAG
session-id: 0xee0175cb
length of payload: 37
Status: STATUS_PASS_ADD arg_cnt: 2 server_msg len: 0 data len: 0
arg0_len: 11 arg1_len: 18
server_msg:
data:
arg0: priv-lvl=15 arg1: role=network-admin
*Jun 24 16:43:30:767 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processing authorization reply packet.
*Jun 24 16:43:30:767 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.
*Jun 24 16:43:30:768 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processed authorization reply message, resultCode: 0.
*Jun 24 16:43:30:768 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: TACACS authorization succeeded.
%Jun 24 16:43:30:772 2019 mySwitch SSHS/6/SSHS_LOG: Accepted password for myUser from 10.10.10.20 port 54064 ssh2.
%Jun 24 16:43:30:808 2019 mySwitch SSHS/6/SSHS_CONNECT: SSH user myUser (IP: 10.10.10.20) connected to the server successfully.
%Jun 24 16:43:30:936 2019 mySwitch LOGIN/6/LOGIN_FAILED: myUser failed to log in from 10.10.10.20.
%Jun 24 16:43:34:009 2019 mySwitch SSHS/6/SSHS_DISCONNECT: SSH user myUser (IP: 10.10.10.20) disconnected from the server.
Output from HP Comware Login Attempt
******************************************************************************
* Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
Login failed.
Connection to myswitch.my.domain closed.
What might I be missing? Right now I'm thinking vendor attributes or if I need to create a role on the switch like with Juniper.
// David
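The authorization exchange shown in the debug above, reconstructed as an added Python example (this is not code from the original post, from tac_plus or from Comware): it encodes the AUTHOR_REQUEST the way the switch does, applies the RFC 8907 MD5 pseudo-pad obfuscation with the shared key, decodes it on the server side, answers with PASS_ADD carrying the two arguments seen in the reply, and decodes that answer on the device side. The key `myPassword`, session id 0xee0175cb, the user/port/rem_addr values and both argument lists are taken from the post; every function name and the dict returned by `run_exchange` are this example's own. The 68-byte request length in the debug corresponds to the redacted 9-character user and 14-character rem_addr, so with the literal `myUser` and `10.10.10.20` the request body comes to 62 bytes, while the 37-byte reply length matches the debug exactly.

```python
"""Added example: minimal TACACS+ (RFC 8907) authorization exchange."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0                  # major 0xC, minor 0 (the 0xc0 in the debug)
TAC_PLUS_AUTHOR = 0x02                   # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01         # flags bit; clear => body is obfuscated
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10

HEADER = struct.Struct("!BBBBII")        # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5 chain over session_id | key | version | seq_no [| prev]."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def wrap(ptype, seq_no, session_id, body, key):
    """Prepend the 12-byte header; flags=0 means the body is obfuscated with key."""
    hdr = HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def unwrap(packet, key):
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return ptype, seq_no, session_id, body


def build_author_request(user, port, rem_addr, args, priv_lvl=0):
    """Body layout: 8 fixed bytes, one length byte per arg, then the strings."""
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl,
                        TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                        len(user), len(port), len(rem_addr), len(args))
    return fixed + bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)


def parse_author_request(body):
    _meth, priv, _atype, _svc, ulen, plen, rlen, argc = struct.unpack("!8B", body[:8])
    off = 8
    arg_lens = list(body[off:off + argc]); off += argc
    user = body[off:off + ulen]; off += ulen
    port = body[off:off + plen]; off += plen
    rem_addr = body[off:off + rlen]; off += rlen
    args = []
    for n in arg_lens:
        args.append(body[off:off + n]); off += n
    if off != len(body):
        raise ValueError("length fields do not cover the body (wrong key?)")
    return {"user": user, "port": port, "rem_addr": rem_addr, "priv_lvl": priv, "args": args}


def build_author_reply(status, args, server_msg=b"", data=b""):
    """Body layout: status, arg_cnt, server_msg_len(2), data_len(2), arg lens, strings."""
    fixed = struct.pack("!BBHH", status, len(args), len(server_msg), len(data))
    return fixed + bytes(len(a) for a in args) + server_msg + data + b"".join(args)


def parse_author_reply(body):
    status, argc, smlen, dlen = struct.unpack("!BBHH", body[:6])
    off = 6
    arg_lens = list(body[off:off + argc]); off += argc
    server_msg = body[off:off + smlen]; off += smlen
    data = body[off:off + dlen]; off += dlen
    args = []
    for n in arg_lens:
        args.append(body[off:off + n]); off += n
    if off != len(body):
        raise ValueError("length fields do not cover the body (wrong key?)")
    return {"status": status, "server_msg": server_msg, "data": data, "args": args}


def run_exchange(key=b"myPassword", server_key=None):
    """Device sends seq 1, server answers seq 2, device parses the answer."""
    server_key = key if server_key is None else server_key
    session_id = 0xEE0175CB                                   # from the debug output
    # --- device (NAS) side: the request seen in the debug ---
    req_body = build_author_request(b"myUser", b"Vlan-interface2001", b"10.10.10.20",
                                    [b"service=shell", b"cmd*"])
    req_pkt = wrap(TAC_PLUS_AUTHOR, 1, session_id, req_body, key)
    # --- server side (stand-in for tac_plus with the group = admin stanza) ---
    _ptype, seq, sid, body = unwrap(req_pkt, server_key)
    req = parse_author_request(body)
    if b"service=shell" in req["args"]:
        rep_body = build_author_reply(TAC_PLUS_AUTHOR_STATUS_PASS_ADD,
                                      [b"priv-lvl=15", b"role=network-admin"])
    else:
        rep_body = build_author_reply(TAC_PLUS_AUTHOR_STATUS_FAIL, [])
    rep_pkt = wrap(TAC_PLUS_AUTHOR, seq + 1, sid, rep_body, server_key)
    # --- device side: decode the reply ---
    _, _, _, body = unwrap(rep_pkt, key)
    rep = parse_author_reply(body)
    return {"request_len": len(req_body), "reply_len": len(rep_body),
            "echoed_user": req["user"], **rep}
```

Two things the code makes visible that the debug only implies. First, the "ENCRYPTED_FLAG" body is an XOR against an MD5 keystream derived from the shared key, not authenticated encryption: anyone holding `myPassword` (or a capture plus a guess at it) can decode every session, which is why the key belongs on a management VPN instance and not on the plain "public" path the debug shows. Second, `STATUS_PASS_ADD` lets the server append arguments the device never asked for (here `role=network-admin`); whether a given NAS acts on such an argument is device-specific, which is exactly the question this thread is about.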
07-03-2019 04:22 PM
Re: TACACS not working on HP Comware 7
Hi David,
What is the Firmware version that is running on the switch?
Also share the complete SSH configuration and vty configuration.
From the debug logs shared, I can see the Telnet user that has already logged in has been disconnected. This is hitting bug LSV7D000489.
There are several bugs related to TACACS; if you are using an older version, it is recommended to upgrade the FW to version 7.10. R2432P05 or later.
Also, the TACACS configuration looks good except for one of the optional (but recommended) commands.
1) In the ISP domain, specify the accounting method for login users.
accounting login { hwtacacs-scheme hwtacacs-scheme-name | [ local ] | [ none ] } -
By default, the default accounting method is used for login users. If you don't want to use accounting, then specify it as none.
Hope this helps.