
TACACS not working on HP Comware 7

davaba
Occasional Collector


Hi!

First let me say that we've got working Cisco IOS, NX-OS, IOS-XR, Juniper OS, Brocade Fabric OS, HP ProCurve and Comware 5; however NOT Comware 7.

For TACACS we're using tac_plus probono! (read carefully as there are several versions out there)

Configuration on the HP Comware 7:

hwtacacs scheme tacacs
 primary authentication 1.1.1.1 49
 key authentication simple myPassword
 primary authorization 1.1.1.1 49
 key authorization simple myPassword
 user-name-format without-domain
!
domain tacacs
 authentication login hwtacacs-scheme tacacs local
 authorization login hwtacacs-scheme tacacs local
 state active
!
domain default enable tacacs
!
line vty 0 63
 authentication-mode scheme
 user-role network-admin
!

TACACS Server Config (only showing necessary, keep in mind this is working with most vendors!)

group = admin {
    enable = permit                                      # Allow access to Privileged EXEC
    service = shell {                                    # Vendor: Cisco, HP, Brocade
        optional brcd-role = admin                       # Fabric OS (must be optional!)
        set priv-lvl = 15                                # IOS/XE, NX-OS, PriVision, Comware
        set role = network-admin
    }
    service = junos-exec {                               # Vendor: Juniper
      set local-user-name = remote-su                    # Junos OS
    }
}

Logging from tacacs-server

/var/log/tac_plus/access/20190624.log
2019-06-24 16:40:58 +0200	10.10.10.10	myUser	Vlan-interface2001	10.10.10.20	ascii login succeeded
2019-06-24 16:43:30 +0200	10.10.10.10	myUser	Vlan-interface2001	10.10.10.20	ascii login succeeded

Debug from Comware 7 switch

*Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processing TACACS authentication.
*Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Dispatching request, Primitive: authentication.
*Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Creating request data, data type: START
*Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Session successfully created.
*Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Getting available server, server-ip=1.1.1.1, server-port=49, VPN instance=--(public).
*Jun 24 16:43:30:158 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Connecting to server...
*Jun 24 16:43:30:362 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLOUT event.
*Jun 24 16:43:30:362 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Connection succeeded, server-ip=1.1.1.1, port=49, VPN instance=--(public).
*Jun 24 16:43:30:362 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Encapsulating authentication request packet.
*Jun 24 16:43:30:362 2019 mySwitch TACACS/7/send_packet:
version: 0xc0  type: AUTHEN_REQUEST  seq_no: 1  flag: ENCRYPTED_FLAG
session-id: 0xafc472d8
length of payload: 61
action: LOGIN  priv_lvl: 0  authen_type: ASCII  service: LOGIN
user_len: 9   port_len: 18   rem_len: 14   data_len: 12
user: myUser
port: Vlan-interface2001
rem_addr: 10.10.10.20
data: ******
*Jun 24 16:43:30:400 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
*Jun 24 16:43:30:400 2019 mySwitch TACACS/7/recv_packet:
version: 0xc0  type: AUTHEN_REPLY  seq_no: 2  flag: ENCRYPTED_FLAG
session-id: 0xafc472d8
length of payload: 6
status: STATUS_PASS  flags: ECHO
server_msg len: 0  data len: 0
server_msg:
data:
*Jun 24 16:43:30:400 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processing authentication reply packet.
*Jun 24 16:43:30:400 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.
*Jun 24 16:43:30:401 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processed authentication reply message, resultCode: 0.
*Jun 24 16:43:30:401 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: TACACS authentication succeeded.
*Jun 24 16:43:30:402 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processing TACACS authorization.
*Jun 24 16:43:30:402 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Dispatching request, Primitive: authorization.
*Jun 24 16:43:30:402 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Creating request data, data type: START
*Jun 24 16:43:30:402 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Session successfully created.
*Jun 24 16:43:30:403 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Getting available server, server-ip=1.1.1.1, server-port=49, VPN instance=--(public).
*Jun 24 16:43:30:594 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Connecting to server...
*Jun 24 16:43:30:762 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLOUT event.
*Jun 24 16:43:30:762 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Connection succeeded, server-ip=1.1.1.1, port=49, VPN instance=--(public).
*Jun 24 16:43:30:762 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Encapsulating authorization request packet.
*Jun 24 16:43:30:763 2019 mySwitch TACACS/7/send_packet:
version: 0xc0  type: AUTHOR_REQUEST  seq_no: 1  flag: ENCRYPTED_FLAG
session-id: 0xee0175cb
length of payload: 68
authen_method: TACACSPLUS  priv_lvl: 0  authen_type: ASCII  authen_service: LOGIN
user_len: 9   port_len: 18   rem_len: 14   arg_cnt: 2
arg0_len: 13    arg1_len: 4
user: myUser
port: Vlan-interface2001
rem_addr: 10.10.10.20
arg0: service=shell  arg1: cmd*
*Jun 24 16:43:30:767 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
*Jun 24 16:43:30:767 2019 mySwitch TACACS/7/recv_packet:
version: 0xc0  type: AUTHOR_REPLY  seq_no: 2  flag: ENCRYPTED_FLAG
session-id: 0xee0175cb
length of payload: 37
Status: STATUS_PASS_ADD  arg_cnt: 2  server_msg len: 0  data len: 0
arg0_len: 11    arg1_len: 18
server_msg:
data:
arg0: priv-lvl=15  arg1: role=network-admin
*Jun 24 16:43:30:767 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processing authorization reply packet.
*Jun 24 16:43:30:767 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.
*Jun 24 16:43:30:768 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processed authorization reply message, resultCode: 0.
*Jun 24 16:43:30:768 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: TACACS authorization succeeded.
%Jun 24 16:43:30:772 2019 mySwitch SSHS/6/SSHS_LOG: Accepted password for myUser from 10.10.10.20 port 54064 ssh2.

%Jun 24 16:43:30:808 2019 mySwitch SSHS/6/SSHS_CONNECT: SSH user myUser (IP: 10.10.10.20) connected to the server successfully.
%Jun 24 16:43:30:936 2019 mySwitch LOGIN/6/LOGIN_FAILED: myUser failed to log in from 10.10.10.20.
%Jun 24 16:43:34:009 2019 mySwitch SSHS/6/SSHS_DISCONNECT: SSH user myUser (IP: 10.10.10.20) disconnected from the server.

Output from HP Comware Login Attempt

******************************************************************************
* Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP          *
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************

Login failed.
Connection to myswitch.my.domain closed.

What might I be missing? Right now I'm thinking vendor attributes or if I need to create a role on the switch like with Juniper.

// David
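The debug output above shows both TACACS+ phases passing (STATUS_PASS, then STATUS_PASS_ADD returning priv-lvl=15 and role=network-admin) and the switch still logging LOGIN_FAILED. The following is an added example, not code from the original post or from HPE, that parses Comware debug/syslog lines for one login attempt, keeps only the arguments the server returned in the AUTHOR_REPLY (ignoring the ones the switch sent in its request), and classifies where in the login path the attempt broke down. The sample log is constructed from the lines quoted above.

```python
import re

# Constructed sample: an abridged copy of the switch debug output quoted in the post.
SAMPLE_LOG = """\
*Jun 24 16:43:30:401 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: TACACS authentication succeeded.
*Jun 24 16:43:30:763 2019 mySwitch TACACS/7/send_packet:
version: 0xc0  type: AUTHOR_REQUEST  seq_no: 1  flag: ENCRYPTED_FLAG
arg0: service=shell  arg1: cmd*
*Jun 24 16:43:30:767 2019 mySwitch TACACS/7/recv_packet:
version: 0xc0  type: AUTHOR_REPLY  seq_no: 2  flag: ENCRYPTED_FLAG
Status: STATUS_PASS_ADD  arg_cnt: 2  server_msg len: 0  data len: 0
arg0: priv-lvl=15  arg1: role=network-admin
*Jun 24 16:43:30:768 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: TACACS authorization succeeded.
%Jun 24 16:43:30:772 2019 mySwitch SSHS/6/SSHS_LOG: Accepted password for myUser from 10.10.10.20 port 54064 ssh2.
%Jun 24 16:43:30:936 2019 mySwitch LOGIN/6/LOGIN_FAILED: myUser failed to log in from 10.10.10.20.
"""

TYPE_RE = re.compile(r"type: (\w+)")          # packet type in the decoded header line
ARG_RE = re.compile(r"arg\d+: (\S+=\S+)")     # key=value attributes (skips "cmd*")


def analyze(log):
    """Summarise the AAA outcome of one login attempt from Comware debug output."""
    summary = {"authen": False, "author": False, "author_args": {},
               "ssh_accepted": False, "login_failed": False}
    packet_type = None
    for line in log.splitlines():
        if "TACACS authentication succeeded" in line:
            summary["authen"] = True
        elif "TACACS authorization succeeded" in line:
            summary["author"] = True
        elif m := TYPE_RE.search(line):
            packet_type = m.group(1)           # remember which packet the args belong to
        elif line.startswith("arg") and packet_type == "AUTHOR_REPLY":
            for kv in ARG_RE.findall(line):    # only attributes the server returned
                key, value = kv.split("=", 1)
                summary["author_args"][key] = value
        elif "SSHS_LOG: Accepted" in line:
            summary["ssh_accepted"] = True
        elif "LOGIN_FAILED" in line:
            summary["login_failed"] = True
    return summary


def diagnose(summary):
    """Point at the stage that failed so the server is not blamed for a switch-side problem."""
    if not summary["authen"]:
        return "authentication rejected by TACACS+ server"
    if not summary["author"]:
        return "authorization rejected by TACACS+ server"
    if summary["login_failed"]:
        # Both phases passed, yet the switch refused the session: look on the switch
        # (role handling, firmware) rather than at the server configuration.
        return "AAA passed but local login failed (check switch role handling/firmware)"
    return "login succeeded"
```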

Santhu0025
HPE Pro

Re: TACACS not working on HP Comware 7

Hi David,

What is the firmware version that is running on the switch?
Also share the complete SSH configuration and vty configuration.

From the debug logs shared, I can see the Telnet user that has already logged in has been disconnected. This is hitting bug LSV7D000489.
There are several bugs related to TACACS; if you are using an older version, it is recommended to upgrade the FW to version 7.10. R2432P05 or later.

Also, the TACACS configuration looks good except for one of the optional (but recommended) commands.

1) In the ISP domain, specify the accounting method for login users.
accounting login { hwtacacs-scheme hwtacacs-scheme-name | [ local ] | [ none ] }
By default, the default accounting method is used for login users. If you don't want to use accounting, then specify it as none.


Hope this helps.

I am an HPE Employee
