06-24-2019 08:13 AM
TACACS not working on HP Comware 7
Hi!
First let me say that we've got working Cisco IOS, NX-OS, IOS-XR, Juniper OS, Brocade Fabric OS, HP ProCurve and Comware 5; however NOT Comware 7.
For TACACS we're using tac_plus probono! (read carefully as there are several versions out there)
Configuration on the HP Comware 7:
hwtacacs scheme tacacs
primary authentication 1.1.1.1 49
key authentication simple myPassword
primary authorization 1.1.1.1 49
key authorization simple myPassword
user-name-format without-domain
!
domain tacacs
authentication login hwtacacs-scheme tacacs local
authorization login hwtacacs-scheme tacacs local
state active
!
domain default enable tacacs
!
line vty 0 63
authentication-mode scheme
user-role network-admin
!
TACACS Server Config (only showing what's necessary; keep in mind this is working with most vendors!)
group = admin {
enable = permit # Allow access to Privileged EXEC
service = shell { # Vendor: Cisco, HP, Brocade
optional brcd-role = admin # Fabric OS (must be optional!)
set priv-lvl = 15 # IOS/XE, NX-OS, PriVision, Comware
set role = network-admin
}
service = junos-exec { # Vendor: Juniper
set local-user-name = remote-su # Junos OS
}
}
Logging from tacacs-server
/var/log/tac_plus/access/20190624.log
2019-06-24 16:40:58 +0200 10.10.10.10 myUser Vlan-interface2001 10.10.10.20 ascii login succeeded
2019-06-24 16:43:30 +0200 10.10.10.10 myUser Vlan-interface2001 10.10.10.20 ascii login succeeded
Debug from Comware 7 switch
*Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processing TACACS authentication.
*Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Dispatching request, Primitive: authentication.
*Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Creating request data, data type: START
*Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Session successfully created.
*Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Getting available server, server-ip=1.1.1.1, server-port=49, VPN instance=--(public).
*Jun 24 16:43:30:158 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Connecting to server...
*Jun 24 16:43:30:362 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLOUT event.
*Jun 24 16:43:30:362 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Connection succeeded, server-ip=1.1.1.1, port=49, VPN instance=--(public).
*Jun 24 16:43:30:362 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Encapsulating authentication request packet.
*Jun 24 16:43:30:362 2019 mySwitch TACACS/7/send_packet:
version: 0xc0 type: AUTHEN_REQUEST seq_no: 1 flag: ENCRYPTED_FLAG
session-id: 0xafc472d8
length of payload: 61
action: LOGIN priv_lvl: 0 authen_type: ASCII service: LOGIN
user_len: 9 port_len: 18 rem_len: 14 data_len: 12
user: myUser
port: Vlan-interface2001
rem_addr: 10.10.10.20
data: ******
*Jun 24 16:43:30:400 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
*Jun 24 16:43:30:400 2019 mySwitch TACACS/7/recv_packet:
version: 0xc0 type: AUTHEN_REPLY seq_no: 2 flag: ENCRYPTED_FLAG
session-id: 0xafc472d8
length of payload: 6
status: STATUS_PASS flags: ECHO
server_msg len: 0 data len: 0
server_msg:
data:
*Jun 24 16:43:30:400 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processing authentication reply packet.
*Jun 24 16:43:30:400 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.
*Jun 24 16:43:30:401 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processed authentication reply message, resultCode: 0.
*Jun 24 16:43:30:401 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: TACACS authentication succeeded.
*Jun 24 16:43:30:402 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processing TACACS authorization.
*Jun 24 16:43:30:402 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Dispatching request, Primitive: authorization.
*Jun 24 16:43:30:402 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Creating request data, data type: START
*Jun 24 16:43:30:402 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Session successfully created.
*Jun 24 16:43:30:403 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Getting available server, server-ip=1.1.1.1, server-port=49, VPN instance=--(public).
*Jun 24 16:43:30:594 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Connecting to server...
*Jun 24 16:43:30:762 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLOUT event.
*Jun 24 16:43:30:762 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Connection succeeded, server-ip=1.1.1.1, port=49, VPN instance=--(public).
*Jun 24 16:43:30:762 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Encapsulating authorization request packet.
*Jun 24 16:43:30:763 2019 mySwitch TACACS/7/send_packet:
version: 0xc0 type: AUTHOR_REQUEST seq_no: 1 flag: ENCRYPTED_FLAG
session-id: 0xee0175cb
length of payload: 68
authen_method: TACACSPLUS priv_lvl: 0 authen_type: ASCII authen_service: LOGIN
user_len: 9 port_len: 18 rem_len: 14 arg_cnt: 2
arg0_len: 13 arg1_len: 4
user: myUser
port: Vlan-interface2001
rem_addr: 10.10.10.20
arg0: service=shell arg1: cmd*
*Jun 24 16:43:30:767 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
*Jun 24 16:43:30:767 2019 mySwitch TACACS/7/recv_packet:
version: 0xc0 type: AUTHOR_REPLY seq_no: 2 flag: ENCRYPTED_FLAG
session-id: 0xee0175cb
length of payload: 37
Status: STATUS_PASS_ADD arg_cnt: 2 server_msg len: 0 data len: 0
arg0_len: 11 arg1_len: 18
server_msg:
data:
arg0: priv-lvl=15 arg1: role=network-admin
*Jun 24 16:43:30:767 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processing authorization reply packet.
*Jun 24 16:43:30:767 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.
*Jun 24 16:43:30:768 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processed authorization reply message, resultCode: 0.
*Jun 24 16:43:30:768 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: TACACS authorization succeeded.
%Jun 24 16:43:30:772 2019 mySwitch SSHS/6/SSHS_LOG: Accepted password for myUser from 10.10.10.20 port 54064 ssh2.
%Jun 24 16:43:30:808 2019 mySwitch SSHS/6/SSHS_CONNECT: SSH user myUser (IP: 10.10.10.20) connected to the server successfully.
%Jun 24 16:43:30:936 2019 mySwitch LOGIN/6/LOGIN_FAILED: myUser failed to log in from 10.10.10.20.
%Jun 24 16:43:34:009 2019 mySwitch SSHS/6/SSHS_DISCONNECT: SSH user myUser (IP: 10.10.10.20) disconnected from the server.
Output from HP Comware Login Attempt
******************************************************************************
* Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
Login failed.
Connection to myswitch.my.domain closed.
What might I be missing? Right now I'm thinking vendor attributes or if I need to create a role on the switch like with Juniper.
// David
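To make the debug output above easier to read, here is an added example (not code from the original post, tac_plus or Comware) that builds and decodes the clear-text bodies of the TACACS+ AUTHOR_REQUEST and AUTHOR_REPLY per RFC 8907. The field values mirror the exchange in the post; the user and rem_addr strings are the post's placeholders, so the request comes out shorter than the post's 68 bytes (its user_len was 9 and rem_len 14), while the reply reproduces the 37-byte payload exactly.

```python
"""TACACS+ authorization body encode/decode (RFC 8907, sections 6.1-6.2).
Added example; it is not the switch's or tac_plus's implementation."""
import struct

# RFC 8907 constants seen in the Comware debug (TACACSPLUS, ASCII, LOGIN, PASS_ADD)
AUTHEN_METH_TACACSPLUS, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x06, 0x01, 0x01
AUTHOR_STATUS_PASS_ADD, AUTHOR_STATUS_FAIL = 0x01, 0x10


def encode_author_request(user, port, rem_addr, args, priv_lvl=0):
    """Clear-text body of an authorization REQUEST (header/obfuscation not included)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [x.encode() for x in args]
    fixed = struct.pack("!8B", AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII,
                        AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(a))
    # arg lengths come first, then user, port, rem_addr and the args themselves
    return fixed + bytes(len(x) for x in a) + u + p + r + b"".join(a)


def encode_author_reply(status, args, server_msg=b"", data=b""):
    """Clear-text body of an authorization REPLY as the server sends it."""
    a = [x.encode() for x in args]
    fixed = struct.pack("!BBHH", status, len(a), len(server_msg), len(data))
    return fixed + bytes(len(x) for x in a) + server_msg + data + b"".join(a)


def parse_avpair(s):
    """Split 'attr=value' (mandatory) or 'attr*value' (optional), RFC 8907 8.2.
    The first '=' or '*' is the separator, so 'cmd*' is the optional attribute cmd."""
    seps = [i for i in (s.find("="), s.find("*")) if i >= 0]
    if not seps:
        raise ValueError("not an attribute-value pair: %r" % s)
    i = min(seps)
    return s[:i], s[i + 1:], s[i] == "="


def decode_author_reply(body):
    """Return (status, {attr: (value, mandatory)}) from a REPLY body."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    pos = 6 + arg_cnt + msg_len + data_len      # args follow server_msg and data
    avpairs = {}
    for n in arg_lens:
        attr, value, mandatory = parse_avpair(body[pos:pos + n].decode())
        avpairs[attr] = (value, mandatory)
        pos += n
    return status, avpairs
```

Decoding the reply from the debug yields status PASS_ADD with both priv-lvl=15 and role=network-admin as mandatory attributes, which shows the server did return the role the switch's vty line expects before the LOGIN_FAILED message appears.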
07-03-2019 04:22 PM
Re: TACACS not working on HP Comware 7
Hi David,
What is the firmware version that is running on the switch?
Also share the complete SSH configuration and vty configuration.
From the debug logs shared, I can see the Telnet user that has already logged in has been disconnected. This is hitting bug LSV7D000489.
There are several bugs related to TACACS; if you are using an older version it is recommended to upgrade the FW to version 7.10 R2432P05 or later.
Also the TACACS configuration looks good except for one of the optional commands (but recommended):
1) In the ISP domain, specify the accounting method for login users.
accounting login { hwtacacs-scheme hwtacacs-scheme-name | [ local ] | [ none ] }
By default, the default accounting method is used for login users. If you don't want to use accounting then specify it as none.
Hope this helps.