Community
Comware Based

TACACS not working on HP Comware 7

 
davaba
Occasional Collector

‎06-24-2019 08:13 AM

‎06-24-2019 08:13 AM

TACACS not working on HP Comware 7

Hi!

First let me say that we've got working Cisco IOS, NX-OS, IOS-XR, Juniper OS, Brocade Fabric OS, HP ProCurve and Comware 5; however NOT Comware 7.

For TACACS we're using tac_plus probono! (read carefully as there are several versions out there)

Configuration on the HP Comware 7:

hwtacacs scheme tacacs
 primary authentication 1.1.1.1 49
 key authentication simple myPassword
 primary authorization 1.1.1.1 49
 key authorization simple myPassword
 user-name-format without-domain
!
domain tacacs
 authentication login hwtacacs-scheme tacacs local
 authorization login hwtacacs-scheme tacacs local
 state active
!
domain default enable tacacs
!
line vty 0 63
 authentication-mode scheme
 user-role network-admin
!

TACACS Server Config (only showing necessary, keep in mind this is working with most vendors!)

group = admin {
    enable = permit                                      # Allow access to Privileged EXEC
    service = shell {                                    # Vendor: Cisco, HP, Brocade
        optional brcd-role = admin                       # Fabric OS (must be optional!)
        set priv-lvl = 15                                # IOS/XE, NX-OS, PriVision, Comware
        set role = network-admin
    }
    service = junos-exec {                               # Vendor: Juniper
      set local-user-name = remote-su                    # Junos OS
    }
}

Logging from tacacs-server

/var/log/tac_plus/access/20190624.log
2019-06-24 16:40:58 +0200	10.10.10.10	myUser	Vlan-interface2001	10.10.10.20	ascii login succeeded
2019-06-24 16:43:30 +0200	10.10.10.10	myUser	Vlan-interface2001	10.10.10.20	ascii login succeeded

Debug from Comware 7 switch

*Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processing TACACS authentication.
*Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Dispatching request, Primitive: authentication.
*Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Creating request data, data type: START
*Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Session successfully created.
*Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Getting available server, server-ip=1.1.1.1, server-port=49, VPN instance=--(public).
*Jun 24 16:43:30:158 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Connecting to server...
*Jun 24 16:43:30:362 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLOUT event.
*Jun 24 16:43:30:362 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Connection succeeded, server-ip=1.1.1.1, port=49, VPN instance=--(public).
*Jun 24 16:43:30:362 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Encapsulating authentication request packet.
*Jun 24 16:43:30:362 2019 mySwitch TACACS/7/send_packet:
version: 0xc0  type: AUTHEN_REQUEST  seq_no: 1  flag: ENCRYPTED_FLAG
session-id: 0xafc472d8
length of payload: 61
action: LOGIN  priv_lvl: 0  authen_type: ASCII  service: LOGIN
user_len: 9   port_len: 18   rem_len: 14   data_len: 12
user: myUser
port: Vlan-interface2001
rem_addr: 10.10.10.20
data: ******
*Jun 24 16:43:30:400 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
*Jun 24 16:43:30:400 2019 mySwitch TACACS/7/recv_packet:
version: 0xc0  type: AUTHEN_REPLY  seq_no: 2  flag: ENCRYPTED_FLAG
session-id: 0xafc472d8
length of payload: 6
status: STATUS_PASS  flags: ECHO
server_msg len: 0  data len: 0
server_msg:
data:
*Jun 24 16:43:30:400 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processing authentication reply packet.
*Jun 24 16:43:30:400 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.
*Jun 24 16:43:30:401 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processed authentication reply message, resultCode: 0.
*Jun 24 16:43:30:401 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: TACACS authentication succeeded.
*Jun 24 16:43:30:402 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processing TACACS authorization.
*Jun 24 16:43:30:402 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Dispatching request, Primitive: authorization.
*Jun 24 16:43:30:402 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Creating request data, data type: START
*Jun 24 16:43:30:402 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Session successfully created.
*Jun 24 16:43:30:403 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Getting available server, server-ip=1.1.1.1, server-port=49, VPN instance=--(public).
*Jun 24 16:43:30:594 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Connecting to server...
*Jun 24 16:43:30:762 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLOUT event.
*Jun 24 16:43:30:762 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Connection succeeded, server-ip=1.1.1.1, port=49, VPN instance=--(public).
*Jun 24 16:43:30:762 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Encapsulating authorization request packet.
*Jun 24 16:43:30:763 2019 mySwitch TACACS/7/send_packet:
version: 0xc0  type: AUTHOR_REQUEST  seq_no: 1  flag: ENCRYPTED_FLAG
session-id: 0xee0175cb
length of payload: 68
authen_method: TACACSPLUS  priv_lvl: 0  authen_type: ASCII  authen_service: LOGIN
user_len: 9   port_len: 18   rem_len: 14   arg_cnt: 2
arg0_len: 13    arg1_len: 4
user: myUser
port: Vlan-interface2001
rem_addr: 10.10.10.20
arg0: service=shell  arg1: cmd*
*Jun 24 16:43:30:767 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
*Jun 24 16:43:30:767 2019 mySwitch TACACS/7/recv_packet:
version: 0xc0  type: AUTHOR_REPLY  seq_no: 2  flag: ENCRYPTED_FLAG
session-id: 0xee0175cb
length of payload: 37
Status: STATUS_PASS_ADD  arg_cnt: 2  server_msg len: 0  data len: 0
arg0_len: 11    arg1_len: 18
server_msg:
data:
arg0: priv-lvl=15  arg1: role=network-admin
*Jun 24 16:43:30:767 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processing authorization reply packet.
*Jun 24 16:43:30:767 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.
*Jun 24 16:43:30:768 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processed authorization reply message, resultCode: 0.
*Jun 24 16:43:30:768 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: TACACS authorization succeeded.
%Jun 24 16:43:30:772 2019 mySwitch SSHS/6/SSHS_LOG: Accepted password for myUser from 10.10.10.20 port 54064 ssh2.

%Jun 24 16:43:30:808 2019 mySwitch SSHS/6/SSHS_CONNECT: SSH user myUser (IP: 10.10.10.20) connected to the server successfully.
%Jun 24 16:43:30:936 2019 mySwitch LOGIN/6/LOGIN_FAILED: myUser failed to log in from 10.10.10.20.
%Jun 24 16:43:34:009 2019 mySwitch SSHS/6/SSHS_DISCONNECT: SSH user myUser (IP: 10.10.10.20) disconnected from the server.

Output from HP Comware Login Attempt

******************************************************************************
* Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP          *
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************

Login failed.
Connection to myswitch.my.domain closed.

What might I be missing? Right now I'm thinking vendor attributes or if I need to create a role on the switch like with Juniper.

// David

0 Kudos
1 REPLY 1
Santhu0025
HPE Pro

‎07-03-2019 04:22 PM

‎07-03-2019 04:22 PM

Re: TACACS not working on HP Comware 7

Hi David,

What is the Firware version that is running on the switch?
Also share the complete SSH configuration and vty configuration.

From the debugg logs shared, i can see the Telnet user has already logged in has been disconnected. This is hitting a bug LSV7D000489.
There are several bugs related to TACACS if you are using a older version it is recommended to upgarde the FW to version 7.10. R2432P05 or later.

Also TACACS configuration looks good except for a one of optional commands. (but recommended)

1) In the ISP domain, Specify the accounting method for login users.
accounting login { hwtacacs-scheme hwtacacs-scheme-name | [ local ] | [ none ] } -
By default, the default accounting method is used for login users. if you dont want to use the accounting then specifiy it as none.


Hope this helps.

I am a HPE Employee

Accept or Kudo

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.