09-22-2016 10:06 AM
Configuration TACACS comware 7 to TACACS server over Linux
Hello, I have a problem with my configuration when I try to connect to a TACACS server on Linux (tac_plus version F4.0.4.26). The problem is that my connection lasts a short time (seconds) and is then disconnected from the server.
This is the debug output from the HPE 5130 switch:
%Mar 7 01:24:08:896 2013 sONEAMXDCPolo2_SB01A SSHS/6/SSHS_CONNECT: SSH user C12240 (IP: 172.19.216.125) connected to the server successfully.
%Mar 7 01:24:11:051 2013 sONEAMXDCPolo2_SB01A SSHS/6/SSHS_DISCONNECT: SSH user C12240 (IP: 172.19.216.125) disconnected from the server.
My configuration is:
hwtacacs scheme TACAS_CLARO
 primary authentication 172.19.216.49 key simple ciscoman
 primary authorization 172.19.216.49 key simple ciscoman
 primary accounting 172.19.216.49 key simple ciscoman
 nas-ip 10.96.136.130
 user-name-format without-domain
domain TACAS_CLARO
 authentication default hwtacacs-scheme TACAS_CLARO
 authorization default hwtacacs-scheme TACAS_CLARO
 accounting default hwtacacs-scheme TACAS_CLARO
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
domain default enable TACAS_CLARO
I look forward to your help.
Regards.
Guillermo
09-27-2016 07:05 AM
Re: Configuration TACACS comware 7 to TACACS server over Linux
Hi,
What software are you running on the switch?
What is the line vty configuration on the switch?
I have almost the exact same setup (I run F4.0.4.19 on the TACACS+ server). It works fine for me. I have no NAS-IP defined.
Regards
Region Midtjylland
01-31-2018 05:17 AM
Re: Configuration TACACS comware 7 to TACACS server over Linux
Hello, I know this thread is old but I have the same problem and I can't solve it. My setup is an HPE VSR1000 + Linux Ubuntu. I can't log in to the HPE with TACACS via telnet; it shows "Connection closed by foreign host".
I'm running TACACS+ F4.0.4.26 version on 3.13.0-137-generic #186-Ubuntu
Extract of my tacacs conf:
user = admin {
    member = admin
    login = des "example"
}
group = admin {
    default service = permit
}
The logs on my server show:
Jan 31 13:54:11 <ipaddressorigin> admin vty2 ipaddresstacacs stop task_id=0 timezone=0 service=shell disc_cause=0 disc_cause_ext=0 bytes_in=0 bytes_out=0 paks_in=0 paks_out=0
TACACS+ configuration on HPE V1000:
hwtacacs scheme TACACS+CG
 nas-ip <HPEIPloopback>
 primary authentication x.x.x.x key simple test1234
 primary authorization x.x.x.x key simple test1234
 primary accounting x.xx.x key simple test1234
 timer response-timeout 10
 user-name-format without-domain
 quit
domain TACACS+TEST
 authentication login hwtacacs-scheme TACACS+TEST local
 authentication super hwtacacs-scheme TACACS+TEST
 authentication default hwtacacs-scheme TACACS+TEST local
 authorization login hwtacacs-scheme TACACS+TEST local
 authorization command hwtacacs-scheme TACACS+TEST local
 authorization default hwtacacs-scheme TACACS+TEST local
 accounting login hwtacacs-scheme TACACS+TEST
 accounting command hwtacacs-scheme TACACS+TEST
 accounting default hwtacacs-scheme TACACS+TEST
 quit
domain default enable TACACS+TEST
super authentication-mode scheme
line vty 0 63
 authentication-mode scheme
 command authorization
 command accounting
__________________
The output of debugging:
*Jan 31 15:08:23:639 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Encapsulating accounting request packet.
*Jan 31 15:08:23:639 2018 HPE6 TACACS/7/send_packet:
version: 0xc0 type: ACCOUNT_REQUEST seq_no: 1 flag: ENCRYPTED_FLAG
session-id: 0x33ede1b1
length of payload: 63
flags: START
authen_method: TACACSPLUS authen_service: LOGIN
user_len: 5 port_len: 4 rem_len: 10 arg_cnt: 3
arg0_len: 9 arg1_len: 10 arg2_len: 13
user: admin
port: vty2
rem_addr: XXXX
arg0: task_id=0 arg1: timezone=0
arg2: service=shell
*Jan 31 15:08:23:642 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
*Jan 31 15:08:23:642 2018 HPE6 TACACS/7/recv_packet:
version: 0xc0 type: ACCOUNT_REPLY seq_no: 2 flag: ENCRYPTED_FLAG
session-id: 0x33ede1b1
length of payload: 5
server_msg len: 0 data len: 0 status: STATUS_SUCCESS
server_msg:
data:
*Jan 31 15:08:23:642 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Processing accounting reply packet.
*Jan 31 15:08:23:642 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Processed accounting-start reply message, resultCode: 0.
*Jan 31 15:08:23:642 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: TACACS start-accounting succeeded.
*Jan 31 15:08:23:649 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.
*Jan 31 15:08:23:649 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Processing TACACS stop-accounting.
*Jan 31 15:08:23:650 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Dispatching request, Primitive: accounting-stop.
*Jan 31 15:08:23:650 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Creating request data, data type: START
*Jan 31 15:08:23:650 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Session successfully created.
*Jan 31 15:08:23:650 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Getting available server, server-ip=XXXX, server-port=49, VPN instance=--(public).
*Jan 31 15:08:23:650 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Connecting to server...
*Jan 31 15:08:23:650 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLOUT event.
*Jan 31 15:08:23:650 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Connection succeeded, server-ip=XXXX, port=49, VPN instance=--(public).
*Jan 31 15:08:23:650 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Encapsulating accounting request packet.
*Jan 31 15:08:23:650 2018 HPE6 TACACS/7/send_packet:
version: 0xc0 type: ACCOUNT_REQUEST seq_no: 1 flag: ENCRYPTED_FLAG
session-id: 0x8efa1082
length of payload: 137
flags: STOP
authen_method: TACACSPLUS authen_service: LOGIN
user_len: 5 port_len: 4 rem_len: 10 arg_cnt: 9
arg0_len: 9 arg1_len: 10 arg2_len: 13 arg3_len: 12
arg4_len: 16 arg5_len: 10 arg6_len: 11 arg7_len: 9
arg8_len: 10
user: admin
port: vty2
rem_addr: XXXXX
arg0: task_id=0 arg1: timezone=0
arg2: service=shell arg3: disc_cause=0
arg4: disc_cause_ext=0 arg5: bytes_in=0
arg6: bytes_out=0 arg7: paks_in=0
arg8: paks_out=0
*Jan 31 15:08:23:653 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
*Jan 31 15:08:23:653 2018 HPE6 TACACS/7/recv_packet:
version: 0xc0 type: ACCOUNT_REPLY seq_no: 2 flag: ENCRYPTED_FLAG
session-id: 0x8efa1082
length of payload: 5
server_msg len: 0 data len: 0 status: STATUS_SUCCESS
server_msg:
data:
*Jan 31 15:08:23:653 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Processing accounting reply packet.
*Jan 31 15:08:23:653 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.
*Jan 31 15:08:23:653 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Processed accounting-stop reply message, resultCode: 0.
*Jan 31 15:08:23:653 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: TACACS stop-accounting succeeded.
*Jan 31 15:08:44:250 2018 HPE6 TACACS/7/EVENT: PAM_TACACS: Set status of server to active successfully. serverIP: xxxx, serverPort: 49.
Please, could anybody help me?
Thanks
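
Added example (not part of any post in this thread, and not HPE or tac_plus code): a small consistency check for Comware AAA text like the configurations posted above. It reports `hwtacacs-scheme` references that no `hwtacacs scheme` block defines, which is the pattern visible in the last posted configuration (scheme `TACACS+CG`, domain lines referencing `TACACS+TEST`; the thread does not say whether that reflects the running configuration or edits made before posting), and it redacts shared-key values before a configuration is pasted into a ticket or forum. The function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample modelled on the layout posted in the thread
# (addresses are documentation-range placeholders, the key is a dummy value).
SAMPLE_CONFIG = """\
hwtacacs scheme TACACS+CG
 nas-ip 192.0.2.1
 primary authentication 192.0.2.10 key simple DUMMYKEY
 primary authorization 192.0.2.10 key simple DUMMYKEY
 primary accounting 192.0.2.10 key simple DUMMYKEY
 user-name-format without-domain
domain TACACS+TEST
 authentication login hwtacacs-scheme TACACS+TEST local
 authorization login hwtacacs-scheme TACACS+TEST local
 accounting login hwtacacs-scheme TACACS+TEST
domain default enable TACACS+TEST
"""

SCHEME_DEF = re.compile(r"^\s*hwtacacs scheme (\S+)\s*$")
SCHEME_REF = re.compile(
    r"^\s*(authentication|authorization|accounting) (\S+) hwtacacs-scheme (\S+)"
)
KEY_VALUE = re.compile(r"(\bkey (?:simple|cipher) )\S+")


def undefined_scheme_refs(config: str):
    """Return (line_no, aaa_function, aaa_type, scheme) for each dangling reference."""
    lines = config.splitlines()
    defined = {m.group(1) for line in lines if (m := SCHEME_DEF.match(line))}
    findings = []
    for no, line in enumerate(lines, start=1):
        m = SCHEME_REF.match(line)
        if m and m.group(3) not in defined:
            findings.append((no, m.group(1), m.group(2), m.group(3)))
    return findings


def redact_keys(config: str) -> str:
    """Replace shared-key values so the text can be shared outside the team."""
    return KEY_VALUE.sub(r"\1<redacted>", config)


if __name__ == "__main__":
    for no, func, kind, scheme in undefined_scheme_refs(SAMPLE_CONFIG):
        print(f"line {no}: {func} {kind} -> hwtacacs scheme {scheme!r} is not defined")
    print(redact_keys(SAMPLE_CONFIG))
```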