[tac_plus] tac_plus login and enable password issue
Ricki Z
rz.bangka at yahoo.com
Thu Dec 8 03:54:49 UTC 2011
Hi John,
Thanks for your earlier info. I have changed the config to put default service under the group, but I still experience the same problem. My problem exactly is why I can log in to the Cisco switch using the "login password" or the "enable password", and why I can enter privilege mode using the "login password" or the "enable password" too.
Below is my new config for the tac_plus server:
-----------------------------------cut-----------------------------------
user = user1 {
member = admin
login = cleartext user1
enable = cleartext enauser1
}
user = user2 {
member = admin
login = cleartext user2
enable = cleartext enauser2
}
group = admin {
default service = permit
}
-----------------------------------cut-----------------------------------
And below is my Cisco switch config for tac_plus authentication:
-----------------------------------cut-----------------------------------
aaa new-model
aaa authentication login default group tacacs+ local line
aaa authentication login user group tacacs+ local
aaa authentication login net_admin group tacacs+ line enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 7 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group tacacs+ if-authenticated
aaa accounting exec user start-stop group tacacs+
aaa accounting commands 0 user start-stop group tacacs+
aaa accounting commands 1 user start-stop group tacacs+
aaa accounting commands 7 user start-stop group tacacs+
aaa accounting commands 15 user start-stop group tacacs+
aaa accounting network user start-stop group tacacs+
aaa accounting connection user start-stop group tacacs
!
line con 0
login authentication net_admin
line vty 0 4
accounting connection user
accounting commands 0 user
accounting commands 1 user
accounting commands 7 user
accounting commands 15 user
accounting exec user
line vty 5 15
accounting connection user
accounting commands 0 user
accounting commands 1 user
accounting commands 7 user
accounting commands 15 user
accounting exec user
-----------------------------------cut-----------------------------------
Here is the illustration for logging in to the Cisco switch:
-----------------------------------cut-----------------------------------
User Access Verification
Username: user1
Password: user1
or
Username: user1
Password: enauser1
-----------------------------------cut-----------------------------------
Here is the illustration for entering privilege mode on the Cisco switch:
-----------------------------------cut-----------------------------------
cisco-sw>en
Password: enauser1
or
cisco-sw>en
Password: user1
-----------------------------------cut-----------------------------------
Is there anything abnormal with my config on the tac_plus server or the Cisco switch?
Tx,
Ricki
________________________________
From: john heasley <heas at shrubbery.net>
To: Ricki Z <rz.bangka at yahoo.com>
Cc: "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
Sent: Thursday, December 8, 2011 5:51 AM
Subject: Re: [tac_plus] tac_plus login and enable password issue
Sun, Nov 27, 2011 at 08:58:15PM -0800, Ricki Z:
> Hi All,
>
> I have an issue when I use an enable password per user (not on the global config with user $enab15$ etc.) and every user uses a different password for Cisco enable on the tac_plus server. Referring to the config that I sent before, I can use AAA for Cisco devices with tac_plus, but if I log in using user1, then I can use password "user1" or "enauser1", and after login succeeds, I can enter privilege mode using password "user1" or "enauser1", and the same for user2. In the normal condition I should only be able to log in as user1 with password "user1" (failing if using password "enauser1"), and I should only be able to enter privilege mode using password "enauser1" (failing if using "user1").
>
> user = user1 {
>     default service = permit
default service does not belong under user configuration.
otherwise, I can not reproduce the problem that I think you are describing.
given two users configured with different passwords, one can not use the
other's passwords to login or enable.
I'd guess that you have a device configuration problem or there is some
strange problem with how you've compiled tac_plus. more likely the former.
>     login = cleartext user1
>     enable = cleartext enauser1
> }
>
> user = user2 {
>     default service = permit
>     login = cleartext user2
>     enable = cleartext enauser2
> }
>
> And if I configure the enable password per user and every user uses the same enable password (like the config below), everything
> works like it is supposed to; it means if I log in using user1 I can only use password "user1" (can't use password "enapwd") and I can only enter privilege mode using password "enauser" (can't use password "user1").
> user = user1 {
>     default service = permit
>     login = cleartext user1
>     enable = cleartext enauser
> }
>
> user = user2 {
>     default service = permit
>     login = cleartext user2
>     enable = cleartext enauser
> }
>
> Need your advice to solve this issue.
>
> Tx,
> Ricki
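As an added example (not code from the tac_plus project or from either poster), a small Python lint that parses the flat user/group blocks exchanged in this thread and flags the two things a reviewer would check first: "default service" placed under a user rather than a group, as John points out, and a user whose login and enable passwords are the same. It assumes flat blocks with no nested service sub-blocks; the two sample configs are constructed from the fragments quoted above.

```python
import re

# Constructed samples, not from the tac_plus project: the first is the shape John
# flagged (default service under the user), the second is Ricki's corrected layout.
BAD_CONF = """
user = user1 {
    default service = permit
    login = cleartext user1
    enable = cleartext enauser1
}
"""
GOOD_CONF = """
user = user1 {
    member = admin
    login = cleartext user1
    enable = cleartext enauser1
}
group = admin {
    default service = permit
}
"""
# Assumes flat blocks only (no nested "service = exec { ... }" sub-blocks).
BLOCK_RE = re.compile(r"(user|group)\s*=\s*(\S+)\s*\{([^}]*)\}")

def parse(conf):
    """Return {(kind, name): {attribute: value}} for each top-level block."""
    blocks = {}
    for kind, name, body in BLOCK_RE.findall(conf):
        attrs = {}
        for line in body.splitlines():
            key, _, val = line.strip().partition("=")
            if key.strip():
                attrs[key.strip()] = val.strip()
        blocks[(kind, name)] = attrs
    return blocks

def lint(conf):
    """Findings a reviewer would raise, as a list of strings (empty = clean)."""
    blocks = parse(conf)
    groups = {name for kind, name in blocks if kind == "group"}
    findings = []
    for (kind, name), attrs in blocks.items():
        if kind != "user":
            continue
        if "default service" in attrs:
            findings.append(f"{name}: 'default service' belongs under a group, not a user")
        if "member" in attrs and attrs["member"] not in groups:
            findings.append(f"{name}: member of undefined group {attrs['member']}")
        login, enable = attrs.get("login", ""), attrs.get("enable", "")
        if login and enable and login.split()[-1] == enable.split()[-1]:
            findings.append(f"{name}: login and enable passwords are identical")
    return findings
```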