Thanks John. I tried to debug aaa information in my switch. I deleted the authorization and accounting setup in my switch trying to make things simple. Here is my current setup in the switch:<br>aaa new-model<br>aaa authentication login default group tacacs+ line<br>
aaa authentication enable default group tacacs+ enable<br><br>Very simple one.<br><br>And I compared the successful and unsuccessful login debug here. I also checked my Active Directory server; the events there are totally the same for successful and unsuccessful login. <br>
<br>Successful login:<br>Feb 18 11:21:30.813 CST: tty1 AAA/DISC: 1/"User Request"<br>Feb 18 11:21:30.817 CST: tty1 AAA/DISC/EXT: 1020/"User Request"<br>Feb 18 11:21:30.817 CST: tty1 AAA/DISC: 9/"NAS Error"<br>
Feb 18 11:21:30.817 CST: tty1 AAA/DISC/EXT: 1002/"Unknown"<br>Feb 18 11:21:30.817 CST: AAA/MEMORY: free_user (0x80CF5BDC) user='' ruser='' port='tty1' rem_addr='10.1.10.1' authen_type=ASCII service=LOGIN priv=1<br>
<br>Unsuccessful login:<br>Feb 18 11:47:45.392 CST: tty1 AAA/DISC: 1/"User Request"<br>Feb 18 11:47:45.392 CST: tty1 AAA/DISC/EXT: 1020/"User Request"<br>Feb 18 11:47:45.392 CST: tty1 AAA/DISC: 9/"NAS Error"<br>
Feb 18 11:47:45.396 CST: tty1 AAA/DISC/EXT: 1002/"Unknown"<br>Feb 18 11:47:45.396 CST: AAA/MEMORY: free_user (0x80CEAC74) user='testuser' ruser='' port='tty1' rem_addr='10.1.10.1' authen_type=ASCII service=LOGIN priv=1<br>
Feb 18 11:48:00.248 CST: AAA: parse name=tty1 idb type=-1 tty=-1<br>Feb 18 11:48:00.248 CST: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0<br>Feb 18 11:48:00.248 CST: AAA/MEMORY: create_user (0x80D7FC00) user='' ruser='' port='tty1' rem_addr='10.1.10.1' authen_type=ASCII service=LOGIN priv=1<br>
<br><br>The difference here is that when the successful login happens, the "user" name is empty, but the unsuccessful login has the real user name "testuser" value. This sounds weird to me. Total opposite to my thinking. I did several comparisons. All the same log. <br>
<br>I just wonder why background and foreground have this difference. In addition, I am not sure whether "NAS error" is a problem or not. It exists in the successful login too.<br><br>Thanks for your help. Really appreciated.<br>
<br>Lou<br><br><div class="gmail_quote">On Thu, Feb 18, 2010 at 12:16 AM, john heasley <span dir="ltr"><<a href="mailto:heas@shrubbery.net">heas@shrubbery.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Wed, Feb 17, 2010 at 04:16:04PM -0600, Hailu Meng:<br>
<div><div></div><div class="h5">> Hi All,<br>
><br>
> I have been running tac_plus in my redhat for a couple of months. And I always<br>
> run it as "tac_plus -C /etc/tac_plus.conf -t -d 120 -g" in the foreground.<br>
> Right now I am trying to set up a service for tac_plus and run it as a daemon. But<br>
> when I tried to run<br>
> "tac_plus -C /etc/tac_plus.conf -t -d 120", I can't login my cisco switch.<br>
> It still asks me for a username, but it won't accept my password. The log<br>
> shows:<br>
><br>
> Wed Feb 17 15:44:44 2010 [25229]: Reading config<br>
> Wed Feb 17 15:44:44 2010 [25229]: Version F4.0.4.19 Initialized 1<br>
> Wed Feb 17 15:44:44 2010 [25229]: tac_plus server F4.0.4.19 starting<br>
> Wed Feb 17 15:44:44 2010 [25230]: Backgrounded<br>
> Wed Feb 17 15:44:44 2010 [25231]: uid=505 euid=505 gid=505 egid=505 s=0<br>
> Wed Feb 17 15:44:54 2010 [25231]: session.peerip is 10.1.1.10<br>
> Wed Feb 17 15:44:54 2010 [25234]: connect from 10.1.1.10 [10.1.1.10]<br>
> Wed Feb 17 15:44:55 2010 [25234]: pam_verify username<br>
> Wed Feb 17 15:44:55 2010 [25234]: pam_tacacs received 1 pam_messages<br>
> Wed Feb 17 15:44:55 2010 [25234]: Error 10.1.1.10 tty1: PAM_PROMPT_ECHO_OFF<br>
> Wed Feb 17 15:44:59 2010 [25234]: pam_verify returns 1<br>
> Wed Feb 17 15:44:59 2010 [25234]: Password has not expired <no expiry date<br>
> set><br>
> Wed Feb 17 15:44:59 2010 [25234]: login query for 'username' tty1 from<br>
> 10.1.1.10 accepted<br>
> Wed Feb 17 15:45:05 2010 [25231]: session.peerip is 10.1.1.10<br>
> Wed Feb 17 15:45:05 2010 [25238]: connect from 10.1.1.10 [10.1.1.10]<br>
><br>
> After the above log, the switch pops up "Password" again asking me for the<br>
> password. I compared the normal log. It is the same as the above. Wondering<br>
> why it already accepted but still keeps asking me for the password.<br>
><br>
> Does anyone have any idea about this?<br>
<br>
</div></div>you might try -d 256 and verify that the config on the device is correct.<br>
also inspect the syslog for messages from the device.<br>
</blockquote></div><br>
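As an added example (not part of this thread, and not code from tac_plus or Cisco IOS), here is a small Python parser for the two log formats pasted above: the IOS "debug aaa" lines (AAA/DISC and AAA/MEMORY free_user/create_user records) and the tac_plus daemon log. It does mechanically what Lou did by eye: it extracts the name=value fields from the free_user records of two captures and reports which fields differ, lists the disconnect reasons so one can see that "NAS Error" appears in both captures, and flags tac_plus child processes that logged a "connect from" but never an accepted/rejected login query (the second connection from pid 25238 in the quoted log). The sample lines are constructed from the quoted output, with the wrapped "login query" line joined back onto one line; the regular expressions assume the exact field layout shown in those lines.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample lines, modelled on the output quoted in this thread (not a live capture).
IOS_OK = """\
Feb 18 11:21:30.813 CST: tty1 AAA/DISC: 1/"User Request"
Feb 18 11:21:30.817 CST: tty1 AAA/DISC/EXT: 1020/"User Request"
Feb 18 11:21:30.817 CST: tty1 AAA/DISC: 9/"NAS Error"
Feb 18 11:21:30.817 CST: tty1 AAA/DISC/EXT: 1002/"Unknown"
Feb 18 11:21:30.817 CST: AAA/MEMORY: free_user (0x80CF5BDC) user='' ruser='' port='tty1' rem_addr='10.1.10.1' authen_type=ASCII service=LOGIN priv=1
"""
IOS_FAIL = """\
Feb 18 11:47:45.392 CST: tty1 AAA/DISC: 1/"User Request"
Feb 18 11:47:45.392 CST: tty1 AAA/DISC: 9/"NAS Error"
Feb 18 11:47:45.396 CST: AAA/MEMORY: free_user (0x80CEAC74) user='testuser' ruser='' port='tty1' rem_addr='10.1.10.1' authen_type=ASCII service=LOGIN priv=1
Feb 18 11:48:00.248 CST: AAA/MEMORY: create_user (0x80D7FC00) user='' ruser='' port='tty1' rem_addr='10.1.10.1' authen_type=ASCII service=LOGIN priv=1
"""
TACPLUS = """\
Wed Feb 17 15:44:44 2010 [25230]: Backgrounded
Wed Feb 17 15:44:54 2010 [25234]: connect from 10.1.1.10 [10.1.1.10]
Wed Feb 17 15:44:55 2010 [25234]: Error 10.1.1.10 tty1: PAM_PROMPT_ECHO_OFF
Wed Feb 17 15:44:59 2010 [25234]: login query for 'testuser' tty1 from 10.1.1.10 accepted
Wed Feb 17 15:45:05 2010 [25238]: connect from 10.1.1.10 [10.1.1.10]
"""

# IOS timestamp prefix, e.g. "Feb 18 11:21:30.813 CST"
IOS_TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+ \w+)"
MEM_RE = re.compile(IOS_TS + r": AAA/MEMORY: (?P<op>create_user|free_user) "
                    r"\((?P<ptr>0x[0-9A-Fa-f]+)\) (?P<fields>.*)$")
DISC_RE = re.compile(IOS_TS + r": (?P<port>\S+) AAA/DISC(?P<ext>/EXT)?: "
                     r"(?P<code>\d+)/\"(?P<reason>[^\"]*)\"")
# name=value pairs are either single-quoted (may be empty) or bare tokens
FIELD_RE = re.compile(r"(\w+)=(?:'([^']*)'|(\S+))")
# tac_plus line: "Wed Feb 17 15:44:44 2010 [25230]: message"
TAC_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[(?P<pid>\d+)\]: (?P<msg>.*)$")
QUERY_RE = re.compile(r"login query for '(?P<user>[^']*)' (?P<port>\S+) from (?P<peer>\S+) "
                      r"(?P<outcome>accepted|rejected)")


def parse_ios_debug(text: str) -> List[Dict]:
    """Turn IOS 'debug aaa' lines into dicts; lines of other shapes are skipped."""
    records: List[Dict] = []
    for line in text.splitlines():
        m = MEM_RE.match(line)
        if m:
            fields = {k: (bare if bare else quoted) for k, quoted, bare in FIELD_RE.findall(m["fields"])}
            records.append({"kind": "memory", "ts": m["ts"], "op": m["op"], "ptr": m["ptr"], "fields": fields})
            continue
        m = DISC_RE.match(line)
        if m:
            records.append({"kind": "disc", "ts": m["ts"], "port": m["port"], "ext": bool(m["ext"]),
                            "code": int(m["code"]), "reason": m["reason"]})
    return records


def diff_free_user(a: List[Dict], b: List[Dict]) -> Dict[str, Tuple[str, str]]:
    """Field-by-field difference between the first free_user record of two captures."""
    fa = next(r["fields"] for r in a if r["kind"] == "memory" and r["op"] == "free_user")
    fb = next(r["fields"] for r in b if r["kind"] == "memory" and r["op"] == "free_user")
    return {k: (fa.get(k, ""), fb.get(k, "")) for k in sorted(set(fa) | set(fb)) if fa.get(k) != fb.get(k)}


def disc_reasons(records: List[Dict]) -> List[Tuple[int, str]]:
    """Top-level (non-EXT) disconnect codes and reasons, in log order."""
    return [(r["code"], r["reason"]) for r in records if r["kind"] == "disc" and not r["ext"]]


def parse_tacplus_log(text: str) -> List[Dict]:
    """Split tac_plus log lines into timestamp, child pid and message; decode login verdicts."""
    out: List[Dict] = []
    for line in text.splitlines():
        m = TAC_RE.match(line)
        if not m:
            continue
        rec: Dict = {"ts": m["ts"], "pid": int(m["pid"]), "msg": m["msg"]}
        q = QUERY_RE.search(m["msg"])
        if q:
            rec.update(q.groupdict())  # adds user, port, peer, outcome
        out.append(rec)
    return out


def connections_without_verdict(records: List[Dict]) -> List[int]:
    """pids that logged 'connect from' but never an accepted/rejected login query."""
    connected = [r["pid"] for r in records if r["msg"].startswith("connect from")]
    decided = {r["pid"] for r in records if "outcome" in r}
    return [pid for pid in connected if pid not in decided]


if __name__ == "__main__":
    ok, fail = parse_ios_debug(IOS_OK), parse_ios_debug(IOS_FAIL)
    print("free_user fields that differ:", diff_free_user(ok, fail))
    print("disconnect reasons (ok):", disc_reasons(ok))
    print("disconnect reasons (fail):", disc_reasons(fail))
    print("tac_plus connections with no verdict:", connections_without_verdict(parse_tacplus_log(TACPLUS)))
```

Running it on the constructed samples reports `user` as the only differing free_user field, identical disconnect reason lists for both captures, and pid 25238 as a connection that never reached a login verdict; on a real capture, feed the daemon's `-d` output and the switch's debug buffer into the same functions.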