<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jun 11, 2015 at 2:37 PM, Asif Iqbal <span dir="ltr"><<a href="mailto:vadud3@gmail.com" target="_blank">vadud3@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">I have this setup on tacacs+ side, but user failing to authenticate.<div><br></div><div><div>group = ipso_admin {</div><div><span style="white-space:pre-wrap"> </span>service = nokia-ipso {</div><div><span style="white-space:pre-wrap"> </span>Nokia-IPSO-User-Role = "adminRole"</div><div><span style="white-space:pre-wrap"> </span>Nokia-IPSO-SuperUser-Access = 1</div><div><span style="white-space:pre-wrap"> </span>}</div><div>}</div><div><br></div><div><div>user = foo {</div><div> login = PAM </div><div><span style="white-space:pre-wrap"> </span>member = ipso_admin</div><div>}</div></div><div><br></div><div><br></div><div>I am seeing these logs. I am not sure where it is getting the ``admin'' login.</div><div><br></div><div><br></div><div><div>Thu Jun 11 16:22:28 2015 [8107]: connect from <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> [192.168.100.33]</div><div>Thu Jun 11 16:22:28 2015 [8107]: login query for 'admin' General from <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> rejected</div><div>Thu Jun 11 16:22:28 2015 [8107]: login failure: admin <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> (192.168.100.33) General</div><div>Thu Jun 11 16:24:51 2015 [11142]: session.peerip is 192.168.100.33</div><div>Thu Jun 11 16:24:51 2015 [14004]: connect from <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> [192.168.100.33]</div><div>Thu Jun 11 16:24:53 2015 [14004]: login query for 'foo' General from <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> rejected</div><div>Thu Jun 11 16:24:53 2015 [14004]: login failure: foo <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> (192.168.100.33) General</div><div>Thu Jun 11 16:25:05 2015 [11142]: session.peerip is 192.168.100.33</div><div>Thu Jun 11 16:25:05 2015 [14653]: connect from <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> [192.168.100.33]</div><div>Thu Jun 11 16:25:06 2015 [14653]: login query for 'foo' General from <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> rejected</div><div>Thu Jun 11 16:25:06 2015 [14653]: login failure: foo <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> (192.168.100.33) General</div><div>Thu Jun 11 16:29:43 2015 [11142]: session.peerip is 192.168.100.33</div><div>Thu Jun 11 16:29:43 2015 [26878]: connect from <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> [192.168.100.33]</div><div>Thu Jun 11 16:29:53 2015 [26878]: <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> General: fd 2 eof (connection closed)</div><div>Thu Jun 11 16:29:53 2015 [26878]: Read -1 bytes from <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> General, expecting 12</div><div>Thu Jun 11 16:29:53 2015 [26878]: Error <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> General: Null reply packet, expecting CONTINUE</div><div>Thu Jun 11 16:30:19 2015 [11142]: session.peerip is 192.168.100.33</div><div>Thu Jun 11 16:30:19 2015 [28716]: connect from <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> [192.168.100.33]</div><div>Thu Jun 11 16:30:19 2015 [28716]: login query for 'admin' General from <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> rejected</div><div>Thu Jun 11 16:30:19 2015 [28716]: login failure: admin <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> (192.168.100.33) General</div><div>Thu Jun 11 16:33:37 2015 [11142]: session.peerip is 192.168.100.33</div><div>Thu Jun 11 16:33:37 2015 [4462]: connect from <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> [192.168.100.33]</div><div>Thu Jun 11 16:33:37 2015 [4462]: login query for 'admin' General from <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> rejected</div><div>Thu Jun 11 16:33:37 2015 [4462]: login failure: admin <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> (192.168.100.33) General</div><div>Thu Jun 11 16:48:21 2015 [11142]: session.peerip is 192.168.100.33</div><div>Thu Jun 11 16:48:21 2015 [4278]: connect from <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> [192.168.100.33]</div><div>Thu Jun 11 16:48:21 2015 [4278]: login query for 'admin' General from <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> rejected</div><div>Thu Jun 11 16:48:21 2015 [4278]: login failure: admin <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> (192.168.100.33) General</div><div>Thu Jun 11 17:10:21 2015 [11142]: session.peerip is 192.168.100.33</div><div>Thu Jun 11 17:10:21 2015 [7781]: connect from <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> [192.168.100.33]</div><div>Thu Jun 11 17:10:31 2015 [7781]: login query for 'foo' General from <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> rejected</div><div>Thu Jun 11 17:10:31 2015 [7781]: login failure: foo <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> (192.168.100.33) General</div><div>Thu Jun 11 17:10:33 2015 [11142]: session.peerip is 192.168.100.33</div><div>Thu Jun 11 17:10:33 2015 [7999]: connect from <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> [192.168.100.33]</div><div>Thu Jun 11 17:10:42 2015 [7999]: <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> General: fd 2 eof (connection closed)</div><div>Thu Jun 11 17:10:42 2015 [7999]: Read -1 bytes from <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> General, expecting 12</div><div>Thu Jun 11 17:10:42 2015 [7999]: Error <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> General: Null reply packet, expecting CONTINUE</div><div>Thu Jun 11 17:10:42 2015 [7999]: Error <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> General: Password change aborted.</div><div>Thu Jun 11 17:10:42 2015 [7999]: login query for 'foo' General from <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> rejected</div><div>Thu Jun 11 17:10:42 2015 [7999]: login failure: foo <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> (192.168.100.33) General</div></div><div><br></div><div><br></div><div>Nokia IPSO firewall guys saying this</div><div><br></div><div><div>Tried authentication again this morning, no luck. Again my firewalls are dropping the packet for being out of TCP state, errors similar to this:</div><div><br></div><div>TCP packet out of state: Unexpected post SYN packet - RST or SYN expected tcp_flags: ACK</div></div><div><br></div><div>That seems to be align with "Read -1 bytes from <a href="http://mpls-vrrp.example.net" target="_blank">mpls-vrrp.example.net</a> General, expecting 12" ?</div><div><br></div><div>Any suggestion how to get a successful authentication? Firewall sshd is doing the TACACS+ authentication only, no command authorization. May be I need a cmd = * { permit .* } ? or just default service = permit and no cmd clause?</div><span class=""><font color="#888888"><div><br></div></font></span></div></div></blockquote><div><br></div><div><br></div><div>I was reported by firewall team of successful T+ authentication. And the RST was related some misconfig on NAT.</div><div><br></div><div>I have not made any change on my original config which followed the doc on Nokia IPSO TACACS+ config, provided by our firewall team.</div><div><br></div><div>Thanks a lot for your help! <br></div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div><span class=""><font color="#888888"><div></div>-- <br><div>Asif Iqbal<br>PGP Key: 0xE62693C5 KeyServer: <a href="http://pgp.mit.edu" target="_blank">pgp.mit.edu</a><br>A: Because it messes up the order in which people normally read text.<br>Q: Why is top-posting such a bad thing?<br><br></div>
</font></span></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature">Asif Iqbal<br>PGP Key: 0xE62693C5 KeyServer: <a href="http://pgp.mit.edu" target="_blank">pgp.mit.edu</a><br>A: Because it messes up the order in which people normally read text.<br>Q: Why is top-posting such a bad thing?<br><br></div>
</div></div>