<div dir="ltr">I have this setup on tacacs+ side, but user failing to authenticate.<div><br></div><div><div>group = ipso_admin {</div><div><span class="" style="white-space:pre"> </span>service = nokia-ipso {</div><div><span class="" style="white-space:pre"> </span>Nokia-IPSO-User-Role = "adminRole"</div><div><span class="" style="white-space:pre"> </span>Nokia-IPSO-SuperUser-Access = 1</div><div><span class="" style="white-space:pre"> </span>}</div><div>}</div><div><br></div><div><div>user = foo {</div><div> login = PAM </div><div><span class="" style="white-space:pre"> </span>member = ipso_admin</div><div>}</div></div><div><br></div><div><br></div><div>I am seeing these logs. I am not sure where it is getting the ``admin'' login.</div><div><br></div><div><br></div><div><div>Thu Jun 11 16:22:28 2015 [8107]: connect from <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> [192.168.100.33]</div><div>Thu Jun 11 16:22:28 2015 [8107]: login query for 'admin' General from <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> rejected</div><div>Thu Jun 11 16:22:28 2015 [8107]: login failure: admin <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> (192.168.100.33) General</div><div>Thu Jun 11 16:24:51 2015 [11142]: session.peerip is 192.168.100.33</div><div>Thu Jun 11 16:24:51 2015 [14004]: connect from <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> [192.168.100.33]</div><div>Thu Jun 11 16:24:53 2015 [14004]: login query for 'foo' General from <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> rejected</div><div>Thu Jun 11 16:24:53 2015 [14004]: login failure: foo <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> (192.168.100.33) General</div><div>Thu Jun 11 16:25:05 2015 [11142]: session.peerip is 192.168.100.33</div><div>Thu Jun 11 16:25:05 2015 [14653]: connect from <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> [192.168.100.33]</div><div>Thu Jun 11 16:25:06 2015 [14653]: login query for 'foo' General from <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> rejected</div><div>Thu Jun 11 16:25:06 2015 [14653]: login failure: foo <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> (192.168.100.33) General</div><div>Thu Jun 11 16:29:43 2015 [11142]: session.peerip is 192.168.100.33</div><div>Thu Jun 11 16:29:43 2015 [26878]: connect from <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> [192.168.100.33]</div><div>Thu Jun 11 16:29:53 2015 [26878]: <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> General: fd 2 eof (connection closed)</div><div>Thu Jun 11 16:29:53 2015 [26878]: Read -1 bytes from <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> General, expecting 12</div><div>Thu Jun 11 16:29:53 2015 [26878]: Error <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> General: Null reply packet, expecting CONTINUE</div><div>Thu Jun 11 16:30:19 2015 [11142]: session.peerip is 192.168.100.33</div><div>Thu Jun 11 16:30:19 2015 [28716]: connect from <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> [192.168.100.33]</div><div>Thu Jun 11 16:30:19 2015 [28716]: login query for 'admin' General from <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> rejected</div><div>Thu Jun 11 16:30:19 2015 [28716]: login failure: admin <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> (192.168.100.33) General</div><div>Thu Jun 11 16:33:37 2015 [11142]: session.peerip is 192.168.100.33</div><div>Thu Jun 11 16:33:37 2015 [4462]: connect from <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> [192.168.100.33]</div><div>Thu Jun 11 16:33:37 2015 [4462]: login query for 'admin' General from <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> rejected</div><div>Thu Jun 11 16:33:37 2015 [4462]: login failure: admin <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> (192.168.100.33) General</div><div>Thu Jun 11 16:48:21 2015 [11142]: session.peerip is 192.168.100.33</div><div>Thu Jun 11 16:48:21 2015 [4278]: connect from <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> [192.168.100.33]</div><div>Thu Jun 11 16:48:21 2015 [4278]: login query for 'admin' General from <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> rejected</div><div>Thu Jun 11 16:48:21 2015 [4278]: login failure: admin <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> (192.168.100.33) General</div><div>Thu Jun 11 17:10:21 2015 [11142]: session.peerip is 192.168.100.33</div><div>Thu Jun 11 17:10:21 2015 [7781]: connect from <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> [192.168.100.33]</div><div>Thu Jun 11 17:10:31 2015 [7781]: login query for 'foo' General from <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> rejected</div><div>Thu Jun 11 17:10:31 2015 [7781]: login failure: foo <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> (192.168.100.33) General</div><div>Thu Jun 11 17:10:33 2015 [11142]: session.peerip is 192.168.100.33</div><div>Thu Jun 11 17:10:33 2015 [7999]: connect from <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> [192.168.100.33]</div><div>Thu Jun 11 17:10:42 2015 [7999]: <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> General: fd 2 eof (connection closed)</div><div>Thu Jun 11 17:10:42 2015 [7999]: Read -1 bytes from <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> General, expecting 12</div><div>Thu Jun 11 17:10:42 2015 [7999]: Error <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> General: Null reply packet, expecting CONTINUE</div><div>Thu Jun 11 17:10:42 2015 [7999]: Error <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> General: Password change aborted.</div><div>Thu Jun 11 17:10:42 2015 [7999]: login query for 'foo' General from <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> rejected</div><div>Thu Jun 11 17:10:42 2015 [7999]: login failure: foo <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> (192.168.100.33) General</div></div><div><br></div><div><br></div><div>Nokia IPSO firewall guys saying this</div><div><br></div><div><div>Tried authentication again this morning, no luck. Again my firewalls are dropping the packet for being out of TCP state, errors similar to this:</div><div><br></div><div>TCP packet out of state: Unexpected post SYN packet - RST or SYN expected tcp_flags: ACK</div></div><div><br></div><div>That seems to be align with "Read -1 bytes from <a href="http://mpls-vrrp.example.net">mpls-vrrp.example.net</a> General, expecting 12" ?</div><div><br></div><div>Any suggestion how to get a successful authentication? Firewall sshd is doing the TACACS+ authentication only, no command authorization. May be I need a cmd = * { permit .* } ? or just default service = permit and no cmd clause?</div><div><br></div>-- <br><div class="gmail_signature">Asif Iqbal<br>PGP Key: 0xE62693C5 KeyServer: <a href="http://pgp.mit.edu" target="_blank">pgp.mit.edu</a><br>A: Because it messes up the order in which people normally read text.<br>Q: Why is top-posting such a bad thing?<br><br></div>
</div></div>