TACACS authentication for device access: example

2023-09-27 15:37:04 Published

Network Topology

Tacacs server------switch-------user

Problem Description

The customer reports that authentication based on TACACS is not working.


Process Analysis

After checking the debug output, the TACACS server does not reply with a valid message:

*Jan  5 05:24:30:044 2021 HU-SW-4F TACACS/7/send_packet:
version: 0xc0  type: AUTHEN_REQUEST  seq_no: 1  flag: ENCRYPTED_FLAG
session-id: 0x76642845
length of payload: 35
action: LOGIN  priv_lvl: 0  authen_type: ASCII  service: LOGIN
user_len: 5   port_len: 0   rem_len: 11   data_len: 11
user: admin
port:
rem_addr: 10.20.2.239
data: ******
*Jan  5 05:24:30:045 2021 HU-SW-4F TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
*Jan  5 05:24:30:046 2021 HU-SW-4F TACACS/7/ERROR: PAM_TACACS: Invalid reply packet.
*Jan  5 05:24:30:046 2021 HU-SW-4F TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
*Jan  5 05:24:30:046 2021 HU-SW-4F TACACS/7/EVENT: PAM_TACACS: Received socket close event.
*Jan  5 05:24:30:047 2021 HU-SW-4F TACACS/7/ERROR: PAM_TACACS: Failed to get available server.


Solution

Correct the configuration as follows:

1. Switch configuration:

#
hwtacacs scheme liang
 primary authentication 192.168.207.116
 primary authorization 192.168.207.116
 primary accounting 192.168.207.116
 key authentication cipher $c$3$9a8o4Y2zeFeDPK2ypq8WXINP0usL9MogMYeNIqg=
 key authorization cipher $c$3$3f2qc9Evi+aVWp68RprJFaP2t+xUE4u1VI0Sz7Q=
 key accounting cipher $c$3$vQwmZmNXmP93/Tv2MSv1QgLjw0HGJmBkAaOB2zU=
 user-name-format without-domain
#
domain liang
 authentication login hwtacacs-scheme liang
 authorization login hwtacacs-scheme liang
 accounting login hwtacacs-scheme liang
#
line vty 0 4
 authentication-mode scheme
 user-role network-admin
 user-role network-operator
 idle-timeout 35791 0
#


2. TACACS server configuration

The steps of the TACACS server configuration:

Step 1: configure the device area
Step 2: configure the device type (can be skipped)
Step 3: add your switch for control
Step 4: configure authorized time range policies
Step 5: configure shell profiles
Step 6: configure command sets
Step 7: configure authorization policies
Step 8: add the users for logging in to devices, and bind the policy.

Then test that the login works:

<AC>telnet  172.16.209.102
Trying 172.16.209.102 ...
Press CTRL+K to abort
Connected to 172.16.209.102 ...

Login: admin
Password:
E65060: Failed to check IP address binding.
AAA authentication failed.
Login: liang
Password:
******************************************************************************
* Copyright (c) 2004-2022 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************

<Tacacs>

The correct debug output:

*Sep 27 11:52:31:966 2023 Tacacs TACACS/7/send_packet:
version: 0xc0  type: AUTHEN_REQUEST  seq_no: 1  flag: ENCRYPTED_FLAG
session-id: 0x38eae03d
length of payload: 39
action: LOGIN  priv_lvl: 0  authen_type: ASCII  service: LOGIN
user_len: 5   port_len: 4   rem_len: 12   data_len: 10
user: admin
port: vty1
rem_addr: 172.16.209.1
data: ******
*Sep 27 11:52:31:970 2023 Tacacs TACACS/7/EVENT: PAM_TACACS: Epoll event=1, src port = 14022.
*Sep 27 11:52:31:972 2023 Tacacs TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
*Sep 27 11:52:31:974 2023 Tacacs TACACS/7/recv_packet:      <-- here we receive the TACACS server reply, but your environment cannot receive…
version: 0xc0  type: AUTHEN_REPLY  seq_no: 2  flag: ENCRYPTED_FLAG
session-id: 0x38eae03d
length of payload: 15
status: STATUS_GETPASS  flags: NOECHO
server_msg len: 9  data len: 0
server_msg: Password:
data:
*Sep 27 11:52:31:974 2023 Tacacs TACACS/7/EVENT: PAM_TACACS: Processing authentication reply packet.
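A switch reports "Invalid reply packet" when the de-obfuscated AUTHEN_REPLY body does not match its own declared lengths; one common cause is a shared key that differs between switch and server, because the TACACS+ body is XORed with an MD5 pad derived from that key. The following Python is an added example, not H3C code or code from this page: it builds the authentication START body with the field order shown in the send_packet debug (so the page's "length of payload" values 35 and 39 are reproduced), and decodes a GETPASS reply with a matching and a mismatching key; the keys and the data bytes are constructed, and the session id is taken from the failing debug.

```python
import hashlib
import struct

# RFC 8907 values behind the symbolic names in the switch debug output.
TAC_PLUS_AUTHEN_LOGIN = 0x01           # action: LOGIN
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01      # authen_type: ASCII
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01       # service: LOGIN
TAC_PLUS_AUTHEN_STATUS_GETPASS = 0x05  # status: STATUS_GETPASS
TAC_PLUS_REPLY_FLAG_NOECHO = 0x01      # flags: NOECHO
VERSION = 0xC0                         # version: 0xc0

def pseudo_pad(session_id, key, seq_no, length):
    """MD5 keystream of RFC 8907 section 4.5; it depends on the shared secret, session id and seq_no."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([VERSION, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, seq_no):
    """Body XOR pad. The operation is its own inverse, so the same call also de-obfuscates."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))

def build_authen_start(user, port, rem_addr, data, priv_lvl=0):
    """Authentication START body in the field order the send_packet debug prints."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(data))
    return fixed + u + p + r + data          # "length of payload" in the debug is len() of this

def parse_authen_reply(body):
    """Decode an AUTHEN_REPLY body; None when the declared lengths do not fit the body."""
    if len(body) < 6:
        return None
    status, flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if len(body) != 6 + msg_len + data_len:
        return None                          # what a switch reports as an invalid reply packet
    return {"status": status, "flags": flags,
            "server_msg": body[6:6 + msg_len], "data": body[6 + msg_len:]}

def exchange_reply(switch_key, server_key, session_id=0x76642845):
    """Server obfuscates a GETPASS reply (seq_no 2) with its key; the switch decodes with its own.
    The session id is the one from the failing debug; keys are constructed for the example."""
    reply = struct.pack("!BBHH", TAC_PLUS_AUTHEN_STATUS_GETPASS,
                        TAC_PLUS_REPLY_FLAG_NOECHO, 9, 0) + b"Password:"
    on_wire = obfuscate(reply, session_id, server_key, 2)
    return parse_authen_reply(obfuscate(on_wire, session_id, switch_key, 2))
```

With equal keys the decoded reply is the 15-byte GETPASS/NOECHO "Password:" message seen in the good debug; with different keys the decoded length fields are effectively random and the reply is rejected.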

