Network Management


TACACS not working on HP 5130 JG937A

  • 1.  TACACS not working on HP 5130 JG937A

    Posted Jan 16, 2024 10:48 AM

    Hi, I have a problem with TACACS on an SW 5130 JG937A, version 7.1.070, Release 3507. In ClearPass I see the authentication accepted, but in the logs I see an error, and I don't understand what is going on.


    Log

    *Jan 1 01:04:56:366 2013 HPE TACACS/7/EVENT: PAM_TACACS: Processing TACACS authentication.
    *Jan 1 01:04:56:366 2013 HPE TACACS/7/EVENT: PAM_TACACS: Session successfully created.
    *Jan 1 01:04:56:367 2013 HPE TACACS/7/EVENT: PAM_TACACS: Getting available server, server-ip=2.2.2.2, server-port=49, VPN instance=--(public).
    *Jan 1 01:04:56:368 2013 HPE TACACS/7/EVENT: PAM_TACACS: Connecting to server...
    *Jan 1 01:04:56:371 2013 HPE TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLOUT event.
    *Jan 1 01:04:56:372 2013 HPE TACACS/7/EVENT: PAM_TACACS: Connection succeeded, server-ip=2.2.2.2, port=49, VPN instance=--(public).
    *Jan 1 01:04:56:372 2013 HPE TACACS/7/EVENT: PAM_TACACS: Encapsulating authentication request packet.
    *Jan 1 01:04:56:373 2013 HPE TACACS/7/send_packet:
    version: 0xc0 type: AUTHEN_REQUEST seq_no: 1 flag: ENCRYPTED_FLAG
    session-id: 0x1ccf48be
    length of payload: 52
    action: LOGIN priv_lvl: 0 authen_type: ASCII service: LOGIN
    user_len: 13 port_len: 0 rem_len: 10 data_len: 21
    user: ihor.hanichev
    port:
    rem_addr: (IP of my laptop)
    data: ******
    *Jan 1 01:04:56:388 2013 HPE TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
    *Jan 1 01:04:56:392 2013 HPE TACACS/7/recv_packet:
    version: 0xc0 type: AUTHEN_REPLY seq_no: 2 flag: ENCRYPTED_FLAG
    session-id: 0x1ccf48be
    length of payload: 16
    status: STATUS_GETPASS flags: NOECHO
    server_msg len: 10 data len: 0
    server_msg: Password:
    data:
    *Jan 1 01:04:56:392 2013 HPE TACACS/7/EVENT: PAM_TACACS: Processing authentication reply packet.
    *Jan 1 01:04:56:393 2013 HPE TACACS/7/EVENT: PAM_TACACS: Processing TACACS authentication.
    *Jan 1 01:04:56:393 2013 HPE TACACS/7/EVENT: PAM_TACACS: Processing TACACS authentication.
    *Jan 1 01:04:56:393 2013 HPE TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.
    *Jan 1 01:04:56:394 2013 HPE TACACS/7/EVENT: PAM_TACACS: Encapsulating authentication continue request packet.
    *Jan 1 01:04:56:395 2013 HPE TACACS/7/EVENT: PAM_TACACS: Sending authentication continue request packet.
    *Jan 1 01:04:56:395 2013 HPE TACACS/7/send_packet:
    version: 0xc0 type: AUTHEN_CONTINUE seq_no: 3 flag: ENCRYPTED_FLAG
    session-id: 0x1ccf48be
    length of payload: 26
    user_msg len: ****** data_len: 0 flags: CONTINUE AUTHEN
    user_msg: ******
    data:
    *Jan 1 01:04:56:427 2013 HPE TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
    *Jan 1 01:04:56:428 2013 HPE TACACS/7/recv_packet:
    version: 0xc0 type: AUTHEN_REPLY seq_no: 4 flag: ENCRYPTED_FLAG
    session-id: 0x1ccf48be
    length of payload: 6
    status: STATUS_PASS flags: ECHO
    server_msg len: 0 data len: 0
    server_msg:
    data:
    *Jan 1 01:04:56:428 2013 HPE TACACS/7/EVENT: PAM_TACACS: Processing authentication reply packet.
    *Jan 1 01:04:56:429 2013 HPE TACACS/7/EVENT: PAM_TACACS: Processing TACACS authentication.
    *Jan 1 01:04:56:429 2013 HPE TACACS/7/EVENT: PAM_TACACS: TACACS authentication succeeded.
    *Jan 1 01:04:56:432 2013 HPE TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.
    *Jan 1 01:04:56:463 2013 HPE TACACS/7/EVENT: PAM_TACACS: Processing TACACS authorization.
    *Jan 1 01:04:56:463 2013 HPE TACACS/7/EVENT: PAM_TACACS: Session successfully created.
    *Jan 1 01:04:56:464 2013 HPE TACACS/7/EVENT: PAM_TACACS: Getting available server, server-ip=2.2.2.2, server-port=49, VPN instance=--(public).
    *Jan 1 01:04:56:465 2013 HPE TACACS/7/EVENT: PAM_TACACS: Connecting to server...
    *Jan 1 01:04:56:467 2013 HPE TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLOUT event.
    *Jan 1 01:04:56:467 2013 HPE TACACS/7/EVENT: PAM_TACACS: Connection succeeded, server-ip=2.2.2.2, port=49, VPN instance=--(public).
    *Jan 1 01:04:56:468 2013 HPE TACACS/7/EVENT: PAM_TACACS: Encapsulating authorization request packet.
    *Jan 1 01:04:56:468 2013 HPE TACACS/7/send_packet:
    version: 0xc0 type: AUTHOR_REQUEST seq_no: 1 flag: ENCRYPTED_FLAG
    session-id: 0xd2673fcc
    length of payload: 50
    authen_method: TACACSPLUS priv_lvl: 0 authen_type: ASCII authen_service: LOGIN
    user_len: 13 port_len: 0 rem_len: 10 arg_cnt: 2
    arg0_len: 13 arg1_len: 4
    user: ihor.hanichev
    port:
    rem_addr: (IP of my laptop)
    arg0: service=shell arg1: cmd*
    *Jan 1 01:04:56:478 2013 HPE TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
    *Jan 1 01:04:56:479 2013 HPE TACACS/7/recv_packet:
    version: 0xc0 type: AUTHOR_REPLY seq_no: 2 flag: ENCRYPTED_FLAG
    session-id: 0xd2673fcc
    length of payload: 34
    Status: STATUS_FAIL arg_cnt: 0 server_msg len: 28 data len: 0
    server_msg: Tacacs authorization failed

     

    Config
    hwtacacs scheme softtek
    primary authentication 2.2.2.2 key cipher ***************************************
    primary authorization 2.2.2.2 key cipher ********************************************
    secondary authentication 1.1.1.1 key cipher *******************************************
    secondary authorization 1.1.1.1 key cipher **********************************************
    user-name-format without-domain
    nas-ip (IP of SW)
    #
    radius scheme softtek
    primary authentication 2.2.2.2 key cipher ********************************************* weight 80
    primary accounting 2.2.2.2 key cipher ************************************************ weight 80
    secondary authentication 1.1.1.1 key cipher ************************************************ weight 80
    secondary accounting 1.1.1.1 key cipher *************************************************** weight 80
    user-name-format without-domain
    nas-ip (IP of SW)
    #
    radius scheme system
    user-name-format without-domain
    #
    domain local
    authentication login local
    authorization command local
    #
    domain softtek
    authentication lan-access radius-scheme softtek
    authorization lan-access radius-scheme softtek
    accounting lan-access radius-scheme softtek
    authentication default hwtacacs-scheme softtek
    authorization default hwtacacs-scheme softtek
    accounting default hwtacacs-scheme softtek none
    #
    domain system
    #
    domain default enable softtek
    #
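
    An added example, not part of this thread and not HPE or ClearPass code, that reads this kind of Comware TACACS debug output: it pairs the send_packet/recv_packet dumps by session-id, takes each phase's result from its last reply, and reports in one line that authentication returned STATUS_PASS while the authorization request for service=shell cmd* came back STATUS_FAIL with the server's message. The embedded log is a constructed, shortened copy of the output above with the username replaced by a placeholder; the function names and the verdict wording are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed, abbreviated sample modelled on the debug output quoted in the thread;
# the username is a placeholder.
SAMPLE_LOG = """\
*Jan 1 01:04:56:373 2013 HPE TACACS/7/send_packet:
version: 0xc0 type: AUTHEN_REQUEST seq_no: 1 flag: ENCRYPTED_FLAG
session-id: 0x1ccf48be
user: operator1
*Jan 1 01:04:56:392 2013 HPE TACACS/7/recv_packet:
version: 0xc0 type: AUTHEN_REPLY seq_no: 2 flag: ENCRYPTED_FLAG
session-id: 0x1ccf48be
status: STATUS_GETPASS flags: NOECHO
server_msg: Password:
*Jan 1 01:04:56:395 2013 HPE TACACS/7/send_packet:
version: 0xc0 type: AUTHEN_CONTINUE seq_no: 3 flag: ENCRYPTED_FLAG
session-id: 0x1ccf48be
*Jan 1 01:04:56:428 2013 HPE TACACS/7/recv_packet:
version: 0xc0 type: AUTHEN_REPLY seq_no: 4 flag: ENCRYPTED_FLAG
session-id: 0x1ccf48be
status: STATUS_PASS flags: ECHO
*Jan 1 01:04:56:429 2013 HPE TACACS/7/EVENT: PAM_TACACS: TACACS authentication succeeded.
*Jan 1 01:04:56:468 2013 HPE TACACS/7/send_packet:
version: 0xc0 type: AUTHOR_REQUEST seq_no: 1 flag: ENCRYPTED_FLAG
session-id: 0xd2673fcc
arg0: service=shell arg1: cmd*
*Jan 1 01:04:56:479 2013 HPE TACACS/7/recv_packet:
version: 0xc0 type: AUTHOR_REPLY seq_no: 2 flag: ENCRYPTED_FLAG
session-id: 0xd2673fcc
Status: STATUS_FAIL arg_cnt: 0 server_msg len: 28 data len: 0
server_msg: Tacacs authorization failed
"""

PACKET_RE = re.compile(r"TACACS/7/(send_packet|recv_packet):")
TYPE_RE = re.compile(r"\btype:\s+(\S+)\s+seq_no:\s+(\d+)")
SESSION_RE = re.compile(r"session-id:\s+(0x[0-9a-fA-F]+)")
STATUS_RE = re.compile(r"\b[Ss]tatus:\s+(STATUS_\w+)")
MSG_RE = re.compile(r"server_msg:\s*(.*)$")
ARG_RE = re.compile(r"\barg\d+:\s+(\S+)")   # AV pairs such as service=shell, cmd*
PHASE_BY_REQUEST = {"AUTHEN_REQUEST": "authentication", "AUTHOR_REQUEST": "authorization"}


@dataclass
class Packet:
    direction: str            # "send" (switch -> server) or "recv" (server -> switch)
    ptype: str = ""           # AUTHEN_REQUEST, AUTHEN_REPLY, AUTHOR_REQUEST, ...
    seq_no: int = 0
    session_id: str = ""
    status: str = ""          # STATUS_* field, present in reply packets only
    server_msg: str = ""
    args: list = field(default_factory=list)


def parse_packets(log_text):
    """Turn the multi-line send_packet/recv_packet dumps into Packet records."""
    packets, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := PACKET_RE.search(line):            # header line starts a new dump
            current = Packet(direction=m.group(1).split("_")[0])
            packets.append(current)
            continue
        if line.startswith("*") or current is None:  # a timestamped EVENT line ends a dump
            current = None
            continue
        if m := TYPE_RE.search(line):
            current.ptype, current.seq_no = m.group(1), int(m.group(2))
        if m := SESSION_RE.search(line):
            current.session_id = m.group(1)
        if m := STATUS_RE.search(line):
            current.status = m.group(1)
        if m := MSG_RE.search(line):
            current.server_msg = m.group(1).strip()
        current.args.extend(ARG_RE.findall(line))
    return packets


def summarize_sessions(packets):
    """Group packets by session-id: phase from the first request, result from the last reply."""
    sessions = {}
    for p in packets:
        s = sessions.setdefault(p.session_id, {"phase": None, "result": None, "server_msg": "", "args": []})
        if p.direction == "send":
            s["phase"] = s["phase"] or PHASE_BY_REQUEST.get(p.ptype)
            s["args"].extend(p.args)
        elif p.status:                              # later replies overwrite earlier ones
            s["result"], s["server_msg"] = p.status, p.server_msg
    return sessions


def diagnose(log_text):
    """Report the outcome of each AAA phase plus a one-line reading of the exchange."""
    by_phase = {s["phase"]: s for s in summarize_sessions(parse_packets(log_text)).values() if s["phase"]}
    authn = by_phase.get("authentication", {}).get("result")
    authz = by_phase.get("authorization", {}).get("result")
    args = by_phase.get("authorization", {}).get("args", [])
    msg = by_phase.get("authorization", {}).get("server_msg", "")
    if authn is None:
        verdict = "no authentication exchange found; check that the switch reached the server"
    elif authn != "STATUS_PASS":
        verdict = f"authentication ended with {authn}"
    elif authz is None:
        verdict = "authentication passed; no authorization exchange seen"
    elif authz.startswith("STATUS_PASS"):
        verdict = "authentication and shell authorization both passed"
    else:
        verdict = (f"credentials accepted but authorization for '{' '.join(args)}' returned "
                   f"{authz} ({msg}); review the server-side authorization policy")
    return {"authentication": authn, "authorization": authz,
            "authorization_args": args, "verdict": verdict}


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    Run it on a saved copy of the debug output and the two sessions separate cleanly: the 0x1ccf48be session ends in STATUS_PASS, the 0xd2673fcc session ends in STATUS_FAIL, so the password is fine and the decision to look at is the server's answer to service=shell.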



  • 2.  RE: TACACS not working on HP 5130 JG937A

    Posted Jan 19, 2024 11:29 AM

    Seems like authentication is succeeding, but the switch is not getting back the authorisation attributes it's expecting. Have a look at Florian's very thorough blog post on the topic: Operator Login with ClearPass TACACS+ - Flomain Networking

    Mine looks like this:




  • 3.  RE: TACACS not working on HP 5130 JG937A

    MVP EXPERT
    Posted Jan 19, 2024 01:41 PM

    Here is my 5130 switch configuration for TACACS:

    hwtacacs scheme clearpass
     primary authentication //ip-clearpass//
     primary authorization //ip-clearpass//
     primary accounting //ip-clearpass//
     key authentication cipher //keyhere//
     key authorization cipher //keyhere//
     key accounting cipher //keyhere//
     nas-ip #.#.#.#
     user-name-format without-domain

    domain tacacs
     authentication login hwtacacs-scheme clearpass local
     authorization login hwtacacs-scheme clearpass local
     accounting login hwtacacs-scheme clearpass local
     authorization command hwtacacs-scheme clearpass local

    domain default enable tacacs

    public-key local create rsa
    ssh server enable

    user-interface vty 0 15
     authentication-mode scheme
     protocol inbound ssh


    ------------------------------
    Marcel Koedijk | MVP Expert 2023 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------



  • 4.  RE: TACACS not working on HP 5130 JG937A
    Best Answer

    MVP EXPERT
    Posted Jan 19, 2024 01:44 PM

    See my full configuration notes in the attached PDF.

    Note: have fun with my hashes ;)



    ------------------------------
    Marcel Koedijk | MVP Expert 2023 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------



  • 5.  RE: TACACS not working on HP 5130 JG937A

    Posted Jan 22, 2024 05:40 AM

    Thank you guys so much, you have helped me a lot.