Hi!
First let me say that we've got working Cisco IOS, NX-OS, IOS-XR, Juniper OS, Brocade Fabric OS, HP ProCurve and Comware 5; however NOT Comware 7.
For TACACS we're using tac_plus probono! (read carefully as there are several versions out there)
Configuration on the HP Comware 7:
hwtacacs scheme tacacs
primary authentication 1.1.1.1 49
key authentication simple myPassword
primary authorization 1.1.1.1 49
key authorization simple myPassword
user-name-format without-domain
!
domain tacacs
authentication login hwtacacs-scheme tacacs local
authorization login hwtacacs-scheme tacacs local
state active
!
domain default enable tacacs
!
line vty 0 63
authentication-mode scheme
user-role network-admin
!
TACACS Server Config (only showing necessary, keep in mind this is working with most vendors!)
group = admin {
enable = permit # Allow access to Privileged EXEC
service = shell { # Vendor: Cisco, HP, Brocade
optional brcd-role = admin # Fabric OS (must be optional!)
set priv-lvl = 15 # IOS/XE, NX-OS, PriVision, Comware
set role = network-admin
}
service = junos-exec { # Vendor: Juniper
set local-user-name = remote-su # Junos OS
}
}
Logging from tacacs-server
/var/log/tac_plus/access/20190624.log
2019-06-24 16:40:58 +0200 10.10.10.10 myUser Vlan-interface2001 10.10.10.20 ascii login succeeded
2019-06-24 16:43:30 +0200 10.10.10.10 myUser Vlan-interface2001 10.10.10.20 ascii login succeeded
Debug from Comware 7 switch
*Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processing TACACS authentication.
*Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Dispatching request, Primitive: authentication.
*Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Creating request data, data type: START
*Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Session successfully created.
*Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Getting available server, server-ip=1.1.1.1, server-port=49, VPN instance=--(public).
*Jun 24 16:43:30:158 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Connecting to server...
*Jun 24 16:43:30:362 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLOUT event.
*Jun 24 16:43:30:362 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Connection succeeded, server-ip=1.1.1.1, port=49, VPN instance=--(public).
*Jun 24 16:43:30:362 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Encapsulating authentication request packet.
*Jun 24 16:43:30:362 2019 mySwitch TACACS/7/send_packet:
version: 0xc0 type: AUTHEN_REQUEST seq_no: 1 flag: ENCRYPTED_FLAG
session-id: 0xafc472d8
length of payload: 61
action: LOGIN priv_lvl: 0 authen_type: ASCII service: LOGIN
user_len: 9 port_len: 18 rem_len: 14 data_len: 12
user: myUser
port: Vlan-interface2001
rem_addr: 10.10.10.20
data: ******
*Jun 24 16:43:30:400 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
*Jun 24 16:43:30:400 2019 mySwitch TACACS/7/recv_packet:
version: 0xc0 type: AUTHEN_REPLY seq_no: 2 flag: ENCRYPTED_FLAG
session-id: 0xafc472d8
length of payload: 6
status: STATUS_PASS flags: ECHO
server_msg len: 0 data len: 0
server_msg:
data:
*Jun 24 16:43:30:400 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processing authentication reply packet.
*Jun 24 16:43:30:400 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.
*Jun 24 16:43:30:401 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processed authentication reply message, resultCode: 0.
*Jun 24 16:43:30:401 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: TACACS authentication succeeded.
*Jun 24 16:43:30:402 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processing TACACS authorization.
*Jun 24 16:43:30:402 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Dispatching request, Primitive: authorization.
*Jun 24 16:43:30:402 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Creating request data, data type: START
*Jun 24 16:43:30:402 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Session successfully created.
*Jun 24 16:43:30:403 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Getting available server, server-ip=1.1.1.1, server-port=49, VPN instance=--(public).
*Jun 24 16:43:30:594 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Connecting to server...
*Jun 24 16:43:30:762 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLOUT event.
*Jun 24 16:43:30:762 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Connection succeeded, server-ip=1.1.1.1, port=49, VPN instance=--(public).
*Jun 24 16:43:30:762 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Encapsulating authorization request packet.
*Jun 24 16:43:30:763 2019 mySwitch TACACS/7/send_packet:
version: 0xc0 type: AUTHOR_REQUEST seq_no: 1 flag: ENCRYPTED_FLAG
session-id: 0xee0175cb
length of payload: 68
authen_method: TACACSPLUS priv_lvl: 0 authen_type: ASCII authen_service: LOGIN
user_len: 9 port_len: 18 rem_len: 14 arg_cnt: 2
arg0_len: 13 arg1_len: 4
user: myUser
port: Vlan-interface2001
rem_addr: 10.10.10.20
arg0: service=shell arg1: cmd*
*Jun 24 16:43:30:767 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
*Jun 24 16:43:30:767 2019 mySwitch TACACS/7/recv_packet:
version: 0xc0 type: AUTHOR_REPLY seq_no: 2 flag: ENCRYPTED_FLAG
session-id: 0xee0175cb
length of payload: 37
Status: STATUS_PASS_ADD arg_cnt: 2 server_msg len: 0 data len: 0
arg0_len: 11 arg1_len: 18
server_msg:
data:
arg0: priv-lvl=15 arg1: role=network-admin
*Jun 24 16:43:30:767 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processing authorization reply packet.
*Jun 24 16:43:30:767 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.
*Jun 24 16:43:30:768 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processed authorization reply message, resultCode: 0.
*Jun 24 16:43:30:768 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: TACACS authorization succeeded.
%Jun 24 16:43:30:772 2019 mySwitch SSHS/6/SSHS_LOG: Accepted password for myUser from 10.10.10.20 port 54064 ssh2.
%Jun 24 16:43:30:808 2019 mySwitch SSHS/6/SSHS_CONNECT: SSH user myUser (IP: 10.10.10.20) connected to the server successfully.
%Jun 24 16:43:30:936 2019 mySwitch LOGIN/6/LOGIN_FAILED: myUser failed to log in from 10.10.10.20.
%Jun 24 16:43:34:009 2019 mySwitch SSHS/6/SSHS_DISCONNECT: SSH user myUser (IP: 10.10.10.20) disconnected from the server.
Output from HP Comware Login Attempt
******************************************************************************
* Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
Login failed.
Connection to myswitch.my.domain closed.
What might I be missing? Right now I'm thinking vendor attributes, or whether I need to create a role on the switch like with Juniper.
// David
#comware7#HP
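The switch debug above prints the cleartext bodies of the AUTHOR_REQUEST and AUTHOR_REPLY. The following Python, added here and not part of David's post or of tac_plus, encodes and decodes those two bodies per RFC 8907 section 6 so the declared payload lengths (68 and 37) and the returned attribute-value pairs can be checked against what the device is configured to expect. The user and rem_addr values are constructed placeholders chosen to match the anonymised lengths in the trace (user_len 9, rem_len 14).

```python
import struct

# Field values from RFC 8907 (TACACS+), section 6 (authorization).
AUTHEN_METH_TACACSPLUS = 0x06
AUTHEN_TYPE_ASCII = 0x01
AUTHEN_SVC_LOGIN = 0x01
AUTHOR_STATUS_PASS_ADD = 0x01

def build_author_request(user, port, rem_addr, args, priv_lvl=0):
    """Encode an AUTHOR_REQUEST body (RFC 8907 6.1); args are b'attr=value' pairs."""
    fixed = struct.pack("!8B", AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII,
                        AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(args))
    return fixed + bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)

def build_author_reply(status, args, server_msg=b"", data=b""):
    """Encode an AUTHOR_REPLY body (RFC 8907 6.2)."""
    fixed = struct.pack("!BBHH", status, len(args), len(server_msg), len(data))
    return fixed + bytes(len(a) for a in args) + server_msg + data + b"".join(args)

def parse_author_reply(body):
    """Decode an AUTHOR_REPLY body into (status, server_msg, data, [args as str])."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    off = 6 + arg_cnt
    server_msg, off = body[off:off + msg_len], off + msg_len
    data, off = body[off:off + data_len], off + data_len
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode("ascii"))
        off += n
    if off != len(body):  # a malformed reply should be rejected, not partially trusted
        raise ValueError("AUTHOR_REPLY length does not match declared fields")
    return status, server_msg, data, args

def missing_attributes(reply_args, required):
    """Return the required attr=value pairs that the server did not send back."""
    return [r for r in required if r not in reply_args]

# Constructed sample mirroring the trace in the post: user_len 9, port_len 18, rem_len 14.
# "myUser001" and "192.168.10.200" are placeholders of the same length as the real values.
REQUEST = build_author_request(b"myUser001", b"Vlan-interface2001", b"192.168.10.200",
                               [b"service=shell", b"cmd*"])
REPLY = build_author_reply(AUTHOR_STATUS_PASS_ADD, [b"priv-lvl=15", b"role=network-admin"])

if __name__ == "__main__":
    print(len(REQUEST), len(REPLY))  # 68 and 37, matching "length of payload" in the debug
    print(parse_author_reply(REPLY))
    print(missing_attributes(parse_author_reply(REPLY)[3], ["role=network-admin"]))
```

The bodies here are the pre-obfuscation cleartext; on the wire they are XORed with the MD5 pad derived from the shared key and the 12-byte header, which the debug output has already stripped.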