Monday, June 24, 2019

TACACS not working on HP Comware 7

Hi!

First let me say that we've got working Cisco IOS, NX-OS, IOS-XR, Juniper OS, Brocade Fabric OS, HP ProCurve and Comware 5; however NOT Comware 7.

For TACACS we're using tac_plus probono! (read carefully as there are several versions out there)

Configuration on the HP Comware 7:

hwtacacs scheme tacacs
 primary authentication 1.1.1.1 49
 key authentication simple myPassword
 primary authorization 1.1.1.1 49
 key authorization simple myPassword
 user-name-format without-domain
!
domain tacacs
 authentication login hwtacacs-scheme tacacs local
 authorization login hwtacacs-scheme tacacs local
 state active
!
domain default enable tacacs
!
line vty 0 63
 authentication-mode scheme
 user-role network-admin
!

TACACS Server Config (only showing the necessary part; keep in mind this is working with most vendors!)

group = admin {
    enable = permit                      # Allow access to Privileged EXEC
    service = shell {                    # Vendor: Cisco, HP, Brocade
        optional brcd-role = admin       # Fabric OS (must be optional!)
        set priv-lvl = 15                # IOS/XE, NX-OS, PriVision, Comware
        set role = network-admin
    }
    service = junos-exec {               # Vendor: Juniper
        set local-user-name = remote-su  # Junos OS
    }
}

Logging from the TACACS server

/var/log/tac_plus/access/20190624.log
2019-06-24 16:40:58 +0200 10.10.10.10 myUser Vlan-interface2001 10.10.10.20 ascii login succeeded
2019-06-24 16:43:30 +0200 10.10.10.10 myUser Vlan-interface2001 10.10.10.20 ascii login succeeded

Debug from the Comware 7 switch

*Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processing TACACS authentication.
*Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Dispatching request, Primitive: authentication.
*Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Creating request data, data type: START
*Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Session successfully created.
*Jun 24 16:43:30:062 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Getting available server, server-ip=1.1.1.1, server-port=49, VPN instance=--(public).
*Jun 24 16:43:30:158 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Connecting to server...
*Jun 24 16:43:30:362 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLOUT event.
*Jun 24 16:43:30:362 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Connection succeeded, server-ip=1.1.1.1, port=49, VPN instance=--(public).
*Jun 24 16:43:30:362 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Encapsulating authentication request packet.
*Jun 24 16:43:30:362 2019 mySwitch TACACS/7/send_packet:
  version: 0xc0
  type: AUTHEN_REQUEST
  seq_no: 1
  flag: ENCRYPTED_FLAG
  session-id: 0xafc472d8
  length of payload: 61
  action: LOGIN
  priv_lvl: 0
  authen_type: ASCII
  service: LOGIN
  user_len: 9
  port_len: 18
  rem_len: 14
  data_len: 12
  user: myUser
  port: Vlan-interface2001
  rem_addr: 10.10.10.20
  data: ******
*Jun 24 16:43:30:400 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
*Jun 24 16:43:30:400 2019 mySwitch TACACS/7/recv_packet:
  version: 0xc0
  type: AUTHEN_REPLY
  seq_no: 2
  flag: ENCRYPTED_FLAG
  session-id: 0xafc472d8
  length of payload: 6
  status: STATUS_PASS
  flags: ECHO
  server_msg len: 0
  data len: 0
  server_msg:
  data:
*Jun 24 16:43:30:400 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processing authentication reply packet.
*Jun 24 16:43:30:400 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.
*Jun 24 16:43:30:401 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processed authentication reply message, resultCode: 0.
*Jun 24 16:43:30:401 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: TACACS authentication succeeded.
*Jun 24 16:43:30:402 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processing TACACS authorization.
*Jun 24 16:43:30:402 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Dispatching request, Primitive: authorization.
*Jun 24 16:43:30:402 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Creating request data, data type: START
*Jun 24 16:43:30:402 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Session successfully created.
*Jun 24 16:43:30:403 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Getting available server, server-ip=1.1.1.1, server-port=49, VPN instance=--(public).
*Jun 24 16:43:30:594 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Connecting to server...
*Jun 24 16:43:30:762 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLOUT event.
*Jun 24 16:43:30:762 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Connection succeeded, server-ip=1.1.1.1, port=49, VPN instance=--(public).
*Jun 24 16:43:30:762 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Encapsulating authorization request packet.
*Jun 24 16:43:30:763 2019 mySwitch TACACS/7/send_packet:
  version: 0xc0
  type: AUTHOR_REQUEST
  seq_no: 1
  flag: ENCRYPTED_FLAG
  session-id: 0xee0175cb
  length of payload: 68
  authen_method: TACACSPLUS
  priv_lvl: 0
  authen_type: ASCII
  authen_service: LOGIN
  user_len: 9
  port_len: 18
  rem_len: 14
  arg_cnt: 2
  arg0_len: 13
  arg1_len: 4
  user: myUser
  port: Vlan-interface2001
  rem_addr: 10.10.10.20
  arg0: service=shell
  arg1: cmd*
*Jun 24 16:43:30:767 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
*Jun 24 16:43:30:767 2019 mySwitch TACACS/7/recv_packet:
  version: 0xc0
  type: AUTHOR_REPLY
  seq_no: 2
  flag: ENCRYPTED_FLAG
  session-id: 0xee0175cb
  length of payload: 37
  Status: STATUS_PASS_ADD
  arg_cnt: 2
  server_msg len: 0
  data len: 0
  arg0_len: 11
  arg1_len: 18
  server_msg:
  data:
  arg0: priv-lvl=15
  arg1: role=network-admin
*Jun 24 16:43:30:767 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processing authorization reply packet.
*Jun 24 16:43:30:767 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.
*Jun 24 16:43:30:768 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: Processed authorization reply message, resultCode: 0.
*Jun 24 16:43:30:768 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: TACACS authorization succeeded.
%Jun 24 16:43:30:772 2019 mySwitch SSHS/6/SSHS_LOG: Accepted password for myUser from 10.10.10.20 port 54064 ssh2.
%Jun 24 16:43:30:808 2019 mySwitch SSHS/6/SSHS_CONNECT: SSH user myUser (IP: 10.10.10.20) connected to the server successfully.
%Jun 24 16:43:30:936 2019 mySwitch LOGIN/6/LOGIN_FAILED: myUser failed to log in from 10.10.10.20.
%Jun 24 16:43:34:009 2019 mySwitch SSHS/6/SSHS_DISCONNECT: SSH user myUser (IP: 10.10.10.20) disconnected from the server.

Output from the HP Comware login attempt

******************************************************************************
* Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP          *
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************

Login failed.
Connection to myswitch.my.domain closed.

What might I be missing? Right now I'm thinking vendor attributes or if I need to create a role on the switch like with Juniper.

// David
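The debug output above is worth reading mechanically rather than by eye: both TACACS+ replies decrypt cleanly (so the shared key and reachability are fine), both carry a PASS status, the server's `priv-lvl=15` and `role=network-admin` attributes reach the switch, and only afterwards does the switch log `LOGIN_FAILED`. The following script is an added troubleshooting aid, not code from the post or from the tac_plus project: it parses Comware `TACACS/7` debug lines and the `SSHS`/`LOGIN` syslog lines into events, extracts the authorization reply attributes, compares them with the attributes the operator expects the server to send (a caller-supplied assumption, here taken from the tac_plus config above), and flags the "AAA passed but login still failed" pattern. The line-format regex is derived from the lines quoted in the post; the sample input is a constructed subset of those lines with each packet dump folded onto one line.

```python
import re

# Constructed sample input: a condensed subset of the Comware 7 debug output quoted in
# the post, with each packet dump folded onto one line so the sample stays short.
SAMPLE_DEBUG = """\
*Jun 24 16:43:30:400 2019 mySwitch TACACS/7/recv_packet: version: 0xc0 type: AUTHEN_REPLY seq_no: 2 flag: ENCRYPTED_FLAG session-id: 0xafc472d8 length of payload: 6 status: STATUS_PASS flags: ECHO server_msg len: 0 data len: 0 server_msg: data:
*Jun 24 16:43:30:401 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: TACACS authentication succeeded.
*Jun 24 16:43:30:763 2019 mySwitch TACACS/7/send_packet: version: 0xc0 type: AUTHOR_REQUEST seq_no: 1 flag: ENCRYPTED_FLAG session-id: 0xee0175cb length of payload: 68 authen_method: TACACSPLUS priv_lvl: 0 authen_type: ASCII authen_service: LOGIN user_len: 9 port_len: 18 rem_len: 14 arg_cnt: 2 arg0_len: 13 arg1_len: 4 user: myUser port: Vlan-interface2001 rem_addr: 10.10.10.20 arg0: service=shell arg1: cmd*
*Jun 24 16:43:30:767 2019 mySwitch TACACS/7/recv_packet: version: 0xc0 type: AUTHOR_REPLY seq_no: 2 flag: ENCRYPTED_FLAG session-id: 0xee0175cb length of payload: 37 Status: STATUS_PASS_ADD arg_cnt: 2 server_msg len: 0 data len: 0 arg0_len: 11 arg1_len: 18 server_msg: data: arg0: priv-lvl=15 arg1: role=network-admin
*Jun 24 16:43:30:768 2019 mySwitch TACACS/7/EVENT: PAM_TACACS: TACACS authorization succeeded.
%Jun 24 16:43:30:772 2019 mySwitch SSHS/6/SSHS_LOG: Accepted password for myUser from 10.10.10.20 port 54064 ssh2.
%Jun 24 16:43:30:936 2019 mySwitch LOGIN/6/LOGIN_FAILED: myUser failed to log in from 10.10.10.20.
"""

# Comware syslog/debug line: "*Jun 24 16:43:30:400 2019 host MODULE/sev/MNEMONIC: message"
# (format inferred from the lines quoted in the post, not from vendor documentation).
LINE_RE = re.compile(
    r"^[*%](?P<ts>\w{3} \d+ [\d:]+ \d{4}) (?P<host>\S+) "
    r"(?P<module>[A-Z]+)/(?P<sev>\d)/(?P<mnemonic>\w+): ?(?P<msg>.*)$"
)


def _first(pattern, text):
    """Return the first capture group of `pattern` in `text`, or None."""
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_debug(text):
    """Turn debug/syslog text into a list of event dicts; packet dumps get extra keys."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner lines, blank lines, anything not in the known format
        ev = m.groupdict()
        if ev["mnemonic"] in ("send_packet", "recv_packet"):
            msg = ev["msg"]
            ev["pkt_type"] = _first(r"\btype: (\w+)", msg)          # AUTHEN_REPLY, AUTHOR_REQUEST, ...
            ev["session"] = _first(r"session-id: (0x[0-9a-fA-F]+)", msg)
            ev["status"] = _first(r"\b[Ss]tatus: (\w+)", msg)       # STATUS_PASS, STATUS_PASS_ADD, ...
            # argN: key=value pairs; "arg0_len: 13" and "arg_cnt: 2" do not match "arg\d+: "
            pairs = re.findall(r"\barg\d+: (\S+)", msg)
            ev["args"] = dict(p.split("=", 1) for p in pairs if "=" in p)
        events.append(ev)
    return events


def diagnose(text, expected_attrs=None):
    """Summarise one login attempt and list findings a troubleshooter would act on."""
    events = parse_debug(text)
    authen = next((e for e in events if e.get("pkt_type") == "AUTHEN_REPLY"), None)
    author = next((e for e in events if e.get("pkt_type") == "AUTHOR_REPLY"), None)
    ssh_accepted = any(e["mnemonic"] == "SSHS_LOG" and "Accepted" in e["msg"] for e in events)
    login_failed = any(e["mnemonic"] == "LOGIN_FAILED" for e in events)
    result = {
        "authen_status": authen["status"] if authen else None,
        "author_status": author["status"] if author else None,
        "attrs": author["args"] if author else {},
        "ssh_accepted": ssh_accepted,
        "login_failed": login_failed,
        "findings": [],
    }
    # Check 1: did the server actually send the attributes the config claims to set?
    if expected_attrs:
        missing = {k: v for k, v in expected_attrs.items() if result["attrs"].get(k) != v}
        if missing:
            result["findings"].append(f"server did not return expected attributes: {missing}")
    # Check 2: the post's symptom - both AAA phases passed, yet the switch refused the login.
    if (result["authen_status"] == "STATUS_PASS"
            and result["author_status"] in ("STATUS_PASS_ADD", "STATUS_PASS_REPL")
            and login_failed):
        result["findings"].append(
            "TACACS+ authentication and authorization both passed and the reply decrypted, "
            "so the shared key and reachability are fine; LOGIN_FAILED is raised by the switch "
            "after the exchange, so examine how it consumes the returned attributes "
            f"{result['attrs']} rather than the transport."
        )
    return result


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_DEBUG, {"priv-lvl": "15", "role": "network-admin"})["findings"]:
        print("-", finding)
```

Run it against a full `debugging hwtacacs` capture pasted into a file, or feed the constructed sample as above; passing a different `expected_attrs` mapping (for instance the attribute names a given platform's documentation lists) immediately shows whether the gap is on the server side (attribute never sent) or on the switch side (attribute sent but not honoured), which is the distinction the post's question comes down to.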
