TACACS+ with my sql

Manoj Kumar Reddy
10-16-2003
Hi friends,

I just installed TACACS 4.4 Beta2 on Red Hat Linux 9. When I tried it
out with the /etc/passwd file I was able to authenticate users using
TACACS. But when I tried it out with MySQL (after building TACACS with
DB support and re-installing it) users are not authenticated, even if
the user name and password are correct. The request is coming to
TACACS, but the user is not authenticated.

my tac_plus.cfg is given below:

# Created by Devrim SERAL ((E-Mail Removed))
# It's a very simple configuration file.
# Please read user_guide and the tacacs+ FAQ for more information on
# more complex tacacs+ configuration files.
#

key = cisco
# If you like to have a common banner across your devices, uncomment and change
# to one that is appropriate for you. **This accepts \n as return character**
#prompt = "You are into restricted area of APSWAN. Contact (E-Mail Removed)."

# If you like to have your authentication, authorization and accounting done
# in a database
default db = "mysql://root:@localhost/tacacs"

# Use /etc/passwd file to do authentication

#default authentication = file /etc/passwd

# Now tacacs+ also use default PAM authentication
#default authentication = pam pap

# If you like to use DB authentication
default authentication = db "mysql://root:@localhost/tacacs/user?uid&password"
# db_type: mysql or null
# db_user: Database connect username
# db_pass: Database connection password
# db_hostname : Database hostname
# db_name : Database name
# db_table : authentication table name
# name_field and pass_field: Username and password field names in the db_table

# Accounting records log file

accounting file = /var/log/tac_acc.log

# Would you like to store accounting records in database..
# Same as above..

# All services are allowed..

#user = DEFAULT {
# service = ppp protocol = ip {}
#}

# Yes we have more features like per host key
#host = 127.0.0.1 {
# key = test
# type = cisco
# enable = enablepass
# prompt = "Welcome XXX ISP Access Router \n\nUsername:"
#}
#user = test {
# name = Test User
# pap = cleartext test
# member = staff
#}
#
#group = staff {
# time = "Wd1800-1817|!Wd1819-2000"
#}


my tac_plus.sql file (from which I built the database):

# This file created by Andrew Young
# For creating tac_plus database and tables

CREATE DATABASE tacacs;
USE tacacs;

# acl table :-
# id : ACL identification
# type : client/host
# seq : Sequence number
# permission: permit/deny rule in acl
# value : user/group id or client subnet
# value1 : if client acl, network of the client subnet
# if host acl, privilege level
# submask : Subnet mask

CREATE TABLE acl ( id INT(4) NOT NULL, type INT(1) NOT NULL,
seq INT(4) NOT NULL, permission INT(2) NOT NULL,
value VARCHAR(20) NOT NULL, value1 REAL, submask REAL,
PRIMARY KEY (id, type, seq) );
INSERT INTO acl VALUES (0, 1, 1, 57, "0.0.0.0/0", 0, 0);
# host table :-
# ip : IP V4 address of host
# hkey : Decryption key
# enable: Enable password for host that overrides all other enable passwords.
# prompt: Banner to be displayed on host
# network: Network of the IP
# submask: Subnet mask

CREATE TABLE host (ip varchar(16) NOT NULL PRIMARY KEY, hkey
varchar(20),
enable varchar(35), prompt TEXT, network REAL NOT NULL,
submask REAL NOT NULL, loginacl INT(4), enableacl INT(4),
INDEX net (network), INDEX sub (submask) );

# user table :-
# uid : User/Group id
# gid : Group id (used if the data is a user otherwise NULL)
# comment : Description about the user
# password : Password
# enable : Enable password
# gpassword : Global password
# arap : ARAP
# pap : PAP
# chap : CHAP
# mschap : MSCHAP
# expires : Expiration date and time
# b_author : Before authorization
# a_author : After authorization
# svc_dflt : Default behaviour for service or command
# maxsess : Maximum sessions
# user : 1 - User, 2 - Group
# acl_id : ACL that limits user/group to specific IP ranges
# sess : Current number of sessions open

CREATE TABLE user ( uid varchar(20) NOT NULL PRIMARY KEY, gid
varchar(20),
comment text, password varchar(35), enable varchar(35),
gpassword varchar(35), arap varchar(35), pap varchar(35),
chap varchar(35), mschap varchar(35), expires datetime,
b_author varchar(20), a_author varchar(20), svc_dflt int(4),
maxsess int(4), user int(1), acl_id int(4), sess int(4) );

# contact_info :- ONLY USED FOR THE TRACKING USERS VIA WEB
# uid : User id
# fname : First name
# surname : Surname (last name)
# address1 : Address
# address2 :
# city : City
# state : State
# zip : Zip code
# phone : Telephone number
# email : Email

CREATE TABLE contact_info ( uid varchar(20) NOT NULL PRIMARY KEY,
fname varchar(40) NOT NULL, surname varchar(40) NOT NULL,
address1 varchar(40), address2 varchar(40), city varchar(30),
state char(2), zip char(5), phone varchar(14), email varchar(100));

# admin table :- ONLY USED FOR WEB
# uid : User ID
# password : Password
# priv_lvl : Privilege Level
# link : Link to user table

CREATE TABLE admin ( uid varchar(20) NOT NULL PRIMARY KEY,
password VARCHAR(35) NOT NULL, priv_lvl INT(2), link INT(1));

INSERT INTO admin VALUES ('admin',ENCRYPT('system'), 15, 0);

# node table :-
# uid : User ID
# seq : Sequence number
# service : Service type (N_svc_cmd, N_svc_exec, N_svc_ppp, etc)
# type : Type of node (N_arg, N_optarg, N_permit, N_deny, etc)
# value : value of node
# value1 : value of node

CREATE TABLE node ( uid varchar(20) NOT NULL, seq int(4) NOT NULL,
service int(4) NOT NULL, type int(4), value varchar(50) NOT NULL,
value1 varchar(50), INDEX service(uid, service),
INDEX command(uid, service, value));

# accounting table :-
# date : Time stamp of occurrence
# nas : Network Access Server IP (e.g. switch)
# uid : User ID
# terminal : Terminal used to connect to device
# client_ip : Client IP
# type : service type (start, stop, etc..)
# service : service (exec, shell, etc..)
# priv_lvl : Privilege level (useful in network device)
# cmd : Command used
# elapsed_time : How much the user spent on router
# bytes_in : Incoming bytes to port
# bytes_out : Outgoing bytes from port

CREATE TABLE accounting( date datetime NOT NULL, nas varchar(16) NOT
NULL,
uid varchar(20) NOT NULL, terminal varchar(20),
client_ip varchar(16) NOT NULL, type varchar(20), service varchar(20),
priv_lvl INT(2), cmd varchar(255), elapsed_time INT(6),
bytes_in INT(10), bytes_out INT(10), INDEX date_index(date),
INDEX acct_index(uid), INDEX nas_index(nas),
INDEX client_index(client_ip));

# access table :-
# date : Time stamp of occurrence
# nas : Network Access Server IP (e.g. switch)
# terminal : Terminal used to connect to device
# uid : User ID
# client_ip : Client IP
# service : service (login, enable, etc..)
# status : rejected/accepted

CREATE TABLE access( date datetime NOT NULL, nas VARCHAR(16) NOT NULL,
terminal VARCHAR(20), uid VARCHAR(20) NOT NULL,
client_ip VARCHAR(16) NOT NULL, service VARCHAR(10), status
VARCHAR(10),
INDEX date_index(date), INDEX nas_index(nas), INDEX uid_index(uid),
INDEX client_index(client_ip) );

#create users needed to administrate tacacs

GRANT ALL ON tacacs.* TO tacacs@localhost IDENTIFIED BY 'tac_plus';
GRANT ALL ON tacacs.* TO tacacs IDENTIFIED BY 'tac_plus';

When I start tac_plus with debugging on I am getting the following
output:


root@localhost root]# tac_plus -C /etc/tacacs/tac_plus.cfg -g -t -d 120
Debug Options Selected:
AUTHORIZATION
AUTHENTICATION
PASSWD
ACCT
Reading config file /etc/tacacs/tac_plus.cfg
parced default db: mysql://root:@localhost/tacacs
Version 4.4beta2 (Extended Tac_plus) Initialized 1
tac_plus server 4.4beta2 starting
uid=0 euid=0 gid=0 egid=0 s=5
db_get_host: getting hkey from nas(10.37.5.2)
Peer address from TACACS is 10.37.5.2
NAC address from TACACS is 203.199.178.113/
db_get_host: getting prompt from nas(10.37.5.2)
db_get_host: getting hkey from nas(10.37.5.2)
authen: sent (
User Access Verification (4.4beta2)
Username: )
db_get_host: getting hkey from nas(10.37.5.2)
db_get_host: getting hkey from nas(10.37.5.2)
db_get_host: getting hkey from nas(10.37.5.2)
tac_login: Switching to DB verification
db_verify: verify user dncctr to mysql database
db_verify: Empty database userid or password
verify: login access for user 'dncctr' to port tty6 on 10.37.5.2 from
203.199.178.113/
cfg_check_host_group_access: checking login access to host '10.37.5.2'
for user 'dncctr'
cfg_check_host_group_access: access permitted because host not defined
verify: using default auth parameters
verify: Using auth_method db(44) with data
mysql://root:@localhost/tacacs/user?uid&password
db_verify: verify user dncctr to mysql database
db_verify: Empty database userid or password
verify: login db authentication unsuccessful
db_access: inserting record is successfull
login query for 'dncctr' tty6 from 10.37.5.2 rejected
db_get_host: getting hkey from nas(10.37.5.2)
db_get_host: getting hkey from nas(10.37.5.2)
Peer address from TACACS is 10.37.5.2
NAC address from TACACS is 203.199.178.113/
db_get_host: getting prompt from nas(10.37.5.2)
db_get_host: getting hkey from nas(10.37.5.2)
authen: sent (
User Access Verification (4.4beta2)
Username: )
db_get_host: getting hkey from nas(10.37.5.2)
db_get_host: getting hkey from nas(10.37.5.2)
db_get_host: getting hkey from nas(10.37.5.2)
tac_login: Switching to DB verification
db_verify: verify user apswan to mysql database
db_verify: Empty database userid or password
verify: login access for user 'apswan' to port tty6 on 10.37.5.2 from
203.199.178.113/
cfg_check_host_group_access: checking login access to host '10.37.5.2'
for user 'apswan'
cfg_check_host_group_access: access permitted because host not defined
verify: using default auth parameters
verify: Using auth_method db(44) with data
mysql://root:@localhost/tacacs/user?uid&password
db_verify: verify user apswan to mysql database
db_verify: Empty database userid or password
verify: login db authentication unsuccessful
db_access: inserting record is successfull
login query for 'apswan' tty6 from 10.37.5.2 rejected
db_get_host: getting hkey from nas(10.37.5.2)
db_get_host: getting hkey from nas(10.37.5.2)
Peer address from TACACS is 10.37.5.2
NAC address from TACACS is 203.199.178.113/
db_get_host: getting prompt from nas(10.37.5.2)
db_get_host: getting hkey from nas(10.37.5.2)
authen: sent (
User Access Verification (4.4beta2)
Username: )
db_get_host: getting hkey from nas(10.37.5.2)
db_get_host: getting prompt from nas(10.37.5.2)
db_get_host: getting hkey from nas(10.37.5.2)
authen: sent (
User Access Verification (4.4beta2)
Username: )
db_get_host: getting hkey from nas(10.37.5.2)
db_get_host: getting hkey from nas(10.37.5.2)
sockread: 10.37.5.2 tty6: fd 7 eof (connection closed)
read_packet: Read -1 bytes from 10.37.5.2 tty6, expecting 12
10.37.5.2 tty6: Null reply packet, expecting CONTINUE
db_get_host: getting hkey from nas(10.37.5.2)
Start accounting request
'Thu Oct 16 16:43:06 2003 10.37.5.2 apswan tty6 203.199.178.5/ stop
task_id=253 timezone=IST service=shell start_time=1066302599
elapsed_time=0 disc-cause=17
'
db_acct: log accounting record to database
db_acct: Empty database userid or password
db_get_host: getting hkey from nas(10.37.5.2)


This is the result I am getting. Leave the accounting part aside, as I have not
enabled it for the moment.


Can anybody help me solve this problem? Your help is much appreciated.

Thank you very much.

Bye
Manoj Kumar
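Two facts on this page line up: the posted config connects as `mysql://root:@localhost/...` (an empty password after the colon), and every DB lookup in the debug log ends with `db_verify: Empty database userid or password`, while the tac_plus.sql script already creates a dedicated `tacacs` account with password `tac_plus`. The following is an added example, not code from the post or from tac_plus: it parses the `db_type://db_user:db_pass@db_hostname/db_name/db_table?name_field&pass_field` URL form documented in the config comments and reports the problems a reviewer would flag before starting the daemon. That the daemon rejects an empty user or password field is inferred from the log message and is an assumption, as is the URL grammar itself.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed grammar of the tac_plus "db" URL, taken from the comments in the posted config:
#   <db_type>://<db_user>:<db_pass>@<db_hostname>/<db_name>[/<db_table>?<name_field>&<pass_field>]
DB_URL = re.compile(
    r"^(?P<db_type>[a-z]+)://(?P<db_user>[^:@/]*):(?P<db_pass>[^@/]*)@"
    r"(?P<db_hostname>[^/]+)/(?P<db_name>[^/?]+)"
    r"(?:/(?P<db_table>[^?]+)\?(?P<name_field>[^&]+)&(?P<pass_field>.+))?$"
)


@dataclass
class DbSpec:
    db_type: str
    db_user: str
    db_pass: str
    db_hostname: str
    db_name: str
    db_table: Optional[str] = None    # only present on the "default authentication" URL
    name_field: Optional[str] = None
    pass_field: Optional[str] = None


def parse_db_url(url: str) -> DbSpec:
    """Split a tac_plus db URL into its fields; raises ValueError on a malformed URL."""
    m = DB_URL.match(url)
    if not m:
        raise ValueError(f"not a tac_plus db URL: {url!r}")
    return DbSpec(**m.groupdict())


def check_db_spec(spec: DbSpec) -> List[str]:
    """Return the findings a defender would raise about a parsed db URL."""
    problems = []
    if not spec.db_user or not spec.db_pass:
        # Assumption: this is the condition behind the log line
        # "db_verify: Empty database userid or password".
        problems.append("empty database userid or password")
    if spec.db_user == "root":
        problems.append("daemon connects as the MySQL root account; use the dedicated tacacs user")
    if spec.db_type != "mysql":
        problems.append(f"unsupported db_type {spec.db_type!r}")
    return problems
```

Running `check_db_spec(parse_db_url("mysql://root:@localhost/tacacs/user?uid&password"))` reports both the empty password and the root account; the same URL with `tacacs:tac_plus` (the account the SQL script grants) reports nothing.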