TACACS+ with my sql

Discussion in 'Cisco' started by Manoj Kumar Reddy, Oct 16, 2003.

  1. hi friends,

    I just installed TACACS+ 4.4 Beta2 on Red Hat Linux 9. When I tried it
    out with the /etc/passwd file I was able to authenticate users using
    TACACS+. But when I tried it with MySQL (after building TACACS+ with
    db support and re-installing it) users are not authenticated, even if
    the user name and password are correct. The request is reaching
    TACACS+, but the user is not authenticated.

    my tac_plus.cfg is given below:

    # Created by Devrim SERAL()
    # It's very simple configuration file
    # Please read the user_guide and the tacacs+ FAQ for more information on
    # writing more complex tacacs+ configuration files.
    #

    key = cisco
    # If you like to have a common banner across your devices, uncomment and
    # change it to one that is appropriate for you. **This accepts \n as the
    # return character**
    #prompt = "You are into restricted area of APSWAN.contact
    ."

    # If you like to have your authentication, authorization and accounting
    # done in a database
    default db = "mysql://root:mad:localhost/tacacs"

    # Use /etc/passwd file to do authentication

    #default authentication = file /etc/passwd

    # Now tacacs+ also use default PAM authentication
    #default authentication = pam pap

    #If you like to use DB authentication
    default authentication = db
    "mysql://root:mad:localhost/tacacs/user?uid&password"
    # db_type: mysql or null
    # db_user: Database connect username
    # db_pass: Database connection password
    # db_hostname : Database hostname
    # db_name : Database name
    # db_table : authentication table name
    # name_field and pass_field: Username and password field names in the
    # db_table

    # Accounting records log file

    accounting file = /var/log/tac_acc.log

    # Would you like to store accounting records in database..
    # Same as above..

    # All services are allowed..

    #user = DEFAULT {
    # service = ppp protocol = ip {}
    #}

    # Yes we have more features like per host key
    #host = 127.0.0.1 {
    # key = test
    # type = cisco
    # enable = enablepass
    # prompt = "Welcome XXX ISP Access Router \n\nUsername:"
    #}
    #user = test {
    # name = Test User
    # pap = cleartext test
    # member = staff
    #}
    #
    #group = staff {
    # time = "Wd1800-1817|!Wd1819-2000"
    #}


    my tac_plus.sql file (from which I built the database):

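    # This file created by Andrew Young
    # For creating tac_plus database and tables
    #
    # MySQL dialect throughout: '#' line comments, INDEX clauses inside
    # CREATE TABLE, ENCRYPT() and GRANT ... IDENTIFIED BY. Run it once as a
    # MySQL administrative account. The tac_plus daemon should then connect
    # with the dedicated 'tacacs' account created at the end of this file,
    # not as the MySQL root user.

    CREATE DATABASE tacacs;
    USE tacacs;

    # acl table :-
    # id : ACL identification
    # type : client/host
    # seq : Sequence number
    # permission: permit/deny rule in acl
    # value : user/group id or client subnet
    # value1 : if client acl, network of the client subnet
    # if host acl, privilege level
    # submask : Subnet mask

    CREATE TABLE acl (
        id         INT(4) NOT NULL,
        type       INT(1) NOT NULL,
        seq        INT(4) NOT NULL,
        permission INT(2) NOT NULL,
        value      VARCHAR(20) NOT NULL,
        value1     REAL,
        submask    REAL,
        PRIMARY KEY (id, type, seq)
    );

    # Default catch-all ACL row. The explicit column list keeps the insert
    # correct if columns are ever reordered, and the string literal is
    # single-quoted so it still parses under ANSI_QUOTES (where "..." is an
    # identifier). The permission code 57 is taken from the original script;
    # its meaning is defined by the tac_plus DB code, not by this schema.
    INSERT INTO acl (id, type, seq, permission, value, value1, submask)
    VALUES (0, 1, 1, 57, '0.0.0.0/0', 0, 0);

    # host table :-
    # ip : IP V4 address of host
    # hkey : Decryption key (the per-host TACACS+ key, stored in cleartext;
    #        protect this table like the key directive in tac_plus.cfg)
    # enable: Enable password for host that overrides all other enable passwords.
    # prompt: Banner to be displayed on host
    # network: Network of the IP
    # submask: Subnet mask

    CREATE TABLE host (
        ip        VARCHAR(16) NOT NULL PRIMARY KEY,
        hkey      VARCHAR(20),
        enable    VARCHAR(35),
        prompt    TEXT,
        network   REAL NOT NULL,
        submask   REAL NOT NULL,
        loginacl  INT(4),
        enableacl INT(4),
        INDEX net (network),
        INDEX sub (submask)
    );

    # user table :-
    # uid : User/Group id
    # gid : Group id (used if the data is a user otherwise NULL)
    # comment : Description about the user
    # password : Password
    # enable : Enable password
    # gpassword : Global password
    # arap : ARAP
    # pap : PAP
    # chap : CHAP
    # mschap : MSCHAP
    # expires : Expiration date and time
    # b_author : Before authorization
    # a_author : After authorization
    # svc_dflt : Default behaviour for service or command
    # maxsess : Maximum sessions
    # user : 1 - User, 2 - Group
    # acl_id : ACL that limits user/group to specific IP ranges
    # sess : Current number of sessions open
    #
    # The table and its 'user' column share a name; tac_plus.cfg addresses the
    # table as .../tacacs/user?uid&password, so neither is renamed here.
    # This script inserts no rows into this table: accounts must be added
    # separately before DB authentication can succeed. Whether each password
    # column holds a crypt()-style hash (35 characters fits one, see the admin
    # table) or cleartext is decided by the tac_plus DB code, not by this schema.

    CREATE TABLE user (
        uid       VARCHAR(20) NOT NULL PRIMARY KEY,
        gid       VARCHAR(20),
        comment   TEXT,
        password  VARCHAR(35),
        enable    VARCHAR(35),
        gpassword VARCHAR(35),
        arap      VARCHAR(35),
        pap       VARCHAR(35),
        chap      VARCHAR(35),
        mschap    VARCHAR(35),
        expires   DATETIME,
        b_author  VARCHAR(20),
        a_author  VARCHAR(20),
        svc_dflt  INT(4),
        maxsess   INT(4),
        user      INT(1),
        acl_id    INT(4),
        sess      INT(4)
    );

    # contact_info :- ONLY USED FOR THE TRACKING USERS VIA WEB
    # uid : User id
    # fname : First name
    # surname : Surname (last name)
    # address1 : Address
    # address2 :
    # city : City
    # state : State
    # zip : Zip code
    # phone : Telephone number
    # email : Email

    CREATE TABLE contact_info (
        uid      VARCHAR(20) NOT NULL PRIMARY KEY,
        fname    VARCHAR(40) NOT NULL,
        surname  VARCHAR(40) NOT NULL,
        address1 VARCHAR(40),
        address2 VARCHAR(40),
        city     VARCHAR(30),
        state    CHAR(2),
        zip      CHAR(5),
        phone    VARCHAR(14),
        email    VARCHAR(100)
    );

    # admin table :- ONLY USED FOR WEB
    # uid : User ID
    # password : Password
    # priv_lvl : Privilege Level
    # link : Link to user table

    CREATE TABLE admin (
        uid      VARCHAR(20) NOT NULL PRIMARY KEY,
        password VARCHAR(35) NOT NULL,
        priv_lvl INT(2),
        link     INT(1)
    );

    # NOTE(review): this is a default web-admin credential shipped with the
    # script; change it before the web front end is reachable. ENCRYPT() hashes
    # with the platform crypt(), so its strength depends on that implementation
    # (traditional DES crypt only uses the first 8 characters of the password).
    INSERT INTO admin (uid, password, priv_lvl, link)
    VALUES ('admin', ENCRYPT('system'), 15, 0);

    # node table :-
    # uid : User ID
    # seq : Sequence number
    # service : Service type (N_svc_cmd, N_svc_exec, N_svc_ppp, etc)
    # type : Type of node (N_arg, N_optarg, N_permit, N_deny, etc)
    # value : value of node
    # value1 : value of node

    CREATE TABLE node (
        uid     VARCHAR(20) NOT NULL,
        seq     INT(4) NOT NULL,
        service INT(4) NOT NULL,
        type    INT(4),
        value   VARCHAR(50) NOT NULL,
        value1  VARCHAR(50),
        INDEX service (uid, service),
        INDEX command (uid, service, value)
    );

    # accounting table :-
    # date : Time stamp of occurrence
    # nas : Network Access Server IP (e.g. switch)
    # uid : User ID
    # terminal : Terminal used to connect to device
    # client_ip : Client IP
    # type : service type (start, stop, etc..)
    # service : service (exec, shell, etc..)
    # priv_lvl : Privilege level (useful in network device)
    # cmd : Command used
    # elapsed_time : How much time the user spent on the router
    # bytes_in : Incoming bytes to port
    # bytes_out : Outgoing bytes from port

    CREATE TABLE accounting (
        date         DATETIME NOT NULL,
        nas          VARCHAR(16) NOT NULL,
        uid          VARCHAR(20) NOT NULL,
        terminal     VARCHAR(20),
        client_ip    VARCHAR(16) NOT NULL,
        type         VARCHAR(20),
        service      VARCHAR(20),
        priv_lvl     INT(2),
        cmd          VARCHAR(255),
        elapsed_time INT(6),
        bytes_in     INT(10),
        bytes_out    INT(10),
        INDEX date_index (date),
        INDEX acct_index (uid),
        INDEX nas_index (nas),
        INDEX client_index (client_ip)
    );

    # access table :-
    # date : Time stamp of occurrence
    # nas : Network Access Server IP (e.g. switch)
    # terminal : Terminal used to connect to device
    # uid : User ID
    # client_ip : Client IP
    # service : service (login, enable, etc..)
    # status : rejected/accepted

    CREATE TABLE access (
        date      DATETIME NOT NULL,
        nas       VARCHAR(16) NOT NULL,
        terminal  VARCHAR(20),
        uid       VARCHAR(20) NOT NULL,
        client_ip VARCHAR(16) NOT NULL,
        service   VARCHAR(10),
        status    VARCHAR(10),
        INDEX date_index (date),
        INDEX nas_index (nas),
        INDEX uid_index (uid),
        INDEX client_index (client_ip)
    );

    # create users needed to administrate tacacs
    #
    # NOTE(review): the second GRANT has no host part, so it creates
    # 'tacacs'@'%' and allows this account to connect from any host. Keep only
    # the localhost grant unless the daemon really connects over the network,
    # replace the well-known default password, and consider narrowing ALL to
    # what the daemon needs (from the debug output it reads host and user and
    # inserts into access and accounting; acl and node presumably need SELECT
    # only). Both grants are kept here so existing deployments keep working.
    GRANT ALL ON tacacs.* TO tacacs@localhost IDENTIFIED BY 'tac_plus';
    GRANT ALL ON tacacs.* TO tacacs IDENTIFIED BY 'tac_plus';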

    When I start tac_plus with debugging on I get the following output:


    root@localhost root]# tac_plus -C /etc/tacacs/tac_plus.cfg -g -t -d
    120
    Debug Options Selected:
    AUTHORIZATION
    AUTHENTICATION
    PASSWD
    ACCT
    Reading config file /etc/tacacs/tac_plus.cfg
    parced default db: mysql://root:mad:localhost/tacacs
    Version 4.4beta2 (Extended Tac_plus) Initialized 1
    tac_plus server 4.4beta2 starting
    uid=0 euid=0 gid=0 egid=0 s=5
    db_get_host: getting hkey from nas(10.37.5.2)
    Peer address from TACACS is 10.37.5.2
    NAC address from TACACS is 203.199.178.113/
    db_get_host: getting prompt from nas(10.37.5.2)
    db_get_host: getting hkey from nas(10.37.5.2)
    authen: sent (
    User Access Verification (4.4beta2)
    Username: )
    db_get_host: getting hkey from nas(10.37.5.2)
    db_get_host: getting hkey from nas(10.37.5.2)
    db_get_host: getting hkey from nas(10.37.5.2)
    tac_login: Switching to DB verification
    db_verify: verify user dncctr to mysql database
    db_verify: Empty database userid or password
    verify: login access for user 'dncctr' to port tty6 on 10.37.5.2 from
    203.199.178.113/
    cfg_check_host_group_access: checking login access to host '10.37.5.2'
    for user 'dncctr'
    cfg_check_host_group_access: access permitted because host not defined
    verify: using default auth parameters
    verify: Using auth_method db(44) with data
    mysql://root:mad:localhost/tacacs/user?uid&password
    db_verify: verify user dncctr to mysql database
    db_verify: Empty database userid or password
    verify: login db authentication unsuccessful
    db_access: inserting record is successfull
    login query for 'dncctr' tty6 from 10.37.5.2 rejected
    db_get_host: getting hkey from nas(10.37.5.2)
    db_get_host: getting hkey from nas(10.37.5.2)
    Peer address from TACACS is 10.37.5.2
    NAC address from TACACS is 203.199.178.113/
    db_get_host: getting prompt from nas(10.37.5.2)
    db_get_host: getting hkey from nas(10.37.5.2)
    authen: sent (
    User Access Verification (4.4beta2)
    Username: )
    db_get_host: getting hkey from nas(10.37.5.2)
    db_get_host: getting hkey from nas(10.37.5.2)
    db_get_host: getting hkey from nas(10.37.5.2)
    tac_login: Switching to DB verification
    db_verify: verify user apswan to mysql database
    db_verify: Empty database userid or password
    verify: login access for user 'apswan' to port tty6 on 10.37.5.2 from
    203.199.178.113/
    cfg_check_host_group_access: checking login access to host '10.37.5.2'
    for user 'apswan'
    cfg_check_host_group_access: access permitted because host not defined
    verify: using default auth parameters
    verify: Using auth_method db(44) with data
    mysql://root:mad:localhost/tacacs/user?uid&password
    db_verify: verify user apswan to mysql database
    db_verify: Empty database userid or password
    verify: login db authentication unsuccessful
    db_access: inserting record is successfull
    login query for 'apswan' tty6 from 10.37.5.2 rejected
    db_get_host: getting hkey from nas(10.37.5.2)
    db_get_host: getting hkey from nas(10.37.5.2)
    Peer address from TACACS is 10.37.5.2
    NAC address from TACACS is 203.199.178.113/
    db_get_host: getting prompt from nas(10.37.5.2)
    db_get_host: getting hkey from nas(10.37.5.2)
    authen: sent (
    User Access Verification (4.4beta2)
    Username: )
    db_get_host: getting hkey from nas(10.37.5.2)
    db_get_host: getting prompt from nas(10.37.5.2)
    db_get_host: getting hkey from nas(10.37.5.2)
    authen: sent (
    User Access Verification (4.4beta2)
    Username: )
    db_get_host: getting hkey from nas(10.37.5.2)
    db_get_host: getting hkey from nas(10.37.5.2)
    sockread: 10.37.5.2 tty6: fd 7 eof (connection closed)
    read_packet: Read -1 bytes from 10.37.5.2 tty6, expecting 12
    10.37.5.2 tty6: Null reply packet, expecting CONTINUE
    db_get_host: getting hkey from nas(10.37.5.2)
    Start accounting request
    'Thu Oct 16 16:43:06 2003 10.37.5.2 apswan tty6 203.199.178.5/ stop
    task_id=253 timezone=IST service=shell start_time=1066302599
    elapsed_time=0 disc-cause=17
    '
    db_acct: log accounting record to database
    db_acct: Empty database userid or password
    db_get_host: getting hkey from nas(10.37.5.2)


    This is the result I am getting. Ignore the accounting part, as I have not
    enabled it for the moment.


    Can anybody help me solve this problem? Your help is much appreciated.

    thank you very much.

    bye
    Manoj Kumar
    Manoj Kumar Reddy, Oct 16, 2003