The MSR router's integration with ACS (TACACS+) is otherwise working.
Logging in with the read-only account (aaa) works. Logging in with the read-write account (bbb) shows the login banner, then reports "login failed" and the SSH connection is dropped.
Creating additional test accounts gives the same pattern: read-only accounts can log in, read-write accounts cannot.
*Oct 18 08:55:21:392 2022 DEVICE TACACS/7/send_packet:
version: 0xc0 type: ACCOUNT_REQUEST seq_no: 1
flag: ENCRYPTED_FLAG
session-id: 0x1******
length of payload: 66
flags: START
authen_method: NONE authen_service: LOGIN
user_len: 7 port_len: 4 rem_len: 11 arg_cnt: 3
arg0_len: 9 arg1_len: 10 arg2_len: 13
user: aaa
port: vty1
rem_addr: *.*.*.*
arg0: task_id=0 arg1: timezone=0 arg2: service=shell
*Oct 18 08:55:21:394 2022 DEVICE TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
*Oct 18 08:55:21:394 2022 DEVICE TACACS/7/EVENT: PAM_TACACS: Received socket close event.
*Oct 18 08:55:21:394 2022 DEVICE TACACS/7/ERROR: PAM_TACACS: Failed to get available server.
*Oct 18 08:55:21:394 2022 DEVICE TACACS/7/EVENT: PAM_TACACS: Processed accounting-start reply message, resultCode: 5.
*Oct 18 08:55:21:396 2022 DEVICE TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.
%Oct 18 08:55:21:644 2022 DEVICE SHELL/5/SHELL_LOGIN: aaa logged in from *.*.*.*
*Oct 18 08:55:41:836 2022 DEVICE TACACS/7/send_packet:
version: 0xc0 type: ACCOUNT_REQUEST seq_no: 1
flag: ENCRYPTED_FLAG
session-id: 0xe******
length of payload: 71
flags: START
authen_method: NONE authen_service: LOGIN
user_len: 12 port_len: 4 rem_len: 11 arg_cnt: 3
arg0_len: 9 arg1_len: 10 arg2_len: 13
user: bbb
port: vty1
rem_addr: *.*.*.*
arg0: task_id=0 arg1: timezone=0 arg2: service=shell
*Oct 18 08:55:41:839 2022 DEVICE TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
*Oct 18 08:55:41:839 2022 DEVICE TACACS/7/EVENT: PAM_TACACS: Received socket close event.
*Oct 18 08:55:41:839 2022 DEVICE TACACS/7/ERROR: PAM_TACACS: Failed to get available server.
*Oct 18 08:55:41:839 2022 DEVICE TACACS/7/EVENT: PAM_TACACS: Processed accounting-start reply message, resultCode: 5.
*Oct 18 08:55:41:840 2022 DEVICE TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.
%Oct 18 08:55:41:845 2022 DEVICE LOGIN/5/LOGIN_FAILED: bbb failed to log in from *.*.*.*
domain acs
 authentication login hwtacacs-scheme acs local
 authorization login hwtacacs-scheme acs local
 accounting login hwtacacs-scheme acs local
 authorization command hwtacacs-scheme acs local
 accounting command hwtacacs-scheme acs
local-user aaa class manage
 password hash ******
 service-type ssh telnet terminal
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
The debug output shows the same pattern for both users: the device sends an ACCOUNT_REQUEST with the START flag, the server side closes the socket without sending a reply, and the TACACS module logs "Failed to get available server" with resultCode 5. The accounting START is only sent once the login itself has been authenticated, so the authentication exchange worked for both accounts; the two users differ only in what happens after accounting fails.
aaa can still log in because a local-user with that name exists, so when the TACACS flow fails the login falls through to local processing. bbb has no local user, so there is nothing to fall back to and the login is rejected.
Taken together, this points to a problem in the accounting exchange between the device and the TACACS+ server, most likely an accounting key that does not match on the two sides. A mismatch confined to accounting is possible because the HWTACACS scheme on the device takes separate keys for authentication, authorization and accounting (key authentication, key authorization, key accounting), so the other two functions keep working while the server cannot decrypt the accounting body and simply drops the connection.
Reconfigure the accounting key on both sides so they match.
If the problem persists, capture the TACACS+ exchange between the device and the server and, with the plaintext of the configured key, decode the packets in Wireshark (its TACACS+ dissector takes the shared key as a protocol preference). If the key is correct the packet bodies decode into readable user, port and argument fields; if it is wrong they do not, which confirms the mismatch.
One caveat on the local fallback: local-user aaa carries network-admin as well as network-operator. Whenever a stage falls back to local, the role a session receives comes from these local attributes rather than from the ACS policy, so a successful login during an AAA failure should be checked for the role it was actually granted, not taken as proof that the AAA path is healthy.
The site later reported that reconfiguring the accounting key on both sides resolved the problem.
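To make the failure mode concrete, here is an added example (not code from the original case, nor from the MSR or ACS vendors) that builds the accounting START request from the fields in the debug output, obfuscates it with a shared key as RFC 8907 section 5.2 specifies, and models a server that answers only when its own key lets it parse the body. The session-id, both keys, the 7-character username, the remote address and the SUCCESS reply are constructed assumptions; the port, the three arguments and the field lengths are the ones in the log, which is why the payload comes out to the logged 66 bytes.

```python
"""TACACS+ accounting START exchange with a shared-key mismatch (RFC 8907).

Added example, not code from the original case. Session-id, keys, username
and remote address are constructed; field sizes match the device debug output.
"""
import hashlib
import struct

HEADER_FMT = "!BBBBII"          # version, type, seq_no, flags, session_id, length
HEADER_LEN = 12
VERSION_DEFAULT = 0xC0          # major 0xC, minor 0 (matches "version: 0xc0")
TYPE_ACCT = 0x03                # accounting REQUEST / REPLY
UNENCRYPTED_FLAG = 0x01         # clear => body is obfuscated ("ENCRYPTED_FLAG")
ACCT_FLAG_START, ACCT_FLAG_STOP, ACCT_FLAG_WATCHDOG = 0x02, 0x04, 0x08
AUTHEN_METH_NONE, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x00, 0x01, 0x01
ACCT_STATUS_SUCCESS = 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """Section 5.2: chained MD5 keystream; everything but the key is on the wire."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pad; the same call applies and removes the obfuscation."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_acct_start(session_id, key, user, port, rem_addr, args, seq_no=1):
    """Encode an accounting REQUEST (section 7.1) carrying the START flag."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [x.encode() for x in args]
    body = struct.pack("!9B", ACCT_FLAG_START, AUTHEN_METH_NONE, 1,  # priv_lvl 1
                       AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                       len(u), len(p), len(r), len(a))
    body += bytes(len(x) for x in a) + u + p + r + b"".join(a)
    header = struct.pack(HEADER_FMT, VERSION_DEFAULT, TYPE_ACCT, seq_no, 0x00,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION_DEFAULT, seq_no)


def decode_acct_request(packet, key):
    """Parse a REQUEST with the given key; raise ValueError if the body does not parse."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:]
    if ptype != TYPE_ACCT or length != len(body) or len(body) < 9:
        raise ValueError("malformed header or truncated body")
    if not flags & UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    (acct_flags, authen_method, priv_lvl, authen_type, authen_service,
     user_len, port_len, rem_len, arg_cnt) = body[:9]
    arg_lens = list(body[9:9 + arg_cnt])
    # A wrong key turns the body into noise: flags, counts and lengths stop adding up.
    if (acct_flags not in (ACCT_FLAG_START, ACCT_FLAG_STOP, ACCT_FLAG_WATCHDOG)
            or len(arg_lens) != arg_cnt
            or 9 + arg_cnt + user_len + port_len + rem_len + sum(arg_lens) != len(body)):
        raise ValueError("body does not parse: wrong shared key or corrupted packet")
    off, fields = 9 + arg_cnt, []
    try:
        for n in (user_len, port_len, rem_len, *arg_lens):
            fields.append(body[off:off + n].decode("ascii"))
            off += n
    except UnicodeDecodeError:
        raise ValueError("non-ASCII field: wrong shared key") from None
    return {"version": version, "seq_no": seq_no, "session_id": session_id,
            "length": length, "acct_flags": acct_flags,
            "authen_method": authen_method, "authen_service": authen_service,
            "user": fields[0], "port": fields[1], "rem_addr": fields[2],
            "args": fields[3:]}


def server_reply(packet, server_key):
    """Model the server: a parsable request gets a SUCCESS REPLY (section 7.2) with
    seq_no+1; an unparsable one gets None, i.e. the server just closes the socket,
    which the device logged as 'Received socket close event' and no reply."""
    try:
        req = decode_acct_request(packet, server_key)
    except ValueError:
        return None
    body = struct.pack("!HHB", 0, 0, ACCT_STATUS_SUCCESS)  # no server_msg, no data
    seq_no = req["seq_no"] + 1
    header = struct.pack(HEADER_FMT, req["version"], TYPE_ACCT, seq_no, 0x00,
                         req["session_id"], len(body))
    return header + obfuscate(body, req["session_id"], server_key, req["version"], seq_no)


def run_exchange(device_key, server_key):
    """Device sends START; returns (payload_length, reply_status), where the
    status is None when the server closed the connection without answering."""
    session_id = 0x1A2B3C4D                               # constructed
    pkt = build_acct_start(session_id, device_key, "ro-user", "vty1", "192.0.2.100",
                           ["task_id=0", "timezone=0", "service=shell"])
    length = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])[5]
    reply = server_reply(pkt, server_key)
    if reply is None:
        return length, None
    hdr = struct.unpack(HEADER_FMT, reply[:HEADER_LEN])
    rbody = obfuscate(reply[HEADER_LEN:], hdr[4], device_key, hdr[0], hdr[2])
    return length, struct.unpack("!HHB", rbody[:5])[2]


if __name__ == "__main__":
    print(run_exchange(b"same-key", b"same-key"))      # (66, 1): START accepted
    print(run_exchange(b"device-key", b"server-key"))  # (66, None): socket closed, no reply
```

With matching keys the exchange returns (66, 1): the server parsed the START and acknowledged it. With different keys the server's decode fails and it returns nothing, the same "request sent, socket closed, no reply" pattern in the debug output above. Decoding a capture in Wireshark with the configured key tests exactly this property: with the right key the body parses into user, port and args; with the wrong key it is byte noise.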