MSR路由器 对接思科ACS服务器TACACS+认证读写账号登录失败

MSR路由器与ACS对接无问题。

使用只读账号(aaa)登录无问题，使用读写账号(bbb)登录后弹出banner 后，出现login faied 情况后断开SSH连接。

测试新建其他账号，只读的账号可以登录，读写的账号不能登录。

*Oct 18 08:55:21:392 2022 DEVICE TACACS/7/send_packet:

version: 0xc0  type: ACCOUNT_REQUEST  seq_no: 1  flag: ENCRYPTED_FLAG

session-id: 0x1******

length of payload: 66

flags: START

authen_method: NONE  authen_service: LOGIN

user_len: 7   port_len: 4   rem_len: 11   arg_cnt: 3

arg0_len: 9     arg1_len: 10    arg2_len: 13

user: aaa

port: vty1

rem_addr: *.*.*.*

arg0: task_id=0  arg1: timezone=0

arg2: service=shell 

*Oct 18 08:55:21:394 2022 DEVICE TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.

*Oct 18 08:55:21:394 2022 DEVICE TACACS/7/EVENT: PAM_TACACS: Received socket close event.

*Oct 18 08:55:21:394 2022 DEVICE TACACS/7/ERROR: PAM_TACACS: Failed to get available server.

*Oct 18 08:55:21:394 2022 DEVICE TACACS/7/EVENT: PAM_TACACS: Processed accounting-start reply message, resultCode: 5.

*Oct 18 08:55:21:396 2022 DEVICE TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.

%Oct 18 08:55:21:644 2022 DEVICE SHELL/5/SHELL_LOGIN: aaa logged in from *.*.*.*

*Oct 18 08:55:41:836 2022 DEVICE TACACS/7/send_packet:

version: 0xc0  type: ACCOUNT_REQUEST  seq_no: 1  flag: ENCRYPTED_FLAG

session-id: 0xe******

length of payload: 71

flags: START

authen_method: NONE  authen_service: LOGIN

user_len: 12   port_len: 4   rem_len: 11   arg_cnt: 3

arg0_len: 9     arg1_len: 10    arg2_len: 13

user: bbb

port: vty1

rem_addr: *.*.*.*

arg0: task_id=0  arg1: timezone=0

arg2: service=shell 

*Oct 18 08:55:41:839 2022 DEVICE TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.

*Oct 18 08:55:41:839 2022 DEVICE TACACS/7/EVENT: PAM_TACACS: Received socket close event.

*Oct 18 08:55:41:839 2022 DEVICE TACACS/7/ERROR: PAM_TACACS: Failed to get available server.

*Oct 18 08:55:41:839 2022 DEVICE TACACS/7/EVENT: PAM_TACACS: Processed accounting-start reply message, resultCode: 5.

*Oct 18 08:55:41:840 2022 DEVICE TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.

%Oct 18 08:55:41:845 2022 DEVICE LOGIN/5/LOGIN_FAILED: bbb failed to log in from *.*.*.*

domain acs

authentication login hwtacacs-scheme acs local

authorization login hwtacacs-scheme acs local

accounting login hwtacacs-scheme acs local

authorization command hwtacacs-scheme acs local

accounting command hwtacacs-scheme acs

local-user aaa class manage

password hash ******

service-type ssh telnet terminal

authorization-attribute user-role network-admin

authorization-attribute user-role network-operator

两个用户实际是都是accounting-request发送后未收到正常的reply报文。 

aaa能正常登录，是因为本地有local-user用户配置，所以tacacs流程处理失败后进入local处理了。 

所以综上分析，怀疑是设备与tacacs+服务器的accounting报文交互有问题，原因有可能是两边accounting key不一致。 

重新配置一下两边的accounting秘钥。

如果还有问题，抓一下tacacs交互报文，并提供配置的秘钥明文，尝试用wireshark解包确认一下报文是否可以解析，验证秘钥是否正确。

最后现场反馈重新配置了两边的accounting秘钥就可以了。