You can troubleshoot TACACS authentication issues on the Versa FlexVNF device from the device's CLI.


Check TACACS Configuration on the FlexVNF Device 

To ensure that TACACS is configured properly on the Versa FlexVNF device, display the TACACS configuration on the FlexVNF device. Confirm the authentication order, the server address, the shared key and the configured actions (authentication and accounting). The key must be identical to the key line in the server's tac_plus.conf; a mismatch makes every authentication fail even though the server is reachable:

admin@B4-H1-cli> show configuration | display set | match aaa
set system external-aaa auth-order remote-then-local
set system external-aaa tacacs-plus
set system external-aaa tacacs-plus server 10.192.148.1 key versa123
set system external-aaa tacacs-plus action [ authentication accounting ]



Check TACACS Server Configuration

Ensure that the configuration on the TACACS server is correct: the key must match the key configured on the FlexVNF device, each user's member group must be defined, and each group's service = versa block must carry the Versa group AVP with the attribute name that the FlexVNF release expects (see below). The expires dates in the following sample are already in the past, so change them before reusing it. A typical TACACS server configuration looks like this:

$ vi /etc/tacacs+/tac_plus.conf
accounting file = /var/log/tac_plus.acct
key = versa123
##############Versa FlexVNF AAA Users###################
user = flex_oper {
member = flex_oper
login = cleartext "versa123"
pap = cleartext "versa123"
global = cleartext "versa123"
}
user = Test {
member = flex_admin
login = cleartext "versa123"
pap = cleartext "versa123"
global = cleartext "versa123"
}
#####################Versa-Flex_VNF Groups######################
group = flex_admin {
default service = permit
expires = "Jan 1 2020"
service = versa {
Versa-User-Group = "admin"
}
}
group = flex_oper {
default service = permit
expires = "Jan 1 2020"
service = versa {
Versa-User-Group = "oper"
}
}
user = DEFAULT {
login = PAM
service = ppp protocol = ip {}
}



Verify Connectivity between Versa FlexVNF and TACACS Server

To check the connection between the Versa FlexVNF device and the TACACS server, ping the TACACS server's IP address:

admin@B4-H1-cli> ping 10.192.148.1
PING 10.192.148.1 (10.192.148.1) 56(84) bytes of data.
64 bytes from 10.192.148.1: icmp_seq=1 ttl=64 time=0.484 ms
64 bytes from 10.192.148.1: icmp_seq=2 ttl=64 time=0.302 ms


On the FlexVNF device, check that TCP port 49 (the TACACS+ port) on the server is reachable. A successful connection shows that the TACACS daemon is listening and that no firewall on the path blocks the port; a refusal or a timeout points to the daemon or to a filter rather than to the configuration. Press Ctrl-] and enter quit to close the session:

[admin@B4-H1: ~] # telnet 10.192.148.1 49
Trying 10.192.148.1...
Connected to 10.192.148.1.
Escape character is '^]'.



Check Log Files

You can check the log files to track the sequence of events when a user logs in to the Versa FlexVNF device and the device authenticates the user against the TACACS server.


Release 16.1R1

/var/log/versa/confd/audit.log contains the logs related to TACACS login:

# tail -f audit.log
<INFO> 25-Apr-2019::03:59:40.906 B4-H1 confd[1412]: audit user: Test/193086 assigned to groups: admin
<INFO> 25-Apr-2019::03:59:40.933 B4-H1 confd[1412]: audit user: Test/193087 assigned to groups: admin
<INFO> 25-Apr-2019::03:59:40.939 B4-H1 confd[1412]: audit user: Test/193087 CLI 'startup'
<INFO> 25-Apr-2019::03:59:40.948 B4-H1 confd[1412]: audit user: Test/193087 CLI done


Releases 16.1R2 and later

/var/log/syslog contains the logs related to TACACS login. The line Adding buf/value pair (Versa-User-Group,admin) records the AVP that the server returned for the session; it should be followed by Accepted password for the user and by the pam_unix line that opens the session:

# sudo tail -f syslog
2019-04-30 19:28:29 B4-H1 sshd[25716]: Did not receive identification string from 192.168.10.1
2019-04-30 00:12:10 B4-H1 sshd[25716]: Args cnt 1
2019-04-30 00:12:10 B4-H1 sshd[25716]: Adding buf/value pair (Versa-User-Group,admin)
2019-04-30 00:12:10 B4-H1 sshd[25716]: Accepted password for Test1 from 10.160.0.5 port 50075 ssh2
2019-04-30 00:12:10 B4-H1 sshd[25716]: pam_unix(sshd:session): session opened for user Test1 by (uid=0)
2019-04-30 04:29:55 B4-H1 sshd[25723]: message repeated 4 times: [ Did not receive identification string from 192.168.10.1]
2019-04-30 00:12:12 B4-H1 sshd[25723]: Args cnt 1
2019-04-30 00:12:12 B4-H1 sshd[25723]: Adding buf/value pair (Versa-User-Group,admin)
2019-04-30 00:12:12 B4-H1 sshd[25723]: Accepted password for Test1 from 10.160.0.5 port 50079 ssh2
2019-04-30 00:12:12 B4-H1 sshd[25723]: pam_unix(sshd:session): session opened for user Test1 by (uid=0)
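
The following script correlates the sshd lines above by PID so that each login attempt can be read as one record: the AVP the server returned, whether the password was accepted and whether PAM opened the session. It is an added example, not code from Versa; the syslog lines for PID 25716 are copied from the excerpt above, while PIDs 25801 and 25902 are constructed to show the two failure modes the page describes (a login with no Versa-User-Group AVP, and a failed password that counts toward the lockout threshold).

```python
"""Correlate the sshd lines that a TACACS login leaves in /var/log/syslog."""
import re
from collections import defaultdict

# Constructed sample: the four lines for PID 25716 are taken from the syslog
# excerpt on this page; PID 25801 (a login that received no Versa-User-Group
# AVP) and PID 25902 (a failed password) are invented for illustration.
SAMPLE_SYSLOG = """\
2019-04-30 00:12:10 B4-H1 sshd[25716]: Args cnt 1
2019-04-30 00:12:10 B4-H1 sshd[25716]: Adding buf/value pair (Versa-User-Group,admin)
2019-04-30 00:12:10 B4-H1 sshd[25716]: Accepted password for Test1 from 10.160.0.5 port 50075 ssh2
2019-04-30 00:12:10 B4-H1 sshd[25716]: pam_unix(sshd:session): session opened for user Test1 by (uid=0)
2019-04-30 00:13:02 B4-H1 sshd[25801]: Args cnt 0
2019-04-30 00:13:02 B4-H1 sshd[25801]: Accepted password for flex_oper from 10.160.0.7 port 50102 ssh2
2019-04-30 00:13:02 B4-H1 sshd[25801]: pam_unix(sshd:session): session opened for user flex_oper by (uid=0)
2019-04-30 00:14:30 B4-H1 sshd[25902]: Failed password for Test1 from 10.160.0.9 port 50110 ssh2
"""

LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
AVP = re.compile(r"Adding buf/value pair \(([^,]+),([^)]+)\)")
AUTH = re.compile(r"(Accepted|Failed) \w+ for (\S+) from (\S+) port (\d+)")
SESSION = re.compile(r"session opened for user (\S+)")


def correlate_logins(text):
    """Group sshd lines by PID; each PID is one SSH login attempt."""
    attempts = defaultdict(lambda: {"ts": None, "user": None, "src": None,
                                    "result": None, "avps": {}, "session": False})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        a = attempts[int(m["pid"])]
        a["ts"] = a["ts"] or m["ts"]
        msg = m["msg"]
        avp, auth = AVP.search(msg), AUTH.search(msg)
        if avp:
            a["avps"][avp.group(1)] = avp.group(2)
        elif auth:
            a["result"], a["user"] = auth.group(1), auth.group(2)
            a["src"] = f"{auth.group(3)}:{auth.group(4)}"
        elif SESSION.search(msg):
            a["session"] = True
    return dict(attempts)


def find_problems(text, avp_name="Versa-User-Group"):
    """Flag logins accepted without the group AVP (the CLI will offer only
    'exit') and count failed attempts per user (lockout after 10)."""
    problems, failures = [], defaultdict(int)
    for pid, a in sorted(correlate_logins(text).items()):
        if a["result"] == "Failed":
            failures[a["user"]] += 1
        elif a["result"] == "Accepted" and avp_name not in a["avps"]:
            problems.append(f"pid {pid}: {a['user']} from {a['src']} accepted without "
                            f"{avp_name}; check the group's 'service = versa' block")
    for user, n in failures.items():
        problems.append(f"{user}: {n} failed attempt(s); lockout after 10, "
                        "check with 'priv_run uattempts'")
    return problems


if __name__ == "__main__":
    for problem in find_problems(SAMPLE_SYSLOG):
        print(problem)
```

Run it against a copy of /var/log/syslog (for example: python3 script.py < /dev/null after replacing SAMPLE_SYSLOG with open("/var/log/syslog").read()). Pass avp_name="Versa-Group" on a Release 16.1R1 device, where the server returns the older attribute name.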


Capture Packets When You Cannot Log In through the TACACS Server

When you are unable to log in through the TACACS server, you can capture packets on the Ethernet interface on which the TACACS server is reachable. For example, if you reach the TACACS server on the eth0 interface, capture packets as follows. The output shows the Request (Q) packets that the FlexVNF device sends to the TACACS server and the Response (R) packets that the server returns; if only Q packets appear, the server is not answering, and if R packets appear but the login still fails, the shared key or the server-side user definition is the next thing to check.


# sudo tcpdump -i eth0 port 49 


Note that you must capture packets on the interface through which the TACACS server is reachable, whether that interface belongs to a transport network or to a LAN VR. You cannot use the tcpdump utility if the TACACS server is reachable only over the overlay network. Add -w <file> to write the capture to a file for offline analysis, and treat that file as sensitive, because the packet bodies are protected only by the shared key.
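
To read a captured TACACS+ packet beyond what tcpdump prints, the following script decodes the 12-byte header (direction from the sequence number: odd is a request, even is a response), and, given the shared key, recovers the body using the MD5 pseudo-pad that RFC 8907 specifies. It is an added example, not Versa or tac_plus code; the packet it builds is a constructed PAP authentication START for the user Test with the sample key versa123, and the port and rem_addr values are assumptions. The caveat it makes concrete: this obfuscation is not encryption, so anyone holding the key, or able to guess a weak one such as the sample's versa123, reads the password straight out of a capture.

```python
"""Decode a TACACS+ packet captured on port 49 and de-obfuscate its body (RFC 8907)."""
import hashlib
import struct

HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
TYPE_NAMES = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}
FLAG_UNENCRYPTED = 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """Body obfuscation pad: a chained MD5 over session_id, key, version, seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """XOR with the pad; the same call obfuscates and de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, password, session_id, key, version=0xC0, seq_no=1,
                       port="tty0", rem_addr="10.160.0.5"):
    """Client's AUTHEN START for PAP: the first Q packet on the wire (constructed)."""
    fields = [user.encode(), port.encode(), rem_addr.encode(), password.encode()]
    # action=LOGIN(1), priv_lvl=1, authen_type=PAP(2), authen_service=LOGIN(1), four lengths
    body = struct.pack("!BBBBBBBB", 1, 1, 2, 1, *(len(f) for f in fields)) + b"".join(fields)
    header = HEADER.pack(version, 1, seq_no, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, version, seq_no)


def decode(packet, key=None):
    """Parse the header; with the shared key (or the unencrypted flag) also return the body."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    info = {
        "direction": "Q" if seq_no % 2 else "R",   # odd = client->server, even = server->client
        "type": TYPE_NAMES.get(ptype, ptype), "seq_no": seq_no,
        "session_id": session_id, "length": length,
        "unencrypted": bool(flags & FLAG_UNENCRYPTED), "body": None,
    }
    if info["unencrypted"]:
        info["body"] = body
    elif key is not None:
        info["body"] = xor_body(body, session_id, key, version, seq_no)
    return info


def parse_authen_start(body):
    """Split a de-obfuscated AUTHEN START body into its fields."""
    action, priv_lvl, authen_type, _service, *lens = struct.unpack_from("!8B", body)
    off, parts = 8, []
    for n in lens:
        parts.append(body[off:off + n])
        off += n
    if off != len(body):   # lengths only add up when the key was right
        raise ValueError("field lengths do not add up: wrong key or not a START packet")
    user, port, rem_addr, data = parts
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "user": user.decode("ascii", "replace"), "port": port.decode("ascii", "replace"),
            "rem_addr": rem_addr.decode("ascii", "replace"), "data": data}


if __name__ == "__main__":
    pkt = build_authen_start("Test", "versa123", 0x1A2B3C4D, b"versa123")
    print(decode(pkt))                                           # header only, body None
    print(parse_authen_start(decode(pkt, b"versa123")["body"]))  # user and password in clear
```

To apply it to a real capture, take the TCP payload of one port-49 segment (for example from a pcap written with tcpdump -w) and pass those bytes to decode() with the device's key. A body whose field lengths do not add up after de-obfuscation is the signature of a key mismatch between the FlexVNF and the server.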


Unable To Execute a Command after Logging In to Versa FlexVNF Device

If the CLI offers no commands other than exit, the login itself succeeded but the TACACS server returned an incorrect attribute-value pair (AVP), so the user was not placed in a Versa user group. Here is an example of the CLI output:

Test@B4-H1> ?
Possible completions:
exit - Exit the management session --------------> No other command is available to execute

 

To fix this issue, configure the correct AVP on the TACACS server.

In Release 16.1R1, the attribute name must be "Versa-Group"; in Releases 16.1R2 and later it must be "Versa-User-Group", which is the name used in the service = versa blocks of the sample configuration above. Its value ("admin" or "oper" in the sample) selects the user group on the device. If you upgrade the software on the Versa FlexVNF device from Release 16.1R1 to Release 16.1R2 or later, you must rename the AVP on the TACACS server; otherwise every TACACS user lands in a CLI that offers only the exit command.
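
The checks from the server-configuration section and the AVP-name rule above can be automated. The following script is an added example, not part of Versa or of tac_plus: it parses a tac_plus.conf laid out one statement per line (as in the sample on this page), then reports a key that differs from the FlexVNF's, a user whose member group is undefined, a group whose service = versa block lacks the AVP name for the selected release (flagging the pre-upgrade name when that is what it finds), and a group whose expires date has passed. The embedded configuration is the sample from this page; the release labels "16.1R1" and "16.1R2+" are the script's own.

```python
"""Static checks on a tac_plus.conf against the FlexVNF's TACACS settings."""
from datetime import date, datetime

# Constructed sample, copied from the server configuration shown on this page.
SAMPLE_CONF = """\
accounting file = /var/log/tac_plus.acct
key = versa123
##############Versa FlexVNF AAA Users###################
user = flex_oper {
member = flex_oper
login = cleartext "versa123"
pap = cleartext "versa123"
global = cleartext "versa123"
}
user = Test {
member = flex_admin
login = cleartext "versa123"
pap = cleartext "versa123"
global = cleartext "versa123"
}
group = flex_admin {
default service = permit
expires = "Jan 1 2020"
service = versa {
Versa-User-Group = "admin"
}
}
group = flex_oper {
default service = permit
expires = "Jan 1 2020"
service = versa {
Versa-User-Group = "oper"
}
}
user = DEFAULT {
login = PAM
service = ppp protocol = ip {}
}
"""

# AVP name the FlexVNF expects per release, as stated on this page.
AVP_BY_RELEASE = {"16.1R1": "Versa-Group", "16.1R2+": "Versa-User-Group"}


def parse_conf(text):
    """Parse tac_plus.conf into nested dicts.

    Assumes the one-statement-per-line layout of the sample: a block header
    ends with '{' and a block closes with a lone '}'. Blocks are keyed by their
    header text (e.g. 'user = Test'); leaf statements by name, quotes stripped.
    """
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments (none inside quoted values here)
        if not line:
            continue
        if line == "}":
            cur = stack.pop()
        elif line.endswith("{"):
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            cur[name] = value.strip('"')
    return root


def audit(conf_text, device_key, release="16.1R2+", today=None):
    """Return (severity, message) findings for the problems this page describes."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    conf = parse_conf(conf_text)
    want_avp = AVP_BY_RELEASE[release]
    other_avp = next(v for v in AVP_BY_RELEASE.values() if v != want_avp)
    findings = []
    if conf.get("key") != device_key:
        findings.append(("ERROR", "server key differs from the FlexVNF 'tacacs-plus server ... key'"))
    groups = {h.split("=", 1)[1].strip(): body
              for h, body in conf.items() if h.startswith("group =") and isinstance(body, dict)}
    for header, body in conf.items():
        if not (header.startswith("user =") and isinstance(body, dict)):
            continue
        user = header.split("=", 1)[1].strip()
        group = body.get("member")
        if group is None:          # e.g. 'user = DEFAULT': handled by PAM, carries no Versa group
            continue
        if group not in groups:
            findings.append(("ERROR", f"user {user}: member group {group!r} is not defined"))
            continue
        versa = groups[group].get("service = versa", {})
        if want_avp not in versa:
            hint = f"; found {other_avp}, rename it after the upgrade" if other_avp in versa else ""
            findings.append(("ERROR", f"user {user}: group {group} lacks {want_avp}{hint}; "
                                      "the CLI will offer only 'exit'"))
        expires = groups[group].get("expires")
        if expires and datetime.strptime(expires, "%b %d %Y").date() < today:
            findings.append(("WARN", f"user {user}: group {group} expired on {expires}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONF, "versa123", release="16.1R1"):
        print(severity, message)
```

Run it with the key from show configuration | display set | match aaa on the device and the contents of /etc/tacacs+/tac_plus.conf from the server; pass release="16.1R1" only for devices that have not been upgraded.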


Check If User Is Locked Out Because of Too Many Unsuccessful Login Attempts


A user is locked out and cannot log in after 10 unsuccessful login attempts. Before you unlock an account, check the syslog entries described above to confirm that the failed attempts came from the expected source address; a burst of failures from an unfamiliar address is a sign of password guessing rather than of a forgotten password.

Check the number of unsuccessful login attempts recorded for the user:

[admin@BR3: ~] $ /opt/versa/util/priv_run uattempts <username>
59


If the number is 10 or greater, unlock the user's account:

[admin@BR3: cli> request system unlock-user <User-Name>