RE: tacacs+ / Too many iterations for choose_authen
On Sat, 7 Feb 1998, Evgeny Stambulchik wrote:
>
> On 06-Feb-98 Alexander Indenbaum wrote:
> > Hi!
> >
> > We just started to use cisco dial up terminal servers with tacacs+
> > to provide callback services for win95/nt clients.
> >
> > Anyway, everything seems to be OK except to strange tacacs+ server
> > behaviour which runs on RH4.2 Linux box.
> >
> > Here what I see in tacacs+ logs:
> > Sun Feb 1 13:17:36 1998 [16206]: exit status=0
> > Sun Feb 1 13:17:49 1998 [27787]: forked 16225
> > Sun Feb 1 13:19:50 1998 [16225]: Error ts.abirnet.co.il: Too many
> > iterations for choose_authen
> > Sun Feb 1 13:19:50 1998 [16225]: exit status=0
> > Sun Feb 1 13:20:03 1998 [27787]: forked 16466
> > Sun Feb 1 13:22:06 1998 [16466]: Error ts.abirnet.co.il: Too many
> > iterations for choose_authen
>
> Make sure Cisco is properly configured to use tacacs+:
>
> !
> tacacs-server host <ip of tacacs+ server>
> !
> aaa new-model
> aaa authentication login default tacacs+ enable
> aaa accounting exec start-stop tacacs+
> aaa accounting network start-stop tacacs+
> !
After I checked tacacs sources and thought a little bit I came to a
conclusion that it is a configuration problem and not a tacacs bug.
Terminal server continues to send packets to tacacs ( every two minutes or
so for hours after last login attempt ) and not as I thought
that tacacs is entering an infinite loop.
I have more lines of configuration for aaa and tacacs :
!
tacacs-server host 194.90.211.10
tacacs-server attempts 1
tacacs-server timeout 8
!
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication login telnet line
aaa authentication login managers line
aaa authentication ppp default if-needed tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+ none
aaa accounting exec start-stop tacacs+
aaa accounting network start-stop tacacs+
Anyway, it is pretty standard configuration except for two things:
1. Call back - microsoft uses non-standard call back negotiation, so
configuration of Win95/NT clients is pretty ugly.
2. it also does netbios ( in addition to ip ) over ppp so dial up
users will be able to use microsoft network via dial up
>
> It works for me for a year with no problems. Did you compile the tacacs
> yourself?
Well of course I compiled tacacs myself :{)
The only change that I made, though, was log files paths.
>
> Regards,
>
> Evgeny
>
> ____________________________________________________________
> / Evgeny Stambulchik <fnevgeny@plasma-gate.weizmann.ac.il> \
> / Plasma Laboratory, Weizmann Institute of Science, Israel \ \
> | Phone : (972)8-934-3610 == | == FAX : (972)8-934-3491 | |
> | URL : http://plasma-gate.weizmann.ac.il/~fnevgeny/ | |
> | Finger for PGP key >=====================================+ |
> |______________________________________________________________|
>
Alexander Indenbaum
baum@actcom.co.il
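The thread's diagnosis rests on reading the tac_plus log: each "forked N" line is written by the parent daemon, the "Too many iterations for choose_authen" line is written by child N about two minutes later, and a new child is forked a few seconds after that, for hours. The script below is an added example (not code from the thread or from tac_plus) that quantifies that cadence: it joins fork and error lines on pid, measures how long each handler lived before giving up and how regularly the terminal server reconnected, and flags the timer-like pattern that points at the NAS retrying rather than at a server-side loop. The sample log is constructed from the lines quoted above, with a third cycle (pid 16700) added to make the repetition visible; the log line format is assumed to be exactly the one shown in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the first two cycles are the lines quoted in the thread;
# the third cycle (pid 16700) is added here to make the repetition visible.
SAMPLE_LOG = """\
Sun Feb  1 13:17:36 1998 [16206]: exit status=0
Sun Feb  1 13:17:49 1998 [27787]: forked 16225
Sun Feb  1 13:19:50 1998 [16225]: Error ts.abirnet.co.il: Too many iterations for choose_authen
Sun Feb  1 13:19:50 1998 [16225]: exit status=0
Sun Feb  1 13:20:03 1998 [27787]: forked 16466
Sun Feb  1 13:22:06 1998 [16466]: Error ts.abirnet.co.il: Too many iterations for choose_authen
Sun Feb  1 13:22:06 1998 [16466]: exit status=0
Sun Feb  1 13:22:19 1998 [27787]: forked 16700
Sun Feb  1 13:24:21 1998 [16700]: Error ts.abirnet.co.il: Too many iterations for choose_authen
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})\s+\[(\d+)\]:\s+(.*)$"
)
FORK_RE = re.compile(r"^forked (\d+)$")
ERROR_RE = re.compile(r"^Error (\S+): Too many iterations for choose_authen$")


def parse_line(line):
    """Split one log line into (timestamp, pid, message); None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    stamp = " ".join(m.group(1).split())  # collapse the space-padded day of month
    ts = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
    return ts, int(m.group(2)), m.group(3)


def collect_errors(lines):
    """Map NAS host -> list of (fork_ts, error_ts) for every choose_authen error.

    'forked N' is logged by the parent with the child's pid in the message,
    while the error is logged by the child itself, so the two are joined on pid.
    """
    forked_at = {}
    errors = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, pid, msg = parsed
        fm = FORK_RE.match(msg)
        if fm:
            forked_at[int(fm.group(1))] = ts
            continue
        em = ERROR_RE.match(msg)
        if em:
            errors[em.group(1)].append((forked_at.get(pid), ts))
    return dict(errors)


def summarize(events, tolerance_s=30):
    """Describe the cadence of one NAS's errors.

    session_s: how long each forked handler lived before giving up.
    gap_s:     seconds between successive forks, i.e. how often the NAS reconnects.
    regular:   True when all gaps lie within tolerance_s of each other, which is
               what a NAS retrying on a timer looks like, as opposed to a burst
               of real user logins.
    """
    sessions = [int((err - fork).total_seconds()) for fork, err in events if fork is not None]
    forks = [fork for fork, _ in events if fork is not None]
    gaps = [int((b - a).total_seconds()) for a, b in zip(forks, forks[1:])]
    regular = len(gaps) >= 2 and (max(gaps) - min(gaps)) <= tolerance_s
    return {"count": len(events), "session_s": sessions, "gap_s": gaps, "regular": regular}


def report(log_text):
    """Run the whole pipeline over a log blob and return {host: summary}."""
    return {host: summarize(ev) for host, ev in collect_errors(log_text.splitlines()).items()}


if __name__ == "__main__":
    for host, summary in report(SAMPLE_LOG).items():
        print(host, summary)
```

On the sample, every handler lives roughly two minutes before the error and the next fork follows about 135 seconds after the previous one, so the host is flagged as regular. Pointing the script at a real tac_plus log (one file per day) would show whether the cycles keep the same period long after the last genuine login, which is the observation the author used to rule out a server bug.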