
RE: tacacs+ / Too many iterations for choose_authen



On Sat, 7 Feb 1998, Evgeny Stambulchik wrote:

> 
> On 06-Feb-98 Alexander Indenbaum wrote:
> >  Hi!
> >  
> >  We just started to use cisco dial up terminal servers with tacacs+
> >  to provide callback services for win95/nt clients.
> >  
> >  Anyway, everything seems to be OK except to strange tacacs+ server
> >  behaviour which runs on RH4.2 Linux box.
> >  
> >  Here what I see in tacacs+ logs:
> >  Sun Feb  1 13:17:36 1998 [16206]: exit status=0
> >  Sun Feb  1 13:17:49 1998 [27787]: forked 16225
> >  Sun Feb  1 13:19:50 1998 [16225]: Error ts.abirnet.co.il: Too many
> >  iterations for choose_authen
> >  Sun Feb  1 13:19:50 1998 [16225]: exit status=0
> >  Sun Feb  1 13:20:03 1998 [27787]: forked 16466
> >  Sun Feb  1 13:22:06 1998 [16466]: Error ts.abirnet.co.il: Too many
> >  iterations for choose_authen
> 
> Make sure Cisco is properly configured to use tacacs+:
> 
> !
> tacacs-server host <ip of tacacs+ server>
> !
> aaa new-model
> aaa authentication login default tacacs+ enable
> aaa accounting exec start-stop tacacs+
> aaa accounting network start-stop tacacs+
> !

After I checked the tacacs sources and thought a little bit I came to the
conclusion that it is a configuration problem and not a tacacs bug.
The terminal server continues to send packets to tacacs (every two minutes or
so, for hours after the last login attempt), and it is not, as I thought,
tacacs entering an infinite loop.

I have more lines of configuration for aaa and tacacs :
!
tacacs-server host 194.90.211.10
tacacs-server attempts 1
tacacs-server timeout 8
!
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication login telnet line
aaa authentication login managers line
aaa authentication ppp default if-needed tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+ none
aaa accounting exec start-stop tacacs+
aaa accounting network start-stop tacacs+


Anyway, it is a pretty standard configuration except for two things:
1. Call back - Microsoft uses non-standard call back negotiation, so
   configuration of Win95/NT clients is pretty ugly.
2. It also does NetBIOS (in addition to IP) over PPP so dial-up
   users will be able to use Microsoft network via dial-up.

> 
> It works for me for a year with no problems. Did you compile the tacacs 
> yourself?

Well of course I compiled tacacs myself :{)
The only change that I made, though, was the log file paths.

> 
> Regards,
> 
> Evgeny
> 
>  ____________________________________________________________
> / Evgeny Stambulchik  <fnevgeny@plasma-gate.weizmann.ac.il>  \
> /  Plasma Laboratory, Weizmann Institute of Science, Israel \  \
> |  Phone : (972)8-934-3610  == | == FAX   : (972)8-934-3491 |  |
> |  URL   :    http://plasma-gate.weizmann.ac.il/~fnevgeny/  |  |
> |  Finger for PGP key >=====================================+  |
> |______________________________________________________________|
> 

  Alexander Indenbaum
  baum@actcom.co.il
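The conclusion above rests on reading the daemon log: each "forked" child lives about two minutes before it logs "Too many iterations for choose_authen", and the terminal server comes back a few seconds later. The following script is an added example, not code from this thread or from the tacacs+ distribution, that parses tacacs+ daemon log lines of the format quoted in the email and reports per-NAS repeated choose_authen errors together with the interval between them and the lifetime of each forked child. The sample log is constructed from the excerpt in the email (the wrapped "Too many / iterations" lines joined back together); the final "exit status=0" line for pid 16466 is assumed, since the quoted excerpt stops at the second error.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the log excerpt from the email with the wrapped lines
# rejoined, plus an assumed final "exit status=0" for pid 16466.
SAMPLE_LOG = """\
Sun Feb  1 13:17:36 1998 [16206]: exit status=0
Sun Feb  1 13:17:49 1998 [27787]: forked 16225
Sun Feb  1 13:19:50 1998 [16225]: Error ts.abirnet.co.il: Too many iterations for choose_authen
Sun Feb  1 13:19:50 1998 [16225]: exit status=0
Sun Feb  1 13:20:03 1998 [27787]: forked 16466
Sun Feb  1 13:22:06 1998 [16466]: Error ts.abirnet.co.il: Too many iterations for choose_authen
Sun Feb  1 13:22:06 1998 [16466]: exit status=0
"""

TS_FMT = "%a %b %d %H:%M:%S %Y"
# "<weekday> <month> <day> <time> <year> [<pid>]: <message>"; the day is
# space-padded in the daemon's ctime-style timestamp, hence \s+ and \d{1,2}.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CHOOSE_AUTHEN_RE = re.compile(
    r"^Error (?P<host>\S+): Too many iterations for choose_authen$"
)
FORK_RE = re.compile(r"^forked (?P<child>\d+)$")
EXIT_RE = re.compile(r"^exit status=(?P<code>\d+)$")


def parse_log(text):
    """Return a list of (timestamp, pid, message); lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        events.append((ts, int(m.group("pid")), m.group("msg")))
    return events


def choose_authen_errors(events):
    """Group 'Too many iterations for choose_authen' errors by the NAS host name."""
    by_host = defaultdict(list)
    for ts, pid, msg in events:
        m = CHOOSE_AUTHEN_RE.match(msg)
        if m:
            by_host[m.group("host")].append((ts, pid))
    return dict(by_host)


def error_gaps_seconds(errors):
    """Seconds between consecutive errors for one host, in time order."""
    errors = sorted(errors)
    return [int((b[0] - a[0]).total_seconds()) for a, b in zip(errors, errors[1:])]


def child_lifetimes_seconds(events):
    """Map child pid -> seconds from the parent's 'forked <pid>' line to that child's 'exit status' line."""
    forked_at = {}
    lifetimes = {}
    for ts, pid, msg in events:
        m = FORK_RE.match(msg)
        if m:
            forked_at[int(m.group("child"))] = ts
            continue
        if EXIT_RE.match(msg) and pid in forked_at:
            lifetimes[pid] = int((ts - forked_at.pop(pid)).total_seconds())
    return lifetimes


def report(text, min_errors=2):
    """Hosts with at least min_errors choose_authen failures, with count and inter-error gaps."""
    events = parse_log(text)
    findings = {}
    for host, errs in choose_authen_errors(events).items():
        if len(errs) >= min_errors:
            findings[host] = {"count": len(errs), "gaps": error_gaps_seconds(errs)}
    return findings


if __name__ == "__main__":
    for host, f in report(SAMPLE_LOG).items():
        print(f"{host}: {f['count']} choose_authen errors, gaps (s): {f['gaps']}")
    for pid, secs in child_lifetimes_seconds(parse_log(SAMPLE_LOG)).items():
        print(f"child {pid} ran {secs}s before exiting")
```

On the sample, the one NAS shows two errors 136 seconds apart and each child runs 121 and 123 seconds before exiting, which matches the "every two minutes or so" pattern described in the reply; run over a real log it lets you tell a single NAS stuck in a retry loop apart from a daemon fault, and a host appearing here that is not in the tacacs+ configuration is worth looking at.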