    Validating a TACACS+ username/password?

    My Perl script accesses several devices through an SSH connection. The connection is verified by a Cisco ACS server using TACACS+. After three failed attempts by a user to connect via SSH, the user's account is locked out.

    I need to verify the user's credentials against the TACACS server and warn the user if it fails, before my script starts accessing our devices.

    I'm trying to use the Authen::TacacsPlus module, but every attempt to validate results in an "Authentication Failed" error message.

    What I have verified:
    - I can manually SSH to one of our devices and authenticate properly.
    - The username/password combination is good. It's my own and I can connect to our devices.
    - The key matches the one found on our devices.
    - The server IP matches the one found on our devices.
    - The server running the Perl script exists on the Cisco ACS server so the script should be allowed to authenticate via TACACS+.

    Below is the code I'm testing with... username/password changed of course. I'm running this via a web browser, as it's how my script will be working.

    use CGI::Carp qw( fatalsToBrowser );
    use Authen::TacacsPlus;
    $command= $];
    $title = "Perl Version";
    print "Content-type: text/html\n\n";
    print "<html><head><title>$title</title></head><body>";
    print "<h1>$title</h1>\n";
    print "Perl version : ".$command;
    print "<br/>\n";
    my $user='username';
    my $password='userpass';
    my $tac = new Authen::TacacsPlus(Host=>'', Key=>'us3r@@cc3ss');
    my $result = $tac->authen( "$user", "$pass" );
    print "Msg: " . Authen::TacacsPlus::errmsg() . " <br/>\n";
    print "Result: $result <br/>\n";
    print "</body></html>";

    The result always looks like this:

    Perl Version

    Perl version : 5.008008
    Msg: Authentication failed
    Result: 0
  2. #2
    You sure there's no dependencies for Authen::TacacsPlus you might be missing?
    What's the 'Key' field for, that's not a seed for a crypt function or similar, that would need to be the same on both sides?

    Just a thought
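A pre-flight check of the kind the question asks for, as an added example that is not part of either post. It runs under `use strict`, which would reject the posted script's `authen( "$user", "$pass" )` call at compile time, because only `$password` is declared there (without strict, Perl interpolates the unset `$pass` as an empty string). The environment variable names, the 15-second timeout and the three-way return value are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;     # an undeclared variable such as $pass is a compile-time error
use warnings;
use Authen::TacacsPlus;

# Assumption: server address and shared key come from the environment
# (hypothetical variable names) instead of being embedded in the script.
my $TAC_HOST = $ENV{TACACS_HOST};
my $TAC_KEY  = $ENV{TACACS_KEY};

# Returns ('ok'), ('rejected', $msg) or ('error', $msg).
sub check_tacacs_login {
    my ($user, $password) = @_;

    # An empty credential can only fail, so it is never sent to the server.
    for my $v ($user, $password, $TAC_HOST, $TAC_KEY) {
        return ('error', 'missing username, password, host or key')
            unless defined $v && length $v;
    }

    my $tac = Authen::TacacsPlus->new(
        Host    => $TAC_HOST,
        Key     => $TAC_KEY,
        Timeout => 15,
    );
    # No session object: report a transport problem, not bad credentials.
    return ('error', Authen::TacacsPlus::errmsg()) unless $tac;

    my $ok  = $tac->authen($user, $password);   # exactly one attempt
    my $msg = Authen::TacacsPlus::errmsg();
    $tac->close();

    return $ok ? ('ok') : ('rejected', $msg);
}

# Username on the first line of STDIN, password on the second.
my @in = map { defined $_ ? $_ : '' } scalar(<STDIN>), scalar(<STDIN>);
chomp @in;
my ($status, $msg) = check_tacacs_login(@in);
if ($status eq 'ok') {
    print "Credentials accepted; safe to start the SSH sessions.\n";
    exit 0;
}
print "Not connecting to any device ($status): $msg\n";
exit 1;
```

Keeping 'error' separate from 'rejected' lets the caller tell the user whether the credentials were refused or the check itself could not run.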
