August 21st, 2012, 11:23 PM
Validating a TACACS+ username/password?
My Perl script accesses several devices through an SSH connection. The connection is verified by a Cisco ACS server using TACACS+. After three failed attempts by a user to connect via SSH, the user's account is locked out.
I need to verify the user's credentials against the TACACS server and warn the user if it fails, before my script starts accessing our devices.
I'm trying to use the Authen::TacacsPlus module, but every attempt to validate results in an "Authentication Failed" error message.
What I have verified:
- I can manually SSH to one of our devices and authenticate properly.
- The username/password combination is good. It's my own and I can connect to our devices.
- The key matches the one found on our devices.
- The server IP matches the one found on our devices.
- The server running the perl script exists on the Cisco ACS server so the script should be allowed to authenticate via TACACS+.
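Below is the code I'm testing with... username/password changed of course. I'm running this via a web browser, as it's how my script will be working.
use CGI::Carp qw( fatalsToBrowser );
use Authen::TacacsPlus;   # TACACS+ client module
my $title = "Perl Version";
my $command = $];         # Perl version number, e.g. 5.008008
my ($user, $pass) = ('username', 'password');   # placeholders for the changed credentials
print "Content-type: text/html\n\n";
print "Perl version : ".$command;
# Connect to the TACACS+ server with the shared key configured for this client
my $tac = Authen::TacacsPlus->new(Host=>'10.0.0.16', Key=>'us3r@@cc3ss');
# authen() returns true when the server accepts the credentials
my $result = $tac->authen( $user, $pass );
print "Msg: " . Authen::TacacsPlus::errmsg() . " <br/>\n";
print "Result: $result <br/>\n";
The result always looks like this:
Perl version : 5.008008
Msg: Authentication failed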
August 23rd, 2012, 05:23 PM
You sure there are no dependencies for Authen::TacacsPlus you might be missing?
What's the 'Key' field for? That's not a seed for a crypt function or similar, that would need to be the same on both sides?
Just a thought
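On the 'Key' question raised in the reply above, an added example (not code from either poster or from Authen::TacacsPlus): in TACACS+ the key is a shared secret that client and server both mix into an MD5-based pad XORed over each packet body, as specified in RFC 8907, so the two sides must hold the same value. The session id, the user name `alice`, the port `tty0` and the one-character-different server key are constructed sample values.

```perl
#!/usr/bin/perl
# Added example: TACACS+ body obfuscation as specified in RFC 8907.
use strict;
use warnings;
use Digest::MD5 qw(md5);

# Pseudo-pad = MD5 blocks chained over
# session_id . key . version . seq_no [. previous MD5 block]
sub pseudo_pad {
    my ($session_id, $key, $version, $seq_no, $len) = @_;
    my $seed = pack('N', $session_id) . $key . pack('CC', $version, $seq_no);
    my ($pad, $prev) = ('', '');
    while (length($pad) < $len) {
        $prev = md5($seed . $prev);
        $pad .= $prev;
    }
    return substr($pad, 0, $len);
}

# XOR is symmetric: the same routine obfuscates and de-obfuscates a body.
sub crypt_body {
    my ($body, $session_id, $key, $version, $seq_no) = @_;
    return $body ^ pseudo_pad($session_id, $key, $version, $seq_no, length($body));
}

# Constructed authentication START body: action=LOGIN, priv_lvl=1,
# authen_type=ASCII, service=LOGIN, then user/port/rem_addr/data lengths.
my ($user, $port) = ('alice', 'tty0');          # constructed sample values
my $body = pack('C8', 1, 1, 1, 1, length($user), length($port), 0, 0)
         . $user . $port;

my $session_id = 0x1A2B3C4D;    # constructed; a real client picks it at random
my $client_key = 'us3r@@cc3ss'; # key shown in the post above
my $wire = crypt_body($body, $session_id, $client_key, 0xC0, 1);

# Decode as a server would, once with the same key and once with a typo.
for my $server_key ($client_key, 'us3r@cc3ss') {
    my $plain = crypt_body($wire, $session_id, $server_key, 0xC0, 1);
    my ($user_len) = unpack('x4 C', $plain);
    printf "server key %-12s -> %s\n", $server_key,
        $plain eq $body ? "body decodes, user_len=$user_len"
                        : "body unreadable, user_len field reads $user_len";
}
```

The 12-byte TACACS+ header travels in the clear; only the body is covered by the pad, so a key mismatch shows up as a body whose length fields no longer add up.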