I am trying to use external authentication with confd. All the settings were passed.
The TACACS server successfully authenticates, but confd is not accepting it even though it was sent in the right format.
<auth.6> taccli[26237]: accept admin 2000 2000 2000 /home/admin
<daemon.3> confd[25738]: - External auth program (user=shafath) ret bad output: Authenticating with serverip=1.2.3.4, Port=49, username=shafath
As the confd manual states in 14.4.4 External authentication, the format is correctly sent by tacclient, but confd still ignores it.
Any hint on what I should expect out of it?
Previously, when I wanted to ssh to my device, authentication would be carried out by TAC; the tacclient would be invoked by confd as part of external authentication.
Now, by changing it to the above, what should I expect in terms of behavior?
Current behavior after the change is:
ssh was not happening as in the previous case, and no myauth.log file was created.
The audit.log output is indicating that you have successfully logged in over ssh with admin group privilege. What didn’t work when you tried the auth.sh approach?
This log is from when I used external authentication with auth.sh, but when I revert to my TAC server the issue remains. I am not able to log in even though the right accept message is sent.
I would suggest double-checking what your tacclient is writing back to ConfD. Can you also write the same output to your terminal screen to compare? What do you see in audit.log when you use tacclient?
9-Jun-2016::02:15:17.251 confd[1744]: audit user: shafath/0 no such local user
9-Jun-2016::02:15:17.252 confd[1744]: audit user: shafath/0 Failed to login over ssh: No such local user
Now that external authentication is enabled via tacserver, why is it complaining about no such local user even though the authentication has been passed by the TACServer?
What do you have authOrder configured to in confd.conf? If localAuthentication is the last entry, the local AAA user table in CDB will be checked when external authentication has failed.
The log entry you showed describes exactly what the “bad output” is:
confd[25738]: - External auth program (user=shafath) ret bad output: Authenticating with serverip=1.2.3.4, Port=49, username=shafath
I.e. the “bad output” is what follows after “output:” in the message, i.e. “Authenticating with serverip=1.2.3.4, Port=49, username=shafath”. Probably some debug output from your authentication executable.
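As an added illustration of the point made in the last two replies (not code from the thread or from ConfD), here is a wrapper that sits between ConfD and the TACACS+ client, keeps only the one reply line ConfD understands on stdout, and diverts everything else (such as the "Authenticating with serverip=..." progress text) to stderr. The client path /usr/local/bin/taccli and the sample client output are assumptions constructed for the example.

```shell
#!/bin/sh
# Wrapper between ConfD and the external TACACS+ client (assumed path: /usr/local/bin/taccli).
# ConfD reads the program's stdout and expects exactly one reply line:
#   accept $groups $uid $gid $supplementary_gids $HOME
# or
#   reject $message
# Any other text on stdout is logged as "ret bad output" and the login fails,
# so debug output from the client must never reach stdout.

# Read the client's raw output on stdin; print the first accept/reject line
# on stdout and send every other line to stderr.
filter_auth_output() {
    reply=""
    while IFS= read -r line; do
        case "$line" in
            "accept "*|"reject "*)
                if [ -z "$reply" ]; then
                    reply="$line"
                fi
                ;;
            *)
                printf '%s\n' "$line" >&2   # debug/progress text, kept away from ConfD
                ;;
        esac
    done
    # Fail closed: a client that produced no reply must not be treated as an accept.
    if [ -z "$reply" ]; then
        reply="reject external auth program produced no reply"
    fi
    printf '%s\n' "$reply"
}

# Constructed sample of what a chatty client prints (not real taccli output).
SAMPLE_OUTPUT='Authenticating with serverip=1.2.3.4, Port=49, username=shafath
accept admin 2000 2000 2000 /home/admin'

# Real use: ConfD writes the credentials ("[user;password;]") on stdin;
# pass them through unchanged to the client and filter what it prints back.
#   read -r creds; printf '%s\n' "$creds" | /usr/local/bin/taccli | filter_auth_output
```

Running the sample through the filter leaves only the accept line on stdout, which is the line confd was rejecting as "bad output" because of the text printed before it.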