RollerMatic
commented
6 months ago @iyyapa As I mentioned in the previous issue, it's hard for us to debug this problem without some information
- tacacs server and the client AAA configuration
- packet captures for both the multi-login and single-login flows from the server side and the client side (multi-login: user enters wrong credentials and then follows it up with correct credentials and is unauthorized. single-login: user logs in the first time with correct credentials and is authorized)
- clear separate client and server side debug logs for the correct flow (single-login) and the incorrect flow(multi-login). I am not sure the pdf attached above contains both the flows, and I am guessing at this point.
Coming to the logs attached above: I can see that all the authorization queries were accepted
authorization query for 'gcom' ssh from 192.168.0.233 accepted
the next log line which points to connection close
192.168.0.233 ssh: fd 5 eof (connection closed)
comes from https://github.com/mkouhei/tacacs-plus/blob/master/packet.c#L462. This denotes that the server tried to read from the TCP connection object but found that the connection had been closed by the remote end (the peer, in this case the extreme switch). This is expected behaviour from the server
Have you reached out to CISCO TAC for ISE and have them run debugs on the AAA side ? Why do we suspect a problem with the code ?
Please find the below topology..
The user wants to login with tacacs server, First two times user enters wrong credentials for that the server rejects the request and this expected.
Next user enters with correct credentials and could see that during authorization the connection got closed.
We could see this issue when we enter first wrong credentials and then correct credentials. I have attached the debug logs collected from tacacs server. 240212_083536_tacplus_debug_240213.pdf