Authentication Failure with TACACS
I am attempting to set up a TACACS+ server (tac_plus) on RHEL 8 to authenticate logins to my network devices. I now get the following errors in /var/log/secure whenever I try to log in:
tac_plus: pam_unix(tac_plus:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=exadmin
krb5_child: Pre-authentication failed: Cannot read password
tac_plus: pam_sss(tac_plus:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=exadmin
tac_plus: pam_sss(tac_plus:account):Access denied for user exadmin: 6 (Permission Denied)
tac_plus: login failure: user=exadmin device=switches IP ip=switches IP port=tty1 client=Machine I am sshing from
tac_plus.conf
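# Define where to log accounting data, this is the default.
accounting file = /var/log/tac_plus.acct

# This is the key that clients have to use to access Tacacs+
# (The value is redacted on this page.) Because this is the shared secret
# between the daemon and every device, this file should be readable only
# by the account tac_plus runs as.
key = "**********"

# Use /etc/passwd file to do authentication
# NOTE(review): both user entries below set login = PAM, so this default
# presumably applies only to users that neither entry covers - confirm.
# On a host with shadow passwords, /etc/passwd holds no password hashes.
default authentication = file /etc/passwd

# exadmin: login and PAP passwords are checked through PAM, so the PAM
# service file for tac_plus (all of its stacks, not only auth) decides
# whether this user gets in.
# NOTE(review): shell:roles is set twice in the service block, with
# different values and different quoting; confirm which value the devices
# actually receive.
user= exadmin {
    login = PAM
    pap = PAM
    member = admin
    service = ppp protocol = ip {
        shell:roles = sysadmin
        shell:roles="network-admin" }
}

# admin group: priv-lvl 15 is the highest privilege level on the device.
# "default service = permit" authorizes any service not listed here, and
# "default attribute = permit" accepts attributes that are not listed.
# NOTE(review): this is the widest possible grant; list the needed
# services explicitly if the members do not require full access.
group = admin {
    default service = permit
    service = exec {
        default attribute = permit
        priv-lvl = 15
    }
}

# DEFAULT applies to every user without an entry of their own, so any
# account that PAM accepts for the tac_plus service can authenticate to the
# devices. What those accounts may do is limited only by the (empty)
# service block below and by the PAM account stack.
user = DEFAULT {
    login = PAM
    service = ppp protocol = ip {}
}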
Here is my PAM service file for tac_plus:
# PAM stack for the "tac_plus" service (the service name that appears in
# the log lines as tac_plus:auth and tac_plus:account).

# Authentication is delegated to system-auth. In the log above, pam_unix
# fails and pam_sss then succeeds for exadmin, so the password check itself
# passes.
auth include system-auth
# Account phase: pam_nologin first, then system-auth's account stack.
# The login failure in the log comes from this phase: pam_sss returns
# "Access denied ... 6 (Permission Denied)" for tac_plus:account.
# NOTE(review): that is an access-control decision by SSSD for the PAM
# service name "tac_plus", not a password problem. The SSSD configuration
# is not shown here; check whether its access rules allow this service for
# exadmin rather than loosening this stack.
account required pam_nologin.so
account include system-auth
# Session phase.
# NOTE(review): these session lines look like they were copied from an
# interactive login service file; whether tac_plus opens a PAM session at
# all is not visible here - confirm before relying on any of them.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
session include system-auth
# NOTE(review): /run/motd.dynamic and /etc/default/locale are paths usually
# found on Debian-family systems, while the host is described as RHEL 8 -
# verify they exist, since pam_env is marked "required" below.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
session required pam_limits.so
# user_readenv=1 makes pam_env also read the user's own environment file,
# i.e. user-controlled input into the session environment; drop it unless
# it is needed.
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# Password changes are delegated to password-auth.
password include password-auth