0 votes
542 views 9 comments
by anonymous

Platform: RUTXR1 with

  • firmware version RUTX_R_00.07.03
  • package PAM installed version 2022-01 03-2

I configured our corporate tacacs+ server with key on the Administration/Access Control/PAM tab sheet and enabled it:

  • service: WEBUI
  • module: TACACS+
  • type: required

When I try to login remotely through the WEBUI my tacacs+ account does not work and even the local account cannot be used anymore. It seems the tacacs+ service is not triggered. I ran a tcpdump on the RUTXR1 but did not see any sent/received packets to/from the tacacs-server. Do we have to configure/do some additional steps?
by anonymous
Tacacs server is reachable on port 49 from the teltonika router: routing and firewall access rules are ok.

However when I try to do a test it looks like the tacacs-process is not triggered or perhaps is not running, although I enabled the tacacs server (10.15.13.56) in the PAM tab sheet. See output below.

The tcpdump command does not generate any packet on any interface...

--------------------------------
root@Y-WANOOB-HA1-RT01:~# ping 10.15.13.56
PING 10.15.13.56 (10.15.13.56): 56 data bytes
64 bytes from 10.15.13.56: seq=0 ttl=57 time=2.226 ms
64 bytes from 10.15.13.56: seq=1 ttl=57 time=1.838 ms
64 bytes from 10.15.13.56: seq=2 ttl=57 time=1.746 ms
^C
--- 10.15.13.56 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1.746/1.936/2.226 ms
-------------------------------
root@Y-WANOOB-HA1-RT01:~# telnet 10.15.13.56 49
Connected to 10.15.13.56
---------------------
root@Y-WANOOB-HA1-RT01:~# logread -f
Thu Jan  5 15:07:14 2023 kern.notice kernel: pam configuration has been changed
Thu Jan  5 15:07:14 2023 kern.notice kernel: rpcd configuration has been changed
Thu Jan  5 15:08:08 2023 kern.notice Authentication was not successful from HTTPS 10.0.84.6
Thu Jan  5 15:08:08 2023 kern.notice IP (10.0.84.6) to (10.168.158.13) attempt 1/10.
Thu Jan  5 15:08:08 2023 daemon.err uhttpd[12722]: vuci: failed login for pve from 10.0.84.6
--------------------------
root@Y-WANOOB-HA1-RT01:~# tcpdump port 49 -w /tmp/capture.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C0 packets captured
0 packets received by filter
0 packets dropped by kernel
------------------------
root@Y-WANOOB-HA1-RT01:~# tcpdump -i any port 49 -w /tmp/capture.pcap
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
by anonymous

The issue might be related to the way your user is configured. 

Could you instead of using pve, try admin as username in the WebUI?

Could you share your configuration file in a private message, or try something similar, as in this configuration example, for basic troubleshooting? 

3 Answers

0 votes
by anonymous

Hello,

Configuration from Teltonika device side is quite simple and does not involve more options than what you have provided. It is all explained in this example.

Could you check if your firewall is not blocking traffic on TCP port 49? 

You could login to the router via SSH, execute the logread -f command and check what messages the router generates when you try to login to the WebUI.

TCP dump can be used to perform packet capture on port 49 over the CLI to check the communication between the router and your server with the following command:

  • tcpdump port 49

The capture can be saved to a file with a modified command:

  • tcpdump port 49 -w /tmp/capture.pcap

Then extracted with scp/WinSCP and analyzed with Wireshark.

Best regards,

0 votes
by anonymous
Navigate to WebUI → Administration → Access control → General
Switch Enable PAM support to ON in the SSH section, click save and apply.

-> Where can I find this on the General Tab Sheet? There is nothing to enable on this page ??
0 votes
by anonymous

screenshot enclosed

by anonymous

@pve Look at the second tab which says "PAM". 

I'm in the same boat. I've configured Radius for the Webui, but when I capture "any" interface for port 1812 packets, I don't see any radius traffic (while I try to login onto the Webui interface with valid credentials).

Here's my /etc/config/pam file:

config pam
        option enabled '0'
        option service 'sshd'
        option type 'optional'
        option module 'unix'

config pam
        option service 'rpcd'
        option enabled '1'
        option module 'radius_auth'
        option server '10.20.4.15'
        option secret 'xxxxxxxxxxxxxx'
        option port '1812'
        option timeout '3'
        option type 'required'

by anonymous

I know that you need to configure the PAM-tab sheet and I also did it. I even tried to edit the /etc/pam files directly but none of the methods is working.
 is referring to a wiki page https://wiki.teltonika-networks.com/view/TACACS%2B.
On this page it turns out that you need to enable the pam-service on the General Tab sheet but I do not see anything on the General tab sheet that can be enabled... Is it simply missing or a bug in the current RUTOS version (and previous versions) or is the wiki page not correct?

by anonymous

It is a mistake in the web page. All configuration is done in System -> Administration -> Access control -> PAM tab.

Config file for WebUI access from the router looks the following:

config pam
        option service 'rpcd'
        option module 'tacplus'
        option type 'required'
        option server '192.168.1.113'
        option secret 'tac_plus_key'
        option enabled '1'
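As an added check (not from the thread or from Teltonika), a small Python parser for the UCI-style /etc/config/pam quoted above that flags the mistakes discussed in this thread: no section for service 'rpcd' (the WebUI), a section with enabled '0', a module that is not a remote backend, or a missing server/secret. The sample config and its values are constructed placeholders in the shape of the support reply above.

```python
"""Check a RUTOS /etc/config/pam file for a usable WebUI (rpcd) remote-auth section."""
import shlex

# Constructed sample (values are placeholders): the disabled `sshd` section and
# an `rpcd` section in the shape the support reply above shows.
SAMPLE_PAM = """\
config pam
        option enabled '0'
        option service 'sshd'
        option type 'optional'
        option module 'unix'

config pam
        option service 'rpcd'
        option module 'tacplus'
        option type 'required'
        option server '192.168.1.113'
        option secret 'tac_plus_key'
        option enabled '1'
"""

REMOTE_MODULES = {"tacplus", "radius_auth"}  # the two remote backends named in the thread


def parse_uci(text):
    """Return one {option: value} dict per `config pam` section (UCI syntax)."""
    sections = []
    for raw in text.splitlines():
        words = shlex.split(raw)  # strips the single quotes around values
        if len(words) >= 2 and words[0] == "config" and words[1] == "pam":
            sections.append({})
        elif len(words) == 3 and words[0] == "option" and sections:
            sections[-1][words[1]] = words[2]
    return sections


def check_webui_pam(text):
    """List the misconfigurations discussed in the thread; [] means it looks usable."""
    webui = [s for s in parse_uci(text) if s.get("service") == "rpcd"]
    if not webui:
        return ["no 'config pam' section for service 'rpcd' (the WebUI uses rpcd, not sshd)"]
    problems = []
    for s in webui:
        if s.get("enabled") != "1":
            problems.append("rpcd section is not enabled '1'")
        if s.get("module") not in REMOTE_MODULES:
            problems.append(f"rpcd module {s.get('module')!r} is not tacplus/radius_auth")
        for key in ("server", "secret"):
            if not s.get(key):
                problems.append(f"rpcd section lacks option {key!r}")
    return problems
```

Run it against a copy of the router's file fetched over scp; an empty result only means the section is present and complete, not that the server accepts the key.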
by anonymous

I tried the user 'admin' in the WEBUI. The tacacs service is triggered now. I tried another user but, as mentioned, it does not trigger the service at all. As the user 'admin' is not configured on our tacacs-servers I was not logged in but I could trace the activity:

tcpdump -i any port 49
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
14:05:48.230704 IP 192.168.0.23.42106 > 10.15.13.56.49: Flags [S], seq 2906401710, win 64620, options [mss 1436,sackOK,TS val 1884355110 ecr 0,nop,wscale 5], length 0
14:05:48.274391 IP 10.15.13.56.49 > 192.168.0.23.42106: Flags [S.], seq 151795552, ack 2906401711, win 28960, options [mss 1460,sackOK,TS val 4056467022 ecr 1884355110,nop,wscale 7], length 0
14:05:48.274835 IP 192.168.0.23.42106 > 10.15.13.56.49: Flags [.], ack 1, win 2020, options [nop,nop,TS val 1884355155 ecr 4056467022], length 0
14:05:48.275045 IP 192.168.0.23.42106 > 10.15.13.56.49: Flags [P.], seq 1:13, ack 1, win 2020, options [nop,nop,TS val 1884355155 ecr 4056467022], length 12
14:05:48.317364 IP 10.15.13.56.49 > 192.168.0.23.42106: Flags [.], ack 13, win 227, options [nop,nop,TS val 4056467065 ecr 1884355155], length 0
14:05:48.317620 IP 192.168.0.23.42106 > 10.15.13.56.49: Flags [P.], seq 13:46, ack 1, win 2020, options [nop,nop,TS val 1884355197 ecr 4056467065], length 33
14:05:48.360379 IP 10.15.13.56.49 > 192.168.0.23.42106: Flags [.], ack 46, win 227, options [nop,nop,TS val 4056467108 ecr 1884355197], length 0
14:05:48.408403 IP 10.15.13.56.49 > 192.168.0.23.42106: Flags [P.], seq 1:33, ack 46, win 227, options [nop,nop,TS val 4056467156 ecr 1884355197], length 32
14:05:48.408412 IP 10.15.13.56.49 > 192.168.0.23.42106: Flags [F.], seq 33, ack 46, win 227, options [nop,nop,TS val 4056467156 ecr 1884355197], length 0
14:05:48.408652 IP 192.168.0.23.42106 > 10.15.13.56.49: Flags [.], ack 33, win 2019, options [nop,nop,TS val 1884355289 ecr 4056467156], length 0
14:05:48.409021 IP 192.168.0.23.42106 > 10.15.13.56.49: Flags [F.], seq 46, ack 34, win 2019, options [nop,nop,TS val 1884355289 ecr 4056467156], length 0
14:05:48.455382 IP 10.15.13.56.49 > 192.168.0.23.42106: Flags [.], ack 47, win 227, options [nop,nop,TS val 4056467203 ecr 1884355289], length 0
14:06:00.755044 IP 192.168.0.23.60504 > 10.15.13.56.49: Flags [S], seq 3406943260, win 64620, options [mss 1436,sackOK,TS val 1884367635 ecr 0,nop,wscale 5], length 0
14:06:00.791433 IP 10.15.13.56.49 > 192.168.0.23.60504: Flags [S.], seq 1106505115, ack 3406943261, win 28960, options [mss 1460,sackOK,TS val 4056479539 ecr 1884367635,nop,wscale 7], length 0
14:06:00.791795 IP 192.168.0.23.60504 > 10.15.13.56.49: Flags [.], ack 1, win 2020, options [nop,nop,TS val 1884367672 ecr 4056479539], length 0
14:06:00.792365 IP 192.168.0.23.60504 > 10.15.13.56.49: Flags [P.], seq 1:13, ack 1, win 2020, options [nop,nop,TS val 1884367672 ecr 4056479539], length 12
14:06:00.835483 IP 10.15.13.56.49 > 192.168.0.23.60504: Flags [.], ack 13, win 227, options [nop,nop,TS val 4056479583 ecr 1884367672], length 0
14:06:00.835723 IP 192.168.0.23.60504 > 10.15.13.56.49: Flags [P.], seq 13:46, ack 1, win 2020, options [nop,nop,TS val 1884367716 ecr 4056479583], length 33
14:06:00.878489 IP 10.15.13.56.49 > 192.168.0.23.60504: Flags [.], ack 46, win 227, options [nop,nop,TS val 4056479626 ecr 1884367716], length 0
14:06:00.885522 IP 10.15.13.56.49 > 192.168.0.23.60504: Flags [P.], seq 1:33, ack 46, win 227, options [nop,nop,TS val 4056479633 ecr 1884367716], length 32
14:06:00.885721 IP 192.168.0.23.60504 > 10.15.13.56.49: Flags [.], ack 33, win 2019, options [nop,nop,TS val 1884367766 ecr 4056479633], length 0
14:06:00.886346 IP 192.168.0.23.60504 > 10.15.13.56.49: Flags [F.], seq 46, ack 33, win 2019, options [nop,nop,TS val 1884367766 ecr 4056479633], length 0
14:06:00.886366 IP 10.15.13.56.49 > 192.168.0.23.60504: Flags [F.], seq 33, ack 46, win 227, options [nop,nop,TS val 4056479633 ecr 1884367716], length 0
14:06:00.886700 IP 192.168.0.23.60504 > 10.15.13.56.49: Flags [.], ack 34, win 2019, options [nop,nop,TS val 1884367766 ecr 4056479633], length 0
14:06:00.936530 IP 10.15.13.56.49 > 192.168.0.23.60504: Flags [.], ack 47, win 227, options [nop,nop,TS val 4056479684 ecr 1884367766], length 0
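To read a capture like the one above without Wireshark, an added example (not from the thread) that groups `tcpdump -i any port 49` text lines into TCP/49 sessions and reports how many application bytes each side sent, so the "0 packets captured" case from the first comment is distinguishable from "the server answered" as in this one. The sample lines are a shortened copy of the first session above; the note that every TACACS+ packet begins with a 12-byte header is from RFC 8907, not from the thread.

```python
"""Summarise TCP/49 (TACACS+) sessions from the text output of tcpdump."""
import re
from collections import defaultdict

# Constructed sample: one session, shortened from the capture quoted above.
# The first client segment is 12 bytes, the size of a TACACS+ header (RFC 8907).
SAMPLE = """\
14:05:48.230704 IP 192.168.0.23.42106 > 10.15.13.56.49: Flags [S], seq 2906401710, win 64620, options [mss 1436], length 0
14:05:48.274391 IP 10.15.13.56.49 > 192.168.0.23.42106: Flags [S.], seq 151795552, ack 2906401711, win 28960, length 0
14:05:48.275045 IP 192.168.0.23.42106 > 10.15.13.56.49: Flags [P.], seq 1:13, ack 1, win 2020, length 12
14:05:48.317620 IP 192.168.0.23.42106 > 10.15.13.56.49: Flags [P.], seq 13:46, ack 1, win 2020, length 33
14:05:48.408403 IP 10.15.13.56.49 > 192.168.0.23.42106: Flags [P.], seq 1:33, ack 46, win 227, length 32
14:05:48.408412 IP 10.15.13.56.49 > 192.168.0.23.42106: Flags [F.], seq 33, ack 46, win 227, length 0
14:05:48.409021 IP 192.168.0.23.42106 > 10.15.13.56.49: Flags [F.], seq 46, ack 34, win 2019, length 0
"""

LINE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\].*length (\d+)$")


def summarise(text, server_port=49):
    """Map (client_ip, client_port) -> bytes sent each way and which side sent FIN first."""
    sessions = defaultdict(lambda: {"to_server": 0, "from_server": 0, "closed_by": None})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # banner lines such as "listening on any, ..."
        src, sport, dst, dport, flags, length = m.groups()
        if int(dport) == server_port:       # router -> TACACS+ server
            key, direction, side = (src, int(sport)), "to_server", "client"
        elif int(sport) == server_port:     # TACACS+ server -> router
            key, direction, side = (dst, int(dport)), "from_server", "server"
        else:
            continue
        s = sessions[key]
        s[direction] += int(length)         # TCP payload bytes only
        if "F" in flags and s["closed_by"] is None:
            s["closed_by"] = side
    return dict(sessions)


def verdict(text):
    """One-line diagnosis in the terms used in the thread."""
    sessions = summarise(text)
    if not sessions:
        return "no TCP/49 sessions: the PAM module never contacted the server"
    if all(s["from_server"] > 0 for s in sessions.values()):
        return f"{len(sessions)} session(s); the server answered with data each time"
    return f"{len(sessions)} session(s); at least one got no application data back"
```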

by anonymous
Ok, I've done some more testing, but decided to drop the remote authentication/pam feature. In order for Tacacs/LDAP to work, you need to create the username locally. But I ran into the issue that the username is limited to 8 characters. That is unworkable since our LDAP admin usernames all have an adm_ prefix, which we are not going to change. So we run out of characters in 9 out of 10 occasions. For anyone still trying to get it working: the Tacacs/LDAP backend only does authentication, not authorisation (i.e. based on group membership within LDAP/Tacacs).
by anonymous
Tried a last time. Don't get it working with any other user except the predefined 'admin' user. I created even another local user and assigned it to the admin group but the pam/tacacs module is never triggered. Doesn't work at all and is completely worthless.

Anyone from Teltonika that can advise?
by anonymous
Thank you for your feedback.

I have gathered your observations and forwarded them to the developers to provide additional details and explanations. Once there are updates, I will post them here.

Best regards,