Rhel 7 accounting errors
tgreaser opened this issue · 6 comments
I've tried a bunch of rpms / tars on RHEL 7. Everything compiles just fine.
I have issues with the accounting payload and thus get no command accounting logs.
Error 10.3.254.15: acct minimum payload: 191, got: 127
I know my tac config is good as I have an older version running on RHEL 6, and when I have my
switch point to it all is well.
Also, I ran a capture and I can see the accounting info in the pcap being sent to the tac_plus server.
I'd be thankful for any help / direction on this.
Hi,
What version are you running on your rhel 6 box? Is that error from tacacs log or your network devices?
I'd personally tcpdump full packets and compare the two exchanges and see what's different on the wire - https://github.com/isginf/pcap-diff or there are a few others (I've never used this one).
I believe our accounting all works with this version and over IPv6.
We run RHEL 7.5.
I will push this code to Fedora 28 and RHEL 6.10 and test.
And thanks for the pcap-diff, it will be interesting to check out.
PS running old version on rhel 6
tac_plus version 4.4rc2-3 (Extended Tac_plus)
Having same issues with Fedora 27 and Fedora 28
ACCT, flags=0x6a method=192 priv_lvl=160
type=126 svc=79
AUTHOR data length (416) exceeds packet length 118
10.10.10.15: acct minimum payload: 263, got: 127
Need a little help on telling Fedora 28 to compile without wrappers, as it's deprecated.
I've tried a super basic .cfg, same results. I see the accounting packets with the data payload in pcap but the process throws the data length every time. I will try a deb box tomorrow.
cooperlees
Thanks for taking the time to look @ my post. Please note this was my issue as I screwed up the secret on the account statement on my Juniper gear, but had the tacplus-server secret right.
Once I saw a Cisco accounting log come through I knew tac was 100%.
I went back and redid all my tac and accounting on Juniper gear that I had pointed to the new tacacs plus server.
I feel lame but hope this post makes someone revisit their account config and their tacplus-server config.
Juniper posts that if you don't have an account server set it will use what you used in tacplus-server.
Awesome. Glad you worked it out and took some time to debug it! Good luck.
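Added example, not part of the original thread and not tac_plus code: a Python sketch of why a mismatched shared secret shows up as a payload-length error rather than an explicit "bad key" message. It applies the RFC 8907 MD5 pad to a constructed accounting REQUEST body, then de-obfuscates it with the right and the wrong key and compares the length claimed by the header fields with the bytes actually received; all secrets, the session ID, and the function names are assumptions made up for the illustration.

```python
import hashlib
import struct

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 pad: MD5 chain over session_id, key, version, seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]

def obfuscate(body, session_id, key, version=0xC0, seq_no=1):
    """XOR the body with the pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_acct_request(user, port, rem_addr, args):
    """Accounting REQUEST body: 9 fixed bytes, arg lengths, then the strings."""
    fixed = bytes([0x02, 0x06, 0x01, 0x01, 0x01,  # flags=START, method, priv, type, svc
                   len(user), len(port), len(rem_addr), len(args)])
    return fixed + bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)

def required_length(body):
    """Length the body's own header fields claim, or None if truncated."""
    if len(body) < 9:
        return None
    user_len, port_len, rem_len, arg_cnt = body[5:9]
    arg_lens = body[9:9 + arg_cnt]
    if len(arg_lens) < arg_cnt:
        return None
    return 9 + arg_cnt + user_len + port_len + rem_len + sum(arg_lens)

def check(wire_body, session_id, key):
    """Return (ok, claimed, actual) after de-obfuscating with the server's key."""
    clear = obfuscate(wire_body, session_id, key)
    claimed = required_length(clear)
    return claimed == len(clear), claimed, len(clear)

# Constructed sample values, not taken from the thread.
SESSION_ID = 0x1A2B3C4D
BODY = build_acct_request(b"admin", b"ttyp0", b"192.0.2.10",
                          [b"task_id=42", b"service=shell", b"cmd=show version"])
WIRE = obfuscate(BODY, SESSION_ID, b"device-acct-secret")

if __name__ == "__main__":
    print("matching key:  ", check(WIRE, SESSION_ID, b"device-acct-secret"))
    print("mismatched key:", check(WIRE, SESSION_ID, b"server-secret"))
```

With the wrong key the fixed fields decode to arbitrary values, which matches the implausible flags, method and priv_lvl in the debug output quoted in the thread; when a daemon logs a length mismatch like this, compare the secret configured for accounting on the device with the one on the server before suspecting the build.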