Known BUGS

Last updated Jan 5, 1998

Please report new bugs and fixes to vikas@navya.com. Please look in the TROUBLESHOOTING section of this documentation also.

  1. Sending fake logout entries
  2. Mixed case Usernames
  3. taclast instead of 'last'
  4. Duplicate WTMP entries
  5. Multiple xtacacsd hosts
  6. Inconsistent UID's in logouts
  7. ISDN 65535 Line Numbers

Sending fake logout entries
It is possible to send a fake logout entry to the xtacacs server, since there is no secret key shared between the Cisco terminal server and the xtacacsd daemon. To prevent this, you will need to block all packets originating from your customer networks whose source address doesn't belong to the customer's IP address (which is a good thing anyway).

Mixed case Usernames
If IGNORECASE is specified and the program is searching the system's password files (shadow, SIA, DCE, etc.), it converts the username to all lowercase and calls getpwnam(). However, a true case-insensitive search is not possible, since the system calls do not permit it. It is recommended that either the password files for xtacacs be kept separate and listed as alternate password files in the config file, or that all usernames in the system password file be kept lowercase.

taclast instead of 'last'
Due to vagaries in the utmp.h file on various platforms, your system's last or ac utilities might not be able to parse the wtmp and utmp files produced by this daemon. Use the supplied taclast program instead, and process the times using awk/perl for accounting.

Duplicate WTMP entries
The daemon tries to avoid duplicate entries in the UTMP and the WTMP files, but duplicates/anomalies can show up if a terminal-server was unreachable or crashed without sending out a `xreload' message. It would help to have a tool to periodically query all terminal servers and ensure that the UTMP file is up to date.

Multiple xtacacsd hosts
If there are multiple redundant servers and the primary goes down, the wtmp and utmp files will get out of sync on the alternate and primary xtacacs server hosts. In this case, you should use the accompanying tacupd program to extract the records and merge them into a single file. You will need to use the binary mode in tacupd for updating the UTMP file, and the ASCII mode for the ASCII WTMP file.

Inconsistent UID's in logouts
There have been reports of the UID field being inconsistent/wrong in the logs when a user logs out (this is because the UID is sent by the Cisco and is not extracted from the password file upon logout, etc.). As such, the line number and the username should be used for accounting purposes and NOT the UID in logout records.

ISDN 65535 Line Numbers
Cisco IOS v10 (and v11?) sends line numbers set to 65535 when a user logs into ISDN lines. Thus, there is no way to distinguish between two sessions if the same user logs into the same terminal server twice. This will give erroneous accounting records.
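
An added example (not part of the xtacacs distribution) of the accounting pass implied by "Inconsistent UID's in logouts" and "ISDN 65535 Line Numbers": logins and logouts are paired by terminal server, line number and username, never by UID, and overlapping sessions on line 65535 are flagged instead of billed. The record layout, the sample data and the name pair_sessions are assumptions made for this example; this is not taclast's actual output format.

```python
from collections import defaultdict

ISDN_LINE = 65535  # line number the page says IOS reports for ISDN logins

# Constructed sample records in a hypothetical layout (NOT taclast output):
# (epoch_seconds, event, terminal_server, line, username, uid)
SAMPLE = [
    (1000, "login",  "ts1", 12,    "alice", 501),
    (1600, "logout", "ts1", 12,    "alice", 0),    # UID differs, still pairs
    (2000, "login",  "ts1", 65535, "bob",   502),
    (2100, "login",  "ts1", 65535, "bob",   502),  # second ISDN session
    (2500, "logout", "ts1", 65535, "bob",   502),
    (3000, "logout", "ts2", 7,     "carol", 503),  # no login on record
]

def pair_sessions(records):
    """Pair logins and logouts by (server, line, username); UID is ignored."""
    open_logins = defaultdict(list)  # key -> timestamps of unclosed logins
    tainted = set()                  # ISDN keys whose pairing is unknowable
    sessions, ambiguous, orphans = [], [], []
    for ts, event, server, line, user, _uid in sorted(records):
        key = (server, line, user)
        if event == "login":
            open_logins[key].append(ts)
        elif event == "logout":
            if not open_logins[key]:
                # Lost login record, or a logout the server never should
                # have accepted (see "Sending fake logout entries").
                orphans.append((ts, key))
                continue
            start = open_logins[key].pop()
            if line == ISDN_LINE and (open_logins[key] or key in tainted):
                # Overlapping sessions share line 65535, so which one ended
                # cannot be known: flag it instead of billing a guess.
                ambiguous.append((ts, key))
                if open_logins[key]:
                    tainted.add(key)
                else:
                    tainted.discard(key)
            else:
                sessions.append((key, ts - start))
    still_open = {k: v for k, v in open_logins.items() if v}
    return sessions, ambiguous, orphans, still_open

if __name__ == "__main__":
    for name, value in zip(("sessions", "ambiguous", "orphans", "still open"),
                           pair_sessions(SAMPLE)):
        print(name, value)
```

Logins left in the still-open result after a terminal server is known to have restarted correspond to the stale entries described under "Duplicate WTMP entries".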

Copyright © 1994-1997 Vikas Aggarwal