Frequently Asked Questions about xtacacs
Last updated Jan 5, 1998
This FAQ on xtacacs is written by
Vikas Aggarwal and is relevant mostly to the version of
xtacacsd maintained at
www.netplex-tech.com (also at ftp.navya.com).
It does not attempt to be a complete faq on the protocol, just answers
the commonly asked questions on my version of the software.
- Running xtacacsd
- WTMP & UTMP files
- Password file
- How do I troubleshoot XYZ problem ?
- You MUST look at your syslog output
xtacacsd writes extensive debugging output to the local6
syslog facility (unless changed while compiling). Each stage of
the process is traced in this debug output. Just change the
log level in your /etc/syslog.conf file (or equivalent) so that
it logs messages at local6.debug to a file and send
a HUP signal to your syslogd daemon. Then increase the debug
level in your xtacacsd-confg file and send a TERM signal
to xtacacsd. If the debug syslog messages are not obvious, you
can email the messages to
email@example.com. Remember, however, that this is an
unsupported free software product.
- What is TACACS/XTACACS ?
- Originally defined in RFC-xxx, TACACS is a protocol where
a user dials into a terminal server, and enters a username and
password on the terminal server. The terminal server then sends
this username and password to a Unix host, which sends back an
OKAY or DENY based on whatever tests (normally password check)
it needs to do.
XTACACS is an extension to the TACACS protocol (developed by
Cisco) which also supports SLIP/PPP requests, CHAP/ARAP
authentication, and so on.
- How is this version of xtacacsd different from
- This version of xtacacsd has been maintained and developed
by Vikas Aggarwal (firstname.lastname@example.org) along with support from
many others. It is an enhanced version of the original software
from Cisco, and supports a lot of additional features that are
desirable in such a package (see FEATURES
for the list of additional features).
- I have different users on different systems
(multiple Unix servers)!
- If you have multiple Unix hosts and different password files on
each Unix system, then you can do one of the following:
- List all the Unix tacacs servers on the Cisco configuration.
The Cisco will query the next server in its list if the first
xtacacsd server does not respond in the "timeout" interval
(3 seconds by default). Then run the xtacacsd server on each of
the Unix hosts. You should use QUIETNOUSER in the
config file so that the first xtacacsd server does not respond
if the user does not exist. The disadvantage is that the user
will see long delays before the server asks the next Unix host
in its list.
- List all the xtacacsd hosts, and do as listed above. However,
tell all your users to use directed xtacacsd requests (by
specifying user@host instead of only the user
at the Username prompt).
- Copy over the password file from the other Unix systems
periodically and specify the alternate password files in the
xtacacsd config file (this will work only if the password
encryption scheme is the same on all the Unix hosts, whether DES
or otherwise). This is the most preferred method.
- Should the server be run out of inetd or
- Use the inetd mode always, except for testing purposes. Since
you cannot pass many command line arguments in the
inetd.conf file, specify only the location of the
xtacacsd config file there and list all the options in that file.
- Server exits with 'socket operation on a
non-socket' when run.
- xtacacsd normally assumes that it is running out of inetd, and
you are probably running it from your Unix shell without the
-s option. Either run from the command line with the
-s option for standalone mode, or else run out of inetd.
- Server exits with 'address already in use'
- You already have an entry in inetd.conf for xtacacsd and are
trying to run it from the command line also. Either comment
out the line in inetd.conf and restart inetd, or else don't try
running it from the command line.
- Server keeps exiting after some time
- Look in the log files for any error messages. Unless you see
any error message, the 'dying' of the server is normal.
The server exits after a period of inactivity (if nobody logs in
or logs out for more than 15 minutes) and will restart
automatically when a new request comes in while running out of inetd.
- What are UTMP & WTMP files ?
- The utmp file on Unix systems keeps track of the users
currently logged on the system, as opposed to the wtmp
file which lists all the logins and logouts in the life
of the current file. xtacacsd maintains its own wtmp and utmp files
distinct from the Unix system's files (which are usually in /etc/).
- What are the fields in the wtmp file ?
- The wtmp file in xtacacsd uses an extended utmp structure
which has a comment field in addition to the typical system's
utmp structure. In v4.1 of xtacacsd, this comment field contains
one of the following (in order of availability):
Primary Password file group ID
SLIP logout hostname
- How do I roll over my WTMP files (or how do I
create a new wtmp file at the end of the month) ?
- You can use the provided tacupd program to roll over
your wtmp files (this will close out all current sessions
in the current wtmp file and re-open them in the new wtmp file).
Note the backquotes and NOT regular quotes used in the
kill -HUP `cat /etc/xtacacsd.pid` # flush out wtmp file
mv wtmp.ascii wtmp.`date +%m%y` # rename current file
tacupd -A -R -w wtmp.`date +%m%y` -u utmp > wtmp.ascii # write a new wtmp.ascii, re-opening the sessions still listed in utmp
kill -HUP `cat /etc/xtacacsd.pid` # signal the daemon again now that the new file is in place
- What are 'inaccurate' entries in taclast
- The normal sequence of login and slip entries from a Cisco router
when a user logs in and issues a PPP command is as follows:
SlipOn-SLInn # when the user goes into SLIP mode
Logout-TTYnn # note this is AFTER SlipOn, and almost
SlipOff-SLInn # when user logs off (disconnects)
If any of the corresponding entries for Login or Logoff is lost
due to the server being down or due to heavy load, then an
inaccurate entry is generated. In such cases, the way taclast
accounts for the missing entry is as follows:
Login-A Logout-A Login-B Logout-B # normal
Login-A _ Login-B Logout-B # assume Logout-A just
Login-A Logout-A _ Logout-B # assume Login-B right
The inaccurate entries are indicated along with the accurate data,
so if the percentage of inaccurate entries is minor, it can be
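The pairing rules above, as an added example that is not part of xtacacsd or taclast: it walks a stream of Login/Logout (and SlipOn/SlipOff) entries per line, closes a session accurately when both sides are present, and otherwise reconstructs the missing side and flags the session as inaccurate. The completion of the FAQ's truncated comments ("Logout-A just before Login-B", "Login-B right after Logout-A") and the plain-integer timestamps are assumptions of this example.

```python
"""Reconstruct login sessions from a stream of taclast-style entries.

Added illustration (not part of xtacacsd or taclast). It applies the two
substitution rules the FAQ describes for a lost Login or Logout record;
the exact placement of the reconstructed side ("just before Login-B",
"right after Logout-A") is an assumption of this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OPEN_KINDS = {"Login", "SlipOn"}     # start a session on a TTY or SLIP line
CLOSE_KINDS = {"Logout", "SlipOff"}  # end a session on that line


@dataclass
class Session:
    user: str
    line: str              # e.g. TTY1 or SLI1
    login: int             # timestamps are plain integers in this example
    logout: Optional[int]  # None while the user is still logged in
    accurate: bool = True  # False when one side of the pair was reconstructed


def parse_event(text: str) -> Tuple[int, str, str, str]:
    """'130 Logout-TTY1 alice' -> (130, 'Logout', 'TTY1', 'alice')."""
    stamp, tag, user = text.split()
    kind, line = tag.split("-", 1)
    if kind not in OPEN_KINDS | CLOSE_KINDS:
        raise ValueError(f"unknown entry kind {kind!r}")
    return int(stamp), kind, line, user


def reconstruct(entries: List[str]) -> List[Session]:
    """Pair open/close entries per line, in the time order of the input."""
    sessions: List[Session] = []
    open_by_line: Dict[str, Session] = {}   # currently open session per line
    last_logout: Dict[str, int] = {}        # last close time seen per line
    for text in entries:
        stamp, kind, line, user = parse_event(text)
        if kind in OPEN_KINDS:
            prev = open_by_line.pop(line, None)
            if prev is not None:
                # Logout-A was lost: assume it happened just before Login-B.
                prev.logout = stamp
                prev.accurate = False
                last_logout[line] = stamp
                sessions.append(prev)
            open_by_line[line] = Session(user, line, stamp, None)
        else:
            cur = open_by_line.pop(line, None)
            if cur is None:
                # Login-B was lost: assume it happened right after Logout-A
                # (or at the logout time itself if nothing precedes it).
                cur = Session(user, line, last_logout.get(line, stamp), None, accurate=False)
            cur.logout = stamp
            last_logout[line] = stamp
            sessions.append(cur)
    # Whatever is still open is simply a user who has not logged out yet.
    sessions.extend(open_by_line.values())
    return sessions


def count_inaccurate(sessions: List[Session]) -> Tuple[int, int]:
    """(reconstructed sessions, total sessions), to judge the share of bad data."""
    bad = sum(1 for s in sessions if not s.accurate)
    return bad, len(sessions)


# Constructed sample; bob's Logout-TTY1 and dave's Login-TTY1 are missing.
SAMPLE_ENTRIES = [
    "100 Login-TTY1 alice",
    "130 Logout-TTY1 alice",
    "140 Login-TTY1 bob",
    "150 SlipOn-SLI1 bob",
    "160 Login-TTY1 carol",    # bob's Logout-TTY1 was lost
    "190 Logout-TTY1 carol",
    "200 SlipOff-SLI1 bob",
    "220 Logout-TTY1 dave",    # dave's Login-TTY1 was lost
    "240 Login-TTY2 erin",     # erin is still logged in
]

if __name__ == "__main__":
    for s in reconstruct(SAMPLE_ENTRIES):
        flag = "" if s.accurate else "  (inaccurate)"
        print(f"{s.user:6} {s.line:5} {s.login:4} -> {s.logout}{flag}")
    print("inaccurate/total:", count_inaccurate(reconstruct(SAMPLE_ENTRIES)))
```

Keying sessions by line (TTYnn or SLInn) is what lets the SLIP pair for bob stay accurate even though his TTY logout was lost; an open session at the end of the input is reported with no logout time rather than as inaccurate.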
- The wtmp file does not seem to be
- The Unix file system typically buffers 'writes' to the disk for
efficiency. The program does a 'sync' every 20 entries so that
a 'bunch' of entries are written to the wtmp file every time. A
kill -HUP signal will flush all the entries to disk before
the server exits.
- What is the maximum length of the usernames in
the password files ?
- The length of the username as defined in Unix is typically restricted
to 8 characters. Even though it is possible to increase this length
in the tacutmp.h file for xtacacsd (UT_NAMELEN), this
increase will ONLY work on the alternate password files for xtacacsd
and not if the usernames are stored in the system's /etc/passwd file.
For consistency, it is recommended to leave this at 8 unless you
are NOT using the system password file at all.
Also, remember to save your previous wtmp files since they
will be incompatible with the new version of the taclast and
- What are alternate password files ?
- This version of xtacacsd can look in alternate password
files in addition to the standard Unix /etc/passwd file.
Up to five alternate password files can be specified in the
configuration file. This allows creating a redundant backup
server so that in case the primary machine is down, the alternate
machine can act like a backup server. Simply 'rcp' the tacacs
password file over from the primary server to the backup server.
You can place the alternate password files in any separate
directory. Since the xtacacsd daemon runs as root, you should
set the permissions on the alternate password files to root
- How do I create and manipulate alternate
password files ?
- How you create alternate password files varies from
system to system. Start by copying over your standard
system password file from /etc/passwd to a directory
for xtacacs purposes. Edit and remove all entries that are
not desired. For adding a new user, simply edit this password
file and change the username. Change the password in the alternate
password file using the supplied xpasswd program.
- Specifying the password expiry in the password
- On SysV based machines, the password age (expiry date)
is stored in the 'age' field of the password file. In
other systems, the password expiry is stored in the
'shell' field of the password file. The format of this
expiry date is: Dec 22 1995.
- Format of the password file on System V vs. BSD
- System V based machines expect 2 extra fields in their
password files after the GID field: the age and the
comment field (followed by the gecos, dir and shell).
On non-SysV BSD-based machines:
user : passwd : uid : gid : gecos : dir : shell
On sysV based machines:
user : passwd : uid : gid : age : comment : gecos : dir : shell
If using shadow passwords, the expiry time is in the shadow
password file as a number which is the number of days since
Jan 1, 1970. xtacacsd first uses the value in the shadow
password file, then the age on SysV and finally checks in
the shell field. (how even the Unix OS developers figure out
which one to use is well beyond me).
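The two layouts and the lookup order above, as an added example that is not code from xtacacsd: it splits a line into BSD (7 fields) or SysV (9 fields) by field count and then resolves the expiry the way the FAQ orders it, shadow first, then the SysV age field, then the shell field. Assumptions of this example: the age field is taken to hold the same 'Dec 22 1995' text form the FAQ gives for the shell field, the shadow value is the 'expire' field (days since Jan 1, 1970) with an empty string meaning no expiry, and all sample entries are constructed.

```python
"""Read BSD (7-field) and SysV (9-field) password entries and work out the
password expiry in the order the FAQ gives: shadow expire field first,
then the SysV age field, then the shell field.

Added illustration, not code from xtacacsd. Assumptions: the age field uses
the same 'Dec 22 1995' text form the FAQ gives for the shell field, and the
shadow value is the 'expire' field (days since Jan 1, 1970).
"""
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional

EPOCH = date(1970, 1, 1)
BSD_FIELDS = ("user", "passwd", "uid", "gid", "gecos", "dir", "shell")
SYSV_FIELDS = ("user", "passwd", "uid", "gid", "age", "comment", "gecos", "dir", "shell")


def parse_passwd_line(line: str) -> Dict[str, str]:
    """Split one passwd line, deciding BSD vs SysV layout by field count."""
    fields = line.rstrip("\n").split(":")
    if len(fields) == len(BSD_FIELDS):
        return dict(zip(BSD_FIELDS, fields))
    if len(fields) == len(SYSV_FIELDS):
        return dict(zip(SYSV_FIELDS, fields))
    raise ValueError(f"expected 7 (BSD) or 9 (SysV) fields, got {len(fields)}: {line!r}")


def parse_expiry_text(text: str) -> Optional[date]:
    """'Dec 22 1995' -> date; anything else (a real shell path, empty) -> None."""
    try:
        return datetime.strptime(text.strip(), "%b %d %Y").date()
    except ValueError:
        return None


def expiry_date(entry: Dict[str, str], shadow_expire: Optional[str] = None) -> Optional[date]:
    """Apply the FAQ's order: shadow expire, then SysV age, then shell field."""
    if shadow_expire:                      # empty string = no expiry set in shadow
        return EPOCH + timedelta(days=int(shadow_expire))
    age = parse_expiry_text(entry.get("age", ""))   # BSD entries have no age field
    if age is not None:
        return age
    return parse_expiry_text(entry["shell"])


# Constructed sample data (not a real password file).
SAMPLE_PASSWD: List[str] = [
    "alice:x:1001:100:Alice Example:/home/alice:Dec 22 1995",       # BSD: expiry in shell
    "bob:x:1002:100:Jan 1 1999:ppp:Bob Example:/home/bob:/bin/sh",   # SysV: expiry in age
    "carol:x:1003:100:Carol Example:/home/carol:/bin/sh",            # BSD: no expiry
]
# Constructed shadow 'expire' values; 9496 days after the epoch is 1996-01-01.
SAMPLE_SHADOW_EXPIRE: Dict[str, str] = {"alice": "9496", "bob": ""}


def audit(today_iso: str, passwd_lines=SAMPLE_PASSWD, shadow=SAMPLE_SHADOW_EXPIRE):
    """Map user -> (expiry as ISO text or None, expired on today_iso?)."""
    today = date.fromisoformat(today_iso)
    result = {}
    for line in passwd_lines:
        entry = parse_passwd_line(line)
        exp = expiry_date(entry, shadow.get(entry["user"]))
        result[entry["user"]] = (exp.isoformat() if exp else None, exp is not None and today >= exp)
    return result


if __name__ == "__main__":
    for user, (exp, expired) in audit("1998-01-05").items():
        print(f"{user:6} expires {exp}  expired={expired}")
```

Note that alice's shadow value wins over the date sitting in her shell field, while bob's empty shadow value falls through to his SysV age field; a shell field that is an ordinary path simply yields no expiry.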
- I have a large number of users and response's
- Use the following tips for improving response times and speeding
- Run Getpw -c on your
alternate password files every
time that you make a change so that you get fast DBM style
access to the usernames. Do not do this on your /etc/passwd file.
- Run a nameserver on the same machine on which you have
xtacacsd (even a caching server will help) OR run with the
-n option to not use the nameserver at all.
This is to avoid any delays in translating IP addresses to
names during logging.
- Increase the retry & timeout period on the Cisco (5-7
secs) from the default of 3 seconds.
- 'Overwriting UTMP' msg and continuous
denials for all users
- If the daemon starts giving error messages about
overwriting existing entry in utmp file,
and then denies access for all users (only a reboot seems to fix
the problem), this indicates timeouts with the nameserver
resolution. To fix this, see the performance tips
- How do I test (or ping) the server
- You can use the included tacping.pl to send and test
packets to the xtacacsd daemon. This program is written by
Craig A. Finseth and is
provided here just for completeness.
- How do I setup Dialback ?
- Note that xtacacsd itself does not do any dialback. It can only
run an external script which 'pings' the remote site dialing in
which in turn causes the Cisco to call the number associated with
the IP address being pinged.
You have to configure the dialback script on the Cisco (associate a
different IP address for each user). The Cisco should dial out to
the remote user when it gets a ping from the xtacacsd host.
Then write a simple Perl or shell script which pings the IP address
associated with the user when the user dials in. Enter an
execdeny configuration line for that particular dialback
group. Remember to run the ping command with an '&' so that you can
return control to xtacacsd right away. Perhaps the person dialing in
should hangup after getting the denial so that their line is free
- How do I log the bytes/packets transferred by
a login user ?
- You cannot log the bytes or packets transferred by your users
since the TACACS protocol does not support it. Use Radius or
tacacs_plus instead of Extended TACACS if you want to do this.
- How do I send back an 'autocommand' to the
CommServer when a user logs in ?
- You cannot send back an autocommand from xtacacsd since the
TACACS protocol does not support it. Use Radius or Tacacs_plus
instead of Extended TACACS if you want to do this.
- What is DCE ?
- DCE stands for Distributed Computing Environment and is an
Open Software Foundation standard written for single image view of
It is middleware that provides distributed computing layers.
One such vendor providing DCE clients is Transarc. It replaces the
/bin/login for Unix systems with a separate authentication module
which verifies users against a centralized DCE registry and sets the
UNIX uid/gid structures accordingly.
- Where can I get xtacacsd for NT?
- You can get a shareware version of xtacacsd for Windows NT from
Copyright © 1994-1998