Frequently Asked Questions about xtacacs

Last updated Jan 5, 1998

This FAQ on xtacacs is written by Vikas Aggarwal and is relevant mostly to the version of xtacacsd maintained at www.netplex-tech.com (also at ftp.navya.com). It does not attempt to be a complete faq on the protocol, just answers the commonly asked questions on my version of the software.

  1. General
  2. Running xtacacsd
  3. WTMP & UTMP files
  4. Password file
  5. Performance
  6. Miscellaneous

How do I troubleshoot XYZ problem ?
You MUST look at your syslog output.
xtacacsd writes extensive debugging output to the local6 syslog facility (unless changed while compiling). Each stage of the process is traced in this debug output. Just change the log level in your /etc/syslog.conf file (or equivalent) so that it logs messages at local6.debug to a file and send a HUP signal to your syslogd daemon. Then increase the debug level in your xtacacsd-confg file and send a TERM signal to xtacacsd. If the debug syslog messages are not obvious, you can email the messages to vikas@navya.com. Remember, however, that this is an unsupported free software product.

What is TACACS/XTACACS ?
Originally defined in RFC-xxx, TACACS is a protocol where a user dials into a terminal server, and enters a username and password on the terminal server. The terminal server then sends this username and password to a Unix host, which sends back an OKAY or DENY based on whatever tests (normally password check) it needs to do.

XTACACS is an extension to the TACACS protocol (developed by Cisco) which permits sending and authenticating SLIP/PPP requests, CHAP/ARAP authentication etc. also.

How is this version of xtacacsd different from Cisco's ?
This version of xtacacsd has been maintained and developed by Vikas Aggarwal (vikas@navya.com) along with support from many others. It is an enhanced version of the original software from Cisco, and supports a lot of additional features that are desirable in such a package (see FEATURES for the list of additional features).

I have different users on different systems (multiple Unix servers)!
If you have multiple Unix hosts and different password files on each Unix system, then you can do one of the following:
  1. List all the Unix tacacs servers on the Cisco configuration. The Cisco will query the next server in its list if the first xtacacsd server does not respond in the "timeout" interval (3 seconds by default). Then run the xtacacsd server on each of the Unix hosts. You should use QUIETNOUSER in the config file so that the first xtacacsd server does not respond if the user does not exist. The disadvantage is that the user will see long delays before the server asks the next Unix host in its list.
  2. List all the xtacacsd hosts, and do as listed above. However, tell all your users to use directed xtacacsd requests (by specifying user@host instead of only the user at the Username prompt).
  3. Copy over the password file from the other Unix systems periodically and specify the alternate password files in the xtacacsd config file (this will work only if the password encryption scheme is the same on all the Unix hosts, whether DES or otherwise). This is the most preferred method.

Should the server be run out of inetd or standalone ?
Use the inetd mode always except for testing purposes. Since you cannot specify too many command line arguments in the inetd.conf file, you should specify only the location of the xtacacsd config file there and list all the options in the config file itself.

Server exits with socket operation on a non-socket when run.
xtacacsd normally assumes that it is running out of inetd, and you are probably running it from your Unix shell without the -s option. Either run from the command line with the -s option for standalone mode, or else run out of inetd.

Server exits with address already in use when run.
You already have an entry in inetd.conf for xtacacsd and are trying to run it from the command line also. Either comment out the line in inetd.conf and restart inetd, or else don't try running it from the command line.

Server keeps exiting after some time
Look in the log files for any error messages. Unless you see an error message, the 'dying' of the server is normal. The server exits after a period of inactivity (if nobody logs in or logs out for more than 15 minutes) and will restart automatically when a new request comes in while running out of inetd.

What are UTMP & WTMP files ?
The utmp file on Unix systems keeps track of the users currently logged on the system, as opposed to the wtmp file which lists all the logins and logouts in the life of the current file. xtacacsd maintains its own wtmp and utmp files distinct from the Unix system's files (which are usually in /etc/).

What are the fields in the wtmp file ?
The wtmp file in xtacacsd uses an extended utmp structure which has a comment field in addition to the typical system's utmp structure. In v4.1 of xtacacsd, this comment field contains one of the following (in order of availability):
Primary Password file group ID
Logout reason
SLIP logout hostname
Transaction ID

How do I roll over my WTMP files (or how do I create a new wtmp file at the end of the month) ?
You can use the provided tacupd program to "rollover" your wtmp files (this will close out all current sessions in the current wtmp file and re-open them in the new wtmp file). Note the backquotes and NOT regular quotes used in the example below:
kill -HUP `cat /etc/xtacacsd.pid` # flush out wtmp file
mv wtmp.ascii wtmp.`date +%m%y` # rename current file
tacupd -A -R -w wtmp.`date +%m%y` -u utmp > wtmp.ascii
kill -HUP `cat /etc/xtacacsd.pid`

What are 'inaccurate' entries in taclast
The normal sequence of login and slip entries from a Cisco router if a user logs in and issues a PPP command are as follows:
Login-TTYnn
SlipOn-SLInn # when the user goes into SLIP mode
Logout-TTYnn # note this is AFTER SlipOn, and almost immediately
SlipOff-SLInn # when user logs off (disconnects)

If any of the corresponding entries for Login or Logoff is lost due to the server being down or due to heavy load, then an inaccurate entry is generated. In such cases, the way taclast accounts for the missing entry is as follows:

Login-A Logout-A Login-B Logout-B # normal
Login-A _ Login-B Logout-B # assume Logout-A just before Login-B
Login-A Logout-A _ Logout-B # assume Login-B right after Logout-A

The inaccurate entries are indicated along with the accurate data, so if the percentage of inaccurate entries is minor, it can be disregarded.
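The following is an added example, not code from xtacacsd or taclast, that applies the two rules above to a constructed sequence of Login/Logout entries for a single tty line (the one-session-per-line assumption is mine) and reports the share of entries that had to be assumed:

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Session:
    user: str
    login: int               # time of Login (assumed if the entry was lost)
    logout: Optional[int]    # time of Logout, None while still open
    inaccurate: bool = False # True if either end had to be assumed

def pair_sessions(entries: List[Tuple[str, str, int]]) -> List[Session]:
    """entries: (kind, user, time) tuples, kind 'Login' or 'Logout', sorted by
    time, all for ONE tty line (assumption: one active session per line).
    Lost Logout-A -> assumed just before Login-B; lost Login-B -> assumed
    right after Logout-A, as the FAQ describes taclast doing."""
    sessions: List[Session] = []
    current: Optional[Session] = None
    last_logout: Optional[int] = None
    for kind, user, t in entries:
        if kind == "Login":
            if current is not None:
                # Logout-A was lost: close A one second before Login-B
                current.logout = t - 1
                current.inaccurate = True
                last_logout = current.logout
            current = Session(user, t, None)
            sessions.append(current)
        elif kind == "Logout":
            if current is None:
                # Login-B was lost: open B one second after Logout-A
                start = last_logout + 1 if last_logout is not None else t
                sessions.append(Session(user, start, t, inaccurate=True))
            else:
                current.logout = t
            current = None
            last_logout = t
    return sessions

def inaccuracy_ratio(sessions: List[Session]) -> float:
    """Share of sessions that needed an assumed entry; a minor share can be
    disregarded, as the FAQ notes."""
    return sum(s.inaccurate for s in sessions) / len(sessions) if sessions else 0.0

# Constructed sample, not a real wtmp: bob's Logout and dave's Login were lost.
SAMPLE = [("Login", "alice", 100), ("Logout", "alice", 160),
          ("Login", "bob", 200), ("Login", "carol", 300),
          ("Logout", "carol", 340), ("Logout", "dave", 420)]
```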

The wtmp file does not seem to be updating regularly.
The Unix file system typically buffers 'writes' to the disk for efficiency. The program does a 'sync' every 20 entries so that a 'bunch' of entries are written to the wtmp file every time. A kill -HUP signal will flush all the entries to disk before the server exits.

What is the maximum length of the usernames in the password files ?
The length of the username as defined in Unix is typically restricted to 8 characters. Even though it is possible to increase this length in the tacutmp.h file for xtacacsd (UT_NAMELEN), this increase will ONLY work on the alternate password files for xtacacsd and not if the usernames are stored in the system's /etc/passwd file.
For consistency, it is recommended to leave this at 8 unless you are NOT using the system password file at all. Also, remember to save your previous wtmp files since they will be incompatible with the new version of the taclast and other tools.

What are alternate password files ?
This version of xtacacsd can look in alternate password files in addition to the standard Unix /etc/passwd file. Up to five alternate password files can be specified in the configuration file. This allows creating a redundant backup server so that in case the primary machine is down, the alternate machine can act like a backup server. Simply 'rcp' the tacacs password file over from the primary server to the backup server.

You can place the alternate password files in any separate directory. Since the xtacacsd daemon runs as root, you should set the permissions on the alternate password files to root readable only.

How do I create and manipulate alternate password files ?
How you create alternate password files varies from system to system. Start by copying over your standard system password file from /etc/passwd to a directory for xtacacs purposes. Edit and remove all entries that are not desired. For adding a new user, simply edit this password file and change the username. Change the password in the alternate password file using the supplied xpasswd program.

Specifying the password expiry in the password file.
On SysV based machines, the password age (expiry date) is stored in the "age" field of the password file. In other systems, the password expiry is stored in the "shell" field of the password file. The format of this expiry date is: Dec 22 1995.

Format of the password file on System V vs. BSD machines.
System V based machines expect 2 extra fields in their password files after the GID field: the age and the comment field (followed by the gecos, dir and shell).
On non-SysV BSD-based machines:
user : passwd : uid : gid : gecos : dir : shell
On SysV based machines:
user : passwd : uid : gid : age : comment : gecos : dir : shell
If using shadow passwords, the expiry time is in the shadow password file as a number which is the number of days since Jan 1, 1970. xtacacsd first uses the value in the shadow password file, then the age on SysV and finally checks in the shell field. (How even the Unix OS developers figure out which one to use is well beyond me.)
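As an added example (not xtacacsd's own code), the parser below reads a 7-field BSD or 9-field SysV password line and derives the expiry with the precedence the two preceding answers describe: shadow value (days since Jan 1, 1970) first, then the SysV age field, then the shell field. The sample lines are constructed; the shadow value is passed in as a number rather than read from a real shadow file.

```python
from datetime import date, datetime, timedelta
from typing import Dict, Optional

EPOCH = date(1970, 1, 1)

def parse_passwd_line(line: str) -> Dict[str, str]:
    """Split a password file line; the field count tells BSD from SysV."""
    fields = line.rstrip("\n").split(":")
    if len(fields) == 7:    # BSD: user:passwd:uid:gid:gecos:dir:shell
        names = ["user", "passwd", "uid", "gid", "gecos", "dir", "shell"]
    elif len(fields) == 9:  # SysV: user:passwd:uid:gid:age:comment:gecos:dir:shell
        names = ["user", "passwd", "uid", "gid", "age", "comment",
                 "gecos", "dir", "shell"]
    else:
        raise ValueError(f"unexpected field count {len(fields)}: {line!r}")
    return dict(zip(names, fields))

def parse_expiry_text(text: str) -> Optional[date]:
    """Expiry as written in the age or shell field, e.g. 'Dec 22 1995'.
    A real shell path such as /bin/sh is not a date and yields None."""
    try:
        return datetime.strptime(text.strip(), "%b %d %Y").date()
    except ValueError:
        return None

def password_expiry(line: str, shadow_days: Optional[int] = None) -> Optional[date]:
    """shadow_days: expiry from the shadow file as days since 1970-01-01, if any.
    Precedence: shadow file, then SysV age field, then shell field."""
    if shadow_days is not None:
        return EPOCH + timedelta(days=shadow_days)
    entry = parse_passwd_line(line)
    if "age" in entry:
        expiry = parse_expiry_text(entry["age"])
        if expiry is not None:
            return expiry
    return parse_expiry_text(entry["shell"])

# Constructed sample lines, not taken from any real system.
BSD_LINE = "alice:x:1001:100:Alice Example:/home/alice:Dec 22 1995"
SYSV_LINE = "bob:x:1002:100:Jan 15 1996:comment:Bob Example:/home/bob:/bin/sh"
NOEXP_LINE = "carol:x:1003:100:Carol Example:/home/carol:/bin/csh"
```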

I have a large number of users and responses time out.
Use the following tips for improving response times and speeding up xtacacsd:
  1. Run Getpw -c on your alternate password files every time that you make a change so that you get fast DBM style access to the usernames. Do not do this on your /etc/passwd file.
  2. Run a nameserver on the same machine on which you have xtacacsd (even a caching server will help) OR run with the -n option to not use the nameserver at all. This is to avoid any delays in translating IP addresses to names during logging.
  3. Increase the retry & timeout period on the Cisco (5-7 secs) from the default of 3 seconds.

'Overwriting UTMP' msg and continuous denials for all users
If the daemon starts giving error messages about overwriting existing entry in utmp file, and then denies access for all users (only a reboot seems to fix the problem), this indicates timeouts with the nameserver resolution. To fix this, see the performance tips listed above.

How do I test (or ping) the server
You can use the included tacping.pl to send test packets to the xtacacsd daemon. This program was written by Craig A. Finseth and is provided here just for completeness.

How do I set up Dialback ?
Note that xtacacsd itself does not do any dialback. It can only run an external script which 'pings' the IP address assigned to the remote site that is dialing in; the ping in turn causes the Cisco to call the number associated with the IP address being pinged.
You have to configure the dialback script on the Cisco (associate a different IP address for each user). The Cisco should dial out to the remote user when it gets a ping from the xtacacsd host. Then write a simple perl or shell script which pings the IP address associated with the user when the user dials in. Enter an execdeny configuration line for that particular dialback group. Remember to run the ping command with an '&' so that you can return control to xtacacsd right away. Perhaps the person dialing in should hang up after getting the denial so that their line is free for dialback.

How do I log the bytes/packets transferred by a login user ?
You cannot log the bytes or packets transferred by your users since the TACACS protocol does not support it. Use Radius or tacacs_plus instead of Extended TACACS if you want to do this.

How do I send back an 'autocommand' to the CommServer when a user logs in ?
You cannot send back an autocommand from xtacacsd since the TACACS protocol does not support it. Use Radius or Tacacs_plus instead of Extended TACACS if you want to do this.

What is DCE ?
DCE stands for Distributed Computing Environment and is an Open Software Foundation standard written for a single image view of heterogeneous environments. It is middleware that provides distributed computing layers. One such vendor providing DCE clients is Transarc. It replaces /bin/login on Unix systems with a separate authentication module which verifies users against a centralized DCE registry and sets the UNIX uid/gid structures accordingly.

Where can I get xtacacsd for NT?
You can get a shareware version of xtacacsd for Windows NT from www.hkstar.com/~unet/.

Copyright © 1994-1998 Vikas Aggarwal