TACACS+ stuff

My first time putting tacacs on a Brocade. Pretty similar to cisco, the tac pairs that cisco use seem to work just fine. Worked great with do_auth. Keep in mind, although they honor priv-15, they map it to 0, just to be different. I used the following:

username admin password yer_password_here
ip tacacs source-interface loopback 1
tacacs-server retransmit 2
tacacs-server timeout 2
tacacs-server host yer_host_here
tacacs-server key yer_key_here
enable super-user-password again_password_here
aaa authentication login default tacacs+ enable
aaa authentication login privilege-mode
aaa authentication enable default tacacs+ enable
aaa authorization commands 0 default tacacs+ none
aaa authorization exec default tacacs+
aaa accounting commands 0 default start-stop tacacs+
aaa accounting exec default start-stop tacacs+
enable aaa console

John McManus has put together a nice walkthrough of authenticating Citrix Branch Receiver via Cisco TACACS+ over on My Etherealmind. Should be fairly straight forward to port to tac_plus with the information provided by John.

Rancid can be made much more secure by using do_auth. A quick example of the do_auth.ini file is as follows:

[users]
rancid =
     rancid_access
[rancid_access]
host_allow =
     10.0.0.1
device_permit =
     .*
command_permit =
     show.*
     dir.*
     more.*
     write t.*


Now, rancid can only login from 10.0.0.1, and only type commands that match those regular expressions. Technically, you could limit the commands in tac_plus.conf without do_auth. Might take longer, but you could do it. However, you could not limit it to 10.0.0.1 without an after authorization script such as do_auth.

NOTE: This assumes you only authorize config/Level 15 commands. I never authorize level 1 commands or, heaven forbid, level 0 commands as these commands can not change anything on the router, nor allow you to see the configuration. Now, if YOU choose to do so, the above example will still probably work. A quick look at log.txt will tell you any additional commands you will need to add.

ios-xr bug: sends blank ip in conf t. tac_plus really should send an “unknown” for this. I’d submit a patch, but I’m no good at C. job == networker, job != programmer. Heasley strongly disagrees with me on this though. Even though I’m obviously right, I suppose someday I’ll have fix the parsing to ignore any options not sent. Till then:

v1.4:
(Removed)

Simple workaround: -i $address -fix_crs_bug. I advise you use it even if you don’t use ios-xr.

http://www.pastie.org/1618995

Version 1.5 Feb 28 2011
Corrected a stupid mistake in the example. (python do_auth.py | less) Thanks to aojea.
v1.5
http://www.pastie.org/1618995

Note: I haven’t done any work on this because, to the best of my knowledge, I’m the only one who uses it. If you find it useful, write a quick post!

We’ve gone over how you can make your tacacs configuration really secure but complicated. Let’s show how do_auth can actually make configuration easier. It’s much easier to edit the do_auth.ini file than the tac_plus.conf file. In fact, we can make adding a default user as easy as typing “adduser”.

First, the code has been updated:

http://www.pastie.org/631935

I would post the compiled code, but it’s too difficult to get a hold of John these days. (Something about a baby, I dunno) It’s trivial to compile:
dan@dan-desktop:~$ python
Python 2.5.2 (r252:60911, Jul 22 2009, 15:35:03)
[GCC 4.2.4 (Ubuntu 4.2.4-1ubuntu3)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import py_compile
>>> py_compile.compile("do_auth.py")
>>> quit()
First, a starting tac_plus.conf file. Which, we’ll never have to edit again:

# My simple tac_plus config that never needs to change
key = my_key
accounting file = /var/log/tac_plus.acct
default authentication = file /etc/passwd
user = DEFAULT {
     member = do_auth_access
}
group = do_auth_access {
     default service = permit
     service = exec { priv-lvl = 15
          idletime = 10 }
     enable = file /etc/passwd
     after authorization "/usr/bin/python /root/do_auth.pyc -i $address -u $user -d $name -l /root/log.txt -f /root/do_auth.ini"
}

Most important – after authorizaion line is one line, not two.

Now, we add homer and give him access to some show commands. Fist, we do a adduser homer on linux to add the user. This way, when the user wants to change is password, he can any time he wants to with passwd. Next, we edit the do_auth.ini file

[users]
homer =
     few_commands
[few_commands]
host_allow =
     .*
device_permit =
     .*
command_permit =
     show users
     show int.*
     show ip int.*
     show controllers.*

And, you’re done. Well, I’d add some tabs to each command that got stripped above(blogs/wiki’s can be annoying), but that’s about it.

Let’s compare that to the tac_plus.conf config:

user = homer {
     member = limited_access
}
group = limited_access {
     default service = deny
     acl = limited_acl
     service = exec {
          priv-lvl = 15
          idletime = 10
     }
     cmd = show {
          permit "running-config.*"
          permit "ip int*"
          permit "inter.*"
          permit "controllers.*"
     }

In my small do_auth python program, we have no permits, no “”, and no {}. Much easier and the no need to restart the daemon. To add an admin user is even easier. Adduser admin in linux, then add:

admin =
     admin_user
[admin_user]
host_allow =
     .*
device_permit =
     .*
command_permit =
     .*

So, our final config is very easy:

[users]
homer =
     few_commands
admin =
     admin_user
[few_commands]
host_allow =
     .*
device_permit =
     .*
command_permit =
     show users
     show int.*
     show ip int.*
     show controllers.*
[admin_user]
host_allow =
     .*
device_permit =
     .*
command_permit =
     .*

As if this weren’t easy enough, let’s say 99% of your users are these limited access users. Wouldn’t it be nice to just do an adduser and be done without any config modification? All we need is a default user. In our example above we would change to this:

[users]
default =
     few_commands
[few_commands]
host_allow =
     .*
device_permit =
     .*
command_permit =
     show users
     show int.*
     show ip int.*
     show controllers.*

Now, whenever we do an adduser, it automatically gets this level of access.

From here, we can make it as simple or as complicated as we want. Restrict them to certain device, make them connect from connect from certain IP’s, ect. We can maybe even begin to work on a web front end. (Maybe someday when I get time…..)

-Dan Schmidt

By using an authorization script, we can make tac_plus to do very granular authentication, having different permissions granted to different switches defined by user, source IP and device IP.  However, writing/editing a script to change access can be difficult.  Hard coded authorization scripts are not very flexible, hence, I decided to implement a python program to facilitate flexibility.  It is now included in the tac_plus package.

Configuration is fairly simple; as an example, let’s say I wanted to have user Homer have full access to 192.168.1.1 and 10.1.1.0/24, but only do show commands for everything else in 10.0.0.0/8.  For the heck of it, let’s say we only want Homer to connect from 192.168.1.0/24, but never 192.168.1.4, which host can only do the show commands.   The config file would simply be as follows:

[users]
homer =
     simpson_group
     television_group
[simpson_group]
host_deny =
     192.168.1.4
host_allow =
     192.168.1.*
device_permit =
     192.168.1.1
     10.1.1.*
command_permit =
     .*
[television_group]
host_allow =
     192.168.1.*
device_permit =
     10.*
command_permit =
     show.*

Example line to put in tac_plus user or group:
after authorization “/usr/bin/python /root/do_auth.pyc -i $address -u $user -d $name -l /root/log.txt -f /root/do_auth.ini”
(that’s all ONE line)

On my server, I set homer’s password file to /etc/passwd and enable cracklib.  Homer can change his password any time he wants just by logging to Linux and typing passwd – he does not need root access.  Homer is also forced to pick a secure password, and has different access based on different devices.  Given these abilities, combined with the quick administration, tac_plus makes purchasing Cisco’s tacacs server seem like a waste of money.

In the future, I may alter the program to have the ability to send back additional av-pairs, and/or completely new av-pairs.   However, currently I simply don’t need this feature as I pass these pairs back to tac_plus.  The source code is very simple and is GPL’ed for all to see at: http://pastie.org/506002 and is available in compiled/ready to use form here.   For more instructions, you can download this compiled pyc and type “python do_auth.pyc” If I ever get time, I may consider a gui or web interface.

Update: New version 1.2
Fixed pix. Also, apparently there is a bug in the pix that makes it necessary to add a 0.0.0.0 to your allowed hosts.

-Dan Schmidt

Yet another new service definition (in a group or user stanza). role should be set to the role definition name you created on the AMP.

service = AMP {
role = "AMP Administration"
}

Guy Morrell at the University of Oxford provides this snippet for Cisco WCS

service = ciscowlc {
role1 = ALL
}

This snippet is tested against “recent” Shrubbery tac_plus daemons as of the date of the post.

ScreenOS 6.0+ users may have noticed that you can now configure TACACS+ servers to authenticate admin users. I’ll skip over the details, except to say that as of 6.1.0r3, failover isn’t working to either of the backup servers that you can configure, so use with care.
Also note that this is authentication only, no accounting or authorization (except for privilege levels).

ScreenOS needs a specific service in TACACS+ to authenticate. You can put this in a group or user stanza:

service = netscreen {
vsys = root
privilege = read-write
}

The vsys specifies which vsys that user is allowed to. If you only have one, it’s “root”.
privilege can be read-write, read-only or root. As far as I can tell, root allows you to manage local users and mess with nsrp. Otherwise read-write gets most things done. If you’re specifying a non-root vsys, you can also assign vsys-read-write or vsys-read-only as privileges.