TACACS+ stuff

By using an authorization script, we can make tac_plus to do very granular authentication, having different permissions granted to different switches defined by user, source IP and device IP.  However, writing/editing a script to change access can be difficult.  Hard coded authorization scripts are not very flexible, hence, I decided to implement a python program to facilitate flexibility.  I believe it may be included in the next tac_plus.

Configuration is fairly simple; as an example, let’s say I wanted to have user Homer have full access to 192.168.1.1 and 10.1.1.0/24, but only do show commands for everything else in 10.0.0.0/8.  For the heck of it, let’s say we only want Homer to connect from 192.168.1.0/24, but never 192.168.1.4, which host can only do the show commands.   The config file would simply be as follows:

[users]
homer =
simpson_group
television_group
[simpson_group]
host_deny =
192.168.1.4
host_allow =
192.168.1.*
device_permit =
192.168.1.1
10.1.1.*
command_permit =
.*
[television_group]
host_allow =
192.168.1.*
device_permit =
10.*
command_permit =
show.*

Example line to put in tac_plus user or group:
after authorization “/usr/bin/python /root/do_auth.pyc -i $address -u $user -d $name -l /root/log.txt -f /root/do_auth.ini”
(that’s all ONE line)

On my server, I set homer’s password file to /etc/passwd and enable cracklib.  Homer can change his password any time he wants just by logging to Linux and typing passwd – he does not need root access.  Homer is also forced to pick a secure password, and has different access based on different devices.  Given these abilities, combined with the quick administration, tac_plus makes purchasing Cisco’s tacacs server seem like a waste of money.

In the future, I may alter the program to have the ability to send back additional av-pairs, and/or completely new av-pairs.   However, currently I simply don’t need this feature as I pass these pairs back to tac_plus.  The source code is very simple and is GPL’ed for all to see at: http://pastie.org/506002 and is available in compiled/ready to use form here.   For more instructions, you can download this compiled pyc and type “python do_auth.pyc” If I ever get time, I may consider a gui or web interface.

Update: New version 1.2
Fixed pix. Also, apparently there is a bug in the pix that makes it necessary to add a 0.0.0.0 to your allowed hosts.

-Dan Schmidt

Yet another new service definition (in a group or user stanza). role should be set to the role definition name you created on the AMP.

service = AMP {
role = "AMP Administration"
}

Guy Morrell at the University of Oxford provides this snippet for Cisco WCS

service = ciscowlc {
role1 = ALL
}

This snippet is tested against “recent” Shrubbery tac_plus daemons as of the date of the post.

ScreenOS 6.0+ users may have noticed that you can now configure TACACS+ servers to authenticate admin users. I’ll skip over the details, except to say that as of 6.1.0r3, failover isn’t working to either of the backup servers that you can configure, so use with care.
Also note that this is authentication only, no accounting or authorization (except for privilege levels).

ScreenOS needs a specific service in TACACS+ to authenticate. You can put this in a group or user stanza:

service = netscreen {
vsys = root
privilege = read-write
}

The vsys specifies which vsys that user is allowed to. If you only have one, it’s “root”.
privilege can be read-write, read-only or root. As far as I can tell, root allows you to manage local users and mess with nsrp. Otherwise read-write gets most things done. If you’re specifying a non-root vsys, you can also assign vsys-read-write or vsys-read-only as privileges.