do_auth gits with the times

27 03 2013

Jathan has been doing some work on do_auth and has fixed some technical details of the cobbled-together code, including a Python 2.4 fix. (Must be an older 2.4 than I have.) I’d like to thank him for picking up the slack, as I have limited time these days.
Please visit his page at github.



Procurves

6 02 2012

I have only messed around (recently) with a few old Procurves, so I will not promise that the following is valid for all devices. Their tacacs implementation appears to be quite poor. If you use exclusively Procurves, do not use do_auth as procurves don’t properly support authorization.

Some Procurves do not have the “aaa authentication login privilege-mode “ command. Hence, do_auth is not even called. If you have these, you will have to do all your security in tac_plus.conf. Beware, any security defined in your do_auth.ini is void on these.

Other (newer?) Procurves did call an after-authentication script, but did not work right. In English, you can’t modify any pairs as you have to tell it to kludge a response as 0. Do_auth will do this for you if you add the following to your Procurve group:

exit_val =
    0

This is the wrong exit value, but will make everything work with “aaa authentication login privilege-mode “. (Again, this is flat out wrong – do not send that to Cisco/Brocade/anybody else as it voids everything done in do_auth.) You can’t modify the privilege level, but you can at least deny a person access to a switch. If you have a mixed environment, I would highly suggest having a separate group exclusively for your Procurves. One last thing, the -fix-crs-bug option also fixes the Procurves and is mandatory as it doesn’t send $address.



Disable account on Brocade

6 02 2012

Brocade has a brocade-privlvl which I like. It maps priv-lvl to brocade-privlvl, but the result is an account that has some privileges. Here is an example of how to map brocade-privlvl = 5, which has no modification rights. Unfortunately, it does require you to put in the IPs of your gear. (Nexus and Cisco pairs were different enough to distinguish between them, but Brocade pairs mimic Cisco pairs.) It also requires v1.91 or greater.

The following group would go before other groups and assumes you define a priv-lvl (of any number) in your tac_plus config:

[brocade_readonly]
host_allow =
    .*
device_permit =
    192.168.1.*
command_permit =
    .*
av_pairs =
    priv-lvl,brocade-privlvl=5



Brute Force Protection

6 02 2012

Mark Ellzey Thomas has written a patch to tac_plus that prevents the brute force hacking of passwords. It works quite well in all my tests.

The following example would watch for 10 authentication failures within 60 seconds and, if triggered, disable the user for 120 seconds:

auth-fail-lock 10 60 120

More info here: https://github.com/ellzey/tac_plus_AFL
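As an added example (my own Python, not the tac_plus_AFL patch, which is C living inside tac_plus), here is the same idea as a sliding-window lockout driven by those three numbers, replayed over a constructed sequence of login results so you can watch the lock kick in and expire. The user names, timestamps and thresholds are made up for the demonstration.

```python
"""Added example of an auth-fail-lock style limiter: FAILS failures inside
WINDOW seconds lock the user for LOCK seconds. Not the tac_plus_AFL code."""
from collections import defaultdict, deque


class AuthFailLock:
    def __init__(self, max_fails=10, window=60, lock_time=120):
        self.max_fails, self.window, self.lock_time = max_fails, window, lock_time
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.locked_until = {}               # user -> time the lock expires

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def record(self, user, now, success):
        """Feed one authentication result; returns True if the user is now locked."""
        if success:
            self.failures.pop(user, None)    # a good login clears the failure window
            return self.is_locked(user, now)
        window = self.failures[user]
        window.append(now)
        while window and now - window[0] > self.window:   # drop stale failures
            window.popleft()
        if len(window) >= self.max_fails:
            self.locked_until[user] = now + self.lock_time
            window.clear()
        return self.is_locked(user, now)


def replay(events, max_fails=10, window=60, lock_time=120):
    """Replay (time, user, password_ok) events and return a decision per event.

    'reject-locked' means the attempt was refused without the password even
    being checked, which is what takes the guessing rate away from the attacker.
    """
    guard = AuthFailLock(max_fails, window, lock_time)
    decisions = []
    for now, user, password_ok in events:
        if guard.is_locked(user, now):
            decisions.append((now, user, 'reject-locked'))
            continue
        guard.record(user, now, password_ok)
        decisions.append((now, user, 'accept' if password_ok else 'reject'))
    return decisions


# Constructed sample: ten bad guesses for 'bob' inside 20 s, a correct password
# while the lock is still active, one after it expires; 'alice' logs in normally.
SAMPLE_EVENTS = [(1000 + 2 * i, 'bob', False) for i in range(10)] + [
    (1030, 'alice', True),
    (1100, 'bob', True),     # correct password but locked until 1018 + 120 = 1138
    (1140, 'bob', True),     # lock expired
]

if __name__ == '__main__':
    for line in replay(SAMPLE_EVENTS):
        print(*line)
```

Note that a successful login clears the failure window but does not clear an active lock, so a correct password arriving during the lock is still refused; that is the behaviour you want against a guesser who eventually hits the right one.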



Cisco Nexus – HowTo *Updated*

27 10 2011

The Nexus seems to ask for PAP authentication. I have no clue why, but adding a simple “pap = des -hash-” to your tac_plus makes it work. (It doesn’t seem to be necessary if you are setting a default authentication.)

Tacacs on Nexus is different. However, you can still continue to use tacacs the way you always have. Example configuration is as such:

tacacs-server key -key-
tacacs-server host -host-
aaa group server tacacs+ private
    server -host, yes again-
    use-vrf management
    source-interface mgmt0
aaa authentication login default group private
aaa authorization config-commands default group private
aaa authorization commands default group private
aaa accounting default group private

Many of you may be wondering why I did not add a “local” on the end of the aaa authorization commands. In short: it wouldn’t let me – Cisco says it’s a bug. Hence, till that is fixed, I recommend you use roles instead of authorization or you’ll be locked out when the tacacs server is down. To enable roles, simply take out the two authorization lines above. You can read more on roles than I have time to explain on Cisco’s website, and you can even create your own. You can even create users that can only operate inside of their own VDC. However, for my examples, we’ll just focus on how to use tac_plus and do_auth.

Nexus and Cisco just don’t play well together. Or, rather the Nexus plays OK, but the Cisco gets confused when it gets a Nexus role. Without do_auth, you are forced to do things like run two separate tac_plus servers. However, with do_auth, you can run a single server. For instance, consider the following snippet:

    service = exec {
        priv-lvl = 15
        shell:roles="\"network-admin\""
        idletime = 3
        timeout = 15
    }

The roles will confuse your switches, and you’ll end up having to use enable passwords. However, add do_auth as an after-authentication script, and do_auth will strip the shell:roles from the Cisco. Hence, it works like it should.

I’ve improved the add/replacement of tac_pairs. For example:

av_pairs =
    priv-lvl=1
    shell:roles="network-operator"

Add this to a do_auth group, and you’ve created a safe little read_only group to give helpdesk operators. More information is available on key replacement – do_auth.py | less.

In short, you need do_auth to make roles work correctly with other Cisco gear. But, this is NOT to imply a shortcoming of tac_plus – this kluge in do_auth was written to fix vendor problems, NOT tac_plus problems.

Of course, these changes required changes to do_auth.

v1.91 http://pastie.org/3284098



do_auth – av_pairs

7 09 2011

One of the long promised features has finally been added, the ability to modify av pairs. Let’s say you have a group which you simply want a user to have disable access to. Simply add this to the group:

av_pairs =
    priv-lvl=1

This assumes you have priv-lvl in your tac_plus.conf. (Like examples in other posts) Note, of course, you’ll also need to add a command_deny for enable or they’ll just type ‘en’ if they have an enable password. Better yet, just don’t give them an enable password!

In addition, we can replace one pair with something completely different, like for a Brocade device. priv-lvl,brocade-privlvl=5 will replace any priv-lvl with that brocade-privlvl. Think of it as a find/replace function.

Some devices do not like to have their tac_pairs messed with. They don’t accept AUTHOR_STATUS_PASS_REPL and I’ll spare the rest of the details for lack of time. These include the Procurves and the Cisco WLC. Attempts to make these devices work have resulted in much “code sprawl” in do_auth and are the reason that any service other than shell returns 0 unless you explicitly modify a tac_pair. For these devices, you will have to do all your config in tac_plus.conf.
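As an added example (my own Python, not do_auth's code), here is a small model of the av_pairs handling described in this post, in the “Disable account on Brocade” post and in the Nexus post above: “key=value” adds or replaces a pair, “old,new=value” is the find/replace used for brocade-privlvl, and a group can force exit_val the way the Procurve post needs. The exit-status meanings (0 accept the pairs unchanged, 1 deny, 2 replace with the pairs written to stdout) are my reading of the tac_plus after-authorization convention; the group text, device IPs and pairs are constructed. Only the exec (shell start) authorization is modelled: users sections, host_allow, command_permit/command_deny and the Cisco shell:roles stripping are left out.

```python
"""Added model of do_auth-style av_pairs rewriting (not do_auth's own code).
Assumed tac_plus after-authorization exit codes: 0 accept pairs unchanged,
1 deny, 2 replace the pairs with the ones written to stdout."""
import re

# Constructed sample groups in the do_auth.ini layout the posts use.
SAMPLE_INI = """\
[brocade_readonly]
device_permit =
    192.168.1.*
av_pairs =
    priv-lvl,brocade-privlvl=5

[procurves]
device_permit =
    10.0.0.*
exit_val =
    0

[helpdesk_readonly]
device_permit =
    .*
av_pairs =
    priv-lvl=1
    shell:roles="network-operator"
"""

EXIT_PASS_ADD, EXIT_FAIL, EXIT_PASS_REPL = 0, 1, 2  # assumed meanings, see above


def parse_ini(text):
    """Parse '[group]' headers, 'key =' lines and their indented value lines."""
    groups, group, key = {}, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith('['):
            group = raw.strip()[1:-1]
            groups[group] = {}
        elif raw[0] not in ' \t':
            key, _, rest = raw.partition('=')
            key = key.strip()
            groups[group][key] = [rest.strip()] if rest.strip() else []
        else:
            groups[group][key].append(raw.strip())
    return groups


def matches_any(patterns, value):
    """Regex matching in the do_auth spirit; fullmatch is stricter than a prefix match."""
    return any(re.fullmatch(p, value) for p in patterns)


def split_pair(pair):
    key, _, value = pair.partition('=')
    return key.strip(), value.strip()


def apply_av_pairs(pairs, rules):
    """Apply av_pairs rules in order; return (rewritten pairs, whether anything changed)."""
    out, changed = list(pairs), False
    for rule in rules:
        lhs, value = split_pair(rule)
        if ',' in lhs:  # 'old,new=value': every old=... pair becomes new=value
            old, new = (s.strip() for s in lhs.split(',', 1))
            for i, p in enumerate(out):
                if split_pair(p)[0] == old:
                    out[i], changed = '%s=%s' % (new, value), True
        else:  # 'key=value': replace the existing key's value or append the pair
            keys = [split_pair(p)[0] for p in out]
            new_pair = '%s=%s' % (lhs, value)
            if lhs in keys:
                i = keys.index(lhs)
                if out[i] != new_pair:
                    out[i], changed = new_pair, True
            else:
                out.append(new_pair)
                changed = True
    return out, changed


def authorize(groups, device_ip, pairs):
    """First group whose device_permit matches decides the exec authorization:
    returns (group name, exit code, pairs to hand back to tac_plus)."""
    for name, g in groups.items():
        if not matches_any(g.get('device_permit', []), device_ip):
            continue
        new_pairs, changed = apply_av_pairs(pairs, g.get('av_pairs', []))
        code = EXIT_PASS_REPL if changed else EXIT_PASS_ADD
        if 'exit_val' in g:  # Procurve kludge: force the exit status the switch wants
            code = int(g['exit_val'][0])
        return name, code, new_pairs
    return None, EXIT_FAIL, []  # no group matched: deny


if __name__ == '__main__':
    pairs = ['service=shell', 'priv-lvl=15', 'shell:roles="\\"network-admin\\""', 'idletime=3']
    for device in ('192.168.1.7', '10.0.0.3', '172.16.0.9'):
        print(device, authorize(parse_ini(SAMPLE_INI), device, pairs))
```

Group order matters, exactly as the Brocade post says: the brocade_readonly group is listed first so that its device_permit wins for the Brocade IPs before the catch-all group is consulted.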

One last thing, don’t use v1.6 – it had a bug. Also, sorry if your comments don’t get approved; apparently I don’t have rights to do that.



Password Hash CGI

26 08 2011

I threw this cgi together quick so users could send me a SHA-512 hashed password generated from a webpage instead of command line. (For use in tac_plus) Suggestions welcome.

http://pastie.org/2433995



New do_auth (again)

23 08 2011

I finally got a chance to play with some tac pairs that weren’t exec=shell when I needed to put tacacs on the cisco wireless controller. (See post below, it uses the concept of “roles” which can be looked up) Had to make adjustments to make sure the keys set in tac_plus.conf worked. New code here:

V 1.6 – removed



Misc TACACS+ questions

6 07 2011

I’ve received a couple of comments posing questions, but they’ve been hiding out on the “About” page. I’m going to move them to this post so others can see and answer.

This is hopefully where new questions can be posed.



Brocade

16 03 2011

My first time putting tacacs on a Brocade. Pretty similar to cisco, the tac pairs that cisco use seem to work just fine. Worked great with do_auth. Keep in mind, although they honor priv-15, they map it to 0, just to be different. I used the following:

username admin password yerpasswordhere
ip tacacs source-interface loopback 1
tacacs-server retransmit 2
tacacs-server timeout 2
tacacs-server host yerhosthere
tacacs-server key yerkeyhere
enable super-user-password againpasswordhere
aaa authentication login default tacacs+ enable
aaa authentication login privilege-mode
aaa authentication enable default tacacs+ enable
aaa authorization commands 0 default tacacs+ none
aaa authorization exec default tacacs+
aaa accounting commands 0 default start-stop tacacs+
aaa accounting exec default start-stop tacacs+
enable aaa console