TACACS+ stuff » Cisco

do_auth & IOS-XR

helpdeskdan — Mon, 09 Nov 2009 19:56:27 +0000

ios-xr bug: sends blank ip in conf t. tac_plus really should send an “unknown” for this. I’d submit a patch, but I’m no good at C. job == networker, job != programmer. Heasley strongly disagrees with me on this though. Even though I’m obviously right, I suppose someday I’ll have fix the parsing to ignore any options not sent. Till then:

v1.4: (Removed)

Simple workaround: -i $address -fixcrsbug. I advise you use it even if you don’t use ios-xr.

Version 1.5 Feb 28 2011 Corrected a stupid mistake in the example. (python do_auth.py | less) Thanks to aojea. v1.5 (Also removed – scroll up for latest version)

Note: I haven’t done any work on this because, to the best of my knowledge, I’m the only one who uses it. If you find it useful, write a quick post!

Granular Tacacs Control (Yes, you can do multiple groups)

helpdeskdan — Fri, 08 May 2009 23:17:45 +0000

By using an authorization script, we can make tacplus to do very granular authentication, having different permissions granted to different switches defined by user, source IP and device IP. However, writing/editing a script to change access can be difficult. Hard coded authorization scripts are not very flexible, hence, I decided to implement a python program to facilitate flexibility. It is now included in the tacplus package.

Configuration is fairly simple; as an example, let’s say I wanted to have user Homer have full access to 192.168.1.1 and 10.1.1.0/24, but only do show commands for everything else in 10.0.0.0/8. For the heck of it, let’s say we only want Homer to connect from 192.168.1.0/24, but never 192.168.1.4, which host can only do the show commands. The config file would simply be as follows:

[users] homer = simpsongroup televisiongroup [simpsongroup] hostdeny = 192.168.1.4 hostallow = 192.168.1.* devicepermit = 192.168.1.1 10.1.1.* commandpermit = .* [televisiongroup] hostallow = 192.168.1.* devicepermit = 10.* command_permit = show.*

Example line to put in tacplus user or group: after authorization “/usr/bin/python /root/doauth.pyc -i $address -u $user -d $name -l /root/log.txt -f /root/do_auth.ini” (that’s all ONE line)

On my server, I set homer’s password file to /etc/passwd and enable cracklib. Homer can change his password any time he wants just by logging to Linux and typing passwd – he does not need root access. Homer is also forced to pick a secure password, and has different access based on different devices. Given these abilities, combined with the quick administration, tac_plus makes purchasing Cisco’s tacacs server seem like a waste of money.

In the future, I may alter the program to have the ability to send back additional av-pairs, and/or completely new av-pairs. However, currently I simply don’t need this feature as I pass these pairs back to tacplus. The source code is very simple and is GPL’ed for all to see at: http://pastie.org/506002 and is available in compiled/ready to use form here. For more instructions, you can download this compiled pyc and type “python doauth.pyc” If I ever get time, I may consider a gui or web interface.

Update: New version 1.2 Fixed pix. Also, apparently there is a bug in the pix that makes it necessary to add a 0.0.0.0 to your allowed hosts.

-Dan Schmidt

Cisco Wireless Control System

jpayne — Tue, 04 Nov 2008 18:55:27 +0000

Guy Morrell at the University of Oxford provides this snippet for Cisco WCS

service = ciscowlc {
role1 = ALL
}

Managing Cisco ACE (Application Control Engine) modules with TACACS+

jpayne — Thu, 16 Oct 2008 16:07:05 +0000

This snippet is tested against “recent” Shrubbery tac_plus daemons as of the date of the post. Searching for ACE and TACACS or similar gets confusing because of the RSA ACE server. Good job Cisco Cisco Application Control Engine modules are really separate devices from the “mother” switch, only suckling power and connectivity. These devices need their own authentication schemes. It’s pretty easy to turn on TACACS+ authentication and accounting (no authorization again. Why do vendors insist on only doing 1 or 2 As and not 3?). ACE modules needs a specific optional av-pair in the “exec” service in TACACS+ to authenticate. You can put this in a group or user stanza:

service = exec {
optional shell:Admin = "Admin default-domain"
}

The format is: shell: = “ ” I’m not all that into ACE modules yet, so I’ll assume that the reader knows what each of those should be set to in their environment. For us, we simply want the equivalent of priv-lvl = 15, and that’s what we get above. Note that without that av-pair, the defaults come through as Admin context, default-domain and “Network-Monitoring” role. Also note that excluding the “optional” keyword will render you unable to log in to any IOS devices that use your TACACS+ server for authorization. [ad#footer]