TACACS+ stuff

We’ve gone over how you can make your tacacs configuration really secure but complicated. Let’s show how do_auth can actually make configuration easier. It’s much easier to edit the do_auth.ini file than the tac_plus.conf file. In fact, we can make adding a default user as easy as typing “adduser”.

First, the code has been updated:

http://www.pastie.org/631935

I would post the compiled code, but it’s too difficult to get a hold of John these days. (Something about a baby, I dunno) It’s trivial to compile:
dan@dan-desktop:~$ python
Python 2.5.2 (r252:60911, Jul 22 2009, 15:35:03)
[GCC 4.2.4 (Ubuntu 4.2.4-1ubuntu3)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import py_compile
>>> py_compile.compile("do_auth.py")
>>> quit()
First, a starting tac_plus.conf file. Which, we’ll never have to edit again:

# My simple tac_plus config that never needs to change
key = my_key
accounting file = /var/log/tac_plus.acct
default authentication = file /etc/passwd
user = DEFAULT {
member = do_auth_access
}
group = do_auth_access {
default service = permit
service = exec { priv-lvl = 15
idletime = 10 }
enable = file /etc/passwd
after authorization "/usr/bin/python /root/do_auth.pyc -i $address -u $user -d $name -l /root/log.txt -f /root/do_auth.ini"
}

Hum… some extra returns & tabs in there would make it more readable, but it doesn’t look right when I post it. Also, most important – after authorizaion line is one line, not two.

Now, we add homer and give him access to some show commands. Fist, we do a adduser homer on linux to add the user. This way, when the user wants to change is password, he can any time he wants to with passwd. Next, we edit the do_auth.ini file

[users]
homer =
few_commands
[few_commands]
host_allow =
.*
device_permit =
.*
command_permit =
show users
show int.*
show ip int.*
show controllers.*

And, you’re done. Well, I’d add some tabs to each command that got stripped above(blogs/wiki’s can be annoying), but that’s about it.

Let’s compare that to the tac_plus.conf config:

user = homer {
member = limited_access
}
group = limited_access {
default service = deny
acl = limited_acl
service = exec {
priv-lvl = 15
idletime = 10
}
cmd = show {
permit "running-config.*"
permit "ip int*"
permit "inter.*"
permit "controllers.*"
}

In my small do_auth python program, we have no permits, no “”, and no {}. Much easier and the no need to restart the daemon. To add an admin user is even easier. Adduser admin in linux, then add:

admin =
admin_user
[admin_user]
host_allow =
.*
device_permit =
.*
command_permit =
.*

So, our final config is very easy:

[users]
homer =
few_commands
admin =
admin_user
[few_commands]
host_allow =
.*
device_permit =
.*
command_permit =
show users
show int.*
show ip int.*
show controllers.*
[admin_user]
host_allow =
.*
device_permit =
.*
command_permit =
.*

As if this weren’t easy enough, let’s say 99% of your users are these limited access users. Wouldn’t it be nice to just do an adduser and be done without any config modification? All we need is a default user. In our example above we would change to this:

[users]
default =
few_commands
[few_commands]
host_allow =
.*
device_permit =
.*
command_permit =
show users
show int.*
show ip int.*
show controllers.*

Now, whenever we do an adduser, it automatically gets this level of access.

From here, we can make it as simple or as complicated as we want. Restrict them to certain device, make them connect from connect from certain IP’s, ect. We can maybe even begin to work on a web front end. (Maybe someday when I get time…..)

-Dan Schmidt

By using an authorization script, we can make tac_plus to do very granular authentication, having different permissions granted to different switches defined by user, source IP and device IP.  However, writing/editing a script to change access can be difficult.  Hard coded authorization scripts are not very flexible, hence, I decided to implement a python program to facilitate flexibility.  I believe it may be included in the next tac_plus.

Configuration is fairly simple; as an example, let’s say I wanted to have user Homer have full access to 192.168.1.1 and 10.1.1.0/24, but only do show commands for everything else in 10.0.0.0/8.  For the heck of it, let’s say we only want Homer to connect from 192.168.1.0/24, but never 192.168.1.4, which host can only do the show commands.   The config file would simply be as follows:

[users]
homer =
simpson_group
television_group
[simpson_group]
host_deny =
192.168.1.4
host_allow =
192.168.1.*
device_permit =
192.168.1.1
10.1.1.*
command_permit =
.*
[television_group]
host_allow =
192.168.1.*
device_permit =
10.*
command_permit =
show.*

Example line to put in tac_plus user or group:
after authorization “/usr/bin/python /root/do_auth.pyc -i $address -u $user -d $name -l /root/log.txt -f /root/do_auth.ini”
(that’s all ONE line)

On my server, I set homer’s password file to /etc/passwd and enable cracklib.  Homer can change his password any time he wants just by logging to Linux and typing passwd – he does not need root access.  Homer is also forced to pick a secure password, and has different access based on different devices.  Given these abilities, combined with the quick administration, tac_plus makes purchasing Cisco’s tacacs server seem like a waste of money.

In the future, I may alter the program to have the ability to send back additional av-pairs, and/or completely new av-pairs.   However, currently I simply don’t need this feature as I pass these pairs back to tac_plus.  The source code is very simple and is GPL’ed for all to see at: http://pastie.org/506002 and is available in compiled/ready to use form here.   For more instructions, you can download this compiled pyc and type “python do_auth.pyc” If I ever get time, I may consider a gui or web interface.

Update: New version 1.2
Fixed pix. Also, apparently there is a bug in the pix that makes it necessary to add a 0.0.0.0 to your allowed hosts.

-Dan Schmidt