TACACS+ stuff

do_auth & IOS-XR

helpdeskdan — Mon, 09 Nov 2009 19:56:27 +0000

ios-xr bug: sends blank ip in conf t. tac_plus really should send an “unknown” for this. I’d submit a patch, but I’m no good at C. job == networker, job != programmer. Heasley strongly disagrees with me on this though. Even though I’m obviously right, I suppose someday I’ll have fix the parsing to ignore any options not sent. Till then:

v1.4:
http://www.pastie.org/685729

Simple workaround: -i $address -fix_crs_bug. I advise you use it even if you don’t use ios-xr.

Easier Tacacs Configurations with do_auth

helpdeskdan — Sat, 26 Sep 2009 23:05:52 +0000

We’ve gone over how you can make your tacacs configuration really secure but complicated. Let’s show how do_auth can actually make configuration easier. It’s much easier to edit the do_auth.ini file than the tac_plus.conf file. In fact, we can make adding a default user as easy as typing “adduser”.

First, the code has been updated:

http://www.pastie.org/631935

I would post the compiled code, but it’s too difficult to get a hold of John these days. (Something about a baby, I dunno) It’s trivial to compile:
dan@dan-desktop:~$ python Python 2.5.2 (r252:60911, Jul 22 2009, 15:35:03) [GCC 4.2.4 (Ubuntu 4.2.4-1ubuntu3)] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> import py_compile >>> py_compile.compile("do_auth.py") >>> quit()
First, a starting tac_plus.conf file. Which, we’ll never have to edit again:

# My simple tac_plus config that never needs to change key = my_key accounting file = /var/log/tac_plus.acct default authentication = file /etc/passwd user = DEFAULT { member = do_auth_access } group = do_auth_access { default service = permit service = exec { priv-lvl = 15 idletime = 10 } enable = file /etc/passwd after authorization "/usr/bin/python /root/do_auth.pyc -i $address -u $user -d $name -l /root/log.txt -f /root/do_auth.ini" }

Hum… some extra returns & tabs in there would make it more readable, but it doesn’t look right when I post it. Also, most important – after authorizaion line is one line, not two.

Now, we add homer and give him access to some show commands. Fist, we do a adduser homer on linux to add the user. This way, when the user wants to change is password, he can any time he wants to with passwd. Next, we edit the do_auth.ini file

[users] homer = few_commands [few_commands] host_allow = .* device_permit = .* command_permit = show users show int.* show ip int.* show controllers.*

And, you’re done. Well, I’d add some tabs to each command that got stripped above(blogs/wiki’s can be annoying), but that’s about it.

Let’s compare that to the tac_plus.conf config:

user = homer { member = limited_access } group = limited_access { default service = deny acl = limited_acl service = exec { priv-lvl = 15 idletime = 10 } cmd = show { permit "running-config.*" permit "ip int*" permit "inter.*" permit "controllers.*" }

In my small do_auth python program, we have no permits, no “”, and no {}. Much easier and the no need to restart the daemon. To add an admin user is even easier. Adduser admin in linux, then add:

admin = admin_user [admin_user] host_allow = .* device_permit = .* command_permit = .*

So, our final config is very easy:

[users] homer = few_commands admin = admin_user [few_commands] host_allow = .* device_permit = .* command_permit = show users show int.* show ip int.* show controllers.* [admin_user] host_allow = .* device_permit = .* command_permit = .*

As if this weren’t easy enough, let’s say 99% of your users are these limited access users. Wouldn’t it be nice to just do an adduser and be done without any config modification? All we need is a default user. In our example above we would change to this:

[users] default = few_commands [few_commands] host_allow = .* device_permit = .* command_permit = show users show int.* show ip int.* show controllers.*

Now, whenever we do an adduser, it automatically gets this level of access.

From here, we can make it as simple or as complicated as we want. Restrict them to certain device, make them connect from connect from certain IP’s, ect. We can maybe even begin to work on a web front end. (Maybe someday when I get time…..)

-Dan Schmidt

Granular Tacacs Control

helpdeskdan — Fri, 08 May 2009 23:17:45 +0000

By using an authorization script, we can make tac_plus to do very granular authentication, having different permissions granted to different switches defined by user, source IP and device IP. However, writing/editing a script to change access can be difficult. Hard coded authorization scripts are not very flexible, hence, I decided to implement a python program to facilitate flexibility. I believe it may be included in the next tac_plus.

Configuration is fairly simple; as an example, let’s say I wanted to have user Homer have full access to 192.168.1.1 and 10.1.1.0/24, but only do show commands for everything else in 10.0.0.0/8. For the heck of it, let’s say we only want Homer to connect from 192.168.1.0/24, but never 192.168.1.4, which host can only do the show commands. The config file would simply be as follows:

[users]
homer =
simpson_group
television_group
[simpson_group]
host_deny =
192.168.1.4
host_allow =
192.168.1.*
device_permit =
192.168.1.1
10.1.1.*
command_permit =
.*
[television_group]
host_allow =
192.168.1.*
device_permit =
10.*
command_permit =
show.*

Example line to put in tac_plus user or group:
after authorization “/usr/bin/python /root/do_auth.pyc -i $address -u $user -d $name -l /root/log.txt -f /root/do_auth.ini”
(that’s all ONE line)

On my server, I set homer’s password file to /etc/passwd and enable cracklib. Homer can change his password any time he wants just by logging to Linux and typing passwd – he does not need root access. Homer is also forced to pick a secure password, and has different access based on different devices. Given these abilities, combined with the quick administration, tac_plus makes purchasing Cisco’s tacacs server seem like a waste of money.

In the future, I may alter the program to have the ability to send back additional av-pairs, and/or completely new av-pairs. However, currently I simply don’t need this feature as I pass these pairs back to tac_plus. The source code is very simple and is GPL’ed for all to see at: http://pastie.org/506002 and is available in compiled/ready to use form here. For more instructions, you can download this compiled pyc and type “python do_auth.pyc” If I ever get time, I may consider a gui or web interface.

Update: New version 1.2
Fixed pix. Also, apparently there is a bug in the pix that makes it necessary to add a 0.0.0.0 to your allowed hosts.

-Dan Schmidt

Aruba Airwave Management Platform

jpayne — Wed, 05 Nov 2008 12:51:53 +0000

Yet another new service definition (in a group or user stanza). role should be set to the role definition name you created on the AMP.

service = AMP {
role = "AMP Administration"
}

Cisco Wireless Control System

jpayne — Tue, 04 Nov 2008 18:55:27 +0000

Guy Morrell at the University of Oxford provides this snippet for Cisco WCS

service = ciscowlc {
role1 = ALL
}

Managing Cisco ACE (Application Control Engine) modules with TACACS+

jpayne — Thu, 16 Oct 2008 16:07:05 +0000

This snippet is tested against “recent” Shrubbery tac_plus daemons as of the date of the post. Searching for ACE and TACACS or similar gets confusing because of the RSA ACE server. Good job Cisco Cisco Application Control Engine modules are really separate devices from the “mother” switch, only suckling power and connectivity. These devices need their own authentication schemes. It’s pretty easy to turn on TACACS+ authentication and accounting (no authorization again. Why do vendors insist on only doing 1 or 2 As and not 3?). ACE modules needs a specific optional av-pair in the “exec” service in TACACS+ to authenticate. You can put this in a group or user stanza:

service = exec {
optional shell:Admin = "Admin default-domain"
}

The format is: shell: = “ ” I’m not all that into ACE modules yet, so I’ll assume that the reader knows what each of those should be set to in their environment. For us, we simply want the equivalent of priv-lvl = 15, and that’s what we get above. Note that without that av-pair, the defaults come through as Admin context, default-domain and “Network-Monitoring” role. Also note that excluding the “optional” keyword will render you unable to log in to any IOS devices that use your TACACS+ server for authorization. [ad#footer]

Managing ScreenOS firewalls with TACACS+

jpayne — Thu, 16 Oct 2008 15:25:44 +0000

This snippet is tested against “recent” Shrubbery tac_plus daemons as of the date of the post.

ScreenOS 6.0+ users may have noticed that you can now configure TACACS+ servers to authenticate admin users. I’ll skip over the details, except to say that as of 6.1.0r3, failover isn’t working to either of the backup servers that you can configure, so use with care.
Also note that this is authentication only, no accounting or authorization (except for privilege levels).

ScreenOS needs a specific service in TACACS+ to authenticate. You can put this in a group or user stanza:

service = netscreen {
vsys = root
privilege = read-write
}

The vsys specifies which vsys that user is allowed to. If you only have one, it’s “root”.
privilege can be read-write, read-only or root. As far as I can tell, root allows you to manage local users and mess with nsrp. Otherwise read-write gets most things done. If you’re specifying a non-root vsys, you can also assign vsys-read-write or vsys-read-only as privileges.

[ad#footer]