Configuring cisco aaa + tac_plus (tacacs +)
The idea to write an article about the example of implementing cisco + tac_plus spontaneously arose when looking at the tac_plus config I realized that I no longer remember what, and most importantly, why I wrote there a few years ago. Combine the accumulated experience, stuffed cones, sleepless nights and shamanic dances into some mini-howto, which can be improved to a working instruction mandatory for a new employee to read and may be useful to someone else (in my opinion, it’s possible to step on the described rake interest, or being in a deep depression / fit of masochism). Well, in order to diversify the number of articles in the Russian part of the Internet. But the most important thing is to understand that the chosen direction leads / does not lead to a dead end, or a respected community can suggest other solutions and back them up with their own examples.
This material does not pretend to complete the consideration of the tacacs + protocol (in this article it is not considered at all, but exclusively exploited) and the only correct way to configure aaa-new model, designed for people with experience in configuring and operating cisco ios devices.
When the network device fleet is calculated in units, it is still possible to maintain a local database of administrators / users / auditors with setting up individual view lists and specifying a set of commands for each privilege-level. When their number approaches several dozens - it is tiring, it passes over a hundred - ... to say the least uncomfortable. In csico ios devices, the implementation of aaa (authentication, authorization and accounting) is possible either using a local user base, or using radius or tacacs + protocols, which greatly expands the possibilities. Software implementations of servers of the radius-protocol are great, as the protocol itself is open. With tacacs +, the situation is different - this is a proprietary implementation of the tacacs cisco protocol itself, but (and this is an exceptional case!) Its source code is officially available, as mentioned in the Habr . Naturally, it is necessary to note the decision from the most cisco - ACS , only the cost of this remarkable, but not very free product from all sides, did not allow to persuade the authorities to purchase it. As a result, I had to choose from the "free" implementations of radius and tacacs +: freeradius and tac_plus (there is in the ports of freebsd, there is a version for windows , from the source you can build under the required platform). Freeradius liked everything (especially authentication speed, all the same tcp introduces microsecond delays, which becomes more noticeable on the remote device, unlike udp transport or I was not so lucky?) Especially since it was already used in the company, but I absolutely did not like Sat, because he didn’t know how (I don’t know how it is now) to receive accounting input commands, did not fully support command authorization (thanks to Rel1cto ) and encrypt the data in the package, but for SAT these moments are fundamental. And all my efforts to merge accounting just to the syslog server (the blessing of this functionality, cisco without any aaa can) were stopped by the bosses: “Nizya!”.
As a result, the tasks of authentication (determining whether the user is really the one for whom he claims to be), authorization (whether this user can execute this command) and accounting (all significant user actions are recorded) on the network equipment were assigned to tac_plus.
')
Here are some commands for setting aaa with comments (I will not in any way try to compete with the command reference for your release, therefore, if there is a discrepancy, do not judge strictly, but refer to the original source)
The author is not responsible for the consequences of the actions of persons who read the article. When making configuration changes on running equipment, take precautions (as an option, use deferred reload).
In the sample configuration, two groups are created: admin and service. The main difference in the policy applied by default. Permit means that the user will be allowed all the commands of his privilege level if the command is not explicitly prohibited, and deny, respectively, all commands are prohibited, unless otherwise specified. This allows very flexible configuration of permissions to use commands. In this example, there is a user auditor. Despite the fact that he has privilege level 15, he is prohibited from executing obviously destructive commands. For all attempts to enter them, he will receive, for example:
Another application is the event_manager user. Ios has a built-in mechanism that allows you to perform certain actions, respond to changes, etc. These actions are performed on the assigned user name (in this example, the event_manager in the ios configuration (config) #event manager session cli username event_manager) and this virtual user has exactly the same rights to execute their commands. One of the options to control what is happening is to put this user into a group (service in this example) with a default ban and allow only certain commands.
The tac_plus package also comes with a great tac_pwd utility that allows you to encrypt the password and use it in the config file in an encrypted form. That certainly does not give the right to publish "combat" configs in the internet, but at least makes it not human-readable.
But all this magic will begin to work only with the appropriate configuration of the client device.
Here, I believe, it is necessary to make an explanation of the syntax: 4 aaa lists with the same name admin were created (the names can be arbitrary, but because of belonging to the same uh ... process, I call them the same), authentication login tells our the device authenticate the user in the tac-int group, and if its servers are unavailable locally. The same construction is used for the other sheets, except for accounting.
If you have users with other privilege level, you will need to create the appropriate sheets and rules for them.
In operation, this bunch has been working for quite a long time. From the point of view of the stability of the work, there were no complaints, the Security Council, I suppose, is generally quietly blissful with happiness.
tac_plus is raised on two servers located in different data centers, the only inconvenience is the need to synchronize the server configuration manually. By the way, what are the suggestions? Prerequisite: the configuration file should be stored locally on each of the servers, and only the changes should be synchronized.
This material does not pretend to complete the consideration of the tacacs + protocol (in this article it is not considered at all, but exclusively exploited) and the only correct way to configure aaa-new model, designed for people with experience in configuring and operating cisco ios devices.
Thinking out loud
When the network device fleet is calculated in units, it is still possible to maintain a local database of administrators / users / auditors with setting up individual view lists and specifying a set of commands for each privilege-level. When their number approaches several dozens - it is tiring, it passes over a hundred - ... to say the least uncomfortable. In csico ios devices, the implementation of aaa (authentication, authorization and accounting) is possible either using a local user base, or using radius or tacacs + protocols, which greatly expands the possibilities. Software implementations of servers of the radius-protocol are great, as the protocol itself is open. With tacacs +, the situation is different - this is a proprietary implementation of the tacacs cisco protocol itself, but (and this is an exceptional case!) Its source code is officially available, as mentioned in the Habr . Naturally, it is necessary to note the decision from the most cisco - ACS , only the cost of this remarkable, but not very free product from all sides, did not allow to persuade the authorities to purchase it. As a result, I had to choose from the "free" implementations of radius and tacacs +: freeradius and tac_plus (there is in the ports of freebsd, there is a version for windows , from the source you can build under the required platform). Freeradius liked everything (especially authentication speed, all the same tcp introduces microsecond delays, which becomes more noticeable on the remote device, unlike udp transport or I was not so lucky?) Especially since it was already used in the company, but I absolutely did not like Sat, because he didn’t know how (I don’t know how it is now) to receive accounting input commands, did not fully support command authorization (thanks to Rel1cto ) and encrypt the data in the package, but for SAT these moments are fundamental. And all my efforts to merge accounting just to the syslog server (the blessing of this functionality, cisco without any aaa can) were stopped by the bosses: “Nizya!”.
As a result, the tasks of authentication (determining whether the user is really the one for whom he claims to be), authorization (whether this user can execute this command) and accounting (all significant user actions are recorded) on the network equipment were assigned to tac_plus.
')
Here are some commands for setting aaa with comments (I will not in any way try to compete with the command reference for your release, therefore, if there is a discrepancy, do not judge strictly, but refer to the original source)
The author is not responsible for the consequences of the actions of persons who read the article. When making configuration changes on running equipment, take precautions (as an option, use deferred reload).
Configuration Example tac_plus.conf
# ENCYPTION KEY accounting file = /var/log/tac_plus.acct key = VeryLongANDSecureKey # Groups group = admin { default service = permit service = exec { priv-lvl = 15 } } group = service { default service = deny service = exec { priv-lvl = 15 } } # Users user = art0m { member = admin login = des S451H82iNlwqQ } user = auditor { member = admin cmd = configure { deny .* } cmd = enable { deny .* } cmd = clear { deny .* } cmd = reload { deny .* } cmd = write { deny .* } cmd = copy { deny .* } cmd = erase { deny .* } cmd = delete { deny .* } cmd = archive { deny .* } login = cleartext secret } user = event_manager { member = service cmd = clear { permit .* } cmd = tclsh { permit .* } cmd = squeeze { permit .* } cmd = event { permit .* } cmd = more { permit .* } cmd = show { permit version } cmd = delete { permit .* } cmd = "delete /force" { permit .* } cmd = "enable" { permit .* } login = des nUKsTKiXQ7G16 } In the sample configuration, two groups are created: admin and service. The main difference in the policy applied by default. Permit means that the user will be allowed all the commands of his privilege level if the command is not explicitly prohibited, and deny, respectively, all commands are prohibited, unless otherwise specified. This allows very flexible configuration of permissions to use commands. In this example, there is a user auditor. Despite the fact that he has privilege level 15, he is prohibited from executing obviously destructive commands. For all attempts to enter them, he will receive, for example:
#delete flash:*.* Command authorization failed. Another application is the event_manager user. Ios has a built-in mechanism that allows you to perform certain actions, respond to changes, etc. These actions are performed on the assigned user name (in this example, the event_manager in the ios configuration (config) #event manager session cli username event_manager) and this virtual user has exactly the same rights to execute their commands. One of the options to control what is happening is to put this user into a group (service in this example) with a default ban and allow only certain commands.
accounting file = /var/log/tac_plus.acct – , : Mon Oct 04 15:37:57 2011 172.18.146.2 art0m tty1 172.16.247.25 stop task_id=823 start_time=1319450277 timezone=msk service=shell priv-lvl=15 cmd=traceroute mac 0050.dead.dead 0050.dead.dead key = VeryLongANDSecurityKey – , .
The tac_plus package also comes with a great tac_pwd utility that allows you to encrypt the password and use it in the config file in an encrypted form. That certainly does not give the right to publish "combat" configs in the internet, but at least makes it not human-readable.
But all this magic will begin to work only with the appropriate configuration of the client device.
Configuration example for cisco ios
! aaa aaa new-model ! tacacs ( 15 will be deprecated soon) ! tacacs-server host 172.16.247.200 key 0 VeryLongANDSecureKey tacacs-server host 172.18.146.43 key 0 VeryLongANDSecureKey tacacs-server timeout 2 tacacs-server directed-request ! 2 ( ), aaa group server tacacs+ tac-int server 172.16.247.200 server 172.18.146.43 ! authentication, authorization and accounting aaa authentication login admin group tac-int local aaa authorization exec admin group tac-int local aaa authorization commands 15 admin group tac-int local aaa accounting update newinfo aaa accounting commands 15 admin start-stop group tac-int Here, I believe, it is necessary to make an explanation of the syntax: 4 aaa lists with the same name admin were created (the names can be arbitrary, but because of belonging to the same uh ... process, I call them the same), authentication login tells our the device authenticate the user in the tac-int group, and if its servers are unavailable locally. The same construction is used for the other sheets, except for accounting.
! vty- . authentication, authorization and accounting tacacs- line vty 0 4 authorization commands 15 admin authorization exec admin accounting commands 15 admin login authentication admin If you have users with other privilege level, you will need to create the appropriate sheets and rules for them.
Total
In operation, this bunch has been working for quite a long time. From the point of view of the stability of the work, there were no complaints, the Security Council, I suppose, is generally quietly blissful with happiness.
tac_plus is raised on two servers located in different data centers, the only inconvenience is the need to synchronize the server configuration manually. By the way, what are the suggestions? Prerequisite: the configuration file should be stored locally on each of the servers, and only the changes should be synchronized.
Source: https://habr.com/ru/post/131113/
All Articles