Nokia SROS supports the use of AAA for a range of tasks. Some of the more interesting and complicated ones relate to subscriber management when the Service Router is acting as a Broadband Network Gateway (BNG); however, AAA is also useful for network operations teams to provide centralised authentication for a fleet of routers, where managing individual local accounts is not really something to contemplate.
SROS supports either RADIUS or TACACS+ for this management access control. Today TACACS+ will be the method used, with a Linux daemon based on code from http://www.shrubbery.net/tac_plus/ configured to support a Nokia Service Router (although this configuration would be quite Cisco IOS friendly). The SROS router will use TACACS+ for authentication and for identifying what access rights the user has, by mapping to profiles.
As you can see above, R1 (an instantiated service router in eve-ng) has port 1/1/3 bridged to the internal Ethernet of the computer running eve-ng, so both the router interface and the internal Ethernet are on the same IP subnet, allowing connectivity to the TACACS+ server that will be run on the laptop.
To install the TACACS+ software: as eve-ng is built on Ubuntu 16.04, installation is as simple as invoking:
root@m4600:~# apt-get install tacacs+
The config was then modified to look like below:
root@m4600:~# cat /etc/tacacs+/tac_plus.conf
# shared secret with TACACS client
key = "tac_secret"

# Set where to send accounting records
accounting syslog;
accounting file = /var/log/tac_plus/tac_plus.acct

acl = mgmt_acl {
    # regex to allow access hosts from 192.168.1.0/24
    permit = 192\.168\.1\.([1-9]|[1-9]\d|1\d{2}|2[0-4]\d|25[0-4])
}

# administrative group, priv-lvl 15 to be mapped to SROS administrative profile
group = administrative {
    default service = permit
    expires = "Jan 1 2030"
    acl = mgmt_acl
    service = exec {
        priv-lvl = 15
    }
}

# limited group, priv-lvl 1 to be mapped to SROS limited profile
group = limited {
    default service = permit
    expires = "Jan 1 2030"
    acl = mgmt_acl
    service = exec {
        priv-lvl = 1
    }
}

# our tacacs test accounts
# des password is generated by running tac_pwd on the plaintext
user = testadmin {
    member = administrative
    login = des JZ1fHFoSp.v/E
    # plaintext password = pass
}

user = testlimited {
    member = limited
    login = des O8ZepJOyIIuYo
    # plaintext password = test
}
Besides the key, which is the shared secret between the TACACS+ server and the router, the important thing here is that there are two groups defined, administrative and limited, where the only difference is the priv-lvl. On Cisco platforms this is the attribute TACACS+ returns during the authorisation stage to tell IOS what access rights a user has. SROS is able to map this to a “profile”.
Out of the box, SROS has two built-in profiles: administrative (used for most installation and commissioning activities) and default, which is somewhat less capable. It is also possible to define specific profiles in line with the roles of your users. In the config above there is a group called limited which will be identified by priv-lvl 1.
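Before trusting the mgmt_acl above, it is worth checking what its regex actually accepts. The following is an added example (not part of tac_plus or the original post) that evaluates the pattern from tac_plus.conf against a few constructed client addresses; it assumes tac_plus applies the permit pattern as an unanchored regex search over the client IP string, so it also shows the anchored form for comparison.

```python
import re

# The permit pattern exactly as written in the mgmt_acl above. It is meant to
# accept 192.168.1.1 to 192.168.1.254 while excluding .0 and .255.
# Assumption: tac_plus evaluates it as an unanchored regex search, so a
# partial match at the start of the final octet is enough to permit.
MGMT_ACL_REGEX = r"192\.168\.1\.([1-9]|[1-9]\d|1\d{2}|2[0-4]\d|25[0-4])"


def acl_permits(pattern, ip, anchored=False):
    """Return True if the client IP would be permitted by the pattern.
    anchored=True wraps the pattern in ^...$ so the whole string must match."""
    if anchored:
        pattern = "^(?:" + pattern + ")$"
    return re.search(pattern, ip) is not None


def audit_acl(pattern, ips):
    """Evaluate each address against the pattern as written and against its
    anchored form, returning {ip: (as_written, anchored)} so any difference
    between the two stands out."""
    return {ip: (acl_permits(pattern, ip), acl_permits(pattern, ip, True))
            for ip in ips}


# Constructed sample clients: R1, the laptop, the network and broadcast
# addresses the regex intends to exclude, and an off-subnet host.
SAMPLE_CLIENTS = ["192.168.1.123", "192.168.1.47", "192.168.1.0",
                  "192.168.1.255", "192.168.2.5"]

if __name__ == "__main__":
    for ip, (as_written, anchored) in audit_acl(MGMT_ACL_REGEX, SAMPLE_CLIENTS).items():
        flag = "" if as_written == anchored else "  <-- differs when anchored"
        print(f"{ip:16} as written: {as_written!s:5} anchored: {anchored!s:5}{flag}")
```

Without anchoring, 192.168.1.255 is permitted because the leading "2" satisfies the [1-9] alternative; adding ^ and $ to the permit line in tac_plus.conf makes the ACL behave as the comment describes.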
On R1 we can define a custom profile in the system security configuration context:
A:R1# /configure system security profile "limited"
A:R1>config>system>security>profile# info
----------------------------------------------
            default-action deny-all
            entry 10
                match "show router route-table"
                action permit
            exit
            entry 20
                match "show users"
                action permit
            exit
            entry 30
                match "show system security user"
                action permit
            exit
            entry 40
                match "logout"
                action permit
            exit
This example is certainly quite limited in what can be done because of default-action deny-all, which requires each permitted command to be explicitly whitelisted.
To enable TACACS+ support on the router, we first need to configure the TACACS+ server using the agreed shared secret. Configuring the timeout is optional, but it specifies how many seconds we wait for a response; if the server is down, this is effectively how long you will wait before falling back to local authentication.
A:R1>config>system>security>profile# /configure system security tacplus
*A:R1>config>system>security>tacplus$ server 1 address 192.168.1.47 secret "tac_secret"
*A:R1>config>system>security>tacplus$ timeout
Now to create the priv-lvl mapping to profiles:
*A:R1>config>system>security>tacplus$ priv-lvl-map
*A:R1>config>system>security>tacplus>priv$ priv-lvl 1 "limited"
*A:R1>config>system>security>tacplus>priv$ priv-lvl 15 "administrative"
We also need to enable authorization to be associated with these mappings:
*A:R1>config>system>security>tacplus>priv$ back
*A:R1>config>system>security>tacplus$ authorization use-priv-lvl
Now to actually enable TACACS+ authentication: within the password context we specify the authentication order, listing the methods we prefer.
*A:R1>config>system>security>tacplus$ /configure system security password
*A:R1>config>system>security>password# authentication-order tacplus local exit-on-reject
If TACACS+ is unavailable, we fall back to local authentication accounts. If we hadn’t included “exit-on-reject”, a failed authentication attempt against TACACS+ (a reject) would also move on to the next authentication mechanism (local).
SROS performs an AAA server health check by sending dummy authentication requests to the server and determines whether the server is alive based on whether it obtains a response. This can result in the authentication logs filling up with failed access attempts; it can be disabled if desired:
*A:R1>config>system>security>password# no health-check
For this testing, I’ll be using telnet, so I need to enable the telnet-server (outside of a lab, I would not suggest this at all!)
*A:R1>config>system>security>password# back
*A:R1>config>system>security# telnet-server
So to recap the router configuration:
*A:R1>config>system>security# info
----------------------------------------------
        telnet-server
        profile "limited"
            default-action deny-all
            entry 10
                match "show router route-table"
                action permit
            exit
            entry 20
                match "show users"
                action permit
            exit
            entry 30
                match "show system security user"
                action permit
            exit
            entry 40
                match "logout"
                action permit
            exit
        exit
        password
            authentication-order tacplus local exit-on-reject
            no health-check
        exit
        tacplus
            authorization use-priv-lvl
            priv-lvl-map
                priv-lvl 1 "limited"
                priv-lvl 15 "administrative"
            exit
            timeout 5
            server 1 address 192.168.1.47 secret "1mSYRiobfhHAdFA9cZH3wBviQtXKFDld" hash2
        exit
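To make the behaviour of the recap configuration concrete, here is an added example (my own model, not Nokia code) of how the pieces fit together: the authentication-order walk with exit-on-reject, the priv-lvl-map lookup, and a command check against the "limited" profile. It assumes SROS checks profile entries in ascending order, compares each match string with the start of the command, applies the first match and otherwise the default-action; the per-method outcomes fed to authenticate() are constructed.

```python
# Profile entries as configured on R1 above: (entry, match string, action).
PROFILES = {
    "limited": {
        "default-action": "deny-all",
        "entries": [
            (10, "show router route-table", "permit"),
            (20, "show users", "permit"),
            (30, "show system security user", "permit"),
            (40, "logout", "permit"),
        ],
    },
    # Assumption: the built-in administrative profile permits everything.
    "administrative": {"default-action": "permit-all", "entries": []},
}

# priv-lvl-map from the tacplus context on R1.
PRIV_LVL_MAP = {1: "limited", 15: "administrative"}

def authenticate(results, order=("tacplus", "local"), exit_on_reject=True):
    """Walk authentication-order. results maps method -> 'accept', 'reject'
    or 'unavailable' (constructed outcomes for one login attempt).
    Returns (outcome, method that decided it)."""
    for method in order:
        outcome = results.get(method, "unavailable")
        if outcome == "accept":
            return "accept", method
        if outcome == "reject" and exit_on_reject:
            return "reject", method  # stop here: do not fall through to local
        # unavailable (timeout), or reject without exit-on-reject: try next
    return "reject", None


def profile_for_priv_lvl(priv_lvl):
    """Map the priv-lvl returned in TACACS+ authorization to a profile name.
    Assumption: an unmapped priv-lvl yields no profile."""
    return PRIV_LVL_MAP.get(priv_lvl)


def command_allowed(profile_name, command):
    """Assumption: entries are checked in ascending order, each match string is
    compared with the start of the command, the first match wins and the
    default-action applies when nothing matches."""
    profile = PROFILES.get(profile_name)
    if profile is None:
        return False
    for _, match, action in sorted(profile["entries"]):
        if command.startswith(match):
            return action == "permit"
    return profile["default-action"] == "permit-all"
```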
Time to test whether this works. Start the tacacs service on m4600 (m4600 has the IP 192.168.1.47, which is what R1 will be communicating with):
root@m4600:~# tac_plus -d 16 -L -C /etc/tacacs+/tac_plus.conf
And start viewing syslog:
root@m4600:~# tail -f /var/log/syslog
May 14 14:39:14 m4600 tac_plus[28164]: Reading config
May 14 14:39:14 m4600 tac_plus[28164]: Version F4.0.4.27a Initialized 1
May 14 14:39:14 m4600 tac_plus[28164]: tac_plus server F4.0.4.27a starting
May 14 14:39:14 m4600 tac_plus[28165]: Backgrounded
May 14 14:39:14 m4600 tac_plus[28166]: socket FD 0 AF 2
May 14 14:39:14 m4600 tac_plus[28166]: socket FD 2 AF 10
May 14 14:39:14 m4600 tac_plus[28166]: uid=0 euid=0 gid=0 egid=0 s=-1637085952
Open up another session on m4600 and telnet to 192.168.1.123 using the credentials testadmin/pass. The TACACS+ server logs:
May 14 14:39:23 m4600 tac_plus[28201]: connect from 192.168.1.123 [192.168.1.123]
May 14 14:39:23 m4600 tac_plus[28201]: cfg_acl_check(mgmt_acl, 192.168.1.123)
May 14 14:39:23 m4600 tac_plus[28201]: ip 192.168.1.123 matched permit regex 192\.168\.1\.([1-9]|[1-9]\d|1\d{2}|2[0-4]\d|25[0-4]) of acl filter mgmt_acl
May 14 14:39:23 m4600 tac_plus[28201]: host ACLs for user 'testadmin' permit
May 14 14:39:23 m4600 tac_plus[28201]: login query for 'testadmin' port console from 192.168.1.123 accepted
May 14 14:39:23 m4600 tac_plus[28202]: connect from 192.168.1.123 [192.168.1.123]
May 14 14:39:23 m4600 tac_plus[28202]: cfg_acl_check(mgmt_acl, 192.168.1.123)
May 14 14:39:23 m4600 tac_plus[28202]: ip 192.168.1.123 matched permit regex 192\.168\.1\.([1-9]|[1-9]\d|1\d{2}|2[0-4]\d|25[0-4]) of acl filter mgmt_acl
May 14 14:39:23 m4600 tac_plus[28202]: host ACLs for user 'testadmin' permit
May 14 14:39:23 m4600 tac_plus[28202]: authorization query for 'testadmin' console from 192.168.1.123 accepted
Let’s go back to the telnet session and check who we are and our access rights:
*A:R1# show users
===============================================================================
User                             Type     Login time           Idle time   From
===============================================================================
Console                          --                            0d 00:00:21 --
testadmin                        Telnet   14MAY2017 04:41:41   0d 00:00:00 192.168.1.47
-------------------------------------------------------------------------------
Number of users : 1
===============================================================================
*A:R1>config>system>security# show system security user testadmin detail
===============================================================================
Users
===============================================================================
User ID     New User Permissions                Password Login    Failed Local
            Pwd console ftp li snmp netconf    Expires  Attempts Logins Conf
-------------------------------------------------------------------------------
testadmin   n   y       n   n  n    n          never    1        0      n
-------------------------------------------------------------------------------
Number of users : 1
===============================================================================

===============================================================================
Temporary User Configuration Detail
===============================================================================
===============================================================================
user id             : testadmin
-------------------------------------------------------------------------------
console parameters
-------------------------------------------------------------------------------
new pw required     : n/a
cannot change pw    : n/a
home directory      :
restricted to home  : no
login exec file     :
profile             : administrative
locked-out          : no
===============================================================================
We can see that the testadmin user is associated with profile administrative, so that’s good. Let’s log out and log back in to R1 using the credentials testlimited/test:
May 14 14:43:37 m4600 tac_plus[29058]: connect from 192.168.1.123 [192.168.1.123]
May 14 14:43:37 m4600 tac_plus[29058]: cfg_acl_check(mgmt_acl, 192.168.1.123)
May 14 14:43:37 m4600 tac_plus[29058]: ip 192.168.1.123 matched permit regex 192\.168\.1\.([1-9]|[1-9]\d|1\d{2}|2[0-4]\d|25[0-4]) of acl filter mgmt_acl
May 14 14:43:37 m4600 tac_plus[29058]: host ACLs for user 'testlimited' permit
May 14 14:43:37 m4600 tac_plus[29058]: login query for 'testlimited' port telnet from 192.168.1.123 accepted
May 14 14:43:37 m4600 tac_plus[29059]: connect from 192.168.1.123 [192.168.1.123]
May 14 14:43:37 m4600 tac_plus[29059]: cfg_acl_check(mgmt_acl, 192.168.1.123)
May 14 14:43:37 m4600 tac_plus[29059]: ip 192.168.1.123 matched permit regex 192\.168\.1\.([1-9]|[1-9]\d|1\d{2}|2[0-4]\d|25[0-4]) of acl filter mgmt_acl
May 14 14:43:37 m4600 tac_plus[29059]: host ACLs for user 'testlimited' permit
May 14 14:43:37 m4600 tac_plus[29059]: authorization query for 'testlimited' telnet from 192.168.1.123 accepted
Looks promising from the TACACS+ server; let’s go back to the telnet session and check who we are and our access rights:
*A:R1# show users
===============================================================================
User                             Type     Login time           Idle time   From
===============================================================================
Console                          --                            0d 00:04:55 --
testlimited                      Telnet   14MAY2017 04:43:36   0d 00:00:00 192.168.1.47
-------------------------------------------------------------------------------
Number of users : 1
===============================================================================
*A:R1# show router route-table
===============================================================================
Route Table (Router: Base)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric
-------------------------------------------------------------------------------
192.168.1.0/24                                Local   Local     01h07m25s  0
       TACACS                                                       0
-------------------------------------------------------------------------------
No. of Routes: 1
Flags: n = Number of times nexthop is repeated
       B = BGP backup route available
       L = LFA nexthop available
       S = Sticky ECMP requested
===============================================================================
*A:R1# admin display-config
MINOR: CLI Command not allowed for this user.
Not being able to display the configuration certainly suggests that this is a limited user.
*A:R1# show system security user testlimited detail
===============================================================================
Users
===============================================================================
User ID     New User Permissions                Password Login    Failed Local
            Pwd console ftp li snmp netconf    Expires  Attempts Logins Conf
-------------------------------------------------------------------------------
testlimited n   y       n   n  n    n          never    1        0      n
-------------------------------------------------------------------------------
Number of users : 1
===============================================================================

===============================================================================
Temporary User Configuration Detail
===============================================================================
===============================================================================
user id             : testlimited
-------------------------------------------------------------------------------
console parameters
-------------------------------------------------------------------------------
new pw required     : n/a
cannot change pw    : n/a
home directory      :
restricted to home  : no
login exec file     :
profile             : limited
locked-out          : no
===============================================================================
Okay, so we’re correctly associated with the limited profile.
Role-based access control is a good idea for managing your network, and being able to leverage your existing AAA infrastructure makes operating a heterogeneous network that little bit easier.