TACACS+ authentication on a home Cisco router…

I know this is already pathological, but I set up TACACS+ authentication on my home router. It makes no sense at all, but it was fun to play with. A free TACACS+ server can be downloaded from here:

Home

The installation steps:

[screenshots tacacs1 to tacacs6 of the installer not reproduced]

Let's check whether it is listening on port 49 (the well-known TACACS+ port). It is, so far so good.

[screenshot tacacs7: listening socket on TCP port 49 not reproduced]

In authentication.xml, let's set up an example user, fecogee/cisco.

[screenshot tacacs8: the user entry in authentication.xml not reproduced]

The configuration on the router is relatively simple; we keep local authentication as a fallback in case something goes wrong with TACACS+:

[screenshot tacacs9: the router's AAA configuration not reproduced]
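The router configuration itself only survives as a screenshot, so here is an added example of an IOS AAA configuration of the kind described above (this is not the post's own config). It assumes the server address 192.168.1.2 and the server group name "tacacs+" that appear in the debug output; the shared key and the local password are placeholders, and the 5-second timeout is the IOS default that the debug's "Started 5 sec timeout" reflects. Older IOS releases spell the server definition as `tacacs-server host 192.168.1.2 key ...` instead of the `tacacs server` block shown here.

```cisco
! Added example, not the post's own configuration (that is in the screenshot).
! Assumes: TACACS+ server 192.168.1.2, default server group "tacacs+".
! PLACEHOLDER values must be replaced; the shared key is never shown in the post.
aaa new-model
!
tacacs server HOME-TACACS
 address ipv4 192.168.1.2
 key PLACEHOLDER-SHARED-KEY
 timeout 5
!
! Method lists: ask TACACS+ first, use the local user database only if the
! server does not answer. "local" is NOT tried when the server rejects the
! login, so a failed TACACS+ authentication still fails.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! The local fallback account that the "local" method falls back to.
username admin privilege 15 secret PLACEHOLDER-LOCAL-PASSWORD
```

The `exec` authorization line is what produces the `service=shell cmd*` authorization request seen later in the debug output and the "Client asked for AutoExec pairs" message in the server log.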

Test:

[screenshot tacacs10: the SSH login test not reproduced]

It works!

TACACS+ debugging was enabled on the router; let's see what it shows:

CISCO-1841#debug tacacs even
TACACS+ events debugging is on
CISCO-1841#debug tacacs
TACACS access control debugging is on
CISCO-1841#debug tacacs authen
TACACS+ authentication debugging is on
CISCO-1841#
Dec 1 22:09:56: %SEC-6-IPACCESSLOGP: list SSH permitted tcp 192.168.1.2(3172) -> 0.0.0.0(22), 1 packet
CISCO-1841#
Dec 1 22:09:58: TPLUS: Queuing AAA Authentication request 117 for processing
Dec 1 22:09:58: TPLUS: processing authentication start request id 117
Dec 1 22:09:58: TPLUS: Authentication start packet created for 117(fecogee)
Dec 1 22:09:58: TPLUS: Using server 192.168.1.2
Dec 1 22:09:58: TPLUS(00000075)/0/NB_WAIT/68B9DF64: Started 5 sec timeout
Dec 1 22:09:58: TPLUS(00000075)/0/NB_WAIT: socket event 2
Dec 1 22:09:58: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Dec 1 22:09:58: T+: session_id 3073676043 (0xB734930B), dlen 32 (0x20)
Dec 1 22:09:58: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
CISCO-1841#
Dec 1 22:09:58: T+: svc:LOGIN user_len:7 port_len:6 (0x6) raddr_len:11 (0xB) data_len:0
Dec 1 22:09:58: T+: user: fecogee
Dec 1 22:09:58: T+: port: tty195
Dec 1 22:09:58: T+: rem_addr: 192.168.1.2
Dec 1 22:09:58: T+: data:
Dec 1 22:09:58: T+: End Packet
Dec 1 22:09:58: TPLUS(00000075)/0/NB_WAIT: wrote entire 44 bytes request
Dec 1 22:09:58: TPLUS(00000075)/0/READ: socket event 1
Dec 1 22:09:58: TPLUS(00000075)/0/READ: Would block while reading
Dec 1 22:09:59: TPLUS(00000075)/0/READ: socket event 1
Dec 1 22:09:59: TPLUS(00000075)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Dec 1 22:09:59: TPLUS(00000075)/0/READ: socket event 1
CISCO-1841#
Dec 1 22:09:59: TPLUS(00000075)/0/READ: read entire 28 bytes response
Dec 1 22:09:59: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Dec 1 22:09:59: T+: session_id 3073676043 (0xB734930B), dlen 16 (0x10)
Dec 1 22:09:59: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
Dec 1 22:09:59: T+: msg: Password:
Dec 1 22:09:59: T+: data:
Dec 1 22:09:59: T+: End Packet
Dec 1 22:09:59: TPLUS(00000075)/0/68B9DF64: Processing the reply packet
Dec 1 22:09:59: TPLUS: Received authen response status GET_PASSWORD (8)
CISCO-1841#
Dec 1 22:10:01: TPLUS: Queuing AAA Authentication request 117 for processing
Dec 1 22:10:01: TPLUS: processing authentication continue request id 117
Dec 1 22:10:01: TPLUS: Authentication continue packet generated for 117
Dec 1 22:10:01: TPLUS(00000075)/0/WRITE/68B9DF64: Started 5 sec timeout
Dec 1 22:10:01: T+: Version 192 (0xC0), type 1, seq 3, encryption 1
Dec 1 22:10:01: T+: session_id 3073676043 (0xB734930B), dlen 10 (0xA)
Dec 1 22:10:01: T+: AUTHEN/CONT msg_len:5 (0x5), data_len:0 (0x0) flags:0x0
Dec 1 22:10:01: T+: User msg: <elided>
Dec 1 22:10:01: T+: User data:
Dec 1 22:10:01: T+: End Packet
CISCO-1841#
Dec 1 22:10:01: TPLUS(00000075)/0/WRITE: wrote entire 22 bytes request
Dec 1 22:10:02: TPLUS(00000075)/0/READ: socket event 1
Dec 1 22:10:02: TPLUS(00000075)/0/READ: read entire 12 header bytes (expect 6 bytes data)
Dec 1 22:10:02: TPLUS(00000075)/0/READ: socket event 1
Dec 1 22:10:02: TPLUS(00000075)/0/READ: read entire 18 bytes response
Dec 1 22:10:02: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
Dec 1 22:10:02: T+: session_id 3073676043 (0xB734930B), dlen 6 (0x6)
Dec 1 22:10:02: T+: AUTHEN/REPLY status:1 flags:0x0 msg_len:0, data_len:0
Dec 1 22:10:02: T+: msg:
Dec 1 22:10:02: T+: data:
Dec 1 22:10:02: T+: End Packet
Dec 1 22:10:02: TPLUS(00000075)/0/68B9DF64: Processing the reply packet
Dec 1 22:10:02: TPLUS: Received authen response status PASS (2)
Dec 1 22:10:02: TPLUS: Queuing AAA Authorization request 117 for processing
Dec 1 22:10:02: TPLUS: processing authorization request id 117
Dec 1 22:10:02: TPLUS: Protocol set to None …..Skipping
Dec 1 22:10:02: TPLUS: Sending AV service=shell
Dec 1 22:10:02: TPLUS: Sending AV cmd*
Dec 1 22:10:02: TPLUS: Authorization request created for 117(fecogee)
Dec 1 22:10:02: TPLUS: using previously set server 192.168.1.2 from group tacacs+
Dec 1 22:10:02: TPLUS(00000075)/0/NB_WAIT/68B9DF64: Started 5 sec timeout
Dec 1 22:10:02: TPLUS(00000075)/0/NB_WAIT: socket event 2
Dec 1 22:10:02: T+: Version 192 (0xC0), type 2, seq 1, encryption 1
Dec 1 22:10:02: T+: session_id 4073760745 (0xF2D0A7E9), dlen 51 (0x33)
Dec 1 22:10:02: T+: AUTHOR, priv_lvl:1, authen:1 method:tacacs+
Dec 1 22:10:02: T+: svc:1 user_len:7 port_len:6 rem_addr_len:11 arg_cnt:2
Dec 1 22:10:02: T+: user: fecogee
Dec 1 22:10:02: T+: port: tty195
Dec 1 22:10:02: T+: rem_addr: 192.168.1.2
Dec 1 22:10:02: T+: arg[0]: size:13 service=shell
Dec 1 22:10:02: T+: arg[1]: size:4 cmd*
Dec 1 22:10:02: T+: End Packet
Dec 1 22:10:02: TPLUS(00000075)/0/NB_WAIT: wrote entire 63 bytes request
CISCO-1841#
Dec 1 22:10:02: TPLUS(00000075)/0/READ: socket event 1
Dec 1 22:10:02: TPLUS(00000075)/0/READ: Would block while reading
Dec 1 22:10:02: TPLUS(00000075)/0/READ: socket event 1
Dec 1 22:10:02: TPLUS(00000075)/0/READ: read entire 12 header bytes (expect 6 bytes data)
Dec 1 22:10:02: TPLUS(00000075)/0/READ: socket event 1
Dec 1 22:10:02: TPLUS(00000075)/0/READ: read entire 18 bytes response
Dec 1 22:10:02: T+: Version 192 (0xC0), type 2, seq 2, encryption 1
Dec 1 22:10:02: T+: session_id 4073760745 (0xF2D0A7E9), dlen 6 (0x6)
Dec 1 22:10:02: T+: AUTHOR/REPLY status:1 msg_len:0, data_len:0 arg_cnt:0
Dec 1 22:10:02: T+: msg:
Dec 1 22:10:02: T+: data:
Dec 1 22:10:02: T+: End Packet
Dec 1 22:10:02: TPLUS(00000075)/0/68B9DF64: Processing the reply packet
Dec 1 22:10:02: TPLUS: received authorization response for 117: PASS
CISCO-1841#
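To make sense of the header and body fields the debug prints (Version 192 (0xC0), type 1, seq 1, encryption 1, session_id 0xB734930B, dlen 32, "wrote entire 44 bytes request"), here is an added Python example that serializes the same AUTHEN/START packet and parses it back, following the RFC 8907 framing. It is not code from the post or from the TACACS+ server used in it; the shared key is a constructed placeholder, while the user, port, remote address and session id are the values visible in the debug output. Note that "encryption 1" means the body is XORed with an MD5-derived keystream seeded by the shared key, which is obfuscation rather than authenticated encryption, so the strength of the shared key and keeping TCP/49 off untrusted networks are what actually protect the password in transit.

```python
"""Encode and decode a TACACS+ AUTHEN/START packet (RFC 8907 framing).

Added example, not code from the post or from the TACACS+ server it uses.
The shared key is a constructed placeholder; user, port, rem_addr and
session id are the values seen in the router's debug output.
"""
import hashlib
import struct

# Header values from the debug: "Version 192 (0xC0), type 1, seq 1, encryption 1"
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
VERSION = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT  # 0xC0 == 192
TAC_PLUS_AUTHEN = 0x01            # packet type 1
TAC_PLUS_AUTHOR = 0x02            # packet type 2
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # set only when the body is sent in the clear

# AUTHEN/START body constants for "action:LOGIN ascii", "svc:LOGIN"
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01

HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream that TACACS+ XORs over the body (RFC 8907 section 4.5).

    MD5_1 = MD5(session_id || key || version || seq_no)
    MD5_n = MD5(session_id || key || version || seq_no || MD5_n-1)
    """
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; calling it again reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, priv_lvl=1, data=b""):
    """Serialize an AUTHEN/START body: 8 fixed bytes plus the variable fields."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    fixed = bytes([TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                   TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                   len(user_b), len(port_b), len(rem_b), len(data)])
    return fixed + user_b + port_b + rem_b + data


def build_packet(body, session_id, key, seq_no, ptype=TAC_PLUS_AUTHEN):
    """Prepend the 12-byte header and obfuscate the body with the shared key."""
    header = HEADER.pack(VERSION, ptype, seq_no, 0x00, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def parse_header(packet):
    """Return the header fields of a raw packet as a dict."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:12])
    return {
        "version": version, "type": ptype, "seq_no": seq_no,
        "encrypted": not (flags & TAC_PLUS_UNENCRYPTED_FLAG),
        "session_id": session_id,
        # The server in the post logs the id as a signed 32-bit integer
        "session_id_signed": session_id - (1 << 32) if session_id & 0x80000000 else session_id,
        "length": length,
    }


def decode_body(packet, key):
    """Strip the header and reverse the obfuscation with the given key."""
    h = parse_header(packet)
    return obfuscate(packet[12:], h["session_id"], key, h["version"], h["seq_no"])


if __name__ == "__main__":
    SESSION_ID = 0xB734930B           # from the debug output
    KEY = b"constructed-shared-key"   # placeholder; the post never shows the key
    body = build_authen_start("fecogee", "tty195", "192.168.1.2")
    pkt = build_packet(body, SESSION_ID, KEY, seq_no=1)
    print(parse_header(pkt), "total bytes:", len(pkt))   # dlen 32, 44 bytes on the wire
    assert decode_body(pkt, KEY) == body
```

The body comes out at 32 bytes and the whole packet at 44, matching "dlen 32" and "wrote entire 44 bytes request" in the debug, and the signed rendering of 0xB734930B is the -1221291253 that the server log prints as SessionID; the same conversion maps the authorization session 0xF2D0A7E9 to -221206551. Decoding with any key other than the one used to encode yields garbage rather than an error, which is why a key mismatch shows up on the router as a failed or timed-out login rather than a clear diagnostic.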

And the TACACS+ server's log:

<87> 2012-12-01 22:10:03 [192.168.1.1:11667] Trying to authenticate user-fecogee
<87> 2012-12-01 22:10:03 [192.168.1.1:11667] Trying to authenticate user against group Network Engineering
<87> 2012-12-01 22:10:03 [192.168.1.1:11667] Local file Authentication result: user-fecogee specified in group Network Engineering=Passed
<87> 2012-12-01 22:10:03 [192.168.1.1:11667] Authentication for user fecogee passed against group Network Engineering – Passed
<87> 2012-12-01 22:10:03 [192.168.1.1:11667] Received 4 packets on connection
<87> 2012-12-01 22:10:03 [192.168.1.1:11667]
Sending:
MajorVersion=12
MinorVersion=0
Type=TAC_PLUS_AUTHEN
SeqNum=4
IsEncrypted=True
IsSingleConnect=False
SessionID=-1221291253
DataLength=6
Authentication AuthReply:
Status=TAC_PLUS_AUTHEN_STATUS_PASS
Flags=TAC_PLUS_REPLY_FLAG_NONE
UserMsg=
Data=
<87> 2012-12-01 22:10:03 [192.168.1.1:11667] Removing session -1221291253
<87> 2012-12-01 22:10:03 [192.168.1.1:11667] Device 192.168.1.1:12832 is allowed to connect based on settings for group INTERNAL
<94> 2012-12-01 22:10:03 [192.168.1.1:11667] New client connection opened for 192.168.1.1:12832 TID:6
<87> 2012-12-01 22:10:03 [192.168.1.1:11667] TOTAL connections: 2
<87> 2012-12-01 22:10:04 [192.168.1.1:12832] Received 1 packets on connection
<87> 2012-12-01 22:10:04 [192.168.1.1:12832]
Received:
MajorVersion=12
MinorVersion=0
Type=TAC_PLUS_AUTHOR
SeqNum=1
IsEncrypted=True
IsSingleConnect=False
SessionID=-221206551
DataLength=51
Authorization Method=AUTHEN_METH_TACACSPLUS
Priv lvl=1
Auth Type=TAC_PLUS_AUTHEN_TYPE_ASCII
Service=TAC_PLUS_AUTHEN_SVC_LOGIN
User=fecogee
Port=tty195
Rem Addr=192.168.1.2
Args: service=shell cmd*

<87> 2012-12-01 22:10:04 [192.168.1.1:12832] Authorization Entry #1 is being applied based on Client configuration
<87> 2012-12-01 22:10:04 [192.168.1.1:12832] Client asked for AutoExec pairs. Returning PassAdd
<87> 2012-12-01 22:10:04 [192.168.1.1:12832] Received 2 packets on connection
<87> 2012-12-01 22:10:04 [192.168.1.1:12832]
Sending:
MajorVersion=12
MinorVersion=0
Type=TAC_PLUS_AUTHOR
SeqNum=2
IsEncrypted=True
IsSingleConnect=False
SessionID=-221206551
DataLength=6
Authorization Status=TAC_PLUS_AUTHOR_STATUS_PASS_ADD
User=
Port=
Args: