Some GNS3 appliance images are not configured to use ttyS0 as the default output method; VNC and graphical consoles are the only access methods available. Even after the appliance has booted once in the GNS3 network topology, there is hardly a way to change the boot options of its underlying operating system. Nowadays, in the year 2023, the underlying OS is mostly Linux. Linux is cheap, available and has everything on board that is needed for advanced IP networking.
Now, using the Linux NBD (network block device) driver, it is possible to mount partitions and alter files without booting the underlying operating system.
This is how to re-configure an existing, shipped QEMU image and add the ttyS0 serial output as the default output method.
The example QEMU image used in this article is a Huawei USG6000V1 virtual firewall appliance. The name of its QEMU image is hda.qcow2.
Preparation tasks
Verify the file size and md5sum of the image before changing anything. This will become important later.
user@host ~ % ls -lah hda.qcow2
-rw-r--r-- 1 user user 670M Feb 29 2016 hda.qcow2
user@host /tmp % md5sum hda.qcow2
270540eef614462a79ce1257e2c28238 hda.qcow2
This article is about the TAC_PLUS-NG server software, a free server implementation of the TACACS+ protocol, available for Linux and BSD/UNIX operating systems. The author is Marc Huber.
The TAC_PLUS-NG server is run with a simple configuration (authentication only) and uses the cryptographic libraries available on the system:
- Blowfish
- SHA-512
- SHA-256
- MD5
- 3DES
No installation or configuration of additional cryptographic software, libraries or other software dependencies is needed. This is achieved using the configuration options available in TAC_PLUS-NG and the standard OS options.
There are two existing open-source TACACS+ protocol server implementations available:
- TAC_PLUS by Shrubbery Networks
- TAC_PLUS-NG by Pro-Bono-Publico Marc Huber
The Pro-Bono-Publico software offers two different TAC_PLUS daemon implementations out of the box. This is worth mentioning because it is easily overlooked when reading the documentation for the first time and leads to confusion while working on TACACS+, no matter which implementation is used.
According to the official documentation, TAC_PLUS-NG is the more advanced of the two implementations: more features and more recent code. The TAC_PLUS implementation has been deprecated in favour of TAC_PLUS-NG.
Do NOT use TAC_PLUS for new installations. TAC_PLUS has been deprecated.
Brief overview of the current state of the TACACS+ protocol and its last 25 years of history:
The TACACS+ protocol has never really been officially published and standardised, but it is the de facto standard for handling AAA requests from networking equipment. If you are interested in sound engineering, there is something very similar to the TACACS+ protocol: the Yamaha NS-10 speakers, a black box with a white membrane. The NS-10 is the de facto standard near-field monitor for professional audio editing and sound mixing, too.
RFC8907 states that the TACACS+ protocol has been widely deployed based mainly on a simple draft document. That draft, from 1997, is called THE_DRAFT. It has never been officially "released". In September 2020 the first real, informational RFC was published. This literally means that all implementations out there were written based on a draft-only document.
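As an added example (my own Python, not code from the article or from TAC_PLUS-NG), here is the body obfuscation that both THE_DRAFT and RFC8907 section 4.5 define, applied to a PAP authentication START packet as the netlabs below exchange it. The shared key and the cisco / auth-pap credentials come from the netlab tables in this post; the session id, port name and remote address are constructed values.

```python
import hashlib
import struct

# Header and body constants as defined in the TACACS+ draft / RFC 8907
TAC_PLUS_VERSION_PAP = (0xC << 4) | 0x1   # major 0xC, minor 1 (used for PAP/CHAP)
TAC_PLUS_AUTHEN = 0x01                     # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01           # body sent in clear when set
TAC_PLUS_AUTHEN_LOGIN = 0x01               # START action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER = "!BBBBII"                         # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); chained until long enough."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_pap_start(session_id, key, user, password, port=b"tty0", rem_addr=b"10.100.100.10"):
    """Authentication START (seq_no 1) carrying a PAP user/password pair."""
    seq_no = 1
    body = bytes([TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_PAP, TAC_PLUS_AUTHEN_SVC_LOGIN,
                  len(user), len(port), len(rem_addr), len(password)])
    body += user + port + rem_addr + password          # data field holds the PAP password
    header = struct.pack(HEADER, TAC_PLUS_VERSION_PAP, TAC_PLUS_AUTHEN, seq_no, 0,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION_PAP, seq_no)


def parse_start(packet, key):
    """Decode a START packet as the server side would, given its copy of the key."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(HEADER, packet[:12])
    body = packet[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    _action, _priv, atype, _svc, ulen, plen, rlen, dlen = body[:8]
    fields, off = [], 8
    for n in (ulen, plen, rlen, dlen):
        fields.append(body[off:off + n])
        off += n
    return {"authen_type": atype, "user": fields[0], "port": fields[1],
            "rem_addr": fields[2], "data": fields[3]}
```

Parsing the same packet with a different key yields garbage, and that keyed MD5 XOR stream is the whole of the protection the scheme offers, which is why RFC8907 calls it obfuscation rather than encryption.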
Configuring TACACS+ PAP/CHAP authentication for the Aruba AOS-CX platform.
Documentation about this topic is hard to find: much of it is from HP(E), some covers ArubaOS, and then AOS-CX versions of the configuration are described. Aruba has its own TACACS+ server product, called ClearPass, which probably uses RADIUS and TACACS+. It is not easy to find working configuration examples for Aruba devices together with TAC_PLUS-NG example setups that actually work.
AOS-CX uses the PPP PAP/CHAP authentication method. Aruba community users report issues with TACACS-GUI. TACACS-GUI uses the TAC_PLUS implementation from Pro-Bono-Publico. A follow-up user reports a similar issue using Aruba's ClearPass.
TL;DR;
ARUBA CX Simulator Tacacs Integration doesn't Work ... From the TACACS GUI LOG, PAP Authentication has been successful but access to the switch is still denied, as follows: ... Did I miss something? Thank you very much for the help.
Sincerely, Gibs
This thread question is still open.
This is about authentication only. The authorisation and accounting parts are easy to set up once authentication works. Read the official documentation of the software used.
Router
AOS-CX version used in this netlab:
ArubaOS-CX
(c) Copyright Hewlett Packard Enterprise Development LP
------------------------------------------------------------------
Version : Virtual.10.07.0004
Build ID : ArubaOS-CX:Virtual.10.07.0004
Build SHA : 6d2cadb8b3acdc132b345544abfa023a9989d39e
Active Image : _
Service OS Version :
BIOS Version :
TACACS+ configuration using Huawei's (VRP) OS. This is about configuring authentication using the TACACS+ protocol. Authorization and Accounting are easy to set up once Authentication is working, but are not part of this netlab.
This is a configuration from scratch: first-time VRP usage, with no prior experience. TACACS+ VRP authentication.
IP addressing
The IP addressing used in this netlab. 3 appliances:
Node | Function | IP address |
---|---|---|
R102 | VRP router | 10.100.100.102/24 |
AAA-49 | TACACS+ server | 192.0.2.1 |
node-10 | TACACS+ client | 10.100.100.10 |
Testing authentication is done from node-10 to the router R102 using the telnet protocol.
TACACS+
This netlab uses the TAC_PLUS-NG server project from Event-driven servers.
Version of TACACS+NG used in this netlab:
TACACS+ server IP settings:
Setting | Value |
---|---|
IP | 192.0.2.1 |
TCP port | 4949 |
TACACS+ key | 123-my_tacacs_key |
Preconfigured tac_plus-ng.cfg settings for user authentication:
Method | Option | User | Password |
---|---|---|---|
ASCII | login | cisco | cisco |
PAP | pap | cisco | auth-pap |
CHAP | chap | cisco | auth-chap |
The basic TACACS+NG configuration used in this netlab has been explained in previous netlabs; read:
TACACS+ configuration using freeRtr. This is about configuring authentication using the TACACS+ protocol. Authorization and Accounting are easy to set up once Authentication is working, but are not part of this netlab.
This is a configuration from scratch: first-time freeRtr usage, with no prior experience. TACACS+ freeRtr authentication.
The official freeRtr appliance is available here, or can simply be installed via the GNS3 marketplace or the GNS3 GUI's import appliance function.
IP addressing
The IP addressing used in this netlab. 3 appliances:
Node | Function | IP address |
---|---|---|
R104 | freeRtr router | 10.100.100.104/24 |
AAA-49 | TACACS+ daemon | 192.0.2.1 |
node-10 | TACACS+ client | 10.100.100.10 |
Connections in the netlab are made from node-10 to R104 using a telnet client.
TACACS+
This netlab uses the TAC_PLUS-NG server project from Event-driven servers.
Version of TACACS+NG:
TACACS+ daemon IP settings; this time the TACACS+ daemon runs on the standard port 49. The reason is simple: the tac_plus client implemented in freeRtr has no configuration option for the AAA daemon TCP port, so to test authentication the daemon runs on the standard TCP port 49.
Setting | Value |
---|---|
IP | 192.0.2.1 |
TCP port | 49 |
TACACS+ key | 123-my_tacacs_key |
Preconfigured tac_plus-ng.cfg settings for user authentication:
Method | Option | User | Password |
---|---|---|---|
ASCII | login | cisco | cisco |
PAP | pap | cisco | auth-pap |
CHAP | chap | cisco | auth-chap |
The basic TACACS+NG configuration used in this example has been explained in previous netlabs. For more details about the configuration, read the following articles: