TACACS+ configuration using ExtremeXOS (EXOS). This is about configuring authentication using the TACACS+ protocol. Authorization and Accounting are easy to set up once Authentication is working, but are not part of this netlab.
This is a configuration from scratch: first-time EXOS usage, with no prior experience at all. TACACS+ authentication on EXOS.
The official EXOS appliance is available here, or can simply be installed using the GNS3 marketplace or the GNS3 GUI import appliance function.
IP addressing
The IP addressing used in this netlab. 3 appliances:
Node | Function | IP address |
---|---|---|
R103 | EXOS router | 10.100.100.103/24 |
AAA-49 | TACACS+ server | 192.0.2.1 |
node-10 | TACACS+ client | 10.100.100.10 |
Connections in the netlab are made from `node-10` to `R103` using the telnet and SSH protocols.
TACACS+
This netlab is using the TAC_PLUS-NG server project from Event-driven servers.
Version of TACACS+NG:
TACACS server IP settings:
Setting | Value |
---|---|
IP | 192.0.2.1 |
TCP port | 4949 |
TACACS+ key | 123-my_tacacs_key |
Preconfigured `tac_plus-ng.cfg` settings for user authentication:
Method | Option | User | Password |
---|---|---|---|
ASCII | login | cisco | cisco |
PAP | pap | cisco | auth-pap |
CHAP | chap | cisco | auth-chap |
There is no option to use PAP authentication in EXOS in TACACS+. PAP authentication works using RADIUS only. CHAP authentication for RADIUS is not implemented yet in EXOS.
The basic TACACS+NG configuration used in this netlab has been set up in TACACS+NG configuration. The preconfigured `tac_plus-ng.cfg` file, ready to use:
```
#!/usr/sbin/tac_plus-ng
id = spawnd {
    listen = { address = 0.0.0.0 port = 4949 }
}
id = tac_plus-ng {
    host IPv4only {
        address = 0.0.0.0/0
        welcome banner = "\n Welcome to TACACS+NG\n\n"
        key = 123-my_tacacs_key
    }
    profile netadmin {
        script {
            if (service == shell) {
                if (cmd == "") {
                    set priv-lvl = 15
                    permit
                }
            }
        }
    }
    group admin
    user cisco {
        password {
            login = crypt $2a$10$34.ioPXaLJDD.PdEk.4Mle3g0cQw8e16thH1g0nQEC1.jW.sEHi1S
            pap = crypt $2y$10$NtwT2Cp/fjezs109gGsVdeyU4Am4q2j1IJ219/mMy.k29xNd9XXU2
            chap = clear auth-chap
        }
        member = admin
    }
    ruleset {
        rule {
            script {
                if (member == admin) { profile = netadmin permit }
            }
        }
    }
}
```
EXOS configuration
- Download Virtual-EXOS from the official Extreme Networks GitHub repository, and install and configure the `.gns3a` appliance manually or using the GNS3 client.
local account
Set the local admin password to ExtremeXOS:

```
configure account admin
```
Configure the banner to display the local EXOS password. Since we are all forgetful, and this is only a netlab, set this command so the local credentials are not forgotten:

```
configure banner
user: admin
pass: ExtremeXOS
[ENTER]
```
IP addressing
- Hostname R103
- Address 10.100.100.102/24
- Gateway 10.100.100.1
Configuration lines for the EXOS router:

```
configure snmp sysname R103
configure vlan default ipaddress 10.100.100.103/24
configure iproute add default 10.100.100.1
configure timezone name CEST 60 autodst name CEST begins every last sunday march at 2 0 ends every last sunday october at 3 0
```
These EXOS configuration commands are optional; the resulting CLI output is more fluent and usable for automation. Disable paging and CLI refresh:

```
disable cli paging
disable cli refresh
```

The equivalent Cisco IOS command to disable paging, for the current running session, is `terminal length 0`.
Verify configuration
Show the IP configuration of the router using `show ipconfig default`. Default refers to the Default routing table:

```
Router Interface on Default is enabled and up.
        inet 10.100.100.103/24    broadcast 10.100.100.255    Mtu 1500
Flags:
        BOOTP Host          NO    DirBcstHwFwd     NO    Fwd Bcast        NO
        IgnoreBcast         YES   IP Fwding        NO    IPmc Fwd         NO
        Multinetted VLAN    NO    IRDP Advert      NO    Send Redir       YES
        VRRP                NO    TCP Adjust MSS   OFF
```
Show the IP routing table of the router using the `show iproute` command:

```
Ori  Destination        Gateway         Mtr  Flags          VLAN      Duration
s    Default Route      10.100.100.1    1    UG---S-um--f-  Default   0d:0h:18m:54s
d    10.100.100.0/24    10.100.100.103  1    U------um--f-  Default   0d:0h:31m:38s
```
Verify IP connectivity with the TACACS+ server, from the router:

```
! output omitted for brevity
--- 192.0.2.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% loss
round-trip min/avg/max = 1/1/1 ms
```
Everything is set up and verified.
EXOS TACACS+ configuration
This results in the following configuration for the EXOS router:

```
configure tacacs primary server 192.0.2.1 4949 client-ip 10.100.100.103 vr VR-Default
configure tacacs primary shared-secret 123-my_tacacs_key
configure tacacs fallback local
enable tacacs
```
The user `admin` is the local fallback account in case TACACS+ authentication with the AAA server fails: the router then falls back to the locally configured users.
Show the AAA configuration. This show command works almost the same as on Cisco IOS:

```
!
! Module aaa configuration.
!
configure tacacs primary server 192.0.2.1 4949 client-ip 10.100.100.103 vr VR-Default
configure tacacs primary shared-secret 123-my_tacacs_key
enable tacacs
configure account admin encrypted $5$9eQqng$FPdRZf1D8Z9kgefUSs5F7DRxjPcIF5sSfGryMtUJuu4
```
Verify
Using the TACACS+ client, telnet to the router, and authenticate using the previously configured credentials:
After successful authentication, verify the TACACS+ statistics using the `show tacacs` command:

```
TACACS+ Configuration
    Admin Status              : enabled
    Authorization             : disabled
    Authorization priv-lvl    : optional
    Fallback Authentication   : local
    Accounting                : disabled
    Server Connect Timeout    : 3 sec
    Primary Server :
        Server name   :
        IP address    : 192.0.2.1
        Server IP Port: 4949
        Client address: 10.100.100.103 (VR-Default)
        Shared secret : #$dGY5a8TCpwSvG0rAhyYsUF+1HaDQPev6lSTrN7OF7MzxZxYOz3A=
        Authentication:
            Requests  : 1
            Responses : 1
            Password  : 1
            Passed    : 1
            Failed    : 0
        Authorization:
            Requests  : 1
            Responses : 1
            Passed    : 1
            Failed    : 0
    Secondary Server : none
    Acct Server Connect Timeout : 3 sec
    Primary Accounting Server   : none
    Secondary Accounting Server : none
```
TACACS+NG debug
Authentication debug output from the AAA server while the user authenticates on the NAS. EXOS uses the ASCII method:

```
6772: 01:45:38.219 0/00000000: - Version e4cb4a9e95338f44ade6fb36569890bd80df6295 initialized
6771: 01:45:59.899 0/f08b1244: 10.100.100.103 authen: hdr->seq_no: 1
6771: 01:45:59.899 0/f08b1244: 10.100.100.103 looking for user cisco realm default
6771: 01:45:59.899 0/f08b1244: 10.100.100.103 user lookup succeded
6771: 01:45:59.900 0/f08b1244: 10.100.100.103 authen: hdr->seq_no: 3
6771: 01:45:59.900 0/f08b1244: 10.100.100.103 looking for user cisco realm default
6771: 01:45:59.900 0/f08b1244: 10.100.100.103 user lookup succeded
6771: 01:45:59.900 0/f08b1244: 10.100.100.103 shell login for 'cisco' from 10.100.100.10 on telnet25 succeeded (profile=netadmin)
```
The ASCII method is the default method for cisco routers.
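As an added example (my own code, not part of the original post or of the TAC_PLUS-NG project), the following Python builds and decodes the seq_no 1 authentication START packet seen in the debug output above, using the netlab's shared secret and the RFC 8907 body obfuscation; the session id, port and client address are taken from the debug lines. Decoding the same packet with a different key yields an inconsistent body, which is exactly how a NAS/server shared-secret mismatch shows up on the wire.

```python
import hashlib
import struct

# Values from this netlab: the tac_plus-ng shared secret and TACACS+ version 0xc0 (major 0xc, minor 0)
KEY = b"123-my_tacacs_key"
VERSION = 0xC0
TYPE_AUTHEN = 0x01
# Authentication START body fields for an ASCII login (RFC 8907 section 5.1)
ACTION_LOGIN, AUTHEN_TYPE_ASCII, SERVICE_LOGIN = 0x01, 0x01, 0x01

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 pad: chained MD5 over session_id, key, version and seq_no."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def xor_body(body, session_id, key, version, seq_no):
    """Obfuscating and de-obfuscating a body are the same XOR with the pad."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_start(session_id, user, port, rem_addr, key=KEY, priv_lvl=1):
    """Encode the seq_no 1 authentication START packet a NAS sends for an ASCII login."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!8B", ACTION_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII, SERVICE_LOGIN,
                       len(user_b), len(port_b), len(rem_b), 0) + user_b + port_b + rem_b
    seq_no, flags = 1, 0  # flags 0: body obfuscated with the shared key (no UNENCRYPTED flag)
    header = struct.pack("!BBBBII", VERSION, TYPE_AUTHEN, seq_no, flags, session_id, len(body))
    return header + xor_body(body, session_id, key, VERSION, seq_no)

def parse_authen_start(packet, key=KEY):
    """Decode a START packet the way the server does. Returns None when the decoded body is
    inconsistent, which is what a shared-secret mismatch between NAS and server looks like."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TYPE_AUTHEN or len(packet) != 12 + length:
        return None
    body = xor_body(packet[12:], session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if 8 + ul + pl + rl + dl != length:
        return None  # field lengths do not add up: garbage body, almost always a wrong key
    user, port = body[8:8 + ul], body[8 + ul:8 + ul + pl]
    rem_addr = body[8 + ul + pl:8 + ul + pl + rl]
    return {"session_id": session_id, "seq_no": seq_no, "action": action, "priv_lvl": priv_lvl,
            "authen_type": authen_type, "service": service, "user": user.decode(),
            "port": port.decode(), "rem_addr": rem_addr.decode()}
```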
That is all, folks! Now you can configure authorisation and accounting to have all the A's configured and working.
Authentication succeeds and is easy to set up. During testing with this particular EXOS version, the following issues were spotted:
EXOS bug 1
After successful authentication, notice the CLI greeting you:
```
ExtremeXOS
!
! Output omitted for brevity
!
There have been 0 successful logins since last reboot and 0 failed logins since last successful login
No prior logins by this user since last reboot
```
Compare the authentication greeting, especially the `successful` count, with the output of `show tacacs`, here the `Passed` and `Failed` counters:

```
!
! Output omitted for brevity
!
Authentication:
    Requests  : 11
    Responses : 11
    Password  : 11
    Passed    : 9
    Failed    : 2
```
This issue is annoying and dangerous. If this happens using real gear, then you should contact your networking vendor and open a bug report.
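A small consistency check, added here as my own example rather than anything from the post, that parses the login greeting and the `show tacacs` counters shown above and flags when the greeting reports fewer successful logins than the TACACS+ server has passed. It assumes both counters start at zero after a reboot; the sample texts are constructed from the outputs above, not captured live.

```python
import re

# Constructed sample inputs, copied from the outputs shown above (not captured live)
GREETING = """ExtremeXOS
There have been 0 successful logins since last reboot and 0 failed logins since last successful login
No prior logins by this user since last reboot
"""
SHOW_TACACS = """TACACS+ Configuration
    Authentication:
        Requests  : 11
        Responses : 11
        Password  : 11
        Passed    : 9
        Failed    : 2
    Authorization:
        Requests  : 1
        Responses : 1
        Passed    : 1
        Failed    : 0
"""

def parse_greeting(text):
    """Counters the EXOS login greeting claims: (successful logins, failed logins)."""
    m = re.search(r"(\d+) successful logins .*? and (\d+) failed logins", text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def parse_show_tacacs(text):
    """Per-section counters from 'show tacacs', e.g. {'Authentication': {'Passed': 9, ...}}."""
    counters, section = {}, None
    for line in text.splitlines():
        head = re.match(r"\s*(Authentication|Authorization):\s*$", line)
        if head:
            section = counters.setdefault(head.group(1), {})
            continue
        kv = re.match(r"\s*(Requests|Responses|Password|Passed|Failed)\s*:\s*(\d+)\s*$", line)
        if kv and section is not None:
            section[kv.group(1)] = int(kv.group(2))
    return counters

def greeting_undercounts(greeting, show_tacacs):
    """True when the greeting reports fewer successful logins than the TACACS+ server has
    passed (the discrepancy of EXOS bug 1); None when either text lacks the counters.
    Assumption: both counters are reset at reboot, so the greeting should never be lower."""
    g = parse_greeting(greeting)
    auth = parse_show_tacacs(show_tacacs).get("Authentication", {})
    if g is None or "Passed" not in auth:
        return None
    return g[0] < auth["Passed"]
```

When the check returns True, the greeting counters cannot be trusted on that firmware and the `show tacacs` `Failed` counter is the one to poll for failed-login monitoring.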
EXOS bug 2 - TACACS+
Now, if the TACACS+ client on EXOS had been fully implemented, the TACACS+ welcome banner would show up. It did not show up at all; tested with both telnet and SSH.
If you have real EXOS gear and the opportunity to test both bugs described above, check this out, and if you are not a lazy NOC bastard operator from hell, you will most probably open a bug report at the GTAC in case you can reproduce this.
Summary
I like that Extreme provides free images for netlabs and testing in GNS3, EVE-NG or whatever network simulator is in use. Hopefully this helps someone in the future looking for a Cisco ISE or ClearPass appliance replacement when setting up first tests and netlabs with a tiny AAA appliance, compared to the commercial products.
TACACS+NG is amazingly flexible and very much like configuring a router from CLI in that regard.
... and while you still wait for your commercial AAA GNS3 appliance to finally start the boot sequence, I already finished running my CLI automation, and reconfigured all running TACACS+NG netlab nodes, thrice...
References
- Event-driven servers - TAC_PLUS-NG server project
- Download official Virtual-EXOS
- EXOS 32.1 Command Reference Guide Version 32.1.
- GTAC Knowledge Home, just like Cisco Learning Network.
- How To: Identify TACACS Issues
- Connecting to an Extreme switch
- Gajanan Parwar - Understanding extreme command line interface