blog/ posts/ Configuring TACACS+NG authentication for VRP
Configuring TACACS+NG authentication for freeRtr | posts | Configuring PAP-CHAP authentication on TACACS+NG for AOS-CX
  1. IP addressing
  2. TACACS+
  3. TACACS+NG configuration
  4. VRP configuration
    1. IP addressing
    2. local account
    3. Verify local authentication
    4. VRP TACACS+ configuration
      1. AAA default
      2. AAA router
      3. AAA switch
    5. local account (mandatory)
    6. VRP TACACS+NG configuration
    7. Verify
      1. TACACS+NG debug
  5. Summary
  6. References

TACACS+ configuration using Huawei's (VRP) OS. This is about configuring authentication using the TACACS+ protocol. Authorization and Accounting are easy to set up once Authentication is working, but are not part of this netlab.

This is a configuration from scratch. VRP usage for the first time, no experience at all. TACACS+ VRP authentication.

IP addressing

The IP addressing used in this netlab. 3 appliances:

Node Function IP address
R102 VRP router 10.100.100.102/24
AAA-49 TACACS+ server 192.0.2.1
node-10 TACACS+ client 10.100.100.10

Testing authentication is done from the node-10 to the router R102 using telnet protocol.

TACACS+

This netlab is using the TAC_PLUS-NG server project from Event-driven servers.

Version of TACACS+NG used in this netlab:

user % tac_plus-ng -v tac_plus-ng version f4325f4dfa8b12e9a419af0eee909f2cf13a9c4e/PCRE2

TACACS+ server IP settings:

Setting Value
IP 192.0.2.1
TCP port 4949
TACACS+ key 123-my_tacacs_key

Preconfigured tac_plus-ng.cfg settings for user authentication:

Method Option User Password
ASCII login cisco cisco
PAP pap cisco auth-pap
CHAP chap cisco auth-chap

The basic TACACS+NG configuration used in this netlab, has been explained in previous netlabs, read:

TACACS+NG configuration

Pre-configured tac_plus-ng.cfg file for this netlab. AAA server configuration ready to use:

#!/usr/sbin/tac_plus-ng
id = spawnd {
    listen = { address = 0.0.0.0 port = 4949 }
}

id = tac_plus-ng {

        host IPv4only {
            address = 0.0.0.0/0
            welcome banner = "\n Welcome to TACACS+NG\n\n"
            key = 123-my_tacacs_key
    }

    profile netadmin {
            script {
                    if (service == shell) {
                            if (cmd == "") {
                                    set priv-lvl = 15
                                    permit
                            }
                    }
            }
    }

    group admin

    user cisco {
    password {
        login = crypt $2a$10$34.ioPXaLJDD.PdEk.4Mle3g0cQw8e16thH1g0nQEC1.jW.sEHi1S
        pap   = crypt $2y$10$NtwT2Cp/fjezs109gGsVdeyU4Am4q2j1IJ219/mMy.k29xNd9XXU2
        chap  = clear auth-chap

    }
        member = admin
    }

    ruleset {
                rule {
                        script {
                            if (member == admin) { profile = netadmin permit }
                        }
                }
        }
}

This is still the same tac_plus-ng configuration used in previous netlabs.

VRP configuration

IP addressing

  • Hostname R102
  • Address 10.100.100.102/24
  • Gateway 10.100.100.1

Configuration lines for the VRP router:

system-view
sysname R102
interface Ethernet1/0/1
 undo shutdown
 ip address 10.100.100.102 255.255.255.0
exit
ip route-static 0.0.0.0 0.0.0.0 10.100.100.1

local account

Add a new local user named huawei, set password to 123@admin This is optional if you want to fiddle around with SSH additionally on top:

system-view
aaa
 local-user huawei password cipher 123@admin
 local-user huawei level 3
 local-user huawei service-type telnet
 user-interface vty 0 4
  authentication-mode aaa
quit

local used configuration finished.

Verify local authentication

Using the TACACS+ client, telnet to the router, and authenticate using the previously configured credentials:

user % telnet 10.100.100.102

Verfiy the current user settings:

<R102>display access-user self

 ----------------------------------------------------------------- User access index : 4 State : Used User name : huawei User IP address : 10.100.100.10 User access type : Telnet User authentication type : Administrator authentication Current authen method : Local authentication Authen result : Success Current author method : - Author result : Success Action flag : Idle Authen state : Success Author state : Success Current accounting method : None accounting Access start time : 2023-07-29 03:59:27 Accounting start time : 2023-07-29 03:59:27 Accounting state : Start accounting idle User level : 0 Current author cmd method : Local  -----------------------------------------------------------------

Notice, current user is the local-user huawei, the authentication method Local authentication. Everything works.

Verify IP connectivity with the TACACS+ server, from the router:

<R102>ping 192.0.2.1

! output omitted for brevity --- 192.0.2.1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 1/1/3 ms

The TACACS+ server is reachable via IP.

VRP TACACS+ configuration

The VRP TACACS+ configuration, using here the Protocol name, not the vendor specific hwtacacs. The configuration:

VRP authentication only configuration consist of following parts:

  • local user config (optional)
  • hwtacacs server template AAA-1
  • aaa authentication scheme default
  • aaa domain default and default_admin
  • user-interface vty

This results in following configuration for the authenticating users:

system-view
#
hwtacacs enable
#
hwtacacs-server template AAA-1
 hwtacacs-server authentication 192.0.2.1 4949
 hwtacacs-server shared-key cipher 123-my_tacacs_key
 quit
#
aaa
 authentication-scheme default
 authentication-mode hwtacacs local
 quit
#
domain default_admin
 authentication-scheme default
 hwtacacs-server AAA-1
 quit
#
domain default
 authentication-scheme default
 hwtacacs-server AAA-1
 quit
#
user-interface vty 0 4
 authentication-mode aaa
 quit
#
commit

This is the most basic authentication configuration for VRP. This should work everywhere.

AAA default

Using the shown configuration applied to the router will result in following.

VRP sends the username username@domain.ltd as the default username. This is the AAA server authentication debug:

user % tac_plus-ng -f tac_plus-ng.cfg -d 4

10392: 02:02:55.786 0/00000000: - Version f4325f4dfa8b12e9a419af0eee909f2cf13a9c4e initialized 21838: 20:16:43.179 0/5ae6a927: 10.100.100.112 authen: hdr->seq_no: 1 21838: 20:16:43.179 0/5ae6a927: 10.100.100.112 looking for user cisco@default_admin realm default 21838: 20:16:43.179 0/5ae6a927: 10.100.100.112 user lookup failed 21838: 20:16:43.181 0/5ae6a927: 10.100.100.112 authen: hdr->seq_no: 3 21838: 20:16:43.181 0/5ae6a927: 10.100.100.112 looking for user cisco@default_admin realm default 21838: 20:16:43.181 0/5ae6a927: 10.100.100.112 user lookup failed 21838: 20:16:43.181 0/5ae6a927: 10.100.100.112 shell login for 'cisco@default_admin' from 10.100.100.10 on vty0 failed (no such user)

The NAS, here the VRP router, sends the username as cisco@default_admin. The TACACS+ server can not find this username and this results, in no such user, and failed authentication.

VRP has a hwtacacs server configuration option to adjust the sent NAS sent username. Both configurations explained below, result in identical behaviour, sending username without the default suffix shown in above debug output.

AAA router

Using NE40E:

[R102]display version

Huawei Versatile Routing Platform Software VRP (R) software, Version 8.180 (NE40E V800R011C00SPC607B607) Copyright (C) 2012-2018 Huawei Technologies Co., Ltd. HUAWEI NE40E uptime is 0 day, 12 hours, 25 minutes SVRP Platform Version 1.0

Set the hwtacacs user-name original option:

system-view
#
hwtacacs enable
#
hwtacacs-server template AAA-1
 hwtacacs-server authentication 192.0.2.1 4949
 hwtacacs-server shared-key cipher 123-my_tacacs_key 
 hwtacacs user-name original
#
return

AAA switch

Virutal VRP appliance tested. Huawei CE12800E:

[R102]display version

Huawei Versatile Routing Platform Software VRP (R) software, Version 8.180 (CE12800 V200R005C10SPC607B607) Copyright (C) 2012-2018 Huawei Technologies Co., Ltd. HUAWEI CE12800 uptime is 0 day, 5 hours, 46 minutes SVRP Platform Version 1.0

Use the hwtacacs server user-name domain-excluded option.

Configuration example

system-view
#
hwtacacs server template AAA-1
 hwtacacs-server authentication 192.0.2.1 4949
 hwtacacs-server shared-key cipher 123-my_tacacs_key
 hwtacacs-server user-name domain-excluded
#
return
y

However on the (NAS), here the CE12800 switch shows following:

user % telnet 10.100.100.112

Trying 10.100.100.112... Connected to 10.100.100.112. Escape character is '^]'.   Warning: Telnet is not a secure protocol, and it is recommended to use Stelnet.   Username:cisco Password: Error: Username or password error.   Username: Error: The username times out.   Username:

Resulting in an authentication error.

AAA server debug output:

user % tac_plus -f tac_plus-ng.cfg -d4

21838: 22:05:00.318 6/40e8780e: 10.100.100.112 looking for user cisco realm default 21838: 22:05:00.318 6/40e8780e: 10.100.100.112 user lookup succeded 21838: 22:05:00.320 6/40e8780e: 10.100.100.112 authen: hdr->seq_no: 3 21838: 22:05:00.320 6/40e8780e: 10.100.100.112 looking for user cisco realm default 21838: 22:05:00.320 6/40e8780e: 10.100.100.112 user lookup succeded 21838: 22:05:00.320 6/40e8780e: 10.100.100.112 shell login for 'cisco' from 10.100.100.10 on vty0 succeeded (profile=netadmin

  • AAA server reports, lookup succeeded. Everything go.
  • NAS authentication results in an error. Full stop.

The solution to this, partially explained on the mailing list. Looks like there are platform and implementation specific differences. I did not look into this further here for VRP switch platforms.

UPDATE:

The resolution to this is mentioned already above. The switch needs a user in its local user database to authenticate successfully to TACACS+.

local account (mandatory)

Add a new local user named huawei, set password to Admin@123! This is optional if you want to fiddle around with SSH additionally on top:

system-view
aaa
 local-user huawei password cipher Admin@123!
 local-user huawei level 3
 local-user huawei service-type telnet
 user-interface vty 0 4
  authentication-mode aaa
quit

Once a local-user is added everything works using CE12800 switch appliance.

VRP TACACS+NG configuration

VRP configuration for TACACS+NG user authentication. This is specifically for a VRP router platforms. This should work using following GNS3 virtual router appliance NE40E:

system-view
#
hwtacacs enable
#
hwtacacs-server template AAA-1
 hwtacacs-server authentication 192.0.2.1 4949
 hwtacacs-server shared-key cipher 123-my_tacacs_key
 hwtacacs-server user-name original
 quit
#
aaa
 authentication-scheme default
 authentication-mode hwtacacs local
 quit
#
domain default_admin
 authentication-scheme default
 hwtacacs-server AAA-1
 quit
#
domain default
 authentication-scheme default
 hwtacacs-server AAA-1
 quit
#
user-interface vty 0 4
 authentication-mode aaa
 quit
#
quit
#
commit

Verify

Using the TACACS+ client, telnet to the router, and authenticate using the previously configured credentials:

user % telnet 10.100.100.102

After successful authentication, the only command that worksdisplay access-user self command:

<R102>display access-user self

 ------------------------------------------------------------------------ User access index : 50 State : Used User name : cisco User IP address : 10.100.100.10 User access type : Telnet User authentication type : Administrator authentication Current authen method : HWTACACS authentication Authen result : Success Current author method : - Author result : Success Action flag : Idle Authen state : Success Author state : Success Current accounting method : None accounting Access start time : 2023-07-29 18:23:37+02:00 Accounting start time : 2023-07-29 18:23:37+02:00 Accounting state : Start accounting idle User level : 0 Current author cmd method : Local  ------------------------------------------------------------------------

The user has level 0. The authentication type is HWTACACS.

TACACS+NG debug

Authentication debug output from authenticates on the NAS. VRP uses the ASCII method, now correctly shown authenticating user is cisco, without the domain part, resulting in a succeeding authentication:

user % tac_plus-ng -f tac_plus-ng.cfg -d 4

6772: 01:45:38.219 0/00000000: - Version e4cb4a9e95338f44ade6fb36569890bd80df6295 initialized 6771: 01:45:59.899 0/f08b1244: 10.100.100.102 authen: hdr->seq_no: 1 6771: 01:45:59.899 0/f08b1244: 10.100.100.102 looking for user cisco realm default 6771: 01:45:59.899 0/f08b1244: 10.100.100.102 user lookup succeded 6771: 01:45:59.900 0/f08b1244: 10.100.100.102 authen: hdr->seq_no: 3 6771: 01:45:59.900 0/f08b1244: 10.100.100.102 looking for user cisco realm default 6771: 01:45:59.900 0/f08b1244: 10.100.100.102 user lookup succeded 6771: 01:45:59.900 0/f08b1244: 10.100.100.102 shell login for 'cisco' from 10.100.100.10 on telnet25 succeeded (profile=netadmin)

Now that is all folks! Now you can and configure authorisation and accounting to have all the A's configured and working.

The authentication succeeds, but is not that very easy to setup I must admit if done from scratch. At the end VRP AAA works using TACACS+NG.

Summary

The VRP AAA configuration is serious business. I am glad I could barely manage 1/3-rd of it, the authentication part. From scratch. Never dealt with VRP TACACS+ at that level.

So in case anyone wants a very basic VRP router tac_plus-ng.cfg. Here you go. The VRP switch part behaves differently to the router configuration. Switches need corresponding local users in the VRP configuration, routers need the TACACS+ configuration only, without local-users.

References

Related TACACS+NG posts: