TACACS+ configuration using Huawei's VRP OS. This netlab is about configuring authentication using the TACACS+ protocol. Authorization and Accounting are easy to set up once Authentication is working, but are not part of this netlab.
This is a configuration from scratch: first-time VRP usage, no prior experience at all. TACACS+ VRP authentication.
IP addressing
The IP addressing used in this netlab, three appliances:
Node | Function | IP address |
---|---|---|
R102 | VRP router | 10.100.100.102/24 |
AAA-49 | TACACS+ server | 192.0.2.1 |
node-10 | TACACS+ client | 10.100.100.10 |
Testing authentication is done from node-10 to the router R102 using the telnet protocol.
TACACS+
This netlab is using the TAC_PLUS-NG server project from Event-driven servers.
Version of TACACS+NG used in this netlab:
TACACS+ server IP settings:
Setting | Value |
---|---|
IP | 192.0.2.1 |
TCP port | 4949 |
TACACS+ key | 123-my_tacacs_key |
Preconfigured tac_plus-ng.cfg settings for user authentication:
Method | Option | User | Password |
---|---|---|---|
ASCII | login | cisco | cisco |
PAP | pap | cisco | auth-pap |
CHAP | chap | cisco | auth-chap |
The basic TACACS+NG configuration used in this netlab has been explained in previous netlabs, read:
- 01 - TAC PLUS-NG-Configuring basic authentication
- 02 - TACACS+NG PAP-CHAP authentication for AOS-CX
- 03 - Configuring TACACS+NG authentication for EXOS
TACACS+NG configuration
Pre-configured tac_plus-ng.cfg file for this netlab. AAA server configuration ready to use:
```
#!/usr/sbin/tac_plus-ng
id = spawnd {
    listen = { address = 0.0.0.0 port = 4949 }
}
id = tac_plus-ng {
    host IPv4only {
        address = 0.0.0.0/0
        welcome banner = "\n Welcome to TACACS+NG\n\n"
        key = 123-my_tacacs_key
    }
    profile netadmin {
        script {
            if (service == shell) {
                if (cmd == "") {
                    set priv-lvl = 15
                    permit
                }
            }
        }
    }
    group admin
    user cisco {
        password {
            login = crypt $2a$10$34.ioPXaLJDD.PdEk.4Mle3g0cQw8e16thH1g0nQEC1.jW.sEHi1S
            pap = crypt $2y$10$NtwT2Cp/fjezs109gGsVdeyU4Am4q2j1IJ219/mMy.k29xNd9XXU2
            chap = clear auth-chap
        }
        member = admin
    }
    ruleset {
        rule {
            script {
                if (member == admin) { profile = netadmin permit }
            }
        }
    }
}
```
This is still the same tac_plus-ng configuration used in previous netlabs.
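A way to check the server side of this configuration before touching VRP, as an added example that is not part of the netlab or of tac_plus-ng: a small Python TACACS+ client (RFC 8907) that runs one ASCII login and one PAP login against the server with the shared key and the cisco credentials from the tables above. If the server answers PASS here but the NAS still rejects the login, the problem is on the NAS side; if it answers FAIL, or the reply body does not decode into a known status (wrong shared key), the problem is in tac_plus-ng.cfg. The port name "vty0" and the remote address it reports in the START packet are constructed values that only show up in the server's log.

```python
"""TACACS+ (RFC 8907) authentication probe for the tac_plus-ng server in this netlab.

Added example, not part of the netlab or of tac_plus-ng. Speaks the ASCII login and
PAP flows directly to the server so a server-side problem can be told apart from a
NAS-side one. Port name "vty0" and rem_addr are constructed values for the log."""
import hashlib
import os
import socket
import struct

HDR = struct.Struct("!BBBBII")           # version, type, seq_no, flags, session_id, length
TYPE_AUTHEN = 1
ACTION_LOGIN, SERVICE_LOGIN = 1, 1
AUTHEN_ASCII, AUTHEN_PAP = 1, 2
VERSION_ASCII, VERSION_PAP = 0xC0, 0xC1   # minor version 1 is required for PAP/CHAP
STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
          5: "GETPASS", 6: "RESTART", 7: "ERROR"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5: chained MD5 over session_id | key | version | seq_no [| previous hash]."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; applying it twice restores the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def packet(version, seq_no, session_id, key, body):
    """Header plus obfuscated body, ready to send."""
    header = HDR.pack(version, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def authen_start(user, pap_password=None, port=b"vty0", rem_addr=b"10.100.100.10"):
    """START body. ASCII login carries only the user; PAP carries the password in data."""
    user = user.encode()
    data = pap_password.encode() if pap_password is not None else b""
    authen_type = AUTHEN_PAP if pap_password is not None else AUTHEN_ASCII
    fixed = bytes([ACTION_LOGIN, 1, authen_type, SERVICE_LOGIN,
                   len(user), len(port), len(rem_addr), len(data)])
    return fixed + user + port + rem_addr + data


def authen_continue(user_msg):
    """CONTINUE body: user_msg_len, data_len, flags, user_msg (the password for ASCII)."""
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg


def parse_reply(body):
    """REPLY body -> (status name, server_msg). Unknown status means a decode problem."""
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return STATUS.get(status, str(status)), body[6:6 + msg_len].decode(errors="replace")


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def authenticate(host, port, key, user, password, method="ascii", timeout=5.0):
    """Run one login against the server; returns (status, server message)."""
    key = key.encode()
    version = VERSION_PAP if method == "pap" else VERSION_ASCII
    session_id = int.from_bytes(os.urandom(4), "big")
    seq_no = 1
    with socket.create_connection((host, port), timeout=timeout) as sock:
        start = authen_start(user, password if method == "pap" else None)
        sock.sendall(packet(version, seq_no, session_id, key, start))
        while True:
            ver, ptype, rseq, _flags, sid, length = HDR.unpack(_recv_exact(sock, HDR.size))
            if ptype != TYPE_AUTHEN or sid != session_id or rseq != seq_no + 1:
                raise ValueError("unexpected packet (type %d, seq %d)" % (ptype, rseq))
            status, msg = parse_reply(obfuscate(_recv_exact(sock, length), sid, key, ver, rseq))
            if status != "GETPASS":           # PASS, FAIL, ERROR, ... end the exchange
                return status, msg
            seq_no = rseq + 1                 # ASCII: the server asked for the password
            sock.sendall(packet(version, seq_no, session_id, key,
                                authen_continue(password.encode())))


if __name__ == "__main__":
    for method, pw in (("ascii", "cisco"), ("pap", "auth-pap")):
        print(method, authenticate("192.0.2.1", 4949, "123-my_tacacs_key", "cisco", pw, method))
```

Run it from node-10: the ASCII flow produces the same seq_no 1 and 3 packets on the server that the debug output in this netlab shows, and the PAP flow finishes in a single round trip because the password travels in the START packet.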
VRP configuration
IP addressing
- Hostname R102
- Address 10.100.100.102/24
- Gateway 10.100.100.1
Configuration lines for the VRP router:
```
system-view
sysname R102
interface Ethernet1/0/1
undo shutdown
ip address 10.100.100.102 255.255.255.0
exit
ip route-static 0.0.0.0 0.0.0.0 10.100.100.1
```
local account
Add a new local user named huawei, set password to 123@admin. This is optional if you want to fiddle around with SSH additionally on top:
```
system-view
aaa
local-user huawei password cipher 123@admin
local-user huawei level 3
local-user huawei service-type telnet
user-interface vty 0 4
authentication-mode aaa
quit
```
Local user configuration finished.
Verify local authentication
Using the TACACS+ client, telnet to the router, and authenticate using the previously configured credentials:
Verify the current user settings:
```
-----------------------------------------------------------------
User access index          : 4
State                      : Used
User name                  : huawei
User IP address            : 10.100.100.10
User access type           : Telnet
User authentication type   : Administrator authentication
Current authen method      : Local authentication
Authen result              : Success
Current author method      : -
Author result              : Success
Action flag                : Idle
Authen state               : Success
Author state               : Success
Current accounting method  : None accounting
Access start time          : 2023-07-29 03:59:27
Accounting start time      : 2023-07-29 03:59:27
Accounting state           : Start accounting idle
User level                 : 0
Current author cmd method  : Local
-----------------------------------------------------------------
```
Notice, the current user is the local-user huawei and the authentication method is Local authentication. Everything works.
Verify IP connectivity with the TACACS+ server, from the router:
```
! output omitted for brevity
--- 192.0.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/3 ms
```
The TACACS+ server is reachable via IP.
VRP TACACS+ configuration
The VRP TACACS+ configuration; the protocol name TACACS+ is used here rather than the vendor-specific hwtacacs. The configuration:
A VRP authentication-only configuration consists of the following parts:
- local user config (optional)
- hwtacacs server template AAA-1
- aaa authentication scheme default
- aaa domain default and default_admin
- user-interface vty
This results in the following configuration for the authenticating users:
```
system-view
#
hwtacacs enable
#
hwtacacs-server template AAA-1
hwtacacs-server authentication 192.0.2.1 4949
hwtacacs-server shared-key cipher 123-my_tacacs_key
quit
#
aaa
authentication-scheme default
authentication-mode hwtacacs local
quit
#
domain default_admin
authentication-scheme default
hwtacacs-server AAA-1
quit
#
domain default
authentication-scheme default
hwtacacs-server AAA-1
quit
#
user-interface vty 0 4
authentication-mode aaa
quit
#
commit
```
This is the most basic authentication configuration for VRP. This should work everywhere.
AAA default
Applying the shown configuration to the router results in the following. By default VRP sends the username in the form username@domain.ltd, with the domain name appended. This is the AAA server authentication debug:
```
10392: 02:02:55.786 0/00000000: - Version f4325f4dfa8b12e9a419af0eee909f2cf13a9c4e initialized
21838: 20:16:43.179 0/5ae6a927: 10.100.100.112 authen: hdr->seq_no: 1
21838: 20:16:43.179 0/5ae6a927: 10.100.100.112 looking for user cisco@default_admin realm default
21838: 20:16:43.179 0/5ae6a927: 10.100.100.112 user lookup failed
21838: 20:16:43.181 0/5ae6a927: 10.100.100.112 authen: hdr->seq_no: 3
21838: 20:16:43.181 0/5ae6a927: 10.100.100.112 looking for user cisco@default_admin realm default
21838: 20:16:43.181 0/5ae6a927: 10.100.100.112 user lookup failed
21838: 20:16:43.181 0/5ae6a927: 10.100.100.112 shell login for 'cisco@default_admin' from 10.100.100.10 on vty0 failed (no such user)
```
The NAS, here the VRP router, sends the username as cisco@default_admin. The TACACS+ server cannot find this username, which results in no such user and a failed authentication.
VRP has a hwtacacs server configuration option to adjust the username the NAS sends. Both configurations explained below result in identical behaviour: the username is sent without the default domain suffix shown in the debug output above.
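To spot this condition in the server's own debug output without reading it by hand, an added example that is not part of the netlab or of tac_plus-ng: a Python summariser that groups the debug lines per session id and reports, per session, whether the server accepted the login, rejected it for an unknown user, or never saw a result. A user that arrives with an @domain suffix and fails the lookup is called out as the NAS-side username problem explained above. The line format it parses is assumed from the debug output quoted in this netlab, and the sample lines are constructed after that output.

```python
"""Summarise tac_plus-ng authentication debug lines per session.

Added example, not part of the netlab or of tac_plus-ng. The line shape is assumed
from the debug output quoted in this netlab:
    "<pid>: <time> <n>/<session>: <nas-ip> <message>"
The sample lines at the bottom are constructed after that output."""
import re

LINE = re.compile(r"^(?P<pid>\d+): (?P<time>[\d:.]+) (?P<n>\d+)/(?P<session>[0-9a-f]+): "
                  r"(?P<nas>\S+) (?P<msg>.*)$")
LOOKUP = re.compile(r"looking for user (?P<user>\S+) realm (?P<realm>\S+)")
# The closing parenthesis is optional: the quoted log ends with "(profile=netadmin".
LOGIN = re.compile(r"shell login for '(?P<user>[^']+)' from (?P<client>\S+) on (?P<port>\S+) "
                   r"(?P<result>succeeded|failed)(?: \((?P<detail>[^)]*)\)?)?")


def summarise(lines):
    """Group debug lines by session id and extract user, realm, result and detail."""
    sessions = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["session"] == "00000000":   # startup lines carry no session
            continue
        s = sessions.setdefault(m["session"], {
            "nas": m["nas"], "user": None, "realm": None, "client": None,
            "result": None, "detail": None, "lookup_failed": False})
        msg = m["msg"]
        lk = LOOKUP.search(msg)
        if lk:
            s["user"], s["realm"] = lk["user"], lk["realm"]
        elif "user lookup failed" in msg:
            s["lookup_failed"] = True
        lg = LOGIN.search(msg)
        if lg:
            s["user"], s["client"] = lg["user"], lg["client"]
            s["result"], s["detail"] = lg["result"], lg["detail"]
    return sessions


def diagnose(session):
    """One-line reading of a session, in terms of where the failure sits."""
    user = session["user"] or ""
    if session["result"] == "succeeded":
        return "server accepted %s (%s)" % (user, session["detail"] or "no profile")
    if session["result"] is None:
        return "incomplete session"
    if session["lookup_failed"] and "@" in user:
        return ("server has no user %s; the NAS appended a domain suffix, adjust the "
                "hwtacacs user-name option on the NAS" % user)
    if session["lookup_failed"]:
        return "server has no user %s" % user
    return "server rejected %s (%s)" % (user, session["detail"] or "no detail")


# Constructed sample, modelled on the debug lines quoted in this netlab.
SAMPLE = """\
10392: 02:02:55.786 0/00000000: - Version f4325f4dfa8b12e9a419af0eee909f2cf13a9c4e initialized
21838: 20:16:43.179 0/5ae6a927: 10.100.100.112 authen: hdr->seq_no: 1
21838: 20:16:43.179 0/5ae6a927: 10.100.100.112 looking for user cisco@default_admin realm default
21838: 20:16:43.179 0/5ae6a927: 10.100.100.112 user lookup failed
21838: 20:16:43.181 0/5ae6a927: 10.100.100.112 shell login for 'cisco@default_admin' from 10.100.100.10 on vty0 failed (no such user)
6771: 01:45:59.899 0/f08b1244: 10.100.100.102 authen: hdr->seq_no: 1
6771: 01:45:59.899 0/f08b1244: 10.100.100.102 looking for user cisco realm default
6771: 01:45:59.899 0/f08b1244: 10.100.100.102 user lookup succeded
6771: 01:45:59.900 0/f08b1244: 10.100.100.102 shell login for 'cisco' from 10.100.100.10 on telnet25 succeeded (profile=netadmin
""".splitlines()

if __name__ == "__main__":
    for sid, s in summarise(SAMPLE).items():
        print(sid, s["nas"], diagnose(s))
```

The summary keeps the NAS address per session, so when one server serves both the router and the switch it is immediately visible which NAS still sends the suffixed username after the option has been set.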
AAA router
Using NE40E:
```
Huawei Versatile Routing Platform Software
VRP (R) software, Version 8.180 (NE40E V800R011C00SPC607B607)
Copyright (C) 2012-2018 Huawei Technologies Co., Ltd.
HUAWEI NE40E uptime is 0 day, 12 hours, 25 minutes
SVRP Platform Version 1.0
```
Set the hwtacacs user-name original option:
```
system-view
#
hwtacacs enable
#
hwtacacs-server template AAA-1
hwtacacs-server authentication 192.0.2.1 4949
hwtacacs-server shared-key cipher 123-my_tacacs_key
hwtacacs user-name original
#
return
```
AAA switch
Virtual VRP appliance tested, Huawei CE12800E:
```
Huawei Versatile Routing Platform Software
VRP (R) software, Version 8.180 (CE12800 V200R005C10SPC607B607)
Copyright (C) 2012-2018 Huawei Technologies Co., Ltd.
HUAWEI CE12800 uptime is 0 day, 5 hours, 46 minutes
SVRP Platform Version 1.0
```
Use the hwtacacs server user-name domain-excluded option:
```
system-view
#
hwtacacs server template AAA-1
hwtacacs-server authentication 192.0.2.1 4949
hwtacacs-server shared-key cipher 123-my_tacacs_key
hwtacacs-server user-name domain-excluded
#
return
```
However, the NAS, here the CE12800 switch, shows the following:
```
Trying 10.100.100.112...
Connected to 10.100.100.112.
Escape character is '^]'.
Warning: Telnet is not a secure protocol, and it is recommended to use Stelnet.
Username:cisco
Password:
Error: Username or password error.
Username:
Error: The username times out.
Username:
```
Resulting in an authentication error.
AAA server debug output:
```
21838: 22:05:00.318 6/40e8780e: 10.100.100.112 looking for user cisco realm default
21838: 22:05:00.318 6/40e8780e: 10.100.100.112 user lookup succeded
21838: 22:05:00.320 6/40e8780e: 10.100.100.112 authen: hdr->seq_no: 3
21838: 22:05:00.320 6/40e8780e: 10.100.100.112 looking for user cisco realm default
21838: 22:05:00.320 6/40e8780e: 10.100.100.112 user lookup succeded
21838: 22:05:00.320 6/40e8780e: 10.100.100.112 shell login for 'cisco' from 10.100.100.10 on vty0 succeeded (profile=netadmin
```
- The AAA server reports a successful lookup. Everything good on that side.
- The NAS authentication results in an error. Full stop.
The solution to this is partially explained on the mailing list. There appear to be platform and implementation specific differences. I did not look into this further here for VRP switch platforms.
UPDATE:
The resolution to this is mentioned already above. The switch needs a user in its local user database to authenticate successfully to TACACS+.
local account (mandatory)
Add a new local user named huawei, set password to Admin@123!
On the switch this local user is mandatory (see the update above); it is also what you need if you want to fiddle around with SSH additionally on top:
```
system-view
aaa
local-user huawei password cipher Admin@123!
local-user huawei level 3
local-user huawei service-type telnet
user-interface vty 0 4
authentication-mode aaa
quit
```
Once a local-user is added, everything works using the CE12800 switch appliance.
VRP TACACS+NG configuration
VRP configuration for TACACS+NG user authentication. This is specifically for VRP router platforms. This should work using the following GNS3 virtual router appliance, NE40E:
```
system-view
#
hwtacacs enable
#
hwtacacs-server template AAA-1
hwtacacs-server authentication 192.0.2.1 4949
hwtacacs-server shared-key cipher 123-my_tacacs_key
hwtacacs-server user-name original
quit
#
aaa
authentication-scheme default
authentication-mode hwtacacs local
quit
#
domain default_admin
authentication-scheme default
hwtacacs-server AAA-1
quit
#
domain default
authentication-scheme default
hwtacacs-server AAA-1
quit
#
user-interface vty 0 4
authentication-mode aaa
quit
#
quit
#
commit
```
Verify
Using the TACACS+ client, telnet to the router, and authenticate using the previously configured credentials:
After successful authentication, the only command that works is the display access-user self command:
```
------------------------------------------------------------------------
User access index          : 50
State                      : Used
User name                  : cisco
User IP address            : 10.100.100.10
User access type           : Telnet
User authentication type   : Administrator authentication
Current authen method      : HWTACACS authentication
Authen result              : Success
Current author method      : -
Author result              : Success
Action flag                : Idle
Authen state               : Success
Author state               : Success
Current accounting method  : None accounting
Access start time          : 2023-07-29 18:23:37+02:00
Accounting start time      : 2023-07-29 18:23:37+02:00
Accounting state           : Start accounting idle
User level                 : 0
Current author cmd method  : Local
------------------------------------------------------------------------
```
The user has level 0. The authentication type is HWTACACS.
TACACS+NG debug
Authentication debug output from the user authenticating on the NAS. VRP uses the ASCII method; the authenticating user is now correctly shown as cisco, without the domain part, resulting in a succeeding authentication:
```
6772: 01:45:38.219 0/00000000: - Version e4cb4a9e95338f44ade6fb36569890bd80df6295 initialized
6771: 01:45:59.899 0/f08b1244: 10.100.100.102 authen: hdr->seq_no: 1
6771: 01:45:59.899 0/f08b1244: 10.100.100.102 looking for user cisco realm default
6771: 01:45:59.899 0/f08b1244: 10.100.100.102 user lookup succeded
6771: 01:45:59.900 0/f08b1244: 10.100.100.102 authen: hdr->seq_no: 3
6771: 01:45:59.900 0/f08b1244: 10.100.100.102 looking for user cisco realm default
6771: 01:45:59.900 0/f08b1244: 10.100.100.102 user lookup succeded
6771: 01:45:59.900 0/f08b1244: 10.100.100.102 shell login for 'cisco' from 10.100.100.10 on telnet25 succeeded (profile=netadmin)
```
Now that is all folks! Now you can configure authorisation and accounting to have all the A's configured and working.
The authentication succeeds, but I must admit it is not that easy to set up from scratch. In the end, VRP AAA works using TACACS+NG.
Summary
The VRP AAA configuration is serious business. I am glad I could barely manage 1/3-rd of it, the authentication part. From scratch. Never dealt with VRP TACACS+ at that level.
So in case anyone wants a very basic VRP router tac_plus-ng.cfg, here you go. The VRP switch part behaves differently from the router configuration: switches need corresponding local users in the VRP configuration, routers need the TACACS+ configuration only, without local-users.
References
- VRP local-user privilege level
- Event-driven servers - TAC_PLUS-NG server project
- Configuring TACACS+ Server With A Simple GUI
- VRP hash - Cipher Decipher