In the previous VyOS post, Using freeRtr AAA daemon for VyOS, written in the middle of 2023, TACACS+ support had only just been added to VyOS. That netlab explained the VyOS RADIUS authentication and authorisation method, with the RADIUS service running on a freeRtr appliance. A year later the rolling releases of VyOS include a working TACACS+ prototype.
Knowing that VyOS TACACS+ support was added only a year ago, I suspected there would not be much there yet. But for simple authentication and the most basic authorization the building blocks should already be in place.
Terms
Using the term server in this context is problematic and leads to misunderstanding. These are the technical terms used here; the AAA TACACS+ server will be referred to as the AAA daemon:
Term | Function |
---|---|
daemon | AAA TACACS+NG server (tac_plus-ng) |
NAC | Client or NAC (SSH client) |
NAS | Device or NAS or NAD (VyOS) |
Since a NAS is sometimes referred to as a server, and a daemon is also often referred to as a server, the term server has been avoided here in favor of the less ambiguous terms NAS and daemon.
IP addressing
Basic setup: one broadcast domain, with the following IP addressing in the network topology:
Node | Function | Term | IP address |
---|---|---|---|
node-10 | SSH client | NAC | 10.100.100.10 |
AAA-1 | TACACS+ daemon | daemon | 192.0.2.1 |
R180 | VyOS firewall | NAS | 10.100.100.180/24 |
VyOS configuration
This is the image used in the configuration process, the latest rolling release:
R180 login: vyos
Password:
Welcome to VyOS!

 ┌── ┐
 .    VyOS 1.5-rolling-202406060020
 └ ──┘  current

vyos@R180:~$ show ver
Version:          VyOS 1.5-rolling-202406060020
Release train:    current
Release flavor:   generic

Built by:         autobuild@vyos.net
Built on:         Thu 06 Jun 2024 03:11 UTC
...
IP setup
Basic configuration to have reachability and make VyOS manageable using SSH:
config
set system host-name R180
set interfaces ethernet eth1 address 10.100.100.180/24
set protocols static route 0.0.0.0/0 next-hop 10.100.100.1
set service ssh
commit
save
Reachability established.
TACACS+ configuration
The TACACS+ configuration is short and simple; it consists of:
- daemon IP and key
- daemon TCP/IP port
- NAS source interface
Configuration commands to get TACACS+ support working:
config
set system login tacacs server 192.0.2.1 key '123-my_tacacs_key'
set system login tacacs server 192.0.2.1 port '49'
set system login tacacs source-address '10.100.100.180'
commit
save
tac_plus-ng
Using tac_plus-ng, since the tac_plus version is not actively developed anymore. The cool stuff is now in tac_plus-ng:
The software version used in this netlab:
Authorisation
This is the authorisation that is in place and can be used on VyOS with this version. VyOS has two user groups, the admin group and the users group:
- admin (priv-lvl15)
- users (priv-lvl0 - priv-lvl-14)
For a first, simple setup that is all that is needed.
Full configuration
The tac_plus-ng.cfg configuration is based on the TAC PLUS-NG-Configuring basic authentication blog article. The tac_plus-ng daemon port 4949 runs using regular system user privileges. Port 49 will only run with privileged system user rights.
#!/usr/sbin/tac_plus-ng
id = spawnd {
    # port 49 needs privileged rights, 4949 does not
    listen = { address = 0.0.0.0 port = 49 }
    listen = { address = 0.0.0.0 port = 4949 }
}
id = tac_plus-ng {
    # devices: any IPv4 NAS, shared key must match the VyOS "key" setting
    device IPv4only {
        address = 0.0.0.0/0
        welcome banner = "\n Welcome to TACACS+NG\n\n"
        key = 123-my_tacacs_key
    }
    # This is 3rd-level support. Everything works out of the box.
    profile 3rd-level {
        script {
            if (service == shell) {
                if (cmd == "") {
                    set priv-lvl=15
                    permit
                }
                permit
            }
        }
    }
    # This is the 1st-level support. Only explicitly listed commands work here.
    profile 1st-level {
        script {
            if (service == shell) {
                if (cmd == "") {
                    set priv-lvl=14
                    permit
                }
                if (cmd =~ /^ping/) permit
                if (cmd =~ /^traceroute/) permit
                if (cmd =~ /^test/) permit
                if (cmd =~ /^exit/) permit
                deny
            }
        }
    }
    # 2 different groups
    group NET-exp
    group NET-ent
    # 2 users - cisco can do everything, dos can do nothing.
    user cisco {
        password {
            # pw: cisco
            login = crypt $2a$10$34.ioPXaLJDD.PdEk.4Mle3g0cQw8e16thH1g0nQEC1.jW.sEHi1S
        }
        member = NET-exp
    }
    user dos {
        password {
            # pw: dos
            login = crypt $2y$10$6PDonNyRrHqlXp.k9lxAXO77H2PrjWm9KxvODaCBc/RwGK.OUjA7m
        }
        member = NET-ent
    }
    # ruleset: group membership selects the profile
    ruleset {
        rule {
            script {
                if (member == NET-exp) { profile = 3rd-level permit }
            }
        }
        rule {
            script {
                if (member == NET-ent) { profile = 1st-level permit }
            }
        }
    }
}
The priv-lvl assignment is located in the profile section. The if statements after the priv-lvl has been set work on the TACACS+ daemon side:
...
if (cmd =~ /^ping/) permit
...
On the VyOS side they do not work at the current time, since the VyOS TACACS+ AAA command authorization function is not implemented. But this is not a problem: basic profile assignment works and is usable.
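A small Python model of the two profile scripts, added here as an illustration (it is not tac_plus-ng's own evaluator and not code from this post's configuration): each profile sets its priv-lvl on the shell-start request (cmd == "") and then checks the command regexes in order, falling through to the profile's default. Requests for a service other than shell are treated as denied, an assumption about how the script ends. The model also carries an assumed tighter variant, 1st-level-tight, because /^ping/ also matches a command such as pingfoo; anchoring the keyword with ( |$) avoids that prefix match. As described above, VyOS today only exercises the cmd == "" path.

```python
import re

# Constructed model of the profiles in tac_plus-ng.cfg: priv-lvl for the
# shell-start request, ordered (regex, decision) rules, and a default decision.
PROFILES = {
    # profile 3rd-level: priv-lvl 15, every command permitted
    "3rd-level": {"priv_lvl": 15, "rules": [], "default": "permit"},
    # profile 1st-level: priv-lvl 14, only the listed command prefixes permitted
    "1st-level": {
        "priv_lvl": 14,
        "rules": [(r"^ping", "permit"), (r"^traceroute", "permit"),
                  (r"^test", "permit"), (r"^exit", "permit")],
        "default": "deny",
    },
    # Suggested tighter variant (an assumption, not from the post): the keyword
    # must be the whole first word, so "pingfoo" is no longer matched by "^ping".
    "1st-level-tight": {
        "priv_lvl": 14,
        "rules": [(r"^ping( |$)", "permit"), (r"^traceroute( |$)", "permit"),
                  (r"^test( |$)", "permit"), (r"^exit( |$)", "permit")],
        "default": "deny",
    },
}

# ruleset section of the config: user -> group -> profile
USER_GROUP = {"cisco": "NET-exp", "dos": "NET-ent"}
GROUP_PROFILE = {"NET-exp": "3rd-level", "NET-ent": "1st-level"}


def profile_for(user):
    """Resolve the profile like the ruleset does; None if no rule matches."""
    return GROUP_PROFILE.get(USER_GROUP.get(user))


def evaluate(profile_name, service, cmd):
    """Return (decision, priv_lvl) for one authorization request.

    cmd == "" is the shell-start request VyOS sends today and the only path
    that sets priv-lvl. A non-empty cmd models the per-command request that
    VyOS does not send yet.
    """
    if profile_name is None or service != "shell":
        return ("deny", None)          # assumption: no profile / not shell -> deny
    profile = PROFILES[profile_name]
    if cmd == "":
        return ("permit", profile["priv_lvl"])
    for pattern, decision in profile["rules"]:
        if re.search(pattern, cmd):    # first matching rule decides
            return (decision, None)
    return (profile["default"], None)  # fall-through: deny for 1st-level


def authorize(user, service, cmd):
    """Convenience wrapper: ruleset lookup followed by profile evaluation."""
    return evaluate(profile_for(user), service, cmd)


if __name__ == "__main__":
    for user, cmd in [("cisco", ""), ("cisco", "configure"), ("dos", ""),
                      ("dos", "ping 10.100.100.1"), ("dos", "show configuration"),
                      ("dos", "pingfoo")]:
        print(f"{user:5} {cmd!r:22} -> {authorize(user, 'shell', cmd)}")
```

The pingfoo case is the check worth keeping in mind when the VyOS side does start sending per-command requests: a prefix regex permits more than the one command it names.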
Verify
Verification command to show the privilege level:
show login level
Show the currently logged-in user(s) overview:
show login
Authentication
The authentication works correctly. The user cisco logged in successfully:
login   : cisco pts/0 2024-07-15 16:46 (10.100.100.10)
level   : admin
user    : cisco
groups  : tacacs adm disk sudo dip users vyattacfg _kea frrvty frr
Authorisation
The authorisation works. The AAA daemon assigns priv-lvl 14 to the user dos. The user is put into the users group. The full output:
login   : dos pts/0 2024-07-15 16:47 (10.100.100.10)
level   : users
user    : dos
groups  : tacacs adm dip operator users vyattaop frrvty
There is no difference between priv-lvl 0 and priv-lvl 14 on VyOS. All of these priv-lvls end up in the VyOS group users.
The VyOS privilege level is also shown by the prompt after login:
- user: >
- admin: :~$
While the user's prompt looks like that of a professional network operating system, the admin's prompt looks like a default bash terminal profile. This is the default state after authentication.
The prompt of the admin user changes to # after entering the global configuration mode using the config command.
Accounting
AAA accounting is not implemented yet. Available TACACS+ configuration options on VyOS at the current time:
Possible completions:
   security-mode   Security mode for TACACS+ authentication (default: optional)
+> server          TACACS+ server configuration
   source-address  IPv4 source address used to initiate connection
   timeout         Session timeout (default: 2)
   vrf             VRF instance name
These are the hidden TACACS+ daemon options under server:
Possible completions:
>  x.x.x.x         TACACS+ server IPv4 address
>  192.0.2.1
Summary
Comparing RADIUS and TACACS+ AAA, both configuration options offer exactly the same amount of possibilities: the authorization part is based on assigning the priv-lvl to the shell. Using TACACS+ for AAA is still a better choice than RADIUS, since the communication between NAS and AAA daemon is encrypted. Good to see that VyOS took the first steps into implementing the basic functionality. The authorization and accounting parts are still not implemented.
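On the encryption point, the caveat a practitioner should know: what TACACS+ applies to the packet body is the MD5-based pad of RFC 8907 section 4.5, which the RFC itself calls obfuscation rather than encryption and which it recommends wrapping in a secure transport; the header is always sent in the clear. The following Python, added as an example and not VyOS or tac_plus-ng code, builds an authentication START for user dos with the shared key from the configuration above and decodes it the way the daemon side would. The session id, the NAS port string "ssh" and the choice of an ASCII login are constructed assumptions for the example.

```python
import hashlib
import struct

# RFC 8907 section 4.1 header: version, type, seq_no, flags, session_id, length
HEADER = struct.Struct("!BBBBII")
TAC_PLUS_AUTHEN = 0x01              # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # flags bit: body sent without obfuscation
VERSION_ASCII_LOGIN = 0xC0          # major version 0xC, minor version 0

# Constructed values: the key from the config above, a session id picked for
# this example, and user dos logging in from the NAC 10.100.100.10.
KEY = b"123-my_tacacs_key"
SESSION_ID = 0x1A2B3C4D


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 keystream, truncated to the body length:
    pad_1 = MD5(session_id ++ key ++ version ++ seq_no)
    pad_n = MD5(session_id ++ key ++ version ++ seq_no ++ pad_{n-1})"""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(prefix + prev).digest()
        out += prev
    return out[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, session_id=SESSION_ID, key=KEY):
    """NAS side: authentication START (section 5.1) for an ASCII login."""
    action, priv_lvl, authen_type, service = 0x01, 0x00, 0x01, 0x01  # LOGIN, ASCII, LOGIN
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    body = struct.pack("!8B", action, priv_lvl, authen_type, service,
                       len(u), len(p), len(r), len(d)) + u + p + r + d
    seq_no = 1  # the first packet of a session is sent by the NAS with seq_no 1
    header = HEADER.pack(VERSION_ASCII_LOGIN, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION_ASCII_LOGIN, seq_no)


def parse_authen_start(packet, key):
    """Daemon side: read the clear-text header, de-obfuscate the body with the
    configured key and unpack the START fields. A wrong key produces field
    lengths that do not add up, which is how a key mismatch normally surfaces."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if ptype != TAC_PLUS_AUTHEN or len(body) != length:
        raise ValueError("truncated or non-authentication packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    if 8 + ulen + plen + rlen + dlen != len(body):
        raise ValueError("field lengths do not match body length (wrong key?)")
    fields, off = [], 8
    for n in (ulen, plen, rlen, dlen):
        fields.append(body[off:off + n])
        off += n
    user, port, rem_addr, data = fields
    return {"session_id": session_id, "seq_no": seq_no, "priv_lvl": priv_lvl,
            "user": user.decode(), "port": port.decode(), "rem_addr": rem_addr.decode()}


def key_matches(packet, key):
    """True when the packet decodes cleanly with this key."""
    try:
        parse_authen_start(packet, key)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    pkt = build_authen_start("dos", "ssh", "10.100.100.10")
    print(pkt.hex())
    print(parse_authen_start(pkt, KEY))
    print("decodes with wrong key:", key_matches(pkt, b"wrong-key"))
```

The keystream depends only on the session id, the shared key, the version byte and the sequence number, all of which except the key are visible in the clear-text header; that is why the key quality and the transport matter for this protocol.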
AAA command authorization would be a great move. Commands are already part of the tested tac_plus-ng.cfg config, if you paid attention. These are assigned to the priv-lvl-14 profile which user linux uses. There is no counterpart on the VyOS side yet that would make use of this authorisation.
At the current moment vendors are mostly using the RBAC-based approach, where predefined roles for the most generic use cases are already in place on the NAS. The tac_plus daemon then only sets the RBAC role in the profile. It would be a good move for VyOS to maybe choose the RBAC approach when it comes to authorization and the usage of predefined command sets for VyOS.
Having a look at the currently open TACACS+ related VyOS bugs: when this particular bug (command logging, local and remote) is solved, then TACACS+ authorisation is also implemented on VyOS, I believe.
See also
The AAA RADIUS result is exactly the same as the TACACS+ result in this blog entry.