Related documents
| Document Name | Link |
|---|---|
| AAA_with_SONiC_v2 | https://github.com/sonic-net/SONiC/blob/gh-pages/doc/aaa/AAA_with_SONiC_v2.docx |
| pam_tacplus | https://github.com/jeroennijhof/pam_tacplus/blob/master/README.md |
| tacacs+ daemon | http://manpages.ubuntu.com/manpages/xenial/man8/tac_plus.8.html |
TACACS+ (Terminal Access Controller Access Control System Plus) provides Authentication, Authorization and Accounting services, used most commonly for administration access to network devices like routers, switches and terminal servers.
The purpose is to test functionality of TACACS+ authentication on the SONIC switch DUT. Each test covers a basic functionality of TACACS+ authentication feature, and ensures the switch works as expected under production scenarios. The test assumes that there is a TACACS+ server has connected to the switch DUT and installed TACACS+ daemon(tac_plus).
The test is targeting on SSH login via TACACS+ authentication. Console login is also supported for TACACS+ authentication, its configuartion and process are the same as SSH login. But the test focus on ssh login which is the major procduction scenario.
NOTE: Authorization will be implemented after CLI shell is OK. Accounting is not in the development plan.
No scale/performance test involved in this test plan
Manual TACACS+ configuration can be done using config command in switch DUT.
| Command | Comment |
|---|---|
| Configuration commands | |
| config aaa authentication login { local / tacacs+ } | Authentication login policy |
| config aaa authentication failthrough enable | Enable authentication fail-through |
| config tacacs timeout < 1 – 60 > | TACACS+ server connection timeout |
| config tacacs authtype [ pap / chap ] | TACACS+ authentication service |
| config tacacs passkey < TEXT > | Secret key used to encrypt/decrypt packets |
| config tacacs src_ip < ADDRESS > | Set source ip address for outgoing packets |
| config tacacs add < ADDRESS > --port < 1 – 65535 > --timeout < 1 – 60 > --key < TEXT > --type [ pap / chap ] --pri < 1 - 64 > |
Specify a TACACS+ server |
| config tacacs delete < ADDRESS > | Delete a TACACS+ server |
| Show commands | |
| show aaa | Show AAA configuration |
| show tacacs | Show TACACS+ configuration |
The TACACS+ configuration is not supported for the minigrah. All configurations are saved in config_db.json, and loaded by the host config enforcer. The configuration in config_db.json can be generated by config command, or modified manually.
Configuration sample in config_db.json
"TACPLUS": {
"global": {
"auth_type": "pap",
"src_ip": "100.1.1.1",
"timeout": "3",
"passkey": "test123"
}
},
"TACPLUS_SERVER": {
"10.65.254.248": {
"priority": "20",
"tcp_port": "49"
},
"10.65.254.222": {
"priority": "30",
"tcp_port": "49"
}
},
"AAA": {
"authentication": {
"login": "local,tacacs+",
"failthrough": "True"
}
}
N/A
- TACACS+ server is connected to the management network.
All TACACS+ configurations are saved in config_db.json, not in minigraph. To avoid misunderstanding user, the information about TACACS+ server in ansible/templates/topo/dev_metadata.j2 should be deleted.
The TACACS+ server address is defined in group_vars/lab/lab.yml. The test only use the first server.
The TACACS+ passkey, user account and password are stored in the /etc/tacacs/tac_plus.conf for the TACACS+ daemon. They should be deployed in TACACS+ server.
Configuration sample for passkey in tac_plus.conf
# Encryption key
key = "test123"
Configuration sample for user account and password in tac_plus.conf
group = network_admin {
default service = permit
service = exec {
priv-lvl = 15
}
cmd = show {
permit .*
}
}
user = test
{
login = des teWtwbeIm3BdA
pap = des teWtwbeIm3BdA
member = network_admin
}
Note: tac_pwd is a utility supplied with tac_plus to assist in performing the encryption.
tacacs.yml includes three parts
- tacacs_configure.yml: apply TACACS+ configuration.
- tacacs_test.yml: run TACACS+ authentication test.
- tacacs_cleanup.yml: clear TACACS+ configuration from the switch.
Verify TACACS+ authentication via ssh works.
- Enable TACACS+ authentication by config command.
- Verfiy the PAM configuration includes TACACS+ authenticaiton. All PAM configurations for SONIC authentication are saved in /etc/pam.d/common-auth-sonic. This file can be checked to verify if the command is configured correctly.
- Verify TACACS+ user login via ssh is successful, and login username is equal with TACACS+ username. The command "sshpass" can be used to login with password, and the command "whoami" can be used to check the current user name.
Verify failthrough mechanism works. Failthrough is enabled by default. If failthrough mechanism is disabled, authentication won't pass when any one of the pam modules return fail.
- Config local authentication is prior to TACACS+.
- Disable authentication failthrough by config command.
- Verify TACACS+ user login via ssh fails. When local authentication fails, it will return error directly and not go to the TACACS+ authentication.
- Enable authentication failthrough by config command.
- Verify TACACS+ user login succeeds.
Verify TACACS+ source address configuration works. In the procduction scenario, the TACACS+ source address is configured as the loopback address. This test will verify this configuration.
- Config ip address for the loopback interface in switch DUT.
- Config the loopback address as TACACS+ source address.
- Check no route for the loopback address in TACACS+ server.
- Verfiy TACACS+ user login via ssh fails.
- Create a route for the loopback address in TACACS+ server.
- Verfiy TACACS+ user login via ssh succeeds.