diff --git a/lab-topologies/aaa-tacacs-exploration/README.ios-nxos.md b/lab-topologies/aaa-tacacs-exploration/README.ios-nxos.md new file mode 100644 index 0000000..45f0125 --- /dev/null +++ b/lab-topologies/aaa-tacacs-exploration/README.ios-nxos.md 
@@ -0,0 +1,376 @@ +# Exploring AAA / TACACS Device Administration Configuration in IOS and NX-OS. +![](topology-ios-nxos.jpg) + +Verifying the identity of the people who log into network, what each person is allowed to do on a network device, and tracking what was done is a critical part of network operations. Collectively these are known as "Triple A Services", or Authentication, Authorization, and Accounting. Another name used is "Role Based Access Control", or RBAC. + +TACACS+ is a common protocol used for RBAC / AAA on network devices, and this lab explores how to configure AAA on both IOS and NX-OS devices. + +> RADIUS is another protocol that can be used for device administration with AAA. + +A TACACS server must be available on the network for devices to send AAA requests to for validation. This lab leverages an open source `tac_plus` server as a lightweight service that can be easily installed on an Ubuntu host within the topology. For more information on `tac_plus` see the documentation for [`tac_plus`](https://manpages.ubuntu.com/manpages/trusty/man8/tac_plus.8.html) and [`tac_plus.conf`](https://manpages.ubuntu.com/manpages/trusty/man5/tac_plus.conf.5.html). The starting config for `aaa-server` installs `tac_plus` and deploys a basic TACACS configuration to support IOS and NX-OS hosts connecting for user authentication, role based authorization (administrator and operator), and accounting. The configuration file `tac_plus.conf` is located at `/etc/tacacs/tac_plus.conf`. You can modify this configuraiton file and restart `tac_plus` (`sudo systemctl restart tac_plus`) as part of your own learning. + +> Command authorization is not part of this lab guide, and the `tac_plus` server is ***NOT*** configured for command authorization as part of the initial configuration. Though you can update the `tac_plus.conf` file and experiment with command authorization on your own. 
+ +# Configuring an IOS device for TACACS device administration + +## Starting Configuration on `ios01` + +`ios01` has the following configuration applied as startup configuration to enable inbound SSH from `desktop` that is locally authenticated. + +``` +ip domain name lab.intra +crypto key generate rsa general-keys modulus 2048 +! +aaa new-model +! +username cisco priv 15 secret cisco +``` + + +## Ensuring the serial / console leverages local authentication +To provide safety and fallback access to devices, we will force the console line to only use local admin accounts. + +``` +aaa authentication login CONSOLE local +aaa authorization console +aaa authorization exec CONSOLE local +! +line con 0 + login authentication CONSOLE + authorization exec CONSOLE +! +``` + +## Configuring TACACS server as default AAA + +Start by identitying the interface that TACACS packets should be sourced from. This is often important because TACACS servers typically only respond to known hosts/addresses. + +``` +ip tacacs source-interface Ethernet0/0 +``` + +Now create the TACACS server entry for the server. Be sure to double check the "key" (secret) used for communications. + +> Note: Be careful to NOT add an extra "space" after the key. This can cause problems on some platforms. + +``` +tacacs server aaa-server + address ipv4 192.168.0.10 + key tacacs123 +! +``` + +Create a `aaa group` that includes the TACACS server. In a production environment, you would typically have at least 2 TACASC servers configured for fallback. + +``` +aaa group server tacacs+ AAA-TACACS + server name aaa-server +! +``` + +Test that the TACACS server is responding successfully. + +``` +test aaa group tacacs+ iosadmin admin123 legacy +``` + +Configure the authentication, authorization, and accounting policies. + +``` +aaa authentication login default group AAA-TACACS local +aaa authorization exec default group AAA-TACACS local +! 
+aaa accounting exec default start-stop group AAA-TACACS +aaa accounting commands 1 default start-stop group AAA-TACACS +aaa accounting commands 15 default start-stop group AAA-TACACS +! +``` + +## Testing the configuration + +Open the console for the `aaa-server` and monitor the service "journal" + +``` +journalctl -fu tac_plus +``` + +Open the console for the `desktop` and attempt to connect to `ios01` with SSH as the `iosadmin` user. + +``` +ssh iosadmin@192.168.0.1 +``` + +After you log in, run a command to verify access. + +``` +show ip interface brief +``` + +Check the output on the `aaa-server`. You should see messages for both the `authentication` and `authorization` + +``` +# Examples +Oct 07 21:30:36 aaa-server tac_plus[5704]: login query for 'iosadmin' port tty2 from 192.168.0.1 accepted +Oct 07 21:30:36 aaa-server tac_plus[5705]: connect from 192.168.0.1 [192.168.0.1] +Oct 07 21:30:36 aaa-server tac_plus[5705]: Start authorization request +Oct 07 21:30:36 aaa-server tac_plus[5705]: do_author: user='iosadmin' +Oct 07 21:30:36 aaa-server tac_plus[5705]: user 'iosadmin' found +Oct 07 21:30:36 aaa-server tac_plus[5705]: exec authorization request for iosadmin +Oct 07 21:30:36 aaa-server tac_plus[5705]: exec is explicitly permitted by line 4 +Oct 07 21:30:36 aaa-server tac_plus[5705]: nas:service=shell (passed thru) +Oct 07 21:30:36 aaa-server tac_plus[5705]: nas:cmd* (passed thru) +Oct 07 21:30:36 aaa-server tac_plus[5705]: nas:absent, server:priv-lvl=15 -> add priv-lvl=15 (k) +Oct 07 21:30:36 aaa-server tac_plus[5705]: added 1 args +Oct 07 21:30:36 aaa-server tac_plus[5705]: out_args[0] = service=shell input copy discarded +Oct 07 21:30:36 aaa-server tac_plus[5705]: out_args[1] = cmd* input copy discarded +Oct 07 21:30:36 aaa-server tac_plus[5705]: out_args[2] = priv-lvl=15 compacted to out_args[0] +Oct 07 21:30:36 aaa-server tac_plus[5705]: 1 output args +Oct 07 21:30:36 aaa-server tac_plus[5705]: authorization query for 'iosadmin' tty2 from 192.168.0.1 
accepted +``` + +Stop the journalctl monitor (`Cntrl-c`), and open the accounting log. + +``` +tail -f /var/log/tac_plus.acct +``` + +> Note: If the command fails and the file isn't found, return to the SSH session to the router and run a couple commands. The file isn't created until an accounting message is sent to the server. + +Run some more commands on `ios01`. Try some that are `priv 15` as well as `priv 1` + +``` +! Priv 1 +show ip route +! Priv 15 +write mem +``` + +Verify the accounting logs were received. + +Logout from the router, and log in as `iosoper`. Verify through the same logs that the user is given the correct access. + +# Configuring an NX-OS device for TACACS device administration + +## Enabling and configuring TACACS for AAA on `nxos01` +The Nexus network operating system requires features to be `enabled` before they can become available for configuration. Start by enabling `tacacs+`. + +``` +feature tacacs+ +``` + +Next configured `aaa-server` as a tacacs-server. + +``` +tacacs-server host 192.168.0.10 key tacacs123 +``` + +Create a server group for TACACS servers. Like with IOS, typically you would configured at least 2 `tacacs-server` entries for redundancy. + +> Nexus switches typically leverage a dedicated management interface (`mgmt0`) that is in a dedicated `management` VRF. Be sure to configure the settings on the group, otherwise the switch will default to using the "global" or "default" VRF to reach the TACACS server, which may fail. + +``` +aaa group server tacacs+ AAA-TACACS + server 192.168.0.10 + use-vrf management + source-interface mgmt0 +``` + +Test that the TACACS server is responding successfully. + +> Be sure to use the correct username for NX-OS devices. + +``` +test aaa group AAA-TACACS nxosadmin admin123 +``` + +Now configure `aaa authentication login` to leverage the server. + +> NX-OS automatically falls back to try `local` authentication if the TACACS servers are unreachable. 
So it is ***not*** explicitly added like with IOS. + +``` +aaa authentication login default group AAA-TACACS +``` + +Unlike IOS, NX-OS automatically performs `exec` authorization as part of the `authentication login` process. So no `aaa authorization` command is required. + +> If you explore the configuration commands, you will see `aaa authorization commands` as an option. This would check for explicit per-command authorization from the TACACS server whenever a user attempts to run a command. Command authorization is also supported on IOS devices. +> +> Command authorization is not part of this lab guide, and the `tac_plus` server is ***NOT*** configured for command authorization as part of the initial configuration. Though you can update the `tac_plus.conf` file and experiment with command authorization on your own. + +Lastly, enable AAA accounting + +``` +! Track "enable" mode, and priv 15 and 1 commands +aaa accounting default group AAA-TACACS +``` + +## Testing the configuration + +Open the console for the `aaa-server` and monitor the service "journal" + +``` +journalctl -fu tac_plus +``` + +Open the console for the `desktop` and attempt to connect to `nxos01` with SSH as the `nxosadmin` user. + +``` +ssh nxosadmin@192.168.0.2 +``` + +After you log in, verify role assigment. + +``` +show user-account nxosadmin + +! Output +user:nxosadmin + roles:network-admin vdc-admin +account created through REMOTE authentication +Credentials such as ssh server key will be cached temporarily only for this user + account +Local login not possible +``` + +Check the output on the `aaa-server`. 
You should see messages for both the `authentication` and `authorization` + +``` +# Examples +Oct 14 17:37:45 aaa-server tac_plus[5888]: connect from 192.168.0.2 [192.168.0.2] +Oct 14 17:37:45 aaa-server tac_plus[5888]: pap-login query for 'nxosadmin' port 0 from 192.168.0.2 accepted +Oct 14 17:37:46 aaa-server tac_plus[5889]: connect from 192.168.0.2 [192.168.0.2] +Oct 14 17:37:46 aaa-server tac_plus[5889]: Start authorization request +Oct 14 17:37:46 aaa-server tac_plus[5889]: do_author: user='nxosadmin' +Oct 14 17:37:46 aaa-server tac_plus[5889]: user 'nxosadmin' found +Oct 14 17:37:46 aaa-server tac_plus[5889]: exec authorization request for nxosadmin +Oct 14 17:37:46 aaa-server tac_plus[5889]: exec is explicitly permitted by line 20 +Oct 14 17:37:46 aaa-server tac_plus[5889]: nas:service=shell (passed thru) +Oct 14 17:37:46 aaa-server tac_plus[5889]: nas:cmd= (passed thru) +Oct 14 17:37:46 aaa-server tac_plus[5889]: nas:cisco-av-pair* svr:absent/deny -> delete cisco-av-pair* (i) +Oct 14 17:37:46 aaa-server tac_plus[5889]: nas:shell:roles* svr:shell:roles="network-admin vdc-admin" -> replace with shell:roles="network-admin vdc-admin" (f) +Oct 14 17:37:46 aaa-server tac_plus[5889]: replaced 2 args +Oct 14 17:37:46 aaa-server tac_plus[5889]: authorization query for 'nxosadmin' 0 from 192.168.0.2 accepted +Oct 14 17:37:46 aaa-server tac_plus[5890]: connect from 192.168.0.2 [192.168.0.2] +``` + +Stop the journalctl monitor (`Cntrl-c`), and open the accounting log. + +``` +tail -f /var/log/tac_plus.acct +``` + +You should see a `start` message for when you logged into the switch. + +``` +Oct 14 17:40:41 192.168.0.2 nxosadmin 0 192.168.0.11 start task_id=192.168.0.11@pts/3 start_time=1728927636 timezone=UTC service=none +``` + +Run the command `show version`. You will ***NOT*** see accounting messages on the server. NX-OS only supports command accounting for "admin" commands. + +Run the command `copy run start`. 
You should see a message such as: + +``` +Oct 14 17:51:51 192.168.0.2 nxosadmin 0 192.168.0.11 stop task_id=192.168.0.11@pts/3 start_time=1728928303 timezone=UTC cmd=copy running-config startup-config (SUCCESS) service=none +``` + +Try to configure a loopback interface. + +``` +config t +interface loop1 +``` + +You should see an accounting message. + +``` +Oct 14 17:51:04 192.168.0.2 nxosadmin 0 192.168.0.11 stop task_id=192.168.0.11@pts/3 start_time=1728928256 timezone=UTC cmd=configure terminal ; interface loopback1 (SUCCESS) service=none +``` + +Disconnect from the SSH session to `nxos01`. You should see a `stop` message in the accounting log. + +``` +Oct 14 17:40:44 192.168.0.2 nxosadmin 0 192.168.0.11 stop task_id=192.168.0.11@pts/3 start_time=1728927638 timezone=UTC stop_time=1728927638 service=none +``` + +Logout from the router, and log in as `tacoper`. Verify through the same logs that the user is given the correct access. + +# Other useful commands and references + +### Network Device Debug commands + +***IOS:*** + +``` +debug aaa authentication +debug aaa authorization +debug aaa accounting + +debug tacacs authentication +debug tacacs authorization +debug tacacs accounting +``` + +***NX-OS:*** + + +``` +debug aaa aaa-requests +debug tacacs aaa-requests +``` + +### Network Device Show commands + +**IOS:*** + + +``` +show tacacs +show aaa sessions +``` + +***NX-OS:*** + + +``` +show tacacs-server +show user-account +``` + +### Test AAA + +**IOS:*** + + +``` +test aaa group tacacs+ iosadmin admin123 legacy +``` + +**NX-OS:*** + + +``` +test aaa group AAA-TACACS nxosadmin admin123 +``` + + +### aaa-server logs + +***tac_plus logs:*** + + +``` +journalctl -fu tac_plus +tail -f /var/log/tac_plus.acct +tail -f /var/log/tac_plus.log +``` + +### tac_plus server maintenance + +***tac_plus srevice:*** + + +``` +systemctl status tac_plus +sudo systemctl stop tac_plus +sudo systemctl start tac_plus +``` \ No newline at end of file 
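Review bot: the last step of the NX-OS testing section tells the reader to log out and back in as `tacoper`, but no such account exists in this lab; the topology annotation in aaa-exploration-ios-nxos.yaml lists the operator account as `nxosoper / oper123` (the IOS section correctly uses `iosoper`), so a reader following the guide gets an authentication failure instead of the role check the step is meant to show. Suggest `Logout from the switch, and log in as `nxosoper`.` Smaller points in the same file: typos `configuraiton`, `identitying`, `TACASC`, `assigment`, `srevice`, `Next configured` -> `Next configure`, `you would configured` -> `you would configure`, `Cntrl-c` -> `Ctrl-c`; and the labels `**IOS:***` and `**NX-OS:***` under "Network Device Show commands" and "Test AAA" open with two asterisks and close with three, so Markdown will not render them as bold like the `***IOS:***` / `***NX-OS:***` labels above them.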
diff --git a/lab-topologies/aaa-tacacs-exploration/README.md b/lab-topologies/aaa-tacacs-exploration/README.md index bede228..2fd4936 100644 --- a/lab-topologies/aaa-tacacs-exploration/README.md +++ b/lab-topologies/aaa-tacacs-exploration/README.md 
@@ -1,8 +1,18 @@ # Exploring AAA / TACACS Configuration for IOS -Simple topology for practicing AAA TACACS configuration in IOS. +> Note: An alternative topology file [aaa-exploration-ios-nxos.yaml](aaa-exploration-ios-nxos.yaml) is available that adds a NX-OS switch to the topology and walks through configuring TACACS on this data center platform as well. ![](topology.jpg) +Verifying the identity of the people who log into network, what each person is allowed to do on a network device, and tracking what was done is a critical part of network operations. Collectively these are known as "Triple A Services", or Authentication, Authorization, and Accounting. Another name used is "Role Based Access Control", or RBAC. + +TACACS+ is a common protocol used for RBAC / AAA on network devices, and this lab explores how to configure AAA on both IOS and NX-OS devices. + +> RADIUS is another protocol that can be used for device administration with AAA. + +A TACACS server must be available on the network for devices to send AAA requests to for validation. This lab leverages an open source `tac_plus` server as a lightweight service that can be easily installed on an Ubuntu host within the topology. For more information on `tac_plus` see the documentation for [`tac_plus`](https://manpages.ubuntu.com/manpages/trusty/man8/tac_plus.8.html) and [`tac_plus.conf`](https://manpages.ubuntu.com/manpages/trusty/man5/tac_plus.conf.5.html). The starting config for `aaa-server` installs `tac_plus` and deploys a basic TACACS configuration to support IOS and NX-OS hosts connecting for user authentication, role based authorization (administrator and operator), and accounting. The configuration file `tac_plus.conf` is located at `/etc/tacacs/tac_plus.conf`. You can modify this configuraiton file and restart `tac_plus` (`sudo systemctl restart tac_plus`) as part of your own learning. 
+ +> Command authorization is not part of this lab guide, and the `tac_plus` server is ***NOT*** configured for command authorization as part of the initial configuration. Though you can update the `tac_plus.conf` file and experiment with command authorization on your own. + ## Starting Configuration `rtr1` has the following configuration applied as startup configuration to enable inbound SSH from `desktop` that is locally authenticated. diff --git a/lab-topologies/aaa-tacacs-exploration/Snack_Minute_AAA_TACACS_Exploration.yaml b/lab-topologies/aaa-tacacs-exploration/Snack_Minute_AAA_TACACS_Exploration.yaml index 9b50a45..0348c05 100644 --- a/lab-topologies/aaa-tacacs-exploration/Snack_Minute_AAA_TACACS_Exploration.yaml +++ b/lab-topologies/aaa-tacacs-exploration/Snack_Minute_AAA_TACACS_Exploration.yaml 
@@ -481,6 +481,16 @@ lab: notes: |- # Exploring AAA / TACACS Configuration for IOS + Verifying the identity of the people who log into network, what each person is allowed to do on a network device, and tracking what was done is a critical part of network operations. Collectively these are known as "Triple A Services", or Authentication, Authorization, and Accounting. Another name used is "Role Based Access Control", or RBAC. + + TACACS+ is a common protocol used for RBAC / AAA on network devices, and this lab explores how to configure AAA on both IOS and NX-OS devices. + + > RADIUS is another protocol that can be used for device administration with AAA. + + A TACACS server must be available on the network for devices to send AAA requests to for validation. This lab leverages an open source `tac_plus` server as a lightweight service that can be easily installed on an Ubuntu host within the topology. For more information on `tac_plus` see the documentation for [`tac_plus`](https://manpages.ubuntu.com/manpages/trusty/man8/tac_plus.8.html) and [`tac_plus.conf`](https://manpages.ubuntu.com/manpages/trusty/man5/tac_plus.conf.5.html). The starting config for `aaa-server` installs `tac_plus` and deploys a basic TACACS configuration to support IOS and NX-OS hosts connecting for user authentication, role based authorization (administrator and operator), and accounting. The configuration file `tac_plus.conf` is located at `/etc/tacacs/tac_plus.conf`. You can modify this configuraiton file and restart `tac_plus` (`sudo systemctl restart tac_plus`) as part of your own learning. + + > Command authorization is not part of this lab guide, and the `tac_plus` server is ***NOT*** configured for command authorization as part of the initial configuration. Though you can update the `tac_plus.conf` file and experiment with command authorization on your own. 
+ ## Starting Configuration `rtr1` has the following configuration applied as startup configuration to enable inbound SSH from `desktop` that is locally authenticated. diff --git a/lab-topologies/aaa-tacacs-exploration/aaa-exploration-ios-nxos.yaml b/lab-topologies/aaa-tacacs-exploration/aaa-exploration-ios-nxos.yaml new file mode 100644 index 0000000..ad92062 --- /dev/null +++ b/lab-topologies/aaa-tacacs-exploration/aaa-exploration-ios-nxos.yaml 
@@ -0,0 +1,1007 @@ +annotations: + - border_color: '#00000000' + border_style: '' + color: '#808080FF' + rotation: 0 + text_bold: false + text_content: 192.168.0.10 + text_font: monospace + text_italic: false + text_size: 10 + text_unit: pt + thickness: 1 + type: text + x1: -605.0 + y1: -74.0 + z_index: 0 + - border_color: '#00000000' + border_style: '' + color: '#808080FF' + rotation: 0 + text_bold: false + text_content: 192.168.0.11 + text_font: monospace + text_italic: false + text_size: 10 + text_unit: pt + thickness: 1 + type: text + x1: -285.0 + y1: -73.0 + z_index: 0 + - border_color: '#00000000' + border_style: '' + color: '#808080FF' + rotation: 0 + text_bold: false + text_content: 192.168.0.1 + text_font: monospace + text_italic: false + text_size: 10 + text_unit: pt + thickness: 1 + type: text + x1: -446.3066108896985 + y1: 47.653305444849266 + z_index: 0 + - border_color: '#00000000' + border_style: '' + color: '#808080FF' + rotation: 0 + text_bold: false + text_content: cisco / cisco + text_font: monospace + text_italic: false + text_size: 8 + text_unit: pt + thickness: 1 + type: text + x1: -599.75 + y1: -55.5 + z_index: 1 + - border_color: '#00000000' + border_style: '' + color: '#808080FF' + rotation: 0 + text_bold: false + text_content: cisco / cisco + text_font: monospace + text_italic: false + text_size: 8 + text_unit: pt + thickness: 1 + type: text + x1: -278.75 + y1: -53.5 + z_index: 1 + - border_color: '#00000000' + border_style: '' + color: '#808080FF' + rotation: 0 + text_bold: false + text_content: |- + User Accounts: + IOS Devices: (ios01) + iosadmin / admin123 (priv 15) + iosoper / oper123 (priv 1) + NX-OS Devices: (nxos01) + nxosadmin / admin123 (role network-admin) + nxosoper / oper123 (role network-oper) + + Secret / Key: tacacs123 + + Log Files + Authentication / Authorization: journalctl -fu tac_plus + Accounting: tail -f /var/log/tac_plus.acct + text_font: monospace + text_italic: false + text_size: 10 + text_unit: pt + thickness: 1 
+ type: text + x1: -160.43785341324337 + y1: -244.7193548844158 + z_index: 2 + - border_color: '#00000000' + border_style: '' + color: '#808080FF' + rotation: 0 + text_bold: false + text_content: cisco / cisco + text_font: monospace + text_italic: false + text_size: 8 + text_unit: pt + thickness: 1 + type: text + x1: -443.7290720829766 + y1: 67.39536041488296 + z_index: 1 + - border_color: '#00000000' + border_style: '' + color: '#0C0C0C' + rotation: 0 + text_bold: true + text_content: Exploring AAA / TACACS Configuration for Device Administration in + IOS and NX-OS + text_font: monospace + text_italic: false + text_size: 13 + text_unit: pt + thickness: 1 + type: text + x1: -682.0997946295324 + y1: -332.6838112360871 + z_index: 3 + - border_color: '#00000000' + border_style: '' + color: '#808080FF' + rotation: 0 + text_bold: false + text_content: 192.168.0.2 + text_font: monospace + text_italic: false + text_size: 10 + text_unit: pt + thickness: 1 + type: text + x1: -325.0 + y1: 47.0 + z_index: 0 + - border_color: '#00000000' + border_style: '' + color: '#525151' + rotation: 0 + text_bold: true + text_content: TACACS Server Information + text_font: monospace + text_italic: false + text_size: 12 + text_unit: pt + thickness: 1 + type: text + x1: -160.0 + y1: -280.0 + z_index: 4 + - border_color: '#00000000' + border_style: '' + color: '#525151' + rotation: 0 + text_bold: true + text_content: _________________________ + text_font: monospace + text_italic: false + text_size: 12 + text_unit: pt + thickness: 1 + type: text + x1: -160.0 + y1: -280.0 + z_index: 0 + - border_color: '#00000000' + border_style: '' + color: '#808080FF' + rotation: 0 + text_bold: false + text_content: cisco / cisco + text_font: monospace + text_italic: false + text_size: 8 + text_unit: pt + thickness: 1 + type: text + x1: -323.7290720829766 + y1: 67.39536041488296 + z_index: 1 +nodes: + - boot_disk_size: null + configuration: [] + cpu_limit: null + cpus: null + data_volume: null + hide_links: 
false + id: n0 + image_definition: null + label: internet + node_definition: external_connector + parameters: {} + ram: null + tags: [] + x: -680 + y: -240 + interfaces: + - id: i0 + label: port + slot: 0 + type: physical + - boot_disk_size: null + configuration: [] + cpu_limit: null + cpus: null + data_volume: null + hide_links: false + id: n1 + image_definition: null + label: internet-sw + node_definition: unmanaged_switch + parameters: {} + ram: null + tags: [] + x: -680 + y: -120 + interfaces: + - id: i0 + label: port0 + slot: 0 + type: physical + - id: i1 + label: port1 + slot: 1 + type: physical + - id: i2 + label: port2 + slot: 2 + type: physical + - id: i3 + label: port3 + slot: 3 + type: physical + - id: i4 + label: port4 + slot: 4 + type: physical + - id: i5 + label: port5 + slot: 5 + type: physical + - id: i6 + label: port6 + slot: 6 + type: physical + - id: i7 + label: port7 + slot: 7 + type: physical + - boot_disk_size: null + configuration: [] + cpu_limit: null + cpus: null + data_volume: null + hide_links: false + id: n2 + image_definition: null + label: lab-sw + node_definition: unmanaged_switch + parameters: {} + ram: null + tags: [] + x: -400 + y: -120 + interfaces: + - id: i0 + label: port0 + slot: 0 + type: physical + - id: i1 + label: port1 + slot: 1 + type: physical + - id: i2 + label: port2 + slot: 2 + type: physical + - id: i3 + label: port3 + slot: 3 + type: physical + - id: i4 + label: port4 + slot: 4 + type: physical + - id: i5 + label: port5 + slot: 5 + type: physical + - id: i6 + label: port6 + slot: 6 + type: physical + - id: i7 + label: port7 + slot: 7 + type: physical + - boot_disk_size: null + configuration: + - name: ios_config.txt + content: |- + hostname ios01 + ! + ! In order to avoid entering a configuration dialog + ! on boot, please ensure that all ethernet interfaces + ! have some ip configuration present here such as the + ! example below: + ! + interface range Ethernet 0/0 - 3 + no ip address + shutdown + ! 
+ no ip domain lookup + ip domain name lab.intra + crypto key generate rsa general-keys modulus 2048 + ! + aaa new-model + ! + username cisco priv 15 secret cisco + ! + interface Eth0/0 + no shutdown + ip address 192.168.0.1 255.255.255.0 + exit + ! + end + cpu_limit: null + cpus: null + data_volume: null + hide_links: false + id: n3 + image_definition: null + label: ios01 + node_definition: iol-xe + parameters: {} + ram: null + tags: [] + x: -400 + y: 0 + interfaces: + - id: i0 + label: Loopback0 + type: loopback + - id: i1 + label: Ethernet0/0 + slot: 0 + type: physical + - id: i2 + label: Ethernet0/1 + slot: 1 + type: physical + - id: i3 + label: Ethernet0/2 + slot: 2 + type: physical + - id: i4 + label: Ethernet0/3 + slot: 3 + type: physical + - boot_disk_size: null + configuration: + - name: node.cfg + content: |- + # this is a shell script which will be sourced at boot + hostname desktop + # configurable user account + USERNAME=cisco + PASSWORD=cisco + # Network Settings + ip address add 192.168.0.11/24 dev eth0 + cpu_limit: null + cpus: null + data_volume: null + hide_links: false + id: n4 + image_definition: null + label: desktop + node_definition: desktop + parameters: {} + ram: null + tags: [] + x: -240 + y: -120 + interfaces: + - id: i0 + label: eth0 + slot: 0 + type: physical + - id: i1 + label: eth1 + slot: 1 + type: physical + - boot_disk_size: null + configuration: + - name: nxos_config.txt + content: |- + hostname nxos01 + # workaround for booting to loader> prompt + echo 'from cli import cli' > set_boot.py + echo 'import json' >> set_boot.py + echo 'import os' >> set_boot.py + echo 'import time' >> set_boot.py + echo 'bootimage = json.loads(cli("show version | json"))["nxos_file_name"]' >> set_boot.py + echo 'set_boot = cli("conf t ; boot nxos {} ; no event manager applet BOOTCONFIG".format(bootimage))' >> set_boot.py + echo 'i = 0' >> set_boot.py + echo 'while i < 10:' >> set_boot.py + echo ' try:' >> set_boot.py + echo ' save_config = cli("copy 
running-config startup-config")' >> set_boot.py + echo ' break' >> set_boot.py + echo ' except Exception:' >> set_boot.py + echo ' i += 1' >> set_boot.py + echo ' time.sleep(1)' >> set_boot.py + echo 'os.remove("/bootflash/set_boot.py")' >> set_boot.py + event manager applet BOOTCONFIG + event syslog pattern "Configured from vty" + action 1.0 cli python bootflash:set_boot.py + # minimum needed config to login + no password strength-check + username admin role network-admin + username admin password cisco role network-admin + username cisco role network-admin + username cisco password cisco role network-admin + ! + interface mgmt0 + ip address 192.168.0.2/24 + no shutdown + ! + cpu_limit: null + cpus: null + data_volume: null + hide_links: false + id: n5 + image_definition: null + label: nxos01 + node_definition: nxosv9000 + parameters: {} + ram: null + tags: [] + x: -280 + y: 0 + interfaces: + - id: i0 + label: Loopback0 + type: loopback + - id: i1 + label: mgmt0 + slot: 0 + type: physical + - id: i2 + label: Ethernet1/1 + slot: 1 + type: physical + - id: i3 + label: Ethernet1/2 + slot: 2 + type: physical + - id: i4 + label: Ethernet1/3 + slot: 3 + type: physical + - boot_disk_size: null + configuration: + - name: user-data + content: |- + #cloud-config + hostname: aaa-server + manage_etc_hosts: True + system_info: + default_user: + name: cisco + password: cisco + chpasswd: { expire: False } + ssh_pwauth: True + ssh_authorized_keys: + - your-ssh-pubkey-line-goes-here + + # Install requirements for tac_plus + package_update: true + packages: + - wget + - make + - gcc + - flex + - bison + - libwrap0-dev + - python3.10-venv + + write_files: + # Create the tac_plus configuration file + - path: /etc/tacacs/tac_plus.conf + content: | + key = tacacs123 + + # IOS Users - Exec Authorization done by priv level + user = iosadmin { + login = cleartext admin123 + service = exec { + priv-lvl = 15 + } + } + user = iosoper { + login = cleartext oper123 + service = exec { + 
priv-lvl = 1 + } + } + + # NX-OS Users - Exec Authorization done by roles + user = nxosadmin { + pap = cleartext admin123 + service = exec { + shell:roles="\"network-admin vdc-admin\"" + } + } + user = nxosoper { + pap = cleartext oper123 + service = exec { + shell:roles="\"network-operator vdc-operator\"" + } + } + + # Create a systemd service to manage tac_plus + - path: /etc/systemd/system/tac_plus.service + content: | + [Unit] + Description=tac_plus Service + After=network.target + [Service] + Type=simple + ExecStart=/tacacs/sbin/tac_plus -G -C /etc/tacacs/tac_plus.conf -d 8 -d 16 -l /var/log/tac_plus.log + [Install] + WantedBy=multi-user.target + + runcmd: + # Download tac_plus source code and un-tar it + - wget https://shrubbery.net/pub/tac_plus/tacacs-F4.0.4.28.tar.gz -O /opt/tacacs-F4.0.4.28.tar.gz + - cd /opt && tar -xzf tacacs-F4.0.4.28.tar.gz + # Compile and install tac_plus + - cd /opt/tacacs-F4.0.4.28 && ./configure --prefix=/tacacs && make && make install + # Enable and start the systemd service + - systemctl enable tac_plus + - systemctl start tac_plus + # Configure "inside" network adapter + # Note: ens2 is connected to internet through NAT ext-con and + # required to download the software + - ip address add 192.168.0.10/24 dev ens3 + - ip link set up dev ens3 + cpu_limit: null + cpus: null + data_volume: null + hide_links: false + id: n6 + image_definition: ubuntu-22-04-20240126 + label: aaa-server + node_definition: ubuntu + parameters: {} + ram: null + tags: [] + x: -560 + y: -120 + interfaces: + - id: i0 + label: ens2 + slot: 0 + type: physical + - id: i1 + label: ens3 + slot: 1 + type: physical +links: + - id: l0 + n1: n1 + n2: n0 + i1: i0 + i2: i0 + conditioning: {} + label: internet-sw-port0<->internet-port + - id: l1 + n1: n3 + n2: n2 + i1: i1 + i2: i1 + conditioning: {} + label: rtr1-Ethernet0/0<->lab-sw-port1 + - id: l2 + n1: n4 + n2: n2 + i1: i0 + i2: i2 + conditioning: {} + label: desktop-eth0<->lab-sw-port2 + - id: l3 + n1: n5 + n2: n2 
+ i1: i1 + i2: i3 + conditioning: {} + label: nexus1-mgmt0<->lab-sw-port3 + - id: l4 + n1: n6 + n2: n1 + i1: i0 + i2: i1 + conditioning: {} + label: aaa-server-ens2<->internet-sw-port1 + - id: l5 + n1: n6 + n2: n2 + i1: i1 + i2: i4 + conditioning: {} + label: aaa-server-ens3<->lab-sw-port4 +lab: + description: Simple topology for practicing AAA TACACS device administration configuration + in IOS and NX-OS + notes: |- + # Exploring AAA / TACACS Device Administration Configuration + Verifying the identity of the people who log into network, what each person is allowed to do on a network device, and tracking what was done is a critical part of network operations. Collectively these are known as "Triple A Services", or Authentication, Authorization, and Accounting. Another name used is "Role Based Access Control", or RBAC. + + TACACS+ is a common protocol used for RBAC / AAA on network devices, and this lab explores how to configure AAA on both IOS and NX-OS devices. + + > RADIUS is another protocol that can be used for device administration with AAA. + + A TACACS server must be available on the network for devices to send AAA requests to for validation. This lab leverages an open source `tac_plus` server as a lightweight service that can be easily installed on an Ubuntu host within the topology. For more information on `tac_plus` see the documentation for [`tac_plus`](https://manpages.ubuntu.com/manpages/trusty/man8/tac_plus.8.html) and [`tac_plus.conf`](https://manpages.ubuntu.com/manpages/trusty/man5/tac_plus.conf.5.html). The starting config for `aaa-server` installs `tac_plus` and deploys a basic TACACS configuration to support IOS and NX-OS hosts connecting for user authentication, role based authorization (administrator and operator), and accounting. The configuration file `tac_plus.conf` is located at `/etc/tacacs/tac_plus.conf`. You can modify this configuraiton file and restart `tac_plus` (`sudo systemctl restart tac_plus`) as part of your own learning. 
+ + > Command authorization is not part of this lab guide, and the `tac_plus` server is ***NOT*** configured for command authorization as part of the initial configuration. Though you can update the `tac_plus.conf` file and experiment with command authorization on your own. + + # Configuring an IOS device for TACACS device administration + + ## Starting Configuration on `ios01` + + `ios01` has the following configuration applied as startup configuration to enable inbound SSH from `desktop` that is locally authenticated. + + ``` + ip domain name lab.intra + crypto key generate rsa general-keys modulus 2048 + ! + aaa new-model + ! + username cisco priv 15 secret cisco + ``` + + + ## Ensuring the serial / console leverages local authentication + To provide safety and fallback access to devices, we will force the console line to only use local admin accounts. + + ``` + aaa authentication login CONSOLE local + aaa authorization console + aaa authorization exec CONSOLE local + ! + line con 0 + login authentication CONSOLE + authorization exec CONSOLE + ! + ``` + + ## Configuring TACACS server as default AAA + + Start by identitying the interface that TACACS packets should be sourced from. This is often important because TACACS servers typically only respond to known hosts/addresses. + + ``` + ip tacacs source-interface Ethernet0/0 + ``` + + Now create the TACACS server entry for the server. Be sure to double check the "key" (secret) used for communications. + + > Note: Be careful to NOT add an extra "space" after the key. This can cause problems on some platforms. + + ``` + tacacs server aaa-server + address ipv4 192.168.0.10 + key tacacs123 + ! + ``` + + Create a `aaa group` that includes the TACACS server. In a production environment, you would typically have at least 2 TACASC servers configured for fallback. + + ``` + aaa group server tacacs+ AAA-TACACS + server name aaa-server + ! + ``` + + Test that the TACACS server is responding successfully. 
+ + ``` + test aaa group tacacs+ iosadmin admin123 legacy + ``` + + Configure the authentication, authorization, and accounting policies. + + ``` + aaa authentication login default group AAA-TACACS local + aaa authorization exec default group AAA-TACACS local + ! + aaa accounting exec default start-stop group AAA-TACACS + aaa accounting commands 1 default start-stop group AAA-TACACS + aaa accounting commands 15 default start-stop group AAA-TACACS + ! + ``` + + ## Testing the configuration + + Open the console for the `aaa-server` and monitor the service "journal" + + ``` + journalctl -fu tac_plus + ``` + + Open the console for the `desktop` and attempt to connect to `ios01` with SSH as the `iosadmin` user. + + ``` + ssh iosadmin@192.168.0.1 + ``` + + After you log in, run a command to verify access. + + ``` + show ip interface brief + ``` + + Check the output on the `aaa-server`. You should see messages for both the `authentication` and `authorization` + + ``` + # Examples + Oct 07 21:30:36 aaa-server tac_plus[5704]: login query for 'iosadmin' port tty2 from 192.168.0.1 accepted + Oct 07 21:30:36 aaa-server tac_plus[5705]: connect from 192.168.0.1 [192.168.0.1] + Oct 07 21:30:36 aaa-server tac_plus[5705]: Start authorization request + Oct 07 21:30:36 aaa-server tac_plus[5705]: do_author: user='iosadmin' + Oct 07 21:30:36 aaa-server tac_plus[5705]: user 'iosadmin' found + Oct 07 21:30:36 aaa-server tac_plus[5705]: exec authorization request for iosadmin + Oct 07 21:30:36 aaa-server tac_plus[5705]: exec is explicitly permitted by line 4 + Oct 07 21:30:36 aaa-server tac_plus[5705]: nas:service=shell (passed thru) + Oct 07 21:30:36 aaa-server tac_plus[5705]: nas:cmd* (passed thru) + Oct 07 21:30:36 aaa-server tac_plus[5705]: nas:absent, server:priv-lvl=15 -> add priv-lvl=15 (k) + Oct 07 21:30:36 aaa-server tac_plus[5705]: added 1 args + Oct 07 21:30:36 aaa-server tac_plus[5705]: out_args[0] = service=shell input copy discarded + Oct 07 21:30:36 aaa-server 
tac_plus[5705]: out_args[1] = cmd* input copy discarded + Oct 07 21:30:36 aaa-server tac_plus[5705]: out_args[2] = priv-lvl=15 compacted to out_args[0] + Oct 07 21:30:36 aaa-server tac_plus[5705]: 1 output args + Oct 07 21:30:36 aaa-server tac_plus[5705]: authorization query for 'iosadmin' tty2 from 192.168.0.1 accepted + ``` + + Stop the journalctl monitor (`Cntrl-c`), and open the accounting log. + + ``` + tail -f /var/log/tac_plus.acct + ``` + + > Note: If the command fails and the file isn't found, return to the SSH session to the router and run a couple commands. The file isn't created until an accounting message is sent to the server. + + Run some more commands on `ios01`. Try some that are `priv 15` as well as `priv 1` + + ``` + ! Priv 1 + show ip route + ! Priv 15 + write mem + ``` + + Verify the accounting logs were received. + + Logout from the router, and log in as `iosoper`. Verify through the same logs that the user is given the correct access. + + # Configuring an NX-OS device for TACACS device administration + + ## Enabling and configuring TACACS for AAA on `nxos01` + The Nexus network operating system requires features to be `enabled` before they can become available for configuration. Start by enabling `tacacs+`. + + ``` + feature tacacs+ + ``` + + Next configured `aaa-server` as a tacacs-server. + + ``` + tacacs-server host 192.168.0.10 key tacacs123 + ``` + + Create a server group for TACACS servers. Like with IOS, typically you would configured at least 2 `tacacs-server` entries for redundancy. + + > Nexus switches typically leverage a dedicated management interface (`mgmt0`) that is in a dedicated `management` VRF. Be sure to configure the settings on the group, otherwise the switch will default to using the "global" or "default" VRF to reach the TACACS server, which may fail. 
+ + ``` + aaa group server tacacs+ AAA-TACACS + server 192.168.0.10 + use-vrf management + source-interface mgmt0 + ``` + + Test that the TACACS server is responding successfully. + + > Be sure to use the correct username for NX-OS devices. + + ``` + test aaa group AAA-TACACS nxosadmin admin123 + ``` + + Now configure `aaa authentication login` to leverage the server. + + > NX-OS automatically falls back to try `local` authentication if the TACACS servers are unreachable. So it is ***not*** explicitly added like with IOS. + + ``` + aaa authentication login default group AAA-TACACS + ``` + + Unlike IOS, NX-OS automatically performs `exec` authorization as part of the `authentication login` process. So no `aaa authorization` command is required. + + > If you explore the configuration commands, you will see `aaa authorization commands` as an option. This would check for explicit per-command authorization from the TACACS server whenever a user attempts to run a command. Command authorization is also supported on IOS devices. + > + > Command authorization is not part of this lab guide, and the `tac_plus` server is ***NOT*** configured for command authorization as part of the initial configuration. Though you can update the `tac_plus.conf` file and experiment with command authorization on your own. + + Lastly, enable AAA accounting + + ``` + ! Track "enable" mode, and priv 15 and 1 commands + aaa accounting default group AAA-TACACS + ``` + + ## Testing the configuration + + Open the console for the `aaa-server` and monitor the service "journal" + + ``` + journalctl -fu tac_plus + ``` + + Open the console for the `desktop` and attempt to connect to `nxos01` with SSH as the `nxosadmin` user. + + ``` + ssh nxosadmin@192.168.0.2 + ``` + + After you log in, verify role assigment. + + ``` + show user-account nxosadmin + + ! 
Output + user:nxosadmin + roles:network-admin vdc-admin + account created through REMOTE authentication + Credentials such as ssh server key will be cached temporarily only for this user + account + Local login not possible + ``` + + Check the output on the `aaa-server`. You should see messages for both the `authentication` and `authorization` + + ``` + # Examples + Oct 14 17:37:45 aaa-server tac_plus[5888]: connect from 192.168.0.2 [192.168.0.2] + Oct 14 17:37:45 aaa-server tac_plus[5888]: pap-login query for 'nxosadmin' port 0 from 192.168.0.2 accepted + Oct 14 17:37:46 aaa-server tac_plus[5889]: connect from 192.168.0.2 [192.168.0.2] + Oct 14 17:37:46 aaa-server tac_plus[5889]: Start authorization request + Oct 14 17:37:46 aaa-server tac_plus[5889]: do_author: user='nxosadmin' + Oct 14 17:37:46 aaa-server tac_plus[5889]: user 'nxosadmin' found + Oct 14 17:37:46 aaa-server tac_plus[5889]: exec authorization request for nxosadmin + Oct 14 17:37:46 aaa-server tac_plus[5889]: exec is explicitly permitted by line 20 + Oct 14 17:37:46 aaa-server tac_plus[5889]: nas:service=shell (passed thru) + Oct 14 17:37:46 aaa-server tac_plus[5889]: nas:cmd= (passed thru) + Oct 14 17:37:46 aaa-server tac_plus[5889]: nas:cisco-av-pair* svr:absent/deny -> delete cisco-av-pair* (i) + Oct 14 17:37:46 aaa-server tac_plus[5889]: nas:shell:roles* svr:shell:roles="network-admin vdc-admin" -> replace with shell:roles="network-admin vdc-admin" (f) + Oct 14 17:37:46 aaa-server tac_plus[5889]: replaced 2 args + Oct 14 17:37:46 aaa-server tac_plus[5889]: authorization query for 'nxosadmin' 0 from 192.168.0.2 accepted + Oct 14 17:37:46 aaa-server tac_plus[5890]: connect from 192.168.0.2 [192.168.0.2] + ``` + + Stop the journalctl monitor (`Cntrl-c`), and open the accounting log. + + ``` + tail -f /var/log/tac_plus.acct + ``` + + You should see a `start` message for when you logged into the switch. 
+ + ``` + Oct 14 17:40:41 192.168.0.2 nxosadmin 0 192.168.0.11 start task_id=192.168.0.11@pts/3 start_time=1728927636 timezone=UTC service=none + ``` + + Run the command `show version`. You will ***NOT*** see accounting messages on the server. NX-OS only supports command accounting for "admin" commands. + + Run the command `copy run start`. You should see a message such as: + + ``` + Oct 14 17:51:51 192.168.0.2 nxosadmin 0 192.168.0.11 stop task_id=192.168.0.11@pts/3 start_time=1728928303 timezone=UTC cmd=copy running-config startup-config (SUCCESS) service=none + ``` + + Try to configure a loopback interface. + + ``` + config t + interface loop1 + ``` + + You should see an accounting message. + + ``` + Oct 14 17:51:04 192.168.0.2 nxosadmin 0 192.168.0.11 stop task_id=192.168.0.11@pts/3 start_time=1728928256 timezone=UTC cmd=configure terminal ; interface loopback1 (SUCCESS) service=none + ``` + + Disconnect from the SSH session to `nxos01`. You should see a `stop` message in the accounting log. + + ``` + Oct 14 17:40:44 192.168.0.2 nxosadmin 0 192.168.0.11 stop task_id=192.168.0.11@pts/3 start_time=1728927638 timezone=UTC stop_time=1728927638 service=none + ``` + + Logout from the router, and log in as `tacoper`. Verify through the same logs that the user is given the correct access. 
+ + # Other useful commands and references + + ### Network Device Debug commands + + ***IOS:*** + + ``` + debug aaa authentication + debug aaa authorization + debug aaa accounting + + debug tacacs authentication + debug tacacs authorization + debug tacacs accounting + ``` + + ***NX-OS:*** + + + ``` + debug aaa aaa-requests + debug tacacs aaa-requests + ``` + + ### Network Device Show commands + + **IOS:*** + + + ``` + show tacacs + show aaa sessions + ``` + + ***NX-OS:*** + + + ``` + show tacacs-server + show user-account + ``` + + ### Test AAA + + **IOS:*** + + + ``` + test aaa group tacacs+ iosadmin admin123 legacy + ``` + + **NX-OS:*** + + + ``` + test aaa group AAA-TACACS nxosadmin admin123 + ``` + + + ### aaa-server logs + + ***tac_plus logs:*** + + + ``` + journalctl -fu tac_plus + tail -f /var/log/tac_plus.acct + tail -f /var/log/tac_plus.log + ``` + + ### tac_plus server maintenance + + ***tac_plus srevice:*** + + + ``` + systemctl status tac_plus + sudo systemctl stop tac_plus + sudo systemctl start tac_plus + ``` + title: 'AAA TACACS IOS and NX-OS Exploration ' + version: 0.2.2 diff --git a/lab-topologies/aaa-tacacs-exploration/topology-ios-nxos.jpg b/lab-topologies/aaa-tacacs-exploration/topology-ios-nxos.jpg new file mode 100644 index 0000000..a2faf9d Binary files /dev/null and b/lab-topologies/aaa-tacacs-exploration/topology-ios-nxos.jpg differ
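Review bot: In the `runcmd` block of the `aaa-server` node, the `wget` of `tacacs-F4.0.4.28.tar.gz` is untarred, compiled and installed as root with no integrity check, so the host runs whatever the download server happens to return; add a pinned digest step between the download and the extract, e.g. `- echo "<sha256-placeholder>  /opt/tacacs-F4.0.4.28.tar.gz" | sha256sum -c` so a mismatch fails the build. Same block: cloud-init `runcmd` runs only on first boot, so `ip address add 192.168.0.10/24 dev ens3` and `ip link set up dev ens3` will not survive a reboot of the node and the TACACS server will silently disappear from the lab network; a netplan/network-config entry for `ens3` is the persistent equivalent. In the `tac_plus.conf` content, every account is defined with `pap = cleartext ...` and the shared key is a cleartext literal; that is fine for a disposable lab, but the notes should say so explicitly, since the same file shape is what people copy into production, where `tac_plus.conf` supports hashed `des` passwords instead.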
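Review bot: The last step of the NX-OS testing section says to log in as `tacoper`, but the server config in this same patch defines `nxosoper` (and the IOS section correctly uses `iosoper`); with the wrong username the reader's login is rejected and the operator-role check cannot be completed. In the NX-OS accounting fence, the comment `! Track "enable" mode, and priv 15 and 1 commands` is carried over from the IOS section and does not describe `aaa accounting default group AAA-TACACS`; the later text that NX-OS only accounts "admin" commands is the accurate description, so the comment should be dropped or reworded. Under "Network Device Show commands" and "Test AAA" the labels `**IOS:***` and `**NX-OS:***` have unbalanced asterisks and will not render as bold like the `***IOS:***` labels above them. It would also help the IOS section to state that the `local` keyword in `aaa authentication login default group AAA-TACACS local` is used only when the TACACS group is unreachable, not when the server rejects the credentials, since readers often expect the opposite when testing fallback. Minor typos in the notes: "identitying", "configuraiton", "TACASC", "assigment", "srevice", "Next configured" (should be "Next configure"), "typically you would configured", and "Logout from the router" at the end of the NX-OS section, where the device is the switch.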