Does Cumulus support TACACS integration? If yes, can you share the steps/document for the same.


Can you share the document to integrate Cumulus with a TACACS server.
Thanks in advance.

Hey Athimoolam,

If you own a Cumulus Linux license, feel free to open a support case if you get stuck, but here are the official documents:

https://docs.cumulusnetworks.com/pages/viewpage.action?pageId=5118449

Thank you so much, Sean, for your help.

Athimoolam, I'd be very interested in any feedback on your use of this TACACS+ client code, since it's an EA (Early Access) feature in CL 3.1. I'm the engineer working on AAA code. Just to be sure you see it, this is "AA", not "AAA", because per-command authorization is not implemented.

Dave Olson wrote:

Athimoolam, I'd be very interested in any feedback on your use of this TACACS+ client code, since...

Do you have the config setup for the server side using shrubbery's tac_plus? The daemon seems to keep getting tripped up on authorization, even at Auth 15.

Dave Olson wrote:

Athimoolam, I'd be very interested in any feedback on your use of this TACACS+ client code, since...

I've not yet heard from anybody using the shrubbery tacacs server. If you are on CL 3.2, though (or can move to it), the CL tacplus-client set of packages may make it easier to debug connection issues. See https://docs.cumulusnetworks.com/display/DOCS/TACACS+Plus especially the troubleshooting section.

If you can't figure it out with that, I can try to help you debug, since I'd like to hear about yet another server that works (or if it doesn't work, why not, and how to fix it).

I have seen a few messages that the generic libpam-tacplus code does work with the shrubbery server.

Dave Olson wrote:

Athimoolam, I'd be very interested in any feedback on your use of this TACACS+ client code, since...

I keep getting
"user/group tacacs15/tacacs does not have permission to make networking changes"

Using Auth and NSS. The server gives me

Start authorization request
do_author: user='xxxx'
user 'xxxx' found
authorize_cmd: user=xxxx, cmd=net
cmd net does not exist, permitted by default
After authorization call: /bin/bash /app/tacacs/etc/pc_do-auth.sh $name /app/tacacs/etc/allow.qa_net
input
input task_id=7763
input protocol=ssh
input service=shell
input cmd=net
input cmd-arg=add
input cmd-arg=bgp
input cmd-arg=neighbor
input cmd-arg=xxxx.xxxx.xxxx.xxxx
input cmd-arg=remote-as
input cmd-arg=1010
pid 18223d child exited status 0d
cmd /bin/bash /app/tacacs/etc/pc_do-auth.sh $name /app/tacacs/etc/allow.qa_net returns 0 (no change)
authorization query for 'xxxx' /dev/pts/2 from xxxx.xxxx.xxxx.xxxx accepted

So it seems to say the command was allowed, but the switch disagrees.

Dave Olson wrote:

Athimoolam, I'd be very interested in any feedback on your use of this TACACS+ client code, since...

If (on the switch), you do
export TACACSAUTHDEBUG=1
net show version
what output do you get? I'm assuming you've used tacplus-restrict to do the setup, so that for this tacacs user, "net" exists as a link to tacplus-auth.

I'm also assuming that since you are using net, you have edited /etc/netd.conf to allow your tacacs user id or group to run net commands.

Dave Olson wrote:

Athimoolam, I'd be very interested in any feedback on your use of this TACACS+ client code, since...

Here is the output

xxxx@fn1-mgmt:~$ net show version
tacplus-auth: found matching command (/usr/bin/net) request authorization
tacplus-auth: xxx.xxx.xxx.xxx:49 authorized command net
tacplus-auth: net authorized, executing
user/group tacacs15/tacacs does not have permission to run show commands

I used the tacplus-restrict -i -u tacacs15 -a ip net command

After restarting netd, the username matched the actual user, versus the user permissions level. I expected the restrict command to limit use, or do I need to add the tacacs group to edit as well and let the restrict command do the restriction?

Dave Olson wrote:

Athimoolam, I'd be very interested in any feedback on your use of this TACACS+ client code, since...

TACACS is all working just fine. That error message is from 'net'. You need to add either (or both, for different things) the tacacs group and/or tacacs15 user to /etc/netd.conf, and then 'sudo systemctl reload netd'.
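Since the fix above comes down to what /etc/netd.conf grants, here is an added example (not from this thread or from Cumulus) that checks, against a constructed netd.conf, whether a TACACS user/group pair would pass NCLU's show/edit permission gate before you reload netd. The key names users_with_show, groups_with_show, users_with_edit and groups_with_edit and their comma-separated values are assumed from the NCLU documentation.

```shell
#!/bin/sh
# Added example: dry-run NCLU's user/group permission check for "show" and
# "edit" commands. Assumes the netd.conf key format described in the lead-in.

# Constructed sample standing in for /etc/netd.conf: the tacacs group gets
# show rights only, edit rights stay with the named local admins.
SAMPLE_NETD_CONF='
# Control which users/groups are allowed to run "show" commands.
users_with_show = root, cumulus
groups_with_show = netshow, netedit, tacacs

# Control which users/groups are allowed to run "add", "del", "commit".
users_with_edit = root, cumulus
groups_with_edit = netedit
'

# conf_values KEY: print the members listed for KEY, one per line, trimmed.
# Commented-out lines ("# users_with_show = ...") are deliberately ignored.
conf_values() {
    printf '%s\n' "$SAMPLE_NETD_CONF" \
        | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
        | grep -v '^$'
}

# netd_allows ACTION USER GROUP: succeed if USER is in users_with_ACTION or
# GROUP is in groups_with_ACTION, where ACTION is "show" or "edit".
netd_allows() {
    action=$1 user=$2 group=$3
    conf_values "users_with_$action" | grep -qx -- "$user" && return 0
    conf_values "groups_with_$action" | grep -qx -- "$group" && return 0
    return 1
}

# netd_explain ACTION USER GROUP: print a verdict, using netd's own wording
# for a denial so it can be matched against what the switch prints.
netd_explain() {
    if netd_allows "$1" "$2" "$3"; then
        echo "ok: $1 permitted for user/group $2/$3"
    else
        echo "user/group $2/$3 does not have permission to run $1 commands"
    fi
}

netd_explain show tacacs15 tacacs   # permitted via the tacacs group
netd_explain edit tacacs15 tacacs   # denied: no edit grant for user or group
```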