Is it possible to set up Tacacs+ for a group to have different levels of access on different devices?
So for example a group would have:
on routers 1-5 lvl-15
on routers 7-15 lvl-10
I have one question regarding TACACS+ setup. Is there any way I can permit all commands? Something like:

```
cmd = * {
    permit .*
}
```

Thank you!
I have a TACACS+ server and an Ubuntu 20.04 VM client. I downloaded the package libpam-tacplus and did steps 7 and 8 from this answer. If the user exists on the VM I can successfully use the TACACS+ server for authentication.
It is required that the users only exist on the TACACS+ server and not inside the VM. To achieve that I downloaded this and installed/configured it following the instructions from the readme.
I connect via ssh to the VM, but I can't log in. The server log says "pap login succeeded" but the ssh console says "Access denied".
I suspect something is wrong with my pam.d files but I'm not sure what.
Here are the relevant files/logs:
pam.d/tacacs

```
#%PAM-1.0
auth sufficient /usr/lib/security/pam_tacplus.so debug server=1.2.3.4 timeout=5 secret=secretkey
account sufficient /usr/lib/security/pam_tacplus.so debug server=1.2.3.4 timeout=5 secret=secretkey service=shell protocol=ssh
session sufficient /usr/lib/security/pam_tacplus.so debug server=1.2.3.4 timeout=5 secret=secretkey service=shell protocol=ssh
```
pam.d/sshd

```
#%PAM-1.0
auth [success=0 default=ignore] /usr/lib/security/pam_tacplus.so debug server=1.2.3.4 secret=secretkey
#auth include tacacs
account include tacacs
session include tacacs
#
#
#auth required pam_sepermit.so
#auth substack password-auth
#auth include postlogin
# Used with polkit to reauthorize users in remote sessions
#-auth optional pam_reauthorize.so prepare
#account required pam_nologin.so
#account include password-auth
#password include password-auth
# pam_selinux.so close should be the first session rule
#session required pam_selinux.so close
#session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
#session required pam_selinux.so open env_params
#session required pam_namespace.so
#session optional pam_keyinit.so force revoke
#session include password-auth
#session include postlogin
# Used with polkit to reauthorize users in remote sessions
#-session optional pam_reauthorize.so prepare
```
/var/log/auth.log after entering the username

```
Sep 3 13:52:22 ubuntuvm sshd[18024]: tacacsSSH
Sep 3 13:52:22 ubuntuvm sshd[18024]: tacacs name is tacacs_user, pw_dir = /home/tacacs_user, pw_shell =
Sep 3 13:52:22 ubuntuvm sshd[18024]: tacacsSSH 102
Sep 3 13:52:22 ubuntuvm sshd[18024]: Name copied to passwd structure is testuser
Sep 3 13:52:22 ubuntuvm sshd[18024]: Password copied to passwd structure is a
Sep 3 13:52:22 ubuntuvm sshd[18024]: PAM pam_parse: expecting non-zero; [... default=ignore]
Sep 3 13:52:22 ubuntuvm sshd[18024]: PAM pam_parse: expecting return value; [...sufficent]
```
/var/log/auth.log after entering the password

```
Sep 3 13:52:29 ubuntuvm PAM-tacplus[18024]: 1 servers defined
Sep 3 13:52:29 ubuntuvm PAM-tacplus[18024]: server[0] { addr=1.2.3.4, key='********' }
Sep 3 13:52:29 ubuntuvm PAM-tacplus[18024]: tac_service=''
Sep 3 13:52:29 ubuntuvm PAM-tacplus[18024]: tac_protocol=''
Sep 3 13:52:29 ubuntuvm PAM-tacplus[18024]: tac_prompt=''
Sep 3 13:52:29 ubuntuvm PAM-tacplus[18024]: tac_login=''
Sep 3 13:52:29 ubuntuvm sshd[18024]: pam_sm_authenticate: called (pam_tacplus v1.3.8)
Sep 3 13:52:29 ubuntuvm sshd[18024]: pam_sm_authenticate: user [testuser] obtained
Sep 3 13:52:29 ubuntuvm sshd[18024]: tacacs_get_password: called
Sep 3 13:52:29 ubuntuvm sshd[18024]: tacacs_get_password: obtained password
Sep 3 13:52:29 ubuntuvm sshd[18024]: pam_sm_authenticate: password obtained
Sep 3 13:52:29 ubuntuvm sshd[18024]: pam_sm_authenticate: tty [ssh] obtained
Sep 3 13:52:29 ubuntuvm sshd[18024]: pam_sm_authenticate: rhost [1.2.3.5] obtained
Sep 3 13:52:29 ubuntuvm sshd[18024]: pam_sm_authenticate: trying srv 0
Sep 3 13:52:29 ubuntuvm sshd[18024]: pam_sm_authenticate: active srv 0
Sep 3 13:52:29 ubuntuvm sshd[18024]: pam_sm_authenticate: exit with pam status: 0
Sep 3 13:52:29 ubuntuvm sshd[18024]: Failed password for testuser from 1.2.3.5 port 49413 ssh2
```
As TACACS+ Server I use this one: https://tacacsgui.com/
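The two auth.log captures above carry the diagnostic signals worth automating: PAM stack parse errors (a control flag or keyword the parser rejects) and a pam_tacplus success (status 0) that sshd still turns into a failed login, which points at the rest of the stack or the account lookup rather than at the TACACS+ server. As an added example that is not part of the post, this script flags both over constructed log lines modelled on the excerpt (the second session, pid 18101, is invented to show a genuine deny, status 7 = PAM_AUTH_ERR):

```python
import re

# Constructed sample in the shape of the auth.log excerpt; pid 18101 is invented.
SAMPLE_LOG = """\
Sep 3 13:52:22 ubuntuvm sshd[18024]: PAM pam_parse: expecting non-zero; [... default=ignore]
Sep 3 13:52:22 ubuntuvm sshd[18024]: PAM pam_parse: expecting return value; [...sufficent]
Sep 3 13:52:29 ubuntuvm sshd[18024]: pam_sm_authenticate: called (pam_tacplus v1.3.8)
Sep 3 13:52:29 ubuntuvm sshd[18024]: pam_sm_authenticate: exit with pam status: 0
Sep 3 13:52:29 ubuntuvm sshd[18024]: Failed password for testuser from 1.2.3.5 port 49413 ssh2
Sep 3 13:55:01 ubuntuvm sshd[18101]: pam_sm_authenticate: called (pam_tacplus v1.3.8)
Sep 3 13:55:01 ubuntuvm sshd[18101]: pam_sm_authenticate: exit with pam status: 7
Sep 3 13:55:01 ubuntuvm sshd[18101]: Failed password for bob from 1.2.3.5 port 49420 ssh2
"""

# syslog prefix: "<Mon> <day> <time> <host> <proc>[<pid>]: <message>"
LINE = re.compile(r"^\S+ +\d+ [\d:]+ \S+ (?P<proc>\S+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
EXIT = re.compile(r"exit with pam status: (\d+)$")

def analyse(log_text):
    """Return (pid, finding) tuples for the two misconfiguration signals:
    PAM parse errors, and a module success that sshd nevertheless rejected."""
    last_status = {}          # pid -> most recent pam_sm_authenticate exit status
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("PAM pam_parse:"):
            # The stack file itself does not parse; fix the flag/keyword named here.
            findings.append((pid, "pam_parse error: " + msg.split(": ", 1)[1]))
            continue
        e = EXIT.search(msg)
        if e:
            last_status[pid] = int(e.group(1))   # 0 = PAM_SUCCESS, 7 = PAM_AUTH_ERR
        elif msg.startswith("Failed password for") and last_status.get(pid) == 0:
            # TACACS+ said yes, sshd said no: look at the other stack lines / NSS.
            findings.append((pid, "pam_tacplus succeeded but sshd denied: " + msg))
    return findings

if __name__ == "__main__":
    for pid, finding in analyse(SAMPLE_LOG):
        print(pid, finding)
```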
Dear fellow system tinkerers,
an admin friend has asked me the following question:
On a number of network elements and servers, he's using remote authentication against a TACACS+ server. On some such proprietary appliances, the authentication only asks a local auth DB if the remote method returns "auth server unavailable" (unreachable, timed out). If the remote auth server is available, and returns a negative response, the box in question takes that at face value and does not try to auth against a local user database.
Now... on a Linux-based box, he would like to achieve the same behavior. And he cannot seem to be able to. The Linux OS first tries the remote auth, but upon a clear negative response (server responds "authentication failure, those are not valid credentials") it goes ahead and just tries the local database too.
I've come to understand that the remote TACACS+ auth is arranged by a nice PAM module called pam_tacplus. Reading about PAM in general, it seems to dawn on me that pam_tacplus is not to blame. Rather, the observed behavior is just the way PAM as a whole works. If that's the case, a direct solution would probably have to involve adding a configurable global option to the PAM codebase, and maybe specific PAM config-file keywords/syntax, to modify the behavior in the desired direction.
Any further notes on this topic are welcome :-)
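The behaviour described above is a property of the stack's control flags rather than of pam_tacplus, and PAM's bracket syntax can already express "treat a remote deny as final, fall to local only when the server is unavailable". As an added example that is not from the post, this is a simplified model of Linux-PAM's documented control semantics, used to compare the usual fall-through layout with a gated one. It assumes pam_tacplus returns PAM_AUTH_ERR on an explicit deny and PAM_AUTHINFO_UNAVAIL when no server answers (check your module version), and that pam_unix accepts the local user.

```python
# Assumption (verify against your pam_tacplus version): a server "deny" comes
# back as "auth_err" (PAM_AUTH_ERR), an unreachable server as "authinfo_unavail"
# (PAM_AUTHINFO_UNAVAIL). Module names below are the usual Linux-PAM ones.

def parse_control(spec):
    """Parse a Linux-PAM bracket control such as "[success=done default=die]"."""
    return dict(item.split("=", 1) for item in spec.strip("[]").split())

# The keyword controls, written out as Linux-PAM documents them.
SUFFICIENT = parse_control("[success=done new_authtok_reqd=done default=ignore]")
REQUIRED = parse_control("[success=ok new_authtok_reqd=ok ignore=ignore default=bad]")
# Remote decision is final; only an unreachable server lets the stack continue.
GATED = parse_control("[success=done authinfo_unavail=ignore default=die]")

# Two candidate auth stacks, as (module, control) pairs.
FALL_THROUGH = [("pam_tacplus.so", SUFFICIENT), ("pam_unix.so", REQUIRED)]
SERVER_GATED = [("pam_tacplus.so", GATED), ("pam_unix.so", REQUIRED)]

def run_stack(stack, results):
    """Walk a stack; `results` maps module -> its return value.
    Returns (final status, list of modules actually consulted)."""
    status, consulted = None, []
    for module, control in stack:
        ret = results[module]
        consulted.append(module)
        action = control.get(ret, control["default"])
        if action == "ignore":
            continue                           # result does not count; keep going
        if action in ("ok", "done"):
            if status in (None, "success"):    # first result, or nothing failed yet
                status = ret
            if action == "done" and status == "success":
                break                          # stop early only when nothing failed
        elif action in ("bad", "die"):
            if status in (None, "success"):
                status = ret                   # the first failure decides the outcome
            if action == "die":
                break
    return status or "perm_denied", consulted

def compare(tacplus_result):
    """For one pam_tacplus outcome, show what each layout does with pam_unix."""
    results = {"pam_tacplus.so": tacplus_result, "pam_unix.so": "success"}
    return {name: run_stack(stack, results)
            for name, stack in (("fall_through", FALL_THROUGH), ("server_gated", SERVER_GATED))}

if __name__ == "__main__":
    for outcome in ("success", "auth_err", "authinfo_unavail"):
        print(outcome, compare(outcome))
```

With the gated control, a remote deny ends the stack before pam_unix is consulted, while an unreachable server still falls through to the local database.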
I have a set-up in my organisation wherein logins to all network devices (Cisco, Juniper & ....) are authenticated using Windows AD and a Cisco TACACS server. Users are pushed into AD via a separate web portal.
Now, I have a requirement of integrating all Linux servers into the above set-up. How can I achieve the above requirement?
I did a bit of research from my end and found that it is possible to integrate Linux with the TAC server, but one needs to manually add all users to Linux in a tac config file. I don't want to do manual adding stuff and want AD to play that role. Is it possible to do? Can anyone help me with the steps to do so?
Thanks in advance