Aravind Prabhakar

Systems Engineer | Networking | Security | PreSales | Cloud | Devops | AIOps

View on GitHub Linkedin Blogs Tags
23 August 2023

Junos and Tacacs+

By Aravind

Spinning up tacacs+ server on ubuntu

Tacacs+ is an open standard protocol over TCP and is available for linux systems where we can setup so that all the routers and firewalls can refer to this for any AAA purposes. In addition to logging, it allows to perform ACL and detailed logging. I followed an https://github.com/llima3000/tacplus_image to spin up something super quick on docker and get it to work.

Install docker

Follow https://ard92.github.io/2022/04/23/setting-up-k8s-in-ubuntu.html for installation of docker. It has kuberentes along with it which can be ignored.

Clone the above

git clone https://github.com/ARD92/tacplus_image.git
cd tacplus_image
docker build --no-cache -t tacplus .

Edit the config file.

Here is an example for the config file which we will use to start the tacacs+ server

root@ubuntu20-04:~/tacconf# more tac_plus.conf
key = tacacs123
accounting file = /var/log/tac_plus.acct
accounting syslog;

group = admin {
    default service = permit
	service = exec {
		priv-lvl = 15
	}
    service = junos-exec {
	local-user-name = admin
    }
}

user = admin_user {
	member = admin
	login = cleartext "admin123"
}

user = aprabh {
	member = admin
	login = cleartext "juniper123"
	name = "aprabh, aprabh@juniper.net"
}

Start the tacacs+ server

This would expose port 49 for connectivity from the clients . The key configured here should match on the clients as well to establish connectivity

docker run -itd --name tacplus -p 49:49 -v ./tac_plus.conf:/etc/tacacs+/tac_plus.conf tacplus:latest

Verify process

root@ubuntu20-04:~/tacconf# docker ps
CONTAINER ID   IMAGE            COMMAND                  CREATED          STATUS          PORTS                               NAMES
1c7415960cb3   tacplus:latest   "/bin/sh -c '/usr/sb…"   32 minutes ago   Up 32 minutes   0.0.0.0:49->49/tcp, :::49->49/tcp   tacplus

Configure Junos device

root@r1_re0# show | display set
set groups TACACS+ system login class tacacs idle-timeout 30
set groups TACACS+ system login class netadmin idle-timeout 30
set groups TACACS+ system login class admin idle-timeout 30
set groups TACACS+ system login class admin permissions all
set groups TACACS+ system login user aprabh uid 2001
set groups TACACS+ system login user aprabh class admin
set groups TACACS+ system login user admin full-name Admin
set groups TACACS+ system login user admin uid 2002
set groups TACACS+ system login user admin class admin
set groups TACACS+ system services ssh connection-limit 10
set groups TACACS+ system services telnet connection-limit 4
set groups TACACS+ system services telnet rate-limit 100
set groups TACACS+ system authentication-order tacplus
set groups TACACS+ system authentication-order password
set groups TACACS+ system tacplus-server 10.49.162.119 port 49
set groups TACACS+ system tacplus-server 10.49.162.119 secret "$9$UBD.5Qz6AtOaZjqf5/9lKv8Nds24"
set groups TACACS+ system tacplus-server 10.49.162.119 timeout 2
set groups TACACS+ system tacplus-server 10.49.162.119 source-address 10.49.185.83
set groups TACACS+ system tacplus-options service-name netadmin
set groups TACACS+ system tacplus-options strict-authorization
set groups TACACS+ system accounting events login
set groups TACACS+ system accounting events change-log
set groups TACACS+ system accounting events interactive-commands
set groups TACACS+ system accounting destination tacplus server 10.49.162.119 port 49
set groups TACACS+ system accounting destination tacplus server 10.49.162.119 secret "$9$FO4O3A0B1hrlM5QnCu0cSbsY4GDk.P"
set groups TACACS+ system accounting destination tacplus server 10.49.162.119 timeout 4
set groups TACACS+ system accounting destination tacplus server 10.49.162.119 source-address 10.49.185.83
set apply-groups TACACS+

Here secret matches the key defined on the server . Notice that the user uses classes which are same as the ones defined on the tac_plus.conf file and the source address from which the router can reach the tacacs+ server. Here this address belongs to fxp0 interface

verify login using tacacs

qnc-css-lnx03:~> ssh aprabh@10.49.170.137
Password:
Last login: Fri Aug 25 10:28:57 2023 from 10.32.192.48
--- JUNOS 23.2R1.9 Kernel 64-bit  JNPR-12.1-20230518.aa6e35c_buil
aprabh@r1_re0> exit

Tacacs+ logs

connect from 10.49.170.137 [10.49.170.137]
verify daemon juniper123 == NAS juniper123
Password is correct
Password has not expired <no expiry date set>
login query for 'aprabh' port unknown-port from 10.49.170.137 accepted
connect from 10.49.170.137 [10.49.170.137]
authorization query for 'aprabh' unknown from 10.49.170.137 accepted
connect from 10.49.170.137 [10.49.170.137]

Tacacs+ accounting

root@ubuntu20-04:~/tacconf# docker exec -it tacplus bash
root@1c7415960cb3:/# more /var/log/tac_plus.acct
Aug 25 17:46:51	10.49.189.4	root	non-tty	Unknown host - non-tty	stop	task_id=1	service=shell	session_pid = 30829	elapsed_time=0	cmd=logout
Aug 25 17:46:52	10.49.185.83	aprabh	1	10.32.192.48	stop	task_id=2	service=shell	session_pid = 8559	cmd=exit <cr>
Aug 25 17:46:52	10.49.185.83	aprabh	1	10.32.192.48	stop	task_id=1	service=shell	session_pid = 8559	elapsed_time=1073	cmd=logout
Aug 25 17:47:17	10.49.170.137	aprabh	1	10.32.192.48	start	task_id=1	service=shell	session_pid = 61879	cmd=login
Aug 25 17:47:27	10.49.170.137	aprabh	1	10.32.192.48	stop	task_id=2	service=shell	session_pid = 61879	cmd=show bgp summary <cr>
Aug 25 17:47:52	10.49.170.137	aprabh	1	10.32.192.48	stop	task_id=3	service=shell	session_pid = 61879	cmd=exit <cr>
Aug 25 17:47:52	10.49.170.137	aprabh	1	10.32.192.48	stop	task_id=1	service=shell	session_pid = 61879	elapsed_time=35	cmd=logout
Aug 25 18:03:43	10.49.185.83	root	0	10.32.192.48	stop	task_id=6	service=shell	session_pid = 85795	cmd=set: [groups TACACS+ system login user aprabh authentication] unconfigured -- "plain-text-password"<cr>
Aug 25 18:03:43	10.49.185.83	root	0	10.32.192.48	stop	task_id=7	service=shell	session_pid = 85795	cmd=set system login user aprabh authentication plain-text-password <cr>
Aug 25 18:03:48	10.49.185.83	root	0	10.32.192.48	stop	task_id=8	service=shell	session_pid = 85795	cmd=commit <cr>
Aug 25 18:03:53	10.49.185.83	aprabh	1	10.32.192.48	start	task_id=1	service=shell	session_pid = 11428	cmd=login
Aug 25 18:04:08	10.49.185.83	root	0	10.32.192.48	stop	task_id=9	service=shell	session_pid = 85795	cmd=run show log messages | last <cr>
Aug 25 18:04:18	10.49.185.83	aprabh	1	10.32.192.48	stop	task_id=2	service=shell	session_pid = 11428	cmd=exit <cr>
Aug 25 18:04:18	10.49.185.83	aprabh	1	10.32.192.48	stop	task_id=1	service=shell	session_pid = 11428	elapsed_time=26	cmd=logout
Aug 25 18:04:33	10.49.170.137	aprabh	1	10.32.192.48	start	task_id=1	service=shell	session_pid = 62970	cmd=login
[ junos  linux  ] tags: junos - linux