Top

Menu

[Edgecore SONiC] TACACS+ for user authentication Follow

Avatar
shark_huang 黃昭穎
  • Updated

Reference model:

  • Switch model name:

- AS7726-32X

- AS7326-56X

- AS7816-64X

- AS5835-54X(T)

- AS4630-54PE

- AS9716-32D

- AS8000(Minipack)

- Wedge100BF-32X

  • Edgecore SONiC version: 

- Edgecore-SONiC_20201123_130028_ec202006_74

- Edgecore-SONiC_20201229_070315_ec202006_101

- Edgecore-SONiC_20201229_070315_ec202006_bfn_65(Wedge100BF-32X)

Restriction:

  1. AAA only supports authentication.
  2. Known issue: In tacacs+ enviornment,you will face following warming message when you run command by sudo group.
admin@sonic:~$ sudo su
usermod: Permission denied.
usermod: cannot lock /etc/passwd; try again later.
usermod: Permission denied.

This issue is fixed in SONiC.Edgecore-SONiC_20201229_070315_ec202006_101.

Default Setting:

admin@sonic:~$ show tacacs
TACPLUS global auth_type pap (default)
TACPLUS global timeout 5 (default)
TACPLUS global passkey <EMPTY_STRING> (default)

By default, AAA users local database for authentication.

admin@sonic:~$ show aaa
AAA authentication login local (default)
AAA authentication failthrough False (default)

Procedure :

Step 1. Set the management IP on the switch (Refer to this article)

Step 2. Add the TACACS Server host to the switch

admin@sonic:~$ sudo config tacacs add 192.168.1.10

Step 3. Set the TACACS authentication key (testing123 as example)

admin@sonic:~$ sudo config tacacs passkey testing123

Step 4. check the TACACS server settings

admin@sonic:~$ show tacacs
TACPLUS global auth_type pap (default)
TACPLUS global timeout 5 (default)
TACPLUS global passkey testing123

TACPLUS_SERVER address 192.168.1.10
 priority 1
 tcp_port 49

Step 5. Use tacacs+ database for user authentication

admin@sonic:~$ sudo config aaa authentication login tacacs+

Step 6. check aaa settings

admin@sonic:~$ show aaa
AAA authentication login tacacs+
AAA authentication failthrough False (default)

Step 7. Save the setting to config_db.json

admin@sonic:~$ sudo config save -y

Result: User named "test" login to the SONiC by TACACS authentication

mceclip0.png 

 

Appendix:  TACACS+ server configuration

 

Step 1: Generate the login password by "tac_pwd"

[ Server Setting ] :          
Steps 1. Generate the login password by "tac_pwd"       
Server:~# tac_pwd               
Password to be encrypted: test              
BKe8b/ZgWAQ92                
Server:~# tac_pwd            
Password to be encrypted: admin         
9HYczqUTI2Aoo

 Step 2: TACACS Server configuration.

Server:~# vi /etc/tacacs+/tac_plus.conf             
accounting file = /var/log/tac_plus.acct
key = testing123     
user = DEFAULT {
login = PAM
service = ppp protocol = ip {}
}
group = network_admin {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
    cmd = show {
        permit .*
    }
}
user = test {
    login = des BKe8b/ZgWAQ92
    pap = des BKe8b/ZgWAQ92
    member = network_admin
}
user = admin {
    login = des 9HYczqUTI2Aoo
    pap = des 9HYczqUTI2Aoo
    member = network_admin
}

 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.

Articles in this section

See more