[Edgecore SONiC] TACACS+ for user authentication Follow

Restriction:

• If the user sets the authentication priority "local" and then to "tacacs+", the user must retry with the TACACS + account three times. Users can add "fallthrough" to avoid this behavior.

• admin@sonic:~$ sudo config aaa authentication failthrough enable

• AAA only supports authentication.
• Known issue: In tacacs+ environment, you will face the following warning message when you run command by sudo group.(This issue is fixed in 202006.1)

• admin@sonic:~$ sudo su
  usermod: Permission denied.
  usermod: cannot lock /etc/passwd; try again later.
  usermod: Permission denied.

• Default Setting:

• admin@sonic:~$ show tacacs
  TACPLUS global auth_type pap (default)
  TACPLUS global timeout 5 (default)
  TACPLUS global passkey  (default)
  admin@sonic:~$ show aaa
  AAA authentication login local (default)
  AAA authentication failthrough False (default)
  

TACACS setting on Switch

Topology:

Procedure:

Step 1. Set the management IP on the switch ( [Edgecore SONiC] Management and front port IPv4/IPv6 Address)

Step 2. Add the TACACS Server host to the switch

admin@sonic:~$ sudo config tacacs add 192.168.1.10

Step 3. Set the TACACS authentication key (testing123 as example)

admin@sonic:~$ sudo config tacacs passkey testing123

Step 4. Use tacacs+ database for user authentication

admin@sonic:~$ sudo config aaa authentication login tacacs+ local

Result:

• Check the TACACS server settings

• admin@sonic:~$ show tacacs
  TACPLUS global auth_type pap (default)
  TACPLUS global timeout 5 (default)
  TACPLUS global passkey testing123
  
  TACPLUS_SERVER address 192.168.1.10
   priority 1
   tcp_port 49
   

• Check aaa settings

• admin@sonic:~$ show aaa
  AAA authentication login tacacs+ local
  AAA authentication failthrough False (default)
  

• Login with the tacacs+ account and check the privilege of the account.

• TS@HOST1 ~ % ssh ts@192.168.1.1
  ts@192.168.1.1's password:ecsupport
  Linux sonic 4.19.0-6-2-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64
  You are on
  ____ ___ _ _ _ ____
  / ___| / _ \| \ | (_)/ ___|
  \___ \| | | | \| | | |
  ___) | |_| | |\ | | |___
  |____/ \___/|_| \_|_|\____|
  
  -- Software for Open Networking in the Cloud --
  Unauthorized access and/or use are prohibited.
  All access and/or use are subject to monitoring.
  Help: http://azure.github.io/SONiC/
  Last login: Thu Feb 17 03:14:09 2022 from 192.168.1.22
  ts@sonic:~$ id
  uid=1001(ts) gid=1000(admin) groups=1000(admin),27(sudo),999(docker)
  ts@sonic:~$ exit
  
  TS@HOST1 ~ % ssh admin@192.168.1.1
  admin@192.168.1.1's password: admin123
  
  Linux sonic 4.19.0-6-2-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64
  You are on
  ____ ___ _ _ _ ____
  / ___| / _ \| \ | (_)/ ___|
  \___ \| | | | \| | | |
  ___) | |_| | |\ | | |___
  |____/ \___/|_| \_|_|\____|
  
  -- Software for Open Networking in the Cloud --
  
  Unauthorized access and/or use are prohibited.
  All access and/or use are subject to monitoring.
  
  Help: http://azure.github.io/SONiC/
  
  Last login: Thu Feb 17 03:13:52 2022 from 192.168.1.22
  admin@sonic:~$ id
  uid=1000(admin) gid=1000(admin) groups=1000(admin),27(sudo),999(docker)

Appendix:

TACACS_SERVER# tac_pwd               
Password to be encrypted: admin123              
3BEERLwx7qhFE                

TACACS_SERVER# apt list tacacs+
Listing... Done
tacacs+/bionic,now 4.0.4.27a-3 amd64 [installed]

TACACS_SERVER# cat /etc/tacacas+/tac_plus.cfg
accounting file = /var/log/tac_plus.acct
key = testing123
user = admin {
    login = des 3BEERLwx7qhFE
    pap = des 3BEERLwx7qhFE
    service = exec {
    priv-lvl=15
    }
}
user = ts {
    login = cleartext "ecsupport"
    pap = cleartext "ecsupport"
    service = exec {
    priv-lvl=15
    }
}