[Edgecore SONiC] TACACS+ for user authentication Follow

TACACS + (Terminal Access Controller Access-Control System Plus) Correct input route Yuuki, network visit router Clothes sum О Separate mutual calculation terminal processing One or many input Yes Clothes reception visit compliant interventions. TACACS + Approval of payment, bookkeeping service.

• TACACS setting on Switch

• Switch model name:

  AS7726-32X, AS7326-56X, AS7816-64X, AS5835-54X(T), AS4630-54PE, AS9716-32D, AS8000(Minipack), Wedge100BF-32X

• Edgecore SONiC version:

  • Edgecore-SONiC_20201123_130028_ec202006_74

  • Edgecore-SONiC_20201229_070315_ec202006_101

  • Edgecore-SONiC_20201229_070315_ec202006_bfn_65(Wedge100BF-32X)

• AAA only supports authentication.
• Known issue: In tacacs+ environment, you will face the following warning message when you run command by sudo group.

admin@sonic:~$ sudo su
usermod: Permission denied.
usermod: cannot lock /etc/passwd; try again later.
usermod: Permission denied. 

This issue is fixed in SONiC.Edgecore-SONiC_20201229_070315_ec202006_101. - Default Setting:

admin@sonic:~$ show tacacs
TACPLUS global auth_type pap (default)
TACPLUS global timeout 5 (default)
TACPLUS global passkey  (default)

• By default, AAA users local database for authentication.

admin@sonic:~$ show aaa
AAA authentication login local (default)
AAA authentication failthrough False (default)

Step 1. Set the management IP on the switch (Refer to this article)

Step 2. Add the TACACS Server host to the switch

admin@sonic:~$ sudo config tacacs add 192.168.1.10

Step 3. Set the TACACS authentication key (testing123 as example)

admin@sonic:~$ sudo config tacacs passkey testing123

Step 4. Use tacacs+ database for user authentication

admin@sonic:~$ sudo config aaa authentication login tacacs+

• Check the TACACS server settings

admin@sonic:~$ show tacacs
TACPLUS global auth_type pap (default)
TACPLUS global timeout 5 (default)
TACPLUS global passkey testing123

TACPLUS_SERVER address 192.168.1.10
 priority 1
 tcp_port 49
 

• Check aaa settings

admin@sonic:~$ show aaa
AAA authentication login tacacs+
AAA authentication failthrough False (default)

TACACS+ server configuration

Step 1: Generate the login password by “tac_pwd”

      
Server:~# tac_pwd               
Password to be encrypted: test              
BKe8b/ZgWAQ92                
Server:~# tac_pwd            
Password to be encrypted: admin         
9HYczqUTI2Aoo

Step 2: TACACS Server configuration.

Server:~# vi /etc/tacacs+/tac_plus.conf             
accounting file = /var/log/tac_plus.acct
key = testing123     
user = DEFAULT {
login = PAM
service = ppp protocol = ip {}
}
group = network_admin {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
    cmd = show {
        permit .*
    }
}
user = test {
    login = des BKe8b/ZgWAQ92
    pap = des BKe8b/ZgWAQ92
    member = network_admin
}
user = admin {
    login = des 9HYczqUTI2Aoo
    pap = des 9HYczqUTI2Aoo
    member = network_admin
}