TACACS+ configuration using ExtremeXOS (EXOS). This is about configuring authentication using the TACACS+ protocol. Authorization and Accounting are easy to set up once Authentication is working, but are not part of this netlab.

This is a configuration from scratch: first-time EXOS usage with no prior experience at all, with the goal of getting TACACS+ authentication working on EXOS.

The official EXOS appliance is available here, or it can simply be installed from the GNS3 marketplace or with the GNS3 GUI's import appliance function.

IP addressing

The IP addressing used in this netlab, with three appliances:

Node     Function         IP address
R103     EXOS router      10.100.100.103/24
AAA-49   TACACS+ server   192.0.2.1
node-10  TACACS+ client   10.100.100.10

Connections in the netlab are made from node-10 to R103 using the telnet and SSH protocols.

TACACS+

This netlab is using the TAC_PLUS-NG server project from Event-driven servers.

Version of TACACS+NG:

user % tac_plus-ng -v
tac_plus-ng version e4cb4a9e95338f44ade6fb36569890bd80df6295/PCRE2

TACACS server IP settings:

Setting       Value
IP            192.0.2.1
TCP port      4949
TACACS+ key   123-my_tacacs_key

Preconfigured tac_plus-ng.cfg settings for user authentication:

Method        Option   User    Password
ASCII login   login    cisco   cisco
PAP           pap      cisco   auth-pap
CHAP          chap     cisco   auth-chap

EXOS offers no option to use PAP authentication with TACACS+; PAP authentication works with RADIUS only. CHAP authentication for RADIUS is not implemented yet in EXOS.

The basic TACACS+NG configuration used in this netlab has been set up in

TACACS+NG configuration

Preconfigured tac_plus-ng.cfg file. Ready to use:

#!/usr/sbin/tac_plus-ng
id = spawnd {
    # listen on all IPv4 addresses, TCP port 4949
    listen = { address = 0.0.0.0 port = 4949 }
}

id = tac_plus-ng {

    # any IPv4 client may connect; key and banner are per host definition
    host IPv4only {
        address = 0.0.0.0/0
        welcome banner = "\n Welcome to TACACS+NG\n\n"
        key = 123-my_tacacs_key
    }

    # shell profile: start the session with privilege level 15
    profile netadmin {
        script {
            if (service == shell) {
                if (cmd == "") {
                    set priv-lvl = 15
                    permit
                }
            }
        }
    }

    group admin

    # one user, with a separate secret per authentication method
    user cisco {
        password {
            login = crypt $2a$10$34.ioPXaLJDD.PdEk.4Mle3g0cQw8e16thH1g0nQEC1.jW.sEHi1S
            pap   = crypt $2y$10$NtwT2Cp/fjezs109gGsVdeyU4Am4q2j1IJ219/mMy.k29xNd9XXU2
            chap  = clear auth-chap
        }
        member = admin
    }

    # members of group admin get the netadmin profile
    ruleset {
        rule {
            script {
                if (member == admin) { profile = netadmin permit }
            }
        }
    }
}

EXOS configuration

  • Download Virtual-EXOS from the official Extreme Networks GitHub repository, and install and configure the .gns3a appliance manually or using the GNS3 client.

Local account

Set the local admin password to ExtremeXOS (the command prompts for the new password):

configure account admin

Configure a banner that displays the local EXOS password. Since we are all forgetful, and this is only a netlab, set this banner so the local credentials are not forgotten:

configure banner
user: admin
pass: ExtremeXOS
[ENTER]

IP addressing

  • Hostname R103
  • Address 10.100.100.103/24
  • Gateway 10.100.100.1

Configuration lines for the EXOS router:

configure snmp sysname R103
configure vlan default ipaddress 10.100.100.103/24
configure iproute add default 10.100.100.1
configure timezone name CEST 60 autodst name CEST begins every last sunday march at 2 0 ends every last sunday october at 3 0

These EXOS configuration commands are optional. They make the resulting CLI output more fluent and usable for automation. Disable paging and CLI refresh:

disable cli paging
disable cli refresh

The equivalent cisco IOS command to disable paging is terminal length 0, which applies to the current running session only.

Verify configuration

Show the IP configuration of the router using show ipconfig default. Default refers to the VLAN named Default, which was given the IP address above:

R103.13 # show ipconfig default

Router Interface on Default is enabled and up.
    inet 10.100.100.103/24 broadcast 10.100.100.255   Mtu 1500
    Flags:
        BOOTP Host        NO    DirBcstHwFwd      NO    Fwd Bcast      NO
        IgnoreBcast       YES   IP Fwding         NO    IPmc Fwd       NO
        Multinetted VLAN  NO    IRDP Advert       NO    Send Redir     YES
        VRRP              NO    TCP Adjust MSS    OFF

Show the IP routing table of the router using the show iproute command:

R103.21 # show iproute

Ori  Destination       Gateway          Mtr  Flags          VLAN     Duration
 s   Default Route     10.100.100.1     1    UG---S-um--f-  Default  0d:0h:18m:54s
 d   10.100.100.0/24   10.100.100.103   1    U------um--f-  Default  0d:0h:31m:38s

Verify IP connectivity with the TACACS+ server, from the router:

R103.34 # ping 192.0.2.1

! output omitted for brevity
--- 192.0.2.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% loss
round-trip min/avg/max = 1/1/1 ms

Everything is set up and verified.

EXOS TACACS+ configuration

This results in the following configuration for the EXOS router:

configure tacacs primary server 192.0.2.1 4949 client-ip 10.100.100.103 vr VR-Default
configure tacacs primary shared-secret 123-my_tacacs_key
configure tacacs fallback local
enable tacacs

The user admin is the local fallback account in case TACACS+ authentication with the AAA server fails. The router will fall back to using the locally configured users.
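As an added illustration (not part of the original post and not tac_plus-ng or EXOS code), the following Python builds the ASCII-login START packet that a NAS such as R103 sends to the server, applies the RFC 8907 body obfuscation keyed by the shared secret configured above, and decodes it again. The session id, port name and remote address are sample values constructed for the example; the pad is derived only from the shared secret, which is why the secret must be protected and why TACACS+ transport is obfuscation rather than encryption.

```python
import hashlib
import struct

KEY = b"123-my_tacacs_key"          # shared secret from the netlab configuration

TAC_PLUS_VERSION_ASCII = 0xC0       # major 0xC, minor 0: used for ASCII login
TAC_PLUS_AUTHEN = 0x01              # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01        # START action: login
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01   # authen_type: interactive ASCII method
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01    # authen_service: login

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: chained MD5 keystream derived from the shared secret."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(prefix + block).digest()  # MD5_n = MD5(prefix || MD5_n-1)
        pad += block
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call reverses it (encode == decode)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def authen_start_body(user, port, rem_addr):
    """Body of an ASCII-login START packet (seq_no 1), as the NAS sends it."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, 0, TAC_PLUS_AUTHEN_TYPE_ASCII,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), 0)
    return fixed + u + p + r                 # data field is empty for an ASCII START

def build_packet(body, session_id, key, seq_no, version=TAC_PLUS_VERSION_ASCII):
    """12-byte cleartext header followed by the obfuscated body."""
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)

def decode_start(packet, key):
    """Parse the header and recover the START fields; a wrong key yields garbage fields."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = obfuscate(packet[12:12 + length], session_id, key, version, seq_no)
    user_len, port_len, rem_len = body[4], body[5], body[6]
    off = 8
    user = body[off:off + user_len]; off += user_len
    port = body[off:off + port_len]; off += port_len
    rem_addr = body[off:off + rem_len]
    return {"seq_no": seq_no, "session_id": session_id, "user": user,
            "port": port, "rem_addr": rem_addr}
```

Only the header travels in clear, so a capture without the secret reveals the packet type, sequence number and session id but not the user name or password.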

Show the AAA configuration. This show command works almost the same as on cisco's IOS:

R103.55 # show configuration aaa

!
! Module aaa configuration.
!
configure tacacs primary server 192.0.2.1 4949 client-ip 10.100.100.103 vr VR-Default
configure tacacs primary shared-secret 123-my_tacacs_key
enable tacacs
configure account admin encrypted $5$9eQqng$FPdRZf1D8Z9kgefUSs5F7DRxjPcIF5sSfGryMtUJuu4

Verify

Using the TACACS+ client, telnet to the router, and authenticate using the previously configured credentials:

user % telnet 10.100.100.103

After successful authentication, verify the TACACS statistics using the show tacacs command:

R103.89 # show tacacs

TACACS+ Configuration
  Admin Status            : enabled
  Authorization           : disabled
  Authorization priv-lvl  : optional
  Fallback Authentication : local
  Accounting              : disabled

  Server Connect Timeout  : 3 sec
  Primary Server :
    Server name    :
    IP address     : 192.0.2.1
    Server IP Port : 4949
    Client address : 10.100.100.103 (VR-Default)
    Shared secret  : #$dGY5a8TCpwSvG0rAhyYsUF+1HaDQPev6lSTrN7OF7MzxZxYOz3A=

    Authentication:
      Requests  : 1
      Responses : 1
      Password  : 1
      Passed    : 1
      Failed    : 0

    Authorization:
      Requests  : 1
      Responses : 1
      Passed    : 1
      Failed    : 0

  Secondary Server            : none
  Acct Server Connect Timeout : 3 sec
  Primary Accounting Server   : none
  Secondary Accounting Server : none

TACACS+NG debug

Authentication debug output from the AAA server while the user authenticates on the NAS. EXOS uses the ASCII method:

user % tac_plus-ng -f tac_plus-ng.cfg -d 4

6772: 01:45:38.219 0/00000000: - Version e4cb4a9e95338f44ade6fb36569890bd80df6295 initialized
6771: 01:45:59.899 0/f08b1244: 10.100.100.103 authen: hdr->seq_no: 1
6771: 01:45:59.899 0/f08b1244: 10.100.100.103 looking for user cisco realm default
6771: 01:45:59.899 0/f08b1244: 10.100.100.103 user lookup succeded
6771: 01:45:59.900 0/f08b1244: 10.100.100.103 authen: hdr->seq_no: 3
6771: 01:45:59.900 0/f08b1244: 10.100.100.103 looking for user cisco realm default
6771: 01:45:59.900 0/f08b1244: 10.100.100.103 user lookup succeded
6771: 01:45:59.900 0/f08b1244: 10.100.100.103 shell login for 'cisco' from 10.100.100.10 on telnet25 succeeded (profile=netadmin)

The ASCII method is the default method for cisco routers.

That is all, folks! Now you can go on and configure authorization and accounting to have all three A's configured and working.

Authentication succeeds and is easy to set up. During testing with this particular EXOS version, the following issues have been spotted:

EXOS bug 1

After successful authentication, notice the CLI greeting you:

R103.144 # ! this is the screen appearing immediately after logon:

ExtremeXOS
!
! Output omitted for brevity
!
There have been 0 successful logins since last reboot and 0 failed logins since last successful login
No prior logins by this user since last reboot

Compare the login greeting, especially its successful and failed login counters, with the Passed and Failed counters in the output of show tacacs:

R103.233 # show tacacs

!
! Output omitted for brevity
!
    Authentication:
      Requests  : 11
      Responses : 11
      Password  : 11
      Passed    : 9
      Failed    : 2

This issue is annoying and dangerous: an operator who trusts the greeting sees neither the earlier successful logins nor the two failed attempts the TACACS+ counters recorded. If this happens on real gear, then you should contact your networking vendor and open a bug report.
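An added check for exactly this discrepancy (example code, not from the post): it parses the login greeting and the Authentication block of show tacacs as quoted above, both embedded here as constructed sample strings, and reports where the NAS greeting disagrees with the TACACS+ client counters.

```python
import re

# Constructed from the two outputs quoted above: the login greeting shown by
# R103 and the Authentication block of its "show tacacs" output.
GREETING = ("There have been 0 successful logins since last reboot and "
            "0 failed logins since last successful login")
SHOW_TACACS = ("Authentication: Requests : 11 Responses : 11 Password : 11 "
               "Passed : 9 Failed : 2 Authorization: Requests : 1 Responses : 1")

GREETING_RE = re.compile(r"(\d+) successful logins .*? (\d+) failed logins")
COUNTER_RE = re.compile(r"(Requests|Responses|Password|Passed|Failed)\s*:\s*(\d+)")


def parse_greeting(text):
    """Counters the NAS prints after login: successful and failed logins."""
    m = GREETING_RE.search(text)
    if not m:
        raise ValueError("login greeting not found")
    return {"successful": int(m.group(1)), "failed": int(m.group(2))}


def parse_authentication_counters(text):
    """Counters of the Authentication block only; stops at the Authorization block."""
    block = text.split("Authentication:", 1)[1].split("Authorization:", 1)[0]
    return {name: int(value) for name, value in COUNTER_RE.findall(block)}


def audit(greeting, show_tacacs):
    """Findings where the NAS greeting disagrees with the TACACS+ client counters."""
    g = parse_greeting(greeting)
    t = parse_authentication_counters(show_tacacs)
    findings = []
    if t["Requests"] != t["Responses"]:
        findings.append(f"{t['Requests'] - t['Responses']} authentication requests got no response")
    if t["Failed"] > 0 and g["failed"] == 0:
        findings.append(f"TACACS+ counted {t['Failed']} failed logins, greeting reports 0")
    if t["Passed"] > 0 and g["successful"] == 0:
        findings.append(f"TACACS+ counted {t['Passed']} passed logins, greeting reports 0")
    return findings
```

Run against the two outputs from the post, audit() returns two findings; the server-side debug log remains the authoritative record of login attempts.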

EXOS bug 2 - TACACS+

Now, if the TACACS+ client on EXOS had been fully implemented, then the TACACS+ welcome banner would show up. It did not show up at all. Tested with both telnet and SSH.

📘 Note
If you have real EXOS gear and the opportunity to test both bugs described above, then check this out, and if you are not a lazy NOC bastard operator from hell, you will most probably open a bug report at the GTAC, in case you can reproduce this.

Summary

I like that Extreme provides free images for netlabs and testing for usage in GNS3, EVE-NG or whatever network simulator is in use. And hopefully this helps someone in the future looking for Cisco-ISE or ClearPass appliance replacement, setting up first test and netlabs for tiny AAA appliance replacement, compared to the commercial products.

TACACS+NG is amazingly flexible and very much like configuring a router from CLI in that regard.

... and while you still wait for your commercial AAA GNS3 appliance to finally start the boot sequence, I already finished running my CLI automation, and reconfigured all running TACACS+NG netlab nodes, thrice... ...
