blog/ posts/ Configuring TACACS+NG authentication for freeRtr
IOS interactive AAA configuration testing | posts | Configuring TACACS+NG authentication for VRP
  1. IP addressing
  2. TACACS+
  3. TACACS+NG configuration
  4. freeRtr configuration
    1. IP addressing
    2. freeRtr TACACS+ configuration
    3. Verify
      1. TACACS+NG debug
    4. freeRtr full config
  5. Summary
  6. References

TACACS+ configuration using freeRtr. This is about configuring authentication using the TACACS+ protocol. Authorization and Accounting are easy to set up once Authentication is working, but are not part of this netlab.

This is a configuration from scratch. freeRtr usage for the first time, no experience at all. TACACS+ freeRtr authentication.

The official freeRtr appliance is available here, or can be simply installed using the GNS3 marketplace or the GNS-gui import appliance function.

IP addressing

The IP addressing used in this netlab. 3 appliances:

Node Function IP address
R104 freeRtr router 10.100.100.104/24
AAA-49 TACACS+ daemon 192.0.2.1
node-10 TACACS+ client 10.100.100.10

Connections in the netlab from node-10 to R104 using telnet client.

TACACS+

This netlab is using the TAC_PLUS-NG server project from Event-driven servers.

Version of TACACS+NG:

user % tac_plus-ng -v tac_plus-ng version f4325f4dfa8b12e9a419af0eee909f2cf13a9c4e/PCRE2

TACACS daemon IP settings, this time the TACACS+ daemon is running on standard port 49. The reason behind is simple. The tac_plus client implemented on freeRtr has no AAA daemon TCP port configuration option, to test authentication the daemon runs on standard TCP port 49.

Setting Value
IP 192.0.2.1
TCP port 49
TACACS+ key 123-my_tacacs_key

Preconfigured tac_plus-ng.cfg settings for user authentication:

Method Option User Password
ASCII login cisco cisco
PAP pap cisco auth-pap
CHAP chap cisco auth-chap

The basic TACACS+NG configuration used in this example, has been explained in previous netlabs. For more details about the configuration read following articles:

TACACS+NG configuration

Pre-configured tac_plus-ng.cfg file for this netlab. AAA daemon configuration ready to use:

#!/usr/sbin/tac_plus-ng
id = spawnd {
    listen = { address = 0.0.0.0 port = 49 }
}

id = tac_plus-ng {

        host IPv4only {
            address = 0.0.0.0/0
            welcome banner = "\n Welcome to TACACS+NG\n\n"
            key = 123-my_tacacs_key
    }

    profile netadmin {
            script {
                    if (service == shell) {
                            if (cmd == "") {
                                    set priv-lvl = 15
                                    permit
                            }
                    }
            }
    }

    group admin

    user cisco {
    password {
        login = crypt $2a$10$34.ioPXaLJDD.PdEk.4Mle3g0cQw8e16thH1g0nQEC1.jW.sEHi1S
        pap   = crypt $2y$10$NtwT2Cp/fjezs109gGsVdeyU4Am4q2j1IJ219/mMy.k29xNd9XXU2
        chap  = clear auth-chap

    }
        member = admin
    }

    ruleset {
                rule {
                        script {
                            if (member == admin) { profile = netadmin permit }
                        }
                }
        }
}

freeRtr configuration

The configuration is taken from the standard tests performed by the freeRtr project:

Both test examples have TACACS+ protocol configured. The latter of both examples, looks like freeRtr is has simple Authentication implemented. There is also a 3-rd test listed which deals with PPP and PAP authentication. I have taken both as a configuration example to construct this router configuration here explained. The freeRtr documentation is really not to find. The selftest are the only full available collection of particlular protocol configuration examples for freeRtr. It is the best of documentation at the moment you can gat. This all steps described below are based on the 2 upper test scenarios.

freeRtr version used in this netlab

R104#show version brief
freeRouter-rare v23.6.27-cur, done by sprscc13@mr.nobody.

IP addressing

This is the freeRtr IP adressing setup:

  • Hostname R104
  • Address 10.100.100.104/24
  • Gateway 10.100.100.1

Basic router IP configuration:

configure
!
hostname R104
!
vrf def v1
 rd 1:1
 exit
int eth1
 vrf for v1
 ipv4 addr 10.100.100.104 255.255.255.0
 exit
ipv4 route v1 0.0.0.0 0.0.0.0 10.100.100.1
!
exit
wr

Verify IP connectivity with the TACACS+ daemon, from the router:

R104#ping 192.0.2.1 vrf v1

pinging 192.0.2.1, src=null, vrf=v1, cnt=5, len=64, df=false, tim=1000, gap=0, ttl=255, tos=0, sgt=0, flow=0, fill=0, alrt=-1, sweep=false, multi=false !!!!! result=100.0%, recv/sent/lost/err=5/5/0/0, took 9, min/avg/max/dev rtt=0/1.4/5/3.4, ttl 63/63.0/63/0.0, tos 0/0.0/0/0.0

IP connectivity is established. Note the usage of the vrf v1 in example.

freeRtr does not have a concept of a default IP routing table. Out of the box, freeRtr it does not have any IP routing tables at all, apart from the default host vrf table which is for out-of-band management purpose. IP packets sourced from the router, like the ICMP in shown example above, need to be set to a distinct local IP routing table. The only routing table created in shown example and assigned to interfaces is the vrf v1 routing table. Every working IP interface is using this particular IP routing table.

To define a default IP routing table configure following. Create a proxy-profile named p1, assing a routing table to the proxy-profile vrf v1.

configure
proxy-profile p1
 vrf v1
end

Finally configure the router to send all client IP requests, or all localhost sourced client requests using the proxy p1 profile:

configure
client proxy p1
end

This way a symlink is defined to a default to be used, target IP routing table. This is a global configuration setting setting shown client proxy p1. The configuration example shown is the most generic way of configuring this. In case someone in future, searching for freeRtr examples, reads this and is in search for a generic working solution for IP packets sourced from this router.

Note. It is possible configure the proxy p1 symlink directly in the AAA-1service in the freeRtr configuration, skipping the global configuration shown. This is not used here, to make the freeRtr configuration example simple as it can get. Without special treatment.

Verify IP connectivity. Now note there is no vrf option added. All IP packets use the vrf v1 as the default IP routing table:

R104#ping 192.0.2.1

pinging 192.0.2.1, src=null, vrf=v1, cnt=5, len=64, df=false, tim=1000, gap=0, ttl=255, tos=0, sgt=0, flow=0, fill=0, alrt=-1, sweep=false, multi=false !!!!! result=100.0%, recv/sent/lost/err=5/5/0/0, took 19, min/avg/max/dev rtt=1/2.0/3/0.8, ttl 63/63.0/63/0.0, tos 0/0.0/0/0.0

freeRtr TACACS+ configuration

The freeRtr TACACS+ configuration. freeRtr authentication configuration consist of following configuration parts:

  • AAA daemon template AAA-1
  • Telnet service R104-T
    • login authentication AAA-1
    • IP table binding vrf v1

This results in following configuration for the authenticating users:

configure
!
aaa tacacs AAA-1
 secret 123-my_tacacs_key
 server 192.0.2.1
exit
!
server telnet R104-T
 login authentication AAA-1
 vrf v1
 exit
end
wr

This is the most basic authentication configuration for freeRtr. As noted already at the beginning, the TACACS+ client requests target the TCP port 49 per default. The implemented client here has no configuration option to change the TACACS+ daemon running TCP port.

Now the authentication can be tested.

Verify

Using the TACACS+ client, telnet to the router, and authenticate using the previously configured credentials:

user % telnet 10.100.100.104

Trying 10.100.100.104... Connected to 10.100.100.104. Escape character is '^]'. welcome username:cisco password: line ready R104#

After successful authentication, show the configured AAA service and its statistics:

R104#show aaa AAA-1

reply times ago last ok 3 00:00:06 2023-07-30 21:41:31 fail 0 never 1970-01-01 00:00:00 error 0 never 1970-01-01 00:00:00

The authentication is bound to AAA-1. 3 times OK. The show users output displays the authenticated users, connection related data and the time:

R104#show users

user from since [nobody] tty1 00:01:12 cisco telnet ethernet1 23 -> 10.100.100.10 40326 00:00:55

And while the test from the client succeeds, the freeRtr line tty1 shown above on the freeRtr will print following:

This is when a authenticated telnet session starts:

R104#! console notification event when session starts

  info prtTcp.connectionRcvd:prtTcp.java:907 got future acknowledge number tacacs ethernet1 42843 -> 192.0.2.1 49   ! console notification event when session ends   info prtTcp.connectionRcvd:prtTcp.java:907 got future acknowledge number telnet ethernet1 23 -> 10.100.100.10 32922  

A universal command showing protocols and connections on freeRtr, without the need for CLI specific commands to list services:

R104#show ipv4 sockets v1

lower name state iface local remote address hit ipPrt icmp on v1:4 n/a null 1 1 null 0 ipPrt igmp on v1:4 n/a null 2 2 null 0 ipPrt tcp on v1:4 n/a null 6 6 null 259 ipPrt udp on v1:4 n/a null 17 17 null 0 ipPrt dccp on v1:4 n/a null 33 33 null 0 ipPrt sctp on v1:4 n/a null 132 132 null 0 ipPrt ludp on v1:4 n/a null 136 136 null 0 tcpSrv telnet n/a null 23 0 null 1 tcpCln telnet estab ethernet1 23 50366 10.100.100.10 250

TACACS+NG debug

Authentication debug output from authenticates on the NAS. freeRtr uses the ASCII method, now correctly shown authenticating user is cisco, without the domain part, resulting in a succeeding authentication:

root # tac_plus-ng -f /etc/tac_plus/netlab-05/tac_plus-ng.cfg -d 4

4773: 21:55:14.019 0/00000000: - Version f4325f4dfa8b12e9a419af0eee909f2cf13a9c4e initialized 4772: 21:55:19.168 0/02b34d66: 10.100.100.104 authen: hdr->seq_no: 1 4772: 21:55:19.170 0/02b34d66: 10.100.100.104 authen: hdr->seq_no: 3 4772: 21:55:19.170 0/02b34d66: 10.100.100.104 looking for user cisco realm default 4772: 21:55:19.170 0/02b34d66: 10.100.100.104 user lookup succeded 4772: 21:55:19.171 0/02b34d66: 10.100.100.104 authen: hdr->seq_no: 5 4772: 21:55:19.171 0/02b34d66: 10.100.100.104 looking for user cisco realm default 4772: 21:55:19.171 0/02b34d66: 10.100.100.104 user lookup succeded 4772: 21:55:19.171 0/02b34d66: 10.100.100.104 shell login for 'cisco' succeeded (profile=netadmin)

Now that is all folks! Now you can and configure authorisation and accounting to have all the A's configured and working.

The authentication succeeds and it is easy to setup

freeRtr full config

Full working router configuration used in this netlab.

!freeRouter-rare v23.6.27-cur
!   
configure
hostname R104
!
vrf definition v1
 rd 1:1
 exit
!
aaa tacacs AAA-1
 secret 123-my_tacacs_key
 server 192.0.2.1
 exit
!
interface ethernet1
 vrf forwarding v1
 ipv4 address 10.100.100.104 255.255.255.0
 no shutdown
 no log-link-change
 exit
!
proxy-profile p1
 vrf v1
 exit
!
ipv4 route v1 0.0.0.0 0.0.0.0 10.100.100.1
!
server telnet R104-T
 security protocol telnet
 login authentication AAA-1
 vrf v1
 exit
!
client proxy p1
!
end

The router has no local users defined. All authenticating users on this router are requested at the AAA-1 TACACS+NG server.

Summary

The freeRtr TACACS+ authentication works, and is easy to setup too. At least the authentication part. 5 different tac_plus clients have been tested, and all work using TACPLUS-NG. This is great.

I must admit there is hardly documentation out there to find. And if you are not experienced in networking protocols and configuration, freeRtr is not easy to setup at first as a GNS3 appliance.

So in a case anyone wants a very basic freeRtr router authentication example, here it is. All components used in this particular AAA netlab here, are free software.

Finally, this is the first netlab, where a freeRtr GNS3 appliance is used. A specific use case, or more a test scenario is given, and it is interesting to find out which parts of the TACACS+ AAA protocol are actually implemented and working in freeRtr. You will not find any documentation about this specific topic, potentially somewhere on some mailing-list. The 3212 working freeRtr tests scenarios selftests are the only way to find something useful about this router.

There is also one official documentation source RARE/freeRtr documentation pages The self-test are depicted there with, the website is a bit sluggish and to over-engineered IMHO, maybe having to few ressources to depict the topology visualisation, or maybe this is only my browser here. Here the positive and more important topics, this website is a valuable source of documentation and the 1-st place to search about freeRtr related topics.

  • Network topology
  • Router configuration
  • Test result

4 picked examples:

The list is big and reviewing this list, there is not much more to add to, when judging by the protocols usage. freeRtr requires much CPU/MEM ressources to run, but compared with all other GNS3 appliances, it boots blazingly fast, and is usable within 10 seconds after start. It is the fastest booting GNS appliance used here, and most flexible. FreeRtr can be turned from CLI only into: RADIUS server, TACACS+ daemon, PPP termination device, IRC server, Authentication server, Authorization server, Syslog server... the list is long. Protocol centric server appliance. Check it out, maybe it is something you never thought of it is.

References

Related TACACS+NG posts: