Sunday, June 22, 2014

Open linux shell in QFabric

I personally like Linux operating systems such as Debian, Ubuntu, Fedora and others. One of the reasons is the Linux shell, originally called the Unix shell; the most common ones are the Bourne shell (sh), the Bourne-Again shell (bash) and the C shell (csh). Now, could you imagine a better tool in QFabric than a Linux-type shell with a whole bunch of Linux tools in it? The good news is that it is possible, and in this article I show you how to open it up.

First, log in to the network node group and issue the start shell command. Once there, issue su and enter the root password (that is, if you want full root access). Below you can see what this tool looks like:

root@qfabric> request component login NW-NG-0
Warning: Permanently added 'dcfnode-default---nw-ine-0,169.254.192.34' (RSA) to the list of known hosts.
Password:
--- JUNOS 13.1X50-D15.1 built 2013-10-31 14:06:44 UTC
{master}
qfabric-admin@NW-NG-0> start shell
% su
Password:
root@NW-NG-0%
root@NW-NG-0% pwd
/var/home/qfabric-admin

You can also log in to any redundant server node group, such as RSNG1 in the following example:

root@qfabric> request component login RSNG1
Warning: Permanently added 'dcfnode-default-rsng1,169.254.193.10' (RSA) to the list of known hosts.
Password:
--- JUNOS 13.1X50-D15.1 built 2013-10-31 14:06:52 UTC
{master}
qfabric-admin@RSNG1> start shell
% su
Password:
root@RSNG1%
root@RSNG1% pwd
/var/home/qfabric-admin

From that point, whichever group you are logged in to, you can issue Linux-style commands. For instance, I wanted to check the system processes together with their CPU and memory consumption.

% ps -auxw | awk -F' ' '{print $1,$2,$3,$4}' | sed -n -e 1,4p
USER PID %CPU %MEM
root 31 93.9 0.0
root 32 93.9 0.0
root 33 93.9 0.0

I encourage all QFabric admins to get into the habit of using the shell as a troubleshooting tool. You'll never regret it.

Monday, June 2, 2014

Configure QFabric with TACACS+ Authentication

AAA (authentication, authorization and accounting) for this particular scenario will be deployed using the popular TACACS+ protocol between QFabric and a Unix server.


Common case of AAA

Authentication and Authorization in QFabric Side

set system authentication-order tacplus
set system authentication-order password
set system tacplus-server x.x.x.x port 49
set system tacplus-server x.x.x.x secret "$$$$$"
set system tacplus-server x.x.x.x source-address y.y.y.y
set system tacplus-options service-name junos-exec

Authentication and Authorization in Server Side

group = juniper_users {
        service = junos-exec {
                allow-commands = "(^show+)|(^[/.])|(^ping)|(^telnet)|(^traceroute)|(^quit)|(^monitor)"
                deny-commands = " *"
        }
}

user = juniper170 {
        member = juniper_users
}

User juniper170 already exists in TACACS+ and belongs to the juniper_users group, which is why the TACACS+ server accepts the login:

login as: juniper170
juniper170@y.y.y.y's password:
Last login: Wed May 21 09:40:16 2014 from 172.172.1.2
Juniper QFabric Director 13.1.8347 2013-11-05 04:54:03 UTC

juniper170@qfabric>

Capturing Communication

We want to make sure the communication flow between QFabric and the TACACS+ server is working properly in both directions. For testing purposes, run tcpdump on the server side and open the packet capture in Wireshark.



Encrypted tacplus packet

To understand the TACACS+ protocol, here is a simple trick to decrypt the packets, since they are encrypted by default.


Click on Edit and then Preferences:


Search for the TACACS+ protocol and enter the Encryption Key, which is simply your shared secret:


Filter on the tacplus protocol only:

Now you will see the Decrypted Request, which contains the username and so on:
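What Wireshark does with that Encryption Key is worth seeing in code, because it explains why the shared secret is the only thing protecting these packets on the wire. TACACS+ does not use a cipher at all: the body is XORed with a pseudo-pad built from chained MD5 hashes of the session ID, the shared secret, the version byte and the sequence number (RFC 8907 section 4.5), and the same XOR both obfuscates and de-obfuscates. The following is an added example written for this article, not code from the page, from Wireshark or from tac_plus. The packet it works on is constructed here (a login START for juniper170 with an arbitrary session ID), and the secret "$$$$$" is just the placeholder the configuration above uses.

```python
import hashlib
import struct

# TACACS+ packet header (RFC 8907 section 4.1):
# version, type, seq_no, flags, session_id, body length
HEADER = struct.Struct("!BBBBII")
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
VERSION = 0xC0  # major version 12, minor version 0


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 pseudo-pad.

    MD5_1 = MD5(session_id, key, version, seq_no)
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1)
    The digests are concatenated and truncated to the body length.
    """
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def transform_body(packet, key):
    """XOR the body with the pseudo-pad derived from key.

    Applying this twice restores the original bytes, so one function
    serves both directions (obfuscate on send, recover on capture).
    """
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return packet  # body is already cleartext; nothing to undo
    pad = pseudo_pad(session_id, key, version, seq_no, length)
    return packet[:HEADER.size] + bytes(a ^ b for a, b in zip(body, pad))


def build_authen_start(user, port, rem_addr, session_id, key):
    """Constructed authentication START packet (RFC 8907 section 5.1), obfuscated with key."""
    user, port, rem_addr = user.encode(), port.encode(), rem_addr.encode()
    # action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), service=LOGIN(1),
    # then user_len, port_len, rem_addr_len, data_len
    body = struct.pack("!8B", 1, 1, 1, 1, len(user), len(port), len(rem_addr), 0)
    body += user + port + rem_addr
    header = HEADER.pack(VERSION, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return transform_body(header + body, key)


def username_from_start(packet, key):
    """Recover the body with key and return the username from a START packet."""
    clear = transform_body(packet, key)
    body = clear[HEADER.size:]
    user_len = body[4]
    return body[8:8 + user_len].decode()


if __name__ == "__main__":
    SECRET = b"$$$$$"  # placeholder secret from the QFabric configuration above
    pkt = build_authen_start("juniper170", "tty0", "172.172.1.2", 0x1234ABCD, SECRET)
    print("on the wire :", pkt.hex())
    print("username    :", username_from_start(pkt, SECRET))
```

Two things follow from this for the deployment described here. First, anyone who can read the capture and knows the secret reads every username and password exchanged, so the secret deserves the same care as a root password and the path between QFabric and the server should not be a shared segment. Second, a packet with the unencrypted flag set carries the body in cleartext, which is a useful thing to check for in a capture.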



Accounting in QFabric Side

set system accounting destination tacplus server x.x.x.x secret "$$$$$"
set system accounting destination tacplus server x.x.x.x single-connection
set system accounting destination tacplus server x.x.x.x source-address y.y.y.y

The accounting feature allows the admin to always know what users are doing in remote sessions:

tail -f /var/log/tac.log | grep juniper170
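Watching tac.log with grep is fine for a live session; for a periodic review it helps to turn the records into a per-user command list and compare it with the authorization policy configured above. The script below is an added example written for this article, not part of the page or of tac_plus. It assumes the common tac_plus accounting layout of tab-separated fields (timestamp, NAS address, user, port, remote address, record type, then attribute=value pairs), and the sample lines are constructed to look like that layout; the allow-commands regex is copied from the juniper_users group definition. Any recorded command that does not match the allow-commands regex is reported, which on a correctly enforced policy should yield an empty list.

```python
import re
from collections import defaultdict

# allow-commands regex from the tac_plus juniper_users group on this page
ALLOW_COMMANDS = re.compile(
    r"(^show+)|(^[/.])|(^ping)|(^telnet)|(^traceroute)|(^quit)|(^monitor)"
)

# Constructed sample accounting lines (assumed tac_plus layout, tab-separated):
# timestamp, NAS, user, port, remote address, record type, attribute=value pairs
SAMPLE_LOG = """\
Wed May 21 09:40:16 2014\tx.x.x.x\tjuniper170\ttty0\t172.172.1.2\tstart\ttask_id=101\tservice=shell
Wed May 21 09:40:30 2014\tx.x.x.x\tjuniper170\ttty0\t172.172.1.2\tstop\ttask_id=102\tservice=shell\tcmd=show version
Wed May 21 09:41:02 2014\tx.x.x.x\tjuniper170\ttty0\t172.172.1.2\tstop\ttask_id=103\tservice=shell\tcmd=ping 10.1.1.1
Wed May 21 09:42:10 2014\tx.x.x.x\tjuniper170\ttty0\t172.172.1.2\tstop\ttask_id=104\tservice=shell\tcmd=configure
Wed May 21 09:43:00 2014\tx.x.x.x\tadmin2\ttty1\t172.172.1.9\tstop\ttask_id=105\tservice=shell\tcmd=show interfaces
"""


def parse_record(line):
    """Split one accounting line into its fixed fields and an attribute dict."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6:
        return None  # not an accounting record (blank or malformed line)
    rec = {
        "time": fields[0],
        "nas": fields[1],
        "user": fields[2],
        "port": fields[3],
        "rem_addr": fields[4],
        "type": fields[5],
        "attrs": {},
    }
    for av in fields[6:]:
        key, sep, value = av.partition("=")
        if sep:
            rec["attrs"][key] = value
    return rec


def commands_by_user(log_text):
    """Return {user: [commands in order]} from stop records that carry a cmd attribute."""
    cmds = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and "cmd" in rec["attrs"]:
            cmds[rec["user"]].append(rec["attrs"]["cmd"])
    return dict(cmds)


def outside_policy(log_text, allow=ALLOW_COMMANDS):
    """List (user, command) pairs that the allow-commands regex would not have permitted."""
    return [
        (user, cmd)
        for user, cmds in commands_by_user(log_text).items()
        for cmd in cmds
        if not allow.search(cmd)
    ]


if __name__ == "__main__":
    for user, cmds in commands_by_user(SAMPLE_LOG).items():
        print(f"{user}: {cmds}")
    for user, cmd in outside_policy(SAMPLE_LOG):
        print(f"review: {user} ran '{cmd}', not covered by allow-commands")
```

To run it against the real file, replace SAMPLE_LOG with the contents of /var/log/tac.log; the two functions take any text in that layout. A non-empty result from outside_policy means either the accounting shows something the authorization regex should have blocked, or the regex in the group definition differs from what the server actually has loaded, and both are worth a look.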


Final Configuration in QFabric Side

After all the work done above, we end up with a final configuration that looks like the lines below:

set system authentication-order tacplus
set system authentication-order password
set system tacplus-server x.x.x.x port 49
set system tacplus-server x.x.x.x secret "$$$$$"
set system tacplus-server x.x.x.x source-address y.y.y.y
set system tacplus-options service-name junos-exec
set system accounting destination tacplus server x.x.x.x secret "$$$$$"
set system accounting destination tacplus server x.x.x.x single-connection
set system accounting destination tacplus server x.x.x.x source-address y.y.y.y