Monday, June 2, 2014

Configure QFabric with TACACS+ Authentication

AAA (authentication, authorization and accounting) for this particular scenario will be deployed using the popular TACACS+ protocol between the QFabric and a Unix server.


Common case of AAA

Authentication and Authorization in QFabric Side

set system authentication-order tacplus
set system authentication-order password
set system tacplus-server x.x.x.x port 49
set system tacplus-server x.x.x.x secret "$$$$$"
set system tacplus-server x.x.x.x source-address y.y.y.y
set system tacplus-options service-name junos-exec

Authentication and Authorization in Server Side

group = juniper_users {
        service = junos-exec {
                allow-commands = "(^show+)|(^[/.])|(^ping)|(^telnet)|(^traceroute)|(^quit)|(^monitor)"
                deny-commands = " *"
        }
}

user = juniper170 {
        member = juniper_users

}

User juniper170 already exists on the TACACS+ server and belongs to the juniper_users group, which is why the login is accepted by the TACACS+ server:

login as: juniper170
juniper170@y.y.y.y's password:
Last login: Wed May 21 09:40:16 2014 from 172.172.1.2
Juniper QFabric Director 13.1.8347 2013-11-05 04:54:03 UTC

juniper170@qfabric>

Capturing Communication

We want to make sure the communication flow between the QFabric and the TACACS+ server is working properly in both directions. For testing purposes, enable tcpdump on the server side and open the packet capture in Wireshark.



Encrypted tacplus packet

To understand the TACACS+ protocol, use this simple trick to decrypt the packets, since their body is encrypted by default (strictly speaking it is obfuscated with an MD5-derived keystream, so the shared secret is the only thing protecting the credentials on the wire):


Click on Edit and then Preferences:


Search for the TACACS+ protocol and enter the Encryption Key, which is simply your shared secret:


Filter only tacplus protocol:

Now you will see the Decrypted Request, which contains the username and the other authentication fields:
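What Wireshark does with that key is the TACACS+ body "encryption" from RFC 8907 section 4.5: an MD5 keystream seeded with session_id, the shared secret, version and seq_no, XORed over the body. The following is an added example, not code from the original post; the user name, port, remote address, session_id and the key "example-secret" are constructed values (the post's real secret is masked as "$$$$$"). It builds an authentication START packet, obfuscates it the way the QFabric would, and shows that only the correct secret recovers the username.

```python
import hashlib
import struct

# TACACS+ header (RFC 8907 section 4.1): version, type, seq_no, flags, session_id, length
HEADER = struct.Struct("!BBBBII")
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
VERSION_12_0 = 0xC0  # major version 0xC, minor version 0


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 keystream of RFC 8907 section 4.5; each chunk chains the previous digest."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the keystream. XOR is its own inverse, so this also decodes."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: str, port: str, rem_addr: str) -> bytes:
    """Authentication START body (RFC 8907 section 5.1): action LOGIN, priv_lvl 1, ASCII, LOGIN service."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return bytes([1, 1, 1, 1, len(u), len(p), len(r), 0]) + u + p + r


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """Wrap a body in a header and obfuscate it, as the device does before sending."""
    header = HEADER.pack(VERSION_12_0, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION_12_0, seq_no)


def decode_packet(packet: bytes, key: bytes) -> bytes:
    """Recover the body from a captured packet given the shared secret (what Wireshark does)."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:  # body sent in the clear; nothing to undo
        return body
    return obfuscate(body, session_id, key, version, seq_no)


if __name__ == "__main__":
    pkt = build_packet(authen_start_body("juniper170", "ttyp0", "172.172.1.2"), 0x12345678, b"example-secret")
    print("on the wire:", pkt[HEADER.size:].hex())
    print("right key:  ", decode_packet(pkt, b"example-secret"))
    print("wrong key:  ", decode_packet(pkt, b"wrong-secret"))
```

Because the keystream depends only on the header fields and the secret, the same capture decodes for anyone who obtains the secret later, so it should be guarded like a password and rotated if the TACACS+ server or a capture is exposed.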



Accounting in QFabric Side

set system accounting destination tacplus server x.x.x.x secret "$$$$$"
set system accounting destination tacplus server x.x.x.x single-connection
set system accounting destination tacplus server x.x.x.x source-address y.y.y.y

The accounting feature lets the admin always know what users are doing in their remote sessions:

tail -f /var/log/tac.log | grep juniper170


Final Configuration in QFabric Side

After all the work done above, we end up with a final configuration that looks like this:

set system authentication-order tacplus
set system authentication-order password
set system tacplus-server x.x.x.x port 49
set system tacplus-server x.x.x.x secret "$$$$$"
set system tacplus-server x.x.x.x source-address y.y.y.y
set system tacplus-options service-name junos-exec
set system accounting destination tacplus server x.x.x.x secret "$$$$$"
set system accounting destination tacplus server x.x.x.x single-connection
set system accounting destination tacplus server x.x.x.x source-address y.y.y.y
