Cisco Employee

NSO Tacacs package

 

Hi Team ,

 

 

Believe we need a 'tacacs_auth-*.tar.gz' package for TACACS configuration and integration on NSO. One of the last files used by one of our team members on an earlier TACACS integration with NSO was 'tacacs_auth-v1-08212015.tar.gz'.

 

 

We want to do the TACACS integration with NSO at the moment for a customer.

 

 

Can anyone point out the location to find this tacacs package?

 

 

Thanks,

 

Vineet

 

10 REPLIES 10
Cisco Employee

 

Hi Vineet,

 

 

Please see attached with a readme.

 

 

Sincerely,

Michel P 

Cisco Employee

 

Hi Michel,

 

 

Appreciate sharing the package and the steps. Thank you!

We are going to try this out tomorrow. Will keep you posted.

 

 

Regards,

 

Vineet

 

Cisco Employee

 

Hi All,

 

 

Coming back to this topic, the package I got is tacacs_auth-v2-09012015.tar.gz and tacacs_auth.readme.txt.

Has anyone tried this integration and can share the full (steps) experience here? My NSO server is not connected to the internet, though, and I am having trouble running cpan -i Authen::TacacsPlus… etc.

Appreciate any hints, ideas and help.

 

 

Regards

 

Mengbin

 

Cisco Employee

 

Hi Mengbin,

 

 

You should be able to download the Authen::TacacsPlus module and install it manually on the server without cpan.

 

 

The module can be found here:

 

 

http://search.cpan.org/~mshoyher/TacacsPlus-0.16/TacacsPlus.pm

 

 

And I’ve listed below some steps I found online:

 

 

root@user-VirtualBox:/tmp# tar xzf TacacsPlus-0.16.tar.gz
root@user-VirtualBox:/tmp# cd TacacsPlus-0.16/
root@user-VirtualBox:/tmp/TacacsPlus-0.16# perl Makefile.PL
Configuring for linux ...
Checking if your kit is complete...
Looks good
MakeMaker (v6.66)
Writing Makefile for Authen::TacacsPlus::tacplus
Writing MYMETA.yml and MYMETA.json
Writing Makefile for Authen::TacacsPlus
Writing MYMETA.yml and MYMETA.json
root@user-VirtualBox:/tmp/TacacsPlus-0.16# make
cp TacacsPlus.pm blib/lib/Authen/TacacsPlus.pm
cd tacpluslib && make -e
make[1]: Entering directory `/tmp/TacacsPlus-0.16/tacpluslib'
cc -c   -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fstack-protector -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -g   -DVERSION=\"\" -DXS_VERSION=\"\" -fPIC "-I/usr/lib/perl/5.18/CORE"  -DLINUX encrypt.c
encrypt.c: In function ‘create_md5_hash’:

root@user-VirtualBox:/tmp/TacacsPlus-0.16# make install
make[1]: Entering directory `/tmp/TacacsPlus-0.16/tacpluslib'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/tmp/TacacsPlus-0.16/tacpluslib'
Files found in blib/arch: installing files in blib/lib into architecture dependent library tree
Installing /usr/local/lib/perl/5.18.2/auto/Authen/TacacsPlus/TacacsPlus.bs
Installing /usr/local/lib/perl/5.18.2/auto/Authen/TacacsPlus/TacacsPlus.so
Installing /usr/local/lib/perl/5.18.2/Authen/TacacsPlus.pm
Installing /usr/local/man/man3/Authen::TacacsPlus.3pm
Appending installation info to /usr/local/lib/perl/5.18.2/perllocal.pod

 

Cisco Employee

 

Hi Michel,

 

 

    Thank you very much for this. I will give it a try.

 

 

Regards

 

Mengbin

 

Cisco Employee

 

Hi Michel;

Considering this in the “readme file”:

6. Edit /var/opt/ncs/tacacs_auth.properties to include the TACACS server's communication details and the defaults for authenticated users.

SERVER=192.168.1.1
SECRET_KEY=cisco
USERS_GROUP=oper
USERS_HOMEDIR=/home/

Users that authenticate using external authentication can be assigned to a group by modifying the value of USERS_GROUP in tacacs_auth.properties. Note that all users

How can we assign users to different groups using TACACS external authentication? (not always to the same one, like oper in this example)

 

Best Regards
Paulo Oliveira

 

Cisco Employee

 

Hi Paulo,

 

 

The TACACS protocol does not support group queries. There is a concept of privilege-level, which is a 4-bit numerical value of 0-15; still, the library we use in that script does not support it.

 

 

You can implement your own logic in the script to set different groups for different users but you’ll have to use other means to determine to which group a user belongs.

 

 

Best Regards,

 

.:|:.:|:. Michel Papiashvili
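
Added example, not part of the thread or of the tacacs_auth package: a Python sketch of the per-user group lookup described in the reply above, falling back to USERS_GROUP from tacacs_auth.properties when a user has no entry. The per-user map, the set of known NSO groups, the rule that the home directory is USERS_HOMEDIR plus the username, and the 0600 permission check on the properties file (it holds SECRET_KEY) are all assumptions of this example.

```python
import os
import re
import stat

# Constructed sample: the readme's properties plus a hypothetical per-user map.
SAMPLE_PROPS = "SERVER=192.168.1.1\nSECRET_KEY=cisco\nUSERS_GROUP=oper\nUSERS_HOMEDIR=/home/\n"
SAMPLE_MAP = {"alice": ["admin"], "bob": ["oper", "audit"]}  # hypothetical users and groups
KNOWN_GROUPS = {"admin", "oper", "audit"}  # groups assumed to be defined in NSO

# Conservative username pattern so the name is safe to use in a lookup and a path.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def parse_properties(text):
    """Parse KEY=VALUE lines, skipping blank lines and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        props[key.strip()] = value.strip()
    return props


def load_properties(path):
    """Read the file only if group and others have no access: it holds SECRET_KEY."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} has mode {mode:o}; expected 600")
    with open(path, encoding="utf-8") as fh:
        return parse_properties(fh.read())


def resolve_user(user, props, group_map, known_groups):
    """Return (groups, homedir) for a user that TACACS+ has already authenticated."""
    if not USERNAME_RE.fullmatch(user):
        raise ValueError("username not acceptable for group lookup or home path")
    # No entry in the map means the default group from the properties file.
    groups = group_map.get(user) or [props["USERS_GROUP"]]
    unknown = sorted(set(groups) - set(known_groups))
    if unknown:
        raise ValueError(f"groups not defined in NSO for {user}: {unknown}")
    return groups, os.path.join(props["USERS_HOMEDIR"], user)
```
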

 

Cisco Employee

 

View previous thread on this topic here, on how to trick TACACS to do group authorisation with fake commands. TACACS can match commands and block/authorise them.

 

Stefano

 
