x83.net » tacacs

Juniper Tacacs & Rancid

Giany — Sun, 14 Jun 2009 06:36:03 +0000

Short howto on Configure Tacacs+ and Rancid on Juniper.

Download Tacacs from : ftp://ftp.shrubbery.net/pub/tac_plus/ also you will need tcp_wrappers for tac_plus to work.

Install tcp_wrappers and tacacs

yum install -y tcp_wrappers
yum install -y tcp_wrappers-devel
yum install -y tcp_wrappers-libs
Download ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F4.0.4.15.tar.gz
tar zxvf tacacs+-F4.0.4.15.tar.gz
cd tacacs+-F4.0.4.15
./configure
make
make install

Setup tacacs.conf

key = “secretkey”
accounting file = /var/log/tac_plus
acl = HomeNet {
permit = 10.2.2.1
}
user = rancid {
default service = permit
login = cleartext mypass
enable = cleartext mypass
service = junos-exec {
local-user-name = operations
}
}
user = giany {
default service = permit
login = cleartext mypass
enable = cleartext mypass
service = junos-exec {
local-user-name = operations
}

}

Configure Juniper Tacacs

set system authentication-order [ tacplus password ]

set system tacplus-server 10.2.2.1 secret secretkey
set system accounting events login
set system accounting events interactive-commands
set system accounting destination tacplus
set system login class network permissions network
set system login class network permissions view
set system login user operations full-name “Users with Full Access”
set system login user operations uid 9999
set system login user operations class super-user
set system login user operations authentication encrypted-password “xxx”
set system login user restricted full-name “Restricted”
set system login user restricted uid 2000
set system login user restricted class read-only
set system login user restricted authentication encrypted-password “xxx”

RANCID

# adduser rancid
Download ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.1.tar.gz
# tar zxvf rancid-2.3.1.tar.gz
# cd rancid-2.3.1
# ./configure –prefix=/home/rancid
# su – rancid
# set CVSROOT /home/rancid/var/CVS
# cvs init
# rancid-cvs

.cloginrc

add method 10.2.2.2 ssh

add method 10.100.100.1 ssh
add user olive rancid
add user cisco rancid
add password olive {mypass} {mypass}
add password cisco {mypass} {mypass}

Debug

[rancid@box ~]$ clogin cisco
cisco
spawn ssh -c 3des -x -l rancid cisco
rancid@cisco’s password:
Corp:2>enable
Password:
Corp:2#

[rancid@box ~]$ jlogin olive
olive
spawn ssh -c 3des -x -l rancid olive

WARNING: You are being watched.
rancid@olive’s password:
— JUNOS 7.4R2.6 built 2006-01-20 14:27:46 UTC
rancid@olive.x83.net>

# tail -f /var/log/tac_plus

Mon Aug 4 16:20:37 2008 10.2.2.2 rancid ttyp0 olive.x83.net stop task_id=1 service=shell elapsed_time=263 process*mgd[7038] cmd=logout
Mon Aug 4 16:26:15 2008 10.100.100.1 rancid tty2 10.100.100.100 start task_id=58 timezone=UTC service=shell
Mon Aug 4 16:26:43 2008 10.100.100.1 rancid tty2 10.100.100.100 stop task_id=58 timezone=UTC service=shell disc-cause=1 disc-cause-ext=1020 connect-progress=101 elapsed_time=28 nas-rx-speed=0 nas-tx-speed=0
Mon Aug 4 16:26:56 2008 10.2.2.2 rancid ttyp0 olive.x83.net start task_id=1 service=shell process*mgd[7045] cmd=login
Mon Aug 4 16:27:03 2008 10.2.2.2 rancid ttyp0 olive.x83.net stop task_id=1 service=shell elapsed_time=8 process*mgd[7045] cmd=logout
Mon Aug 4 16:27:15 2008 10.2.2.2 rancid ttyp0 olive.x83.net start task_id=1 service=shell process*mgd[7049] cmd=login

Set idle-timeout so after a while a user will get disconnect:

login
class admin {
idle-timeout 4;
permissions all;
}
user test {
class admin
}

On terminal you will get smth like that:

test@br0> Warning: session will be closed in 1 minute if there is no activity
Warning: session will be closed in 10 seconds if there is no activity
Idle timeout exceeded: closing session
Connection closed by foreign host.

First steps configuring Juniper Routers

Giany — Fri, 12 Jun 2009 03:34:34 +0000

Configure the router

Use the following commands to configure the router:


	root# cli
	root@>
	cli> configure
	[edit]
	root@# set system host-name olive.x83.net
	root@# set system domain-name x83.net
	root@# set interfaces fxp0 unit 0 family inet address 10.2.2.2/24
	root@# set system backup-router 10.2.2.1
	root@# set system name-server 10.2.2.1
	root@# set system root-authentication plain-text-password
	New password:
	Retype password:
	root@ show
	system {
	    host-name olive.x83.net;
	    domain-name x83.net;
	    backup-router 10.2.2.1;
	    root-authentication {
	         encrypted-password "$1$gNTKIVLL$nSw2LduQttCiGipspveEq."; ## SECRET-DATA
	    }
	    name-server {
	         10.2.2.1;
	}
	interfaces {
	    fxp0 {
	        unit 0 {
	            family inet {
	                address 10.2.2.2/24;
	            }
	        }
	    }
	}
	root@# commit
	root@olive.x83.net# exit
	root@olive.x83.net>

Other config params :

        root@olive.x83.net# set system ntp server  192.168.2.100
	root@olive.x83.net# set system time-zone Europe/Bucharest
	root@olive.x83.net# set system services ssh
	root@olive.x83.net# set interfaces lo0 unit 0 family inet address  10.200.200.1/32

root@olive.x83.net> configure  exclusive   //if several people login only you can use "configure"
root@olive.x83.net> status
root@olive.x83.net> request system logout user  john //kick someone out

The ””’show | display set””’ command is a handy way to reverse-engineer a router configuration when you are trying to duplicate portions of a configuration on many routers or when you need to write up configuration, monitoring, or troubleshooting procedures for your network operations staff. This command is especially useful if the configuration is complex and when setting it up involves many long commands and lots of typing.

Add comments


root@olive.x83.net# set area  0.0.0.0 interface fe-0/0/0
root@olive.x83.net# annotate area  0.0.0.0 "MESH routers"
root@olive.x83.net# show
	/* MESH routers */
	area 0.0.0.0 {
	     interface fe-0/0/0.0;
	}

To delete a comment, use the annotate command with an empty string:

root@olive.x83.net# annotate area  0.0.0.0 ""

Check syntax (commit)

After configuring issue ””’commit””’ command.


root@olive.x83.net# commit check

If there are no errors you recieve : ”configuration check succeeds”

To debug commit :


root@olive.x83.net# commit | display detail

To exit from a lower level to operational mode : ””exit configuration-mode””

Backing up configuration


root@olive.x83.net# file copy /config/juniper.conf.gz  box:/root/tmp
root@olive.x83.net# save box:configMay
root@olive.x83.net# save  configMay                     //copy to a localfile
root@olive.x83.net# run file show  configMay         //to view it
root@olive.x83.net# run show system storage       // view diskspace

To backup every time you ””’commit””’:


root@olive.x83.net# set archival configuration transfer-on-commit
root@olive.x83.net# set archival configuration archive-sites ftp: //giany:password@box:/m40configs

Rollback


root@olive.x83.net# rollback 1   //loads other config
root@olive.x83.net# show
root@olive.x83.net# commit
root@olive.x83.net# rollback ?  //view rollbacks

View logs

root@olive.x83.net# run show log
root@olive.x83.net# run show log messages

Install different jinstall

root@olive.x83.net# request system software add validate box:jinstall-8.4R2.6-domestic-signed.tgz

Or copy the file to /var/tmp

root@olive.x83.net# file copy box:jinstall-8.4R2.6-domestic-signed.tgz /var/tmp
root@olive.x83.net# request system software add validate /var/tmp/jinstall-8.4R2.6-domestic-signed.tgz //and reboot here

and then reboot:

root@olive.x83.net# request system reboot

Gather system informations

root@olive.x83.net# show version
root@olive.x83.net# show version detail
root@olive.x83.net# show system processes
root@olive.x83.net# run show system processes | match /syslogd
root@olive.x83.net# run request support information
root@olive.x83.net# run file list detail /var/tmp //look for cores


root@olive.x83.net# run show system users 

 2:40PM  up 10:12, 1 user, load averages: 0.01, 0.06, 0.07
USER     TTY      FROM                              LOGIN@  IDLE WHAT
root     p1       10.2.2.1                         2:28PM      - cli


root@olive.x83.net# run show system uptime
Current time: 2008-05-24 13:52:15 EEST
System booted: 2008-05-24 04:29:05 EEST (09:23:10 ago)
Protocols started: 2008-05-24 04:34:42 EEST (09:17:33 ago)
Last configured: 2008-05-24 13:38:28 EEST (00:13:47 ago) by root
 1:52PM  up 9:23, 1 user, load averages: 0.00, 0.02, 0.00

Accounts


root@olive.x83.net# set system login user giany full-name Giany
root@olive.x83.net# set system login user giany uid 1000
root@olive.x83.net# set system login user giany class super-user
root@olive.x83.net# set system login user giany authentication encrypted-password "$1$gNTKIVLL$nSw2LduQttCiGipspveE3."


root@olive.x83.net# set system login password password maximum-length 18   // max length
root@olive.x83.net# set system login password password minimum-length 8   // min lenght
root@olive.x83.net# set system login password password minimum-changes 3   // 3 case changes

Tacacs

To allow authentification of users :

root@olive.x83.net# set login user operations class super-user
root@olive.x83.net# set login user operations full-name “Operations Account”
root@olive.x83.net# set login user operations uid 9999
root@olive.x83.net# set system authentication-order [ tacplus password ];
root@olive.x83.net# set tacacs-server 10.2.2.1 secret aaaaa

SSH/Telnet Filter

You want to filter incoming ssh/telnet connections to a set of ips. First create a prefix-list with allowed ips then create a policer that will discard all incoming connections. After that create the policer that will allow your prefix-list. In the end create the filters for discard/accept and apply the filter to the specified interface.


set policy-options prefix-list telnet-ssh-sessions 10.2.2.1/32
set firewall policer 1m-bw-limit if-exceeding bandwidth-limit 1m
set firewall policer 1m-bw-limit if-exceeding burst-size-limit 15k
set firewall policer 1m-bw-limit then discard
set firewall policer 20m-bw-limit if-exceeding bandwidth-limit 20m
set firewall policer 20m-bw-limit if-exceeding burst-size-limit 1m
set firewall policer 20m-bw-limit then discard
set firewall filter re-filter term police-ssh from source-prefix-list telnet-ssh-sessions
set firewall filter re-filter term police-ssh from protocol tcp
set firewall filter re-filter term police-ssh from port ssh
set firewall filter re-filter term police-ssh from port telnet
set firewall filter re-filter term police-ssh from tcp-initial
set firewall filter re-filter term police-ssh then policer 1m-bw-limit
set firewall filter re-filter term police-ssh then accept
set firewall filter re-filter term ssh-telnet from source-prefix-list telnet-ssh-sessions
set firewall filter re-filter term ssh-telnet from protocol tcp
set firewall filter re-filter term ssh-telnet from port ssh
set firewall filter re-filter term ssh-telnet from port telnet
set firewall filter re-filter term ssh-telnet then policer 20m-bw-limit
set firewall filter re-filter term ssh-telnet then accept

set interfaces fxp0 unit 0 family inet filter input re-filter         //apply filter

Sending messages


request message all message "Log out immediately"
request system logout terminal p0
request system logout user giany
request message user giany message "Log out immediately"

Cisco Tacacs configuration

Giany — Fri, 12 Jun 2009 02:35:36 +0000

aaa new-model
aaa authentication login default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

tacacs-server host 10.100.100.100 timeout 5
no tacacs-server directed-request
tacacs-server key 7 key

Also check :