Granular Tacacs Control (Yes, you can do multiple groups)

By using an authorization script, we can make tac\_plus do very granular authorization: different permissions granted on different switches, decided by user, source IP and device IP. However, writing or editing a script every time access has to change is painful, and hard-coded authorization scripts are not very flexible, so I decided to implement a Python program to provide that flexibility. It is now included in the tac\_plus package. Configuration is fairly simple. As an example, let's say I want user Homer to have full access to 192.168.1.1 and 10.1.1.0/24, but only show commands for everything else in 10.0.0.0/8. For the heck of it, let's also say we only want Homer to connect from 192.168.1.0/24, but never from 192.168.1.4, and that host may only do the show commands. The config file would simply be as follows:

```ini
[users]
homer =
     simpson_group
     television_group
[simpson_group]
host_deny =
     192.168.1.4
host_allow =
     192.168.1.*
device_permit =
     192.168.1.1
     10.1.1.*
command_permit =
     .*
[television_group]
host_allow =
     192.168.1.*
device_permit =
     10.*
command_permit =
     show.*
```

Example line to put in a tac\_plus user or group (that's all ONE line):

```
after authorization "/usr/bin/python /root/do_auth.pyc -i $address -u $user -d $name -l /root/log.txt -f /root/do_auth.ini"
```
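To make the group semantics concrete, here is an added Python example (not do\_auth's own code) that loads the example `do_auth.ini` above and decides whether a command is permitted for a user, source IP and device IP. It assumes that entries are Python regexes matched against the whole value and that a group grants access only when `host_deny` does not match while `host_allow`, `device_permit` and `command_permit` all match; the real do\_auth may evaluate these differently.

```python
import configparser
import re

# Constructed copy of the example do_auth.ini from the post (not the tool's own code).
CONFIG_TEXT = """
[users]
homer =
    simpson_group
    television_group
[simpson_group]
host_deny =
    192.168.1.4
host_allow =
    192.168.1.*
device_permit =
    192.168.1.1
    10.1.1.*
command_permit =
    .*
[television_group]
host_allow =
    192.168.1.*
device_permit =
    10.*
command_permit =
    show.*
"""
CONFIG = configparser.ConfigParser(interpolation=None)
CONFIG.read_string(CONFIG_TEXT)

def entries(cp, section, key):
    """Non-empty lines of a multi-line option; an absent option yields []."""
    if not cp.has_option(section, key):
        return []
    return [l.strip() for l in cp.get(section, key).splitlines() if l.strip()]

def matches_any(patterns, value):
    # Assumption: entries are Python regexes matched against the whole string.
    return any(re.fullmatch(p, value) for p in patterns)

def authorize(cp, user, src_ip, device_ip, command):
    """True if any of the user's groups permits the command from src_ip to device_ip.
    Assumed per-group order: host_deny, then host_allow, device_permit, command_permit."""
    for group in entries(cp, "users", user):
        host_ok = (not matches_any(entries(cp, group, "host_deny"), src_ip)
                   and matches_any(entries(cp, group, "host_allow"), src_ip))
        if (host_ok and matches_any(entries(cp, group, "device_permit"), device_ip)
                and matches_any(entries(cp, group, "command_permit"), command)):
            return True
    return False
```

With this config, Homer from 192.168.1.4 still gets show commands on 10.x devices through television\_group, but simpson\_group's full access is withheld from that host.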

On my server, I set homer's password file to /etc/passwd and enable cracklib. Homer can change his password any time he wants just by logging in to Linux and typing passwd – he does not need root access. Homer is also forced to pick a secure password, and has different access on different devices. Given these abilities, combined with the quick administration, tac\_plus makes purchasing Cisco's TACACS server seem like a waste of money.

In the future, I may alter the program to be able to send back additional av-pairs, and/or completely new av-pairs. Currently, however, I simply don't need this feature, as I pass these pairs back to tac\_plus. The source code is very simple and is GPL'ed for all to see at http://pastie.org/506002, and it is available in compiled, ready-to-use form here. For more instructions, download the compiled pyc and type "python do\_auth.pyc". If I ever get time, I may consider a GUI or web interface.

Update: new version 1.2 fixes the PIX. Apparently there is also a bug in the PIX that makes it necessary to add 0.0.0.0 to your allowed hosts.

-Dan Schmidt