By using an authorization script, we can make tac\_plus do very granular authorization, granting different permissions on different switches based on the user, the source IP and the device IP. However, writing or editing a script every time access needs to change is awkward, and hard-coded authorization scripts are not very flexible, so I wrote a Python program that reads its rules from a config file instead. It is now included in the tac\_plus package.
Configuration is fairly simple. As an example, let's say we want user Homer to have full access to 192.168.1.1 and 10.1.1.0/24, but only show commands on everything else in 10.0.0.0/8. For the heck of it, let's also say Homer may only connect from 192.168.1.0/24, except that from the host 192.168.1.4 he may only run show commands. The config file would simply be as follows:
Example line to put in the tac\_plus user or group stanza (the program is handed the client's source address, the user, the device name, a log file and the rule file):
after authorization "/usr/bin/python /root/do\_auth.pyc -i $address -u $user -d $name -l /root/log.txt -f /root/do\_auth.ini"
(that's all ONE line)
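To make the Homer scenario concrete, here is an added example of my own; it is not do\_auth.py and does not use the do\_auth.ini syntax. It is a small Python policy evaluator that takes the same inputs tac\_plus hands the script (the user, the client's source address, the device, and the requested av pairs on stdin), rebuilds the CLI command from the av pairs, and applies the Homer rules as an ordered, first-match, default-deny rule set. The rule file layout, the rule names and the permit/deny exit codes in main() are my assumptions; the exit-code contract in particular should be checked against the tac\_plus users\_guide for your version.

```python
import argparse
import configparser
import ipaddress
import re
import sys

# Constructed rule set for the Homer scenario. The layout is my own (ordered ini
# sections, first match wins, implicit deny), not the do_auth.ini syntax.
POLICY_INI = """\
[1 homer from 192.168.1.4: show only]
user = homer
src = 192.168.1.4/32
dev = 192.168.1.1/32, 10.0.0.0/8
cmd = show( .*)?
action = permit
[2 homer from 192.168.1.4: nothing else, so rule 3 cannot apply]
user = homer
src = 192.168.1.4/32
dev = 0.0.0.0/0
cmd = .*
action = deny
[3 homer from 192.168.1.0/24: full access]
user = homer
src = 192.168.1.0/24
dev = 192.168.1.1/32, 10.1.1.0/24
cmd = .*
action = permit
[4 homer from 192.168.1.0/24: show only on the rest of 10/8]
user = homer
src = 192.168.1.0/24
dev = 10.0.0.0/8
cmd = show( .*)?
action = permit
"""


def load_rules(text):
    cp = configparser.ConfigParser(interpolation=None)  # ConfigParser keeps file order
    cp.read_string(text)
    rules = []
    for name in cp.sections():
        s = cp[name]
        rules.append({
            "user": s["user"].strip(),
            "src": [ipaddress.ip_network(n.strip()) for n in s["src"].split(",")],
            "dev": [ipaddress.ip_network(n.strip()) for n in s["dev"].split(",")],
            "cmd": re.compile(s["cmd"].strip() + r"\Z"),  # anchored: "show" must not match "showme"
            "action": s["action"].strip(),
        })
    return rules


def in_any(addr, nets):
    return any(ipaddress.ip_address(addr) in n for n in nets)


def command_from_av_pairs(lines):
    """Rebuild the CLI line from the av pairs tac_plus passes on stdin, one per line
    (attr=value mandatory, attr*value optional). Cisco sends cmd=show, cmd-arg=ip,
    cmd-arg=route, cmd-arg=<cr>; the <cr> is dropped. No/empty cmd = exec request -> ''."""
    cmd, args = None, []
    for line in lines:
        m = re.match(r"\s*([^=*]+)[=*](.*)", line)
        if not m:
            continue
        attr, value = m.group(1), m.group(2).strip()
        if attr == "cmd" and cmd is None:
            cmd = value
        elif attr == "cmd-arg" and value != "<cr>":
            args.append(value)
    return " ".join([cmd] + args) if cmd else ""


def authorize(rules, user, src, dev, command):
    """'permit' or 'deny'. An exec request (command == '') is allowed only if some
    permit rule covers this user from this source on this device: no rights, no prompt."""
    scoped = [r for r in rules
              if r["user"] == user and in_any(src, r["src"]) and in_any(dev, r["dev"])]
    if command == "":
        return "permit" if any(r["action"] == "permit" for r in scoped) else "deny"
    for r in scoped:
        if r["cmd"].match(command):
            return r["action"]
    return "deny"


def main(argv=None):
    p = argparse.ArgumentParser()  # switches mirror -i/-u/-d/-f from the tac_plus stanza above
    for flag, dest in (("-i", "address"), ("-u", "user"), ("-d", "device"), ("-f", "rule_file")):
        p.add_argument(flag, dest=dest, required=True)  # -i is $address (client), -d is $name (device)
    a = p.parse_args(argv)
    with open(a.rule_file) as fh:
        rules = load_rules(fh.read())
    command = command_from_av_pairs(sys.stdin.read().splitlines())
    # Exit 0 = permit with the av pairs unchanged, 1 = deny: my reading of the tac_plus
    # after-authorization contract (an assumption); verify it against the users_guide.
    return 0 if authorize(rules, a.user, a.address, a.device, command) == "permit" else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it the way tac\_plus would, for example `python policy.py -i 192.168.1.4 -u homer -d 10.1.1.7 -f rules.ini` with the av pairs on stdin. Rule 2 is the part people forget: without an explicit deny, a non-show command from 192.168.1.4 falls through to rule 3 and is permitted. Note also that a source address of 0.0.0.0 matches none of these rules unless a src list contains it (for example 0.0.0.0/32), which is presumably why the PIX note further down says 0.0.0.0 must be added to the allowed hosts.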
On my server, I set Homer's password file to /etc/passwd and enable cracklib. Homer can change his password any time he wants just by logging in to Linux and typing passwd; he does not need root access. Homer is also forced to pick a secure password, and has different access on different devices. Given these abilities, combined with the quick administration, tac\_plus makes purchasing Cisco's TACACS server seem like a waste of money.
In the future, I may alter the program to be able to send back additional av pairs, and/or completely new av pairs. Currently I simply don't need this feature, as I pass the incoming pairs straight back to tac\_plus. The source code is very simple and is GPL'ed for all to see at http://pastie.org/506002, and is available in compiled, ready-to-use form here. For more instructions, download the compiled .pyc and type “python do\_auth.pyc”. If I ever get time, I may consider a GUI or web interface.
Update: New version 1.2
Fixed PIX support. Also, apparently there is a bug in the PIX that makes it necessary to add 0.0.0.0 to your allowed hosts.