TACACS+ Test Plan

Related documents

| Document Name | Link |
|---|---|
| AAA_with_SONiC_v2 | https://github.com/Azure/SONiC/blob/gh-pages/doc/AAA_with_SONiC_v2.docx |
| pam_tacplus | https://github.com/jeroennijhof/pam_tacplus/blob/master/README.md |
| tacacs+ daemon | http://manpages.ubuntu.com/manpages/xenial/man8/tac_plus.8.html |

Overview

TACACS+ (Terminal Access Controller Access Control System Plus) provides Authentication, Authorization and Accounting services, used most commonly for administrative access to network devices such as routers, switches and terminal servers.

The purpose is to test the functionality of TACACS+ authentication on the SONiC switch DUT. Each test covers a basic function of the TACACS+ authentication feature and ensures the switch works as expected under production scenarios. The test assumes that a TACACS+ server is connected to the switch DUT and has the TACACS+ daemon (tac_plus) installed.

Scope

The test targets SSH login via TACACS+ authentication. Console login is also supported for TACACS+ authentication; its configuration and process are the same as for SSH login. The test focuses on SSH login because it is the main production scenario.

NOTE: Authorization will be implemented after the CLI shell is ready. Accounting is not in the development plan.

Scale / Performance

No scale/performance test is involved in this test plan.

Related DUT CLI commands

Manual TACACS+ configuration can be done using the config command on the switch DUT.

| Command | Comment |
|---|---|
| Configuration commands | |
| config aaa authentication login { local / tacacs+ } | Authentication login policy |
| config aaa authentication failthrough enable | Enable authentication fail-through |
| config tacacs timeout < 1 - 60 > | TACACS+ server connection timeout |
| config tacacs authtype [ pap / chap ] | TACACS+ authentication service |
| config tacacs passkey < TEXT > | Secret key used to encrypt/decrypt packets |
| config tacacs src_ip < ADDRESS > | Set source IP address for outgoing packets |
| config tacacs add < ADDRESS > --port < 1 - 65535 > --timeout < 1 - 60 > --key < TEXT > --type [ pap / chap ] --pri < 1 - 64 > | Specify a TACACS+ server |
| config tacacs delete < ADDRESS > | Delete a TACACS+ server |
| Show commands | |
| show aaa | Show AAA configuration |
| show tacacs | Show TACACS+ configuration |

Related DUT configuration files

The TACACS+ configuration is not supported in the minigraph. All configuration is saved in config_db.json and loaded by the host config enforcer. The configuration in config_db.json can be generated by the config command or modified manually.

Configuration sample in config_db.json

    "TACPLUS": {
        "global": {
            "auth_type": "pap",
            "src_ip": "100.1.1.1",
            "timeout": "3",
            "passkey": "test123"
        }
    },
    "TACPLUS_SERVER": {
        "10.65.254.248": {
            "priority": "20",
            "tcp_port": "49"
        },
        "10.65.254.222": {
            "priority": "30",
            "tcp_port": "49"
        }
    },
    "AAA": {
        "authentication": {
            "login": "local,tacacs+",
            "failthrough": "True"
        }
    }
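The sample above can be produced programmatically. The following is an added example (not part of this plan or of SONiC's own config tooling) that builds the TACPLUS, TACPLUS_SERVER and AAA tables in the same string-valued shape, enforcing the value ranges listed in the CLI table (timeout 1-60, port 1-65535, priority 1-64, pap/chap, local/tacacs+); the function name `build_tacplus_config` and the (address, port, priority) tuple form are assumptions of this example.

```python
import ipaddress

# Allowed values taken from the DUT CLI table in this plan.
AUTH_TYPES = ("pap", "chap")
LOGIN_POLICIES = ("local", "tacacs+")

def _check_range(name, value, lo, hi):
    if not isinstance(value, int) or not lo <= value <= hi:
        raise ValueError(f"{name} must be an integer in {lo}-{hi}, got {value!r}")

def build_tacplus_config(passkey, src_ip, servers, timeout, auth_type="pap",
                         login=("local", "tacacs+"), failthrough=True):
    """Return the TACPLUS, TACPLUS_SERVER and AAA tables in config_db.json form.

    servers: iterable of (address, tcp_port, priority); the per-server --timeout,
    --key and --type overrides of the CLI are not modelled here (assumption of
    this example). All values are stored as strings, like the sample above.
    """
    if not passkey:
        raise ValueError("passkey must not be empty")
    if auth_type not in AUTH_TYPES:
        raise ValueError(f"auth_type must be one of {AUTH_TYPES}, got {auth_type!r}")
    _check_range("timeout", timeout, 1, 60)
    bad = [p for p in login if p not in LOGIN_POLICIES]
    if bad or not login:
        raise ValueError(f"login policy must list only {LOGIN_POLICIES}, got {login!r}")
    src_ip = str(ipaddress.ip_address(src_ip))      # raises ValueError if malformed
    server_table = {}
    for address, port, priority in servers:
        address = str(ipaddress.ip_address(address))
        if address in server_table:
            raise ValueError(f"duplicate TACACS+ server {address}")
        _check_range(f"tcp_port of {address}", port, 1, 65535)
        _check_range(f"priority of {address}", priority, 1, 64)
        server_table[address] = {"priority": str(priority), "tcp_port": str(port)}
    if not server_table:
        raise ValueError("at least one TACACS+ server is required")
    return {
        "TACPLUS": {"global": {"auth_type": auth_type, "src_ip": src_ip,
                               "timeout": str(timeout), "passkey": passkey}},
        "TACPLUS_SERVER": server_table,
        "AAA": {"authentication": {"login": ",".join(login),
                                   "failthrough": "True" if failthrough else "False"}},
    }
```

The returned dict can be merged into an existing config_db.json; the passkey is stored in clear text there, exactly as in the sample above.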

Related SAI APIs

N/A

Test structure

Setup configuration

Figure: TACACS+_testbed.png

  • TACACS+ server is connected to the management network.

Configuration scripts

TACACS+ related minigraph data

All TACACS+ configuration is saved in config_db.json, not in the minigraph. To avoid confusing users, the TACACS+ server information in ansible/templates/topo/dev_metadata.j2 should be deleted.

TACACS+ server address

The TACACS+ server address is defined in group_vars/lab/lab.yml. The test only uses the first server.

TACACS+ server configuration

The TACACS+ passkey, user account and password are stored in /etc/tacacs/tac_plus.conf for the TACACS+ daemon. They should be deployed on the TACACS+ server.

Configuration sample for passkey in tac_plus.conf

    # Encryption key
    key = "test123"

Configuration sample for user account and password in tac_plus.conf

    group = network_admin {
        default service = permit
        service = exec {
            priv-lvl = 15
        }
        cmd = show {
            permit .*
        }
    }

    user = test
    {
        login = des teWtwbeIm3BdA
        pap = des teWtwbeIm3BdA
        member = network_admin
    }

Note: tac_pwd is a utility supplied with tac_plus to assist in performing the encryption.

Ansible scripts to setup and run test

tacacs.yml includes three parts:

  • tacacs_configure.yml: apply TACACS+ configuration.
  • tacacs_test.yml: run TACACS+ authentication test.
  • tacacs_cleanup.yml: clear TACACS+ configuration from the switch.

Test cases

TACACS+ authentication Test

Test objective

Verify TACACS+ authentication via ssh works.

Test description

  • Enable TACACS+ authentication by config command.
  • Verify that the PAM configuration includes TACACS+ authentication. All PAM configuration for SONiC authentication is saved in /etc/pam.d/common-auth-sonic; this file can be checked to verify that the command was applied correctly.
  • Verify that TACACS+ user login via SSH succeeds and that the login username equals the TACACS+ username. The sshpass command can be used to log in with a password, and whoami can be used to check the current user name.

Failthrough mechanism Test

Test objective

Verify that the failthrough mechanism works. Failthrough is enabled by default. If the failthrough mechanism is disabled, authentication will not pass when any one of the PAM modules returns failure.

Test description

  • Configure local authentication to take priority over TACACS+.
  • Disable authentication failthrough by config command.
  • Verify that TACACS+ user login via SSH fails. When local authentication fails, it returns an error directly and does not proceed to TACACS+ authentication.
  • Enable authentication failthrough by config command.
  • Verify that TACACS+ user login succeeds.
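Both the PAM check of the authentication test and the failthrough behaviour above come down to how the auth stack in common-auth-sonic is evaluated. The following is an added example (not part of this plan, and not SONiC's real PAM template): it parses two constructed auth stacks, extracts the pam_tacplus server entries, and runs a simplified Linux-PAM dispatch to show why a TACACS+-only user is denied before TACACS+ is consulted when failthrough is off. The stack contents, module return codes and the function names are assumptions of this example.

```python
import re

# Two classic PAM control keywords, spelled out in the "[result=action ...]" form
# that the constructed stacks below also use (simplified: no jump actions).
SIMPLE_CONTROLS = {
    "required":  "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite": "success=ok new_authtok_reqd=ok ignore=ignore default=die",
}
LINE_RE = re.compile(r"^auth[ \t]+(\[[^\]]*\]|\S+)[ \t]+(\S+)[ \t]*(.*)$", re.M)

# Constructed auth stacks in the spirit of /etc/pam.d/common-auth-sonic (not the
# real file): local pam_unix first, then pam_tacplus. "failthrough" only changes
# what happens when pam_unix fails: ignore (try TACACS+) or die (deny at once).
STACK_FAILTHROUGH_ON = """
auth [success=done new_authtok_reqd=done default=ignore] pam_unix.so nullok try_first_pass
auth [success=done new_authtok_reqd=done default=ignore] pam_tacplus.so server=10.65.254.248:49 secret=test123 timeout=3
auth requisite pam_deny.so
auth required pam_permit.so
"""
STACK_FAILTHROUGH_OFF = STACK_FAILTHROUGH_ON.replace(
    "default=ignore] pam_unix.so", "default=die] pam_unix.so")

def parse_auth_stack(text):
    """Parse 'auth <control> <module> [args]' lines into (actions, module, args)."""
    stack = []
    for control, module, args in LINE_RE.findall(text):
        spec = control[1:-1] if control.startswith("[") else SIMPLE_CONTROLS[control]
        stack.append((dict(kv.split("=", 1) for kv in spec.split()), module, args))
    return stack

def tacplus_servers(text):
    """Servers named on pam_tacplus.so lines: the 'PAM includes TACACS+' check."""
    return [a[len("server="):] for _, mod, args in parse_auth_stack(text)
            if mod == "pam_tacplus.so" for a in args.split() if a.startswith("server=")]

def login_allowed(text, results):
    """Simplified Linux-PAM dispatch; results maps module name -> its return code."""
    state = None                                   # None | "ok" | "fail"
    for actions, module, _ in parse_auth_stack(text):
        action = actions.get(results.get(module, "auth_err"), actions.get("default", "bad"))
        if action in ("die", "bad"):
            state = "fail"
            if action == "die":
                break
        elif action in ("ok", "done"):
            state = state or "ok"                  # an earlier failure sticks
            if action == "done":
                break                              # "ignore": no effect, keep going
    return state == "ok"
```

With failthrough off, a user that exists only on the TACACS+ server (like `test` from tac_plus.conf) is rejected by pam_unix's `die` before pam_tacplus runs; with failthrough on, pam_unix's failure is ignored and pam_tacplus decides.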

Source address Test

Test objective

Verify that the TACACS+ source address configuration works. In the production scenario, the TACACS+ source address is configured as the loopback address. This test verifies that configuration.

Test description

  • Configure an IP address on the loopback interface of the switch DUT.
  • Configure the loopback address as the TACACS+ source address.
  • Check that the TACACS+ server has no route to the loopback address.
  • Verify that TACACS+ user login via SSH fails.
  • Create a route to the loopback address on the TACACS+ server.
  • Verify that TACACS+ user login via SSH succeeds.