OpenBSD Journal

OpenBSD, Cisco, and Tacacs+

Contributed by jose on from the centralized-authentication dept.

Steve Rue writes:
" I come from a pretty decent networking background, including a lot of Cisco work. Given that, and the usefulness I've found from OpenBSD at home (apache, bind, pf, etc...), I've been looking for ways to integrate at least one OpenBSD box in my latest job. What I've come up with is sort of a catch all for miscellaneous services I'd like on my network, including: I.T. web server, ntp server, tftp, and last but not least, a tacacs+ server. For those of you who are unfamiliar with tacacs+, it is a centralized authentication database for Cisco products - routers, switches, etc. I was already thinking I wanted an OpenBSD box somewhere on my network, before I even realized there was a tacacs+ port (~/ports/net/tacacs+). My network only has about 15 routers currently, each previously running its own local authentication database. I hate this, btw. Anytime you can have a centralized authentication scheme set up, I say go for it. "
Steve's sent us an entire document, keep reading!

" First, let me start by saying I began with a routine installaltion of OpenBSD 3.2, via ftp - I chose to install everything, including X, well, just because I felt like it. After this, I of course applied all of the latest patches, and recompiled the kernel. Onto the good stuff...

I installed tacacs+ from the ports tree. You can also download tacacs+ from Cisco's ftp site, but installing is much easier from the ports tree.

    cd ~/ports/net/tacacs+
    make install
I know there are other ways to install ports, this is just the method I most often choose. This installs the tac_plus daemon under /usr/local/sbin/tac_plus. It is upto you where you want the configuration file to go.
  mkdir /usr/local/tac
  cd /usr/local/tac
  vi tac.conf
Choose whatever location/filename you're comfortable with. The guide is installed in /usr/local/share/doc/tacacs+/users_guide. This is a really good, and extensive guide, which covers both the router side configuration, as well as the tacacs+ configuration file. I chose to print it out, which came out to just over 40 pages. There is also a man page for tac_plus - 'man tac_plus'. Before you go on, note that you should have a working tacacs+ daemon running BEFORE you configure anything on the router.

I kept the tacacs config file very simple, as right now, only one person needs access to the routers - me.

#/usr/local/tac/tac.conf
user = myname
 {
  global = cleartext password_here
 )

user = $enab15$
{
  login = cleartext enable_passwd_here
}
This was the extent of my config file. Like I said, mine is pretty simple, since it is just me who needs access to the router. There are many more options, with great examples in the users_guide. It also provides for functionality that what is shown here. You can also only give persons access to only certain commands. Anyone needing this kind of functionality, it's here. You can also authenticate off of the /etc/passwd file. Before you start/test the tacacs daemon, add this to your /etc/services file:
tacacs          49/tcp

What follows is the configuration on the routers needed to support tacacs+ authorization.

enable secret local_enable_password
aaa new-model
tacacs-server host XX.XX.XX.XX
aaa authentication login default tacacs+
aaa authentication login default tacacs+ enable
aaa authentication enable default tacacs+
To start the tacacs+ daemon, simply run:
/usr/local/sbin/tac_plus -C /usr/local/tac/tac.conf     
again, there are plenty more options available if you need them.

After doing this, I set up a tftp server on my OpenBSD box also, as most people know who have worked with Cisco products, they love to use tftp servers. Uncomment the following line in /etc/inetd.conf -

#tftp           dgram   udp     wait    root    /usr/libexec/tftpd      tftpd -s -c /tftpboot
Then send a sighup to inetd. I used the '-c' option because it allows files to be copied via tftp, if they aren't already created. Why this isn't the default, I dont know. Make sure the directory '/tftpboot' or whatever you choose has the proper permissions. For laziness sake, I do a chmod 777 /tftpboot. I use my tftp server to keep stored copies of the router configs incase I need them, as well as IOS'es for each router model on my network.

btw, here's the Cisco license on tacacs+:

Copyright (c) 1995-2000 by Cisco systems, Inc.

Permission to use, copy, modify, and distribute modified and unmodified copies of this software for any purpose and without fee is hereby granted, provided that (a) this copyright and permission notice appear on all copies of the software and supporting documentation, (b) the name of Cisco Systems, Inc. not be used in advertising or publicity pertaining to distribution of the program without specific prior permission, and (c) notice be given in supporting documentation that use, modification, copying and distribution is by permission of Cisco Systems, Inc.

Cisco Systems, Inc. makes no representations about the suitability of this software for any purpose. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. I know this article will probably raise more questions than it answered, but hopefully it gets some of you started in the right direction. For tac_plus questions, refer to the users_guide. For Cisco config questions, refer to the proper IOS help pages.

- Steve"

(Comments are closed)


Comments
  1. By Anonymous Coward () on

    > as most people know who have worked with Cisco
    > products, they love to use tftp servers

    No kidding. Not only do they love tftp, they also love telnet.
    Cisco doesn't exactly a legacy of security going for them and their products.

    After far too much experience with Cisco products, I'd much rather use OpenBSD on something like a blade server. Security, performace, flexibility, easy administration, etc.

    Comments
    1. By miro () on

      snip-- After far too much experience with Cisco products, I'd much rather use OpenBSD on something like a blade server. Security, performace , flexibility, easy administration, etc. --snip

      Does an OBSD blade server have better performance than a Cisco?

      Comments
      1. By Anonymous Coward () on

        Has anyone tried to run OpenBSD on the new Dell 1665MMC blade servers? That looks like a really cool product.

      2. By Anonymous Coward () on

        yeah i'd like to see some sort of real world performance comparison. I'm a huge openbsd fan of course (why else would i be here), but i find it hard to believe that obsd can beat out a dedicated hardware solution from cisco.

        i'm sure the obsd box is more flexible than a cisco device, but we're talking performance here.

        Comments
        1. By Anonymous Coward () on

          I find it hard to believe also. You're actually not only talking about performance but *capability*. Cisco routers handle a very large and time tested catalogue of protocols (and thousounds of protocol options) that I don't believe OpenBSD is mature enough to compete with. You could surely measure performance just passing IP, but comparisons with routing protocol compatibility (EIGRP, OSPF, BGP, etc.), or even IPX would probably come up short (in the case of the routing protocols, you'd be depending on third-party software to beat out what a cisco series router can do in it's sleep). This is all pretty much true for any OS platform you'd compare to a cisco product. Regardless, it would be interesting to see.

          Comments
          1. By RC () on

            There is GNU Zebra, and MRTD to support most of the routing protocols... I don't know why you would expect EIGRP, Cisco's own propritary protocol, to work with OpenBSD.

            OpenBSD does have IPX support, as well as AppleTalk support, you just need to compile a new kernel with them uncommented. OpenBSD doesn't include the IPX RIP software, but FreeBSD does, so that would be a possibility as well.

            So tell me again what OpenBSD is seriously lacking.

            Comments
            1. By Anonymous Coward () on

              Here's a few:

              - 24 hour top-notch software and hardware support, even 24x7x2-hour hardware replacement if you can afford it
              - Modular, hot-swap components, including network interfaces, power supplies and even processor modules
              - Layer 3 switching (yes, in hardware)
              - Extremely simple-to-configure failover systems for firewalls
              - Integrated routing and bridging that works correctly
              - DECNet and Vines. Yes, people still use them. I'm sure. Somewhere.
              - Frame Relay
              - DLSW/DLSW+
              - iSCSI
              - IPX/DECNet/Vines/etc packet filtering


              Oh, and you can have two different LAN interfaces in the same subnet. Try that with an OpenBSD box sometime.

              I'm all for OpenBSD, it's great, but fer cryin' out loud, choose the right tool for the job!

              Comments
              1. By RC () on

                Your list isn't impressive.

                > Modular, hot-swap components, including network
                > interfaces, power supplies and even processor modules

                Yeah, I'm sure computers can't do hot-swapping.

                > Layer 3 switching (yes, in hardware)

                Like it or not, even the highest-end router does a good deal of switching in software. If it didn't, you wouldn't be able to set an IP address or routing/ACL rules, it would be hard-coded. The only way to determine the performance difference would be to test them both.

                > Frame Relay

                Well, from a quick google, it appears that FreeBSD supports Frame Relay

                > - DLSW/DLSW+
                > - iSCSI
                > - IPX/DECNet/Vines/etc packet filtering

                I see... Just because a Cisco router can do a good job with traffic that 99% of routers won't ever see, everyone should use Cisco routers for everything. Gee, here's a thought... On the rare occasion that someone needs to work with that traffic... THEN they could use a Cisco router.

                > Oh, and you can have two different LAN
                > interfaces in the same subnet. Try that with an
                > OpenBSD box sometime.

                I'd be willing to bet that I could do that.

                > but fer cryin' out loud, choose the right tool for the job!

                Sounds to me that you've mentally locked yourself into Cisco. Likely because you read something that told you they were better, and you haven't questioned it. No doubt it was Cisco's own material.

                When you have a job where you need to drill billions of holes, and occasionally need to hammer a nail, do you buy the incredibly expensive drill that doubles as a hammer, and is harder to repair/upgrade, or do you just get the better, cheaper drill, and occasionally pick up a hammer when you need it?

                It's not that I like OpenBSD too much, and it's not that I hate Cisco hardware... What I hate is having a crippled, bundled piece of software that I can't extend any way I choose to. Before Cisco embrased SSH, there was no way for you to get SSH onto a Cisco router. Meanwhile, if your Operating system was some normal Unix system, you could put anything on there that you want. That is invaluable, ESPECIALLY from a security standpoint.

                Say you don't like Cisco's ACL software, you don't have any choice. Say you don't like their SSH implimentation, you don't have a choice. Now, on OpenBSD, you would have all the choice in the world.

              2. By Lars Hansson () lars@unet.net.ph on mailto:lars@unet.net.ph

                >- 24 hour top-notch software and hardware >support, even 24x7x2-hour hardware replacement if >you can afford it

                Exactly. The keywords are "can afford it". i'll bet you can get that kind of support from MS too if you cough up enough money.
                This is usually not justifiable though.

                >- Modular, hot-swap components, including network >interfaces, power supplies and even processor >modules

                That must be the reason the Cisco's tech's here always bring our rotuers down when they do something. Ahum. Tnen again, maybe they're just clueless.

                > - DECNet and Vines. Yes, people still use them. > I'm sure. Somewhere.
                Yeah, and some people still use Betamax.

                >- Frame Relay
                Sure, the few times you need.

                >- DLSW/DLSW+
                >- iSCSI
                >- IPX/DECNet/Vines/etc packet filtering

                Since 95% of the routers never see or have anything to do with this kind of traffic I dont think this is a very compelling reason for Cisco.

                >I'm all for OpenBSD, it's great, but fer cryin' >out loud, choose the right tool for the job!

                Yeah, and that means to sometimes go with Cisco but many times something else. Ask Henning what he thinks about Cisco's performance.

      3. By RC () on

        Processor-wise, I have very little doubt that a blade server would be faster. That would make a VERY big difference for things like IPSec and IPv6.

        As for pure network throughput, I'll go out on a limb and say that I believe the price/performance would certainly be better.

        Network throughput depends a great deal on network card being used. It's quite possible that a blade server, with a very fast bus, and with hi-quality NICs COULD out-perform Cisco routers.

        Despite the other comments I read here, a Cisco router is really no more hardware-based than a blade server with OpenBSD would be. Hardware can be made to do most of the processing, but the software still has to do the processing of the ACLs (pf rules), routing decisions, etc.

        Comments
        1. By Anonymous Coward () on

          "Hardware can be made to do most of the processing, but the software still has to do the processing of the ACLs (pf rules), routing decisions, etc."

          There are ASICs for ACLs, QoS etc.
          Come to think of it, even routing decisions can be said to be done in hardware with CEF.
          The CPU doesn't have much work to do in a Cisco box.

          Comments
          1. By Srebrenko Sehic () haver@insecure.dk on http://www.insecure.dk

            Correct. My Cisco 6500 switches/routers have each a single 300MHz CPU. However, they can process 32 million packets/sec (using the 256Gbit backplane). I bet no OpenBSD/blade combo can outperform that.

            Comments
            1. By Anonymous Coward () on

              i don't doubt cisco's superior performance, but have you actually seen that performance level or did you just read it from cisco's marketing people? I would tend to distrust the marketing people when it comes to raw figures like that

    2. By Anonymous Coward () on


      Yes, Cisco does love tftp and telnet but newer versions of Cisco IOS support ssh/scp. If I recall correctly, there was a bug in their implementation of ssh though but may havy have been fixed in later releases.

      OpenBSD on a Dell 1655MC blasde would be cool. Anyone else have experience with OBSD on any blades?

      Comments
      1. By Anonymous Coward () on

        OpenBSD on a Dell 1655MC blasde would be cool. Anyone else have experience with OBSD on any blades?

        looking through the specs at Dell's site and the supported hardware at openbsd.org , the PERC 4/im isn't supported, and the scsi 320 probably isnt (but i havent found indication of what chipset is used). The gig-e may be supported by bge(4). So, you probably wont have any disk and the networking is unsure. Maybe you can diskless(8) boot these systems into OpenBSD.

      2. By Anonymous Coward () on

        If I recall correctly, there was a bug in their implementation of ssh though but may havy have been fixed in later releases.

        It's a royal pain. It might be fixed in newer IOS that happens to break some functionality other places... the end result is something like pasting 5 lines of config into a cisco via ssh connection tends to end the connection with an error. Makes updating access-lists more exciting!

  2. By Anonymous Coward () on

    Didn't you know that by downloading OpenBSD and not buying CDs you're not supporting the project, and are therefore evil?

    Comments
    1. By Anonymous Coward () on

      I don't necessarily think that. I download openBSD when it comes out, but eventually buy the cd a week or so later. Only because 1> it takes awhile to get here i cant wait that long :) 2> sometimes like the release of 3.2 which i havent bought yet, has not released a tshirt. I usually wait for that so i can order both at once. Although this time it looks like i will be unable to do this. :( because i have seen no tshirt in site, so i shall be just getting the cd or maybe an older shirt.

      But if someone chooses not to buy the cd's or anything else i wouldnt consider them evil, because anyone using openBSD supports more use of the OS. Maybe we can call them, neutral :)

    2. By RC () on

      Although probably a Troll, I am getting tired of this mindset. OpenBSD is a FREE operating system. If someone chooses not to donate, then that is their option. If the money situation was actually bad, Theo could just as well remove the binaries from the FTP server, and that would be the end of that problem (if it was a problem mind you).

      So, fuck off.

      Comments
      1. By Anonymous Coward () on

        That's funny, people were saying just the opposite the other day.

        Comments
        1. By Anonymous Coward () on

          yes its called selective asshole-ness.

          i never bought it - why should i when its free and may i burn in hell for eternity.

        2. By RC () on

          Yes.... People WERE saying the opposite.... If they weren't, I probably wouldn't have gotten tired of hearing it.

  3. By chuckx () chuckx - at - cold-sun.com on http://www.cold-sun.com

    TACACS+ has the ability to use a shared encryption key in order to encrypt the packets sent back and forth between the routers and the daemon.

    To enable this functionality, add the following line to the TACACS+ configuration file:

    key = "sufficientlylongandrandomkey"

    Then add the following configuration line to each of the routers:

    tacacs-server key sufficientlylongandrandomkey

    If you don't enable this, the username and password will be sent in the clear. Unfortunately, the username and password is already being sent in the clear via the telnet session, but every layer of security helps.

    --
    chuckx

  4. By chuckx () chuckx - at - cold-sun.com on http://www.cold-sun.com

    Another note... TACACS+ has the capability to store
    a DES encrypted copy of the password in the
    configuration file instead of a cleartext copy.

    A small program to encrypt the password is included
    in the TACACS+ source tree. The program is
    compiled by the port, but is not installed into
    usr/local/bin by default. Just copy the
    generate_passwd binary from the source tree to
    usr/local/bin.

    Once you have access to the program use it's output
    to create lines like the following in the
    configuration file:

    login = des encryptedPassword

    --
    chuckx

  5. By Skinny Puppy () on

    At my office we use tacacs+ for about 1000 users, needless to say this is a major pain. But we are still using becuase the version of tac_plus we have allows the following syntax.

    user = skin_pup {
    login = des *LK*
    member = privs
    }

    group = privs {
    enable 15
    serive = exec {
    priv-lvl = 1
    }
    }

    This allows the user to login and then use his own password when changing to enable.

    I have searched the internet far and wide for this tac server with this option, but never have I found one. All I have is the binary, it is version F4.0.2alpha. The current version F4.0.4 does not have the same features.




    Comments
    1. Comments
      1. By Skinny Puppy () on

        Thank you so very much, reading though the patches now.

        Ohh did i say thank you. Well maybe once more for good luck :)

        Comments
        1. By jcs@openbsd.org () on

          sure thing. i'm not sure where i collected those patches from, but that's what we're running on our network-wide tacacs+ server to allow techs their own enable passwords. it's been working great.

  6. By Steve Rue () on

    I just want to thank everyone for the comments, needless to say, I'll be using a few of them on my *new* tac configs :-)

    Comments
    1. By jose () on http://monkey.org/~jose/

      and i think i speak for everyone here when i say thank you for taking the time to draft this up and share it with the community.

  7. By Zeeshan Ahmed () zeeshan@worldcall.net.pk on mailto:zeeshan@worldcall.net.pk

    I installed the Tacacs server. i want to pur acces on cammands that after a user get authenticated from tacacs server that user should only be able to give those commands that are mentions in tacacs.Now how can i give commands in tacacs conf file for users.

    Regards
    Zeeshan Ahmed
    relply to: zeeshan@worldcall.net.pk

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]