# TACACS+ Test Plan

## Related documents

| Document Name | Link |
|---|---|
| AAA_with_SONiC_v2 | https://github.com/sonic-net/SONiC/blob/gh-pages/doc/aaa/AAA_with_SONiC_v2.docx |
| pam_tacplus | https://github.com/jeroennijhof/pam_tacplus/blob/master/README.md |
| tacacs+ daemon | http://manpages.ubuntu.com/manpages/xenial/man8/tac_plus.8.html |
## Overview

TACACS+ (Terminal Access Controller Access Control System Plus) provides Authentication, Authorization and Accounting (AAA) services and is most commonly used for administrative access to network devices such as routers, switches and terminal servers.

The purpose of this plan is to test the functionality of TACACS+ authentication on the SONiC switch DUT. Each test covers a basic function of the TACACS+ authentication feature and ensures the switch works as expected under production scenarios. The tests assume that a TACACS+ server running the TACACS+ daemon (tac_plus) is connected to the switch DUT.
## Scope

The tests target SSH login via TACACS+ authentication. Console login is also supported with TACACS+ authentication, and its configuration and process are the same as for SSH login, but the tests focus on SSH login because it is the major production scenario.

NOTE: Authorization will be implemented after the CLI shell is ready. Accounting is not in the development plan.
## Scale / Performance

No scale/performance test is involved in this test plan.
## Related DUT CLI commands

Manual TACACS+ configuration can be done with the config command on the switch DUT.

| Command | Comment |
|---|---|
| Configuration commands | |
| config aaa authentication login { local / tacacs+ } | Authentication login policy |
| config aaa authentication failthrough enable | Enable authentication fail-through |
| config tacacs timeout < 1 – 60 > | TACACS+ server connection timeout |
| config tacacs authtype [ pap / chap ] | TACACS+ authentication service |
| config tacacs passkey < TEXT > | Secret key used to encrypt/decrypt packets |
| config tacacs src_ip < ADDRESS > | Set source IP address for outgoing packets |
| config tacacs add < ADDRESS > --port < 1 – 65535 > --timeout < 1 – 60 > --key < TEXT > --type [ pap / chap ] --pri < 1 - 64 > | Specify a TACACS+ server |
| config tacacs delete < ADDRESS > | Delete a TACACS+ server |
| Show commands | |
| show aaa | Show AAA configuration |
| show tacacs | Show TACACS+ configuration |
## Related DUT configuration files

TACACS+ configuration is not supported in the minigraph. All configuration is saved in config_db.json and loaded by the host config enforcer. The configuration in config_db.json can be generated by the config command or edited manually.

Configuration sample in config_db.json:

```json
"TACPLUS": {
    "global": {
        "auth_type": "pap",
        "src_ip": "100.1.1.1",
        "timeout": "3",
        "passkey": "test123"
    }
},
"TACPLUS_SERVER": {
    "10.65.254.248": {
        "priority": "20",
        "tcp_port": "49"
    },
    "10.65.254.222": {
        "priority": "30",
        "tcp_port": "49"
    }
},
"AAA": {
    "authentication": {
        "login": "local,tacacs+",
        "failthrough": "True"
    }
}
```
## Related SAI APIs

N/A

## Test structure

### Setup configuration

- TACACS+ server is connected to the management network.
### Configuration scripts

#### TACACS+ related minigraph data

All TACACS+ configuration is saved in config_db.json, not in the minigraph. To avoid confusing users, the TACACS+ server information in ansible/templates/topo/dev_metadata.j2 should be deleted.

#### TACACS+ server address

The TACACS+ server address is defined in group_vars/lab/lab.yml. The test only uses the first server.

#### TACACS+ server configuration

The TACACS+ passkey, user account and password are stored in /etc/tacacs/tac_plus.conf for the TACACS+ daemon. They should be deployed on the TACACS+ server.
Configuration sample for passkey in tac_plus.conf:

```
# Encryption key
key = "test123"
```

Configuration sample for user account and password in tac_plus.conf:

```
group = network_admin {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
    cmd = show {
        permit .*
    }
}
user = test {
    login = des teWtwbeIm3BdA
    pap = des teWtwbeIm3BdA
    member = network_admin
}
```

Note: tac_pwd is a utility supplied with tac_plus that generates the encrypted password strings (the des values above).
### Ansible scripts to set up and run the test

tacacs.yml includes three parts:

- tacacs_configure.yml: apply TACACS+ configuration.
- tacacs_test.yml: run the TACACS+ authentication test.
- tacacs_cleanup.yml: clear TACACS+ configuration from the switch.
## Test cases

### TACACS+ authentication test

#### Test objective

Verify that TACACS+ authentication via SSH works.

#### Test description

- Enable TACACS+ authentication with the config command.
- Verify that the PAM configuration includes TACACS+ authentication. All PAM configuration for SONiC authentication is saved in /etc/pam.d/common-auth-sonic; this file can be checked to verify that the command was applied correctly.
- Verify that TACACS+ user login via SSH succeeds and that the logged-in username equals the TACACS+ username. The sshpass command can be used to log in with a password, and the whoami command can be used to check the current user name.
### Failthrough mechanism test

#### Test objective

Verify that the failthrough mechanism works. Failthrough is enabled by default. When failthrough is disabled, authentication does not pass if any one of the PAM modules returns failure.

#### Test description

- Configure local authentication to take precedence over TACACS+.
- Disable authentication failthrough with the config command.
- Verify that TACACS+ user login via SSH fails: when local authentication fails, the error is returned directly and TACACS+ authentication is not attempted.
- Enable authentication failthrough with the config command.
- Verify that TACACS+ user login succeeds.
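As an added illustration (not code from this plan or from SONiC), the following Python sketch renders the PAM stack that the authentication test inspects in /etc/pam.d/common-auth-sonic from the config_db.json sample in this plan, then walks it with Linux-PAM control-field semantics to show why a TACACS+-only user is rejected when failthrough is disabled and accepted when it is enabled. The pam_tacplus option names follow its README; the higher-priority-first server ordering and the exact control fields are assumptions, not taken from the plan.

```python
import json

# Constructed config_db.json fragment mirroring the sample earlier in this plan.
CONFIG_DB = json.loads("""{
  "TACPLUS": {"global": {"auth_type": "pap", "src_ip": "100.1.1.1",
                         "timeout": "3", "passkey": "test123"}},
  "TACPLUS_SERVER": {"10.65.254.248": {"priority": "20", "tcp_port": "49"},
                     "10.65.254.222": {"priority": "30", "tcp_port": "49"}},
  "AAA": {"authentication": {"login": "local,tacacs+", "failthrough": "True"}}
}""")


def render_common_auth(cfg):
    """Render the auth lines this plan expects in /etc/pam.d/common-auth-sonic.
    Assumed, not taken from the plan: the higher priority value is tried first,
    and failthrough selects default=ignore (keep going) vs default=die (stop)."""
    aaa = cfg["AAA"]["authentication"]
    failthrough = aaa.get("failthrough", "False").lower() == "true"
    control = "[success=done new_authtok_reqd=done default=%s]" % (
        "ignore" if failthrough else "die")
    g, servers = cfg["TACPLUS"]["global"], cfg["TACPLUS_SERVER"]
    by_priority = sorted(servers, key=lambda ip: int(servers[ip]["priority"]),
                         reverse=True)
    lines = []
    for method in aaa["login"].split(","):  # order = order of the login policy
        if method == "local":
            lines.append("auth %s pam_unix.so nullok try_first_pass" % control)
        elif method == "tacacs+":
            for ip in by_priority:  # one pam_tacplus.so entry per server
                lines.append("auth %s pam_tacplus.so server=%s:%s secret=%s login=%s "
                             "timeout=%s source_ip=%s try_first_pass"
                             % (control, ip, servers[ip]["tcp_port"], g["passkey"],
                                g["auth_type"], g["timeout"], g["src_ip"]))
    return lines


def login_outcome(lines, module_passes):
    """Evaluate the stack as Linux-PAM does for the control fields above:
    success=done ends it with success, default=die ends it with failure,
    default=ignore moves on. module_passes: module file name -> bool."""
    for line in lines:
        module = next(t for t in line.split() if t.endswith(".so"))
        if module_passes[module]:
            return "success"
        if "default=die" in line:
            return "fail"
    return "fail"  # no module returned done, so PAM denies the login
```

A user known only to the TACACS+ server fails pam_unix.so first; with failthrough the stack continues to pam_tacplus.so, without it the login is denied at the local module, which is exactly the pair of results the failthrough test checks.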
### Source address test

#### Test objective

Verify that the TACACS+ source address configuration works. In the production scenario, the TACACS+ source address is configured as the loopback address, and this test verifies that configuration.

#### Test description

- Configure an IP address for the loopback interface on the switch DUT.
- Configure the loopback address as the TACACS+ source address.
- Check that the TACACS+ server has no route to the loopback address.
- Verify that TACACS+ user login via SSH fails.
- Create a route to the loopback address on the TACACS+ server.
- Verify that TACACS+ user login via SSH succeeds.