My Techie Guy

Friday, August 12, 2016

Installing TACACS+ to manage Juniper routers, switches and firewalls

Summary:

Today I am tasked with installing TACACS+ to manage authentication to all the IP nodes; most of the nodes here are Juniper. Sorry, I won't be very organized in writing this article. I will pretty much paste every challenge and solution as I work. In fact, this will be my new style of work, instead of waiting to first finish the work and then putting in more time to write a clean article. Let's face it, I suck at writing and am lazy just like all other engineers :-), so sorry if this article is a mess.

Problem or Goal:

To install TACACS+ to manage authentication to Juniper nodes (routers, switches, firewalls)

Cause:

Consider this a good housekeeping cause: you need centralized management of logins, logging, easy-to-manage users and an added layer of security.

Solution:

Working on setting up the server side

1. Platform

# cat /etc/*release
openSUSE 13.2 (x86_64)
VERSION = 13.2

2. Download site for TACACS+ rpm
3. ftp/sftp the above file to your server; you can use FileZilla or WinSCP
4. Install using zypper (but oops, looks like I have some missing dependencies!!! Welcome to the open source world :-) )

# zypper --non-interactive install tac_plus-4.0.4.26-1.52.x86_64.rpm
Loading repository data...
Reading installed packages...
Resolving package dependencies...

Problem: nothing provides libtacacs.so.1()(64bit) needed by tac_plus-4.0.4.26-1.52.x86_64
 Solution 1: do not install tac_plus-4.0.4.26-1.52.x86_64
 Solution 2: break tac_plus-4.0.4.26-1.52.x86_64 by ignoring some of its dependencies

5. Download site for libtacacs

libtacacs1 rpm build for: OpenSuSE

Name        : libtacacs1
Version     : 4.0.4.26
Vendor      : obs://build_opensuse_org/home:anubisg1
Release     : 1.52
Date        : 2013-08-24 07:40:02
Group       : Development/Languages/C and C++
Source RPM  : tac_plus-4.0.4.26-1.52.src.rpm
Size        : 0.35 MB
Packager    : (none)
Summary     : Tacacs+ library
Description : This package contains TACACS+ library

RPM found in directory: /mirror/ftp5.gwdg.de/pub/opensuse/repositories/home:/anubisg1:/networking/openSUSE_Factory/x86_64

Download: libtacacs1-4.0.4.26-1.52.x86_64.rpm (from ftp.pbone.net)

6. Similarly download and ftp this package to your server
7. Install the libtacacs rpm as below:

# zypper --non-interactive install libtacacs1-4.0.4.26-1.52.x86_64.rpm 
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following NEW package is going to be installed:
  libtacacs1 

1 new package to install.
Overall download size: 24.1 KiB. Already cached: 0 B  After the operation, additional 354.6 KiB will be used.
Continue? [y/n/? shows all options] (y): y
Retrieving package libtacacs1-4.0.4.26-1.52.x86_64                                                                                                                          (1/1),  24.1 KiB (354.6 KiB unpacked)
Checking for file conflicts: ..............................................................................................................................................................................[done]
(1/1) Installing: libtacacs1-4.0.4.26-1.52 ................................................................................................................................................................[done]
Additional rpm output:
warning: /var/cache/zypp/packages/_tmpRPMcache_/libtacacs1-4.0.4.26-1.52.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID e558cb38: NOKEY

8. Now re-attempt the tac_plus installation; this time it should succeed, since the libtacacs dependency is installed

# zypper --non-interactive install tac_plus-4.0.4.26-1.52.x86_64.rpm
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following NEW package is going to be installed:
  tac_plus 

1 new package to install.
Overall download size: 95.1 KiB. Already cached: 0 B  After the operation, additional 229.0 KiB will be used.
Continue? [y/n/? shows all options] (y): y
Retrieving package tac_plus-4.0.4.26-1.52.x86_64                                                                                                                            (1/1),  95.1 KiB (229.0 KiB unpacked)
Checking for file conflicts: ..............................................................................................................................................................................[done]
(1/1) Installing: tac_plus-4.0.4.26-1.52 ..................................................................................................................................................................[done]
Additional rpm output:
warning: /var/cache/zypp/packages/_tmpRPMcache_/tac_plus-4.0.4.26-1.52.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID e558cb38: NOKEY

9. Test your installation, looks good :-) 

# tac_plus -v
tac_plus version F4.0.4.26
ACLS
FIONBIO
LIBWRAP
LINUX
LITTLE_ENDIAN
LOG_DAEMON
PAM
NO_PWAGE
REAPCHILD
RETSIGTYPE RETSIGTYPE
SHADOW_PASSWORDS
SIGTSTP
SIGTTIN
SIGTTOU
SO_REUSEADDR
STRERROR
TAC_PLUS_PORT
UENABLE
__STDC__

10. Tacacs config file is located at: 

/etc/tac_plus.conf 

11. Tacacs manual is located at: 

# man tac_plus

12. The tacacs plus init script (used to start and stop the daemon) is found at:
# /etc/init.d/tac_plus
Usage: tacacs {start|stop|status|restart|reload}

13. Starting tacacs (oops, looks like we have an error!)

SMPP:/etc/init.d # ./tac_plus start
./tac_plus: line 16: /etc/rc.d/init.d/functions: No such file or directory
./tac_plus: line 19: .: /etc/sysconfig/network: is a directory
./tac_plus: line 22: [: =: unary operator expected
Starting tacacs+: ./tac_plus: line 35: daemon: command not found

14. Edit the tacacs plus init file: comment out the two lines that source the missing files, and delete the "daemon" command in the start section so that tac_plus is called directly
# vi /etc/init.d/tac_plus

# Source function library.
#. /etc/rc.d/init.d/functions

# Source networking configuration.
#. /etc/sysconfig/network

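start)
        # Start daemons.
        echo -n "Starting tacacs+: "
        # "daemon" helper removed: call the binary directly.
        /usr/bin/tac_plus -C $CONFIG ${LOGFILE:+-l $LOGFILE}  ${WHOLOG:+-w $WHOLOG} ${DEBUG_LEVEL:+-d $DEBUG_LEVEL}
        RETVAL=$?
        echo
        # Create the lock file only if tac_plus started successfully.
        [ "$RETVAL" -eq 0 ] && touch /var/lock/subsys/tac_plus
        ;;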

15. Attempt to start tacacs again:
SMPP:/etc/init.d # /etc/init.d/tac_plus start
Starting tacacs+: 

16. Check the process list to make sure it's running

SMPP:/etc/init.d # ps -ef | grep tac
root     20176     1  0 20:26 pts/0    00:00:00 /usr/bin/tac_plus -C /etc/tac_plus.conf
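
The installs in steps 7 and 8 both end with "Header V3 DSA/SHA1 Signature, key ID e558cb38: NOKEY": the packages are signed, but the signing key is not in the rpm keyring, so they were installed without the signature being verified. The script below is an added example, not part of the original post; it scans captured install output for these warnings. The function names are made up for illustration and the sample log is constructed from the two zypper runs above.

```shell
#!/bin/sh
# Added example (not from the original post): list packages that were
# installed while rpm could not verify their signature.

# Sample install output, constructed from the zypper runs in steps 7 and 8.
SAMPLE_LOG='(1/1) Installing: libtacacs1-4.0.4.26-1.52 ...[done]
Additional rpm output:
warning: /var/cache/zypp/packages/_tmpRPMcache_/libtacacs1-4.0.4.26-1.52.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID e558cb38: NOKEY
(1/1) Installing: tac_plus-4.0.4.26-1.52 ...[done]
Additional rpm output:
warning: /var/cache/zypp/packages/_tmpRPMcache_/tac_plus-4.0.4.26-1.52.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID e558cb38: NOKEY'

# Reads install output on stdin and prints "<key id> <rpm file> <algorithm>"
# for every package whose signing key was missing from the rpm keyring.
# Assumes rpm file names without spaces.
find_unverified_rpms() {
    awk '$1 == "warning:" && $NF == "NOKEY" {
        file = $2; sub(/:$/, "", file); sub(/^.*\//, "", file)
        key = $(NF - 1); sub(/:$/, "", key)
        print key, file, $5
    }'
}

# Distinct key IDs that have to be obtained and imported before the
# signatures can be checked.
missing_key_ids() {
    find_unverified_rpms | awk '{ print $1 }' | sort -u
}

# Succeeds only when the log on stdin shows no unverified package.
install_log_is_clean() {
    [ -z "$(find_unverified_rpms)" ]
}

printf '%s\n' "$SAMPLE_LOG" | find_unverified_rpms
```

Before trusting packages from a personal build repository such as home:anubisg1, get the signer's public key from a source you trust, import it with `rpm --import`, and check the downloaded file with `rpm -K` before installing it.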






