Thursday, August 1, 2013

Adding Security to the primary CCNA rack, and TACACS+

I sold a smattering of my 1841 stock, and with the proceeds will likely be adding an ASA5505 to the CCNA Rack 1 to facilitate its use for those pursuing CCNA Security.

Also, in the interest of learning more security, I'm building both Linux and Wintel TACACS+ servers.

I am really having to brush up on my poor Linux skills.

The Windows version can be found here:

http://www.tacacs.net/

Even the Windows version requires skills I didn't previously have. Working within an XML config file is not something I've had to do before. Make sure you adjust your permissions on the config file.

MS XML notepad can be found here:

http://www.microsoft.com/en-us/download/details.aspx?id=7973

And Linux:

ftp://ftp.shrubbery.net/pub/tac_plus

And a decent walkthrough here for the Linux install:

http://bejoybkn.blogspot.com/2011/07/network-monitoring-toolstacplusrancidsy.html

Watch out for the tcp_wrapper issue. The fix is listed in the comments. This is not recommended for someone with zero Linux experience, but if you are a wannabe network engineer you had better get some. Working in the world of GUI-based transport EMS lets me get away with it, but I don't think anyone will be mistaking me for a network engineer yet, if ever.


Not necessarily the easiest thing in the world, but we're up and working, at least I think we are:

Help info:

  C:\Program Files (x86)\TACACS.net>tactest /?
<87> 2013-08-01 08:25:32 TACTest 1.2.2.0 (C) TACACS.net
A tool for testing TACACS+ server responses.
This host must be in the server's authorized client list to work.

Usage: tactest [options]

Options:
 -?     Display help
 -s     ServerIP IP     (If this is not provided then 127.0.0.1 is used)
 -port  ServerIP Port   (If this is not provided then port 49 is used)
 -k     Shared Key      (If this is not provided then no encryption is used)
 -u     Username
 -p     Password
 -np    New Password    (used only for change password commands)
 -type  Authentication type. Can be ASCII or PAP, CHAP  Default is ASCII
 -en    This sends an enable command to the server
 -c     Send this many requests. Default is 1
 -m     Send repeatedly for this many seconds.
 -t     Send this many requests per second.
 -r     Retries
 -w     Wait time between retries in seconds.
 -f     Input file to be used.
 -pppid CHAP PPP Id to be be used. Default is 'A'
 -challenge     CHAP Challenge to be be used. Default is abcdef followed by 25 random ascii characters
 -service       This is used to request authorization AV pairs from server
 -command       This is used to request authorization of a command from server
 -authen        This is used to send authentication commands to the server. This is the default command.
 -acct  The type of accounting command to send. Valid values are start, stop & watchdog
 -author        This is used to send authorization commands to server or to request authorization AV pairs from the server

Input file can be used for commands e.g., tactest -f filename.txt
If input file is used then the 't' option must be specified at command line
e.g, tactest -f filename.txt -t 20

Authentication Examples:
tactest -s 127.0.0.1 -k mykey -u myuser -p mypassword
tactest -s 127.0.0.1 -k mykey -u myuser -p mypassword -c 20
tactest -s 127.0.0.1 -k mykey -u myuser -p mypassword -t 20
tactest -s 127.0.0.1 -k mykey -u myuser -p mypassword -m 5
tactest -s 127.0.0.1 -k mykey -u myuser -p mypassword -m 5 -t 20

Accounting Examples:
tactest -s 127.0.0.1 -k mykey -u myuser -acct start bytes_in=100 bytes_out=200
tactest -s 127.0.0.1 -k mykey -u myuser -acct stop bytes_in=400 bytes_out=300
tactest -s 127.0.0.1 -k mykey -u myuser -m 5 -acct stop bytes_in=400 bytes_out=300

Authorization Examples:
tactest -s 127.0.0.1 -k mykey -u myuser -author -service shell
tactest -s 127.0.0.1 -k mykey -u myuser -author -command configure terminal
tactest -s 127.0.0.1 -k mykey -u myuser -author -c 20 -command configure terminal

And TACTest output:


C:\Program Files (x86)\TACACS.net>tactest -k XXXXXXXX -u shawn -p cisco
<87> 2013-08-01 08:30:31 Performing LoginASCII with shawn,cisco,True
<87> 2013-08-01 08:30:31 Trying to open connection to 127.0.0.1:49
<87> 2013-08-01 08:30:31
Sending:
 MajorVersion=12
MinorVersion=0
Type=Authentication
SeqNum=1
IsEncrypted=True
IsSingleConnect=True
SessionID=xxxxxxxxx
DataLength=13
 **Authentication Start**:
Action=Login
Priv_Lvl=1
Type=Ascii
Service=Login
User=shawn
Port=
RemAddr=
Data=
<87> 2013-08-01 08:30:31
Received Header:
 MajorVersion=12
MinorVersion=0
Type=Authentication
SeqNum=2
IsEncrypted=True
IsSingleConnect=True
SessionID=xxxxxxxxx
DataLength=16
<87> 2013-08-01 08:30:31
Received Body:
 Authentication AuthReply:
Status=GetPass
Flags=No Echo
UserMsg=Password:
Data=
<87> 2013-08-01 08:30:31
Sending:
 MajorVersion=12
MinorVersion=0
Type=Authentication
SeqNum=3
IsEncrypted=True
IsSingleConnect=True
SessionID=xxxxxxxxxx
DataLength=10
 Authentication Continue:
Flags=None
UserMsg=*******[Hidden for security]
Data=
<87> 2013-08-01 08:30:31
Received Header:
 MajorVersion=12
MinorVersion=0
Type=Authentication
SeqNum=4
IsEncrypted=True
IsSingleConnect=True
SessionID=123691515
DataLength=45
<87> 2013-08-01 08:30:31
Received Body:
 Authentication AuthReply:
Status=Fail
Flags=Debug
UserMsg=User does not belong to specified group
Data=
<87> 2013-08-01 08:30:31 Command Pass status = False, Message=User does not belong to specified group,
<87> 2013-08-01 08:30:31
------------------
<87> 2013-08-01 08:30:31
SUMMARY STATISTICS
<87> 2013-08-01 08:30:31
------------------

Total Commands  .....................  1
Successes  ..........................  0
Failures  ...........................  1
No Results  .........................  0
Time Taken for commands  ............  0.745 secs
Avg Possible Transactions/Second  ...  1
Network Time per command  ...........  0.372 secs
Total Network time  .................  0.372 secs
<87> 2013-08-01 08:30:31 Sent Transactions/Second  ...........  1.3

C:\Program Files (x86)\TACACS.net>
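The header and body fields TACTest prints above (MajorVersion, SeqNum, IsEncrypted, DataLength, Status, UserMsg) map directly onto the TACACS+ wire format, and the -k shared key feeds the MD5 pseudo-pad that obfuscates every packet body. As an added example, not part of this post or of the TACACS.net tools, here is a small Python encoder/decoder for that exact exchange; the session id reuses the value shown in the output, and the key and the server's Fail reply are constructed.

```python
import hashlib
import struct
# TACACS+ wire constants (RFC 8907), matching the names TACTest prints above
VERSION = (0xC << 4) | 0x0                       # MajorVersion=12, MinorVersion=0 -> 0xC0
TYPE_AUTHEN, FLAG_UNENCRYPTED, FLAG_SINGLE_CONNECT = 0x01, 0x01, 0x04
AUTHEN_LOGIN = AUTHEN_TYPE_ASCII = AUTHEN_SVC_LOGIN = 0x01
REPLY_STATUS = {1: "Pass", 2: "Fail", 3: "GetData", 4: "GetUser", 5: "GetPass", 6: "Restart", 7: "Error"}

def pseudo_pad(session_id, key, seq_no, length):
    """MD5 keystream derived from the shared key (-k): MD5_n = MD5(seed || MD5_n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, seq_no):
    # XOR with the pad; applying it a second time restores the cleartext
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))

def header(seq_no, session_id, body_len, flags=FLAG_SINGLE_CONNECT):
    # IsEncrypted=True means the UNENCRYPTED bit is clear; IsSingleConnect=True sets 0x04
    return struct.pack("!BBBBII", VERSION, TYPE_AUTHEN, seq_no, flags, session_id, body_len)

def authen_start(user, priv_lvl=1, port=b"", rem_addr=b"", data=b""):
    """Authentication START (SeqNum=1): 8 fixed bytes followed by user, port, rem_addr, data."""
    u = user.encode()
    return struct.pack("!8B", AUTHEN_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                       len(u), len(port), len(rem_addr), len(data)) + u + port + rem_addr + data

def authen_continue(user_msg, data=b"", flags=0):
    """Authentication CONTINUE (SeqNum=3): the password answering the GetPass reply."""
    m = user_msg.encode()
    return struct.pack("!HHB", len(m), len(data), flags) + m + data

def build_packet(seq_no, session_id, key, body):
    return header(seq_no, session_id, len(body)) + obfuscate(body, session_id, key, seq_no)

def decode_reply(packet, key):
    """Parse a server REPLY; returns (seq_no, fields named as TACTest prints them)."""
    _ver, _type, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, seq_no)
    status, rflags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    return seq_no, {"Status": REPLY_STATUS.get(status, hex(status)), "NoEcho": bool(rflags & 0x01),
                    "UserMsg": body[6:6 + msg_len].decode(), "Data": body[6 + msg_len:6 + msg_len + data_len]}

# Constructed server reply mirroring the SeqNum=4 packet above (session id from the output, key made up)
SESSION_ID, KEY = 123691515, b"mykey"
FAIL_MSG = b"User does not belong to specified group"
FAIL_PACKET = build_packet(4, SESSION_ID, KEY, struct.pack("!BBHH", 2, 0, len(FAIL_MSG), 0) + FAIL_MSG)
```

The START body for user shawn comes out at 13 bytes and the CONTINUE carrying the password at 10, the same DataLength values TACTest reported; a receiver with the wrong shared key still parses a header but gets garbage where Status and UserMsg should be, which is why the tool insists the host be in the server's client list with a matching key.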
