IPv6 Tacacs+ Support (tac_plus)

Recently @ Facebook we found that we required IPv6 access to TACACS for auth (AAA) for the majority of our production Network Equipment. Tacacs+ (tac_plus) is an old daemon released by Cisco in the late 90s. It still works (even at our scale) and the config was doing what we required, so it was decided that we should add IPv6 Support to it to move forwards until we no longer require TACACS for authentication, authorization and accounting.

IPv6 has been added in true dirty 90s C code style via pre-processor macros. The source is publicly available via a GitHub Repository.

This version is based off F4.0.4.19 with the following patches (full history can be seen in the Git Repository):

  • Logging modifications
  • PAM Support
  • MD5 support
  • IPv6 (AF_INET6) Socket Listening

Readme.md has most of the information you require to build the software and I have included RPM .spec files (that have been tested on CentOS 6). The specs generate two RPMS with tacacs+6 relying on the tacacs+ rpm to be installed for libraries and man pages.

RPMS Build on CentOS 6.5 x86_64 + SRC rpms avaliable here: https://cooperlees.com/rpms/

Usage Tips:

  • Do not add listen directives into tac_plus.conf so that each daemon can load the same conf file (for consistency)
  • Logging:
    • /var/log/tac_plus.acct and tac_plus6.acct are where accounting information will go (as well as syslog) Logrotate time …
    • /var/log/tac_plus.log and tac_plus6.log is where default debug logs will go
  • Configure syslog to send the LOG_LOCAL3 somewhere useful (this will get both tac_plus and tac_plus6 log information)
  • Pid Files will live in /var/run/tac_plus.pid. and tac_plus6.pid.::
  • The RPM does not /sbin/chkconfig –add or enable, so be sure to enable the version of tac_plus you require.

Tested Support on Vendor Hardware

  • Arista EoS (4.13.3F): need to use ‘ipv6 host name ::1’ as TACACS conf can’t handle raw IPv6 addresses (lame) 
  • Cisco NXOS (6.0(2)U2(4) [build 6.0(2)U2(3.6)]):
    feature tacacs+
    tacacs-server key 7 “c00p3rIstheMan”
    tacacs-server host a:cafe::1
    tacacs-server host b:b00c::2
    aaa group server tacacs+ TACACS
    server a:cafe::1
    server b:b00c::2
    source-interface Vlan2001 (ensure what IP request will come from)
  • Juniper: >= Junos 13.3R2.7 required for IPv6 Tacacs (Tested on MX)

I know it’s old school code but please feel free to submit bug patches / enhancements. This should allow us to keep this beast running until we can deprecate it’s need …

VMWare Guest Consoles over a WAN with Latency

Have you ever used the VMWare console over a WAN with latency and it enters multiple key strokes into the console and makes using the console super annoying! It makes me HATE VMWare and want to smash it into 10000 pieces with a baseball bat.

Well the answer is to add a line to your VMs VMX file to allow it to be ‘laggier’. For example the following will give you 2 second between key strokes:

  • keyboard.typematicMinDelay = “2000000”

For more information: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=196

IPTables Template

So I thought I would share a good IPTables starting template, all tested on Ubuntu 10.10.


# Cooper Lees IPTables Rules
# Last Updated 20110409

# Drop by default
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
#ICMP is Good
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
# Only allow 4 new SSH connection per minute from a certain IP address
iptables -A INPUT -p tcp –dport 22 -m state –state NEW -m recent –set
iptables -A INPUT -p tcp –dport 22 -m state –state NEW -m recent –update –second 60 –hitcount 4 -j DROP
iptables -A INPUT -m state –state NEW -m tcp -p tcp –dport 22 -j ACCEPT
# Handy if you have a IPv4 to IPv6 Tunnel …
iptables -A INPUT -p 41 -s ${IPv4-Tunnel-Address} -j ACCEPT
# Handy for debuging what is getting blocked …
iptables -A INPUT -j LOG –log-level debug –log-prefix "iptables INPUT: "
iptables -A INPUT -j REJECT –reject-with icmp-host-prohibited

– Load from CLI then use iptables-save > /etc/iptables.up.rules
– In Ubuntu add to /etc/network/interfaces “pre-up iptables-restore < /etc/iptables.up.rules" on to the loopback interface