[tacacs+ test]: Add TACACS+ test #372

Closed
wants to merge 2 commits into from
5 changes: 5 additions & 0 deletions ansible/group_vars/lab/lab.yml
Expand Up @@ -37,3 +37,8 @@ snmp_location: testlab
#For Arista fanout switch deployment only
fanout_admin_user: "fanoutadminuser"
fanout_admin_password: "fanoutadminpassword"

# tacacs server configuration
tacacs_passkey: "test123"
tacacs_username: "test"
tacacs_passwd: "test"
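Review bot: tacacs_passkey and tacacs_passwd are committed in plaintext in ansible/group_vars/lab/lab.yml; even for a lab, vault them (ansible-vault encrypt_string) or leave them as obvious placeholders the user overrides, the way fanout_admin_password just above is already a placeholder. Also, tacacs.yml in this PR uses `{{ tacacs_servers[0] }}` and its setup comment says the server IP goes in group_vars/lab/lab.yml, but this hunk only adds tacacs_passkey, tacacs_username and tacacs_passwd; add a `tacacs_servers:` list here or document where it is expected to come from.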
3 changes: 3 additions & 0 deletions ansible/inventory
Expand Up @@ -14,3 +14,6 @@ switch5

[ptf]
ptf-1 ansible_host=10.0.0.200 ansible_ssh_user=root ansible_ssh_pass=password

[tacacs_server]
tacacs_server ansible_host=10.0.0.9 ansible_ssh_user=root ansible_ssh_pass=root
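Review bot: the new [tacacs_server] entry stores a root password in the inventory (`ansible_ssh_pass=root`) for a host that accepts root password logins over SSH. Prefer SSH keys or an ansible-vault-encrypted `ansible_ssh_pass`, and consider giving the host a name distinct from its group (both are `tacacs_server`), which reads more clearly in `hosts:` patterns.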
Contributor


@liuqu are you using the default ptf docker within the testbed? I didn't closely follow the PRs in sonic-buildimage; has this server been included and deployed with the testbed ptf docker?
Did you add your TACACS+ design/testing document to sonic/wiki so community members can follow? (I remember last time it was from your own repo.)

Author


Sorry for the late reply. You can find the test plan in TACACS+ Test Plan.md.
The TACACS+ server is a host with tac_plus installed, not included in the ptf docker. This configuration is used to save the username and password to ensure that the TACACS+ server can be logged into to execute sudo commands.

Author


The source address feature for TACACS+ is needed for the source address test. It will be submitted as a pull request after the current PRs are merged.

4 changes: 4 additions & 0 deletions ansible/roles/test/tasks/sonic.yml
Expand Up @@ -169,3 +169,7 @@
- name: neighbor mac change test without using ptf
include: neighbour-mac-noptf.yml
tags: neighbour_mac_noptf

- name: Test TACACS+
include: tacacs.yml
tags: tacacs
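Review bot: style only: the neighbouring entries in sonic.yml use lowercase descriptive names ("neighbor mac change test without using ptf"), so "tacacs+ authentication test" would match the file better than "Test TACACS+"; the `tacacs` tag is fine.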
70 changes: 70 additions & 0 deletions ansible/roles/test/tasks/tacacs.yml
@@ -0,0 +1,70 @@
# Setup for TACACS+ testbed:
# 1. Start TACACS+ service (tac_plus) in TACACS+ server.
# 2. Add TACACS+ passkey, user account and password for test in TACACS+ server.
# 3. Update TACACS+ server ip, passkey, user account and password in group_vars/lab/lab.yml
# 4. Update ssh_user and ssh_pass for TACACS+ server in inventory
###############################################################################################

# Set TACACS+ authentication configuration in DUT
- name: Set global TACACS+ passkey
become: true
shell: config tacacs passkey {{ tacacs_passkey }}

- name: Add TACACS+ server
become: true
shell: config tacacs add {{ tacacs_servers[0] }}

# Test TACACS+ login authentication
- name: Enable TACACS+ Authentication
become: true
shell: config aaa authentication login tacacs+ local

- name: Check if pam configuration ok
become: true
shell: "grep 'pam_tacplus.so server={{ tacacs_servers[0] }}' /etc/pam.d/common-auth-sonic"
register: tacplus_pam_module
failed_when: '"secret={{ tacacs_passkey }}" not in tacplus_pam_module.stdout'

- name: Check if TACACS+ user login ok
shell: "sshpass -p {{ tacacs_passwd }} ssh {{ tacacs_username }}@{{ ansible_host }} whoami"
connection: local
become: no
register: login_result
failed_when: login_result.stdout != "{{ tacacs_username }}"

# Test failthrough mechanism
- name: Config local authentication prior to TACACS+ authentication
become: true
shell: config aaa authentication login local tacacs+

- name: Disable fail-through mechanism
become: true
shell: config aaa authentication failthrough disable

- name: Check if TACACS+ user login fail
shell: "sshpass -p {{ tacacs_passwd }} ssh {{ tacacs_username }}@{{ ansible_host }} whoami"
connection: local
become: no
register: login_result
failed_when: login_result.stdout == "{{ tacacs_username }}"

- name: Restore fail-through mechanism
become: true
shell: config aaa authentication failthrough default

# Cleanup TACACS+ configuration
- name: Delete TACACS+ server
become: true
shell: config tacacs delete {{ tacacs_servers[0] }}

- name: Delete TACACS+ passkey
become: true
shell: config tacacs default passkey

- name: Set AAA authentication default
become: true
shell: config aaa authentication login default

- name: Set AAA authentication failthrough default
become: true
shell: config aaa authentication failthrough default
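Review bot: the cleanup tasks at the end of tacacs.yml (Delete TACACS+ server, Delete TACACS+ passkey, Set AAA authentication default) only run if every earlier check passes; if "Check if TACACS+ user login ok" or the fail-through check fails, the play stops with the DUT still on `config aaa authentication login tacacs+ local` pointing at a test server, which can lock operators out of the device. Wrap the test tasks in a `block:` and move the cleanup into `always:`. Smaller points in the same file: `failed_when: login_result.stdout != "{{ tacacs_username }}"` is already a Jinja expression, so write `login_result.stdout != tacacs_username` (ansible-lint flags the nested braces); the `config tacacs passkey` and `sshpass -p` tasks put the secret on the command line and in the task log, so add `no_log: true` and pass the password with `sshpass -e` via the `SSHPASS` environment variable; the `ssh` calls have no `-o BatchMode=yes` or host-key option and can hang on a first-connection host-key prompt; and "Restore fail-through mechanism" and "Set AAA authentication failthrough default" run the same command twice.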