Name: tacacs_plus
Owner: Ansible
Description: A Python-based TACACS+ client that supports authentication, authorization and accounting.
Created: 2017-03-24 18:50:03.0
Updated: 2017-12-19 13:33:21.0
Pushed: 2017-09-14 15:21:58.0
Size: 59
Language: Python
A TACACS+ client that supports authentication, authorization and accounting.
Unlike RADIUS, which was designed for similar purposes, the TACACS+ protocol offers basic packet encryption but, as with most crypto designed back then, it's not secure and definitely should not be used over untrusted networks.
This package has been successfully used with the free tac_plus TACACS+ server on a variety of operating systems.
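The "basic packet encryption" mentioned above is the data obfuscation defined in RFC 8907: the packet body is XORed with a pad built from chained MD5 hashes of the session id, shared key, version and sequence number. The sketch below is an added example, not code from the tacacs_plus package; the key, session id and body are constructed values, and it shows that the scheme carries no integrity check, which is why TACACS+ traffic belongs on trusted or separately protected links.

```python
import hashlib
import struct


def pseudo_pad(session_id, key, version, seq_no, length):
    """Chain MD5 blocks over (session_id, key, version, seq_no[, previous block])."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]  # truncated to the body length


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; calling it again reverses the operation."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


# Constructed sample values, not captured traffic and not a real packet body.
KEY = b"example-shared-key"
SESSION_ID = 0x1A2B3C4D
VERSION = 0xC0  # major version 0xc, minor version 0
SEQ_NO = 1
BODY = b"service=shell cmd=show cmdarg=version"


def demo():
    """Return (wire bytes, round-tripped body, body recovered after tampering)."""
    wire = obfuscate(BODY, SESSION_ID, KEY, VERSION, SEQ_NO)
    restored = obfuscate(wire, SESSION_ID, KEY, VERSION, SEQ_NO)

    # There is no MAC or checksum over the body: a byte changed in transit
    # still de-obfuscates without any error on the receiving side.
    altered = bytearray(wire)
    altered[-1] ^= 0x01
    received = obfuscate(bytes(altered), SESSION_ID, KEY, VERSION, SEQ_NO)
    return wire, restored, received


if __name__ == "__main__":
    wire, restored, received = demo()
    print("wire bytes      :", wire.hex())
    print("round trip ok   :", restored == BODY)
    print("tampered body   :", received)
```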
```
$ pip install tacacs_plus

$ tacacs_client -u myuser -H localhost authenticate
$ tacacs_client -u myuser -H localhost authenticate -t pap
$ tacacs_client -u myuser -H localhost -v authenticate -t chap
status: PASS
$ tacacs_client -u myuser -H localhost authorize -c service=shell cmd=show cmdarg=version
$ tacacs_client -u myuser -H localhost -v authorize -t pap -c service=shell cmd=show cmdarg=version
status: PASS
$ tacacs_client -u myuser -H localhost -v authorize -t pap -c service=junos-exec
status: REPL
av-pairs:
  allow-commands=^acommandregex$
  deny-commands=^anothercommandregex$
$ tacacs_client -u myuser -H localhost account -f start -c service=shell cmd=show cmdarg=version
$ tacacs_client -u myuser -H localhost account -f stop -c service=shell cmd=show cmdarg=version

$ tacacs_client -h
usage: tacacs_client [-h] -u USERNAME -H HOST [-p PORT] [-l PRIV_LVL]
                     [-t {ascii,pap,chap}] [-r REM_ADDR] [-P VIRTUAL_PORT]
                     [--timeout TIMEOUT] [-d] [-v] [-k KEY]
                     {authenticate,authorize,account} ...

Tacacs+ client with full AAA support:

    * Authentication supports both ascii, pap and chap.
    * Authorization supports AV pairs and single commands.
    * Accounting support AV pairs and single commands.

NOTE: shared encryption key can be set via environment variable TACACS_PLUS_KEY or via argument.
NOTE: user password can be setup via environment variable TACACS_PLUS_PWD or via argument.

positional arguments:
  {authenticate,authorize,account}
                        action to perform over the tacacs+ server
    authenticate        authenticate against a tacacs+ server
    authorize           authorize a command against a tacacs+ server
    account             account commands with accounting flags against a tacacs+ server

optional arguments:
  -h, --help            show this help message and exit
  -u USERNAME, --username USERNAME
                        user name
  -H HOST, --host HOST  tacacs+ server address
  -p PORT, --port PORT  tacacs+ server port (default 49)
  -l PRIV_LVL, --priv-lvl PRIV_LVL
                        user privilege level
  -t {ascii,pap,chap}, --authen-type {ascii,pap,chap}
                        authentication type
  -r REM_ADDR, --rem-addr REM_ADDR
                        remote address (logged by tacacs server)
  -P VIRTUAL_PORT, --virtual-port VIRTUAL_PORT
                        console port used in connection (logged by tacacs server)
  --timeout TIMEOUT
  -d, --debug           enable debugging output
  -v, --verbose         print responses
  -k KEY, --key KEY     tacacs+ shared encryption key

$ tacacs_client authenticate -h
usage: tacacs_client authenticate [-h] [-p PASSWORD]

optional arguments:
  -h, --help            show this help message and exit
  -p PASSWORD, --password PASSWORD
                        user password

$ tacacs_client authorize -h
usage: tacacs_client authorize [-h] -c CMDS [CMDS ...]

optional arguments:
  -h, --help            show this help message and exit
  -c CMDS [CMDS ...], --cmds CMDS [CMDS ...]
                        list of cmds to authorize

$ tacacs_client account -h
usage: tacacs_client account [-h] -c CMDS [CMDS ...] -f {start,stop,update}

optional arguments:
  -h, --help            show this help message and exit
  -c CMDS [CMDS ...], --cmds CMDS [CMDS ...]
                        list of cmds to authorize
  -f {start,stop,update}, --flag {start,stop,update}
                        accounting flag
```
```python
#!/usr/bin/env python
from tacacs_plus.client import TACACSClient
from tacacs_plus.flags import TAC_PLUS_ACCT_FLAG_START, TAC_PLUS_ACCT_FLAG_WATCHDOG, TAC_PLUS_ACCT_FLAG_STOP

# server host, port and shared key
cli = TACACSClient('host', 49, 'secret', timeout=10)

# authenticate user and pass
authen = cli.authenticate('username', 'password')
print("PASS!" if authen.valid else "FAIL!")

# authorize user and command
author = cli.authorize('username', arguments=[b"service=shell", b"cmd=show", b"cmdargs=version"])
print("PASS!" if author.valid else "FAIL!")

# start accounting session for command
acct = cli.account('username', TAC_PLUS_ACCT_FLAG_START, arguments=[b"service=shell", b"cmd=show", b"cmdargs=version"])
print("PASS!" if acct.valid else "FAIL!")

# continue accounting session for another command
acct = cli.account('username', TAC_PLUS_ACCT_FLAG_WATCHDOG, arguments=[b"service=shell", b"cmd=debug", b"cmdargs=aaa"])
print("PASS!" if acct.valid else "FAIL!")

# close accounting session
acct = cli.account('username', TAC_PLUS_ACCT_FLAG_STOP, arguments=[b"service=shell", b"cmd=exit"])
print("PASS!" if acct.valid else "FAIL!")
```