
Creating and running a script for Cisco TACACS?

truittc
Techie
Posts: 2

Does anybody have a full Ad Hoc NetMRI script to be able to configure Cisco TACACS+ in routers and switches?  I want to get a good template down and break the script down to various Cisco devices and IOS code.


Thanks,


-C

Re: Creating and running a script for Cisco TACACS?

Adviser
Posts: 267

You may want to have a look here, and comment on the thread for more info.


https://community.infoblox.com/t5/DNS-DHCP-IPAM/TACACS-with-Cisco-ACS-5-x-and-Infoblox-NIOS-7-3-x-Au...


If you appreciate my efforts, please give me a kudo ↓ or Accept as solution to help others find it faster.

Re: Creating and running a script for Cisco TACACS?

truittc
Techie
Posts: 2

Eric, et al...

I appreciate the feedback... Unfortunately, I think you misunderstood my post.  I am trying to write a full script in NetMRI in order to be able to have NetMRI push partial configuration out to Cisco routers and switches.


For example, here is what I have started to write (but I know I don't have a complete set up yet):


Script-Filter:
$Vendor eq "Cisco" and
$Model eq "1841" and
$SysDescr like /IOS/ and
$Version like /^15/
########################

Action:
Get Interface

Action-Description:
Get the Interface Name from the list.

Action-Commands:
SET: $sourceint = getListValue(AAA-sourceint,old_name,$name,sourceint,NOTFOUND)

Action-Commands:{$sourceint ne "NOTFOUND"}
config t
ip host <nameACSserver1> 10.x.x.1
ip host <nameACSserver2> 10.x.x.2

tacacs server ACS1
address ipv4 10.x.x.1
key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
single-connection
tacacs server ACS2
address ipv4 10.x.x.2
key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
single-connection

aaa new-model

aaa group server tacacs+ ACS-SERVERS
server name ACS1
server name ACS2
ip tacacs source-interface $sourceint

aaa authentication login default group ACS-SERVERS
aaa authentication login ACS-FALLBACK group ACS-SERVERS local
aaa authorization console
aaa authorization exec default group ACS-SERVERS local
aaa authorization commands 1 default group ACS-SERVERS
aaa authorization commands 1 ACS-CONFIG group ACS-SERVERS if-authenticated
aaa authorization commands 15 default group ACS-SERVERS
aaa authorization commands 15 ACS-CONFIG group ACS-SERVERS if-authenticated
aaa authorization network default if-authenticated
aaa authorization configuration default group ACS-SERVERS
aaa accounting suppress null-username
aaa accounting send stop-record authentication failure
aaa accounting delay-start
aaa accounting nested
aaa accounting update periodic 1440
aaa accounting exec default start-stop group ACS-SERVERS
aaa accounting commands 1 default start-stop group ACS-SERVERS
aaa accounting commands 15 default start-stop group ACS-SERVERS
aaa accounting network default start-stop group ACS-SERVERS
aaa accounting connection default start-stop group ACS-SERVERS
aaa accounting system default start-stop group ACS-SERVERS

line con 0
authorization commands 1 ACS-CONFIG
authorization commands 15 ACS-CONFIG
login authentication ACS-FALLBACK

line vty 0 4
authorization commands 1 ACS-CONFIG
authorization commands 15 ACS-CONFIG
login authentication ACS-FALLBACK

line vty 5 15
authorization commands 1 ACS-CONFIG
authorization commands 15 ACS-CONFIG
login authentication ACS-FALLBACK

wr mem


Any help is appreciated.


Chris

Re: Creating and running a script for Cisco TACACS?

Expert
Posts: 262

AAA configurations are very different between customers.  The one you list above is far more elaborate than most I've seen.  So I don't think anyone can offer you a template that is "standard".


What you have will work with one correction: prior to "wr mem", exit configuration mode with "end".  FWIW, that's probably the most frequent error people make with the Ad Hoc Batch script.


I'm puzzled as to what device authentication method is being used by NetMRI with what credentials, prior to entering all of these new config statements.  If it's relying on TACACS, then the necessary statements must already exist.  Otherwise there's a catch-22.


Similarly, the script sets the TACACS source-interface.  If that gets changed from what is already being used for the script session, then it will immediately cause ACS to no longer succeed in looking up the device by the new IP.


Also, be careful not to saw off the limb that the script is running upon.  As soon as command authorization is enabled, the remaining commands that the script is sending had better get approval from the TACACS server.


One additional thought -- I'm not sure why an external list is necessary just to specify the TACACS source-interface.  Couldn't you handle that with device groups or some other combination of attributes that are then tested by Action-Commands qualifiers?  E.g., all routers use Loopback0, switches have no such command, and so on.


HTH,

- Marty
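A pre-flight check for the three pitfalls Marty lists above (saving while still in configuration mode, moving the TACACS source-interface out from under the running session, and commands pushed after command authorization is switched on). This is an added Python example, not code from the thread or from NetMRI; it lints a constructed, shortened copy of the command block before anything is pushed. The session_source_interface parameter and the command patterns are assumptions.

```python
import re
ENTER_CONFIG = re.compile(r"^conf(ig(ure)?)?(\s+t(erminal)?)?$")
SAVE_CONFIG = re.compile(r"^(wr(ite)?(\s+mem(ory)?)?|copy\s+run\S*\s+start\S*)$")
SUBMODE = re.compile(r"^(line|interface|tacacs server|aaa group server)\b")
AUTHZ_COMMANDS = re.compile(r"^aaa authorization commands \d+ ")
SOURCE_IFACE = re.compile(r"^ip tacacs source-interface (\S+)$")

def lint_push_block(lines, session_source_interface=None):
    """Return [(line_number, finding)] for one Action-Commands block; session_source_interface
    (assumed) is the interface the TACACS server already knows the device by (None skips it)."""
    findings, depth, authz_line, after_authz = [], 0, None, []
    # depth: 0 = exec, 1 = global config, 2 = a config submode (line, tacacs server, ...)
    for num, raw in enumerate(lines, 1):
        cmd = raw.strip()
        if not cmd:
            continue
        if authz_line is not None:      # every command sent once authorization is in force
            after_authz.append(cmd)
        if ENTER_CONFIG.match(cmd):
            depth = 1
        elif cmd == "end":
            depth = 0
        elif SUBMODE.match(cmd) and depth:
            depth = 2
        elif SAVE_CONFIG.match(cmd) and depth:
            findings.append((num, f"'{cmd}' sent while still in config mode; put 'end' before it"))
        elif AUTHZ_COMMANDS.match(cmd) and authz_line is None:
            authz_line = num
        else:
            m = SOURCE_IFACE.match(cmd)
            if m and session_source_interface and m.group(1) != session_source_interface:
                findings.append((num, f"source-interface moves from {session_source_interface} "
                                      f"to {m.group(1)}; the TACACS server will see a new device IP"))
    if after_authz:
        findings.append((authz_line, f"{len(after_authz)} command(s) follow the first 'aaa authorization "
                                     f"commands' line (first: '{after_authz[0]}'); the server must permit each"))
    return findings

# Constructed sample: a shortened version of the block posted in the thread.
SAMPLE_PUSH = """\
config t
tacacs server ACS1
address ipv4 10.x.x.1
aaa group server tacacs+ ACS-SERVERS
ip tacacs source-interface Loopback0
aaa authorization commands 15 default group ACS-SERVERS
line vty 0 4
login authentication default
wr mem
""".splitlines()
```

Running lint_push_block(SAMPLE_PUSH, session_source_interface="Vlan1") reports the source-interface change, the missing "end" before "wr mem", and the three commands that now depend on server-side command authorization.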

Re: Creating and running a script for Cisco TACACS?

Adviser
Posts: 267

I just saw this blog, which may provide some additional info.  Hope it is helpful:


http://socpuppet.blogspot.fr/2016/04/infoblox-and-cisco-acs-5x.html


If you appreciate my efforts, please give me a kudo ↓ or Accept as solution to help others find it faster.

Re: Creating and running a script for Cisco TACACS?

Adviser
Posts: 357

Eric, I believe the request here is for a NetMRI script that will automate the configuration on a set of Cisco devices, not for configuring the Infoblox server itself.
