Overview

PyOpenAAA is a web system developed in Django that creates basic configuration files for the tac_plus software. With PyOpenAAA you can control management access through the TACACS+ AAA protocol in a small or medium-sized environment. That means you will know when an authorized user accessed a device and what configuration was performed. In addition, you can create groups of users and specify which commands and parameters each group may use.

If you need a solution for a large environment, it is recommended to look at the Cisco ACS 5.x or Cisco ISE 2.x products, or to use tac_plus without this web system.

Navigation

  1. Use this menu to navigate between options.
  2. Click this button to apply the changes configured.
  3. Click this button to display the help topics.
  4. Click this button to exit the system.
  5. This bar is displayed when the tac_plus process is not running.
  6. The selected content is displayed here.

Device Configuration

The configuration depends on the manufacturer and model of the equipment. Below is the basic configuration for a device running Cisco IOS.

configure terminal
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local none
aaa authorization commands 1 default group tacacs+ local none
aaa authorization commands 15 default group tacacs+ local none
aaa authorization configuration default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
tacacs-server host {PyOpenAAA IP Address}
tacacs-server key {PyOpenAAA pre-shared-key}

If you want to authorize and account for privilege level 0 (which includes the disable, enable, exit, help and logout commands), add these configuration lines:

aaa authorization commands 0 default group tacacs+ local none
aaa accounting commands 0 default start-stop group tacacs+

Users

In this section you manage users, their passwords and the group each user belongs to.

Create User

To create a new user, click the "Create New User" button and provide a unique username and a password. At creation time you must select the user's group, which must have been created previously in the Groups menu.

Edit User

Clicking the edit button of a user lets you provide a new password, change the user's group, or both; click the Save button to apply the change. If you don't want to change anything, click the Cancel button or navigate to another menu.

Delete User

Click the delete button of a user to remove it. The logs of a deleted user are kept in the database.

Groups

In this section you manage group settings such as the privilege level, the idle time after which an inactive session is disconnected (idle-time), the time after which a session is forcibly disconnected (time-out) and the Command-Set of a group.

Create Group

To create a group, click the "Create New Group" button, provide a unique Group Name, select a Command-Set (previously created in the Command-Sets menu) and select a privilege level.

By default, there are three privilege levels on the router:

   Privilege level 1 = non-privileged (prompt is router>), the default level for logging in
   Privilege level 15 = privileged (prompt is router#), the level after going into enable mode
   Privilege level 0 = seldom used, but includes 5 commands: disable, enable, exit, help, and logout

Levels 2-14 are not used in a default configuration, but commands that are normally at level 15 can be moved down to one of those levels, and commands that are normally at level 1 can be moved up to one of those levels. Obviously, this security model involves some administration on the router.

http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13860-PRIV.html

Edit Group

Clicking the edit button of a group lets you change its command-set, privilege level and timers. Click the Save button to commit the changes. If you don't want to change anything, click the Cancel button or navigate to another menu.

Delete Group

Clicking the Delete button of a group deletes not only the group but also all members of that group. If you want to keep the members, move them to another valid group before deleting the original group.

Command-Sets

In this section you manage the Command-Sets and the default permission of each command-set.

Create Command-Set

To create a new command-set, click the "Create New Command-Set" button, provide a unique Command-Set Name, select the default action (what happens when the user uses a command not specified in the set) and add the commands and parameters of this Command-Set.

Commands and parameters support regular expressions. For example, if you want to permit or deny show running-config and show startup-config, fill the command field with show and the parameter field with /^(running|startup)-config/.

If you want to represent all variants of a command, use .* in the parameter field. For example, if all copy parameters are allowed, fill the command field with copy and the parameter field with .* to represent all of them.

Command-sets are read from top to bottom, like an ACL, so the order of the permissions is important; you can change the order by dragging and dropping the double-arrow symbol next to each command.
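The matching rules above (regex on command and parameters, first match from top to bottom, default action for unmatched commands) modelled as a small evaluator. This is an added illustration, not PyOpenAAA's or tac_plus's own code: the command-set below is constructed, and matching the command field with fullmatch and the parameter field with search is this example's assumption, not tac_plus's exact semantics.

```python
import re

PERMIT, DENY = "permit", "deny"

# Constructed command-set in the shape PyOpenAAA describes: each entry has a
# regex for the command, a regex for the parameters and the action to take.
# Order matters: the specific deny for show running/startup-config must come
# before the general "show .*" permit, or it is shadowed and never matches.
COMMAND_SET = [
    {"command": "show", "parameter": "/^(running|startup)-config/", "action": DENY},
    {"command": "show", "parameter": ".*", "action": PERMIT},
    {"command": "copy", "parameter": ".*", "action": PERMIT},
]
DEFAULT_ACTION = DENY  # the set's "Unmatched Commands" default action


def _regex(field):
    """Accept either a bare regex or the /.../ delimited form used in the help text."""
    if len(field) >= 2 and field.startswith("/") and field.endswith("/"):
        field = field[1:-1]
    return re.compile(field)


def split_command(cmd_line):
    """Split a typed line into the command word and the remaining parameters."""
    parts = cmd_line.strip().split(None, 1)
    command = parts[0] if parts else ""
    params = parts[1] if len(parts) > 1 else ""
    return command, params


def authorize(command_set, default_action, cmd_line):
    """Evaluate one command line against the set top to bottom, like an ACL.

    Returns (action, index_of_matching_rule); the index is None when no rule
    matched and the default action was applied (assumed matching semantics).
    """
    command, params = split_command(cmd_line)
    for index, rule in enumerate(command_set):
        if _regex(rule["command"]).fullmatch(command) and _regex(rule["parameter"]).search(params):
            return rule["action"], index
    return default_action, None


if __name__ == "__main__":
    for line in ("show running-config", "show ip interface brief",
                 "copy running-config startup-config", "reload"):
        action, index = authorize(COMMAND_SET, DEFAULT_ACTION, line)
        print(f"{line!r:40} -> {action} (rule {index})")
```

Reversing the list makes "show running-config" hit the general permit first, which is exactly the ordering mistake the drag-and-drop order control exists to avoid.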

For more information, please check the tac_plus documentation (http://www.pro-bono-publico.de/projects/tac_plus.html).

Edit Command-Set

Clicking the edit button of a command-set lets you change the default action (Unmatched Commands), the commands, the parameters and the order of the commands by dragging and dropping the double-arrow symbol next to each command. Click the Save button to commit the changes. If you don't want to change anything, click the Cancel button or navigate to another menu.

Delete Command-Set

Clicking the Delete button of a command-set deletes not only the command-set but also all groups that use it and the users who are members of those groups. If you want to keep the groups, change their command-set to another valid one before deleting the original command-set.

Logs

In this section you can view the access sessions and the commands applied, as registered in the database.

Last Activity

This section shows the last 5 access records registered in the database, for quick reference.

Search

Clicking the From and To fields lets you provide a date interval to search for registered access sessions and commands. When these fields are filled, click the Search button to view the matching records.

Clicking the View button of a record shows the commands used in that session.

Settings

In this section you manage the settings of this application, such as the pre-shared key, the login message, the authentication failure message and custom configuration written as described in the tac_plus documentation. The login and failure messages accept \t for a tab and \n for a newline.

License

This product includes software developed by Marc Huber (Marc.Huber@web.de): TACACS+ (tac_plus - http://www.pro-bono-publico.de/projects/tac_plus.html); and the TACACS+ accounting log event parser (tac_parse - https://github.com/jathanism/tac_parse).

About Us

Rafael Jardim (http://br.linkedin.com/in/rjardim/)

I'm a Network Analyst from Brazil. I have been working in IT since 2011 and I like to create tools to optimize my work, and I built this web system as a personal project with the help of my wife Laís. I currently have these certifications:

Laís Moutinho

She is trained as a Designer and specialized in Web User Interface. She helped me in this project with HTML, CSS, JavaScript and that kind of stuff.

You

Thanks for using this web system. I hope it is good enough to help you in your environment. If you want to help, please let me know about any problem with device compatibility or any bug in the web system.