diff --git a/ansible/group_vars/lab/lab.yml b/ansible/group_vars/lab/lab.yml
index 034ebe8058c..77c34870b4f 100644
--- a/ansible/group_vars/lab/lab.yml
+++ b/ansible/group_vars/lab/lab.yml
@@ -37,3 +37,8 @@ snmp_location: testlab
 #For Arista fanout switch deployment only
 fanout_admin_user: "fanoutadminuser"
 fanout_admin_password: "fanoutadminpassword"
+
+# tacacs server configuration
+tacacs_passkey: "test123"
+tacacs_username: "test"
+tacacs_passwd: "test"
diff --git a/ansible/inventory b/ansible/inventory
index d0f58bb61df..9ef934b251a 100644
--- a/ansible/inventory
+++ b/ansible/inventory
@@ -14,3 +14,6 @@ switch5
 
 [ptf]
 ptf-1 ansible_host=10.0.0.200 ansible_ssh_user=root ansible_ssh_pass=password
+
+[tacacs_server]
+tacacs_server ansible_host=10.0.0.9 ansible_ssh_user=root ansible_ssh_pass=root
diff --git a/ansible/roles/test/tasks/sonic.yml b/ansible/roles/test/tasks/sonic.yml
index d254ed6dbe2..9da046269a6 100644
--- a/ansible/roles/test/tasks/sonic.yml
+++ b/ansible/roles/test/tasks/sonic.yml
@@ -169,3 +169,7 @@
 - name: neighbor mac change test without using ptf
   include: neighbour-mac-noptf.yml
   tags: neighbour_mac_noptf
+
+- name: Test TACACS+
+  include: tacacs.yml
+  tags: tacacs
diff --git a/ansible/roles/test/tasks/tacacs.yml b/ansible/roles/test/tasks/tacacs.yml
new file mode 100644
index 00000000000..3608d7c543c
--- /dev/null
+++ b/ansible/roles/test/tasks/tacacs.yml
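Review bot: The new tacacs.yml tasks read `tacacs_servers[0]` in addition to the three keys added here, and this hunk does not define `tacacs_servers`; unless that key already exists elsewhere in lab.yml, the first `config tacacs add` task fails on an undefined variable. `tacacs_passkey` and `tacacs_passwd` are committed as plaintext and are later interpolated into `shell:` command lines, so even as lab placeholders they belong in an `ansible-vault` encrypted vars file, or at least under a comment marking them as test-only defaults to be overridden. The key `tacacs_passwd` also breaks the `*_password` naming used by `fanout_admin_password` two lines above; `tacacs_password` would be consistent.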
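Review bot: The new inventory entry uses `tacacs_server` both as the group name (`[tacacs_server]`) and as the host name, which makes Ansible warn that it found both a group and a host with the same name on every run and leaves `hosts: tacacs_server` ambiguous to a reader; naming the group `[tacacs_servers]` or the host `tacacs-1` (matching `ptf-1`) avoids both. The line also commits `ansible_ssh_pass=root` in plaintext, following the existing `ptf-1` entry; a vaulted host_vars file would keep the password out of the inventory. The setup comment in the new tacacs.yml says the server IP is read from group_vars (`tacacs_servers[0]`) rather than from this host entry, so `ansible_host=10.0.0.9` here appears to need manual syncing with that variable.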
@@ -0,0 +1,70 @@
+# Setup for TACACS+ testbed:
+# 1. Start TACACS+ service (tac_plus) in TACACS+ server.
+# 2. Add TACACS+ passkey, user account and password for test in TACACS+ server.
+# 3. Update TACACS+ server ip, passkey, user account and password in group_vars/lab/lab.yml
+# 4. Update ssh_user and ssh_pass for TACACS+ server in inventory
+###############################################################################################
+
+# Set TACACS+ authentication configuration in DUT
+- name: Set global TACACS+ passkey
+  become: true
+  shell: config tacacs passkey {{ tacacs_passkey }}
+
+- name: Add TACACS+ server
+  become: true
+  shell: config tacacs add {{ tacacs_servers[0] }}
+
+# Test TACACS+ login authentication
+- name: Enable TACACS+ Authentication
+  become: true
+  shell: config aaa authentication login tacacs+ local
+
+- name: Check if pam configuration ok
+  become: true
+  shell: "grep 'pam_tacplus.so server={{ tacacs_servers[0] }}' /etc/pam.d/common-auth-sonic"
+  register: tacplus_pam_module
+  failed_when: '"secret={{ tacacs_passkey }}" not in tacplus_pam_module.stdout'
+
+- name: Check if TACACS+ user login ok
+  shell: "sshpass -p {{ tacacs_passwd }} ssh {{ tacacs_username }}@{{ ansible_host }} whoami"
+  connection: local
+  become: no
+  register: login_result
+  failed_when: login_result.stdout != "{{ tacacs_username }}"
+
+# Test failthrough mechanism
+- name: Config local authentication prior to TACACS+ authentication
+  become: true
+  shell: config aaa authentication login local tacacs+
+
+- name: Disable fail-through mechanism
+  become: true
+  shell: config aaa authentication failthrough disable
+
+- name: Check if TACACS+ user login fail
+  shell: "sshpass -p {{ tacacs_passwd }} ssh {{ tacacs_username }}@{{ ansible_host }} whoami"
+  connection: local
+  become: no
+  register: login_result
+  failed_when: login_result.stdout == "{{ tacacs_username }}"
+
+- name: Restore fail-through mechanism
+  become: true
+  shell: config aaa authentication failthrough default
+
+# Cleanup TACACS+ configuration
+- name: Delete TACACS+ server
+  become: true
+  shell: config tacacs delete {{ tacacs_servers[0] }}
+
+- name: Delete TACACS+ passkey
+  become: true
+  shell: config tacacs default passkey
+
+- name: Set AAA authentication default
+  become: true
+  shell: config aaa authentication login default
+
+- name: Set AAA authentication failthrough default
+  become: true
+  shell: config aaa authentication failthrough default
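Review bot: The cleanup tasks at the end of this file (`config tacacs delete`, `config tacacs default passkey`, and the two `aaa authentication ... default` resets) only run if every preceding task succeeds, so a failed login check leaves the DUT with `aaa authentication login tacacs+ local` and the test passkey still configured, which can lock the next test run out of the device. Wrapping the test tasks in a `block:` with the four cleanup tasks under `always:` (Ansible 2.0 or later) makes the teardown run on failure as well. The tasks that interpolate `tacacs_passkey` and `tacacs_passwd` into `shell` command lines and `failed_when` expressions should also carry `no_log: true`, since the values otherwise appear in the play output, and `{{ tacacs_username }}` inside the two `failed_when` conditions should be the bare expression `tacacs_username` to avoid Ansible's templated-conditional warning. `tacacs_servers[0]` is used here but not defined by the group_vars hunk of this commit; if it is not already in lab.yml the first `config tacacs add` task fails with an undefined variable.
```yaml
# … unchanged: setup header comment …
- name: TACACS+ authentication tests
  block:
    - name: Set global TACACS+ passkey
      become: true
      shell: config tacacs passkey {{ tacacs_passkey | quote }}
      no_log: true
    # … unchanged: Add TACACS+ server, Enable TACACS+ Authentication, pam check (plus no_log: true) …
    - name: Check if TACACS+ user login ok
      shell: "sshpass -p {{ tacacs_passwd | quote }} ssh {{ tacacs_username }}@{{ ansible_host }} whoami"
      connection: local
      become: false
      no_log: true
      register: login_result
      failed_when: login_result.stdout != tacacs_username
    # … unchanged: failthrough tests, with the same no_log/failed_when changes on "Check if TACACS+ user login fail" …
  always:
    # … unchanged: the four cleanup tasks (delete server, default passkey, login default, failthrough default), re-indented under always …
```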