コード例 #1
def tacacs_cleanup(dut, tacacs_params):
    """Undo the TACACS+/AAA configuration a test applied to ``dut``.

    Login authentication is pointed back at ``local`` first, so TACACS+ is
    no longer listed as a login source while the server entry is removed.
    """
    set_aaa_authentication_properties(dut, 'login', 'local')
    # 'default' is passed for each global property in turn -- presumably this
    # resets the property to its default value; confirm against the helper.
    for prop_name in ('authtype', 'passkey', 'timeout'):
        set_tacacs_properties(dut, 'default', prop_name)
    # Only the first host of the service parameters is removed here.
    first_host_ip = tacacs_params.hosts[0].ip
    set_tacacs_server(dut, 'delete', first_host_ip)
    set_aaa_authentication_properties(dut, 'failthrough', 'default')
コード例 #2
def tacacs_config():
    """Add the TACACS+ server described by ``security_data`` on ``vars.D1``."""
    # Positional order expected by set_tacacs_server after the action:
    # ip, tcp port, timeout, passkey, auth type, priority.
    server_args = (
        security_data.tacacs_host_ip,
        security_data.tacacs_tcp_port,
        security_data.tacacs_timeout,
        security_data.tacacs_passkey,
        security_data.tacacs_auth_type,
        security_data.tacacs_priority,
    )
    tacacs.set_tacacs_server(vars.D1, 'add', *server_args)
コード例 #3
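def test_mgmt_vrf_tacacs():
    """Check that a TACACS+ user can log in to ``vars.D1`` over the management VRF.

    Steps: enable AAA failthrough, add the first TACACS+ host from the
    service parameters with ``use_mgmt_vrf=True``, verify the server entry,
    set login authentication to ``tacacs+ local``, then poll for a login to
    the ``eth0`` address with the management-VRF TACACS+ credentials.

    Every failure path reached after the server has been added calls
    ``tacacs_cleanup`` before reporting, so a failed run does not leave the
    device with TACACS+ login and failthrough still configured.
    """
    tacacs_params = st.get_service_info(vars.D1, "tacacs")
    host = tacacs_params.hosts[0]
    if not set_aaa_authentication_properties(vars.D1, 'failthrough', 'enable'):
        # Nothing else has been configured yet, so there is nothing to undo.
        st.report_fail("authentication failthrough config fail")
    set_tacacs_server(vars.D1,
                      'add',
                      host.ip,
                      host.tcp_port,
                      host.timeout,
                      host.passkey,
                      host.auth_type,
                      host.priority,
                      use_mgmt_vrf=True)
    if not verify_tacacs_server(
            vars.D1, host.ip, host.tcp_port, host.timeout,
            host.passkey, host.auth_type, host.priority):
        # Previously this path reported the failure with the server entry and
        # failthrough still configured; restore defaults first.
        tacacs_cleanup(vars.D1, tacacs_params)
        st.report_fail("Tacacs_server_configs_are_not_successful", host.ip)
    set_aaa_authentication_properties(vars.D1, 'login', 'tacacs+ local')
    ip_addr = get_ifconfig_inet(vars.D1, 'eth0')
    if not ip_addr:
        # Login authentication already points at TACACS+ here, so it must be
        # reverted before the test is reported as failed.
        tacacs_cleanup(vars.D1, tacacs_params)
        st.report_fail('ip_verification_fail')
    if not poll_wait(connect_to_device, 10, ip_addr[0], mgmt_vrf.tacusername,
                     mgmt_vrf.tacpassword, mgmt_vrf.protocol,
                     mgmt_vrf.ssh_port):
        tacacs_cleanup(vars.D1, tacacs_params)
        st.report_fail("mgmt_vrf_tacacs", "failed")
    tacacs_cleanup(vars.D1, tacacs_params)
    st.report_pass("mgmt_vrf_tacacs", "successful")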
コード例 #4
def security_module_epilog():
    """Remove the RADIUS and TACACS+ settings this module put on ``vars.D1``.

    The RADIUS calls are issued with ``cli_type="click"``.
    """
    radius.config_server(vars.D1, ip_address=security_data.radius_host_ip, action="delete", cli_type="click")
    # Each global RADIUS parameter is sent with "no_form": True -- presumably
    # the negated form of the command, i.e. unset it; confirm against the
    # radius helper.
    global_resets = {
        "key": {"value": security_data.global_diff_passkey, "no_form": True},
        "timeout": {"value": security_data.global_timeout, "no_form": True},
        "auth_type": {"value": security_data.global_auth_type, "no_form": True},
        "retransmit": {"value": security_data.global_retransmit, "no_form": True},
    }
    radius.config_global_server_params(vars.D1, skip_error_check=False,
                                       params=global_resets,
                                       cli_type="click")
    tacacs.set_tacacs_server(vars.D1, 'delete', security_data.tacacs_host_ip)
コード例 #5
def security_module_epilog():
    """Remove the TACACS+ server and, where supported, the RADIUS settings.

    The TACACS+ entry is always deleted; the RADIUS teardown only runs when
    ``st.is_feature_supported("radius", vars.D1)`` is true.
    """
    tacacs.set_tacacs_server(vars.D1, 'delete', security_data.tacacs_host_ip)
    if st.is_feature_supported("radius", vars.D1):
        radius.config_server(vars.D1, ip_address=security_data.radius_host_ip, action="delete")
        # "no_form": True on every entry -- presumably unsets the global
        # parameter; confirm against the radius helper.
        global_resets = {
            "key": {"value": security_data.global_diff_passkey, "no_form": True},
            "timeout": {"value": security_data.global_timeout, "no_form": True},
            "auth_type": {"value": security_data.global_auth_type, "no_form": True},
            "retransmit": {"value": security_data.global_retransmit, "no_form": True},
        }
        radius.config_global_server_params(vars.D1, skip_error_check=False,
                                           params=global_resets)
コード例 #6
ファイル: test_tacacs.py プロジェクト: zero804/sonic-mgmt
def test_ft_tacacs_modify_server_parameters():
    """
    Check SSH login behaviour while TACACS+ server parameters are changed.

    Author: Karthik Kumar Goud Battula([email protected])
    This test case covers the scenarios below.
    Scenario-1: Verify device behavior when TACACS+ application parameters (valid and invalid) are modified while traffic is running.
    Scenario-2: Verify that the key and timeout options default to global but may be specified to unique values on a per-server basis.
    Scenario-3: Verify that the NAS will stop communicating with the current server if the server is down, after the duration of the configured server timeout or the default timeout value.
    Scenario-4: Verify that the TACACS+ server key can be configured with more than 4 special characters.

    The test first configures a server entry with deliberately wrong
    parameters and expects the SSH login to be refused, then configures the
    valid server and expects the same login to succeed.
    """
    # Deliberately wrong server parameters for the negative check.
    invalid_l4_port = '59'
    invalid_pass_key = "key123"
    invalid_timeout = '10'
    invalid_ip_addr = '10.10.10.1'
    tacacs_params = st.get_service_info(vars.D1, "tacacs")
    # Remove the second host of the service parameters before reconfiguring.
    tacacs_obj.set_tacacs_server(vars.D1, 'delete', tacacs_params.hosts[1].ip)
    # The global passkey is set to a literal first and then overwritten with
    # data.passkey (the log line below describes it as containing special
    # characters).
    tacacs_obj.set_tacacs_properties(vars.D1, 'passkey', 'secretstring')
    st.log("Configuring global tacacs server key with special characters")
    tacacs_obj.set_tacacs_properties(vars.D1, 'passkey', data.passkey)
    st.log(
        "Check client authentication by modifing ip address,timeout,passkey")
    tacacs_obj.set_tacacs_server(vars.D1, 'add', invalid_ip_addr,
                                 invalid_l4_port, invalid_timeout,
                                 invalid_pass_key, data.auth_type,
                                 data.priority_server2)
    st.log(
        "Trying to SSH to the device when TACACS+ server is configured with invalid parameters"
    )
    # Negative check: a successful login here is the failure condition.
    # NOTE(review): the message id below reads as "login failed" although this
    # branch fires when the login unexpectedly succeeded -- confirm the id.
    if ssh_obj.connect_to_device(data.ip_address, data.username, data.password,
                                 data.protocol, data.ssh_port):
        st.log(
            "Deleting the TACACS+ server which is invalid for failed scenario")
        # The invalid entry is removed on the failure path as well.
        tacacs_obj.set_tacacs_server(vars.D1, 'delete', invalid_ip_addr)
        st.report_fail("Login_to_DUT_via_SSH_is_failed")
    st.log("Deleting the TACACS+ server which is invalid")
    tacacs_obj.set_tacacs_server(vars.D1, 'delete', invalid_ip_addr)
    st.log("Creating valid TACACS+ server")
    tacacs_obj.set_tacacs_server(vars.D1, 'add', data.tacacs_ser_ip_1,
                                 data.tcp_port, data.timeout, data.passkey,
                                 data.auth_type, data.priority)
    st.wait(2, "sync the tacacs server after config changes")
    st.log(
        "Trying to SSH to the device with TACACS+ server which is configured with the valid parameters"
    )
    # Positive check: the same credentials must now be accepted.
    if not ssh_obj.connect_to_device(data.ip_address, data.username,
                                     data.password, data.protocol,
                                     data.ssh_port):
        # debug_info is called with the test name and the valid server's IP
        # before the failure is reported.
        debug_info("test_ft_tacacs_modify_server_parameters",
                   data.tacacs_ser_ip_1)
        st.report_fail("Login_to_DUT_via_SSH_is_failed")
    st.report_pass("test_case_passed")
コード例 #7
ファイル: test_tacacs.py プロジェクト: yozhao101/sonic-mgmt
def test_ft_tacacs_ssh_login_highest_priorityserver():
    """
    Check SSH login through the highest-priority TACACS+ server.

    Author: Karthik Kumar Goud Battula([email protected])
    This test case covers the scenarios below.
    Scenario-1: Verify that, when the DUT is configured with more than one TACACS+ server with priorities set, a client can log in to the DUT via the highest-priority server.
    Scenario-2: Verify user login with multiple TACACS+ servers when a non-default priority is configured for every server.
    Scenario-3: Verify that if the current TACACS+ server is unresponsive, the NAS fails over to the next configured server according to the configured priorities, and so on.
    """
    st.log("Login to the device via SSH using the credentials of highest priority server")
    # NOTE(review): no ssh_port is passed here, so the port comes from
    # connect_to_device's own default -- confirm.
    logged_in = ssh_obj.connect_to_device(
        data.ip_address, data.username1, data.password1, data.protocol)
    if not logged_in:
        debug_info("test_ft_tacacs_ssh_login_highest_priorityserver", data.tacacs_ser_ip_2)
        st.report_fail("Login_to_DUT_via_SSH_is_failed")
    # The first server is removed only after the login check has passed.
    tacacs_obj.set_tacacs_server(vars.D1, 'delete', data.tacacs_ser_ip_1)
    st.report_pass("test_case_passed")
コード例 #8
ファイル: test_tacacs.py プロジェクト: yozhao101/sonic-mgmt
def tacacs_module_hooks(request):
    """Module-level setup and teardown for the TACACS+ tests.

    Setup (before ``yield``): collects the TACACS+ service parameters into
    ``data``, sets login authentication to ``tacacs+ local`` and adds the
    first TACACS+ server. Teardown (after ``yield``): restores the default
    TACACS+ properties, deletes the server entries, resets the AAA login and
    failthrough settings and clears the VLAN configuration.
    """
    # Module setup starts here.
    global vars
    vars = st.ensure_min_topology("D1")
    tacacs_params = st.get_service_info(vars.D1, "tacacs")
    st.log("Getting IP address of the device")
    data.clear()
    # Server parameters are read from the "tacacs" service description
    # (host index 0 and 1) rather than being written into the test.
    data.hosts = ensure_service_params(vars.D1, "tacacs", "hosts")
    data.tacacs_ser_ip_1 = ensure_service_params(vars.D1, "tacacs", "hosts", 0, "ip")
    data.tcp_port = ensure_service_params(vars.D1, "tacacs", "hosts", 0, "tcp_port")
    data.passkey = ensure_service_params(vars.D1, "tacacs", "hosts", 0, "passkey")
    data.priority = ensure_service_params(vars.D1, "tacacs", "hosts", 0, "priority")
    data.timeout = ensure_service_params(vars.D1, "tacacs", "hosts", 0, "timeout")
    data.auth_type = ensure_service_params(vars.D1, "tacacs", "hosts", 0, "auth_type")
    data.tacacs_ser_ip_2 = ensure_service_params(vars.D1, "tacacs", "hosts", 1, "ip")
    data.priority_server2 = ensure_service_params(vars.D1, "tacacs", "hosts", 1, "priority")
    data.time_out = '10'
    # NOTE(review): the login credentials below are string literals in the
    # test source (several appear masked as '******' in this copy), while the
    # passkey above is read from the service parameters. Consider loading the
    # usernames and passwords the same way so they are not committed with the
    # test code.
    data.username = '******'
    data.password = '******'
    data.protocol = 'ssh'
    data.ssh_port = '22'
    data.login_type = "tacacs+"
    data.failthrough_mode = 'enable'
    data.local_username = '******'
    data.local_password = '******'
    data.local_password2 = 'broadcom'
    data.username1 = 'test'
    data.password1 = 'test'
    data.rw_user = {'username': data.username, 'password': data.password, 'mode': 'rw'}
    data.ro_username = ensure_service_params(vars.D1, "radius", "ro_user", "username")
    ensure_device_ipaddress()
    st.log("Configuring authentication login parameter as tacacs+ and local")
    tacacs_obj.set_aaa_authentication_properties(vars.D1, 'login', 'tacacs+ local')
    tacacs_obj.set_tacacs_server(vars.D1, 'add', data.tacacs_ser_ip_1, data.tcp_port, data.timeout, data.passkey,
                                 data.auth_type, data.priority)
    yield
    # Module teardown starts here.
    config_default_tacacs_properties(vars.D1)
    st.log("Deleting all TACACS+ servers from the device")
    # NOTE(review): the loop indexes hosts 0..7, so it assumes the service
    # description lists at least eight hosts. The AAA login/failthrough reset
    # comes after the loop; if an index lookup raised, that reset would not
    # run and login would stay on 'tacacs+ local' -- confirm the host count.
    for i in range(0, 8):
        tacacs_obj.set_tacacs_server(vars.D1, 'delete', tacacs_params.hosts[i].ip)
    st.log("Making AAA parameters to default")
    tacacs_obj.set_aaa_authentication_properties(vars.D1, 'login', 'default')
    tacacs_obj.set_aaa_authentication_properties(vars.D1, 'failthrough', 'default')
    clear_vlan_configuration([vars.D1])
コード例 #9
ファイル: test_tacacs.py プロジェクト: yozhao101/sonic-mgmt
def test_ft_tacacs_enable_disable_failthrough():
    """
    Check which credentials are accepted as login order and failthrough change.

    Author: Karthik Kumar Goud Battula(karthikkumargoud,[email protected])
    This test case covers the scenarios below.
    Scenario-1: Verify the functionality of the failthrough mechanism by changing the login authentication order.
    Scenario-2: Verify the functionality of the failthrough mechanism when the DUT has multiple servers with default priority.

    Expected outcomes, as encoded by the checks below:
    - order "tacacs+ local", failthrough off: local login refused, TACACS+ login accepted;
    - order "local tacacs+", failthrough off: local login accepted, TACACS+ login refused;
    - order "tacacs+ local", failthrough on: both logins accepted.
    """
    tacacs_obj.set_tacacs_server(vars.D1, 'add', data.tacacs_ser_ip_2, data.tcp_port, data.timeout, data.passkey,
                                 data.auth_type, data.priority_server2)
    # Phase 1: this block does not set the login order itself; the log lines
    # state it is "TACACS+ and local" with failthrough not enabled.
    st.log(
        "Trying to SSH to the device using local credetails when login method set to TACACS+ and local and fail through mode is not enabled")
    # Negative check: a successful local login is the failure condition.
    # NOTE(review): the message id reads as "login failed" although this
    # branch fires when the login unexpectedly succeeded -- confirm the id.
    if ssh_obj.connect_to_device(data.ip_address, data.local_username, data.local_password, data.protocol,
                                 data.ssh_port, alt_password=data.local_password2):
        st.report_fail("Login_to_DUT_via_SSH_is_failed")
    st.log(
        "Trying to SSH to the device using TACACS+ credetails when login method set to TACACS+ and local and fail through mode is not enabled")
    # NOTE(review): ssh_port is omitted in this call (and protocol too in the
    # local-credential calls further down), so those values come from
    # connect_to_device's defaults -- confirm they match data.protocol and
    # data.ssh_port.
    if not ssh_obj.connect_to_device(data.ip_address, data.username, data.password, data.protocol):
        debug_info("test_ft_tacacs_enable_disable_failthrough", data.tacacs_ser_ip_1)
        st.report_fail("Login_to_DUT_via_SSH_is_failed")
    # Phase 2: reverse the login order; failthrough is still not enabled.
    st.log("Setting login authentication to local and tacacs+")
    tacacs_obj.set_aaa_authentication_properties(vars.D1, 'login', 'local tacacs+')
    st.log(
        "Trying to SSH to the device using local credetails when login method set to local and TACACS+ and fail through mode is not enabled")
    if not ssh_obj.connect_to_device(data.ip_address, data.local_username, data.local_password,
                                     alt_password=data.local_password2):
        st.report_fail("Login_to_DUT_via_SSH_is_failed")
    st.log(
        "Trying to SSH to the device using TACACS+ credetails when login method set to local and TACACS+ and fail through mode is not enabled")
    # Negative check: the TACACS+ credentials must be refused in this mode.
    if ssh_obj.connect_to_device(data.ip_address, data.username, data.password, data.protocol, data.ssh_port):
        st.report_fail("Login_to_DUT_via_SSH_is_failed")
    # Phase 3: restore the "tacacs+ local" order and enable failthrough.
    st.log("Configuring AAA login to tacacs+ and local and enabling failthrough mode")
    tacacs_obj.set_aaa_authentication_properties(vars.D1, 'login', 'tacacs+ local')
    tacacs_obj.set_aaa_authentication_properties(vars.D1, 'failthrough', 'enable')
    st.log(
        "Trying to SSH to the device using local credetails when login method set to TACACS+ and local and fail through mode is enabled")
    if not ssh_obj.connect_to_device(data.ip_address, data.local_username, data.local_password,
                                     alt_password=data.local_password2):
        st.report_fail("Login_to_DUT_via_SSH_is_failed")
    st.log(
        "Trying to SSH to the device using TACACS+ credetails when login method set to TACACS+ and local and fail through mode is enabled")
    if not ssh_obj.connect_to_device(data.ip_address, data.username, data.password, data.protocol, data.ssh_port):
        debug_info("test_ft_tacacs_enable_disable_failthrough", data.tacacs_ser_ip_1)
        st.report_fail("Login_to_DUT_via_SSH_is_failed")
    # NOTE(review): this block returns with failthrough enabled and the second
    # server still configured; nothing in this function resets them.
    st.report_pass("test_case_passed")
コード例 #10
def security_warm_reboot_module_hooks(request):
    """Module setup and teardown for the warm-reboot security tests.

    Setup initialises the module variables, reports the module as
    unsupported when the platform is not in the warm-reboot list, then
    configures and verifies the TACACS+ server. Teardown removes the first
    TACACS+ host from ``vars.D1``.
    """
    # Module setup.
    init_vars()
    initialize_variables()
    get_parms()

    st.log("Checking whether the platform supports warm-reboot")
    platform_name = data.platform.lower()
    if platform_name not in data.constants['WARM_REBOOT_SUPPORTED_PLATFORMS']:
        st.report_unsupported('test_case_unsupported')

    st.log("configuring tacacs server")
    tacacs_config()
    st.log("Verifying tacacs server details in running-config before warm-reboot")
    tacacs_config_verify()

    yield
    # Module teardown: clear the TACACS+ server config from the device.
    service_info = st.get_service_info(vars.D1, "tacacs")
    first_host_ip = service_info.hosts[0].ip
    tacacs_obj.set_tacacs_server(vars.D1, 'delete', first_host_ip)
コード例 #11
ファイル: test_tacacs.py プロジェクト: yozhao101/sonic-mgmt
def test_ft_tacacs_maximum_servers():
    """
    Add the remaining TACACS+ hosts and verify the full server list.

    Author: Karthik Kumar Goud Battula([email protected])
    This test case covers the scenarios below.
    Scenario-1: Verify that more than one TACACS server can be configured on the NAS, up to the maximum number of servers that are allowed.
    Scenario-2: Verify that TACACS+ servers with IPv4 and IPv6 addresses can be added at the same time.
    Scenario-3: Verify that the maximum number of TACACS IPv4 servers can be configured on the DUT.
    Scenario-4: Verify that the maximum number of TACACS IPv6 servers can be configured on the DUT.
    Scenario-5: Verify the save and reload functionality for the TACACS IPv6 feature.
    """
    tacacs_params = st.get_service_info(vars.D1, "tacacs")
    # Hosts 2..7 are added here; each takes its own ip and priority, while
    # port, timeout, passkey and auth type are the shared values in `data`.
    for host_index in range(2, 8):
        server_ip = ensure_service_params(vars.D1, "tacacs", "hosts", host_index, "ip")
        server_priority = ensure_service_params(vars.D1, "tacacs", "hosts", host_index, "priority")
        tacacs_obj.set_tacacs_server(vars.D1, 'add', server_ip, data.tcp_port,
                                     data.timeout, data.passkey,
                                     data.auth_type, server_priority)
    all_configured = tacacs_obj.verify_tacacs_details(vars.D1, tacacs_params.hosts)
    if not all_configured:
        # NOTE(review): the whole hosts structure is handed to the failure
        # report. If those entries carry the server passkeys, they would end
        # up in the test report -- confirm, and consider reporting only the
        # server IPs.
        st.report_fail("Tacacs_server_configs_are_not_successful", tacacs_params.hosts)
    st.report_pass("test_case_passed")
コード例 #12
def tacacs_config():
    """Add the first TACACS+ host from the service parameters on ``vars.D1``."""
    st.log("configuring tacacs server")
    first_host = st.get_service_info(vars.D1, "tacacs").hosts[0]
    tacacs_obj.set_tacacs_server(
        vars.D1,
        'add',
        first_host.ip,
        first_host.tcp_port,
        first_host.timeout,
        first_host.passkey,
        first_host.auth_type,
        first_host.priority,
    )
コード例 #13
def security_module_epilog():
    """Delete the RADIUS server (where supported) and the TACACS+ server."""
    radius_supported = st.is_feature_supported("radius", vars.D1)
    if radius_supported:
        radius.config_server(
            vars.D1,
            ip_address=security_data.radius_host_ip,
            action="delete",
        )
    # The TACACS+ entry is removed whether or not RADIUS is supported.
    tacacs.set_tacacs_server(vars.D1, 'delete', security_data.tacacs_host_ip)