Vyatta Network OS Documentation

Learn how to install, configure and operate the Vyatta NOS, which helps drive our virtual networking & physical platforms portfolio.


Behavior changes

This release contains behavior changes that relate to the TACACS+ protocol.

TACACS+ authenticated users group

The implementation detail of the system group into which TACACS+ authenticated users are automatically placed has changed.

Users who are authenticated through TACACS+ are automatically placed into a system group. In 1903 this changed from vyatta-system-user-tacplus to vyatta.system.user.tacplus. This is an implementation detail and may be subject to further changes in the future.

Home directories

This release changes the home directories for TACACS+ authenticated users.

The on-the-fly generated home directories for TACACS+ authenticated users have changed from /tmp/<username> to /var/tmp/aaa-home/<user>. These generated home directories do not persist across reboots.

Session authorization

This release changes the session authorization requirements to be more compliant with the TACACS+ protocol.

The TACACS+ implementation is now more compliant with section 11.1 of https://tools.ietf.org/html/draft-grant-tacacs-02. From 1903 onward, a TACACS+ server must not send any mandatory arguments other than level or local-user-name (the latter is now deprecated).

Command accounting

This release contains updates and behavior changes to command accounting.

Accounting support has been re-implemented in 1903 with the following benefits:

  • Secrets are redacted
  • Accounted commands are expanded and normalized

The following behavior changes should also be noted:

  • An additional protocol AV pair is sent in Accounting messages. Its value is either op-mode or conf-mode, indicating that the command was executed in operational mode or configuration mode, respectively.
  • The run configuration mode command is accounted as an operational command (protocol=op-mode) with the run keyword removed.
  • The edit configuration mode command will be accounted as a set command if it results in new configuration. If no new configuration results then no accounting will occur.
  • Invalid or un-authorized commands are not accounted.
  • The executed command and arguments are no longer concatenated into a single cmd AV pair. Instead the command is sent as the cmd AV pair and each argument is sent as a distinct cmd-arg AV pair.

In addition to the above, the following commands will no longer be accounted:

Table 1. Commands that are no longer accounted

Mode          | Command              | Notes
--------------|----------------------|--------------------------------------------------
Configuration | save (no arguments)  | Command does not have any effect.
Configuration | top                  | Navigational command (no system impact)
Configuration | up                   | Navigational command (no system impact)
Configuration | exit                 | The protocol AV pair provides the CLI mode context
Operational   | configure            | The protocol AV pair provides the CLI mode context
Operational   | reset terminal       | Command affects the executing user's console only
Operational   | set terminal …       | Command affects the executing user's console only
Operational   | spawn …              | Executes a non-modeled command
Any           | Non-modeled command  | Accounting is supported for modeled commands only

Command authorization

This release updates and corrects command authorization for configuration mode commands and is now more compliant with the TACACS+ protocol.

The TACACS+ implementation is now more compliant with section 12.1 of https://tools.ietf.org/html/draft-grant-tacacs-02. Starting in 1903, a server must not send any mandatory arguments in response to a command authorization request.

The command and arguments being authorized are no longer concatenated into a single cmd AV pair. Instead, the command is sent as the cmd AV pair and each argument is sent as a distinct cmd-arg AV pair.

Additionally, the behavior of command authorization for configuration mode commands has been corrected. Configuration mode commands are now authorized as follows.

Table 2. Configuration mode commands authorization

Command        | Request                                                                 | Notes
---------------|-------------------------------------------------------------------------|----------
commit         | None (not authorized)                                                   | No change
commit-confirm | None (not authorized)                                                   | No change
compare        | Single request reflecting what was entered by the user                  |
confirm        | None (not authorized)                                                   | No change
delete         | Single request reflecting what was entered by the user                  | No change
discard        | None (not authorized)                                                   | No change
edit           | If the command results in the creation of new configuration, a request is sent reflecting what was entered by the user, except that the edit keyword is substituted with set; otherwise none (not authorized) |
exit           | None (not authorized)                                                   | No change
load           | Single request reflecting what was entered by the user                  |
loadkey        | Single request reflecting what was entered by the user                  |
merge          | Single request reflecting what was entered by the user                  |
rollback       | Single request reflecting what was entered by the user                  |
run            | Authorized as an operational mode command with the run keyword removed  | No change
save           | Executing save with no additional arguments has no system impact, therefore no request is made (not authorized) | No change
save <args>    | Single request reflecting what was entered by the user                  |
set            | Single request reflecting what was entered by the user                  | No change
show           | Single request reflecting what was entered by the user                  |
top            | None (not authorized)                                                   | No change
up             | None (not authorized)                                                   | No change
validate       | None (not authorized)                                                   | No change
Tab completion | None (not authorized)                                                   |
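The following is an added example (not Vyatta code) that models the AV pairs a 1903 system sends to the TACACS+ server for command accounting (Table 1 and the bullet list above) and for command authorization (Table 2), so an administrator can predict what the server will see for a given CLI line. It represents each pair as an "attr=value" string rather than TACACS+ wire encoding, and assumes that any command not listed in the tables is sent as normal.

```python
"""Model of the AV pairs that Vyatta 1903 sends for TACACS+ command accounting
and command authorization, following Tables 1 and 2 of the release notes."""
import shlex

# Commands (matched as a word prefix) that produce no accounting record (Table 1)
# or no authorization request (Table 2). Anything not listed is assumed to be sent.
NOT_ACCOUNTED = {
    "conf-mode": {("top",), ("up",), ("exit",)},
    "op-mode": {("configure",), ("reset", "terminal"), ("set", "terminal"), ("spawn",)},
}
NOT_AUTHORIZED = {
    "conf-mode": {("commit",), ("commit-confirm",), ("confirm",), ("discard",),
                  ("exit",), ("top",), ("up",), ("validate",)},
    "op-mode": set(),
}


def av_pairs(mode, cmdline, purpose, creates_config=False):
    """Return the AV pairs for an accounting ('acct') or command authorization
    ('authz') request, or None when no request is sent at all.

    mode is 'op-mode' or 'conf-mode'; creates_config says whether an 'edit'
    command results in new configuration (only then is it reported as 'set')."""
    words = shlex.split(cmdline)
    if not words:
        return None
    if mode == "conf-mode" and words[0] == "run":
        # 'run <cmd>' is treated as an operational command, run keyword dropped.
        mode, words = "op-mode", words[1:]
        if not words:
            return None
    elif mode == "conf-mode" and words[0] == "edit":
        # 'edit' that creates nothing is silent; otherwise it is sent as 'set'.
        if not creates_config:
            return None
        words = ["set"] + words[1:]
    if mode == "conf-mode" and words == ["save"]:
        return None  # bare 'save' has no effect: neither accounted nor authorized
    skip = NOT_ACCOUNTED if purpose == "acct" else NOT_AUTHORIZED
    if any(words[:len(prefix)] == list(prefix) for prefix in skip[mode]):
        return None
    pairs = []
    if purpose == "acct":
        pairs.append(f"protocol={mode}")  # new in 1903: the CLI mode context
    pairs.append(f"cmd={words[0]}")  # the command alone, no longer concatenated
    pairs.extend(f"cmd-arg={arg}" for arg in words[1:])  # one pair per argument
    return pairs
```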

Interaction with ACM

This release removes the requirement for TACACS+ authenticated users to interact with the ACM ruleset.

When TACACS+ command authorization is enabled in 1903, TACACS+ authenticated users are no longer subjected to the operational mode ACM ruleset (system acm operational-ruleset). This matches the existing behavior of TACACS+ users not being subjected to the configuration mode ACM ruleset (system acm ruleset). As a result, TACACS+ users are presented with all the operational mode commands, and the TACACS+ server is authoritative as to whether a given user is allowed to execute a command or not.