TACACS+ Load Testing with JMeter: Learn How
This is the third article devoted to load testing AAA protocols with Apache JMeter™. Before this, we explained how to use JMeter to run performance tests for RADIUS and for DIAMETER. In this article we go into the details of load testing a TACACS+ server and, correspondingly, the TACACS+ protocol.
First, let us have a look at the features of the protocol that may be of interest for us.
TACACS+ (Terminal Access Controller Access-Control System Plus) is the latest generation of the TACACS protocol family. It runs over TCP on port 49 (the original TACACS used the same port number over UDP), so every AAA exchange in a load test is a TCP connection, and the server's connection handling is part of what gets measured.
The client and server share a secret key that is never sent over the wire. It is used to obfuscate the packet body: the 12-byte header (version, type, sequence number, flags, session id, length) is always cleartext, and only the body is XORed with an MD5-derived pad seeded from the session id, the key, the version and the sequence number. RFC 8907 calls this obfuscation rather than encryption, and a header flag lets a client send bodies in the clear, so a load test that carries real credentials should run on an isolated network and never be pointed at a production server.
In TACACS+, the three As (authentication, authorization, accounting) are three separate operations. Let's take a general look at how they work; this matters later when working with the libraries and the JSR223 sampler.
Authentication uses three packet types: START, CONTINUE and REPLY. START and CONTINUE are always sent by the client, REPLY always by the server.
Authentication begins when the client sends a START packet. It names the type of authentication that follows (for example ASCII or PAP) and may already carry the user name and some authentication data (for PAP, the password).
The server answers with a REPLY. The REPLY status says whether authentication has passed, failed, or must continue; in the latter case it also says which additional information is needed (user name, password, or other data). The client collects it and sends it back in a CONTINUE packet, and the cycle repeats until the server replies PASS or FAIL.
Once authentication completes, the client can start authorization, if it is required. An authorization session consists of two packets: a REQUEST followed by a RESPONSE. The REQUEST carries a fixed set of fields describing the user or process plus a list of arguments describing the service and options to be authorized; the RESPONSE contains the result of the server's check, including any arguments the server adds or replaces.
Accounting is very similar to authorization and starts with a similar packet. It also uses two packet types, REQUEST and REPLY: the client sends a REQUEST describing the action, and the server's REPLY states whether that record was accepted into the log.
Together, the three operations give us:
- confirmation of the identity;
- use of the resources that identity is allowed;
- a log of every operation associated with that identity and those resources.
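The two-packet PAP exchange described above, written out as an added example that is not part of the original article and not code from the tacacs_plus or AugurSystems libraries. It packs the 12-byte header and the RFC 8907 body obfuscation in plain Python (hashlib and struct only) and runs the client and server sides in one process. The shared key testing123, the user admin with password password1 and the session ids are constructed values chosen to match the page's configuration; the port and rem_addr strings and the "Login failed" message are arbitrary. A real session id must be random and a real server reads the user table from its config; the dictionary here stands in for that.

```python
import hashlib
import struct

# Constant names follow RFC 8907, the same source the page's Java library takes its names from.
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_ONE = 0x1         # PAP and CHAP use minor version 1
TAC_PLUS_AUTHEN = 0x01               # header 'type' for authentication packets
TAC_PLUS_UNENCRYPTED_FLAG = 0x01     # header flag: body is sent in cleartext
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_PRIV_LVL_USER = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHEN_STATUS_PASS = 0x01
TAC_PLUS_AUTHEN_STATUS_FAIL = 0x02

HEADER = struct.Struct("!BBBBII")    # version, type, seq_no, flags, session_id, length
VERSION_PAP = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_ONE


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5 keystream: MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), truncated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; applying the same call again restores the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(seq_no, session_id, body, key):
    """Cleartext 12-byte header followed by the obfuscated body (cleartext body if key is empty)."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, session_id, key, VERSION_PAP, seq_no) if key else body
    return HEADER.pack(VERSION_PAP, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(payload)) + payload


def parse_packet(packet, key):
    """Split header from body and undo the obfuscation unless the cleartext flag is set."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    payload = packet[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        payload = obfuscate(payload, session_id, key, version, seq_no)
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id, "body": payload}


def authen_start_body(user, password, port=b"tty0", rem_addr=b"10.0.0.1"):
    """PAP START body: 8 fixed bytes, then user, port, rem_addr and the password in 'data'."""
    fixed = bytes([TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_PRIV_LVL_USER, TAC_PLUS_AUTHEN_TYPE_PAP,
                   TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(password)])
    return fixed + user + port + rem_addr + password


def parse_authen_start(body):
    """Inverse of authen_start_body: what the server sees once the body is deobfuscated."""
    fields, off = {"authen_type": body[2]}, 8
    for name, n in zip(("user", "port", "rem_addr", "data"), body[4:8]):
        fields[name] = body[off:off + n]
        off += n
    return fields


def authen_reply_body(status, server_msg=b"", data=b""):
    """REPLY body: status, flags, server_msg_len, data_len, then the two strings."""
    return struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data


def parse_authen_reply(body):
    status, _flags, mlen, dlen = struct.unpack("!BBHH", body[:6])
    return {"status": status, "server_msg": body[6:6 + mlen], "data": body[6 + mlen:6 + mlen + dlen]}


def pap_exchange(user, password, key, session_id, users):
    """One PAP login with both sides in-process: client START (seq 1) -> server REPLY (seq 2)."""
    start = build_packet(1, session_id, authen_start_body(user, password), key)
    # Server side: deobfuscate, then check the credential against a constructed user table.
    req = parse_authen_start(parse_packet(start, key)["body"])
    ok = req["authen_type"] == TAC_PLUS_AUTHEN_TYPE_PAP and users.get(req["user"]) == req["data"]
    status = TAC_PLUS_AUTHEN_STATUS_PASS if ok else TAC_PLUS_AUTHEN_STATUS_FAIL
    reply = build_packet(2, session_id, authen_reply_body(status, b"" if ok else b"Login failed"), key)
    # Client side: the second packet of the session carries the verdict.
    return parse_authen_reply(parse_packet(reply, key)["body"])


if __name__ == "__main__":
    # Constructed to mirror the page's setup: key testing123, user admin, 'pap = cleartext password1'.
    users = {b"admin": b"password1"}
    print(pap_exchange(b"admin", b"password1", b"testing123", 0x1A2B3C4D, users))  # status 1 (PASS)
    print(pap_exchange(b"admin", b"wrong", b"testing123", 0x1A2B3C4E, users))      # status 2 (FAIL)
    wire = build_packet(1, 0x1A2B3C4F, authen_start_body(b"admin", b"password1"), b"testing123")
    print(wire[:12].hex(), parse_packet(wire, b"other-key")["body"][:8].hex())    # header readable, body not
```

The last print is the point worth remembering for a load test: the header, including the session id and sequence number, is readable by anyone on the path, and a wrong key does not produce an error but garbage field lengths, which is why a client with a mistyped key typically sees a silent FAIL or a closed connection rather than a clear message.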
The TACACS+ Server
For the demonstration, we use a popular free TACACS+ server implementation (tac_plus, whose configuration lives in /etc/tacacs+/tac_plus.conf) installed as-is on Ubuntu 18.04. With the server in place, our task is to emulate the work of TACACS+ clients.
JMeter as a TACACS+ Client
As for the client, we have two ways to implement it:
1. Third-party TACACS+ clients that open the connection to the server, driven from JMeter by the OS Process Sampler so that many connections are created in parallel;
2. A JSR223 sampler plus Java libraries that connect to the server directly from JMeter and run the AAA operations in script.
The first way is much simpler; the second is more flexible, as is usual when you work with code. We show both.
Testing with the OS Process Sampler and TACACS+ Clients
The OS Process Sampler lets JMeter launch an external program, for example Notepad or a browser. When the program is a console utility, its complete output appears in the sampler's Response tab. Keep in mind that the sampler can only start the process; it cannot interact with it while it runs. The utility must therefore do everything we need from a single non-interactive invocation, with all its input passed on the command line.
We chose three TACACS+ clients, out of those we found on the Internet, to connect to the TACACS+ server. Each supports all three AAA operations; you may pick a different client depending on your OS.
- tacacs_plus - a client implementation in Python; it can also be used as a library from JSR223 with Jython. Its main page contains a lot of examples.
- tactest - a Windows-only client. Its page also contains a good all-round guide.
- pam_tacplus - a C library and TACACS+ client. Note: JSR223 cannot call C code directly.
Let's use the first client in our load test. The other two work the same way, so you can easily reproduce the example with the OS Process Sampler and another tool. Let's start.
2. Now check that the client works and everything is OK. Go to the tacacs_plus/bin directory and run the client from the console:
- admin is the login of the user that is trying to interact with the TACACS+ server;
- localhost is the address of the TACACS+ server;
- testing123 is the shared key used to obfuscate packet bodies; you find it in /etc/tacacs+/tac_plus.conf, or in the config file of whichever TACACS+ server you use. A key passed on the command line is visible to every local user in the process list, which is acceptable on a throwaway test box but not elsewhere;
- authenticate is the type of operation to perform (authenticate/authorize/account);
- my_password is the password for admin; this parameter applies only to the authenticate operation;
- To learn which parameters tacacs_client accepts, use the -h flag: python tacacs_client -h. Flags that apply only to one operation are listed by python tacacs_client <type of operation> -h.
After these checks, we can run JMeter and pass the same command to the OS Process Sampler:
- Command - python;
- Working directory - the path to the tacacs_plus/bin folder;
- Command parameters - the remaining arguments of the command line, one per row of the parameters table; the sampler passes each row to the process as a separate argument, so do not put the whole string with spaces into one row.
- Tick the Check Return Code checkbox. It marks the sampler as failed when the process exits with a non-zero code, for example when authentication fails; without it, a rejected login still counts as a successful sample and the test reports nothing wrong.
- You can also use a CSV Data Set Config to feed different users' credentials to the sampler.
3. Run it. The utility's output appears in the sampler's response.
Testing with the JSR223 Sampler + Java libraries
Now let's move on to the more complex option. We found only two Java libraries that implement interaction with a TACACS+ server:
- jnetlib - from 2004, with no examples or documentation;
- TACACS Client from AugurSystems - actively maintained, with detailed examples for different configurations in the repository, but no documentation.
Naturally we pick the second library. Let's continue.
1. First, compile the library and put the jar file in JMeter's lib/ext folder. It builds easily with IntelliJ IDEA and Ant.
2. Next, look at the examples to understand how the library works: first and second. The second example walks through each stage of TACACS+. Because the library has no documentation, the examples are all we can study.
3. Now we only need to pick an example, add it to a JSR223 sampler and test it. For instance, the code below authenticates the user via PAP. Note: for the demonstration, add a PAP password for the user to the server config file - pap = cleartext password1. This stores the password in the clear in the config, which is fine for a throwaway test server and for nothing else.
4. The big plus of scripting is that we can easily nest calls: first authenticate, and only if that succeeds, authorize. No additional samplers or controllers are needed for this.
Code for authentication + authorization, to be added to a new sampler:
5. That's it. As you can see in the code, there are many constants like TAC_PLUS.PRIV_LVL.USER; their names are taken directly from the IETF TACACS+ specification (now RFC 8907), so the RFC doubles as documentation when you script against this library.
Running Your JMeter Script in BlazeMeter
After creating your script, you can get more results by running it in BlazeMeter. Use BlazeMeter to massively scale your performance tests, manage your scripts in smaller pieces so you can shift left, share results with managers and drill down to analyze by labels or locations. Learn more here.