Lesson Contents
TACACS+ (Terminal Access Controller Access-Control System Plus) is commonly used to authenticate network devices like routers and switches using a central server. Instead of using the local database on a router or switch, we can use the credentials that are stored on the TACACS+ server. Whenever you try to log onto a network device, the credentials you supply will be forwarded to the TACACS+ server. Besides authentication, TACACS+ also allows us to configure authorization and accounting. Authorization lets us define what commands a user is able to use on the router or switch, and accounting lets us log whatever commands the user is typing.
Tac_plus is a TACACS+ daemon for Linux, It’s based on the original Cisco source code and works with a simple configuration file.
Installation on CentOS:
In the example below, I will show you how to install tac_plus on a CentOS server. There’s an RPM available so this will save you the hassle of compiling the source code yourself. Let’s add the repository first:
[root@server ~]# cd /etc/yum.repos.d/
[root@server yum.repos.d]# vim nux-misc.repoWe will create a new repository file where we can grab tac_plus. This is what you should enter:
[nux-misc]
name=Nux Misc
baseurl=http://li.nux.ro/download/nux/misc/el6/x86_64/
enabled=0
gpgcheck=1
gpgkey=http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.roSave the file and install tac_plus with the following command:
[root@server ~]#yum --enablerepo=nux-misc install tac_plusThat’s all you need to do. All configuration is done from a single config file. Let’s take a look at its contents:
[root@server /]# vim /etc/tac_plus.confYou will see a lot of things in this default configuration file. Let me walk you through some of the fields. The first thing you see is the key, we need to configure this on the TACACS+ server and on each network device that you want to control with the TACACS+ server.
By default, there is no key:
#key = "your key here"Change it to something else and get rid of the #:
key = "MYKEY"I’ll call my key “MYKEY.” The second part is an ACL:
acl = default {
#permit = 192\.168\.0\.
permit = 192\.168\.2\.1The ACL uses regular expressions so you can configure what IP addresses or networks are allowed to use the TACACS+ server. By default, it only permits IP address 192.168.2.1.
The next part is host-specific parameters:
# Example of host-specific configuration:
host = 192.168.2.1 {
prompt = "Enter your Unix username and password, Username: "
# Enable password for the router, generate a new one with tac_pwd
#enable = des 4P8MBRmulylooHere you can configure the IP address of the network device that you want to control and the prompt that it should show the user when he/she tries to log into the network device. You can also set the enable password if you want.
Next, we will see some group-specific parameters:
# Group that is allowed to do most configuration on all interfaces etc.
group = admin {
# group members who don't have their own login password will be
# looked up in /etc/passwd
#login = file /etc/passwd
login = PAM
# group members who have no expiry date set will use this one
#expires = "Jan 1 1997"
# only allow access to specific routers
acl = default
# Needed for the router to make commands available to user (subject
# to authorization if so configured on the router
service = exec {
priv-lvl = 15
#default service = permit
}
cmd = username {
permit .*
}
cmd = enable {
permit .*
}
cmd = show {
permit .*
}
cmd = exit {
permit .*
}
cmd = configure {
permit .*
}
cmd = interface {
permit .*
}
cmd = switchport {
permit .*
}
cmd = description {
permit .*
}
cmd = no {
permit shutdown
}By default, there’s a group called admin, and login is set to PAM. This means we will use the user database of the Linux machine. The admin group is also susceptible to the default ACL. If you also use authorization, you can configure the commands that the admin groups are allowed to use. Let’s take a look at the next group:
# A group that can change some limited configuration on switchports
# related to host-side network configuration
group = sysadmin {
# group members who don't have their own login password will be
# looked up in /etc/passwd:
#login = file /etc/passwd
# or authenticated via PAM:
login = PAM
acl = default
# Needed for the router to make commands available to user (subject
# to authorization if so configured on the router
service = exec {
priv-lvl = 15
}
cmd = enable {
permit .*
}
cmd = show {
permit .*
}
cmd = exit {
permit .*
}
cmd = configure {
permit .*
}
cmd = interface {
permit FastEthernet.*
permit GigabitEthernet.*
}
cmd = switchport {
permit "access vlan.*"
permit "trunk encapsulation.*"
permit "mode.*"
permit "trunk allowed vlan.*"
}
cmd = description {
permit .*
}
cmd = no {
permit shutdown
}
}
}The sysadmin group is similar to the admin group. You can see some commands that they are allowed to use (if you use authorization).
Below the group configuration, you’ll find a couple of default users:
user = joe {
login = PAM
#member = sysadmin
member = admin
}
user = fred {
login = PAM
member = sysadmin
}User Joe is a member of the admin group, and Fred belongs to the sysadmin group. Keep in mind we still need to create these users…
There’s also a part for RANCID. If you have no idea what this is, RANCID is software that can monitor network devices and check if their configuration was changed, check the routing table, log changes, run commands to extract specific information, e-mail reports, and more.
# User account configured for use with "rancid"
user = rancid {
# Generate a new password with tac_pwd
#login = des LXUxLCkFhGpwA
service = exec {
priv-lvl = 15
}
cmd = show { permit .* }
cmd = exit { permit .* }
cmd = dir { permit .* }
cmd = write { permit term }
}Last but not least, there’s a global enable password that we can use:
# Global enable level 15 password, generate a new one with tac_pwd
user = $enab15$ {
#login = des 97cZOIgSXU/4I
}Now you know what the tac_plus configuration looks like, let’s create a user and test if authentication is working.
TACACS+ test with Cisco IOS router
We’ll create a user called “Joe” on the Linux machine and configure a Cisco IOS router to use the TACACS+ server:
No package tac_plus available. (Centos 6.4)
Funny, since I can see via web that it’s there.
Hmm are you sure it’s using the Nux repository? you can always just grab the RPM and install it manually…
Same here. “No package tac_plus available”. I can also see it in the list. Cannot install it manually, as there are too many dependencies (which is why we use yum. haha)
I, too, am using Centos 6.4. If I do just a yum list, it does not show it.
[root@logger ~]# yum list --enablerepo=nux-misc | grep nux-miscanything-sync-daemon.noarch 3.11-3.el6.nux nux-misc
... Continue reading in our forumchronicle.noarch 4.6-1.el6.nux nux-misc
clamassassin.noarch 1.2.4-1.el6.nux nux-misc
cobbler.noa
Are you sure the nux repository is enabled? You can see at the following URL that it has the tacacs package:
http://mirrors.coreix.net/li.nux.ro//nux/misc/el6/x86_64/
Hey ,
Great post. I got this working.
Although i few problems and questions
First, whenever i put default service = permit and privilege command in the config i cannot get the damon to start it fails.
Second, if i use just login with PAM i get to the user level > but i need exec level access to provide. How can i go about doing that.
Thanks
Neil