How to install TACACS+ on Linux CentOS

TACACS+ (Terminal Access Controller Access-Control System Plus) is commonly used to authenticate network devices like routers and switches using a central server. Instead of using the local database on a router or switch, we can use the credentials that are stored on the TACACS+ server. Whenever you try to log onto a network device, the credentials you supply will be forwarded to the TACACS+ server. Besides authentication, TACACS+ also allows us to configure authorization and accounting. Authorization lets us define what commands a user is able to use on the router or switch, and accounting lets us log whatever commands the user is typing.

Tac_plus is a TACACS+ daemon for Linux. It’s based on the original Cisco source code and works with a simple configuration file.

Installation on CentOS:

In the example below, I will show you how to install tac_plus on a CentOS server. There’s an RPM available so this will save you the hassle of compiling the source code yourself. Let’s add the repository first:

[root@server ~]# cd /etc/yum.repos.d/
[root@server yum.repos.d]# vim nux-misc.repo

We will create a new repository file where we can grab tac_plus. This is what you should enter:

[nux-misc]
name=Nux Misc
baseurl=http://li.nux.ro/download/nux/misc/el6/x86_64/
enabled=0
gpgcheck=1
gpgkey=http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro

Save the file and install tac_plus with the following command:

[root@server ~]# yum --enablerepo=nux-misc install tac_plus

That’s all you need to do. All configuration is done from a single config file. Let’s take a look at its contents:

[root@server /]# vim /etc/tac_plus.conf

You will see a lot of things in this default configuration file. Let me walk you through some of the fields. The first thing you see is the key; the same key has to be configured on the TACACS+ server and on each network device that you want to control with the TACACS+ server.

By default, there is no key:

#key = "your key here"

Change it to something else and get rid of the #:

key = "MYKEY"

I’ll call my key “MYKEY.” The second part is an ACL:

acl = default {
        #permit = 192\.168\.0\.
        permit = 192\.168\.2\.1
}

The ACL uses regular expressions, so you can specify which IP addresses or networks are allowed to use the TACACS+ server (the commented-out line shows how a whole 192.168.0.x network would be permitted). By default, it only permits IP address 192.168.2.1.

The next part is host-specific parameters:

# Example of host-specific configuration:
host = 192.168.2.1 {
        prompt = "Enter your Unix username and password, Username: "
        # Enable password for the router, generate a new one with tac_pwd
        #enable = des 4P8MBRmulyloo
}

Here you can configure the IP address of the network device that you want to control and the prompt it should show users when they try to log in to the network device. You can also set the enable password if you want.

Next, we will see some group-specific parameters:

# Group that is allowed to do most configuration on all interfaces etc.
group = admin {
        # group members who don't have their own login password will be
        # looked up in /etc/passwd
        #login = file /etc/passwd
        login = PAM

        # group members who have no expiry date set will use this one
        #expires = "Jan 1 1997"

        # only allow access to specific routers
        acl = default

        # Needed for the router to make commands available to user (subject
        # to authorization if so configured on the router)
        service = exec {
                priv-lvl = 15
                #default service = permit
        }

        cmd = username {
                permit .*
        }
        cmd = enable {
                permit .*
        }
        cmd = show {
                permit .*
        }
        cmd = exit {
                permit .*
        }
        cmd = configure {
                permit .*
        }
        cmd = interface {
                permit .*
        }
        cmd = switchport {
                permit .*
        }
        cmd = description {
                permit .*
        }
        cmd = no {
                permit shutdown
        }
}

By default, there’s a group called admin, and login is set to PAM. This means we will use the user database of the Linux machine. The admin group is also subject to the default ACL. If you also use authorization, you can configure the commands that the admin group is allowed to use. Let’s take a look at the next group:

# A group that can change some limited configuration on switchports
# related to host-side network configuration
group = sysadmin {
        # group members who don't have their own login password will be
        # looked up in /etc/passwd:
        #login = file /etc/passwd
        # or authenticated via PAM:
        login = PAM
        acl = default

        # Needed for the router to make commands available to user (subject
        # to authorization if so configured on the router)
        service = exec {
                priv-lvl = 15
        }
        cmd = enable {
                permit .*
        }
        cmd = show {
                permit .*
        }
        cmd = exit {
                permit .*
        }
        cmd = configure {
                permit .*
        }
        cmd = interface {
                permit FastEthernet.*
                permit GigabitEthernet.*
        }
        cmd = switchport {
                permit "access vlan.*"
                permit "trunk encapsulation.*"
                permit "mode.*"
                permit "trunk allowed vlan.*"
        }
        cmd = description {
                permit .*
        }

        cmd = no {
                permit shutdown
        }
}

The sysadmin group is similar to the admin group, but with a narrower set of permitted commands: it can only enter FastEthernet and GigabitEthernet interfaces and only a few switchport sub-commands (again, this only takes effect if you use authorization).
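To make the ACL and the per-group command rules above concrete, here is an added Python model (not part of the original post or of tac_plus itself) that applies the default ACL and the sysadmin and rancid command rules to a few constructed inputs. It assumes, as the commented-out `192\.168\.0\.` network example implies, that tac_plus applies its regexes unanchored, and that permit/deny lines are tried in order with the first match winning and no match meaning deny.

```python
import re

# Constructed model of two behaviours from the tac_plus.conf excerpts:
# the "acl = default" source-IP check and the "cmd = X { permit ... }"
# command authorization. Both use re.search, i.e. unanchored matching,
# which is the assumption that makes "permit = 192\.168\.0\." act as a
# network prefix. The real daemon's exact matching rules may differ.

def acl_permits(patterns, client_ip):
    """True if the device IP matches any permit regex of the ACL."""
    return any(re.search(p, client_ip) for p in patterns)

def authorize(policy, command, default_permit=False):
    """The first word selects the cmd block; the remaining arguments are
    matched in order against its permit/deny regexes. First hit wins,
    no hit means deny. A command without a cmd block falls back to
    default_permit (the "default service = permit" setting)."""
    word, _, args = command.strip().partition(" ")
    rules = policy.get(word)
    if rules is None:
        return default_permit
    for action, pattern in rules:
        if re.search(pattern, args):
            return action == "permit"
    return False

# Rule sets transcribed from the page's sysadmin group and rancid user.
SYSADMIN = {
    "enable": [("permit", ".*")], "show": [("permit", ".*")],
    "exit": [("permit", ".*")], "configure": [("permit", ".*")],
    "interface": [("permit", "FastEthernet.*"), ("permit", "GigabitEthernet.*")],
    "switchport": [("permit", "access vlan.*"), ("permit", "trunk encapsulation.*"),
                   ("permit", "mode.*"), ("permit", "trunk allowed vlan.*")],
    "description": [("permit", ".*")],
    "no": [("permit", "shutdown")],
}
RANCID = {"show": [("permit", ".*")], "exit": [("permit", ".*")],
          "dir": [("permit", ".*")], "write": [("permit", "term")]}
DEFAULT_ACL = [r"192\.168\.2\.1"]      # as shipped; unanchored, so a prefix
ANCHORED_ACL = [r"^192\.168\.2\.1$"]   # exactly one host

if __name__ == "__main__":
    for cmd in ("interface FastEthernet0/1", "interface Vlan1",
                "switchport access vlan 10", "switchport port-security",
                "no shutdown", "no ip address", "reload"):
        print(f"sysadmin {cmd!r}: {'permit' if authorize(SYSADMIN, cmd) else 'deny'}")
    print("rancid 'write memory':", authorize(RANCID, "write memory"))
    for ip in ("192.168.2.1", "192.168.2.10", "192.168.2.111"):
        print(ip, acl_permits(DEFAULT_ACL, ip), acl_permits(ANCHORED_ACL, ip))
```

Note that the shipped `permit = 192\.168\.2\.1` also matches 192.168.2.10 and 192.168.2.111 under prefix matching; anchoring the pattern restricts it to the one device you meant.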

Below the group configuration, you’ll find a couple of default users:

user = joe {
        login = PAM
        #member = sysadmin
        member = admin
}

user = fred {
        login = PAM
        member = sysadmin
}

User Joe is a member of the admin group, and Fred belongs to the sysadmin group. Keep in mind we still need to create these users…

There’s also a part for RANCID. If you have no idea what this is, RANCID is software that monitors network devices: it checks whether their configuration has changed, inspects the routing table, logs changes, runs commands to extract specific information, e-mails reports, and more. Note that the account below can only run show, exit, dir and write term, so it can read the configuration but not save it.

# User account configured for use with "rancid"
user = rancid {
        # Generate a new password with tac_pwd
        #login = des LXUxLCkFhGpwA

        service = exec {
                priv-lvl = 15
        }

        cmd = show { permit .* }
        cmd = exit { permit .* }
        cmd = dir { permit .* }
        cmd = write { permit term }
}

Last but not least, there’s a global enable password that we can use:

# Global enable level 15 password, generate a new one with tac_pwd
user = $enab15$ {
        #login = des 97cZOIgSXU/4I
}

Now you know what the tac_plus configuration looks like, let’s create a user and test if authentication is working.

TACACS+ test with Cisco IOS router

We’ll create a user called “Joe” on the Linux machine and configure a Cisco IOS router to use the TACACS+ server:

[root@server etc]# adduser joe
[root@server etc]# passwd joe
Changing password for user joe.
New password: 
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
Retype new password: 
passwd: all authentication tokens updated successfully.

Don’t forget to start the daemon:

[root@server etc]# service tac_plus start
Starting tacacs+:                                          [  OK  ]

If you want to enable it on startup, you can use chkconfig:

[root@server etc]# chkconfig --add tac_plus
[root@server etc]# chkconfig tac_plus on

Don’t forget to configure your firewall to allow TCP port 49 for tac_plus.

Now let’s boot a Cisco router and configure it to use TACACS+ :

R1(config)#aaa new-model 
R1(config)#aaa authentication login default group tacacs+ local
R1(config)#tacacs-server host 192.168.2.144
R1(config)#tacacs-server key 0 MYKEY

First, you need to use the aaa new-model command; otherwise, many of the commands are unavailable. We’ll tell the router to use TACACS+ for authentication, but if the server is unavailable, the router will fall back to local authentication (this fallback only happens when the server cannot be reached, not when it rejects the credentials). I also configure the same key that I used in the configuration file of tac_plus.

Let’s give it a test drive, shall we…

R1 con0 is now available

Press RETURN to get started.

Enter your Unix username and password, 
Username: joe
Password: 

R1>

Above, you can see that the router displays the prompt that was configured in the tac_plus.conf file. After logging in with username joe and the password, we have access to the router…mission accomplished! Hopefully, this helps you to get started with TACACS+. If you have any questions, please leave a comment!



Forum Replies

  1. No package tac_plus available. (Centos 6.4)
    Funny, since I can see via web that it’s there.

  2. Hmm are you sure it’s using the Nux repository? you can always just grab the RPM and install it manually…

  3. Same here. “No package tac_plus available”. I can also see it in the list. Cannot install it manually, as there are too many dependencies (which is why we use yum. haha)

    I, too, am using Centos 6.4. If I do just a yum list, it does not show it.

    [root@logger ~]# yum list --enablerepo=nux-misc | grep nux-misc
    anything-sync-daemon.noarch 3.11-3.el6.nux nux-misc
    chronicle.noarch 4.6-1.el6.nux nux-misc
    clamassassin.noarch 1.2.4-1.el6.nux nux-misc
    cobbler.noa


  4. Hey,
    Great post. I got this working.

    Although I have a few problems and questions.

    First, whenever I put default service = permit and the privilege command in the config, I cannot get the daemon to start; it fails.
    Second, if I use just login with PAM, I get to the user level > but I need exec level access to provide. How can I go about doing that?

    Thanks

    Neil
