Beyond authentication, TACACS+ also supports authorization and accounting. Together the three give you an AAA (authentication, authorization, accounting) framework: authentication decides who may log on, authorization decides what they may do once logged on, and accounting records what they actually did.
- Authorization lets us specify which commands a user may execute on a router or switch.
- Accounting logs every command a user enters, giving you an audit trail of the actions executed on the device.
To implement TACACS+ on a Linux server, we can use tac_plus, a TACACS+ daemon based on Cisco's original code, managed via a straightforward configuration file.
1. Installation on CentOS
In this example, we'll install tac_plus on a CentOS 6 server (the repository used below carries el6 packages). A pre-built RPM package is available, which simplifies installation by removing the need to compile from source.
Let's start by adding the repository that carries the package:
[root@server ~]# cd /etc/yum.repos.d/
[root@server yum.repos.d]# vim nux-misc.repo
We will now create a new repository file from which we can grab tac_plus. This is what you should enter next:
[nux-misc]
name=Nux Misc
baseurl=http://li.nux.ro/download/nux/misc/el6/x86_64/
enabled=0
gpgcheck=1
gpgkey=http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
Save the file and install tac_plus with the following command:
[root@server ~]# yum --enablerepo=nux-misc install tac_plus
That's all you need to do. Because the repository file sets gpgcheck=1, yum verifies the package signature against the nux.ro key before installing it. All configuration is done from a single config file. Let us now take a look at its contents:
[root@server /]# vim /etc/tac_plus.conf
In the default configuration file for tac_plus, you'll notice several key settings. Let's go over some of the main fields included.
The first field to note is key. This shared secret is what the server and each network device use to obfuscate the TACACS+ packet bodies between them, so the same value must be configured on the server and on every device it manages. Keep in mind that TACACS+ obfuscation is an MD5-derived keystream, not strong encryption: choose a long random key, and keep the server on a management network rather than exposing it to the world.
By default the key line is commented out, so uncomment it and set a value of your own:
#key = "your key here"
Change it to something else and get rid of the #:
key = "MYKEY"
I'll use "MYKEY" for this walkthrough. The second part is the ACL (Access Control List):
acl = default {
#permit = 192\.168\.0\.
permit = 192\.168\.2\.1
The ACL is a list of regular expressions matched against the address of the device sending the request, so you can control which IP addresses or networks may use your TACACS+ server. By default it permits only 192.168.2.1. The patterns are not anchored, though: 192\.168\.2\.1 also matches 192.168.2.10 through 192.168.2.19 and 192.168.2.100 through 192.168.2.199 (the commented 192\.168\.0\. line relies on exactly that to match a whole /24), so write ^192\.168\.2\.1$ when you mean a single host.
The next part is host-specific parameters:
# Example of host-specific configuration:
host = 192.168.2.1 {
prompt = "Enter your Unix username and password, Username: "
# Enable password for the router, generate a new one with tac_pwd
#enable = des 4P8MBRmulyloo
In this section of the configuration file you name a network device by IP address and attach device-specific settings to it. The prompt is the login banner users see when they connect to that device; because it is sent by the server, seeing it is a quick confirmation that the device actually reached tac_plus.
You can also give the device its own enable password. The commented line holds a DES crypt hash produced with the tac_pwd utility that ships with tac_plus; note that traditional DES crypt only uses the first eight characters of the password, so the hash offers limited protection if the file leaks. Keep in mind that a host block does not by itself restrict which devices may use the server: that is done by the ACL and by the shared key, since a device with the wrong key cannot complete a valid exchange.
Next, we'll look at some group-specific parameters:
# Group that is allowed to do most configuration on all interfaces etc.
group = admin {
# group members who don't have their own login password will be
# looked up in /etc/passwd
#login = file /etc/passwd
login = PAM
# group members who have no expiry date set will use this one
#expires = "Jan 1 1997"
# only allow access to specific routers
acl = default
# Needed for the router to make commands available to user (subject
# to authorization if so configured on the router
service = exec {
priv-lvl = 15
#default service = permit
}
cmd = username {
permit .*
}
cmd = enable {
permit .*
}
cmd = show {
permit .*
}
cmd = exit {
permit .*
}
cmd = configure {
permit .*
}
cmd = interface {
permit .*
}
cmd = switchport {
permit .*
}
cmd = description {
permit .*
}
cmd = no {
permit shutdown
}
}
In the default configuration there's an admin group with login set to PAM, meaning tac_plus hands the username and password to the Linux PAM stack, which by default checks the machine's local accounts. The acl = default line restricts which devices members may log in from (only 192.168.2.1 with the ACL above); it says nothing about what they may do. That is governed by service = exec, which drops members straight into privilege level 15, and by the cmd blocks.
If you also enable command authorization on the device, the cmd blocks define which commands members of the admin group may run: the pattern after permit or deny is matched against the arguments of that command, so permit .* allows any form of it, while cmd = no { permit shutdown } allows only no shutdown. Commands with no cmd block are refused unless default service = permit is uncommented. Let's take a look at the next group:
# A group that can change some limited configuration on switchports
# related to host-side network configuration
group = sysadmin {
# group members who don't have their own login password will be
# looked up in /etc/passwd:
#login = file /etc/passwd
# or authenticated via PAM:
login = PAM
acl = default
# Needed for the router to make commands available to user (subject
# to authorization if so configured on the router
service = exec {
priv-lvl = 15
}
cmd = enable {
permit .*
}
cmd = show {
permit .*
}
cmd = exit {
permit .*
}
cmd = configure {
permit .*
}
cmd = interface {
permit FastEthernet.*
permit GigabitEthernet.*
}
cmd = switchport {
permit "access vlan.*"
permit "trunk encapsulation.*"
permit "mode.*"
permit "trunk allowed vlan.*"
}
cmd = description {
permit .*
}
cmd = no {
permit shutdown
}
}
}
The sysadmin group is set up like the admin group but with a narrower command list. Members can enter configuration mode, but only for FastEthernet and GigabitEthernet interfaces, and within an interface only the listed switchport, description and no shutdown commands are allowed; anything else, such as a routing command or no switchport, is refused, provided the device asks the server for command authorization. Note that both groups get priv-lvl 15 from service = exec, so it is the command-level rules, not the privilege level, that keeps sysadmin from having full administrative access.
Below the group configurations you'll find a couple of example user entries. Each user names the group it belongs to and inherits that group's login method, ACL and command rules.
user = joe {
login = PAM
#member = sysadmin
member = admin
}
user = fred {
login = PAM
member = sysadmin
}
In this configuration joe is a member of admin and fred of sysadmin. Because both use login = PAM, matching Linux accounts must exist on the server for them to authenticate.
There's also a section for RANCID integration. If you're unfamiliar, RANCID (Really Awesome New Cisco config Differ) is a tool that monitors network devices for configuration changes. It can track configuration edits, examine the routing table, log changes, run specific commands to gather information, and even send email reports. This is especially useful for maintaining a detailed record of network configurations and spotting unauthorized changes.
# User account configured for use with "rancid"
user = rancid {
# Generate a new password with tac_pwd
#login = des LXUxLCkFhGpwA
service = exec {
priv-lvl = 15
}
cmd = show { permit .* }
cmd = exit { permit .* }
cmd = dir { permit .* }
cmd = write { permit term }
}
Note that the login line is commented out, so this account cannot authenticate until you generate a hash with tac_pwd and uncomment it. The command list is deliberately minimal: show, exit, dir and write term are all RANCID needs to pull a configuration, so a compromise of the RANCID host cannot be turned into configuration changes on the devices. And, finally, there's a global enable password that we can use:
# Global enable level 15 password, generate a new one with tac_pwd
user = $enab15$ {
#login = des 97cZOIgSXU/4I
}
$enab15$ is the pseudo-user whose hash tac_plus checks when a device asks it to authenticate the level 15 enable password; it is commented out here, so generate a hash with tac_pwd and uncomment it if you want enable authentication handled by the server. Now you know what the tac_plus configuration looks like. Let's create a user and test if authentication is working.
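The stock file shows each building block on its own. The following is an added example, not the configuration shipped with tac_plus or taken from this article, that puts the pieces walked through above together the way a production deployment would want them: a long random key, an anchored ACL, a per-device key, accounting switched on, and a read-only group next to the administrators so that operators get least privilege instead of priv-lvl 15. The addresses, the group and user names and the key values are assumptions.

```conf
# Added example, not the stock /etc/tac_plus.conf: the settings explained
# above, tightened for production. Addresses, names and keys are assumed.

# Long random key (for example from "openssl rand -base64 32"). It is the
# shared obfuscation secret, so it must be identical on every device using it.
key = "kQ2xG7vN0pR9sT4wYb8cZ1eH5jL3mD6fA0uV"

# Accounting records (session start/stop and every authorized command).
accounting file = /var/log/tac_plus.acct

# Only the named devices may talk to us. Patterns are regular expressions
# matched against the requesting device's address, so anchor them: an
# unanchored 192\.168\.2\.1 would also match 192.168.2.10-19 and .100-199.
acl = mgmt_devices {
    permit = ^192\.168\.2\.1$
    permit = ^192\.168\.2\.2$
    deny = .*
}

# Device-specific overrides. A per-device key limits the damage if one
# device's configuration leaks; the prompt tells the operator which server
# answered, which is a handy sign that the device did not fall back to
# local authentication.
host = 192.168.2.2 {
    key = "x7WqL9eR2tY5uI8oP1aS4dF6gH3jK0lZ"
    prompt = "Corp TACACS+ (device 192.168.2.2) Username: "
}

# Full administrators: everything is permitted except wiping the startup
# configuration (the argument regex is matched against "write <args>").
group = netadmin {
    login = PAM
    acl = mgmt_devices
    service = exec {
        priv-lvl = 15
    }
    default service = permit
    cmd = write {
        deny erase
        permit .*
    }
}

# Read-only operators: they land at privilege level 1 and may only run the
# listed commands. Anything without a cmd block, including "enable", is
# denied (the tac_plus default when "default service = permit" is absent).
group = noc {
    login = PAM
    acl = mgmt_devices
    service = exec {
        priv-lvl = 1
    }
    cmd = show {
        deny running-config
        deny startup-config
        permit .*
    }
    cmd = ping { permit .* }
    cmd = traceroute { permit .* }
    cmd = exit { permit .* }
    cmd = logout { permit .* }
}

user = alice {
    login = PAM
    member = netadmin
}
user = bob {
    login = PAM
    member = noc
}
```

Before restarting the daemon, run tac_plus -P -C /etc/tac_plus.conf: the -P flag parses the file and exits, so a syntax error is caught without taking down the running service. The noc group deliberately has no cmd = enable block; once the device performs command authorization, tac_plus refuses enable for its members, so they cannot escalate past privilege level 1.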
2. TACACS+ Test with Cisco IOS Router
We'll first create a user named joe on the Linux machine, then configure a Cisco IOS router to use the TACACS+ server. Start by entering the commands below (running as root, the password-strength warnings are not enforced, so pick a strong password anyway):
[root@server etc]# adduser joe
[root@server etc]# passwd joe
Changing password for user joe.
New password:
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
Don't forget to start the daemon:
[root@server etc]# service tac_plus start
Starting tacacs+: [ OK ]
If you want to enable it on startup, you can use chkconfig:
[root@server etc]# chkconfig --add tac_plus
[root@server etc]# chkconfig tac_plus on
Don't forget to configure your firewall to allow inbound TCP port 49 to tac_plus, and restrict that rule to the addresses of your network devices rather than opening it to everyone. Now, let's fire up a Cisco router and configure it to use TACACS+:
R1(config)#aaa new-model
R1(config)#aaa authentication login default group tacacs+ local
R1(config)#tacacs-server host 192.168.2.144
R1(config)#tacacs-server key 0 MYKEY
To set up TACACS+ on the router, start with aaa new-model, which enables the AAA framework TACACS+ depends on. The aaa authentication login default line tells the router to ask the TACACS+ servers first and to use the local user database only if no server answers; it does not fall back when a server rejects the credentials, so a wrong password is still a wrong password. Since the default list applies to every line, including the console, make sure a local username exists before you commit this, or an unreachable server can lock you out.
You'll also need to configure the same key we set up in the tac_plus configuration file; the 0 before MYKEY tells IOS the key is given in clear text rather than already encrypted. Note also that the address the router sources its TACACS+ packets from must be the one listed in the host block and allowed by the ACL on the server.
Let's give it a test drive, shall we?
R1 con0 is now available
Press RETURN to get started.
Enter your Unix username and password,
Username: joe
Password:
R1>
As shown above, the router displays the custom login prompt from tac_plus.conf. Because that text comes from the server, seeing it confirms the router reached tac_plus and did not fall back to local authentication. After logging in as joe with the password set above, you have user EXEC access on the router: mission accomplished!
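The router configuration above only authenticates. With no aaa authorization lines, the cmd rules we spent so much of tac_plus.conf on are never consulted, and with no aaa accounting lines nothing ever reaches the accounting log. The following is an added example, not the article's own configuration, that completes the IOS side: command authorization and accounting, a local break-glass account for when the server is down, and the console kept on local authentication so a broken key can never lock you out. The server name TACSRV1, the group name MGMT-TACACS, the break-glass username and Loopback0 are assumptions. It uses the named tacacs server form of IOS 15.x; older images take the tacacs-server host and tacacs-server key commands shown above instead.

```conf
! Added example, not the page's configuration. Names and addresses assumed.
!
! 1. Local escape hatch. Consulted only when no TACACS+ server answers;
!    the "local" fallback does NOT apply when the server rejects a login.
username break-glass privilege 15 secret <long-random-password>
!
aaa new-model
!
! 2. Server definition (IOS 15.x syntax).
tacacs server TACSRV1
 address ipv4 192.168.2.144
 key 0 <the same key as in tac_plus.conf>
 timeout 3
aaa group server tacacs+ MGMT-TACACS
 server name TACSRV1
!
! Source requests from a stable address, and list that address in the
! host block and ACL on the server.
ip tacacs source-interface Loopback0
!
! 3. Authentication: who may log in, and who may enter enable. Enable via
!    the server needs the $enab15$ entry (or a host enable line); users
!    who already land at level 15 never need it.
aaa authentication login default group MGMT-TACACS local
aaa authentication login CONSOLE local
aaa authentication enable default group MGMT-TACACS enable
!
! 4. Authorization: without these the cmd = ... rules on the server are
!    never asked, and every authenticated user gets whatever the privilege
!    level allows.
aaa authorization exec default group MGMT-TACACS local
aaa authorization commands 1 default group MGMT-TACACS local
aaa authorization commands 15 default group MGMT-TACACS local
aaa authorization config-commands
!
! 5. Accounting: sessions and every command, start and stop records, into
!    the accounting file configured on the server.
aaa accounting exec default start-stop group MGMT-TACACS
aaa accounting commands 1 default start-stop group MGMT-TACACS
aaa accounting commands 15 default start-stop group MGMT-TACACS
!
! 6. Console stays on the local list so a bad server or key cannot lock
!    you out; vty lines use the default (TACACS+) lists.
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 1 default
 authorization commands 15 default
 accounting exec default
 accounting commands 1 default
 accounting commands 15 default
 transport input ssh
```

Apply this from a session you keep open and verify from a second one. test aaa group MGMT-TACACS joe <password> legacy exercises the exchange from the router without logging in, debug tacacs shows the packets on the router side, and /var/log/tac_plus.acct on the server should start filling with a record for every command the vty user runs. Log in as fred and try no switchport on an interface to confirm that the sysadmin command rules are now enforced.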
This tutorial should provide you with a basic yet solid foundation for getting started with TACACS+. If you have any questions or need further assistance, please feel free to drop a comment below.
Happy Setting Up TACACS+!
Thanks for reading: How to Install TACACS+ on Linux CentOS. Sorry, my English is bad :)
