Tacacs+ Install and Config Guide
What is TACACS
As per wikipedia
Terminal access controller access control system (TACACS) is a remote authentication protocol that is used to communicate with an authentication server commonly used in UNIX networks. TACACS allows a remote access server to communicate with an authentication server in order to determine if the user has access to the network.
Installing Tacacs on FreeBSD
This guide is intended to be a basic implementation of TACACS+, so although there are many features I am only going to document what I generally use. Please note that tac_plus is also available from Shrubbery Networks if you would like to install and configure it on another platform.
You may also want to check out my Rancid How-To
Once again it's in your ports directory. cd to /usr/ports/net/tac_plus4/
Run "make install clean"
Once installed, vi /usr/local/etc/rc.d/tac_plus.sh
Then change the following line from NO to YES
tac_plus_enable=$
Save the file, then vi /etc/rc.conf and add tac_plus_enable="YES". This will ensure that tacacs starts if the server is rebooted.
Now cd to /usr/local/etc/
and edit the tac_plus.conf file
key = *KEYEXAMPLE* (using a key is optional but recommended, as it creates an encrypted session between the tacacs+ server and the device; since this file holds the shared key and the cleartext user passwords below, keep it readable by root only)
user = user1 {
login = cleartext user1password
}
user = rancid {
login = cleartext rancidpassword
}
user = user2 {
login = cleartext user2password
}
For all the features of the tacacs config file you should read /usr/local/share/doc/tac_plus/users_guide
Configuring a Cisco Router
Log in to the router you want to configure
and be sure to go into enable mode
conf t
aaa new-model
!
!
aaa authentication login default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 2 default start-stop group tacacs+
aaa accounting commands 3 default start-stop group tacacs+
aaa accounting commands 4 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
!
aaa session-id common
!
tacacs-server host 10.10.10.10 timeout 5
tacacs-server directed-request
tacacs-server key xxxxxxx
The tacacs-server host is, as the name suggests, the address of the server that tac_plus is running on
The tacacs-server key is the key in the tac_plus.conf file
Depending on your network setup you might need to use the following command
ip tacacs source-interface Loopback0 (or whatever interface the cisco router can communicate to the tacacs server on)
For your own sake do not write the config on the router just yet.
Starting Tacacs+
/usr/local/etc/rc.d/tac_plus.sh start
In a terminal window you might want to tail the tacacs log file
tail -f /var/log/tac_plus.acct
Now log into the router
If it works
You will see something like this.
***
User Access Verification
Username:
***
If not, you will just see the usual
***
User Access Verification
Password:
***
If you do get the username prompt, try to log in with a username and password from the tac_plus.conf file.
If you are able to log in, well done, it works.
You can save your router config.
If it does not log in, you might want to enable the tacacs debug feature.
You can also disable the key in the config file and restart tacacs; be sure to also remove the key from the router's config, and put it back on both sides once the login works.
If the tacacs login is successful you will see something like this in the tacacs accounting log
Fri Jul 7 13:13:28 2006 196.x.x.x username tty66 10.0.0.254 start task_id=22068 timezone=SAST service=shell start_time=1152270808
You will also see when someone is adding or changing a config as well as when a config is written.
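Since the accounting log is where config changes show up, it is worth parsing it rather than only tailing it. The following Python is an added example, not part of the original guide or of tac_plus: it parses tab-separated tac_plus accounting records (the sample lines are constructed, with a made-up NAS 10.10.10.1 and user alice) and flags the commands that enter config mode or write the config.

```python
import re

# Constructed sample of tac_plus accounting records (not from the original
# page): timestamp, NAS address, user, port, remote address, record type,
# then tab-separated attribute=value pairs from exec and command accounting.
SAMPLE_ACCT = (
    "Fri Jul  7 13:13:28 2006\t10.10.10.1\talice\ttty66\t10.0.0.254\tstart\t"
    "task_id=22068\ttimezone=SAST\tservice=shell\tstart_time=1152270808\n"
    "Fri Jul  7 13:14:02 2006\t10.10.10.1\talice\ttty66\t10.0.0.254\tstop\t"
    "task_id=22069\tservice=shell\tpriv-lvl=15\tcmd=show running-config <cr>\n"
    "Fri Jul  7 13:15:40 2006\t10.10.10.1\talice\ttty66\t10.0.0.254\tstop\t"
    "task_id=22070\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>\n"
    "Fri Jul  7 13:16:05 2006\t10.10.10.1\talice\ttty66\t10.0.0.254\tstop\t"
    "task_id=22071\tservice=shell\tpriv-lvl=15\tcmd=write memory <cr>\n"
)

# ctime()-style timestamp, e.g. "Fri Jul  7 13:13:28 2006", then the rest.
_RECORD = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\s+(.*)$")
# Commands that enter config mode or commit the running config to startup.
_CONFIG_CHANGE = re.compile(r"^(configure\b|write\b|copy\b.*startup-config)")


def parse_record(line):
    """Split one accounting line into fixed fields plus an attrs dict;
    returns None for anything that is not an accounting record."""
    m = _RECORD.match(line.rstrip("\n"))
    if not m:
        return None
    fields = m.group(2).split("\t")
    if len(fields) < 5:
        return None
    attrs = dict(kv.partition("=")[::2] for kv in fields[5:])
    return {"time": m.group(1), "nas": fields[0], "user": fields[1],
            "port": fields[2], "remote": fields[3], "type": fields[4],
            "attrs": {k: v.strip() for k, v in attrs.items()}}


def config_changes(acct_text):
    """Return (time, user, nas, command) for every logged config change."""
    hits = []
    for line in acct_text.splitlines():
        rec = parse_record(line)
        cmd = rec["attrs"].get("cmd") if rec else None
        if cmd is None:
            continue
        cmd = cmd.removesuffix("<cr>").strip()  # tac_plus appends "<cr>"
        if _CONFIG_CHANGE.match(cmd):
            hits.append((rec["time"], rec["user"], rec["nas"], cmd))
    return hits
```

Feed it the contents of /var/log/tac_plus.acct instead of SAMPLE_ACCT to get a list of who changed or wrote a config, on which device, and when.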
Between Tacacs+ and Rancid you can keep a pretty close eye on your network.