Server Tacacs
Terminal Access Controller Access-Control System (TACACS, usually pronounced like tack-axe)
refers to a family of related protocols handling remote authentication and related services for
networked access control through a centralized server. The original TACACS protocol, which dates
back to 1984, was used for communicating with an authentication server, common in older UNIX
networks. (Source: Wikipedia)
In this tutorial, I will show you how to install tacacs+ on Ubuntu using a stock image in the AWS cloud. I
also show you how to change your security groups to allow your routers and switches to reach your tacacs+
server. You could really use any IaaS cloud, including on-premise infrastructure.
Once that is installed, we proceed to configure the tacacs+ server to our needs. On a default installation,
the configuration file is found at /etc/tacacs+/tac_plus.conf. Open the file with your favourite editor
and make the changes below:
    vi /etc/tacacs+/tac_plus.conf

    # I am using local PAM, which lets us use local Linux users; you can use any
    # backend, such as Windows AD
    default authentication = file /etc/passwd

    # Shared secret the routers use when talking to this server
    # (placeholder value; the original tutorial does not show this line)
    key = "<your-shared-secret>"

    group = support {
        default service = deny
        service = exec {
            priv-lvl = 1
        }
    }

    group = unicorns {
        default service = permit
        service = exec {
            priv-lvl = 15
        }
    }

    # Defining my users and assigning them to the groups above
    user = mary {
        name = "Network Support"
        member = support
    }

    user = tina {
        name = "Network Unicorn"
        member = unicorns
    }
That's it. Restart your tacacs+ server, and if the server comes up fine you are clear to proceed. If you
experience errors, look out for typos; it's very easy to misspell a keyword.
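As an added example (not part of the original tutorial), here is a small Python checker for the tac_plus.conf subset used above: it parses the file, rejects the misspelled keywords the author warns about, resolves each user's exec privilege through group membership, and flags a config with no global key line (the tutorial's config as shown has none). It assumes the tac_plus syntax shown above and a constructed sample config embedded inline; it is not the project's own code.

```python
import re
KNOWN = {"default authentication", "key", "group", "user", "default service",
         "service", "priv-lvl", "name", "member"}  # keywords the tutorial uses; others are typos
SAMPLE = """\
# constructed sample mirroring the tutorial's config; the shared key is left out on purpose
default authentication = file /etc/passwd
group = support { default service = deny
  service = exec { priv-lvl = 1 } }
group = unicorns { default service = permit
  service = exec { priv-lvl = 15 } }
user = mary { member = support }
user = tina { member = unicorns }
"""

def parse(text):
    """Parse into nested dicts keyed by (keyword, name); a misspelled keyword raises ValueError."""
    path = [{}]  # path[-1] is the block currently being filled, path[0] the top level
    for n, raw in enumerate(text.splitlines(), 1):
        # strip comments, then put each '{' at a statement's end and each '}' on its own line
        raw = re.sub(r"\{", " {\n", re.sub(r"\}", "\n}\n", raw.split("#", 1)[0]))
        for line in map(str.strip, raw.split("\n")):
            if line == "}":
                if len(path) == 1:
                    raise ValueError(f"line {n}: unexpected '}}'")
                path.pop()
            elif line:
                m = re.fullmatch(r"([\w -]+?)\s*=\s*(.*?)\s*(\{)?", line)
                if not m or m.group(1) not in KNOWN:
                    raise ValueError(f"line {n}: bad or misspelled statement {line!r}")
                if m.group(3):  # opens a group/user/service block: descend into it
                    path.append(path[-1].setdefault((m.group(1), m.group(2)), {}))
                else:
                    path[-1][m.group(1)] = m.group(2).strip('"')
    if len(path) > 1: raise ValueError("unbalanced braces: a '}' is missing")
    return path[0]

def exec_privilege(conf, user):  # (permitted, priv-lvl) for the exec service, via the group
    body = conf[("user", user)]
    group = conf.get(("group", body.get("member")), {})
    svc = body.get(("service", "exec"), group.get(("service", "exec")))
    if svc is not None:
        return True, int(svc.get("priv-lvl", 1))
    return (body.get("default service") or group.get("default service")) == "permit", None

def check(conf):  # mistakes that parse cleanly but still break logins
    groups = {t[1] for t in conf if isinstance(t, tuple) and t[0] == "group"}
    out = [] if "key" in conf else ["no global 'key' line: set the shared secret the routers use"]
    out += [f"user {t[1]}: member of undefined group {b['member']}" for t, b in conf.items()
            if isinstance(t, tuple) and t[0] == "user" and "member" in b and b["member"] not in groups]
    return out
```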
Note: Don't forget to give these users strong passwords, just as you would for local users on your Cisco
devices. Also change your firewall to allow tcp/49 in. Since I was doing this on AWS, my
security group change looked like this. It's not a good idea to let the whole world in; better to restrict it
to your own networks.
That's it. At this point, your users should be able to access the router with their default restrictions. This
is the prompt Mary gets on login:

    root@m#ssh mary@router.infraops.io
    Password:
    infraops>

This is the prompt Tina gets on login:

    root@m#ssh tina@router.infraops.io
    Password:
    infraops#