
Ubuntu installing tacacs+ server for Cisco AAA

Aug 15, 2017 by blog admin


Tags: TACACS+ AWS Ubuntu
Categories: Cisco

Terminal Access Controller Access-Control System (TACACS, usually pronounced like tack-axe)
refers to a family of related protocols handling remote authentication and related services for
networked access control through a centralized server. The original TACACS protocol, which dates
back to 1984, was used for communicating with an authentication server, common in older UNIX
networks. (Source: Wikipedia)

In this tutorial, I will show you how to install tacacs+ on Ubuntu using a stock image in the AWS cloud. I
also show you how to change your security groups so that your routers and switches can reach your tacacs+
server. You could really use any IaaS cloud, including on-premise infrastructure.

TACACS+ installation and configuration.


This is perhaps the easiest step: the tacacs+ package is available in the Ubuntu repositories. So here
goes.

apt-get install tacacs+

Once that is installed, we proceed to configure the tacacs+ server to our needs. On a default installation,
the configuration file is found at /etc/tacacs+/tac_plus.conf. Open the file with your favourite editor
and make changes as below:

vi /etc/tacacs+/tac_plus.conf

# Make this a strong key
key = testing123

# I am using local PAM, which allows us to use local Linux users; you can use any
# backend such as Windows AD
default authentication = file /etc/passwd

# Define groups that we shall add users to later.
# In this example I have defined 2 groups, support and unicorns, and assigned
# them their respective privileges
group = support {
    default service = deny
    service = exec {
        priv-lvl = 1
    }
}

group = unicorns {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

# Define my users and assign them to the groups above
user = mary {
    name = "Network Support"
    member = support
}

user = tina {
    name = "Network Unicorn"
    member = unicorns
}
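
As an added example (not part of the original post), here is a small Python audit script that parses the tac_plus.conf layout above, maps each user to the exec priv-lvl their group grants, and flags a shared key that is short or still the example value. The sample configuration embedded in it is constructed, and the parser only covers the subset of tac_plus syntax used on this page.

```python
# Constructed sample in the same layout as the tac_plus.conf above (not the page's own file).
SAMPLE_CONF = """key = testing123
group = support {
  default service = deny
  service = exec {
    priv-lvl = 1
  }
}
group = unicorns {
  default service = permit
  service = exec {
    priv-lvl = 15
  }
}
user = mary {
  member = support
}
user = tina {
  member = unicorns
}"""

def parse_tac_plus(text):
    # Minimal parser for the syntax above: settings inside 'service = exec { ... }'
    # are folded into the enclosing group/user dict, so group['priv-lvl'] is reachable.
    conf = {"key": None, "groups": {}, "users": {}}
    stack = []  # one dict per currently open '{'
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.endswith("{"):
            kind, _, name = (s.strip() for s in line[:-1].partition("="))
            stack.append(stack[-1] if kind == "service" else conf[kind + "s"].setdefault(name, {}))
        elif line == "}":
            stack.pop()
        else:
            k, _, v = line.partition("=")
            (stack[-1] if stack else conf)[k.strip()] = v.strip().strip('"')
    return conf

def priv_levels(conf):
    # Map each user to the exec privilege level its group grants (tac_plus default is 1).
    return {u: int(conf["groups"].get(d.get("member", ""), {}).get("priv-lvl", 1))
            for u, d in conf["users"].items()}

def weak_key(conf, min_len=16, example_keys=("testing123",)):
    # True when the shared secret is missing, short, or a value copied from a tutorial.
    key = conf["key"] or ""
    return len(key) < min_len or key in example_keys
```

Running `priv_levels(parse_tac_plus(open("/etc/tacacs+/tac_plus.conf").read()))` on the real file shows at a glance which accounts land at priv-lvl 15.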

That's it. Restart your tacacs+ server and, if it comes up fine, you are clear to proceed. If you
experience errors, look out for typos; it's very easy to misspell a keyword.

root@m:~# /etc/init.d/tacacs_plus restart
[ ok ] Restarting tacacs_plus (via systemctl): tacacs_plus.service.

Next I add system users to match the users defined in tacacs+:

root@m:~# adduser tina
root@m:~# adduser mary

Note: Don't forget to give these users strong passwords, just as you would for local users on your Cisco
devices. Also make changes to your firewall to allow tcp/49 in. Since I was doing this on AWS, my
security group change looked like this. It's not a good idea to let the whole world in; better to restrict it
to your networks.

Making changes to your Cisco device.


Next up we make changes to the Cisco device. In this example I am using a Cisco router, and the
necessary configuration looks like this:

aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
tacacs-server host 2.3.4.5
tacacs-server key 0 testing123

That's it. At this point, your users should be able to access the router with their default restrictions. This
is the prompt Mary gets on login (priv-lvl 1, user EXEC mode):

root@m# ssh mary@router.infraops.io
Password:
infraops>

This is the prompt Tina gets on login (priv-lvl 15, privileged EXEC mode):

root@m# ssh tina@router.infraops.io
Password:
infraops#
