How To Install TACACS
Lesson Contents
Installation on CentOS:
TACACS+ test with Cisco IOS router
Tac_plus is a TACACS+ daemon for Linux. It is based on the original Cisco source code and
works with a single, simple configuration file.
Installation on CentOS:
In the example below I will show you how to install tac_plus on a CentOS server. There is an
RPM available, so this saves you the hassle of compiling the source code yourself. Let's
add the repository first.
We will create a new repository file (a .repo file in /etc/yum.repos.d/) from which yum can
fetch tac_plus. This is what you should enter:
[nux-misc]
name=Nux Misc
baseurl=http://li.nux.ro/download/nux/misc/el6/x86_64/
enabled=0
gpgcheck=1
gpgkey=http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
Save the file and install tac_plus with yum. Note that the repository file sets enabled=0, so
the nux-misc repository has to be enabled for this install (yum's --enablerepo option does
that); a plain yum install will otherwise report that no tac_plus package is available.
That's all you need to do. All configuration is done from a single config file, tac_plus.conf.
Let's take a look at its contents:
You will see a lot of things in this default configuration file. Let me walk you through some of
the fields. The first thing you see is the shared key. It has to be configured on the TACACS+
server and on each network device that you want to control with the TACACS+ server, and
the two must match exactly.
key = "MYKEY"
acl = default {
  #permit = 192\.168\.0\.
  permit = 192\.168\.2\.1
}
The ACL uses regular expressions so you can configure what IP addresses or networks
are allowed to use the TACACS+ server. By default it only permits IP address 192.168.2.1.
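The ACL semantics deserve a closer look, because tac_plus applies each permit/deny pattern to the client address as an unanchored regular expression (the commented-out `192\.168\.0\.` entry in the default file relies on exactly that to cover a whole network). The following is an added example, not code from the page or from the tac_plus project: it models the ACL evaluation in Python with a constructed set of client addresses, and shows that the unanchored single-host pattern from the default file also admits 192.168.2.10 and 192.168.2.100, while an anchored pattern (^ and $) admits only the one address that was meant. The deny-before-permit network rule is a constructed variant that goes a little beyond the page's own file.

```python
import re

# Constructed rules modelled on the "acl = default" block in tac_plus.conf:
# a list of (action, pattern) pairs, evaluated top to bottom, first match wins,
# no match means deny. Patterns are regular expressions, as in the real file.
ACL_DEFAULT = [("permit", r"192\.168\.2\.1")]

# Same intent, but anchored so that only that one address can match.
ACL_ANCHORED = [("permit", r"^192\.168\.2\.1$")]

# A network-style entry like the commented-out "192\.168\.0\." line, with one
# host carved out by a deny rule placed before the permit (constructed variant).
ACL_NETWORK = [("deny", r"^192\.168\.0\.99$"), ("permit", r"^192\.168\.0\.")]


def acl_decision(rules, client_ip):
    """Return True if client_ip is permitted by the rule list.

    Each pattern is applied with re.search, i.e. unanchored: it matches if it
    occurs anywhere in the address string. That is how a prefix entry such as
    192\.168\.0\. covers a whole /24, and it is also why an unanchored
    single-host pattern is looser than it looks.
    """
    for action, pattern in rules:
        if re.search(pattern, client_ip):
            return action == "permit"
    return False  # implicit deny when nothing matched


def permitted_hosts(rules, candidates):
    """Filter a list of candidate client addresses down to the permitted ones."""
    return [ip for ip in candidates if acl_decision(rules, ip)]


# Constructed sample of device addresses that might contact the server.
SAMPLE_CLIENTS = ["192.168.2.1", "192.168.2.10", "192.168.2.100",
                  "192.168.3.1", "192.168.0.5", "192.168.0.99"]

if __name__ == "__main__":
    for name, rules in [("default", ACL_DEFAULT), ("anchored", ACL_ANCHORED),
                        ("network", ACL_NETWORK)]:
        print(f"{name:9s} permits {permitted_hosts(rules, SAMPLE_CLIENTS)}")
```

Running the script shows the default rule admitting three of the six sample addresses and the anchored rule admitting exactly one, which is the check worth doing against your own ACL before relying on it to restrict which devices may authenticate against the server.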
host = 192.168.2.1 {
# Enable password for the router, generate a new one with tac_pwd
Here you configure the IP address of the network device that you want to control and
the login prompt that the device should show the user. You can also set an enable password
for the device here; as the comment says, its hash is generated with tac_pwd.
group = admin {
  # group members who don't have their own login password will be
  # looked up in /etc/passwd
  login = PAM
  # group members who have no expiry date set will use this one
  acl = default
  # Needed for the router to make commands available to user (subject
  service = exec {
    priv-lvl = 15
  }
  cmd = username {
    permit .*
  }
  cmd = enable {
    permit .*
  }
  cmd = show {
    permit .*
  }
  cmd = exit {
    permit .*
  }
  cmd = configure {
    permit .*
  }
  cmd = interface {
    permit .*
  }
  cmd = switchport {
    permit .*
  }
  cmd = description {
    permit .*
  }
  cmd = no {
    permit shutdown
  }
}
By default there is a group called admin whose login is set to PAM. This means tac_plus will
check passwords against the user database of the Linux machine. The admin group is also
subject to the default ACL. If you also use authorization, the cmd blocks configure which
commands members of the admin group are allowed to use. Let's take a look at the next group:
group = sysadmin {
  # group members who don't have their own login password will be
  # looked up in /etc/passwd:
  acl = default
  service = exec {
    priv-lvl = 15
  }
  cmd = enable {
    permit .*
  }
  cmd = show {
    permit .*
  }
  cmd = exit {
    permit .*
  }
  cmd = configure {
    permit .*
  }
  cmd = interface {
    permit FastEthernet.*
    permit GigabitEthernet.*
  }
  cmd = switchport {
    permit "mode.*"
  }
  cmd = description {
    permit .*
  }
  cmd = no {
    permit shutdown
  }
}
The sysadmin group is similar to the admin group, but its command rules are tighter: members
may only enter FastEthernet and GigabitEthernet interfaces, only switchport mode commands,
and only "no shutdown" under the no command. These rules only take effect if you use
command authorization on the device.
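To see what those cmd blocks actually let a sysadmin do, here is an added example (not code from the page or from tac_plus itself) that models tac_plus command authorization in Python: the first word of the command line selects the cmd block, the permit/deny patterns are tried in file order against the argument string as unanchored regular expressions, the first match decides, a block that matches nothing denies, and a command with no block at all is denied unless the group carries "default service = permit" (the setting mentioned in the forum replies below). The STRICT_INTERFACE variant is a hypothetical addition that anchors the interface rule, and it shows why that matters: the page's unanchored FastEthernet.* pattern also accepts "interface range FastEthernet0/1 - 24".

```python
import re

# Rules transcribed from the sysadmin group in tac_plus.conf: command keyword
# -> list of (action, argument-regex) pairs, in file order.
SYSADMIN_CMDS = {
    "enable": [("permit", r".*")],
    "show": [("permit", r".*")],
    "exit": [("permit", r".*")],
    "configure": [("permit", r".*")],
    "interface": [("permit", r"FastEthernet.*"), ("permit", r"GigabitEthernet.*")],
    "switchport": [("permit", r"mode.*")],
    "description": [("permit", r".*")],
    "no": [("permit", r"shutdown")],
}

# Hypothetical tighter variant (not on the page): the interface pattern is
# anchored to the start and end of the argument string, so "interface range ..."
# no longer slips through on the strength of the interface name inside it.
STRICT_INTERFACE = {
    **SYSADMIN_CMDS,
    "interface": [("permit", r"^(FastEthernet|GigabitEthernet)[0-9/]+$")],
}


def authorize(cmd_rules, command_line, default_service_permit=False):
    """Model of tac_plus command authorization for one command line.

    Returns True (permit) or False (deny). Within the matching cmd block the
    patterns are tried in order with re.search (unanchored); first match wins;
    a block that matches nothing denies. A command without a cmd block is
    denied unless the group has "default service = permit".
    """
    command, _, args = command_line.strip().partition(" ")
    rules = cmd_rules.get(command)
    if rules is None:
        return default_service_permit
    for action, pattern in rules:
        if re.search(pattern, args):
            return action == "permit"
    return False


if __name__ == "__main__":
    # Constructed sample of command lines a sysadmin might type on the router.
    for line in ["show running-config", "interface GigabitEthernet0/1",
                 "interface Loopback0", "interface range FastEthernet0/1 - 24",
                 "switchport mode access", "switchport access vlan 10",
                 "no shutdown", "no ip route 0.0.0.0 0.0.0.0 192.168.2.254", "reload"]:
        verdict = "permit" if authorize(SYSADMIN_CMDS, line) else "deny"
        strict = "permit" if authorize(STRICT_INTERFACE, line) else "deny"
        print(f"{line:45s} sysadmin={verdict:6s} strict={strict}")
```

Feeding your own group's rules through a check like this, with the exact command lines your operators use, is the quickest way to find both the commands that are unintentionally blocked and the ones that an unanchored pattern lets through.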
user = joe {
  login = PAM
  #member = sysadmin
  member = admin
}
user = fred {
  login = PAM
  member = sysadmin
}
User Joe is a member of the admin group and Fred belongs to the sysadmin group. Keep in
mind we still need to create these users…
There’s also a part for RANCID. If you have no idea what this is, RANCID is software that
can monitor network devices and check if their configuration was changed, check the
routing table, log changes, run commands to extract certain information, e-mail reports and
more.
user = rancid {
  service = exec {
    priv-lvl = 15
  }
}
Last but not least there’s a global enable password that we can use:
user = $enab15$ {
Now that you have an idea what the tac_plus configuration looks like, let's create a Linux user
for joe (login is set to PAM, so tac_plus checks the password against the local accounts), give
it a password, start the daemon, and test whether authentication works. This is the output those
steps produced:
New password:
BAD PASSWORD: it is based on a dictionary word
Starting tacacs+: [ OK ]
Don’t forget to configure your firewall to allow TCP port 49 for tac_plus.
Now let's boot a Cisco router and configure it to use TACACS+:
R1(config)#aaa new-model
First you need the aaa new-model command; without it many of the AAA commands are
unavailable. We tell the router to use TACACS+ for authentication and to fall back to local
authentication if the server is unavailable. I also configure the same key that I used
in the configuration file of tac_plus.
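The following is an added example of the router side, not the page's own configuration: it assumes the tac_plus server is reachable at 192.168.2.2 (an assumed address; only the router's own 192.168.2.1 appears in the page's config), takes the key MYKEY from the tac_plus.conf shown above, and defines a local fallback account whose name and secret are placeholders. The authorization lines are the extra step needed for the server's service = exec and cmd blocks to have any effect.

```cisco
! Added example (not from the page): R1 using TACACS+ for login with local fallback.
! Assumed: server at 192.168.2.2, fallback username "admin" (choose your own secret).
aaa new-model
!
! Local account used only when no TACACS+ server answers.
username admin privilege 15 secret <choose-a-strong-secret>
!
! Server definition with the key from tac_plus.conf (older images use the
! one-line form "tacacs-server host 192.168.2.2 key MYKEY" instead).
tacacs server TACPLUS
 address ipv4 192.168.2.2
 key MYKEY
! If the router has several addresses, pin the one the server's acl/host
! entries expect with: ip tacacs source-interface <interface>
!
! Authentication: TACACS+ first, local only when the server does not respond.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Exec authorization lets "service = exec { priv-lvl = 15 }" from the server
! set the privilege level; command authorization applies the cmd blocks.
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
!
line vty 0 4
 login authentication default
```

Two things to keep in mind when testing this: the local fallback only kicks in when the server is unreachable, not when it rejects a wrong password, so a bad password will still be refused while the server is up; and before you rely on the vty lines, you can exercise the server from the router with test aaa group tacacs+ joe <password> legacy, with debug tacacs turned on, to confirm the key and the ACL are right.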
Username: joe
Password:
R1>
Above you can see that the router displays the prompt that was configured in the
tac_plus.conf file. After logging in with username joe and the password we have access to
the router…mission accomplished! Hopefully this helps you to get started with TACACS+. If
you have any questions please leave a comment!
Tags: Linux, Security
Forum Replies
1. ReneMolenaar says:
Hmm, are you sure it's using the Nux repository? You can always just grab the RPM and install it
manually…
3. system says:
Same here. "No package tac_plus available". I can also see it in the list. Cannot install it manually, as
there are too many dependencies (which is why we use yum, haha).
I, too, am using CentOS 6.4. If I do just a yum list, it does not show it.
3.el6.nux nux-misc
cobbler.noa
4. ReneMolenaar says:
Are you sure the nux repository is enabled? You can see at the following URL that it has the tacacs
package:
http://li.nux.ro/download/nux/misc/el6/x86_64/
5. system says:
Hey,
First, whenever I put default service = permit and privilege command in the config I cannot get the daemon
to start; it fails.
Second, if I use just login with PAM I get to the user level > but I need exec level access to provide. How
Thanks
Neil