Download as docx, pdf, or txt
Download as docx, pdf, or txt
You are on page 1of 13

How to install TACACS+ on Linux CentOS

Lesson Contents
 Installation on CentOS:
 TACACS+ test with Cisco IOS router

TACACS+ (Terminal Access Controller Access-Control System Plus) is commonly used


to authenticate network devices like routers and switches using a central server. Instead of
using the local database on a router or switch, we can use the credentials that are stored on
the TACACS+ server. Whenever you try to log onto a network device, the credentials that
you supply will be forwarded to the TACACS+ server. Besides authentication, TACACS+
also allows us to configure authorization and accounting. Authorization lets us define
what commands a user is able to use on the router or switch, and accounting lets us log
whatever commands the user is typing.

Tac_plus is a TACACS+ daemon for Linux, It’s based on the original Cisco source code and
works with a simple configuration file.

Installation on CentOS:
In the example below I will show you how to install tac_plus on a CentOS server. There’s a
RPM available so this will save you the hassle of compiling the source code yourself. Let’s
add the repository first:

[root@server ~]# cd /etc/yum.repos.d/

[root@server yum.repos.d]# vim nux-misc.repo

We will create a new repository file where we can grab tac_plus. This is what you should
enter:

[nux-misc]

name=Nux Misc

baseurl=http://li.nux.ro/download/nux/misc/el6/x86_64/

enabled=0

gpgcheck=1
gpgkey=http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro

Save the file and install tac_plus with the following command:

[root@server ~]#yum --enablerepo=nux-misc install tac_plus

That’s all you need to do. All configuration is done from a single config file. Let’s take a look
at its contents:

[root@server /]# vim /etc/tac_plus.conf

You will see a lot of things in this default configuration file. Let me walk you through some of
the fields. The first thing you see is a key, we need to configure this on the TACACS+
server and on each network device that you want to control with the TACACS+ server.

By default there is no key:

#key = "your key here"

Change it to something else and get rid of the #:

key = "MYKEY"

I’ll call my key “MYKEY“. The second part is an ACL:

acl = default {

#permit = 192\.168\.0\.

permit = 192\.168\.2\.1

The ACL uses regular expressions so you can configure what IP addresses or networks
are allowed to use the TACACS+ server. By default it only permits IP address 192.168.2.1.

The next part are host-specific parameters:


# Example of host-specific configuration:

host = 192.168.2.1 {

prompt = "Enter your Unix username and password, Username: "

# Enable password for the router, generate a new one with tac_pwd

#enable = des 4P8MBRmulyloo

Here you can configure the IP address of the network device that you want to control and
the prompt that it should show the user when he/she tries to log into the network device.
You can also set the enable password if you want.

Next we will see some group specific parameters:

# Group that is allowed to do most configuration on all interfaces etc.

group = admin {

# group members who don't have their own login password will be

# looked up in /etc/passwd

#login = file /etc/passwd

login = PAM

# group members who have no expiry date set will use this one

#expires = "Jan 1 1997"

# only allow access to specific routers

acl = default
# Needed for the router to make commands available to user (subject

# to authorization if so configured on the router

service = exec {

priv-lvl = 15

#default service = permit

cmd = username {

permit .*

cmd = enable {

permit .*

cmd = show {

permit .*

cmd = exit {

permit .*

cmd = configure {

permit .*

}
cmd = interface {

permit .*

cmd = switchport {

permit .*

cmd = description {

permit .*

cmd = no {

permit shutdown

By default there’s a group called admin and login is set to PAM. This means we will use
the user database of the linux machine. The admin group is also susceptible to the
default ACL. If you also use authorization you can configure the commands that the admin
groups is allowed to use. Let’s take a look at the next group:

# A group that can change some limited configuration on switchports

# related to host-side network configuration

group = sysadmin {

# group members who don't have their own login password will be

# looked up in /etc/passwd:

#login = file /etc/passwd

# or authenticated via PAM:


login = PAM

acl = default

# Needed for the router to make commands available to user (subject

# to authorization if so configured on the router

service = exec {

priv-lvl = 15

cmd = enable {

permit .*

cmd = show {

permit .*

cmd = exit {

permit .*

cmd = configure {

permit .*

cmd = interface {

permit FastEthernet.*
permit GigabitEthernet.*

cmd = switchport {

permit "access vlan.*"

permit "trunk encapsulation.*"

permit "mode.*"

permit "trunk allowed vlan.*"

cmd = description {

permit .*

cmd = no {

permit shutdown

The sysadmin group is similar to the admin group. You can see a number of commands that
they are allowed to use (if you use authorization).

Below the group configuration you’ll find a couple of default users:


user = joe {

login = PAM

#member = sysadmin

member = admin

user = fred {

login = PAM

member = sysadmin

User Joe is a member of the admin group and Fred belongs to the sysadmin group. Keep in
mind we still need to create these users…

There’s also a part for RANCID. If you have no idea what this is, RANCID is software that
can monitor network devices and check if their configuration was changed, check the
routing table, log changes, run commands to extract certain information, e-mail reports and
more.

# User account configured for use with "rancid"

user = rancid {

# Generate a new password with tac_pwd

#login = des LXUxLCkFhGpwA

service = exec {

priv-lvl = 15
}

cmd = show { permit .* }

cmd = exit { permit .* }

cmd = dir { permit .* }

cmd = write { permit term }

Last but not least there’s a global enable password that we can use:

# Global enable level 15 password, generate a new one with tac_pwd

user = $enab15$ {

#login = des 97cZOIgSXU/4I

Now you have an idea what the tac_plus configuration looks like, let’s create a user and test
if authentication is working.

TACACS+ test with Cisco IOS router


We’ll create a user called “Joe” on the linux machine and configure a Cisco IOS router to
use the TACACS+ server:

[root@server etc]# adduser joe

[root@server etc]# passwd joe

Changing password for user joe.

New password:
BAD PASSWORD: it is based on a dictionary word

BAD PASSWORD: is too simple

Retype new password:

passwd: all authentication tokens updated successfully.

Don’t forget to start the daemon:

[root@server etc]# service tac_plus start

Starting tacacs+: [ OK ]

If you want to enable it on startup you can use chkconfig:

[root@server etc]# chkconfig --add tac_plus

[root@server etc]# chkconfig tac_plus on

Don’t forget to configure your firewall to allow TCP port 49 for tac_plus.
Now let’s boot a Cisco router and configure it to use TACACS+ :

R1(config)#aaa new-model

R1(config)#aaa authentication login default group tacacs+ local

R1(config)#tacacs-server host 192.168.2.144

R1(config)#tacacs-server key 0 MYKEY

First you need to use the aaa new-model command otherwise many of the commands are
unavailable. We’ll tell the router to use TACACS+ for authentication but if the server is
unavailable the router will use local authentication. I also configure the same key that I used
in the configuration file of tac_plus.

Let’s give it a test drive shall we…


R1 con0 is now available

Press RETURN to get started.

Enter your Unix username and password,

Username: joe

Password:

R1>

Above you can see that the router displays the prompt that was configured in the
tac_plus.conf file. After logging in with username joe and the password we have access to
the router…mission accomplished! Hopefully this helps you to get started with TACACS+. If
you have any questions please leave a comment!

Previous Lesson
BFD (Brute Force Detection) on Linux
Next Lesson
MPLS VPN Configuration Example
Tags: Linux, Security

Forum Replies

1. ReneMolenaarsays:

No package tac_plus available. (Centos 6.4)

Funny, since I can see via web that it’s there.


2. ReneMolenaarsays:

Hmm are you sure it’s using the Nux repository? you can always just grab the RPM and install it

manually…

3. systemsays:

Same here. “No package tac_plus available”. I can also see it in the list. Cannot install it manually, as

there are too many dependencies (which is why we use yum. haha)

I, too, am using Centos 6.4. If I do just a yum list, it does not show it.

[root@logger ~]# yum list --enablerepo=nux-misc | grep nux-miscanything-sync-daemon.noarch 3.11-

3.el6.nux nux-misc

chronicle.noarch 4.6-1.el6.nux nux-misc

clamassassin.noarch 1.2.4-1.el6.nux nux-misc

cobbler.noa

... Continue reading in our forum

4. ReneMolenaarsays:

Are you sure the nux repository is enabled? You can see at the following URL that it has the tacacs

package:

http://li.nux.ro/download/nux/misc/el6/x86_64/

5. systemsays:
Hey ,

Great post. I got this working.

Although i few problems and questions

First, whenever i put default service = permit and privilege command in the config i cannot get the damon

to start it fails.

Second, if i use just login with PAM i get to the user level > but i need exec level access to provide. How

can i go about doing that.

Thanks

Neil

27 more replies! Ask a question or join the discussion by visiting our Community Forum

© 2013 - 2022 NetworkLessons.com 45249

 Disclaimer
 Privacy Policy
 Support
 About

You might also like