Configuring TACACS+ in Linux

  • Make sure the TACACS+ server package is installed on the Linux system (Red Hat was used for the testing below):
[root@server2 ~]# rpm -qa | grep tac_plus
tac_plus-F4.0.3.alpha-7
[root@server2 ~]#
  • Check whether the tac_plus service is running on the Linux server:
[root@server2 ~]# service tac_plus status
tac_plus (pid 4367) is running...
[root@server2 ~]#
  • TACACS uses port 49 by default (TCP for TACACS+, as the listener below shows; the original TACACS protocol also used UDP). Check whether the port is in the listening state:
[root@server2 ~]# netstat -an | grep :49
tcp        0      0 0.0.0.0:49                  0.0.0.0:*                   LISTEN
[root@server2 ~]#
  • The TACACS+ configuration lives in the “/etc/tacacs/tac_plus.cfg” file.
  • Several debug options are available and can be enabled when the tac_plus service is started or restarted.
  • Change the “debug” value in the startup script “/etc/init.d/tac_plus” to one of the values listed in the reference links below.
  • For example, “debug=16” writes all authentication debug messages to the “/var/log/tac_plus.log” file:
[root@server2 ~]# cat /var/log/tac_plus.log  | grep demo
Sat Aug 28 20:00:44 2010 [6876]: login query for 'demo' vty0 from 10.11.131.167 rejected

Task:

Create a user named “demo” with the password “demo1” stored in encrypted form. This user should land at privilege level 10, be able to execute only the “show {ip | privilege | environment}” commands, and be able to ping only the 10.16.x.x network. The user must not be able to configure any protocols or run any other show commands. Every command executed must be accounted, and the session must time out after 15 minutes, or after 2 minutes of idle time.

Configuration in the tac_plus.cfg file to accomplish the above:

key = "sharedpasswd"
# Set up accounting file if enabling accounting on NAS
accounting file = /var/log/tac.log # Accounting records are written here (view with "cat /var/log/tac.log")
user = demo {
        default service = deny
        login = des "vmf2i5weikAFw"   ## created using the "tac_pwd -e" command.
        service = exec {
                priv-lvl = 10
                timeout = 15
                idletime = 2
        }
        cmd = show { permit "ip"
                     permit "environment"
                     permit "privilege"
                     deny .* }
        cmd = ping { permit 10\.16\.[0-9]+\.[0-9]+
                     deny .* }
 }
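The cmd blocks above are regular-expression rules, so it is worth checking offline which command lines they actually permit before trusting them on a device. The script below is an added example (it is not part of the original post and not tac_plus code): it extracts the cmd = ... { permit/deny ... } rules from the demo user block, embedded here as constructed input, and evaluates command lines against them. It assumes the semantics tac_plus is generally documented to use: the first word selects the cmd block, the remaining argument string is tested against each pattern in order with an unanchored regex search, the first match wins, and a command with no cmd block falls back to default service (taken as deny when absent). The example also goes one step beyond the post: it lints permit patterns that are not anchored with ^, because an unanchored "ip" also matches "ipv6 ..." and an unanchored 10\.16\.... also matches 110.16.x.x, and shows an anchored variant of the same policy (HARDENED_CFG, an assumption of this example) that closes those gaps.

```python
"""Offline evaluation of tac_plus-style 'cmd' authorization rules (added example)."""
import re

# The 'demo' user block from the post, embedded here as constructed test input.
DEMO_CFG = r'''
user = demo {
        default service = deny
        service = exec {
                priv-lvl = 10
                timeout = 15
                idletime = 2
        }
        cmd = show { permit "ip"
                     permit "environment"
                     permit "privilege"
                     deny .* }
        cmd = ping { permit 10\.16\.[0-9]+\.[0-9]+
                     deny .* }
}
'''

# Same policy with every permit pattern anchored (^...$), so that substring matches
# such as "ipv6" for "ip" or "110.16.1.1" for the 10.16.x.x rule no longer pass.
# This hardened variant is an assumption of the example, not from the post.
HARDENED_CFG = r'''
user = demo {
        default service = deny
        cmd = show { permit "^ip$"
                     permit "^ip "
                     permit "^environment$"
                     permit "^privilege$"
                     deny .* }
        cmd = ping { permit ^10\.16\.[0-9]+\.[0-9]+$
                     deny .* }
}
'''

CMD_BLOCK = re.compile(r'cmd\s*=\s*(\S+)\s*\{(.*?)\}', re.S)
RULE = re.compile(r'\b(permit|deny)\s+("[^"]*"|\S+)')


def parse_cmd_rules(cfg_text):
    """Return {command: [(action, pattern), ...]} in configuration order."""
    rules = {}
    for block in CMD_BLOCK.finditer(cfg_text):
        cmd, body = block.group(1), block.group(2)
        rules[cmd] = [(act, pat.strip('"')) for act, pat in RULE.findall(body)]
    return rules


def default_service(cfg_text):
    """'default service = permit|deny'; treated as deny when absent (assumption)."""
    m = re.search(r'default\s+service\s*=\s*(permit|deny)', cfg_text)
    return m.group(1) if m else "deny"


def authorize(cfg_text, command_line):
    """Return 'permit' or 'deny' for a full command line such as 'show ip route'."""
    parts = command_line.split()
    if not parts:
        return "deny"
    cmd, args = parts[0], " ".join(parts[1:])
    rules = parse_cmd_rules(cfg_text)
    if cmd not in rules:                      # no cmd block: 'default service' decides
        return default_service(cfg_text)
    for action, pattern in rules[cmd]:
        if re.search(pattern, args):          # unanchored search, first match wins (assumed)
            return action
    return "deny"                             # unreachable here because of the trailing 'deny .*'


def unanchored_permits(cfg_text):
    """Lint: permit patterns that do not start with '^' and therefore also match substrings."""
    return [(cmd, pat) for cmd, rules in parse_cmd_rules(cfg_text).items()
            for act, pat in rules if act == "permit" and not pat.startswith("^")]


if __name__ == "__main__":
    for line in ("show ip route", "show chassis", "ping 10.16.2.9",
                 "ping 110.16.2.9", "show ipv6 route", "configure terminal"):
        print(f"{line:20} original={authorize(DEMO_CFG, line):6} hardened={authorize(HARDENED_CFG, line)}")
    print("unanchored permits in original:", unanchored_permits(DEMO_CFG))
```

Running it reproduces the behaviour seen on the Force10 CLI below (show chassis denied, show privilege permitted) and also shows that the original rules permit "ping 110.16.2.9" and "show ipv6 route", which the task did not intend; the anchored variant denies both while still permitting the show ip, show environment, show privilege and 10.16.x.x ping commands. Whichever variant is used on a real server, keep "deny .*" as the last rule and test with a few commands from the device itself.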

Client (a Force10 device in our test) configuration:

Force10#show run aaa  <<  From admin User
!
aaa authentication enable default tacacs+
aaa authentication login default tacacs+
aaa authorization exec default tacacs+
aaa authorization commands 10 default tacacs+
aaa authorization commands 15 default tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting commands 10 default start-stop tacacs+
aaa accounting commands 15 default start-stop tacacs+

<From ‘demo’ user>

Force10#show chassis

% Error: Command authorization failed.

Force10#show privi

Current privilege level is 10.

Force10#

Accounting records are saved in the “/var/log/tac.log” file:

[root@server2 ~]# cat /var/log/tac.log | tail -1
Sat Aug 28 23:18:35 2010        10.11.131.167   demo    vty0    10.11.131.3     stop    task_id=102     timezone=UTC  service=shell   priv-lvl=10     cmd=show environment  <cr>
[root@server2 ~]#
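Because every command is accounted, the accounting file is also the place to verify that the authorization policy is holding: any command record for demo that is outside the allowed set, or at a privilege level other than 10, means the policy has drifted or the NAS configuration has changed. The script below is an added example (not part of the original post and not tac_plus code) that parses such records and reports those mismatches. It assumes the layout shown above, tab-separated timestamp, NAS address, user, port, remote address and start/stop flag followed by attr=value pairs with a trailing <cr>; the sample lines are constructed, the second reproduces the record above and the last is a made-up record of a command the user was never meant to run.

```python
"""Parse tac_plus accounting records and flag commands outside the intended policy (added example)."""
import re

# Constructed sample records in the layout shown in the post (fields separated by tabs).
SAMPLE_LOG = "\n".join([
    "Sat Aug 28 23:17:02 2010\t10.11.131.167\tdemo\tvty0\t10.11.131.3\tstart\ttask_id=100\ttimezone=UTC\tservice=shell",
    "Sat Aug 28 23:18:35 2010\t10.11.131.167\tdemo\tvty0\t10.11.131.3\tstop\ttask_id=102\ttimezone=UTC\tservice=shell\tpriv-lvl=10\tcmd=show environment <cr>",
    "Sat Aug 28 23:19:10 2010\t10.11.131.167\tdemo\tvty0\t10.11.131.3\tstop\ttask_id=103\ttimezone=UTC\tservice=shell\tpriv-lvl=10\tcmd=ping 10.16.2.9 <cr>",
    "Sat Aug 28 23:20:41 2010\t10.11.131.167\tdemo\tvty0\t10.11.131.3\tstop\ttask_id=104\ttimezone=UTC\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>",
])

FIXED_FIELDS = ("timestamp", "nas", "user", "port", "remote", "flag")

# What the task in the post allows 'demo' to do: privilege level 10, three show
# commands, and ping only into 10.16.x.x. Patterns are anchored so substrings cannot pass.
EXPECTED = {
    "demo": {
        "priv-lvl": "10",
        "commands": [re.compile(r"^show (ip|environment|privilege)( |$)"),
                     re.compile(r"^ping 10\.16\.[0-9]+\.[0-9]+$")],
    },
}


def parse_record(line):
    """Split one accounting line into the fixed fields plus an 'attrs' dict of attr=value pairs."""
    fields = line.rstrip("\n").split("\t")
    record = dict(zip(FIXED_FIELDS, fields))
    record["attrs"] = {}
    for token in fields[len(FIXED_FIELDS):]:
        key, sep, value = token.partition("=")
        if sep:
            # drop the '<cr>' the NAS appends to command arguments
            record["attrs"][key] = value.replace("<cr>", "").strip()
    return record


def find_violations(log_text, expected=EXPECTED):
    """Return (user, command, reason) for command records that contradict the expected policy."""
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        cmd = rec["attrs"].get("cmd")
        if cmd is None:                       # session start/stop record, no command
            continue
        policy = expected.get(rec["user"])
        if policy is None:
            violations.append((rec["user"], cmd, "user not in policy"))
        elif rec["attrs"].get("priv-lvl") != policy["priv-lvl"]:
            violations.append((rec["user"], cmd, "priv-lvl " + str(rec["attrs"].get("priv-lvl"))))
        elif not any(p.match(cmd) for p in policy["commands"]):
            violations.append((rec["user"], cmd, "command not permitted by policy"))
    return violations


if __name__ == "__main__":
    for user, cmd, reason in find_violations(SAMPLE_LOG):
        print(f"{user}: {cmd!r} -> {reason}")
```

On the sample input only the constructed "configure terminal" record is reported (it was run at priv-lvl 15). On a real server, run the same check over /var/log/tac.log on a schedule; an empty result is the expected state for a correctly restricted user.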

References:

http://www.iphelp.ru/faq/34/ch03lev1sec2.html#ch03lev2sec4

http://www.debianhelp.co.uk/tacas.htm

http://www.stben.net/tacacs/users_guide.html

http://www.debian-administration.org/articles/429


One Response to Configuring TACACS+ in Linux

  1. Venkat says:

    Installing TACACS+ on Ubuntu:

    1. Update apt-get Cache:

    admin@Ubuntu:~$ sudo apt-get update

    2. Search for tacacs in the apt-get cache:

    admin@Ubuntu:~$ sudo apt-cache search tacacs
    jffnms - PHP Network Management System
    libauthen-tacacsplus-perl - Perl module for authentication using TACACS+ server
    libpam-tacplus - PAM module for using TACACS+ as an authentication service
    libtacacs+1 - TACACS+ authentication daemon
    libtacacs+1-dev - TACACS+ authentication daemon
    tacacs+ - TACACS+ authentication daemon
    admin@Ubuntu:~$

    3. Install the tacacs+ server

    admin@Ubuntu:~$ sudo apt-get install tacacs+

    4. Edit the config file:

    admin@Ubuntu:/etc/tacacs+$ vim tac_plus.conf

    key = testing123
    #basic config
    user = demo {
        login = cleartext "force10"
        enable = cleartext "force10"
        service = shell {
            priv-lvl = 15
        }
    }

    5. Restart the service:

    admin@Ubuntu:/etc/tacacs+$ sudo service tacacs_plus restart

    6. In case of any error, check the logs in the syslog file:

    admin@Ubuntu:/etc/tacacs+$ cat /var/log/syslog

    7. If successfully started, TACACS should be listening on default port 49

    admin@Ubuntu:/etc/tacacs+$ netstat -a | grep tac
    tcp 0 0 *:tacacs *:* LISTEN
    admin@Ubuntu:/etc/tacacs+$

    8. To manually start the daemon with debug options;

    admin@Ubuntu:/etc/tacacs+$ sudo tac_plus -C /etc/tacacs+/tac_plus.conf -d 16 -d 256 -t
    admin@Ubuntu:/etc/tacacs+$
    admin@Ubuntu:/etc/tacacs+$

    admin@Ubuntu:/etc/tacacs+$ tail -f /var/log/syslog

    admin@Ubuntu:/etc/tacacs+$ sudo netstat -ap | grep taca
    tcp 0 0 *:tacacs *:* LISTEN 11837/tac_plus
    tcp 0 0 10.11.210.243:tacacs 192.168.60.237:46676 ESTABLISHED 11873/tac_plus
    admin@Ubuntu:/etc/tacacs+$

