Tacacs Server Configuration in Debian

Introduction

A TACACS server provides a centralized location for authentication, authorization and accounting (AAA) for Cisco devices. User authentication on Cisco devices can be done in one of two ways: via a local database of users on the device, or via a TACACS server. The TACACS model provides additional functionality such as authorizing which commands a user may run, as well as logging of commands and incidents. This document outlines the installation and configuration of a TACACS+ server (tac-plus) under Linux, as well as a list of some of the Cisco IOS configuration commands with basic descriptions.

Server configuration

TACACS installation

Under Debian the installation is particularly straightforward. The following command installs the tac-plus service:

# apt-get install tac-plus

To start the daemon by hand, naming the configuration file and a debug level (here 16):

/usr/sbin/tac_plus -C /etc/tac-plus/tacacs.conf -d 16

The following command follows the debugging output of the tac-plus service:

tail -f /var/tmp/tac-plus.log

To kill:
kill -USR1 `cat /etc/tac-plus.pid`
(Note that tac_plus treats SIGUSR1 as a request to re-read its configuration file rather than to exit; a plain kill, i.e. SIGTERM, stops it.)

To restart:
/etc/init.d/tac-plus restart

Files

/var/log/tac-plus/account.log (accounting log; this file must be made writable)
/var/tmp/tac_plus.log (service logfile)
/etc/init.d/tac-plus (startup script)
/etc/tac-plus/tacacs.conf (users and global settings)
/usr/sbin/tac_plus (executable)

To create a DES-encrypted password for the configuration file: htpasswd -n debianhelp
 
Server config file

/etc/tac-plus/tacacs.conf

# This user can do anything
user = admins {
    default service = permit
    login = des 70e4lCVGyWSKM
}

# This user can only run 'show ip' and 'show interface' commands
user = users {
    default service = deny
    login = cleartext test
    cmd = show {
        permit ip
        permit interface
        deny .*
    }
}
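To see what the per-user command authorization above actually grants, here is an added Python model (not part of this page or of tac_plus) that parses the subset of tacacs.conf syntax shown and evaluates commands against it. The matching semantics (first word selects the cmd block, remaining arguments joined and searched by each regex in order, first match wins, default service otherwise) are an assumption about tac_plus to be verified on your version; the embedded configuration is constructed from the two users above.

```python
import re

SAMPLE_CONF = """
# Constructed sample input: the two users from the tacacs.conf above (login lines omitted).
user = admins {
    default service = permit
}
user = users {
    default service = deny
    cmd = show {
        permit ip
        permit interface
        deny .*
    }
}
"""

def parse_conf(text):
    """Parse the subset of tac_plus syntax used above into {user: policy}."""
    users, user, cmd = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("user ="):
            user = line.split("=", 1)[1].split("{")[0].strip()
            users[user] = {"default": "deny", "cmds": {}}
        elif line.startswith("cmd ="):
            cmd = line.split("=", 1)[1].split("{")[0].strip()
            users[user]["cmds"][cmd] = []
        elif line.startswith("default service"):
            users[user]["default"] = line.split("=", 1)[1].strip()
        elif cmd and line.split()[0] in ("permit", "deny"):
            action, pattern = line.split(None, 1)
            users[user]["cmds"][cmd].append((action, re.compile(pattern)))
        elif line == "}":
            cmd = None  # a closing brace ends the innermost open block
    return users

def authorize(users, username, command):
    """Modelled tac_plus check (assumed semantics; verify on your version):
    first word picks the cmd block; remaining args, joined by spaces, are
    searched unanchored by each regex in order and the first match wins."""
    policy, words = users[username], command.split()
    patterns = policy["cmds"].get(words[0]) if words else None
    if patterns is not None:
        args = " ".join(words[1:])
        for action, regex in patterns:
            if regex.search(args):
                return action == "permit"
    return policy["default"] == "permit"  # no cmd block: default service
```

Because the patterns are unanchored in this model, `permit ip` also matches an argument such as `ipx`; anchoring the pattern (for example `^ip( |$)`) is the safer way to write a restrictive rule.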
 

Router configuration

Each AAA command specified on the router describes an authentication or authorization method list and the order in which those methods are attempted.
Config for Cisco router:

aaa new-model
# Authentication order
aaa authentication login default tacacs+ enable
aaa authentication enable default tacacs+ enable

# For ISDN connections (not yet tested with TACACS+; the aim is to use TACACS+ first and fall back to local if it is unavailable)
aaa authentication ppp RAS local
aaa authorization exec tacacs+ if-authenticated

# The following two lines are required to explicitly authorize commands.
# User-level commands will be allowed even if the TACACS server is unavailable, provided the user has been authenticated
aaa authorization commands 1 tacacs+ if-authenticated
# If the TACACS server is unavailable, enable-level commands (e.g. configure terminal, copy) can only be run from a console
aaa authorization commands 15 tacacs+ if-authenticated
aaa authorization network tacacs+

aaa accounting exec start-stop tacacs+
aaa accounting commands 1 start-stop tacacs+
aaa accounting commands 15 start-stop tacacs+
aaa accounting network start-stop tacacs+
aaa accounting system start-stop tacacs+
# Enable password, used if the TACACS server is unavailable
enable password tester


If the TACACS server is unavailable you will be prompted with the standard Cisco login; however, instead of a VTY password and an enable password, you use the enable password both to log in and to enter enable mode on the router.
For example:
User Access Verification
Password:

As opposed to:
User Access Verification
Username:

NOTE: Username and password are case-sensitive.
The following command allows any command if TACACS is unavailable:
aaa authorization exec tacacs+ none
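To make the fallback behaviour above concrete, here is an added Python model (not Cisco code) of how IOS walks a method list: a later method is consulted only when the earlier one cannot answer (TACACS+ server unreachable), never when it answers "deny". The method names are the ones used on this page; the context fields and the demo scenarios are assumptions constructed for the illustration.

```python
# Model of IOS AAA method-list evaluation for lists such as
# 'aaa authentication login default tacacs+ enable' and
# 'aaa authorization exec tacacs+ none'. Constructed illustration;
# field names in ctx are assumed, not Cisco's.

PASS, FAIL, ERROR = "pass", "fail", "error"

def run_method_list(methods, ctx):
    """Return (result, deciding_method) for the method list 'methods'.
    ctx keys: server_up, tacacs_verdict, user, password, enable_password,
    local_users, authenticated."""
    for method in methods:
        if method == "tacacs+":
            # a reachable server answers PASS/FAIL; an unreachable one ERRORs
            result = ctx["tacacs_verdict"] if ctx["server_up"] else ERROR
        elif method == "enable":
            result = PASS if ctx.get("password") == ctx["enable_password"] else FAIL
        elif method == "local":
            known = ctx["local_users"].get(ctx["user"])
            result = PASS if known is not None and known == ctx.get("password") else FAIL
        elif method == "if-authenticated":
            result = PASS if ctx.get("authenticated") else FAIL
        elif method == "none":
            result = PASS
        else:
            raise ValueError("unknown AAA method: " + method)
        if result != ERROR:
            return result, method  # only ERROR moves on to the next method
    return FAIL, None  # every method errored: the request is denied

def demo():
    """Scenarios from this page: server down versus server saying no."""
    base = dict(server_up=False, tacacs_verdict=FAIL, user="bob",
                password="tester", enable_password="tester",
                local_users={}, authenticated=True)
    return {
        # server down: login falls back to the enable password
        "login_down": run_method_list(["tacacs+", "enable"], base),
        # server up and rejecting: 'enable' is never consulted
        "login_denied": run_method_list(["tacacs+", "enable"],
                                        dict(base, server_up=True)),
        # exec authorization survives an outage for authenticated users
        "exec_down": run_method_list(["tacacs+", "if-authenticated"], base),
        # 'none' grants everything during an outage, even unauthenticated
        "exec_none": run_method_list(["tacacs+", "none"],
                                     dict(base, authenticated=False)),
    }
```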
 
A complete running configuration from the test router follows (output of show running-config):

Building configuration...

Current configuration:
!
version 11.1
service config
no service udp-small-servers
no service tcp-small-servers
!
hostname tacacstest
!
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication enable default tacacs+ enable
aaa authentication ppp RAS local
aaa authorization exec tacacs+ if-authenticated
aaa authorization commands 1 tacacs+ if-authenticated
aaa authorization commands 15 tacacs+ if-authenticated
aaa authorization network tacacs+
aaa accounting exec start-stop tacacs+
aaa accounting commands 1 start-stop tacacs+
aaa accounting commands 15 start-stop tacacs+
aaa accounting network start-stop tacacs+
aaa accounting system start-stop tacacs+
enable secret 5 $1$y1cB$sSAl.2azaTPo9GoPO3fp0.

!
!
interface Ethernet0
ip address 192.168.100.58 255.255.255.0
no cdp enable
!
interface Serial0
no ip address
shutdown
no fair-queue
!
interface Serial1
no ip address
shutdown
no cdp enable
!
interface BRI0
no ip address
shutdown
!
no ip classless
ip route 0.0.0.0 0.0.0.0 192.168.100.5
logging buffered
tacacs-server host 172.18.1.2
tacacs-server host 192.168.100.59
!
line con 0
exec-timeout 0 0
password whatever
login authentication conmethod
line aux 0
line vty 0 4
exec-timeout 0 0
!
end

Tacacs+ Install Guide

This document tries to explain, in basic terms, how to install and use tacacs+.
It is not prepared very well. I am sorry for that.

First of all, there are four kinds of installation methods for tacacs+. These are:
1) First-time rpm install
2) Binary package (rpm) upgrade
3) src.rpm compile and install
4) Tarball install

So let's describe them.

1) First-time install

If you want to use tacacs+ on your RPM-based system, use this method.
It is a very easy process. Just do the following:

Get the latest tacacs+ binary rpm file from http://www.gazi.edu.tr/tacacs.
Log in as root or switch user to root.
Type:
 rpm -ivh tac_plus.xxx.i386.rpm

This command installs tacacs+ on your system.

Check whether tacacs+ installed correctly:
 rpm -q tac_plus

If this command gives output like:
 tac_plus-F4.0.3.alpha-7

Voilà, you have successfully installed tacacs+ :).

Otherwise, there is a problem with either the system or the tacacs+ package.
 
2) Binary package (rpm) upgrade

To use this method, the tacacs+ rpm must already be installed on your system.
I haven't added any check to avoid erasing old config files.
So please back up the necessary files before this operation.
(RPM backs up old files, but sometimes not.)

Then just type:
 rpm -Fvh tac_plus.xxx.i386.rpm

Before upgrading tacacs+, please back up your config files in case of any error.

3) src.rpm compile and install

This type of installation is more complicated, but I will try to describe it in a basic way.
If you want to use other tacacs+ features, like db authentication, you must
recompile the tacacs+ rpm package.

So first of all, get the latest src.rpm file from my site.

Install it with the command:
 rpm -ivh tac_plus.xxxx.src.rpm

This command installs the tac_plus source files in the required location. On Redhat
systems it puts the files in the /usr/src/redhat directory.

Find the SPEC directory, then edit the tacacs.spec file.

Change the configure options to suit your requirements.

Next, compile by typing:
 rpm -bb tacacs.spec

If compilation succeeds it writes the binary rpm to the RPMS/i386 directory.

Then go back and follow stage 1 or 2.

That's all.
 
4) Tarball install

This section is for systems other than RPM-based ones.

For this type of installation, get the latest tarball distribution from my site.

Then unpack it with the command:
 tar zxvf tac_plus_xxx.tgz

Then change directory to the unpacked directory.
To configure tac_plus, type:
 ./configure
If you would like to add more features, like db AA or pam:
 ./configure --help   shows the configure options

To compile:
 make tac_plus

Then, to install:
 make install   (or manually install the files)