Tacacs Server Configuration in Debian

Introduction

A TACACS+ server provides a central point for authentication, authorization and accounting (AAA) for Cisco devices. User authentication on a Cisco device can be done in one of two ways: against a local database of users on the device, or against a TACACS+ server. The TACACS+ model adds functionality the local database lacks, such as authorizing per user which commands may be run, and logging the commands that were run and any failures. This document outlines the installation and configuration of a TACACS+ server (tac-plus) under Debian GNU/Linux, and lists some of the Cisco IOS configuration commands with brief descriptions.

Server configuration

TACACS+ installation

Under Debian the installation is straightforward. The following command installs the tac-plus package, which provides the tac_plus daemon, its init script and a sample configuration file:

# apt-get install tac-plus

To start the daemon by hand with debugging, point it at the configuration file with -C and give a debug level with -d. The value is a bitmask of debug categories (listed in the tac_plus users guide); 16 selects authentication debugging. Some categories (passwords, packet hex dumps) write credentials to the debug log, so use debugging only while testing and do not leave it enabled on a production server:

/usr/sbin/tac_plus -C /etc/tac-plus/tacacs.conf -d 16

The debug output goes to /var/tmp/tac_plus.log; the following command follows it as it is written:

tail -f /var/tmp/tac_plus.log

To make a running daemon reread its configuration file after editing it (SIGUSR1 reloads the configuration; it does not kill the daemon, for which the default TERM signal is used):
kill -USR1 `cat /etc/tac-plus.pid`

To stop and start it again via the init script:
/etc/init.d/tac-plus restart

Files

/var/log/tac-plus/account.log (accounting records; the file must exist and be writable by the daemon, otherwise accounting is lost)
/var/tmp/tac_plus.log (debug log written when the daemon runs with -d)
/etc/init.d/tac-plus (startup script)
/etc/tac-plus/tacacs.conf (users, command authorization and global settings such as the shared key)
/usr/sbin/tac_plus (executable)


To create a DES (crypt(3)) password hash for a `login = des` entry, use htpasswd and copy the part after the colon into the configuration file. Pass -d so that newer htpasswd versions produce a crypt() hash rather than their MD5 or bcrypt default, which tac_plus cannot verify; note that crypt() DES only uses the first eight characters of the password:
htpasswd -nd debianhelp
 
Server config file

/etc/tac-plus/tacacs.conf

This minimal file sets no shared key. Without a `key = "..."` line the daemon exchanges TACACS+ packets with the body unobfuscated, and the routers must likewise have no `tacacs-server key`; for anything beyond a lab test, set a key here and the same key on every router. Passwords given as `cleartext` are stored in the clear in this file, so the file should be readable by root only.

# This user can do anything
user = admins {
    default service = permit
    login = des 70e4lCVGyWSKM
}

# This user can only run 'show ip ...' and 'show interface ...' commands.
# The permit/deny values are regular expressions matched against the
# command's arguments; the final 'deny .*' rejects everything else.
user = users {
    default service = deny
    login = cleartext test
    cmd = show {
        permit ip
        permit interface
        deny .*
    }
}
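As an added example (not from this page or the tac-plus project), the following POSIX shell script writes the server configuration discussed above with the pieces the minimal file leaves out: a shared `key` (the TACACS+ body is only obfuscated when a key is set, and each router must carry the matching `tacacs-server key`), an explicit `accounting file`, root-only file permissions, command patterns anchored with `^`, and a parse-only check with `tac_plus -P` before the daemon is told to reread the file with SIGUSR1. The key value, the user names `admin` and `operator` and the operator's hash are placeholders; the file paths and the pid file `/etc/tac-plus.pid` are the ones this page uses.

```shell
#!/bin/sh
# Added example (not from this page or the tac-plus project): write a
# hardened tacacs.conf for the Debian tac-plus package, make sure the
# accounting log is writable, parse-check the file and tell a running
# tac_plus to reread it.  Key, user names and the operator hash are
# placeholders; the file paths are the ones this page uses.
set -eu

# write_tacplus_conf CONFDIR KEY ADMIN_HASH OPERATOR_HASH
# Hashes are crypt(3) DES strings as produced by 'htpasswd -nd <user>'.
# Prints the path of the file it wrote.
write_tacplus_conf() {
    confdir=$1; key=$2; admin_hash=$3; oper_hash=$4
    mkdir -p "$confdir"
    cat > "$confdir/tacacs.conf" <<EOF
# Shared secret: must equal 'tacacs-server key' on every router.  Without
# it the TACACS+ body (user names, passwords, commands) is sent unobfuscated.
key = "$key"

# Where accounting records go (routers send them with 'aaa accounting ...
# start-stop tacacs+').  The file must exist and be writable by the daemon.
accounting file = /var/log/tac-plus/account.log

# Full access: every service and every command permitted.
user = admin {
    default service = permit
    login = des $admin_hash
}

# Read-only operator: 'show ip ...' and 'show interface ...' only.
# permit/deny values are regular expressions matched against the command
# arguments, so they are anchored; an unanchored 'ip' would also permit
# 'show running-config | include ip'.  'deny .*' closes the list.
user = operator {
    default service = deny
    login = des $oper_hash
    cmd = show {
        permit ^ip
        permit ^interface
        deny .*
    }
}
EOF
    # The file holds the shared key and password hashes: root only.
    chmod 600 "$confdir/tacacs.conf"
    printf '%s\n' "$confdir/tacacs.conf"
}

# prepare_account_log LOGFILE: create the accounting log if it is missing and
# make it writable by the daemon (root) but unreadable by other users.
prepare_account_log() {
    mkdir -p "$(dirname "$1")"
    [ -e "$1" ] || : > "$1"
    chmod 640 "$1"
}

# check_conf CONFFILE: parse-only run (-P) of tac_plus, skipped when the
# binary is not installed (e.g. when exercising this script on a workstation).
check_conf() {
    if command -v tac_plus >/dev/null 2>&1; then
        tac_plus -P -C "$1"
    else
        echo "tac_plus not installed; skipping parse check of $1" >&2
    fi
}

# reload_tacplus PIDFILE: SIGUSR1 makes tac_plus reread its configuration;
# it does not terminate the daemon.
reload_tacplus() {
    if [ -r "$1" ]; then
        kill -USR1 "$(cat "$1")"
    else
        echo "no pid file $1; is the daemon running?" >&2
    fi
}

# Real run on the server (paths from this page; the admin hash is the one
# shown on this page, the operator hash is a placeholder):
#   sh tacplus-setup.sh install
if [ "${1:-}" = "install" ]; then
    conf=$(write_tacplus_conf /etc/tac-plus 'replace-with-a-long-random-secret' \
                              70e4lCVGyWSKM 70e4lCVGyWSKM)
    prepare_account_log /var/log/tac-plus/account.log
    check_conf "$conf"
    reload_tacplus /etc/tac-plus.pid
fi
```

`^ip` still matches any argument string that begins with `ip` (for example `ipx`), so tighten the patterns further if the device supports commands you do not want the operator to see; the point is that a bare `ip` matches anywhere in the arguments, not only at the start.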
 

Router configuration

Each AAA command on the router names a method list: the authentication or authorization methods to use and the order in which they are tried. IOS moves on to the next method only when the current one gives no answer (for example, no TACACS+ server is reachable), not when it returns a reject.
Config for Cisco router

aaa new-model
#Authentication order: ask TACACS+ first, fall back to the enable password only if no server answers
aaa authentication login default tacacs+ enable
aaa authentication enable default tacacs+ enable

#For ISDN (PPP) connections the RAS list uses the local database until this has been tested with TACACS+; the aim is TACACS+ first, then local if no server is available
aaa authentication ppp RAS local
aaa authorization exec tacacs+ if-authenticated

#The following two lines are needed to have commands explicitly authorized by the server
#With if-authenticated, user-level (1) commands are still allowed when the TACACS+ server is unavailable, provided the user has been authenticated
aaa authorization commands 1 tacacs+ if-authenticated
#If the TACACS+ server is unavailable, enable-level (15) commands such as configure terminal or copy can only be run from the console
aaa authorization commands 15 tacacs+ if-authenticated
aaa authorization network tacacs+

#Accounting: send start and stop records for EXEC sessions, commands, network (PPP) sessions and system events
aaa accounting exec start-stop tacacs+
aaa accounting commands 1 start-stop tacacs+
aaa accounting commands 15 start-stop tacacs+
aaa accounting network start-stop tacacs+
aaa accounting system start-stop tacacs+
#Enable password, used for both login and enable if the TACACS+ server is unavailable; prefer 'enable secret', which stores an MD5 hash rather than a reversible type 7 or plain-text password
enable password tester

The router also needs one `tacacs-server host <address>` line per server and a `tacacs-server key <secret>` equal to the `key` in tacacs.conf; with no key on either side the TACACS+ packets carry user names and passwords unobfuscated. The running configuration of the test router below lists two hosts but no key.


If the TACACS+ server is unavailable you are prompted with the standard Cisco login, but instead of a VTY password and a separate enable password you use the enable password both to log in and to enter enable mode on the router.
For example:
User Access Verification
Password:

As opposed to the TACACS+ prompt:
User Access Verification
Username:
NOTE: Username and password are case-sensitive.
The following command lets the EXEC session start with no authorization at all if no TACACS+ server responds. `none` is a fail-open method: it is reached only when the server gives no answer, never when the server rejects the user, but it means an attacker who can make the server unreachable gets an unauthorized EXEC shell on the router:
aaa authorization exec tacacs+ none
 
Complete configuration of the test router (IOS 11.1) as captured from it. Two points to note: it lists two tacacs-server hosts but no tacacs-server key, and line con 0 refers to a login method list named conmethod that is never defined with an `aaa authentication login conmethod ...` line (the `password whatever` on that line is not used once aaa new-model is active). The `exec-timeout 0 0` lines disable the idle timeout and are suitable for a lab only.

Building configuration...

Current configuration:
!
version 11.1
service config
no service udp-small-servers
no service tcp-small-servers
!
hostname tacacstest
!
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication enable default tacacs+ enable
aaa authentication ppp RAS local
aaa authorization exec tacacs+ if-authenticated
aaa authorization commands 1 tacacs+ if-authenticated
aaa authorization commands 15 tacacs+ if-authenticated
aaa authorization network tacacs+
aaa accounting exec start-stop tacacs+
aaa accounting commands 1 start-stop tacacs+
aaa accounting commands 15 start-stop tacacs+
aaa accounting network start-stop tacacs+
aaa accounting system start-stop tacacs+
enable secret 5 $1$y1cB$sSAl.2azaTPo9GoPO3fp0.

!
!
interface Ethernet0
ip address 192.168.100.58 255.255.255.0
no cdp enable
!
interface Serial0
no ip address
shutdown
no fair-queue
!
interface Serial1
no ip address
shutdown
no cdp enable
!
interface BRI0
no ip address
shutdown
!
no ip classless
ip route 0.0.0.0 0.0.0.0 192.168.100.5
logging buffered
tacacs-server host 172.18.1.2
tacacs-server host 192.168.100.59
!
line con 0
exec-timeout 0 0
password whatever
login authentication conmethod
line aux 0
line vty 0 4
exec-timeout 0 0
!
end