HOWTO TACACS+

Getting started with TACACS+

I originally posted this on http://networking-forum.com/blog/ but I’d like to post it on my personal site here as well.

Why a mini HOWTO? Well, I’m going to explain how I set up a simple TACACS+ server on a Linux box. If you want any sort of AD integration you’ll need to look elsewhere.

I recently got given the project of installing a new Linux box with a number of services. One of them was to replace the old TACACS+ server that has been claiming its pension already for a number of years.

Server Configuration

The server I have is a virtual machine running Red Hat Enterprise Linux 5. However, the instructions should work for any rpm-based distro.

Debian/Ubuntu distros will be slightly different to install, but I would assume the config is identical. I’ll expand this another time when I get the chance.

I’m using Cisco’s free tac_plus server. You can find it here: ftp://ftpeng.cisco.com/pub/tacacs/

As you can see, Cisco provides only the source code. No binaries to be found. I attempted to compile the code but they’ve really made it difficult, as you need to configure the makefile yourself.

You can make your life a LOT easier by just downloading a compiled rpm. If you enjoy pain then knock yourself out installing from source.

By habit I do everything in /tmp/ so cd to that folder.

Download the rpm:

wget ftp://ftp.muug.mb.ca/mirror/redhat/contrib/libc6/i386/tac_plus-4.0.3-2.i386.rpm

Of course if you’re using a Debian/Ubuntu based distro, you’ll be looking for a .deb file or at least a repository that has tac_plus on it.

Install the rpm now:

rpm -i tac_plus-4.0.3-2.i386.rpm

tac_plus is now installed and the package’s init script should have started the daemon for you. You can check this by running:

ps -ef | grep tac_plus

You should see something like the following:

root 6134 1 0 Aug02 ? 00:00:00 /usr/local/sbin/tac_plus -C /etc/tacacs/tac_plus.cfg
root 18325 18283 0 21:30 pts/0 00:00:00 grep tac_plus

The output also gives us a clue as to where the config file is. Go ahead and run this:

vi /etc/tacacs/tac_plus.cfg

I personally cleared this file out and started it from scratch. I believe this makes it easier for me and all the fluff is out. tac_plus gives us the option of loading any file as a test. This is pretty handy. If you’re still in /tmp/ create a new file called new_test

This is my initial config. Paste this into this new file and save (I’ll go through what everything means later).

# Put your NAS key below
key = [email protected]@[email protected]

# Accounting File
accounting file = /var/log/tac_accounting.log

# * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
# *                     USERS                             *
# * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

user = mellowd {
        login = cleartext southafrica
     #mellowd is a member of group NOC
        member = NOC
}

user = foo {
        login = cleartext bar
     #foo is a member of group NOC
        member = NOC
}

user = elvis {
     #elvis is a member of group F_OPS
        member = F_OPS
}

# * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
# *                       GROUPS                          *
# * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

group = NOC {
      #NOC is a member of group ALL_STAFF
        member = ALL_STAFF
}

group = F_OPS {
      #F_OPS is a member of group ALL_STAFF
        member = ALL_STAFF
}

group = ALL_STAFF {
}

# End config file

A pretty simple config, right? I have defined three users: mellowd, foo and elvis. mellowd and foo are both part of the NOC group; elvis is a member of the F_OPS group. Both groups are in turn members of a group called ALL_STAFF. A user gets all the settings of their group, and groups pick up all the settings of the groups they belong to. Currently there is no config in the groups, but this will change later. One thing to notice: elvis has no login line, so nothing in this file can actually authenticate him yet.

Note that user-level settings override group settings, i.e. if I put the same setting under both the group and the user, the user’s setting wins.
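To make the inheritance and override rules concrete, here is an added example (not code from the original post or from Cisco’s tac_plus) that parses the line-oriented subset of tac_plus syntax used in this post and flattens a user’s settings through its group chain. SAMPLE_CFG is constructed for the example: it is the user/group layout above with a few attributes added at group and user level so that the override is visible, and with a placeholder key. One assumption is built in: the checker treats a login line at any level of the chain as usable, which is my reading of how tac_plus resolves it.

```python
"""Resolve a user's effective tac_plus settings through its group chain.
Added example for the post's inheritance rules: a user's own setting beats its
group's, and a group inherits from the group it is a member of.
"""

SAMPLE_CFG = """
key = example-shared-secret                     # placeholder, not a real secret
accounting file = /var/log/tac_accounting.log

user = mellowd {
        login = cleartext southafrica
        member = NOC
        service = exec {
                priv-lvl = 7                    # user-level override of NOC's 15
        }
}
user = foo {
        login = cleartext bar
        member = NOC
}
user = elvis {
        member = F_OPS                          # no login line at any level
}

group = NOC {
        member = ALL_STAFF
        service = exec {
                priv-lvl = 15
        }
}
group = F_OPS {
        member = ALL_STAFF
}
group = ALL_STAFF {
        default service = permit
}
"""


def parse(text):
    """Parse into nested {"attrs": {...}, "blocks": {(kind, name): node}} dicts."""
    root = {"attrs": {}, "blocks": {}}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments and whitespace
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
            continue
        opens = line.endswith("{")
        key, sep, val = line.rstrip("{").partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'name = value'")
        key, val = key.strip(), val.strip()
        if opens:                               # user = X {, group = G {, service = exec {
            child = {"attrs": {}, "blocks": {}}
            stack[-1]["blocks"][(key, val)] = child
            stack.append(child)
        else:
            stack[-1]["attrs"][key] = val
    if len(stack) != 1:
        raise ValueError("unbalanced braces: missing '}'")
    return root


def chain(root, user):
    """Nodes from the user outwards: [user, its group, that group's parent, ...]."""
    kind, name, nodes, seen = "user", user, [], set()
    while name:
        if (kind, name) not in root["blocks"]:
            raise ValueError(f"undefined {kind} {name}")
        if (kind, name) in seen:
            raise ValueError(f"membership loop at {kind} {name}")
        seen.add((kind, name))
        node = root["blocks"][(kind, name)]
        nodes.append(node)
        kind, name = "group", node["attrs"].get("member")
    return nodes


def merge(far, near):
    """Overlay `near` on `far`: nearer attrs win, nested blocks merge recursively."""
    out = {"attrs": {**far["attrs"], **near["attrs"]}, "blocks": {}}
    for k in far["blocks"].keys() | near["blocks"].keys():
        if k in far["blocks"] and k in near["blocks"]:
            out["blocks"][k] = merge(far["blocks"][k], near["blocks"][k])
        else:
            out["blocks"][k] = far["blocks"].get(k, near["blocks"].get(k))
    return out


def effective(root, user):
    """Flattened settings: farthest ancestor applied first, the user last."""
    eff = {"attrs": {}, "blocks": {}}
    for node in reversed(chain(root, user)):
        eff = merge(eff, node)
    eff["attrs"].pop("member", None)            # membership is resolved, not a setting
    return eff


def exec_priv_lvl(root, user):
    """priv-lvl the user gets for service exec, or None if nothing sets one."""
    svc = effective(root, user)["blocks"].get(("service", "exec"))
    return svc["attrs"].get("priv-lvl") if svc else None


def can_authenticate(root, user):
    """True only if some level in the chain supplies a login method."""
    return "login" in effective(root, user)["attrs"]


if __name__ == "__main__":
    cfg = parse(SAMPLE_CFG)
    for name in ("mellowd", "foo", "elvis"):
        print(name, "login:", can_authenticate(cfg, name),
              "exec priv-lvl:", exec_priv_lvl(cfg, name))
```

Run stand-alone it reports mellowd at priv-lvl 7 (his own line beats NOC’s 15), foo at 15 inherited from NOC, and elvis with no login method at all, which is the kind of thing tac_plus -P will not warn you about because the file is syntactically fine.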

Right at the top you have a key currently set as [email protected]@[email protected] tac_plus will run without one, but I would strongly recommend having it: the shared key is the only thing that protects the packet body (usernames, passwords and commands) on the wire, and if no key is configured the body goes out in clear text. The same key needs to be on your routers and switches (we’ll get to that config later). Bear in mind that the TACACS+ obfuscation is only an MD5-derived keystream with no integrity check, so treat TCP port 49 as a management-network-only service rather than relying on the key alone.
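The following is an added example, not code from the original post or from tac_plus, showing exactly what the key does on the wire. It builds the authentication START packet a router sends at login and applies the body obfuscation defined in RFC 8907 section 4.5 (an MD5 keystream derived from the session id, the shared key, the version byte and the sequence number, XORed over the body), then compares what a capture of TCP/49 reveals with and without a key. The key, session id, username, port and remote address are constructed values.

```python
"""What the TACACS+ shared key does (and does not) protect on the wire.
Added example implementing the RFC 8907 section 4.5 body obfuscation.
"""
import hashlib
import struct

VERSION = 0xC0                     # major version 0xC, default minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body is sent in the clear
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length

EXAMPLE_KEY = b"example-shared-secret"   # constructed; stands in for the post's key
EXAMPLE_SESSION_ID = 0x1234ABCD          # constructed; a real NAS picks this randomly


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream: MD5(session_id | key | version | seq_no [| previous digest]), chained."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, seq_no, version=VERSION):
    """XOR the body with the keystream; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start(user, port=b"tty66", rem_addr=b"192.0.2.10", data=b""):
    """START body for an ASCII login: action LOGIN(1), priv_lvl 1, type ASCII(1), service LOGIN(1)."""
    return (bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data)])
            + user + port + rem_addr + data)


def build_packet(user, session_id, key, seq_no=1):
    """Wire bytes of the first packet of a login; key=None models 'no key configured'."""
    body = authen_start(user)
    if key:
        flags, wire = 0, obfuscate(body, session_id, key, seq_no)
    else:
        flags, wire = TAC_PLUS_UNENCRYPTED_FLAG, body
    return HEADER.pack(VERSION, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body)) + wire


def read_username(packet, key):
    """Username an observer (or the server) recovers from the packet with `key`."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    wire = packet[HEADER.size:HEADER.size + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = wire                                   # nothing to undo
    else:
        body = obfuscate(wire, session_id, key or b"", seq_no, version)
    user_len = body[4]                                # a wrong key yields a garbage length and name
    return body[8:8 + user_len]


def is_unencrypted(packet):
    """Detection hook: the flag bit shows a NAS talking to you without a key."""
    return bool(HEADER.unpack_from(packet)[3] & TAC_PLUS_UNENCRYPTED_FLAG)


if __name__ == "__main__":
    keyed = build_packet(b"mellowd", EXAMPLE_SESSION_ID, EXAMPLE_KEY)
    clear = build_packet(b"mellowd", EXAMPLE_SESSION_ID, None)
    print("with key, username visible in capture:", b"mellowd" in keyed)
    print("with key, recovered using the right key:", read_username(keyed, EXAMPLE_KEY))
    print("with key, recovered using a wrong key:", read_username(keyed, b"wrong"))
    print("no key, username visible in capture:", b"mellowd" in clear,
          "unencrypted flag:", is_unencrypted(clear))
```

Two things fall out of this that matter operationally: because the body is a plain XOR with no MAC, a wrong key is not detected by the packet format itself (the server simply decodes garbage and rejects the login), and the unencrypted flag in the header is cheap to alert on from a capture, since it means a device is sending credentials in the clear.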

There is also an accounting file set up. We’ll get more into this later. 

Now remember this file is currently saved as /tmp/new_test. How do we actually run this and test it out? First of all tac_plus allows us to check the syntax of the file which I recommend doing. You can do it like so:

tac_plus -P -C /tmp/new_test

If you have any errors it’ll tell you on what line it is. (Real world tip. Open the file in vi and type :set number – This will show you line numbers)

If it passes without error it’ll just show you your config and you’ll be back at the prompt. This means all is okay so far.

In order to test out this file you’ll need to stop the daemon from running:

[[email protected] ~]# /etc/init.d/tacacs stop
Shutting down tacacs+: [ OK ]

Now run the daemon, forcing it to use your new file and to produce debug output as well (-d 16 turns on authentication debugging; note that the debug output goes to the log file, not to your terminal):

[[email protected] tmp]# tac_plus -C /tmp/new_test -d 16

I’d now tail the log file to ensure all is okay when logging on via a router:

[[email protected] tmp]# tail -f /var/tmp/tac_plus.log
Tue Aug  4 22:54:13 2009 [18632]: Reading config
Tue Aug  4 22:54:13 2009 [18632]: Version F4.0.3.alpha Initialized 1
Tue Aug  4 22:54:13 2009 [18632]: tac_plus server F4.0.3.alpha starting
Tue Aug  4 22:54:13 2009 [18633]: Backgrounded
Tue Aug  4 22:54:13 2009 [18634]: uid=0 euid=0 gid=0 egid=0 s=0

Router configuration

Now for the router itself. I’ve got here a standard 2612XM. The config has been wiped. The only initial config I’ve done is to configure one of the interfaces so it’s on the same network as my TACACS+ server.

You’ll need to tell the router that it needs to use TACACS+ as authentication:

Router#conf t
Router(config)#aaa new-model
Router(config)#aaa authentication login default group tacacs+ local
Router(config)#tacacs-server host x.x.x.x
Router(config)#tacacs-server key 0 [email protected]@[email protected]

Here we have told the router the IP address of our TACACS+ server as well as the server key that we configured on the server earlier. We have also told the router to try TACACS+ first for logins, with the local database as a fallback. I recommend that fallback: if your server is down you still want to have access to your network. Be clear on how the fallback works, though: the router only consults the local database if the TACACS+ server is unreachable. If the server is reachable and rejects the login, the router will NOT fall back to local and will NOT let you in. One more real-world tip: aaa new-model applies the default login list to the console line as well, so keep your existing console session open, test with a fresh telnet session, and only save the config once TACACS+ logins are working.

Telnet to your router and test:

User Access Verification
Username: mellowd
Password:
Router>

If you’re still tailing on the server you should see this:

Tue Aug 4 22:55:05 2009 [18637]: login query for 'mellowd' tty66 from x.x.x.x accepted

If you’re not seeing this then the router and the server are not talking to each other. Make sure incoming TCP port 49 is open on the server (check iptables) and that the router can reach the server’s address from the interface it sources the request from.

You can also console into the router at the same time and run this and then telnet in:

Router#debug tacacs

That should give you all the information you need to figure out the problem.

If everything is okay you need to copy your TACACS+ config file on the server over to the actual live daemon config:

[[email protected] tmp]# cp /tmp/new_test /etc/tacacs/tac_plus.cfg

This will require a restart of the daemon itself:

[[email protected] tmp]# /etc/init.d/tacacs restart

That’s pretty much it done. I’d like to add a few things later. For example I’ll show the configuration on a Foundry switch/router to use TACACS+. I’ll also show you how to encrypt the passwords in the configuration file.

If there are any errors in the above, please let me know via comments so I can fix it!

Parts starting to arrive

I ordered from 2 separate companies so I have to wait for both to deliver. One of them is still waiting on stock :(

I’ve just received my motherboard, the CPU and a Wi-Fi card which I forgot to mention earlier. This motherboard has 3 PCI slots which I want to upgrade later to have 3 quad NICs. Because of this I wanted a Wi-Fi card that fits into my PCI-Express 1X slot. This particular Wi-Fi card fits the bill. It does not however have a Linux driver, so that’ll be fun and games when I get to that part.

(Image: CPU_BOARD_WIFI)

Dynamips parts ordered

I’ve already got a lab at work with 4 x 2621XMs, 2 x EMI 2950s, 1 x 3750 and 2 x 1721s. However for some of the bigger CCIE labs this simply isn’t enough and I cannot justify to my boss the use of another 10 routers.

So I’ve decided to put together a Dynamips box. I use real routers and switches all the time so this isn’t a problem. I’ve ordered the following:

AMD Athlon II X4 620 2.6GHz Quad-Core
MSI 770T-C45 AM2+ Motherboard
4GB DDR2 RAM
Case and 500 Watt power supply

No screen, video card or peripherals as this will be a headless Linux box. As soon as I get the parts together I can crack on with installing it. I’ll be sure to cover all the steps in the blog.

Welcome to my new blog.

Hi and welcome to my new blog.

I’ve created this blog to track my progress towards my CCIE number. Currently I am CCNP certified and I’ll be CCIP certified soon as well. I’ve got my 642-661 BGP exam to write soon and then just my 642-611 MPLS. After that I’m going to dive into my CCIE R&S studies.