Ubuntu installing tacacs+ server for Cisco AAA
Terminal Access Controller Access-Control System (TACACS, usually pronounced like tack-axe) refers to a family of related protocols handling remote authentication and related services for networked access control through a centralized server. The original TACACS protocol, which dates back to 1984, was used for communicating with an authentication server, common in older UNIX networks. (Source: wikipedia) TACACS+, which is what gets installed below, is Cisco's later and incompatible successor to that protocol; it is specified in RFC 8907 and listens on TCP port 49.
In this tutorial I show how to install tacacs+ on Ubuntu using a stock image in the AWS cloud, and how to change your security groups so that your routers and switches can reach the tacacs+ server. You could use any IaaS cloud, or on-premise infrastructure, in the same way.
TACACS+ installation and configuration.
This is perhaps the easiest part: the tacacs+ package is available in the Ubuntu repositories, so:
apt-get install tacacs+
Once it is installed, we configure the tacacs+ server to our needs. On a default installation the configuration file is /etc/tacacs+/tac_plus.conf.
Open the file with your favourite editor and make changes as below.
vi /etc/tacacs+/tac_plus.conf
#Make this a strong, random key: it must match the tacacs-server key on every device, and it is the only secret protecting the traffic
key = testing123
#Authenticate against the local Unix password database (this is the password file, not PAM), so every tacacs+ user below also needs a Linux account; other backends such as Windows AD are possible
default authentication = file /etc/passwd
#Define groups that we shall add users to later
#In this example I have defined 2 groups support and unicorns and assign them respective privileges
group = support {
default service = deny
service = exec {
priv-lvl = 1
}
}
group = unicorns {
default service = permit
service = exec {
priv-lvl = 15
}
}
#Defining my users and assigning them to groups above
user = mary {
name = "Network Support"
member = support
}
user = tina {
name = "Network Unicorn"
member = unicorns
}
That's it. Restart the tacacs+ server and, if it comes up cleanly, you are clear to proceed. If you get errors, look for typos; it is very easy to misspell a keyword. Running tac_plus -P -C /etc/tacacs+/tac_plus.conf parses the file and reports syntax errors without starting the daemon, which is a safer check than restarting a service your routers depend on.
root@m:~# /etc/init.d/tacacs_plus restart
[ ok ] Restarting tacacs_plus (via systemctl): tacacs_plus.service.
Next I add system users to match the users in tacacs+; this is needed because authentication was pointed at the local password file above.
root@m:~# adduser tina
root@m:~# adduser mary
Note: Don't forget to give these users strong passwords, just as you would for local users on your Cisco devices.
Also change your firewall to allow tcp/49 in from your network devices. Since I was doing this on AWS, my security group change looked like this. It's not a good idea to let the whole world in; restrict the rule to the management addresses of your routers and switches. TACACS+ has no transport security of its own: RFC 8907 calls the shared-key encryption of packet bodies obfuscation and requires the protocol to be deployed only on a secured network, so the source restriction and the key strength are what protect the credentials passing through this port.
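As an added example (not part of the original post, nor code from the tacacs+ package), here is a small Python audit that parses the tac_plus.conf above, resolves the exec privilege level each user ends up with through group membership, and flags the testing123 key and the permit-all group. The sample config embedded in it is a constructed copy of the configuration from this post; the comment-handling rule and the treatment of an exec block without priv-lvl are assumptions of the model, and tac_plus -P remains the authoritative syntax check.

```python
"""Audit a Shrubbery tac_plus.conf before restarting the daemon.
Added example, not code from the original post or the tacacs+ package.
SAMPLE_CONF is a constructed copy of the tutorial's configuration."""
import re

SAMPLE_CONF = """\
key = testing123
default authentication = file /etc/passwd
group = support {
    default service = deny
    service = exec {
        priv-lvl = 1
    }
}
group = unicorns {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}
user = mary {
    name = "Network Support"
    member = support
}
user = tina {
    name = "Network Unicorn"
    member = unicorns
}
"""
WEAK_KEYS = {"testing123", "cisco", "secret", "tacacs", "password", "key"}

def parse(text):
    """'lhs = rhs' lines and 'lhs = name { ... }' blocks become nested dicts."""
    stack = [{}]
    for raw in text.splitlines():
        # a comment starts at a '#' that begins a token, so 'key = ab#cd' survives
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}' at top level")
            stack.pop()
            continue
        lhs, _, rhs = (part.strip() for part in line.partition("="))
        if rhs.endswith("{"):
            block = {}
            stack[-1].setdefault(lhs, {})[rhs[:-1].strip()] = block
            stack.append(block)
        else:
            stack[-1][lhs] = rhs.strip('"')
    if len(stack) != 1:
        raise ValueError("%d block(s) never closed" % (len(stack) - 1))
    return stack[0]

def check_syntax(text):
    """None if the file parses, else the error; 'tac_plus -P' is the authoritative check."""
    try:
        parse(text)
    except ValueError as exc:
        return str(exc)

def effective_priv_lvl(conf, username):
    """Exec level the server hands to IOS, or None when exec is denied.
    Lookup mirrors tac_plus: user block, then its groups, nearest first; the first
    explicit 'service = exec' wins, else the first 'default service', else deny.
    An exec block without priv-lvl is scored as 1 (assumption: IOS's default level)."""
    nodes, node, seen = [], conf.get("user", {}).get(username), set()
    while node is not None:
        nodes.append(node)
        parent = node.get("member")
        if parent is None or parent in seen:
            break
        seen.add(parent)
        node = conf.get("group", {}).get(parent)
    for node in nodes:
        exec_block = node.get("service", {}).get("exec")
        if exec_block is not None:
            return int(exec_block.get("priv-lvl", 1))
    for node in nodes:
        if "default service" in node:
            return 1 if node["default service"] == "permit" else None
    return None

def audit(conf):
    """Human-readable findings; an empty list means nothing stood out."""
    findings = []
    key = conf.get("key", "")
    if len(key) < 16 or key.lower() in WEAK_KEYS:
        findings.append("shared key is short or a well-known placeholder; it is the only secret protecting TACACS+ traffic")
    for gname, group in conf.get("group", {}).items():
        if group.get("default service") == "permit":
            findings.append("group %s permits every service by default, not just exec" % gname)
    return findings

if __name__ == "__main__":
    conf = parse(SAMPLE_CONF)
    print({user: effective_priv_lvl(conf, user) for user in conf["user"]})
    print("\n".join("WARN: " + finding for finding in audit(conf)))
```

Run it against your own file before restarting the daemon. With the configuration above it reports mary at priv-lvl 1 and tina at 15, warns about the key, and warns that the unicorns group permits every service rather than only exec, which matters as soon as you enable command or PPP authorization on the devices.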
Making changes to your Cisco device.
Next up we make changes to the Cisco device. In this example I am using a Cisco router, and the necessary configuration looks like this (2.3.4.5 stands for your tacacs+ server's address, and the key must be the same string as in tac_plus.conf):
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
tacacs-server host 2.3.4.5
tacacs-server key 0 testing123
The trailing local keyword is a fallback, not a second chance: IOS consults the local user database only when no TACACS+ server answers, not when the server rejects a password. Make sure a local privilege-15 user and an enable secret exist before you apply this, and test the new login from a second session while the first stays open, so that a mistyped key or a blocked tcp/49 does not lock you out.
That's it. At this point your users should be able to access the router with their default restrictions.
This is the prompt Mary gets on login (user exec, privilege 1):
root@m#ssh mary@router.infraops.io
Password:
infraops>
This is the prompt Tina gets on login (privileged exec, privilege 15):
root@m#ssh tina@router.infraops.io
Password:
infraops#
If you run into issues with the aaa commands on your Cisco devices, please refer to this post, which shows the various formats of the commands on the different versions of IOS.