Lab environment/requirements
Ubuntu/Debian server
tac_plus (TACACS+ daemon) from Shrubbery Networks
Cisco Catalyst switches
User id: advanxer
Password: helloworld
Enable password: ciscoenable
Download and install tacacs+
wget ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F4.0.4.27a.tar.gz
Extract it
tar -zxvf tacacs+-F4.0.4.27a.tar.gz
Go into extracted folder
cd tacacs+-F4.0.4.27a
Install dependencies (if needed)
apt-get install build-essential flex bison libwrap0-dev
Install tacacs+ (run as root, or prefix each command with sudo)
./configure
make
make install
Check tacacs+ is installed
ls /usr/local/bin/
You should see 2 files:
tac_plus – the tacacs+ daemon
tac_pwd – generates a DES (default) or MD5 (-m) crypt-style hash of a password for use in tac_plus.conf
Create the password hash for the user (here the username is advanxer and the password is helloworld); tac_pwd prompts for the cleartext and prints the hash that goes into tac_plus.conf, so the cleartext password is never stored on the server:
root@vps:~# tac_pwd
Password to be encrypted: helloworld
6Zvw8uD3yX4eI
Create the hash for the enable password:
root@vps:~# tac_pwd
Password to be encrypted: ciscoenable
2mq3JtC3knwQw
Now we have this user info:
username advanxer
cleartext password helloworld, hash 6Zvw8uD3yX4eI
cleartext enable password ciscoenable, hash 2mq3JtC3knwQw
(tac_pwd picks a random salt, so running it again on the same password gives a different but equally valid hash)
Tacacs+ configuration
Create a tacacs folder in /etc and create the tac_plus.conf file there. The file contains the shared key in cleartext, so make it readable by root only:
mkdir /etc/tacacs
cd /etc/tacacs
touch tac_plus.conf
chmod 600 tac_plus.conf
nano tac_plus.conf
# shared secret between tac_plus and the NAS (switch); it must match the
# key configured on every device and should be long and random
key = "sup36s3c63t"
# where the accounting records go
accounting file = /var/log/tacacs.log
# enable password for all users ($enable$ is the reserved tac_plus user name for enable authentication)
user = $enable$ {
login = des 2mq3JtC3knwQw
}
# user accounts - user details are defined here
user = advanxer {
default service = permit
member = networkadmingroup
login = des 6Zvw8uD3yX4eI
}
# user account for read only access
# (the lab reuses the advanxer hash here; give each user its own tac_pwd hash in practice)
user = helpdesk {
default service = deny
member = readonly
login = des 6Zvw8uD3yX4eI
}
# group details
# admin group: full privilege-15 shell
group = networkadmingroup {
default service = permit
service = exec {
priv-lvl = 15
}
}
# read only group: everything is denied except the commands listed below
# (the switch must send exec and command authorization requests to tacacs+
# for the priv-lvl and cmd stanzas to have any effect)
group = readonly {
default service = deny
service = exec {
priv-lvl = 0
}
cmd = show {
permit .*
}
cmd = enable {
permit .*
}
cmd = exit {
permit .*
}
}
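Before pointing a switch at the server it is worth checking that tac_plus really authenticates the user defined above. The following is an added example, not code from the original page or from the tac_plus project: a minimal TACACS+ client that performs the ASCII-login exchange of RFC 8907 (START carrying the username, a GETPASS reply, a CONTINUE carrying the password, then PASS or FAIL), including the MD5 pseudo-pad that obfuscates every packet body under the shared key. It assumes the daemon is reachable at 192.0.2.10 on TCP port 49 (a documentation address chosen here) and uses the key and user from the tac_plus.conf above; the port name tty0 and remote address 127.0.0.1 it reports are arbitrary values for the lab.

```python
#!/usr/bin/env python3
"""TACACS+ (RFC 8907) ASCII-login test client for checking a tac_plus server.

Assumptions (not from the original page): server at 192.0.2.10, TCP port 49,
the key and the user from the tac_plus.conf above.
"""
import os
import socket
import struct
from hashlib import md5

TAC_PLUS_VERSION = 0xC0          # major 0xC, minor 0: ASCII login
TAC_PLUS_AUTHEN = 1              # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
ACTION_LOGIN, TYPE_ASCII, SVC_LOGIN = 1, 1, 1
# authentication REPLY status values
PASS, FAIL, GETDATA, GETUSER, GETPASS, RESTART, ERROR = 1, 2, 3, 4, 5, 6, 7

# 12-byte header: version, type, seq_no, flags, session_id, body length
HEADER = struct.Struct("!BBBBII")


def pseudo_pad(key: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 4.5: MD5_1 = MD5(sid|key|ver|seq), MD5_n = MD5(sid|key|ver|seq|MD5_n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(key, session_id, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(key: bytes, session_id: int, seq_no: int, body: bytes) -> bytes:
    """Cleartext header followed by the obfuscated body."""
    hdr = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, key, session_id, TAC_PLUS_VERSION, seq_no)


def authen_start_body(user: bytes, port: bytes = b"tty0", rem_addr: bytes = b"127.0.0.1") -> bytes:
    """START: action, priv_lvl, authen_type, authen_service, four length bytes, user, port, rem_addr."""
    fixed = bytes([ACTION_LOGIN, 1, TYPE_ASCII, SVC_LOGIN, len(user), len(port), len(rem_addr), 0])
    return fixed + user + port + rem_addr


def authen_continue_body(user_msg: bytes) -> bytes:
    """CONTINUE: user_msg_len(2), data_len(2), flags(1), user_msg (the password reply)."""
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg


def parse_reply(key: bytes, session_id: int, packet: bytes):
    """Decode a REPLY packet into (seq_no, status, server_msg)."""
    version, ptype, seq_no, flags, sid, length = HEADER.unpack(packet[:HEADER.size])
    if sid != session_id or ptype != TAC_PLUS_AUTHEN:
        raise ValueError("reply does not belong to this session")
    body = packet[HEADER.size:HEADER.size + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, key, session_id, version, seq_no)
    status, _rflags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return seq_no, status, body[6:6 + msg_len]


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def ascii_login(host: str, key: bytes, user: bytes, password: bytes, port: int = 49):
    """Run START / GETPASS / CONTINUE / PASS|FAIL against the server; returns (ok, server_msg)."""
    session_id = int.from_bytes(os.urandom(4), "big")
    seq = 1  # client packets carry odd sequence numbers, server replies even ones
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(build_packet(key, session_id, seq, authen_start_body(user)))
        while True:
            hdr = recv_exact(s, HEADER.size)
            reply = hdr + recv_exact(s, HEADER.unpack(hdr)[5])
            reply_seq, status, msg = parse_reply(key, session_id, reply)
            if reply_seq != seq + 1:
                raise ValueError("sequence number out of order")
            seq = reply_seq + 1
            if status == PASS:
                return True, msg
            if status == FAIL:
                return False, msg
            if status == GETUSER:
                answer = user
            elif status == GETPASS:
                answer = password
            else:  # ERROR, RESTART, or garbage decoded with a wrong shared key
                raise RuntimeError(f"unexpected status {status}: {msg!r}")
            s.sendall(build_packet(key, session_id, seq, authen_continue_body(answer)))


if __name__ == "__main__":
    ok, msg = ascii_login("192.0.2.10", b"sup36s3c63t", b"advanxer", b"helloworld")
    print("authentication", "PASSED" if ok else "FAILED", msg.decode(errors="replace"))
```

Start the daemon with tac_plus -C /etc/tacacs/tac_plus.conf (tac_plus -P -C /etc/tacacs/tac_plus.conf only parses the file and exits, which catches syntax errors first), then run the script. A wrong password comes back as a clean FAIL; a wrong shared key does not, because the reply body decodes to garbage and the client raises on the unknown status byte, which is also what a switch with a mismatched key sees.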
To support Cisco Nexus OS, which assigns user roles instead of privilege levels, add a shell:roles attribute to the exec service of your groups, so the admin group becomes:
# admin group
group = networkadmingroup {
default service = permit
service = exec {
priv-lvl = 15
shell:roles="network-admin"
}
}
The "=" separator marks the attribute as mandatory, and under the TACACS+ rules a device that does not understand a mandatory attribute has to reject the authorization; if the same group also serves IOS switches, write it as shell:roles*"network-admin" (the "*" separator marks it optional, and unknown optional attributes are ignored). The built-in read-only NX-OS role is network-operator.
References:
http://freelinuxtutorials.com/tutorials/installation-setup-of-free-tacacs-server-in-linux/
http://wiki.gentoo.org/wiki/TACACS_Server_using_tac_plus#Installation
http://www.debianhelp.co.uk/tacas.htm
http://routing-bits.com/2011/05/24/nexus-user-roles/