TACACS+ Config

October 8, 2013

Lab environment/requirements
Ubuntu/Debian server
tac_plus (TACACS+ daemon) from Shrubbery Networks
Cisco Catalyst switches
User ID: advanxer
Password: helloworld
Enable password: ciscoenable

Download and install tacacs+
wget ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F4.0.4.27a.tar.gz

Extract it
tar -zxvf tacacs+-F4.0.4.27a.tar.gz

Go into extracted folder
cd tacacs+-F4.0.4.27a

Install dependencies (if needed)
apt-get install build-essential flex bison libwrap0-dev

Install tacacs+
./configure
make install

Check tacacs+ is installed
ls /usr/local/bin/
You should see 2 files:
tac_plus – the TACACS+ daemon
tac_pwd – generates a DES (default) or MD5 (-m) crypt(3) hash of a password for use in tac_plus.conf
Note that DES crypt only uses the first 8 characters of a password, so "helloworld" and "helloword" produce the same hash and both log in against it. Prefer tac_pwd -m (MD5) for anything beyond a lab.

Create the user ID and its password hash. For example, for username advanxer with password helloworld:
root@vps:~# tac_pwd
Password to be encrypted: helloworld
6Zvw8uD3yX4eI

Create the hash for the enable password:
root@vps:~# tac_pwd
Password to be encrypted: ciscoenable
2mq3JtC3knwQw

Now we have this user info:
username advanxer
cleartext password helloworld, hash 6Zvw8uD3yX4eI
cleartext enable password ciscoenable, hash 2mq3JtC3knwQw

Tacacs+ configuration
Create a tacacs folder in /etc and create the tac_plus.conf file in it. The file holds the shared key and all password hashes, so keep it readable by root only.
mkdir /etc/tacacs
cd /etc/tacacs
nano tac_plus.conf

# shared secret between tac_plus and the switches (NAS key)
key = "sup36s3c63t"

# where accounting records go
accounting file = /var/log/tacacs.log

#Enable password setup for all users:
user = $enable$ {
login = des 2mq3JtC3knwQw
}

# user accounts: per-user details are defined here
user = advanxer {
default service = permit
member = networkadmingroup
login = des 6Zvw8uD3yX4eI
}

# user account for read-only access
# (this lab reuses advanxer's hash, i.e. the same password; in practice generate a separate one with tac_pwd)
user = helpdesk {
default service = deny
member = readonly
login = des 6Zvw8uD3yX4eI
}

#group details
# admin group
group = networkadmingroup {
default service = permit
service = exec {
priv-lvl = 15
}
}

# read only group
group = readonly {
default service = deny
service = exec {
priv-lvl = 0
}
cmd=show {
permit .*
}
cmd=enable {
permit .*
}
cmd=exit {
permit .*
}
}

To support Cisco Nexus (NX-OS), add a shell:roles attribute to the exec service of each group, so the admin group becomes:
# admin group
group = networkadmingroup {
default service = permit
service = exec {
priv-lvl = 15
shell:roles="network-admin"
}
}
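The steps above are easy to get wrong by hand (an unclosed brace, a member line pointing at a group that was never defined, a hash that was pasted short). The following shell script, added here as an example and not part of the original post or of the tac_plus distribution, writes the same lab configuration from the hashes produced by tac_pwd (with the optional NX-OS shell:roles line) and then runs a few sanity checks over the file before it is handed to tac_plus. The function names, the output layout and the lint rules are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): generate a tac_plus.conf from
# tac_pwd hashes and lint it before tac_plus loads it.
set -eu

# Emit a tac_plus.conf to stdout.
#   $1 shared key   $2 enable hash   $3 admin user hash   $4 read-only user hash
#   $5 (optional) NX-OS role to put in shell:roles="..." of the admin group
gen_tacplus_conf() {
    key=$1; enable_hash=$2; admin_hash=$3; ro_hash=$4; nexus_role=${5:-}
    if [ -n "$nexus_role" ]; then
        # newline embedded so the attribute lands on its own line below priv-lvl
        role_line="
        shell:roles=\"$nexus_role\""
    else
        role_line=""
    fi
    cat <<EOF
# shared secret between tac_plus and the switches (NAS key)
key = "$key"

# where accounting records go
accounting file = /var/log/tacacs.log

# enable password for every user
user = \$enable\$ {
    login = des $enable_hash
}

user = advanxer {
    member = networkadmingroup
    login = des $admin_hash
}

user = helpdesk {
    member = readonly
    login = des $ro_hash
}

group = networkadmingroup {
    default service = permit
    service = exec {
        priv-lvl = 15$role_line
    }
}

group = readonly {
    default service = deny
    service = exec {
        priv-lvl = 0
    }
    cmd = show { permit .* }
    cmd = enable { permit .* }
    cmd = exit { permit .* }
}
EOF
}

# Lint a tac_plus.conf: braces must balance, every "member = X" must name a
# defined group, and every "login = des" hash must look like a 13-character
# DES crypt or a $1$ MD5 crypt. Returns 0 when clean, 1 otherwise.
lint_tacplus_conf() {
    f=$1; rc=0
    opens=$(grep -o '{' "$f" | wc -l)
    closes=$(grep -o '}' "$f" | wc -l)
    [ "$opens" -eq "$closes" ] || { echo "unbalanced braces: $opens { vs $closes }"; rc=1; }
    for g in $(sed -n 's/^[[:space:]]*member[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$f"); do
        grep -Eq "^[[:space:]]*group[[:space:]]*=[[:space:]]*$g[[:space:]]*\{" "$f" \
            || { echo "member references undefined group: $g"; rc=1; }
    done
    for h in $(sed -n 's/^[[:space:]]*login[[:space:]]*=[[:space:]]*des[[:space:]]*\([^[:space:]]*\).*/\1/p' "$f"); do
        case $h in
            \$1\$*) ;;                                   # MD5 crypt, any length
            *) [ ${#h} -eq 13 ] || { echo "suspicious hash: $h"; rc=1; } ;;
        esac
    done
    return $rc
}
```

Typical use is gen_tacplus_conf 'sup36s3c63t' '2mq3JtC3knwQw' '6Zvw8uD3yX4eI' '6Zvw8uD3yX4eI' > /etc/tacacs/tac_plus.conf followed by lint_tacplus_conf /etc/tacacs/tac_plus.conf; pass network-admin as a fifth argument for the NX-OS variant. The lint only catches structural mistakes; the authoritative check is the daemon's own parser, tac_plus -P -C /etc/tacacs/tac_plus.conf, which parses the file and exits.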
