08 Oct

TACACS+ Config

Lab environment/requirement
Ubuntu/Debian server
Tacacs+ software from Shrubbery
Cisco Catalyst switches
User id: advanxer
Password: helloworld
Enable password: ciscoenable

Download and install tacacs+
wget ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F4.0.4.27a.tar.gz

Extract it
tar -zxvf tacacs+-F4.0.4.27a.tar.gz

Go into extracted folder
cd tacacs+-F4.0.4.27a

Install dependencies (if needed)
apt-get install build-essential flex bison libwrap0-dev

Build and install tacacs+
./configure
make
make install

Check tacacs+ is installed
ls /usr/local/bin/
You should see 2 files:
tac_plus – tacacs+ executable file
tac_pwd – generate DES or MD5 encryption of a password

Create the user ID and encrypted password. In this example the username is advanxer and the password is helloworld:
root@vps:~# tac_pwd
Password to be encrypted: helloworld

Create encrypted password for enable password:
root@vps:~# tac_pwd
Password to be encrypted: ciscoenable

Now we have this user info:
username: advanxer
cleartext password: helloworld, encrypted password: 6Zvw8uD3yX4eI
cleartext enable password: ciscoenable, encrypted password: 2mq3JtC3knwQw

Tacacs+ configuration
Create tacacs folder in /etc & create the tac_plus.conf file
mkdir /etc/tacacs
cd /etc/tacacs
nano tac_plus.conf

# Setting the tacacs/NAS key
key = "sup36s3c63t"

# Where the accounting records go
accounting file = /var/log/tacacs.log

# Enable password setup for all users:
user = $enable$ {
    login = des 2mq3JtC3knwQw
}

# User accounts: user details are defined here
user = advanxer {
    default service = permit
    member = networkadmingroup
    login = des 6Zvw8uD3yX4eI
}

# User account for read-only access
user = helpdesk {
    default service = deny
    member = readonly
    login = des 6Zvw8uD3yX4eI
}

# Group details
# admin group
group = networkadmingroup {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

# read only group
group = readonly {
    default service = deny
    service = exec {
        priv-lvl = 0
    }
    cmd = show {
        permit .*
    }
    cmd = enable {
        permit .*
    }
    cmd = exit {
        permit .*
    }
}
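
An added example, not part of the original post: a small Python check for a tac_plus.conf like the one above that reports unbalanced braces, DES-crypt login hashes, and users that share one hash. The function name, finding codes and sample text are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the config above; last group left unclosed.
SAMPLE = """\
user = $enable$ {
    login = des 2mq3JtC3knwQw
}
user = advanxer {
    login = des 6Zvw8uD3yX4eI
}
user = helpdesk{
    login = des 6Zvw8uD3yX4eI
}
group = readonly {
    default service = deny
"""

def lint_tac_plus(text):
    """Return (code, detail) findings for the text of a tac_plus.conf."""
    findings, depth, user = [], 0, None
    by_hash = defaultdict(list)
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"user\s*=\s*(\S+?)\s*\{", line)
        if m and depth == 0:
            user = m.group(1)
        m = re.match(r"login\s*=\s*(\w+)\s+(\S+)", line)
        if m and user:
            kind, value = m.groups()
            if kind == "des":  # DES crypt(3) uses only the first 8 characters
                findings.append(("weak-des", user))
                by_hash[value].append(user)
            elif kind == "cleartext":
                findings.append(("cleartext", user))
        depth += line.count("{") - line.count("}")
        if depth < 0:
            findings.append(("unmatched-close", f"line {n}"))
            depth = 0
        if depth == 0:
            user = None
    findings += [("shared-hash", ",".join(u)) for u in by_hash.values() if len(u) > 1]
    if depth:
        findings.append(("unclosed-brace", str(depth)))
    return findings

if __name__ == "__main__":
    print(*lint_tac_plus(SAMPLE), sep="\n")
```
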

To support Cisco Nexus OS, add the following lines to your user groups so that they look like this:
# admin group
group = networkadmingroup {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}
