One Unified Global Perspective
Communications with a Global Perspective
2006 Nov 24 - Fri

Tacacs Installation

Updated: 2006/11/23

Here is one of a series of installation procedures for an Open Source monitoring tool.

TACACS+ is used for authenticating users logging in to (mostly) Cisco devices. Shrubbery.net's implementation, tac_plus, is used here.

Installation

Log in to www.shrubbery.net's ftp server and retrieve the tac_plus tarball into /usr/src.  Use 'tar -zxvf' to expand the file, then cd into the newly created directory.

You'll need a couple of prerequisites, the tcp_wrappers library and its development headers (on Debian the development package is libwrap0-dev):

apt-get install libwrap0 libwrap0-dev

Generate the Makefile with configure.  The paths below match the directories used later in this procedure:

./configure \
--bindir=/usr/local/bin \
--sbindir=/usr/local/sbin \
--localstatedir=/var/local/tacacs \
--sysconfdir=/etc \
--with-logfile=/var/log/tacacs/tacacs \
--with-pidfile=/var/run/tacacs.pid \
--with-acctfile=/var/log/tacacs/acctfile

Then perform the build and install, and create the state directory along with the log directory that the --with-logfile and --with-acctfile paths above point at:

make
make install
mkdir /var/local/tacacs /var/log/tacacs

Update /etc/logrotate.conf:

/var/log/tacacs/acctfile /var/log/tacacs/tacacs {
  rotate 10
  daily
  compress
}

Here is an example simple configuration file for /etc/tacacs.conf.  Because it holds the shared key and cleartext passwords, keep it readable only by root:

key = yourkey
user = outech {
  member = admin
  login = cleartext apassword
}
user = lastresort {
  member = admin
  login = cleartext apassword
}
user = webadmin {
  member = level1
  login = cleartext apassword
}
user = $enab15$ {
  login = cleartext apassword
}
group = admin {
  default service = permit
}
group = level1 {
  cmd = show {
    deny run
    permit .*
  }
}
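As an added illustration, not code from this page or from tac_plus itself, here is a small Python model of how the groups above decide command authorization.  It assumes the usual tac_plus rules: a cmd block's deny/permit regexes are tried in order against the command's arguments, a listed command that matches nothing is denied, and a command with no cmd block falls back to the group's 'default service'.

```python
import re

# Constructed from the /etc/tacacs.conf stanza above (the $enab15$ entry is
# only an enable password and has no group, so it is left out).
GROUPS = {
    "admin": {"default_service": "permit", "cmds": {}},
    "level1": {
        "default_service": "deny",  # no 'default service = permit' in level1
        "cmds": {"show": [("deny", r"run"), ("permit", r".*")]},
    },
}
USERS = {"outech": "admin", "lastresort": "admin", "webadmin": "level1"}


def authorize(user, command):
    """Return True if tac_plus would permit `command` for `user`.

    The first word is the command, the remainder its arguments.  A cmd block
    for that command is looked up in the user's group; its rules are tried
    in order and the first regex that matches the arguments decides.  With a
    cmd block present but no matching rule the command is denied.  Without a
    cmd block at all, the group's 'default service' decides.
    """
    group = GROUPS[USERS[user]]
    parts = command.split(maxsplit=1)
    cmd, args = parts[0], (parts[1] if len(parts) > 1 else "")
    rules = group["cmds"].get(cmd)
    if rules is None:
        return group["default_service"] == "permit"
    for action, pattern in rules:
        if re.search(pattern, args):
            return action == "permit"
    return False


def audit(cases):
    """Evaluate (user, command) pairs; handy for checking a policy change."""
    return {(u, c): authorize(u, c) for u, c in cases}


if __name__ == "__main__":
    for (u, c), ok in audit([
        ("webadmin", "show version"),
        ("webadmin", "show running-config"),
        ("webadmin", "configure terminal"),
        ("outech", "show running-config"),
    ]).items():
        print(f"{u:10} {c:25} {'permit' if ok else 'deny'}")
```

The 'deny run' line is an unanchored regex, so it also blocks 'show run' abbreviations and any argument string containing "run"; tighten the pattern if that is broader than intended.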

On the device, use a configuration similar to the following (the original listed 'aaa new-model' twice; it is needed only once, before the aaa lines):

conf t
username lastresort secret apassword
ip tacacs source-interface Loopback0
enable secret apassword
aaa new-model
!
tacacs-server host 10.10.10.10 timeout 3
tacacs-server directed-request
tacacs-server key yourkey
aaa session-id common
aaa authentication login default group tacacs+ local enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
line vty 0 15
  no password
  login authentication default
end

Then start the service with:

tac_plus -C /etc/tacacs.conf

This configuration places a unique local 'lastresort' username, secret, and enable secret on the device.  If the tacacs server becomes unavailable, those are the credentials you use to gain access to the device (the 'local' and 'enable' fallbacks in the aaa authentication lines).  When tacacs is available, the username, secret, and enable credentials defined in the tacacs config file are used instead.

Further Information

A page showing how to automatically assign privilege levels:

http://www.cisco.com/en/US/partner/tech/tk59/technologies_tech_note09186a008009465c.shtml

Blog Content ©2012
Ray Burkholder
All Rights Reserved