How to install free TACACS+ on Ubuntu

Here are the simple steps to install the free TACACS+ application.

1. Download TACACS+
2. Install Free TACACS+ on Ubuntu
3. Configure tac_plus.conf
4. Testing
5. Configure network device (Cisco router)


1. Download TACACS+

Get the latest tacacs+ binary rpm file from http://www.shrubbery.net/tac_plus/

2. Install Free TACACS+ on Ubuntu

Log in to your machine as root to avoid any interruption while installing Free TACACS+.

Typing the following command at the prompt downloads and installs TACACS+ in one step.

root@Ubuntu64#sudo apt-get install tacacs+


3. Configure tac_plus.conf

The TACACS+ configuration directory is /etc/tacacs+, and the configuration file, tac_plus.conf, is located there.

Using the pico or vi editor, open the file tac_plus.conf (as root).

The following essential options are needed to run TACACS+.

# Define where to log accounting data (this is the default). It provides a history of the commands applied by each user from the devices.

accounting file = /var/log/tac_plus.acct

# Use /etc/passwd to do authentication

default authentication = file /etc/passwd

# This is the key that clients (Cisco devices in this case) have to use to access TACACS+. You might need to change it.

key = IPBALANCE

# User accounts (optional)

user = Security_Engineer {
        member = Engineers
}

user = Network_Engineer {
        member = Engineers
}

user = Network_Technician {
        member = Technician
}

user = Gov_sales {
        member = Sales
}

# Groups (optional)

group = Engineers {
        default service = permit
        login = file /etc/passwd
        enable = file /etc/passwd
}

# Technicians get priv-lvl 2 and, because of 'default service = deny',
# may only run the commands listed in the cmd blocks below.
group = Technician {
        default service = deny
        service = exec {
                priv-lvl = 2
        }
        cmd = enable {
                permit .*
        }
        cmd = show {
                permit .*
        }
        cmd = exit {
                permit .*
        }
}

# Users

user = user1 {
        member = Engineers
}

---- or ----

If you are not using the /etc/passwd file for login, you can define each user
with the configuration below.

# Enable password for privilege level 15
user = $enab15$ {
        login = cleartext Pr1celess
}

# Profiles for user accounts

user = Superman {
        login = cleartext SuperPOP40
}

In this case the username is Superman and the password is SuperPOP40.

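As an added illustration (not part of the original post and not tac_plus's own code), the following Python model replays the command-authorization decisions that the Engineers and Technician groups above produce, plus a constructed HelpDesk group that shows why rule order matters: the text after the command name is tested against each permit/deny regex in order, the first match wins, and a command with no cmd block falls back to 'default service'. The HelpDesk group and the "no rule matched means deny" fallback are assumptions of this model.

```python
import re

# Policies transcribed from the tac_plus.conf groups above, plus a constructed
# HelpDesk group (an assumption, not from the post) whose 'show' block lists a
# deny rule before 'permit .*'. This is a simplified model of how tac_plus
# evaluates command authorization, not tac_plus's own implementation.
POLICIES = {
    "Engineers": {"default": "permit", "cmds": {}},
    "Technician": {
        "default": "deny",
        "cmds": {
            "enable": [("permit", r".*")],
            "show": [("permit", r".*")],
            "exit": [("permit", r".*")],
        },
    },
    "HelpDesk": {
        "default": "deny",
        "cmds": {
            "show": [("deny", r"running-config"), ("permit", r".*")],
            "exit": [("permit", r".*")],
        },
    },
}


def authorize(group, command_line):
    """Return 'permit' or 'deny' for a command line such as 'show ip route'."""
    policy = POLICIES[group]
    parts = command_line.split(None, 1)
    cmd, args = parts[0], (parts[1] if len(parts) > 1 else "")
    rules = policy["cmds"].get(cmd)
    if rules is None:
        # No cmd block for this command: 'default service' decides.
        return policy["default"]
    for action, pattern in rules:
        # Arguments are matched with an unanchored regex; first match wins.
        if re.search(pattern, args):
            return action
    # A cmd block exists but no rule matched: treat as deny (assumed, conservative).
    return "deny"


if __name__ == "__main__":
    for group, line in [("Technician", "show running-config"),
                        ("Technician", "configure terminal"),
                        ("HelpDesk", "show running-config")]:
        print(f"{group:10} {line:22} -> {authorize(group, line)}")
```
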
4. Testing.

# Modify/add the file /etc/tacacs+/tac_plus.conf.

user = test {
        member = GROUP_TEST
}

# login/enable are group-level attributes, so they sit outside the
# 'service = exec' block; the password method must be given explicitly.
group = GROUP_TEST {
        default service = permit
        service = exec {
                priv-lvl = 15
        }
        login = cleartext 12345
        enable = cleartext cisco
}

# Add user
root@Ubuntu64:~# sudo adduser test

# Restart TACACS+
root@Ubuntu64:~# sudo /etc/init.d/tacacs_plus restart

# Debugging
From the Cisco box:

Cisco_Router# terminal monitor
Cisco_Router# debug aaa authorization

* Use 'u all' (undebug all) to disable debugging.

5. Configure Network Device (Cisco Router)

username scbnm privilege 0 secret CISCO
enable secret Ci$co
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

tacacs-server host 192.168.80.80
tacacs-server key IPBALANCE
tacacs-server directed-request
ip tacacs source-interface VLAN xxx

# Add accounting

From the Cisco router:

aaa accounting exec default start-stop tacacs+
aaa accounting connection default start-stop tacacs+
aaa accounting network default start-stop tacacs+
aaa accounting system default start-stop tacacs+