How to install free TACACS+ on Ubuntu

Tweet

Here is the simple steps to install free TACACS+ application. 

1. Download TACACS+

Get lastest tacacs+ binary rpm file from http://www.shrubbery.net/tac_plus/

 

2. Install Free TACACS+ on Ubuntu

Login your machine as a ‘root’ (account) to avoid any interruption while installing Free TACACS+

By typing following command from prompt, the TACACS+ could download and install at the same time.

 

root@Ubuntu64#sudo apt-get install tacacs+

 

3. Configure tac_plus.config

TACACS+ application is installed at /etc/tacacs+. And configuration file, tac_plus.conf is located under the directory.

Using pico/vi editor, open the file, tac_plus.conf (as a root) 

 

The following essential options are needed to run TACACS+  

 

# Define where to log accounting data, this is the default. It will provide a history of commands applied by each users from devices

accounting file = /var/log/tac_plus.acct

 

 

# Use /etc/passwd to do authentication

default authentication = file /etc/passwd 

 

# This is the key that clients(Cisco devices in this case) have to use to access Tacacs+

key = IPBALANCE <—- You might need to change it.  

 

# user accounts(optional)  

user = Security_Engineer {
        member = Engineers
}

user = Network_Engineer {
        member = Engineers
}

user = Network_Technician {
        member = Technician
}
user = Gov_sales {
        member = Sales
}

# Group(optional)

group = Engineers {
        default service = permit
        login = file /etc/passwd
        enable = file /etc/passwd

 

group = Technician {
       default service = deny
       service = exec {

        priv-lvl = 2

        }

        cmd = enable {

                permit .*

        }

        cmd = show {

                permit .*

        }

        cmd = exit {

                permit .*

        }

}

 

# Users
 
user = user1 {
        member = Engineers
}
 
---- or ----
If you are not using /etc/passwd file to login, you could define each user
with below configuration


user = $enab15$ {
 login = cleartext Pr1celess
 }
 
 # Profiles for user accounts
 
 user = Superman {
 login = cleartext SuperPOP40
 }


In this case, username; Superman and password; SuperPOP40 

 

4. Testing.
# Modify/add a file, /etc/tacacs+/tac_plus.conf. 
 
user = test {
        member = GROUP_TEST
}

group = GROUP_TEST { 
        default service = permit
        service = exec { 
        priv-lvl = 15
         login = 12345
         enable = cisco }

 
# Add user
root@Ubuntu64:~# sudo adduser test

# Restart TACACS+
root@Ubuntu64:~# sudo /etc/init.d/tacacs_plus restart


# Debugging 
From Cisco box
Cisco_Router# terminial monitor
Cisco_Router# debug aaa authorization
* 'u all' for disable debug command

 
 
5.  Configure Network Device(Cisco Router)
 
username scbnm privilege 0 secret CISCO
enable secret Ci$co
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
 
tacacs-server host 192.168.80.80
tacacs-server key IPBALANCE
tacacs-server directed-request
ip tacacs source-interface VLAN xxx

# Add accounting 
From Cisco router
 
aaa accounting exec default start-stop tacacs+
aaa accounting connection default start-stop tacacs+
aaa accounting network default start-stop tacacs+
aaa accounting system default start-stop tacacs+