GNS3 and Ubuntu VM for TACACS+

BSpendlove


I was just testing around and finding a simple way to have a look at TACACS+ without getting a friend to obtain Cisco ACS for me. I have an Ubuntu VM that I was testing on, so I thought I'd find a TACACS+ package or something similar. Many are available, but I found one which is based on the original Cisco TACACS+ code (it doesn't provide LDAP integration, but they have examples of how to 'almost' fully integrate it haha)...

 

So this is more or less a quick post so I can look back when I need to review all the studies and such. Assuming we currently have the VM installed and updated (currently using Ubuntu Server 17.04).

 

sudo apt-get install tacacs+

 

We need to do a tiny bit of configuration for the shared secret, user/groups and then finally the device configuration to get the basics up and running. Once the package is installed, we will mainly be working in: /etc/tacacs+/tac_plus.conf.

 

I normally copy this file and rename it .old so I can refer back to it if needed, and clear the config file since there are many comments and I like a tidy file... ;) The main changes we will make are:

 

key = mynewsecretkey123

 

and then creating users/groups. We can do quite a bit (there are some examples in the .old conf file I mentioned copying), but to get the bare basic configuration up and running I'll create a user and a group. The group will permit all commands by default; we can define specific commands to permit/deny, which is the advantage of TACACS+ compared to RADIUS. With RADIUS we can define the privilege level, but I believe we can't limit specific commands...

key = oioi123

user = netdbackup {
    member = backup_operators
}

group = backup_operators {
    default service = permit
    login = file /etc/passwd
    enable = file /etc/passwd
}

A lot of people recommend using Linux authentication (creating the user in Linux as well), since the alternatives in the configuration file are clear text passwords or DES-based crypt hashes, which isn't the best...

 

Once we have made a change to the configuration file we'll issue:  sudo /etc/init.d/tacacs_plus restart

If any errors occur, the configuration file probably has a typo in it.

 

That is practically the basic setup; we just need to create a quick user in Linux. I've created the user 'netdbackup' with a password of oioi456...

 

Now the configuration is extremely easy on our devices. I've come across a ton of posts that just tell you what to put and don't explain it. My VM is assigned 10.0.100.10 and the topology looks like this:

[Topology diagram image]

 

Firstly, we'll start with our basics of a local user to roll back on in the event of the tacacs+ server going offline:

R1(config)#username cisco priv 15 password cisco
R1(config)#enable secret cisco

 

Let's begin with the configuration for TACACS+ and AAA.

R1(config)#tacacs-server host 10.0.100.10        ! Defines our host; even when we create an AAA group we still need to define this
R1(config)#tacacs-server key oioi123             ! Our key from the configuration file on the TACACS+ server
R1(config)#tacacs-server directed-request        ! Lets users choose which TACACS+ server to authenticate with if we have multiple
R1(config)#aaa new-model                         ! Enables AAA and gives us more commands
R1(config)#aaa group server tacacs+ TAC_SERVERS  ! Creates a TACACS+ server group called TAC_SERVERS
R1(config-sg-tacacs+)#server 10.0.100.10         ! Adds our TACACS+ server to the group
R1(config-sg-tacacs+)#exit
R1(config)#aaa authentication login default group TAC_SERVERS local   ! Use our TACACS+ group, then fall back to local authentication
R1(config)#aaa authorization exec default group TAC_SERVERS local if-authenticated
! Authorizes the exec session through TACACS+, so we shouldn't need the enable secret/password to get into privileged mode.
! Method order: TACACS+ first, then the local database, and finally 'if-authenticated', which permits the exec simply because the user has already authenticated.
! Beware: a few bugs existed in IOS 12.4 where this would prompt 'Authentication failed'.
!!!output omitted
User Access Verification

Username: netdbackup
Password: 

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#

 

3 Comments

I'm trying this command, but it still seems I get Authorization Denied. Just wondering if you used Telnet or SSH for yours, but I guess redo my configurations on the router since I had no problems with restarting the TACACS service on Linux. Is it the secret key that you would use to login along with the created username?

10 hours ago, Bubblewhale said:

I'm trying this command, but it still seems I get Authorization Denied. Just wondering if you used Telnet or SSH for yours, but I guess redo my configurations on the router since I had no problems with restarting the TACACS service on Linux. Is it the secret key that you would use to login along with the created username?

It should work both via telnet and ssh, the secret key is what you define on the device:

 

R1(config)#tacacs-server key oioi123	

 

But I used Linux to authenticate the password; you can create a user on the Linux box itself and then point the passwords in the tac_plus.conf to use /etc/passwd. Sorry I wasn't clear about that :D

11 hours ago, BSpendlove said:

It should work both via telnet and ssh, the secret key is what you define on the device:

 


R1(config)#tacacs-server key oioi123	

 

But I used Linux to authenticate the password; you can create a user on the Linux box itself and then point the passwords in the tac_plus.conf to use /etc/passwd. Sorry I wasn't clear about that :D

Alright thanks! Got everything working right!
