  1. Informative
    Clyne reacted to BSpendlove for a blog entry, GNS3 and Ubuntu VM for TACACS+
    I was just testing around and finding a simple way to have a look at TACACS+ without getting a friend to obtain Cisco ACS for me. I have an Ubuntu VM that I was testing on so I thought I'd find a TACACS+ package or something; many are available but I found one which is based off the original Cisco TACACS+ code (doesn't provide LDAP integration but they have examples of how to 'almost' fully integrate it haha)...
     
    So this is more or less a quick post so I can look back when I need to review all the studies and such. Assuming currently we have the VM installed and updated (currently using Ubuntu Server 17.04).
     
    sudo apt-get install tacacs+
     
    We need to do a tiny bit of configuration for the shared secret, user/groups and then finally the device configuration to get the basics up and running. Once the package is installed, we will mainly be working in: /etc/tacacs+/tac_plus.conf.
     
    I normally copy this file and rename it .old so I can refer back to it if needed, and clear the config file since there are many comments and I like a tidy file... The main change we will make is:
     
    key = mynewsecretkey123
     
    and then creating users/groups. We can do quite a bit (some examples in the .old conf file I mentioned to copy) but to get the bare basic configuration all up and running I'll create a user and a group (which by default will permit all commands; we can define specific commands to permit/deny, which is the advantage of TACACS+ compared to RADIUS... with RADIUS we can define the privilege level but I believe we can't limit specific commands...)
    key = oioi123
    user = netdbackup {
        member = backup_operators
    }
    group = backup_operators {
        default service = permit
        login = file /etc/passwd
        enable = file /etc/passwd
    }
     
    A lot of people recommend using the authentication in Linux (create the user also in Linux) since we can use either clear text passwords in our configuration file, or DES encryption which isn't the best...
     
    Once we have made a change to the configuration file we'll issue:
    sudo /etc/init.d/tacacs_plus restart
    If any errors occur, the configuration file may have a typo in it.
     
    That is practically the basic setup, we just need to create a quick user in Linux. I've created the user 'netdbackup' with a password of oioi456...
     
    Now the configuration is extremely easy on our devices. I've come across a ton of posts that just tell you what to put and don't explain it. My VM is assigned 10.0.100.10 and the topology looks like this:

     
    Firstly, we'll start with our basics of a local user to roll back on in the event of the tacacs+ server going offline:
    R1(config)#username cisco priv 15 password cisco
    R1(config)#enable secret cisco
    Let's begin with the configuration for TACACS+ and AAA.
    R1(config)#tacacs-server host 10.0.100.10
    !Defines our host; even when we create our AAA group, we still need to define this
    R1(config)#tacacs-server key oioi123
    !Our key in the configuration file on the TACACS+ server
    R1(config)#tacacs-server directed-request
    !This allows users to choose which TACACS+ server to authenticate with if we have multiple
    R1(config)#aaa new-model
    !Enable AAA and give us more commands
    R1(config)#aaa group server tacacs+ TAC_SERVERS
    !We are creating a TACACS+ group and called it TAC_SERVERS
    R1(config-sg-tacacs+)#server 10.0.100.10
    !Adding our TACACS+ server to our group to authenticate with
    R1(config)#aaa authentication login default group TAC_SERVERS local
    !Use our TACACS+ group, then fall back to local authentication
    R1(config)#aaa authorization exec default group TAC_SERVERS local if-authenticated
    !Practically allows us to authenticate with our user so we shouldn't need the enable secret/password to get into priv mode. Although beware, since a few bugs existed in IOS 12.4 where an error message would prompt 'Authentication failed'. This command practically uses TACACS+ first, then local, and finally falls back onto if we are already authenticated with the device
     
    !!!output omitted
    User Access Verification
    Username: netdbackup
    Password:
    R1#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    R1(config)#
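    A small audit script, added here as an example and not part of BSpendlove's post or the tac_plus project: it reads tac_plus.conf text of the shape shown above and flags the weak spots the post touches on, namely cleartext or DES passwords kept in the file, a short shared key, and user/group blocks that permit every command with no cmd restrictions. The sample configuration, the second user, its hash string and the key length threshold are all constructed for the example.

```python
import re
from typing import Iterator, List, Tuple

# Constructed sample in the tac_plus.conf style used in the post above; the
# second user, its hash string and the key are made up, not the author's config.
SAMPLE_CONF = """
key = oioi123
user = netdbackup { member = backup_operators }
user = legacyadmin {
    login = cleartext "Summer2017"    # readable by anyone who can read the file
    enable = des "XQj4c2Nvx1D9Q"      # fake crypt(3) string, constructed for this example
}
group = backup_operators {
    default service = permit
    login = file /etc/passwd
    enable = file /etc/passwd
}
"""

def blocks(conf: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (kind, name, body) for each user/group block, tracking nested braces."""
    for m in re.finditer(r"\b(user|group)\s*=\s*(\S+)\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), m.group(2), conf[m.end():i - 1]

def audit_tac_plus(conf: str, min_key_len: int = 16) -> List[str]:
    """Return findings: short or missing key, cleartext/DES passwords in the file,
    and blocks that permit every command without any cmd restrictions."""
    # Drop '#' comments first so nothing inside them is parsed as a setting.
    conf = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    findings = []
    key = re.search(r"^\s*key\s*=\s*(\S+)", conf, re.M)
    key_len = len(key.group(1).strip('"')) if key else 0
    if key_len == 0:
        findings.append("no shared key defined")
    elif key_len < min_key_len:
        findings.append(f"shared key is {key_len} chars; use at least {min_key_len}")
    for kind, name, body in blocks(conf):
        for attr, method in re.findall(r"\b(login|enable)\s*=\s*(cleartext|des)\b", body):
            findings.append(f"{kind} {name}: {attr} uses a {method} password stored in the file")
        if re.search(r"default\s+service\s*=\s*permit", body) and "cmd" not in body:
            findings.append(f"{kind} {name}: default service = permit with no cmd restrictions")
    return findings

if __name__ == "__main__":
    for finding in audit_tac_plus(SAMPLE_CONF):
        print("WARN:", finding)
```

    Run against the real file with audit_tac_plus(open("/etc/tacacs+/tac_plus.conf").read()); the 16-character key threshold is an assumption, not a tac_plus requirement.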