Tacacs Plus installation and configuration with Active Directory

By | April 19, 2020

TACACS (Terminal Access Controller Access Control System) is an authentication protocol, commonly used on UNIX networks, that provides remote access control, authentication and related services through a centralized server. The protocol comes in three variants: TACACS, XTACACS, and TACACS+.

In this topic we are going to discuss, install, and configure TACACS+ on Red Hat 7.4 and bind its authentication back-end to Microsoft Active Directory (AD). Following is the logical flow diagram of the lab we are going to work on.

Tacacs+ Installation

Install prerequisites and other dependencies
# yum -y install gcc perl-LDAP wget bind-utils bzip2

Download the Tacacs+ server package
# wget http://www.pro-bono-publico.de/projects/src/DEVEL.tar.bz2

Extract the downloaded package
# tar xvfj DEVEL.tar.bz2

Compile and install the Tacacs+ server from source
# cd PROJECT/
# ./configure tac_plus
# make
# make install

Create a directory for Tacacs+ logs
# mkdir -m 760 /var/log/tac_plus

Create the Tacacs+ systemd service unit
# cp tac_plus/extra/tac_plus.service /etc/systemd/system/

Tacacs+ Configuration

After the installation has completed, create the Tacacs+ configuration file tac_plus.cfg in the /usr/local/etc directory:
# vi /usr/local/etc/tac_plus.cfg

Configure your Tacacs+ server with the following configuration. Adjust the site-specific values (the ones highlighted in red in the original post: LDAP host, base DN, bind account and password, device key and network range) to match your own environment.
#!/usr/local/sbin/tac_plus
######################### Start of Config ############################
## Event mechanism
setenv IO_POLL_MECHANISM = 4
id = spawnd {
    listen = { port = 49 }
    background = yes
}
id = tac_plus {
    ## AAA logs on local TACACS server
    authentication log = /var/log/tac_plus/authentication_%Y%m%d.log
    authorization log = /var/log/tac_plus/authorization_%Y%m%d.log
    accounting log = /var/log/tac_plus/accounting_%Y%m%d.log
    password max-attempts = 3
    single-connection = yes
    ## MAVIS configuration
    ## Systems & Network Administrator LDAP backend (Active Directory)
    mavis module = external {
        setenv LDAP_SERVER_TYPE = "microsoft"
        # Plain LDAP on 389 is left commented out; LDAPS on 636 is used instead
        # setenv LDAP_HOSTS = "ldap://sna-dc01.sysnet-admin.com:389"
        setenv LDAP_HOSTS = "ldaps://sna-dc01.sysnet-admin.com:636"
        setenv LDAP_SCOPE = sub
        setenv LDAP_BASE = "dc=sysnet-admin,dc=com"
        setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
        setenv LDAP_USER = "tacacs.bind@sysnet-admin.com"
        # Bind account password in clear text: keep this file readable by root only
        setenv LDAP_PASSWD = P@ssw0rd
        setenv AD_GROUP_PREFIX = tacacs_
        setenv REQUIRE_AD_GROUP_PREFIX = 1
        exec = /usr/local/lib/mavis/mavis_tacplus_ads.pl
    }
    ## Shadow backend configuration for local authentication
    mavis module = external {
        setenv SHADOWFILE = /etc/shadow
        exec = /usr/local/lib/mavis/mavis_tacplus_shadow.pl
    }
    login backend = mavis
    user backend = mavis
    ## Host definition
    host = nas_cisco {
        key = "cisco"
        address = 192.168.10.0/24
    }
    ## ACL definition
    acl = acl_net permit {
        nas = nas_cisco
    }
    acl = acl_net deny {
        nas = 0.0.0.0/0
    }
    ## Group definition
    # Admin group with full permission
    group = NetAdmins {
        message = "[Network Administrator Privileges Mode!!!]"
        acl = acl_net
        default service = permit
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 15
        }
    }
    # Operator group with specific permissions and allowed commands
    group = NetOperators {
        message = "[Operator Privileges Mode!!!]"
        acl = acl_net
        default service = deny
        service = shell {
            default command = deny
            set priv-lvl = 15
            cmd = show { deny star.* }
            cmd = show { permit .* }
            cmd = exit { permit .* }
            cmd = logout { permit .* }
            cmd = ping { permit .* }
            cmd = traceroute { permit .* }
            message deny = "You are not allowed to use this command. Contact the Administrator!"
        }
    }
    # Read-only group with privilege level 7
    group = NetReadOnly {
        message = "[Read Only Privileges 7 for Service Account!!!]"
        acl = acl_net
        service = shell {
            default command = permit
            set priv-lvl = 7
            message deny = "You are not allowed to use this command. Contact the Administrator!"
        }
    }
}
########################## End of Config ############################
After you have saved the configuration, use the following command to parse and verify it (-P only checks the configuration; it does not start the daemon):
# /usr/local/sbin/tac_plus -P /usr/local/etc/tac_plus.cfg

Enable the Tacacs+ service at boot and start it:
# systemctl enable tac_plus && systemctl start tac_plus

Use the following command to restart the Tacacs+ service after any further configuration change:
# systemctl restart tac_plus.service

Users and Groups on Microsoft Active Directory

We have created three users with different roles, as shown in the diagram, and three groups for administrators, operators, and read-only users.
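The AD_GROUP_PREFIX and REQUIRE_AD_GROUP_PREFIX settings in the configuration above decide which of a user's AD groups are handed to tac_plus and whether a user with no such group is rejected. The following is an added example, not code from this post or from the tac_plus/MAVIS project: it models that mapping in Python over a constructed memberOf sample. It assumes (my assumption, to be checked against the comments in mavis_tacplus_ads.pl for your version) that the prefix is stripped and the remainder must match a group name defined in tac_plus.cfg; the user names other than tacadmin and tacreadonly, and all DNs, are constructed sample values.

```python
import re

# Values taken from the tac_plus.cfg in this post
AD_GROUP_PREFIX = "tacacs_"
REQUIRE_AD_GROUP_PREFIX = True
# Group names defined in tac_plus.cfg (these are case-sensitive on the tac_plus side)
TACPLUS_GROUPS = ("NetAdmins", "NetOperators", "NetReadOnly")

# Constructed sample: the memberOf values a directory lookup would return.
SAMPLE_DIRECTORY = {
    "tacadmin": [
        "CN=tacacs_NetAdmins,OU=Groups,DC=sysnet-admin,DC=com",
        "CN=Domain Users,CN=Users,DC=sysnet-admin,DC=com",
    ],
    "tacoperator": [  # constructed user name
        "CN=TACACS_netoperators,OU=Groups,DC=sysnet-admin,DC=com",  # AD names are case-insensitive
    ],
    "tacreadonly": [
        "CN=tacacs_NetReadOnly,OU=Groups,DC=sysnet-admin,DC=com",
        "CN=tacacs_Guests,OU=Groups,DC=sysnet-admin,DC=com",  # prefixed, but no tac_plus group
    ],
    "jdoe": [  # constructed user name with no tacacs_ group at all
        "CN=Domain Users,CN=Users,DC=sysnet-admin,DC=com",
        "CN=Network\\, Team,OU=Groups,DC=sysnet-admin,DC=com",  # escaped comma in the CN
    ],
}

# First RDN of a DN: "CN=" followed by value, allowing backslash-escaped characters
_RDN_CN = re.compile(r"^CN=((?:\\.|[^,])*)", re.IGNORECASE)


def group_cn(dn):
    """Return the CN value of a group DN with LDAP backslash escapes removed."""
    m = _RDN_CN.match(dn)
    if not m:
        return None
    return re.sub(r"\\(.)", r"\1", m.group(1)).strip()


def tacacs_groups(member_of):
    """Keep only groups carrying AD_GROUP_PREFIX (assumed: prefix stripped, rest
    matched case-insensitively against tac_plus group names).  Returns
    (matched tac_plus group names, prefixed AD groups with no tac_plus group)."""
    by_lower = {g.lower(): g for g in TACPLUS_GROUPS}
    matched, unmapped = [], []
    for dn in member_of:
        cn = group_cn(dn)
        if not cn or not cn.lower().startswith(AD_GROUP_PREFIX.lower()):
            continue
        name = cn[len(AD_GROUP_PREFIX):]
        if name.lower() in by_lower:
            matched.append(by_lower[name.lower()])
        else:
            unmapped.append(cn)
    return matched, unmapped


def authorize(username, directory=SAMPLE_DIRECTORY):
    """Decide what tac_plus would learn about the user from the AD lookup."""
    member_of = directory.get(username)
    if member_of is None:
        return {"result": "NOT_FOUND", "groups": [], "unmapped": []}
    groups, unmapped = tacacs_groups(member_of)
    if REQUIRE_AD_GROUP_PREFIX and not groups:
        return {"result": "DENIED", "groups": [], "unmapped": unmapped}
    return {"result": "OK", "groups": groups, "unmapped": unmapped}


if __name__ == "__main__":
    for user in ("tacadmin", "tacoperator", "tacreadonly", "jdoe", "nobody"):
        print(user, authorize(user))
```

The "unmapped" list is worth logging in practice: a group such as tacacs_Guests carries the prefix but has no matching group block in tac_plus.cfg, so membership in it grants nothing, and with REQUIRE_AD_GROUP_PREFIX = 1 a user whose only prefixed group is unmapped still ends up denied.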

Cisco Device Configuration

Now we can configure the Cisco devices to use the Tacacs+ server. I am using a Cisco 3725 router in GNS3.
# aaa new-model
# ip tacacs source-interface FastEthernet 0/0
# tacacs-server host 192.168.10.11 key cisco
# aaa authentication password-prompt "Please enter password:"
# aaa authentication username-prompt "Please enter username:"
# aaa authentication login default group tacacs+ local
# aaa authentication enable default group tacacs+ enable
# aaa authorization console
# aaa authorization config-commands
# aaa authorization exec default group tacacs+ local if-authenticated
# aaa authorization commands 15 default group tacacs+ local if-authenticated
# aaa accounting exec default start-stop group tacacs+
# aaa accounting commands 15 default start-stop group tacacs+
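The key "cisco" appears twice in this lab: in the host = nas_cisco block on the server and in the tacacs-server host line on the router. The following is an added example, not code from this post, from the tac_plus project or from Cisco: a small pure-Python model of TACACS+ packet framing and body obfuscation as specified in RFC 8907 (12-byte header; body XORed with a chain of MD5 digests seeded by the session id, the shared key, the version byte and the sequence number). It shows why the two keys must match, and that a key mismatch yields an unreadable body rather than an error. The session id, user name, port and remote address in the demo are constructed sample values.

```python
"""Model of TACACS+ (RFC 8907) framing and body obfuscation.

The shared key is not used for encryption in the cryptographic sense: the body
is XORed with an MD5-derived pseudo-pad, which is why the RFC expects TACACS+
to be carried over a trusted management network or a protected transport.
"""
import hashlib
import os
import struct

TAC_PLUS_MAJOR_VER = 0xC          # version byte = (major << 4) | minor
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body is sent in the clear
HEADER_FMT = "!BBBBII"            # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_(n-1)); the digests are
    concatenated and truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, priv_lvl=1):
    """Authentication START body for an ASCII login (password comes later)."""
    action, authen_type, service = 0x01, 0x01, 0x01  # LOGIN, ASCII, LOGIN
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    fixed = struct.pack("!8B", action, priv_lvl, authen_type, service,
                        len(u), len(p), len(r), len(d))
    return fixed + u + p + r + d


def build_packet(ptype, seq_no, session_id, body, key):
    """Frame a body; an empty key sends it unobfuscated with the flag set."""
    version = (TAC_PLUS_MAJOR_VER << 4) | 0
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    wire_body = obfuscate(body, session_id, key, version, seq_no) if key else body
    header = struct.pack(HEADER_FMT, version, ptype, seq_no, flags, session_id, len(body))
    return header + wire_body


def parse_packet(packet, key):
    """Return (header fields, body) using the given key to undo the pad."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    wire_body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(wire_body) != length:
        raise ValueError("truncated body")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = wire_body
    else:
        body = obfuscate(wire_body, session_id, key, version, seq_no)
    hdr = {"version": version, "type": ptype, "seq_no": seq_no,
           "flags": flags, "session_id": session_id}
    return hdr, body


def demo(key=b"cisco", wrong_key=b"not-cisco", session_id=None):
    """Build one START packet, decode it with the right and a wrong key."""
    if session_id is None:
        session_id = int.from_bytes(os.urandom(4), "big")  # constructed per run
    body = authen_start_body("tacadmin", "tty0", "192.168.10.5")  # constructed sample
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, session_id, body, key)
    hdr, decoded = parse_packet(pkt, key)
    _, garbled = parse_packet(pkt, wrong_key)
    return {
        "header": hdr,
        "body_len": len(body),
        "wire_body_hidden": pkt[HEADER_LEN:] != body,
        "round_trip_ok": decoded == body,
        "wrong_key_decodes": garbled == body,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because a wrong key produces garbage rather than a rejection, a key mismatch between router and server shows up in the tac_plus authentication log as failures for every user rather than as a clear "bad key" message; checking that both sides really use the same key is the first thing to verify when every login fails.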

Let's test signing in to the Cisco router as the tacadmin user. tacadmin has full access, so he can make any changes on this router.

Now let's sign in to the Cisco router as the tacreadonly user. He should not have permission to make any changes, and he also cannot enter configuration mode.


Bingo! We have successfully configured the Tacacs+ server with Active Directory.
