TACACS (Terminal Access Controller Access Control System) is an authentication protocol commonly used on UNIX networks to centralize remote-access authentication, authorization and accounting on a single server. There are three variants of the protocol: TACACS, XTACACS, and TACACS+.
In this topic we are going to discuss, install, and configure TACACS+ on Red Hat 7.4 and bind its authentication back end to Microsoft Active Directory (AD). The following logical flow diagram shows the lab setup we are going to build.
Tacacs+ Installation
Install pre-requisites and other dependencies
# yum -y install gcc perl-LDAP wget bind-utils bzip2
Download Tacacs+ Server package
# wget http://www.pro-bono-publico.de/projects/src/DEVEL.tar.bz2
Extract the downloaded package
# tar xvfj DEVEL.tar.bz2
Compile and install the Tacacs+ Server from source code (run these commands from inside the directory the archive was extracted into)
# ./configure tac_plus
# make
# make install
Create a directory for Tacacs+ logs
# mkdir -m 760 /var/log/tac_plus
Create Tacacs+ service systemd configuration
# cp tac_plus/extra/tac_plus.service /etc/systemd/system/
Tacacs+ Configuration
After the installation completes, create the tacacs+ configuration file named tac_plus.cfg in the /usr/local/etc directory
# vi /usr/local/etc/tac_plus.cfg
Configure your Tacacs+ Server with the following configuration. Change the site-specific values (LDAP server, base DN, bind account and password, NAS key and address range) to your own. Note that the bind password is stored in clear text, so keep tac_plus.cfg readable by root only.
#!/usr/local/sbin/tac_plus
######################### Start of Config ############################
## Event mechanism
setenv IO_POLL_MECHANISM = 4
id = spawnd {
    listen = { port = 49 }
    background = yes
}
id = tac_plus {
    ## AAA logs on local TACACS server
    authentication log = /var/log/tac_plus/authentication_%Y%m%d.log
    authorization log = /var/log/tac_plus/authorization_%Y%m%d.log
    accounting log = /var/log/tac_plus/accounting_%Y%m%d.log
    password max-attempts = 3
    single-connection = yes
    ## Mavis Configuration
    ## Systems & Network Administrator LDAP Backend (Active Directory)
    mavis module = external {
        setenv LDAP_SERVER_TYPE = "microsoft"
        # Plain LDAP on 389 would send the bind credentials unencrypted; use LDAPS on 636
        # setenv LDAP_HOSTS = "ldap://sna-dc01.sysnet-admin.com:389"
        setenv LDAP_HOSTS = "ldaps://sna-dc01.sysnet-admin.com:636"
        setenv LDAP_SCOPE = sub
        setenv LDAP_BASE = "dc=sysnet-admin,dc=com"
        setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
        setenv LDAP_USER = "tacacs.bind@sysnet-admin.com"
        setenv LDAP_PASSWD = P@ssw0rd
        setenv AD_GROUP_PREFIX = tacacs_
        setenv REQUIRE_AD_GROUP_PREFIX = 1
        exec = /usr/local/lib/mavis/mavis_tacplus_ads.pl
    }
    ## Shadow Backend configuration for local authentication
    mavis module = external {
        setenv SHADOWFILE = /etc/shadow
        exec = /usr/local/lib/mavis/mavis_tacplus_shadow.pl
    }
    login backend = mavis
    user backend = mavis
    ## Host Definition
    host = nas_cisco {
        key = "cisco"
        address = 192.168.10.0/24
    }
    ## ACL Definition
    acl = acl_net permit {
        nas = nas_cisco
    }
    acl = acl_net deny {
        nas = 0.0.0.0/0
    }
    ## Group Definition
    # Admin group with full permission
    group = NetAdmins {
        message = "[Network Administrator Privileges Mode!!!]"
        acl = acl_net
        default service = permit
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 15
        }
    }
    # Operator group with specific permission and commands allowed
    group = NetOperators {
        message = "[Operator Privileges Mode!!!]"
        acl = acl_net
        default service = deny
        service = shell {
            default command = deny
            set priv-lvl = 15
            # Rules are checked in order: "show star..." (startup-config) is denied, any other show is permitted
            cmd = show {
                deny star.*
                permit .*
            }
            cmd = exit { permit .* }
            cmd = logout { permit .* }
            cmd = ping { permit .* }
            cmd = traceroute { permit .* }
            message deny = "You are not allowed to use this command. Contact to Administrator!"
        }
    }
    # Read Only group with privilege level 7
    group = NetReadOnly {
        message = "[Read Only Privileges 7 for Service Account!!!]"
        acl = acl_net
        service = shell {
            default command = permit
            set priv-lvl = 7
            message deny = "You are not allowed to use this command. Contact to Administrator!"
        }
    }
}
########################## End of Config ############################
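How the NAS ACL and the per-command rules above fit together is easier to see in a small model. The following Python is an added example written for this article, not code from tac_plus or the MAVIS scripts: it encodes the nas_cisco address range and the NetAdmins and NetOperators shell rules from the configuration and evaluates sample command lines with first-match semantics. The argument regex is assumed to be anchored at the start of the argument string (re.match); check the daemon's documentation for its exact regex matching before relying on a pattern. The NetReadOnly group is left out because, with the router configuration used later in this article, only privilege-level-15 commands are sent to the server for authorization.

```python
import ipaddress
import re

# Added example: a simplified model of tac_plus command authorization built from
# the configuration above. It is not the daemon's own code; the regex is
# assumed to be anchored at the start of the argument string (re.match).

# host = nas_cisco { address = 192.168.10.0/24 } combined with acl_net:
# requests from any other NAS are refused before the group rules are consulted.
NAS_NETWORKS = [ipaddress.ip_network("192.168.10.0/24")]

# Ordered (command, action, argument regex) rules per group, plus the group's
# "default command" action for commands that match no rule.
POLICY = {
    "NetAdmins": {"default": "permit", "rules": []},
    "NetOperators": {
        "default": "deny",
        "rules": [
            ("show", "deny", r"star.*"),   # "show startup-config" is refused
            ("show", "permit", r".*"),     # any other show argument is allowed
            ("exit", "permit", r".*"),
            ("logout", "permit", r".*"),
            ("ping", "permit", r".*"),
            ("traceroute", "permit", r".*"),
        ],
    },
}


def nas_permitted(nas_ip):
    """Return True when the requesting NAS falls inside a defined host block."""
    addr = ipaddress.ip_address(nas_ip)
    return any(addr in net for net in NAS_NETWORKS)


def authorize(group, nas_ip, command_line):
    """Evaluate one command line with the config's first-match rules.

    Returns "permit" or "deny". The first rule whose command word equals the
    command and whose regex matches the argument string decides; otherwise the
    group's default applies.
    """
    if not nas_permitted(nas_ip):
        return "deny"
    policy = POLICY[group]
    cmd, _, args = command_line.strip().partition(" ")
    for rule_cmd, action, pattern in policy["rules"]:
        if rule_cmd == cmd and re.match(pattern, args):
            return action
    return policy["default"]


if __name__ == "__main__":
    samples = [
        ("NetOperators", "192.168.10.1", "show startup-config"),  # deny
        ("NetOperators", "192.168.10.1", "show running-config"),  # permit
        ("NetOperators", "192.168.10.1", "configure terminal"),   # deny (default)
        ("NetAdmins", "192.168.10.1", "configure terminal"),      # permit
        ("NetAdmins", "10.20.30.40", "show version"),             # deny (NAS outside ACL)
    ]
    for group, nas, line in samples:
        print(f"{group:13} {nas:14} {line!r:28} -> {authorize(group, nas, line)}")
```

The order of the two show rules matters: if "permit .*" came first, the startup-config deny would never be reached.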
After saving the configuration, use the following command to verify it. The -P option parses the configuration file and reports errors without starting the daemon.
# /usr/local/sbin/tac_plus -P /usr/local/etc/tac_plus.cfg
Enable auto startup and start the tacacs+ service
# systemctl enable tac_plus && systemctl start tac_plus
Use the following command to restart the tacacs+ service after any further changes
# systemctl restart tac_plus.service
Users and Groups on Microsoft Active Directory
We have created 3 users with different roles, as shown in the diagram,
and 3 groups for administrators, operators, and read-only users.
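The MAVIS lookup substitutes the login name for %s in LDAP_FILTER and, with AD_GROUP_PREFIX and REQUIRE_AD_GROUP_PREFIX set, maps the user's AD groups to tac_plus groups by that prefix. The following Python is an added example written for this article, not code from the MAVIS script, showing the two pieces of that logic a reviewer should check in any such back end: escaping the username per RFC 4515 before it is placed in the filter, and deriving the tac_plus group name from a tacacs_-prefixed AD group. The memberOf DNs are constructed sample values, and the prefix-stripping behaviour is an assumption about the intent of those two settings.

```python
# Added example (not the MAVIS script's code): username escaping for the
# LDAP_FILTER template and prefix-based AD group mapping from the config above.

LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
AD_GROUP_PREFIX = "tacacs_"

# RFC 4515 requires these characters to be escaped inside a filter value so
# that a login name can never alter the filter's structure.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username, template=LDAP_FILTER):
    """Fill the %s placeholder of the filter template with the escaped login name."""
    return template % escape_filter_value(username)


def rdn_value(dn):
    """Return the CN value of the first RDN of a DN, or None if it is not a CN."""
    first = dn.split(",", 1)[0]
    attr, _, value = first.partition("=")
    if attr.strip().upper() != "CN":
        return None
    return value.strip()


def tacacs_groups(member_of, prefix=AD_GROUP_PREFIX):
    """Map AD group DNs to tac_plus group names by stripping the prefix.

    Groups without the prefix are ignored; with REQUIRE_AD_GROUP_PREFIX = 1 a
    user whose list comes back empty should be refused (assumed intent of the
    setting, not a statement about the script's implementation).
    """
    names = []
    for dn in member_of:
        cn = rdn_value(dn)
        if cn and cn.startswith(prefix):
            names.append(cn[len(prefix):])
    return names


if __name__ == "__main__":
    # Constructed sample values for the domain used in this article.
    print(build_user_filter("tacadmin"))
    print(build_user_filter("*)(objectclass=*"))  # structure-altering input is neutralised
    groups = [
        "CN=tacacs_NetAdmins,OU=Groups,DC=sysnet-admin,DC=com",
        "CN=Domain Users,CN=Users,DC=sysnet-admin,DC=com",
    ]
    print(tacacs_groups(groups))
```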
Cisco Device Configuration
Now we can configure the Cisco devices to use the Tacacs+ Server. I am using a Cisco 3725 router on GNS3.
# aaa new-model
# ip tacacs source-interface FastEthernet 0/0
# tacacs-server host 192.168.10.11 key cisco
# aaa authentication password-prompt "Please enter password:"
# aaa authentication username-prompt "Please enter username:"
# aaa authentication login default group tacacs+ local
# aaa authentication enable default group tacacs+ enable
# aaa authorization console
# aaa authorization config-commands
# aaa authorization exec default group tacacs+ local if-authenticated
# aaa authorization commands 15 default group tacacs+ local if-authenticated
# aaa accounting exec default start-stop group tacacs+
# aaa accounting commands 15 default start-stop group tacacs+
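With exec and command accounting enabled on the router, the server writes each session and each privilege-15 command to the accounting log configured earlier. The following Python is an added example written for this article, not part of tac_plus: it parses accounting records, flags commands that change or persist device configuration, and summarises command counts per user. The sample lines are constructed; they follow the general tab-separated layout of tac_plus accounting (timestamp, NAS, user, port, remote address, start/stop, then key=value attributes), but the exact field set of a real log should be confirmed against the daemon's output before this is used for monitoring. The user tacoperator is a constructed name alongside the tacadmin and tacreadonly users from the article.

```python
import collections

# Added example: parsing and auditing tac_plus accounting records. The sample
# records are constructed for this article and approximate the daemon's
# tab-separated format; verify the real field layout before deploying.
SAMPLE_ACCOUNTING = "\n".join([
    "2024-01-15 10:02:05\t192.168.10.1\ttacadmin\ttty2\t192.168.10.50\tstart\ttask_id=11\tservice=shell",
    "2024-01-15 10:02:11\t192.168.10.1\ttacadmin\ttty2\t192.168.10.50\tstop\ttask_id=12\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>",
    "2024-01-15 10:02:30\t192.168.10.1\ttacadmin\ttty2\t192.168.10.50\tstop\ttask_id=13\tservice=shell\tpriv-lvl=15\tcmd=hostname R1 <cr>",
    "2024-01-15 10:02:41\t192.168.10.1\ttacadmin\ttty2\t192.168.10.50\tstop\ttask_id=14\tservice=shell\tpriv-lvl=15\tcmd=write memory <cr>",
    "2024-01-15 10:05:02\t192.168.10.1\ttacoperator\ttty3\t192.168.10.51\tstop\ttask_id=15\tservice=shell\tpriv-lvl=15\tcmd=show running-config <cr>",
    "2024-01-15 10:05:40\t192.168.10.1\ttacoperator\ttty3\t192.168.10.51\tstop\ttask_id=16\tservice=shell\tpriv-lvl=15\tcmd=ping 192.168.10.11 <cr>",
    "2024-01-15 10:09:12\t192.168.10.1\ttacreadonly\ttty4\t192.168.10.52\tstop\ttask_id=17\tservice=shell\tpriv-lvl=7\tcmd=show version <cr>",
])

# Command words that enter configuration mode or persist/erase configuration.
SENSITIVE_COMMANDS = ("configure", "write", "copy", "reload", "erase")


def parse_accounting(text):
    """Turn accounting log text into a list of dicts, one per record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) < 6:
            continue  # skip a malformed line rather than stop the monitor
        rec = {
            "timestamp": fields[0],
            "nas": fields[1],
            "user": fields[2],
            "port": fields[3],
            "remote": fields[4],
            "status": fields[5],
        }
        for attr in fields[6:]:
            key, _, value = attr.partition("=")
            rec[key] = value
        cmd = rec.get("cmd", "")
        if cmd.endswith(" <cr>"):      # IOS appends <cr> to accounted commands
            cmd = cmd[:-len(" <cr>")]
        rec["cmd"] = cmd.strip()
        records.append(rec)
    return records


def sensitive_commands(records):
    """Return records whose command word is in SENSITIVE_COMMANDS."""
    return [r for r in records if r["cmd"].split(" ", 1)[0] in SENSITIVE_COMMANDS]


def commands_per_user(records):
    """Count accounted commands per user, ignoring exec start/stop records."""
    return dict(collections.Counter(r["user"] for r in records if r["cmd"]))


if __name__ == "__main__":
    recs = parse_accounting(SAMPLE_ACCOUNTING)
    print("commands per user:", commands_per_user(recs))
    for r in sensitive_commands(recs):
        print(f"{r['timestamp']} {r['user']}@{r['nas']} ran: {r['cmd']}")
```

Records with an empty cmd are exec session start/stop events; they are parsed but not counted as commands.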
Let's test signing in to the Cisco router with the tacadmin user. tacadmin has full access, so he can make any change on this router.
Let's test signing in to the Cisco router with the tacreadonly user. He should not have permission to make any changes and also cannot enter configuration mode.
Bingo! We have successfully configured the Tacacs+ server with Active Directory.