So I finally took the plunge and decided to implement TACACS+ at Dark Horse Networks as well as for my personal network. TACACS+ stands for “Terminal Access Controller Access-Control System Plus” and can be used to authenticate users to Unix systems and, more importantly, Cisco equipment; the devices talk to the server over TCP port 49. This removes the need to have user accounts on each individual device and provides central, unified authentication.
In addition to authenticating users, it also allows for authorizing a given user to different levels of access. Authorization works at two levels: the privilege level granted to the session when the user logs in, and, if the device is configured to ask, each individual command the user types. For example: Alice may only have access to view the current configuration of a router, while Bob has access to change the configuration.
Finally, TACACS+ provides accounting. This allows central logging of every command a user executes, for auditing purposes. That way, if “someone” happens to destroy the configuration on a device, you know who to hunt down.
Just to note: in case you are wondering what the difference is between TACACS and TACACS+, TACACS+ is a completely new protocol, created by Cisco Systems, and is not compatible with the older TACACS protocol (RFC 1492); TACACS+ itself is now documented in RFC 8907. The packet bodies are obfuscated by XORing them with an MD5-derived pad keyed on the shared secret, and the protocol carries no integrity check, so treat the key like a password (long and random) and keep port 49 reachable only from the management network. The specific implementation I will be using is usually referred to as “tac_plus”, which is also the name of the daemon.
Ok, so on to the fun stuff… For this project I used the following:
The first step was to install the daemon. As there are currently no RPM-based packages for “tac_plus”, I had to build from source, which was as painless as:
Next, I had to draft up a configuration file:
```text
# /etc/tacacs.conf
# Where the daemon writes start/stop and command accounting records;
# the directory must exist and be writable by the daemon.
accounting file = /var/log/tac_plus/accounting.log

# Shared secret; every device talking to this server must use the same key.
key = "insertkeyhere"

group = admin {
    # permit any service or command that is not explicitly listed
    default service = permit
    # when the device does exec authorization, drop the user straight
    # into privilege level 15
    service = exec {
        priv-lvl = 15
    }
}

user = jfeisley {
    member = admin
    # "des" expects the crypt(3) hash of the password (generate it with
    # tac_pwd, shipped with tac_plus), not the password itself; use
    # "cleartext" if you really want the literal password in the file.
    login = des "foobarbaz"
}
```
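The Alice/Bob split described earlier, as an added example of a tac_plus configuration (this is not the post's own config file, and the user names, secret and passwords are placeholders): a read-only group that may run show commands and an admin group with full access, both of them accounted. Command names are matched as regular expressions against the command arguments, so the `show` entry permits any show command.

```text
# Added example, not the post's configuration. Secret and passwords are
# placeholders; keep this file mode 0600, it is sensitive.
accounting file = /var/log/tac_plus/accounting.log
key = "replace-with-a-long-random-secret"

# Full access: lands at privilege level 15 and every command is permitted.
group = admin {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

# Read-only: also lands at level 15 so that "show running-config" works,
# but anything not explicitly permitted below is denied when the device
# asks for command authorization.
group = readonly {
    default service = deny
    service = exec {
        priv-lvl = 15
    }
    cmd = show {
        permit .*
    }
    cmd = exit {
        permit .*
    }
    cmd = logout {
        permit .*
    }
}

user = alice {
    member = readonly
    # for production use login = des "<crypt(3) hash>" generated with tac_pwd
    login = cleartext "alice-password-placeholder"
}

user = bob {
    member = admin
    login = cleartext "bob-password-placeholder"
}
```

Two things to check before relying on this: the deny only bites if the device actually sends command authorization requests (on IOS that is `aaa authorization commands 15 ...`); with only exec authorization in place, `priv-lvl = 15` gives Alice full access. And since tac_plus regexes are matched against the arguments, a permitted `show` with `.*` includes `show running-config`, which exposes any secrets the router stores in its config, so restrict the pattern if that matters to you.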
The next task was to code up a working init script for the tac_plus daemon:
```bash
#!/bin/bash
#
# tac_plus      Start/stop the TACACS+ daemon
#
# chkconfig: 2345 80 30
# description: TACACS+ authentication, authorization and accounting daemon

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

# Some config parameters
tacacs_bin="/usr/local/bin/tac_plus"
tacacs_config="/etc/tacacs.conf"
tacacs_log="/var/log/tac_plus/tac_plus.log"
# Some builds append the listening port to the pid file name
# (e.g. tac_plus.pid.49); check /var/run after the first start.
tacacs_pid="/var/run/tac_plus.pid"
# Debug level, 0 = off; see tac_plus(8) for the bit values
debug=0

[ -x "$tacacs_bin" ] || exit 0
[ -f "$tacacs_config" ] || exit 0

# See how we were called.
case "$1" in
  start)
        # Start daemon.
        if [ "$debug" -gt 0 ]; then
            echo -n "Starting TACACS+ with debug level $debug: "
            daemon "$tacacs_bin" -C "$tacacs_config" -d "$debug" -l "$tacacs_log"
        else
            echo -n "Starting TACACS+: "
            daemon "$tacacs_bin" -C "$tacacs_config" -l "$tacacs_log"
        fi
        echo
        touch /var/lock/subsys/tac_plus
        ;;
  stop)
        # Stop daemon.
        echo -n "Shutting down TACACS+: "
        killproc tac_plus
        rm -f /var/lock/subsys/tac_plus
        echo
        ;;
  status)
        status tac_plus
        exit $?
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  reload)
        # SIGUSR1 makes tac_plus re-read its configuration file
        echo "TACACS+ now reloading..."
        kill -USR1 "$(cat "$tacacs_pid")"
        exit $?
        ;;
  test)
        # -P parses the configuration and exits; run this before a reload
        echo "Testing TACACS+ configuration..."
        "$tacacs_bin" -P -C "$tacacs_config"
        ;;
  *)
        echo "Usage: tac_plus {start|stop|status|restart|reload|test}"
        exit 1
esac

exit 0
```
Finally, I configured my various Cisco devices to authenticate against the TACACS+ daemon.
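The device side of the setup, as an added example for a Cisco IOS router using the classic `tacacs-server` syntax (this is not the post's own device configuration). The server address 192.0.2.10, the `Loopback0` source interface and the `rescue` fallback account are assumptions; the key must be the same string as `key =` in the tac_plus configuration.

```text
! Added example, not the post's own device config. Address, source
! interface and fallback account are placeholders.
aaa new-model
!
! Must match "key =" in tac_plus.conf; a mismatch shows up as
! authentication failures, not as a connection error.
tacacs-server host 192.0.2.10
tacacs-server key replace-with-the-same-secret
tacacs-server timeout 5
! Source requests from a stable address so the server sees one peer
ip tacacs source-interface Loopback0
!
! Local fallback, used only when no TACACS+ server answers (not when
! the server rejects the login).
username rescue privilege 15 secret set-a-strong-password-here
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
! exec authorization is what applies priv-lvl = 15 from the server
aaa authorization exec default group tacacs+ local
! command authorization is what enforces per-command permit/deny
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
line vty 0 4
 transport input ssh
```

Apply this from a console session you keep open until a second SSH login has been verified: because the method lists fall back to `local` only on a server error, a wrong key or a typo in the exec authorization leaves you locked out of every new session. On the server, run the init script's `test` target before each `reload`, and watch /var/log/tac_plus/accounting.log while you log in from the router to confirm that start/stop and command records arrive.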