TACACS+

So I finally took the plunge and decided to implement TACACS+ at Dark Horse Networks as well as for my personal network. TACACS+ stands for “Terminal Access Controller Access-Control System” and can be used to authenticate users to Unix systems and, more importantly, Cisco equipment. This removes the need to maintain local user accounts on each individual device and provides central, unified authentication.

In addition to authenticating users, it also allows a given user to be authorized for different levels of access. For example, Alice may only be allowed to view the current configuration of a router, while Bob is allowed to change it.

Finally, TACACS+ provides accounting. This allows central logging of every command a user executes, for auditing purposes. That way, if “someone” happens to destroy the configuration on a device, you know who to hunt down.

Just to note… In case you are wondering what the difference is between TACACS and TACACS+: TACACS+ is a completely new protocol and is not compatible with the older TACACS protocol. TACACS+ was created by Cisco Systems. The specific implementation I will be using is usually referred to as “tac_plus”, which is also the name of the daemon.

Ok, so on to the fun stuff… For this project I used the following:

The first step was to install the daemon. As there are currently no RPM-based packages for “tac_plus”, I had to build from source, which was as painless as:

  1. Extract the archive
  2. ./configure
  3. make install

Next, I had to draft up a configuration file:

# Where accounting records (session start/stop, commands executed) are written
accounting file = /var/log/tac_plus/accounting.log
 
# Shared secret; every device talking to this daemon must use the same key
key = "insertkeyhere"
 
group = admin {
  default service = permit
  service = exec {
    priv-lvl = 15
  }
}
 
user = jfeisley {
  member = admin
  # "des" expects a crypt(3)-style DES hash of the password, not the cleartext
  login = des "foobarbaz"
}

The next task was to code up a working init script for the tac_plus daemon:

#!/bin/bash
 
# Source function library.
. /etc/rc.d/init.d/functions
 
# Source networking configuration.
. /etc/sysconfig/network
 
# Check that networking is up (quoted so an unset variable does not break the test).
[ "${NETWORKING}" = "no" ] && exit 0
 
# Some config parameters
# Config file and log file
tacacs_config="/etc/tacacs.conf"
tacacs_log="/var/log/tac_plus/tac_plus.log"
# Debug level (0 = off)
debug=0
 
# Bail out quietly if the daemon or its config is missing.
[ -f /usr/local/bin/tac_plus ] || exit 0
 
[ -f "$tacacs_config" ] || exit 0
 
# See how we were called.
case "$1" in
  start)
        # Start daemon.
        if [ "$debug" -gt 0 ]
        then
            echo -n "Starting TACACS+ with debug level $debug: "
            daemon /usr/local/bin/tac_plus -C "$tacacs_config" -d "$debug" -l "$tacacs_log"
        else
            echo -n "Starting TACACS+: "
            daemon /usr/local/bin/tac_plus -C "$tacacs_config" -l "$tacacs_log"
        fi
        echo
        touch /var/lock/subsys/tac_plus
        ;;
  stop)
        # Stop daemon.
        echo -n "Shutting down TACACS+: "
        killproc tac_plus
        rm -f /var/lock/subsys/tac_plus
        echo
        ;;
  status)
        status tac_plus
        exit $?
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  reload)
        # SIGUSR1 makes tac_plus re-read its configuration file.
        echo "TACACS+ now reloading......"
        kill -SIGUSR1 "$(cat /var/run/tac_plus.pid)"
        exit $?
        ;;
  test)
        # -P parses the config file and exits without starting the daemon.
        echo "TACACS+ config being tested..."
        /usr/local/bin/tac_plus -P -C "$tacacs_config"
        ;;
  *)
        echo "Usage: tac_plus {start|stop|status|restart|reload|test}"
        exit 1
esac
 
exit 0

Finally, I configured my various Cisco devices to authenticate against the TACACS+ daemon.
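As an added example (not from the original post), here is the IOS-style AAA configuration that points a device at the daemon above. It uses the server address 192.0.2.10 and the loopback interface as placeholders; the shared key must match the `key` line in tac_plus.conf. Every method list keeps `local` as a fallback, with a local privilege-15 account, so the device stays manageable if the TACACS+ server is unreachable.

```text
! Enable the AAA subsystem
aaa new-model
!
! Local fallback account, used only when TACACS+ does not answer
username admin privilege 15 secret <replace-with-strong-password>
!
! TACACS+ server (placeholder address) and the shared secret from tac_plus.conf
tacacs-server host 192.0.2.10 key insertkeyhere
tacacs-server timeout 5
ip tacacs source-interface Loopback0
!
! Authentication: TACACS+ first, then the local account
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Authorization: the exec shell and level-15 commands are checked against
! the server (priv-lvl = 15 from the "admin" group in tac_plus.conf)
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
!
! Accounting: log session start/stop and every level-15 command centrally
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
```

Before closing the existing session, verify the server path from a second session with `test aaa group tacacs+ jfeisley <password> legacy` and check that the command shows up in /var/log/tac_plus/accounting.log on the server.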
