Installation & Setup of Free Tacacs+ server in Linux
(Tested via GNS3 & VirtualBox by AnSaRiTrixs.com)
Software Used:
GNS3 0.8.3.1
- a 3700-series IOS router image as the router and DHCP server
- an Ethernet switch to connect the hosts
- a VirtualBox guest running Ubuntu Server 12.04.2 LTS (this becomes the TACACS+ server)
http://shrubbery.net/tac_plus/
ftp://ftp.shrubbery.net/pub/tac_plus
Installation:
1. Log in as root and install the dependencies: the TCP Wrappers development files (libwrap) and the build tools gcc, make, bison and flex.
If you’re not sure if these packages are installed, you can use the command:
dpkg -s [packagename]
Sample:
root@freelinux:~# dpkg -s gcc bison flex
Package `gcc' is not installed and no info is available.
Package `bison' is not installed and no info is available.
Package `flex' is not installed and no info is available.
To install:
root@freelinux:~# apt-get install gcc make flex \
bison libwrap0-dev
2. Download the tacacs+ package from ftp://ftp.shrubbery.net/pub/tac_plus/. Read the change notes on http://shrubbery.net/tac_plus/ before picking a version.
Latest version as of this writing is tacacs+-F4.0.4.26
root@freelinux:~# wget \
ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F4.0.4.26.tar.gz
3. Unpack the tarball
root@ubuntu:~# tar zxvf tacacs+-F4.0.4.26.tar.gz
4. Build
Check the INSTALL file first for the installation guide, then run ./configure followed by make and make install; the install step puts tac_plus and tac_pwd in /usr/local/bin and the shared library in /usr/local/lib.
root@ubuntu:~/tacacs+-F4.0.4.26# less INSTALL
root@ubuntu:~/tacacs+-F4.0.4.26# ./configure
If you skipped the dependencies, configure stops with a message like this:
configure: error: Could not find libwrap. You must first install tcp_wrappers.
Install the missing package and rerun ./configure:
# apt-get install libwrap0-dev
After make install, libtool reports where the shared library (libtacacs) went. Keep this in mind: the daemon will not start until the dynamic linker knows about that directory (see the ldconfig note under Configuration).
Libraries have been installed in:
/usr/local/lib
If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
- add LIBDIR to the `LD_LIBRARY_PATH' environment variable
during execution
- add LIBDIR to the `LD_RUN_PATH' environment variable
during linking
- use the `-Wl,-rpath -Wl,LIBDIR' linker flag
- have your system administrator add LIBDIR to `/etc/ld.so.conf'
See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
Configuration:
1. After make install, the binaries are in /usr/local/bin/:
root@ubuntu:~/tacacs+-F4.0.4.26# ls /usr/local/bin/tac*
/usr/local/bin/tac_plus /usr/local/bin/tac_pwd
2. Read the manual page for the following:
$man tac_plus
$man tac_pwd
So basically,
tac_plus – tacacs plus daemon
tac_pwd – generate a crypt(3) hash of a password (traditional DES by default, MD5 with -m)
3. Use tac_pwd to hash the passwords, so that tac_plus.conf never holds them in clear text. Be aware that the traditional DES crypt used by default only looks at the first 8 characters of a password (so "enablepass" below is effectively checked as "enablepa"); tac_pwd -m produces an MD5 crypt hash without that limit, and since tac_plus verifies a login = des value with crypt(3), either form works in the config.
e.g.
We want the user freelinux to log in with the password "password" and to reach privileged mode with "enablepass":
root@freelinux:/etc/tacacs# /usr/local/bin/tac_pwd
Password to be encrypted: password
VUjB99kC2IGws
root@freelinux:/etc/tacacs# /usr/local/bin/tac_pwd
Password to be encrypted: enablepass
HD.Hw0OHKmO/c
4. Set up the config directory
a. create the tacacs directory under /etc (/etc/tacacs, which is where the init script below expects tac_plus.conf)
5. Create the tac_plus.conf file in that directory
tac_plus.conf setup:
i. set the key. It must match the tacacs-server key on every router, and it is the only thing protecting TACACS+ traffic on the wire (packet bodies are merely XORed with an MD5 stream derived from it), so replace the placeholder below with a long random secret rather than a dictionary word.
#tacacs key
key = "tackey"
ii. set the user accounts. default service = permit allows any service or command the router asks authorization for unless a rule denies it; the login line holds the hash produced by tac_pwd above.
#user details
#admin freelinuxtutorials@gmail.com
user = freelinux {
default service = permit
member = admingroup
login = des VUjB99kC2IGws
}
iii. set the group details. The exec service with priv-lvl = 15 drops group members straight into privileged mode when the router authorizes the shell, so keep membership of this group tight.
#group details
# admin group
group = admingroup {
default service = permit
service = exec {
priv-lvl = 15
}
}
iv. set the enable password. $enable$ is the pseudo-user tac_plus consults when the router sends an enable authentication (the aaa authentication enable line on the Cisco side), so this single hash is the enable password for every user.
#Enable password setup for users:
user = $enable$ {
login = des HD.Hw0OHKmO/c
}
Note: the complete tac_plus.conf is simply these fragments, in this order, in one file.
v. set the location of the accounting file (create /var/log/tacacs first; tac_plus creates the file but not the directory)
accounting file = /var/log/tacacs/tac_plus.log
6. Restrict the permissions: the file holds the shared key and the password hashes, so only root should be able to read it
#chmod 600 /etc/tacacs/tac_plus.conf
Note: if starting tac_plus fails with the error below, the dynamic linker cannot find libtacacs.so.1 in /usr/local/lib; add that directory to /etc/ld.so.conf and run ldconfig to refresh the linker cache:
tac_plus: error while loading shared libraries: libtacacs.so.1:
cannot open shared object file: No such file or directory
# vi /etc/ld.so.conf
add /usr/local/lib under /etc/ld.so.conf
root@freelinux#ldconfig
7. Run the tacacs service
root@freelinux:/etc/tacacs# /etc/init.d/tac_plus start
Starting Tacacs+ server: tac_plus.
The /etc/init.d/tac_plus script used above is the following (create it, make it executable, and override OTHER_OPTS or CONFIG_FILE in /etc/default/tac_plus if needed):
#!/bin/sh
#
### BEGIN INIT INFO
# Provides:          tac-plus
# Required-Start:    $network
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      S 0 1 6
# Short-Description: Start tac-plus server.
# Description:       Run the tac-plus server listening for
#                    AAA (authentication, authorization and accounting)
#                    requests from routers or RAS (remote access servers)
#                    via the TACACS+ protocol
### END INIT INFO

PATH=/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/local/bin/tac_plus
NAME=tac_plus
DESC="Tacacs+ server"
# Defaults, used when there is no /etc/default/tac_plus.
# -d 256 enables packet-level debugging (written to the debug log,
# /var/tmp/tac_plus.log by default); handy while testing, but it records
# every exchange, so drop it once the server is in production.
OTHER_OPTS="-d 256"
CONFIG_FILE="/etc/tacacs/tac_plus.conf"

test -f $DAEMON || exit 0

if [ -r /etc/default/tac_plus ] ; then
    . /etc/default/tac_plus
fi

DAEMON_OPTS="-C $CONFIG_FILE $OTHER_OPTS"

case "$1" in
  start)
    echo -n "Starting $DESC: "
    start-stop-daemon --start --quiet --pidfile /var/run/$NAME.pid \
        --exec $DAEMON -- $DAEMON_OPTS
    echo "$NAME."
    ;;
  stop)
    echo -n "Stopping $DESC: "
    start-stop-daemon --stop --quiet --pidfile /var/run/$NAME.pid --exec $DAEMON
    echo "$NAME."
    ;;
  restart)
    $0 stop
    sleep 1
    $0 start
    ;;
  *)
    N=/etc/init.d/$NAME
    echo "Usage: $N {start|stop|restart}" >&2
    exit 1
    ;;
esac

exit 0
8. Check that the daemon is listening on TCP port 49 (the TACACS+ port). Match ':49 ' rather than a bare 49 so that unrelated sockets whose address happens to contain those digits do not show up:
root@freelinux:/etc/tacacs# netstat -lnt | grep ':49 '
tcp 0 0 0.0.0.0:49 0.0.0.0:* LISTEN
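Once the port is open, it is worth proving that the key and a user actually authenticate before any router is pointed at the server: a key mismatch on the router side only ever shows up as a failed login. The script below is an added example written for this page, not part of tac_plus. It implements just enough of the TACACS+ protocol (the 12-byte header, the MD5 pseudo-pad obfuscation of the body, and the authentication START / REPLY / CONTINUE exchange for an ASCII login) to check the freelinux account against the server from the Ubuntu host. The key and user are the ones configured above; the server address, the script name and the tty and remote-address strings it reports to the server are assumptions. It also makes the caveat about the key concrete: the body is only XORed with an MD5 stream derived from the session id and the key, so one captured packet plus a guessable key gives up the password.

```python
#!/usr/bin/env python3
"""Minimal TACACS+ ASCII-login client (RFC 8907 framing, as spoken by tac_plus).

Added example for this page, not part of tac_plus: builds the 12-byte header,
applies the MD5 pseudo-pad obfuscation keyed by the shared secret, and runs
the START -> GETPASS -> CONTINUE -> PASS/FAIL exchange, so the user and key
in tac_plus.conf can be verified from the Linux host before a router is.
"""
import hashlib
import os
import socket
import struct
import sys

TAC_PLUS_VERSION = 0xC0             # major 0xC, minor 0 (ASCII login)
TAC_PLUS_AUTHEN = 0x01              # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # header flag: body sent in the clear
ACTION_LOGIN, TYPE_ASCII, SVC_LOGIN = 0x01, 0x01, 0x01
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER", 5: "GETPASS",
          6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id|key|version|seq_no), MD5_n = MD5(...|MD5_n-1),
    concatenated and truncated. The body is just XORed with this stream, so a
    short key can be brute-forced offline from one captured packet."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(ptype, seq_no, session_id, body, key, version=TAC_PLUS_VERSION):
    """Header plus (obfuscated) body; an empty key sends the body in the clear."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    wire = obfuscate(body, session_id, key, version, seq_no) if key else body
    return HEADER.pack(version, ptype, seq_no, flags, session_id, len(body)) + wire

def parse_packet(data, key):
    """Split a received packet and de-obfuscate the body with our key."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(data[:HEADER.size])
    body = data[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "flags": flags, "session_id": session_id, "body": body}

def authen_start(user, port=b"tty0", rem_addr=b"127.0.0.1", priv_lvl=1):
    """START body: action, priv_lvl, authen_type, service, four length bytes,
    then user, port, rem_addr (no data field for an ASCII login)."""
    return (bytes([ACTION_LOGIN, priv_lvl, TYPE_ASCII, SVC_LOGIN,
                   len(user), len(port), len(rem_addr), 0]) + user + port + rem_addr)

def authen_continue(user_msg):
    """CONTINUE body: user_msg_len, data_len, flags, then the user message."""
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg

def parse_authen_reply(body):
    """REPLY body: status, flags, server_msg_len, data_len, server_msg, data."""
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return STATUS.get(status, hex(status)), body[6:6 + msg_len].decode(errors="replace")

def recv_packet(sock):
    """Read one packet: the header first, then exactly `length` body bytes."""
    hdr = sock.recv(HEADER.size, socket.MSG_WAITALL)
    if len(hdr) != HEADER.size:
        raise ConnectionError("server closed the connection before replying")
    length = HEADER.unpack(hdr)[5]
    return hdr + (sock.recv(length, socket.MSG_WAITALL) if length else b"")

def ascii_login(host, key, user, password, port=49):
    """One ASCII login against a live server; returns (status, server_msg)."""
    session_id = struct.unpack("!I", os.urandom(4))[0]
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(build_packet(TAC_PLUS_AUTHEN, 1, session_id, authen_start(user), key))
        status, msg = parse_authen_reply(parse_packet(recv_packet(sock), key)["body"])
        if status == "GETPASS":   # server wants the password: answer with CONTINUE, seq 3
            sock.sendall(build_packet(TAC_PLUS_AUTHEN, 3, session_id,
                                      authen_continue(password), key))
            status, msg = parse_authen_reply(parse_packet(recv_packet(sock), key)["body"])
    return status, msg

if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: tacacs_login_check.py SERVER KEY USER PASSWORD")
    host, key, user, pw = sys.argv[1:]
    print(ascii_login(host, key.encode(), user.encode(), pw.encode()))
```

Run it from the Ubuntu guest as python3 tacacs_login_check.py 192.168.56.10 tackey freelinux password: a working setup prints ('PASS', '') and a wrong password prints FAIL with the server's message. With a wrong key the reply de-obfuscates to garbage (an unknown hex status) or the server drops the connection, which is exactly the symptom a router with a mistyped tacacs-server key shows.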
--------------------
Sample Cisco configuration
Two things to check before pasting this in. First, the server address (192.168.56.10 here, the Ubuntu guest) and the key must match key = "tackey" in tac_plus.conf. Second, the router must already have a local username with a secret and an enable secret, and you should keep a console session open while testing: the trailing local and enable keywords are fallbacks used only when no TACACS+ server answers, not when the server rejects the login, so a mistyped key locks every new session out. Note also that aaa accounting network and aaa accounting connection take no privilege level; only the commands form does.
Cisco>en
Cisco#conf t
Cisco(config)#service password-encryption
Cisco(config)#tacacs-server host 192.168.56.10
Cisco(config)#tacacs-server directed-request
Cisco(config)#tacacs-server key tackey
Cisco(config)#aaa new-model
Cisco(config)#aaa authentication login default group tacacs+ local
Cisco(config)#aaa authentication enable default group tacacs+ enable
Cisco(config)#aaa authorization commands 1 default group tacacs+ local
Cisco(config)#aaa authorization commands 15 default group tacacs+ local
Cisco(config)#aaa accounting commands 0 default start-stop group tacacs+
Cisco(config)#aaa accounting commands 1 default start-stop group tacacs+
Cisco(config)#aaa accounting commands 7 default start-stop group tacacs+
Cisco(config)#aaa accounting commands 15 default start-stop group tacacs+
Cisco(config)#aaa accounting network default start-stop group tacacs+
Cisco(config)#aaa accounting connection default start-stop group tacacs+
I will not go deeper into client configuration, as it differs between devices and software from different vendors. What is shown here is just a basic TACACS+ configuration that is proven to work. Go and explore the more advanced TACACS+ configuration further. Enjoy!
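With the aaa accounting commands lines above in place, every command a user runs arrives as a stop record in /var/log/tacacs/tac_plus.log, and that file is the audit trail this whole setup exists to produce. The script below is an added example for this page, not part of tac_plus or IOS: it parses those records, counts commands per user and privilege level, and flags commands that change the configuration or weaken AAA itself (removing the aaa authentication line, for instance). The sample records are constructed in the tab-separated layout tac_plus writes (timestamp, NAS address, user, port, remote address, record type, then the attribute=value pairs the router sent); the addresses, task ids and commands are invented, so compare one line of your own log and adjust FIELDS if your version orders them differently.

```python
#!/usr/bin/env python3
"""Summarise tac_plus command accounting and flag sensitive commands.

Added example for this page; not part of tac_plus or IOS. tac_plus writes
one accounting record per line, tab-separated: timestamp, NAS address,
user, port, remote address, record type (start/stop/update) and then the
attribute=value pairs the router sent. SAMPLE_LOG is constructed in that
layout with invented addresses, task ids and commands.
"""
import re
import sys
from collections import Counter, defaultdict

FIELDS = ("timestamp", "nas", "user", "port", "rem_addr", "type")

# Commands worth an alert: first those that weaken AAA itself, then ordinary
# configuration changes. Matching is anchored at the start of the command.
SENSITIVE = (
    ("aaa tampering", re.compile(r"^(no )?(aaa |tacacs-server |tacacs server |username |enable )")),
    ("config change", re.compile(r"^(configure( terminal)?|write|copy .*(running|startup)-config|erase|reload)")),
)

def _rec(ts, user, rem_addr, priv_lvl, cmd, nas="192.168.56.101", port="tty194"):
    """Build one constructed stop record in the tac_plus layout (sample data only)."""
    return "\t".join([ts, nas, user, port, rem_addr, "stop", "task_id=1", "timezone=UTC",
                      "service=shell", f"priv-lvl={priv_lvl}", f"cmd={cmd} <cr>"])

SAMPLE_LOG = "\n".join([
    _rec("Tue Jun  4 10:15:30 2013", "freelinux", "192.168.56.1", 15, "show running-config"),
    _rec("Tue Jun  4 10:16:01 2013", "freelinux", "192.168.56.1", 15, "configure terminal"),
    _rec("Tue Jun  4 10:16:20 2013", "freelinux", "192.168.56.1", 15,
         "no aaa authentication login default group tacacs+ local"),
    _rec("Tue Jun  4 10:17:05 2013", "freelinux", "192.168.56.1", 15, "write memory"),
    _rec("Tue Jun  4 10:20:44 2013", "guest", "192.168.56.77", 1, "show version"),
]) + "\n"

def parse_record(line):
    """Split one log line into a dict; returns None for lines that are not records."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts[:len(FIELDS)]))
    for av in parts[len(FIELDS):]:
        key, _, value = av.partition("=")    # split on the first '=' only
        rec[key] = value
    if "cmd" in rec:                         # IOS appends <cr> to every command
        rec["cmd"] = rec["cmd"].replace("<cr>", "").strip()
    return rec

def classify(cmd):
    """Return the alert label for a command, or None if it is not sensitive."""
    for label, pattern in SENSITIVE:
        if pattern.search(cmd):
            return label
    return None

def analyse(lines):
    """Return ({user: Counter(priv-lvl -> command count)}, [alert dicts])."""
    per_user = defaultdict(Counter)
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if not rec or rec.get("service") != "shell" or "cmd" not in rec:
            continue                         # skip exec start/stop and non-shell records
        per_user[rec["user"]][rec.get("priv-lvl", "?")] += 1
        label = classify(rec["cmd"])
        if label:
            alerts.append({"time": rec["timestamp"], "user": rec["user"],
                           "from": rec["rem_addr"], "nas": rec["nas"],
                           "label": label, "cmd": rec["cmd"]})
    return per_user, alerts

def report(lines):
    """Human-readable summary: one line per user, then one line per alert."""
    per_user, alerts = analyse(lines)
    out = []
    for user, levels in sorted(per_user.items()):
        counts = ", ".join(f"{n} cmd(s) at priv-lvl {lvl}" for lvl, n in sorted(levels.items()))
        out.append(f"{user}: {counts}")
    for a in alerts:
        out.append(f"ALERT {a['label']}: {a['time']} {a['user']}@{a['from']} on {a['nas']}: {a['cmd']}")
    return "\n".join(out)

if __name__ == "__main__":
    # Default to the accounting file configured in tac_plus.conf; pass '-' for stdin.
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/tacacs/tac_plus.log"
    with (sys.stdin if path == "-" else open(path)) as fh:
        print(report(fh))
```

On the constructed sample this reports four priv-lvl 15 commands for freelinux and one priv-lvl 1 command for guest, and raises three alerts: configure terminal and write memory as config changes, and the no aaa authentication line as AAA tampering. Run it against the real file (or pipe tail -f output through it with -) to keep the same eye on the router in production.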