TACACS+ Installation on Linux [CentOS]

 TACACS+ Installation on CentOS:

In the example below I will show you how to install tac_plus on a CentOS server. There’s a RPM available so this will save you the hassle of compiling the source code yourself. Let’s add the repository first:

[root@server ~]# cd /etc/yum.repos.d/
[root@server yum.repos.d]# vim nux-misc.repo

We will create a new repository file where we can grab tac_plus. This is what you should enter:

[nux-misc]
name=Nux Misc
baseurl=http://li.nux.ro/download/nux/misc/el6/x86_64/
enabled=0
gpgcheck=1
gpgkey=http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro

Save the file and install tac_plus with the following command:

[root@server ~]#yum --enablerepo=nux-misc install tac_plus

That’s all you need to do. All configuration is done from a single config file. Let’s take a look at its contents:

[root@server /]# vim /etc/tac_plus.conf

You will see a lot of things in this default configuration file. Let me walk you through some of the fields. The first thing you see is a key, we need to configure this on the TACACS+ server and on each network device that you want to control with the TACACS+ server.

By default there is no key:

#key = "your key here"

Change it to something else and get rid of the #:

key = "MYKEY"

I’ll call my key “MYKEY“. The second part is an ACL:

acl = default   {
                #permit = 192\.168\.0\.
                permit = 192\.168\.2\.1

The ACL uses regular expressions so you can configure what IP addresses or networks are allowed to use the TACACS+ server. By default it only permits IP address 192.168.2.1.

The next part are host-specific parameters:

# Example of host-specific configuration:
host = 192.168.2.1 {
        prompt = "Enter your Unix username and password, Username: "
        # Enable password for the router, generate a new one with tac_pwd
        #enable = des 4P8MBRmulyloo

Here you can configure the IP address of the network device that you want to control and the prompt that it should show the user when he/she tries to log into the network device. You can also set the enable password if you want.

Next we will see some group specific parameters:

# Group that is allowed to do most configuration on all interfaces etc.
group = admin {
        # group members who don't have their own login password will be
        # looked up in /etc/passwd
        #login = file /etc/passwd
        login = PAM

        # group members who have no expiry date set will use this one
        #expires = "Jan 1 1997"

        # only allow access to specific routers
        acl = default

        # Needed for the router to make commands available to user (subject
        # to authorization if so configured on the router
        service = exec {
                priv-lvl = 15
                #default service = permit
 }

        cmd = username {
                permit .*
        }
        cmd = enable {
                permit .*
        }
        cmd = show {
                permit .*
        }
        cmd = exit {
                permit .*
        }
        cmd = configure {
                permit .*
        }
        cmd = interface {
                permit .*
        }
        cmd =  switchport  {
                permit .*
        }
        cmd = description {
                permit .*
        }
        cmd = no {
                permit shutdown
        }

By default there’s a group called admin and login is set to PAM. This means we will use the user database of the linux machine. The admin group is also susceptible to the default ACL. If you also use authorization you can configure the commands that the admin groups is allowed to use. Let’s take a look at the next group:

# A group that can change some limited configuration on switchports
# related to host-side network configuration
group = sysadmin {
        # group members who don't have their own login password will be
        # looked up in /etc/passwd:
        #login = file /etc/passwd
        # or authenticated via PAM:
        login = PAM
        acl = default

        # Needed for the router to make commands available to user (subject
        # to authorization if so configured on the router
        service = exec {
                priv-lvl = 15
        }
        cmd = enable {
                permit .*
        }
        cmd = show {
                permit .*
        }
        cmd = exit {
                permit .*
        }
        cmd = configure {
                permit .*
        }
        cmd = interface {
                permit FastEthernet.*
                permit GigabitEthernet.*
        }
        cmd =  switchport  {
                permit "access vlan.*"
                permit "trunk encapsulation.*"
                permit "mode.*"
                permit "trunk allowed vlan.*"
        }
        cmd = description {
                permit .*
        }

        cmd = no {
                permit shutdown
        }

}

}

The sysadmin group is similar to the admin group. You can see a number of commands that they are allowed to use (if you use authorization).

Below the group configuration you’ll find a couple of default users:

user = joe {
        login = PAM
        #member = sysadmin
        member = admin
}

user = fred {
        login = PAM
        member = sysadmin
}

User Joe is a member of the admin group and Fred belongs to the sysadmin group. Keep in mind we still need to create these users as it is set to PAM.

There’s also a part for RANCID. If you have no idea what this is, RANCID is software that can monitor network devices and check if their configuration was changed, check the routing table, log changes, run commands to extract certain information, e-mail reports and more.

# User account configured for use with "rancid"
user = rancid {
        # Generate a new password with tac_pwd
        #login = des LXUxLCkFhGpwA

        service = exec {
                priv-lvl = 15
        }

        cmd = show { permit .* }
        cmd = exit { permit .* }
        cmd = dir { permit .* }
        cmd = write { permit term }
}

Last but not least there’s a global enable password that we can use:

# Global enable level 15 password, generate a new one with tac_pwd
user = $enab15$ {
        #login = des 97cZOIgSXU/4I
}

Now you have an idea what the tac_plus configuration looks like, let’s create a user and test if authentication is working.

We’ll create a user called “Joe” on the linux machine 

[root@server etc]# adduser joe
[root@server etc]# passwd joe
Changing password for user joe.
New password: 
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
Retype new password: 
passwd: all authentication tokens updated successfully.

Don’t forget to start the daemon:

[root@server etc]# service tac_plus start
Starting tacacs+:                                          [  OK  ]

If you want to enable it on startup you can use chkconfig:

[root@server etc]# chkconfig --add tac_plus
[root@server etc]# chkconfig tac_plus on
Don’t forget to configure your firewall to allow TCP port 49 for tac_plus.
 firewall-cmd --zone=public --permanent --add-port=49/tcp

Comments

Popular posts from this blog

Configure IPsec site-to-site VPN in Linux Machine

Free Radius setup/configuration in Linux [Ubuntu/CentOS]