TACACS+ (tac_plus daemon) ACL


I covered how to install and configure TACACS+ (tac_plus) on Ubuntu here. In this blog post, I am going to cover how to deny a group access to a network device or a group of network devices. Yes, you can restrict source IPs with ACLs on routers, switches, or ASA firewalls. However, if your security policy requires a jump server for management access, an IP-based ACL cannot tell users apart: everyone coming through the jump server shares its IP address, so all of them are allowed in. With this guide, you'll be able to restrict access to network devices per user or per group on the tac_plus server itself.

This guide assumes you already know how to configure the TACACS+ (tac_plus) daemon. If you haven't had a chance to work on it yet, please visit the earlier post here. Without further ado, here is the configuration that restricts a group of users on a particular network device.

The above configuration restricts the group called Test from accessing the network device with the IP address 192.168.12.100. The address you put in tac_plus.conf must be the address of the TACACS+ source interface (ip tacacs source-interface interface_type_here) configured on the network device, because tac_plus matches the ACL against the source address of the TACACS+ request, not against the address the user connected to. If the device sources its TACACS+ traffic from an interface whose address is not the one in tac_plus.conf, the ACL never matches, and the group is allowed in no matter which of the device's addresses they connect to.

Below is an example of a user who is a member of the Test group trying to access the network device and being denied.

The example config below shows how to restrict one or more groups using regex (regular expressions). If you are not a scripter/programmer, like me, feel free to use the cheat sheet found here. For more detail, regex is covered in the CCIE Routing and Switching Certification Guide by Wendell Odom.
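Both ACL styles described above, as an added example that is not the post's own configuration: a tac_plus.conf fragment that keeps the Test group off the single device 192.168.12.100 and off every device sourcing TACACS+ from 172.17.99.0/24 (the range the denied attempt below comes from), and, for the NOC use case, lets a NOC group reach only an access-layer range. The ACL and group names, the NOC range 10.10.0.0/16, the user name, the config path in the comment, and the login = file /etc/passwd method are assumptions for illustration; the shared key is a placeholder.

```conf
# /etc/tacacs+/tac_plus.conf  (added example; path as used by the Ubuntu package)
key = "REPLACE_WITH_SHARED_SECRET"

accounting file = /var/log/tac_plus.acct

# An ACL is a list of regular expressions matched, in order, against the
# address the TACACS+ request arrives from, i.e. the device's
# "ip tacacs source-interface" address. The first entry that matches wins.
# Anchor the patterns: an unanchored 192\.168\.12\.1 would also match
# 192.168.12.10 and 192.168.12.100. Patterns stay within basic regex syntax.

# Deny-list: the Test group may reach everything except one router and one /24.
acl = test_group_acl {
    deny   = ^192\.168\.12\.100$
    deny   = ^172\.17\.99\.
    permit = .*
}

# Allow-list: NOC may reach only the access layer (assumed to be 10.10.0.0/16);
# distribution, core and firewalls are denied by the catch-all.
acl = noc_access_layer_only {
    permit = ^10\.10\.
    deny   = .*
}

# Each user or group carries at most one acl.
group = Test {
    acl = test_group_acl
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

group = NOC {
    acl = noc_access_layer_only
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

user = jdoe {
    member = Test
    login = file /etc/passwd
}
```

The closing permit = .* or deny = .* in each list makes the outcome independent of what tac_plus does when no entry matches. On the IOS side, pin the device's TACACS+ traffic to the address the ACL names with ip tacacs source-interface (for example Loopback0); if the request arrives from another interface address, the deny entries never fire. Check the syntax with tac_plus -P -C /etc/tacacs+/tac_plus.conf before restarting the daemon, then confirm with a login attempt from a member of the group against both a denied and a permitted device.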

Here's an attempt by a member of the Test group being denied.

If you noticed, the first attempt (172.17.99.50) produced more prompts than the others. This might be an IOS bug, a difference in device type, or just how this particular IOS/device behaves with tac_plus. Unfortunately, I didn't dig deeper. In any case, tac_plus denied access to the device.

With this config, an organization can give privileged access to certain users or groups while still denying them access to certain devices. For example, an organization may allow NOC employees to make changes on access-layer routers/switches but not allow them to connect to distribution and core routers/switches or ASA firewalls.

Hope this has been helpful and thank you for reading!

You might also like to read

How to build and configure tac_plus

Reference

TACACS+ daemon


About Andrew Roderos

Andrew Roderos is an IT professional who specializes in networking, a CCIE aspirant, and forever a student of technology. The technologies he is most interested in are routing and switching, virtualization, data center, and a little bit of network security. Outside of the information technology world, he enjoys reading science fiction books, manga, and photography.

  • Ratha HENG

    Hi,
    How can I configure one user to get different permissions on two hosts (host A and host B)?
    => Example
    – user1 has only show permission on host A
    – user1 (the same user) has full permission on host B
    Please kindly help me. I am looking forward to hearing from you soon.

    Thanks in advance!

  • Tacacs_warrior

    Hi Andrew,

    How do I give a user the right to configure only this line: "switchport access vlan 101", and only on this interface: "interface GigabitEthernet2/0/1"?

        interface GigabitEthernet2/0/1
         switchport access vlan 101
         switchport mode access

    Thank you very much for your help,

    Vincent

    Content of tac_plus.conf file:

        user = appr2 {
            member = group_1
            login = cleartext appr2
        }

        group = group_1 {
            service = exec {
                priv-lvl = 0
                #default service = permit
            }
            cmd = enable {
                permit .*
            }
            cmd = show {
                deny "interfaces.*"
                permit "running.*"
            }
            cmd = configure {
                permit .*
            }
            cmd = switchport {
                permit "^access vlan [128][0-9][0-9] $"
                deny "^mode access $"
            }
        }

    Configuration of the network device (Cisco Catalyst 3750):

        aaa new-model
        aaa authentication login default group tacacs+ local
        aaa authentication enable default group tacacs+ enable
        aaa authorization exec default group tacacs+ local
        aaa authorization exec default group tacacs+ none
        aaa authorization commands 1 default group tacacs+ local
        aaa authorization commands 15 default group tacacs+ local
        aaa accounting delay-start
        aaa accounting exec default start-stop group tacacs+
        aaa accounting commands 0 default start-stop group tacacs+
        aaa accounting commands 1 default start-stop group tacacs+
        aaa accounting commands 15 default start-stop group tacacs+
        tacacs-server host 192.168.10.121
        tacacs-server directed-request
        tacacs-server key 7 key

    • I haven't been playing with tac_plus, so I can't try it out. What I think you should try is to allow the group to enter interface mode but only permit Gi2/0/1. On another line, permit the switchport command but only permit access vlan 101. When I set up tac_plus, I had to do a lot of trial and error until I was happy with the configuration. I have a sample of what I've configured before here. http://networkjutsu.com/tacacs/
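What that suggestion looks like in tac_plus.conf, as an added example rather than the author's or Vincent's configuration: group_1 may enter configuration mode, may enter only GigabitEthernet2/0/1, and may run only "switchport access vlan 101" there; everything not listed is denied because no default service = permit is given. It assumes IOS hands tac_plus each command fully expanded ("interface GigabitEthernet2/0/1" even when the user typed "int gi2/0/1") and that the patterns are matched against the command's arguments; the priv-lvl of 15 replaces the posted priv-lvl 0 plus enable so the user lands directly in privileged mode.

```conf
# tac_plus.conf fragment (added example; not the author's or Vincent's config)
# Assumption: IOS sends commands fully expanded, and each cmd block's
# regexes are matched against the arguments that follow the command name.
# The trailing [^0-9]*$ accepts whatever follows the last argument (a
# space, IOS's "<cr>" marker, or nothing at all) while still rejecting
# "access vlan 1010" and "GigabitEthernet2/0/10". Basic regex only.
group = group_1 {
    service = exec {
        # log straight into privilege 15; every command is then authorized one by one
        priv-lvl = 15
    }
    cmd = configure {
        # "configure terminal" only, not "configure replace"/"configure memory"
        permit "^terminal"
    }
    cmd = interface {
        permit "^GigabitEthernet2/0/1[^0-9]*$"
    }
    cmd = switchport {
        permit "^access vlan 101[^0-9]*$"
        # "switchport mode access" and every other switchport form are
        # not matched, so they fall through to the implicit deny
    }
    cmd = show {
        permit "^running-config"
    }
    cmd = write {
        permit "^memory"
    }
    cmd = end {
        permit .*
    }
    cmd = exit {
        permit .*
    }
}
```

On the switch, the aaa authorization commands 15 line already in the posted config is what sends each command to tac_plus; configuration-mode commands are included unless aaa authorization config-commands has been turned off (it is on by default). Verify by logging in as a group_1 member and trying switchport mode access and interface GigabitEthernet2/0/2: both should be rejected with "Command authorization failed", while switchport access vlan 101 on Gi2/0/1 goes through.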

  • Devarsh

    Hello everyone,
    Can someone help with how to configure tacacs+ on an Ubuntu server for Juniper devices?

  • Gino

    Hello

    I just installed TACACS+ on an Ubuntu server and it works OK. The only problem is that I want to enable the users to reset their own password whenever they want and as often as they want, but the one or two methods I found on the internet are not working, such as this one:
    http://tnnoble.wordpress.com/2008/10/05/easiest-way-to-change-password-of-a-tacacs-enabled-username/

    I wonder if you can help me out on this one.

    Thanks

    • Please visit my guide on how to install tac_plus: http://networkjutsu.com/tacacs/. The guide uses the local Linux user accounts, so they can change their password as often as they want to.

      • Gino

        Thanks Andrew for your reply. Also, I clicked on the link you provided and it is a 404! The point is, in the company I work for they do not use Linux local users (I recommended that to them), so I defined the users in the tacacs+ config file. So I am wondering if there is any way for users to update their password themselves!!

        • You have to take out the parenthesis. Anyway, that guide won't help you if you are not using the Linux local user account(s). You may be able to link the user accounts for tac_plus to your AD accounts. However, I do not have a guide for that, nor was I able to find a good guide that links tac_plus and AD. If you do find one that works, please let me know.

  • Nice site! Very helpful. Thanks!

  • Sebastien Pepin

    Hi Andrew,

    Nice howto... I wonder if it's possible to implement password hardening with tac_plus, like lockout, history, strong passwords, and expiring passwords? Or should I check the Linux settings to implement those features?

    thanks

    • Thanks! You raise a very good point! I am not sure tac_plus can actually do that; feel free to let me know if you figure it out, though. That said, I'd say use the Linux settings to implement the security features you're talking about. My other blog post on how to install and configure tac_plus mentioned using passwords tied to /etc/passwd, so I am pretty sure there are Linux settings that do lockout, history, and stronger password requirements.