In this blog post, I will cover how to build and configure TACACS+ on Ubuntu Server using tac_plus. While this is an old blog post, the instructions covered here are still valid on Ubuntu Server 16.04 LTS. I highly recommend that you integrate two-factor authentication (2FA) as well, which is covered here.
If you are looking for an alternative to Cisco Secure Access Control Server (ACS) and how to implement it, then you came to the right place. Since you are looking for an alternative, I think it is safe to assume that you’ve seen the price tag of Cisco Secure ACS (now EoS/EoL; its functionality lives on in Cisco ISE) and think it’s too expensive for your network; my quote was $17K. A lot of companies do not have a budget for something like that. The Great Recession didn’t help either, since many more companies are tightening their belts, especially on IT projects, and that’s nothing new.
Having said all of that, how can network engineers harden their networking devices in a cost-efficient way? Well, let’s thank Cisco for releasing the TACACS+ source code back in the day, and of course the open source community. The source can still be downloaded from Cisco’s FTP site. Cisco has not updated this source code for probably more than a decade, but the open source community has made changes to it, so its features may be better than those of the original source. However, if you’re just looking for simple AAA (Authentication, Authorization, Accounting), then tac_plus will be fine. This is actually one of the topics in the Cisco Press book Network Administrators Survival Guide.
Tac_plus is a TACACS+ daemon for Linux that is based on the original Cisco TACACS+ source code.
Security is paramount to any organization, so hardening the organization’s networking devices adds a layer to its security. A security enthusiast once told me that security is more effective if you deploy it in several layers. By deploying security in layers, organizations can mitigate security risks. Cisco Secure ACS can add a layer to the organization’s security by providing AAA. The appliance or software serves as the NAS (Network Access Server) and it supports two security protocols, RADIUS (Remote Access Dial-In User Service) and TACACS (Terminal Access Controller Access Control Server).
The main difference between the two protocols is how they encrypt the packet. RADIUS only encrypts the password; the rest is unencrypted, so the username, authorized services, and accounting can be captured. TACACS+, on the other hand, encrypts the entire packet, which is more secure. If you are tasked with deploying AAA in your organization, make sure that you opt for the TACACS+ implementation and not RADIUS.
This article will talk about how to deploy TACACS+ using the publicly available source code from Cisco. Without further delay, here’s the tutorial on how to implement TACACS+.
What’s needed
In this tutorial, you will need the following:
- Know how to download, install, and update the latest Ubuntu Linux (the latest at the time of writing is Ubuntu 11.04; preferably the Server Edition).
- Know how to use the vi editor or any other text editor in a Linux environment.
- Physical machine(s) or virtual machine(s)
- 6GB of hard drive space is more than enough. Though, if you’re concerned about keeping tons of accounting logs, feel free to increase the size.
- 256MB of RAM should be enough. Start small and monitor your memory usage.
Instructions
Below are the steps for successfully implementing TACACS+ for your routers and switches.
Download, Install and Update
Download, install and update Ubuntu 11.04 Server Edition on your machine(s). While one machine is enough, I suggest deploying two for backup. If getting another physical/virtual machine is an issue, then do not worry about it. A backup user account will be created in this tutorial, so when TACACS+ is not available network administrators/technicians/engineers can still authenticate and issue commands.
Download and install TACACS+ by issuing the command below:
sudo apt-get install tacacs+
Edit tac_plus Configuration File
Once installed, you’re now ready to edit the tac_plus configuration file. I will break down the configuration file to explain what each part does.
Use the vi editor to edit the configuration file, or feel free to use nano or any other text editor available.
admin@ubuntu:~$ vi /etc/tacacs+/tac_plus.conf
The default location of the TACACS+ accounting log is /var/log/tac_plus.acct. Feel free to change this to your liking. However, I suggest you restrict the read and write permissions using chmod, so that only certain users or groups are allowed to view or edit the file.
accounting file = /var/log/tac_plus.acct
Define TACACS+ Key
Define your TACACS+ key here. Remember this key, since it will be used later in your AAA configuration.
key = tacacskey123
User Accounts And Groups
In this section, I will create three user accounts and assign each to its proper group.
#*************************
#***USERS ACCOUNTS HERE***
#*************************
user = NetworkEngineer1 {
member = Network_Engineers
}
user = FieldTech1 {
member = Field_Techs
}
user = Manager1 {
member = Managers
}
In this tutorial, I will not use the built-in DES encryption of the TACACS+ daemon, because DES was cracked back in the late 90s. Instead, I will use Linux’s default authentication and incorporate that into tac_plus.conf.
This section will create the groups, specify their authentication method (in this case /etc/passwd, i.e. Linux user authentication), and define which commands each group is authorized to run.
Network engineers have all commands available to them. The default service = permit parameter tells the TACACS+ daemon that all commands are allowed for this group. The login = file /etc/passwd parameter tells the daemon to look for a matching user account and password in that file; if it matches, the account is allowed to log in to the router or switch. The enable = file /etc/passwd parameter tells the daemon to match the user’s password the same way; if it matches, the user is allowed to enter privileged EXEC mode, also known as enable mode.
#*************************
#*** GROUPS HERE ***
#*************************
group = Network_Engineers {
default service = permit
login = file /etc/passwd
enable = file /etc/passwd
}
Permissions
Field Technicians, on the other hand, have a default service = deny parameter, which tells the daemon that, apart from the user EXEC commands, anything not explicitly permitted is denied. Having said that, you will need to permit the commands that they’re allowed to use. service = exec with priv-lvl = 2 lets us give them a higher privilege than an ordinary user. We do not want to give this group privilege level 15, which would be the same level as the network engineers. I will not explain all the parameters here since I believe they’re pretty much self-explanatory for an IT professional who knows Cisco IOS.
group = Field_Techs {
default service = deny
login = file /etc/passwd
enable = file /etc/passwd
service = exec {
priv-lvl = 2
}
cmd = enable {
permit .*
}
cmd = show {
permit .*
}
cmd = do {
permit .*
}
cmd = exit {
permit .*
}
cmd = configure {
permit terminal
}
cmd = interface {
permit .*
}
cmd = shutdown {
permit .*
}
cmd = no {
permit shutdown
}
cmd = speed {
permit .*
}
cmd = duplex {
permit .*
}
cmd = write {
permit memory
}
cmd = copy {
permit running-config
}
}
Managers are given access as well; however, the only privileged EXEC mode access allowed is show running-config. Feel free to add more commands as necessary for your boss and/or your boss’ boss.
group = Managers {
default service = deny
login = file /etc/passwd
enable = file /etc/passwd
service = exec {
priv-lvl = 2
}
cmd = enable {
permit .*
}
cmd = show {
permit .*
}
cmd = exit {
permit .*
}
}
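As an added example that is not part of the original post, the following Python models the command-authorization decisions the Field_Techs and Network_Engineers groups above produce, so you can check a proposed cmd block before pushing it to the daemon. It assumes tac_plus matches the argument string with an unanchored regex search, that no match inside a cmd block means deny, and that a command with no cmd block falls back to default service; the anchored variant shows why a bare permit running-config is looser than it looks.

```python
import re

# Added example (not from the original post): a small model of the tac_plus
# command-authorization rules configured above. Each group has a 'default
# service' plus, per command word, the ordered (action, regex) entries of
# its cmd = X { permit ... } block.
FIELD_TECHS = {
    "default": "deny",
    "cmds": {
        "enable": [("permit", ".*")],
        "show": [("permit", ".*")],
        "do": [("permit", ".*")],
        "exit": [("permit", ".*")],
        "configure": [("permit", "terminal")],
        "interface": [("permit", ".*")],
        "shutdown": [("permit", ".*")],
        "no": [("permit", "shutdown")],
        "speed": [("permit", ".*")],
        "duplex": [("permit", ".*")],
        "write": [("permit", "memory")],
        "copy": [("permit", "running-config")],
    },
}
NETWORK_ENGINEERS = {"default": "permit", "cmds": {}}

# The same group with the copy regex anchored: 'permit running-config' alone
# is also satisfied by 'copy tftp: running-config' because (assumption) tac_plus
# searches the argument string with an unanchored regex, so ^...$ is needed
# when only one exact form should pass.
FIELD_TECHS_ANCHORED = dict(FIELD_TECHS, cmds=dict(
    FIELD_TECHS["cmds"], copy=[("permit", r"^running-config startup-config$")]))

def authorize(group, command_line):
    """True if `group` may run the IOS command line. The first word selects the
    cmd block; the remaining words, joined by one space, are tested against its
    entries in order and the first match decides. Assumptions: no match inside
    a cmd block means deny; no cmd block at all falls back to default service."""
    words = command_line.split()
    if not words:
        return False
    cmd, args = words[0], " ".join(words[1:])
    entries = group["cmds"].get(cmd)
    if entries is None:
        return group["default"] == "permit"
    for action, pattern in entries:
        if re.search(pattern, args):
            return action == "permit"
    return False
```

Run the real daemon in parse-only mode against your edited tac_plus.conf as well; this model only checks the logic of the permit lines, not the file syntax.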
Creating a test user account and group might be a good idea, so you can test the things that have been added to this configuration. This particular test user will only have a cleartext password.
user = test {
member = Test_Group
}
group = Test_Group {
default service = deny
service = exec {
priv-lvl = 2
}
login = cleartext password1
enable = cleartext password1
}
Restart tac_plus Daemon
Most of the time in a Linux/Unix environment, you need to restart the daemon before your configuration takes effect.
admin@ubuntu:~$ sudo /etc/init.d/tacacs_plus restart
password for admin:
* Restarting TACACS+ authentication daemon tacacs+ [ OK ]
admin@ubuntu:~$
User Accounts
It is now time to create the user account under Linux.
admin@ubuntu:~$ sudo adduser test
Adding user `test' ...
Adding new group `test' (1001) ...
Adding new user `test' (1001) with group `test' ...
The home directory `/home/test' already exists. Not copying from `/etc/skel'.
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for test
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
Change Password
For the password, please follow your organization’s standard on default passwords. Always remind users to change their password when they first log in. To change the password, have the user issue the command below.
test@ubuntu:~$ passwd
Changing password for test.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
If I am showing you how to add a Linux user account, then I should show you how to remove one as well, since all organizations lose good and/or bad employees all the time. Not deleting an account is a big no-no and obviously a huge security risk.
admin@ubuntu:~$ sudo deluser test
password for admin:
Removing user `test' ...
Warning: group `test' has no more members.
Done.
Changing IP Address
When you first install Ubuntu, it uses DHCP, and that’s not a great idea for a server (at least at the time of writing). You will need to change the IP configuration on this server, so you can specify the IP of the TACACS+ server(s) on your routers and switches.
admin@ubuntu:~$ sudo vi /etc/network/interfaces
Look for the following:
# The primary network interface
auto eth0
iface eth0 inet dhcp
Once found, change it to something similar to this:
# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.10.100
netmask 255.255.255.0
network 192.168.10.0
broadcast 192.168.10.255
gateway 192.168.10.254
Again, if you change something, the service needs to be restarted.
admin@ubuntu:~$ sudo /etc/init.d/networking restart
* Reconfiguring network interfaces... [ OK ]
admin@ubuntu:~$
If you chose to have two TACACS+ servers and you used a VM, then you don’t need to do a whole lot. Just clone your TACACS+ VM, change the hostname and IP address, and you’re done. Make sure your two TACACS+ VMs are not on the same physical host, so your implementation is fault tolerant.
Cisco Configuration
How to configure AAA on Cisco routers and switches is covered here, and how to configure AAA on a Cisco ASA is covered here. To create ACLs on tac_plus, please see this post.
Final Words
TACACS+ is now ready to go. Congratulations, you just accomplished one part of hardening your organization’s networking devices!
Do not be afraid of Linux. There are a lot of freebies out there that can help your organization save money on network tools and the like. Being free, they won’t be as fancy as paid software, but they will get the job done.
I hope this tutorial has been helpful and thank you for reading!