TACACS+ Installation and Configuration
Summary
This document provides the steps necessary to download and configure the TACACS+ CentOS 7 VM. The shipped tac_plus configuration already covers the most common use cases, including AD/LDAP integration, privilege levels and per-command authorization, and can be customized to meet the specific requirements of your environment.
TACACS+ OVA Download
Click the link below to download the TACACS+ CentOS 7 OVA, then import the OVA into your existing ESXi infrastructure. The OVA was built on ESXi 6.5 with VM Hardware Version 13.
SafeConnect Download Page - TACACS+
The VM image requires 4 GB of dedicated memory, a 40 GB thin-provisioned storage partition and 2 vCPUs.
TACACS+ VM Configuration
The default username and password are below:
user = root
password = P@55w0rD
It is highly recommended that you change the default password. To do this, type passwd and press Enter; you will be prompted for the new password.
Configure networking:
vi /etc/sysconfig/network-scripts/ifcfg-ens160
Change the following fields to the desired setting for your network.
IPADDR=x.x.x.x
NETMASK=x.x.x.x
GATEWAY=x.x.x.x
DNS1=x.x.x.x
DNS2=x.x.x.x
systemctl restart network.service
Configure the desired hostname for the server:
hostnamectl set-hostname hostname.your.domain
Reboot for the hostname change to take effect.
TACACS+ Configuration – AD/LDAP
vi /usr/local/etc/tac_plus.cfg
#!/usr/local/sbin/tac_plus
id = spawnd {
    listen = { port = 49 }
    spawn = {
        instances min = 1
        instances max = 10
    }
    background = yes
}
id = tac_plus {
    access log = /var/log/tac_plus/access/%Y%m%d.log
    accounting log = /var/log/tac_plus/acct/%Y%m%d.log
    authentication log = /var/log/tac_plus/authentication/%Y%m%d.log
    authorization log = /var/log/tac_plus/authorization/%Y%m%d.log
    #debug = ALL
    mavis module = external {
        script out = {
            # Require group membership: a valid AD password alone is not enough
            if (undef($TACMEMBER) && $RESULT == ACK) set $RESULT = NAK
            # Don't cache passwords:
            if ($RESULT == ACK) set $PASSWORD_ONESHOT = 1
        }
        setenv LDAP_SERVER_TYPE = "microsoft"
        ###################################################
        # Comment/uncomment below to select LDAP or LDAPS #
        ###################################################
        #setenv LDAP_HOSTS = "ldap://x.x.x.x:389"
        setenv LDAP_HOSTS = "ldaps://x.x.x.x:636"
        setenv LDAP_BASE = "dc=your,dc=domain,dc=here"
        setenv LDAP_USER = "user@your.domain.here"
        setenv LDAP_PASSWD = "your_ldap_password"
        setenv REQUIRE_TACACS_GROUP_PREFIX = 1
        exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
    }
    login backend = mavis
    user backend = mavis
    pap backend = mavis
    host = world {
        address = ::/0
        #################################################
        # Adjust prompt below to preferred login banner #
        #################################################
        prompt = "\nUnauthorized Access Is Prohibited\n\n"
        enable 15 = clear your_enable_secret
        # Use plain ASCII double quotes here; typographic quotes break the parser
        key = "your_tacacs_key"
    }
}
TACACS+ Configuration - Privilege Level Concept
The following group definitions assign a privilege level to users based on their AD group membership.
AD groups must be prefixed with "TACACS" when created on the AD server; the prefix is dropped when the group is referenced in tac_plus.cfg, e.g. TACACSNetEngPriv in AD corresponds to NetEngPriv in tac_plus.cfg.
group = NetEngPriv {
    enable = login
    default service = permit
    service = shell {
        default command = permit
        default attribute = permit
        set priv-lvl = 15
    }
}
group = NetAdminPriv {
    default service = permit
    service = shell {
        default command = permit
        default attribute = permit
        set priv-lvl = 1
    }
}
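The two "script out" rules in tac_plus.cfg above and the TACACS group prefix convention, modelled in Python as an added example (this is not code from the page or from the MAVIS LDAP backend); the first-RDN-only DN parsing and the dict standing in for MAVIS attributes are simplifying assumptions:

```python
# Constructed model of the page's MAVIS flow: the LDAP backend reports whether
# the AD bind succeeded and which groups the user belongs to; the 'script out'
# rules from tac_plus.cfg then decide what the daemon actually sees.
TACACS_GROUP_PREFIX = "TACACS"   # REQUIRE_TACACS_GROUP_PREFIX = 1 on the page


def tacacs_groups(member_of, prefix=TACACS_GROUP_PREFIX):
    """Map AD memberOf DNs to tac_plus group names (hypothetical helper).

    Only groups whose CN starts with the prefix count, and the prefix is
    stripped: TACACSNetEngPriv in AD becomes NetEngPriv in tac_plus.cfg.
    """
    groups = []
    for dn in member_of:
        rdn = dn.split(",", 1)[0].strip()        # first RDN only (simplification)
        if not rdn.upper().startswith("CN="):
            continue
        cn = rdn[3:]
        if cn.startswith(prefix) and len(cn) > len(prefix):
            groups.append(cn[len(prefix):])
    return groups


def script_out(result, member_of):
    """Apply the page's two 'script out' rules to a backend result.

    result is "ACK" (bind succeeded) or "NAK". The returned dict stands in
    for the MAVIS attributes the daemon would consume.
    """
    attrs = {"RESULT": result}
    members = tacacs_groups(member_of)
    if members:
        attrs["TACMEMBER"] = members
    # if (undef($TACMEMBER) && $RESULT == ACK) set $RESULT = NAK
    # A valid AD password without a TACACS* group is not enough to log in.
    if "TACMEMBER" not in attrs and attrs["RESULT"] == "ACK":
        attrs["RESULT"] = "NAK"
    # if ($RESULT == ACK) set $PASSWORD_ONESHOT = 1
    # Do not cache the password, so every login is re-checked against AD.
    if attrs["RESULT"] == "ACK":
        attrs["PASSWORD_ONESHOT"] = 1
    return attrs


if __name__ == "__main__":
    # Constructed sample group DNs, not real directory data.
    eng = ["CN=TACACSNetEngPriv,OU=Groups,DC=your,DC=domain,DC=here",
           "CN=Domain Users,CN=Users,DC=your,DC=domain,DC=here"]
    print(script_out("ACK", eng))       # group member: ACK + PASSWORD_ONESHOT
    print(script_out("ACK", eng[1:]))   # no TACACS* group: NAK
```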
TACACS+ Configuration - Per Command Authorization
As an alternative to privilege levels, the following configuration can be used to assign the specific commands that a user is allowed to issue.
The privilege level defaults to 1.
group = NetAdminCmd {
    default service = deny
    service = shell {
        default command = deny
        default attribute = deny
        cmd = ping { permit .* }
        cmd = show { permit .* }
        cmd = traceroute { permit .* }
        # Permit only "terminal length ..."; the bracketed form "[length].*" is a
        # character class and would also permit e.g. "terminal history"
        cmd = terminal { permit length.* }
        cmd = exit { permit .* }
    }
}
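A small evaluator for the NetAdminCmd policy above, added here as an example (not the daemon's own matching code), useful for checking which command lines the group would permit before deploying the configuration; the matching model (first word is the command, regexes matched from the start of the argument string, unmatched commands fall back to "default command") is a simplifying assumption:

```python
import copy
import re

# Constructed model of the page's NetAdminCmd group: everything not listed is
# denied, and each listed command carries permit/deny regexes for its arguments.
NETADMIN_CMD_POLICY = {
    "default_command": "deny",
    "cmds": {
        "ping":       [("permit", r".*")],
        "show":       [("permit", r".*")],
        "traceroute": [("permit", r".*")],
        "terminal":   [("permit", r"length.*")],   # only 'terminal length ...'
        "exit":       [("permit", r".*")],
    },
}

# The 'terminal' rule as originally written on the page. Square brackets make a
# character class, so this matches any argument starting with l, e, n, g, t or h.
PAGE_ORIGINAL_TERMINAL_REGEX = r"[length].*"

def authorize(policy, cmdline):
    """Return 'permit' or 'deny' for one command line.

    Simplified model (an assumption, not the daemon's own matching code): the
    first word is the command, the rest is the argument string, regexes are
    matched from the start of that string, and a command with no matching
    regex falls back to the group's 'default command' action.
    """
    parts = cmdline.strip().split(None, 1)
    if not parts:
        return policy["default_command"]
    cmd = parts[0]
    args = parts[1] if len(parts) > 1 else ""
    for action, regex in policy["cmds"].get(cmd, []):
        if re.match(regex, args):
            return action
    return policy["default_command"]

def authorize_with_terminal_regex(regex, cmdline):
    """Evaluate a command line with a different regex for 'terminal'."""
    policy = copy.deepcopy(NETADMIN_CMD_POLICY)
    policy["cmds"]["terminal"] = [("permit", regex)]
    return authorize(policy, cmdline)

if __name__ == "__main__":
    for line in ("show running-config", "terminal length 0",
                 "terminal history", "configure terminal"):
        print(f"{line!r:24} corrected={authorize(NETADMIN_CMD_POLICY, line):6} "
              f"original={authorize_with_terminal_regex(PAGE_ORIGINAL_TERMINAL_REGEX, line)}")
```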
TACACS+ Configuration - Validation
Once the desired changes have been made, the tac_plus configuration must be verified and the service restarted for the changes to take effect; this applies every time tac_plus.cfg is edited.
Pre-flight check (Make sure there are no errors returned):
/usr/local/sbin/tac_plus -P /usr/local/etc/tac_plus.cfg
Restart the service:
systemctl restart tac_plus.service
Make sure that the service is running (type the -l option with a plain ASCII hyphen; a typographic dash, as in the example output below, makes systemctl look for a unit named "–l.service"):
systemctl status tac_plus.service -l
Example Output:
[root@tacacs-vm ~]# /usr/local/sbin/tac_plus -P /usr/local/etc/tac_plus.cfg
[root@tacacs-vm ~]# systemctl restart tac_plus.service
[root@tacacs-vm ~]# systemctl status tac_plus.service –l
● tac_plus.service - TACACS+ Service
   Loaded: loaded (/etc/systemd/system/tac_plus.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2017-05-30 17:57:09 EDT; 12s ago
 Main PID: 5709 (tac_plus)
   CGroup: /system.slice/tac_plus.service
           ├─5709 tac_plus: 0 connections, accepting up to 600 more
           ├─5710 tac_plus: 0 connections
           └─5711 perl /usr/local/lib/mavis/mavis_tacplus_ldap.pl

May 30 17:57:09 tacacs-vm.impulse.com systemd[1]: Started TACACS+ Service.
May 30 17:57:09 tacacs-vm.impulse.com systemd[1]: Starting TACACS+ Service...
May 30 17:57:09 tacacs-vm.impulse.com tac_plus[5709]: startup (version 201705210930)
May 30 17:57:09 tacacs-vm.impulse.com tac_plus[5709]: epoll event notification mechanism is being used
May 30 17:57:09 tacacs-vm.impulse.com tac_plus[5709]: bind to [::]:49 succeeded
May 30 17:57:09 tacacs-vm.impulse.com tac_plus[5710]: - Version 201705210930 initialized
May 30 17:57:09 tacacs-vm.impulse.com tac_plus[5710]: epoll event notification mechanism is being used
Unit –l.service could not be found.
[root@tacacs-vm ~]#
Device Configuration – Cisco Example
If the device is unable to reach the TACACS+ server, it falls back to the local credentials after the default or configured time-out. Note that the methods in an AAA method list are tried in order: the default login list below consults the local database first and then tacacs+, whereas the telnet and console lists try tacacs+ first and use local only when the server does not respond (a login rejected by the server does not trigger the fallback).
conf t
!
aaa new-model
!
aaa authentication login default local group tacacs+
aaa authentication login telnet group tacacs+ local
aaa authentication login console group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
tacacs-server host x.x.x.x
tacacs-server key your_tacacs_key
tacacs-server administration
!
end
End-to-End Validation
To validate the result on the switch, log in as a user in one of the TACACS+ AD groups and issue the show privilege command for the privilege level concept, or "?" for per-command authorization.
Privilege Level Concept
Per-Command Authorization
TACACS+ Logging Examples:
Access log:
Accounting log:
Authentication log:
Authorization log:
COPYRIGHT © 2017 Impulse Point LLC. ALL RIGHTS RESERVED