IT Systems
17 votes, 11 comments. Has anyone used an open source TACACS server like TACACS.net for Cisco AAA? Just curious if it's a valid replacement.
Tacacs Plus is a identity and access management solutions with a protocol for AAA services such as , authentication, authorization, accounting. It is used as a centralized authentication and identity access management to network devices.
Tacplus is a TACACS+ daemon for Linux, It’s based on the original Cisco source code and works with a simple configuration file. Ip tacacs source-interface Loopback0 This sets the source interface the router uses to connect to the server, and thus the address is the primary address of that interface. 192.168.0.1/32, for exmaple. Tacplus is a TACACS+ daemon. It provides Cisco Systems routers and access servers with authentication, authorisation and accounting services. This version is a major rewrite of the original Cisco source code. Using the tacacs-server host command, you can also configure the following options: Use the single-connection keyword to specify single-connection. Rather than have the router open and close a TCP connection to the daemon each time it must communicate, the single-connection option maintains a single open connection between the router and the daemon.
It is the protocols security that can provide a specific authorization with centralized access to particular user to work with network devices. With accounting, it gives a mandatory audit logs or event log monitoring by logging all actions executed by privileged users.
Tacacs For Windows Server
In this article of how to install Tacac+ identity and access management solutions , it is presumed that:
a. You have already install RHEL/CentOS 7 Linux dedicated server up and running. In case that you don’t, you would probably like to read this link. Minimal RHEL/CentOS 7 Installation With Logical Volume Manager (LVM).
b. You have already done the initial server setup. Please refer to this link Minimal RHEL/CentOS 7 Initial Server Setup.
First of all we need to create a new Yum repository file where we can grab tac_plus packet of Tacac+ identity and access management solutions, so we don’t need to compiling the source code.
# cd /etc/yum.repos.d/
# vim tacacs-plus.repo
[tacacs-plus]
name=Tacacs Plus
baseurl=http://li.nux.ro/download/nux/misc/el6/x86_64/
enabled=0
gpgcheck=1
gpgkey=http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
Now we can start to install Tacac+ identity and access management solutions by installing tac_plus packet by using the following command.
# yum –enablerepo=tacacs-plus install tac_plus
Below is the configuration requirement. There are two groups. The first group name is “netadmins” with full privilege on the network devices and the second group name is “guestusers” who can only execute command show view the configuration but not be able to make any change on the network devices.
Cisco Tacacs+ Server
| Authentication | Authorization Commands | Accounting | |
| Group Name | Group Member | ||
| netadmins | tom | Full privileges | /var/log/tac.acct |
| jerry | |||
| guestusers | noc | show | |
| exit | |||
| end | |||
Before starting to edit Tacacs Plus Tacac+ identity and access management solutions configuration file to meet above requirement.
we should generate the encrypted password for Tacacs Plus user first by executing command tac_pwd as shown below. Since it is a test, we will give “tom”, “jerry” and “noc” user the same password. So, we do not need to generate the password for three times.
# tac_pwd
Password to be encrypted: 4444
AQTf0/E.xcBhU
We can start editing Tacacs Plus Tacac+ identity and access management solutions configuration file as the following.
# vim /etc/tac_plus.conf
key = “VK@123”
accounting file = /var/log/tac.acct
## Groups Definition ##
group = netadmins {
default service = permit
service = exec {
priv-lvl = 15
}
}
group = guestusers {
default service = deny
service = exec {
priv-lvl = 15
}
cmd = show {
permit .*
}
cmd = exit {
permit .*
}
cmd = quit {
permit .*
}
cmd = end {
permit .*
}
}
## Users Definition ##
user = tom {
login = des AQTf0/E.xcBhU
member = netadmins
}
user = jerry {
login = des AQTf0/E.xcBhU
member = netadmins
}
user = noc {
login = des AQTf0/E.xcBhU
member = guestusers
}
Finally, we need to start tac_plus service of Tacac+ identity and access management solutions and enable it to start after systems reboot.
# system restart tac_plus
# chkconfig tac_plus on
We can view tac_plus port with the following command.
Free Tacacs
# nmap localhost
Starting Nmap 6.40 ( http://nmap.org ) at 2017-05-25 22:19 +07
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000080s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
49/tcp open tacacs
Nmap done: 1 IP address (1 host up) scanned in 0.10 second
Now we need to open the firewall for tac_plus port.
# vim /etc/sysconfig/iptables
-A INPUT -p tcp -m state –state NEW -m tcp –dport 49 -j ACCEPT
# systemctl restart iptables
# iptables -L -v -n
Free Tacacs Server
This is how to configure Tacacs+ identity and access management solutions on RHEL/CentOS 7. Hopefully, you can understand and be able to install and configure for authenticating with Tacacs Plus users. If you have any questions or suggestions you can always leave your comments below. I will try all of my best to review and reply them. Thank you and have a great day.
Comments
Open Source Tacacs Server Linux Command
comments
Related posts: