Saturday, January 10, 2015

TACACS+ server on CentOS

1. Log on with the "root" user account and install TACACS+ by downloading the rpm file below:



2. Edit the TACACS+ configuration file "/etc/tac_plus.conf". Open it with any text editor, gedit for example.


Sample tac_plus.conf content:
################################################
# A. Pre-shared key
key = "mykey"

# B. Location for the accounting log file
accounting file = /var/log/tac.acct

# C. List of permitted network devices which will have access to the TACACS+ server (the ACL is optional and you can have multiple ACLs)
acl = default {
#permit = 192\.168\.0\.
permit = 10\.0\.0\.1
}
# C2. Host-specific configuration (recommended for each network device: first, the prompt gives you proof that the connection to the TACACS+ server is established when it appears; second, you can set an enable password for the device):
host = 10.0.0.1 {
prompt = "Enter your Unix username and password, Username: "
# Enable password for the router, generate a new one with tac_pwd
#enable = des 4P8MBRmulyloo
}

# D. Create a group and specify the privilege level, authorized commands and more (you can create multiple groups) 
group = admin {

# Enable this to authenticate against the users created on CentOS (you still need to define the user in tac_plus.conf; the advantage is that you do not need to update the password in tac_plus.conf every time the user changes it)
#login = PAM

# Group members who have no expiry date set will use this one
#expires = "Jan 1 1997"

# Only allow access to specific routers
acl = default

# Set privilege level
service = exec {
priv-lvl = 15
#default service = permit
}

# set authorized commands 
cmd = username {
permit .*
}
cmd = enable {
permit .*
}
cmd = show {
permit .*
}
cmd = exit {
permit .*
}
cmd = configure {
permit .*
}
cmd = interface {
# this will permit all FastEthernet interfaces
#permit FastEthernet.*
# this will permit all GigabitEthernet interfaces
#permit GigabitEthernet.*
# this will permit all interfaces
permit .*
}
cmd = switchport {
#permit "access vlan.*"
#permit "trunk encapsulation.*"
#permit "mode.*"
#permit "trunk allowed vlan.*"
permit .*
}
cmd = description {
permit .*
}
cmd = no {
permit shutdown
}

}

# E. Create a user and specify the group the user belongs to and the user's password
user = aburadwan {
login = cleartext cisco@541
# Enable if the user is created on CentOS (don't forget to comment out the previous line if enabled)
#login = PAM
member = admin
}

# F. The global enable password (optional)
#user = $enab15$ {
#login = des 97cZOIgSXU/4I
#}
################################################
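The cmd blocks above are an allow-list: tac_plus takes the first word of the command line as the command and matches the rest against that block's permit/deny patterns in order. As an added example (not from the original post), here is a small Python evaluator of the admin group's policy with the commented-out FastEthernet-only and switchport patterns switched on, so it shows what a restrictive rule denies; the unanchored regex search is my assumption about tac_plus's matching, so anchor patterns with ^ and $ when you need exact matches.

```python
import re

# Command-authorization rules for the "admin" group, transcribed from the
# tac_plus.conf above. Constructed for this example: the "interface" and
# "switchport" blocks use the page's commented-out restrictive patterns
# instead of "permit .*" so the allow-list actually denies something.
ADMIN_POLICY = {
    "username":    [("permit", r".*")],
    "enable":      [("permit", r".*")],
    "show":        [("permit", r".*")],
    "exit":        [("permit", r".*")],
    "configure":   [("permit", r".*")],
    "interface":   [("permit", r"FastEthernet.*")],
    "switchport":  [("permit", r"access vlan.*"), ("permit", r"mode.*")],
    "description": [("permit", r".*")],
    "no":          [("permit", r"shutdown")],
}

def authorize(cmdline, policy=ADMIN_POLICY, default_permit=False):
    """Decide whether one command line is allowed for the group.

    The first word is the command; the remaining words, joined by single
    spaces, are matched against that command's permit/deny patterns in
    order and the first match wins. No match inside a cmd block means
    deny; a command with no cmd block falls back to default_permit, which
    models "#default service = permit" (commented out above, so deny).
    The regex search is unanchored (assumption about tac_plus matching).
    """
    words = cmdline.split()
    if not words:
        return False
    cmd, args = words[0], " ".join(words[1:])
    rules = policy.get(cmd)
    if rules is None:
        return default_permit
    for action, pattern in rules:
        if re.search(pattern, args):
            return action == "permit"
    return False

if __name__ == "__main__":
    for line in ["show running-config", "interface FastEthernet0/0",
                 "interface GigabitEthernet0/1", "no shutdown",
                 "no ip address", "reload"]:
        print(f"{'PERMIT' if authorize(line) else 'DENY':6} {line}")
```

Swap in the policy you are about to deploy and run a batch of expected and unexpected commands through authorize() before restarting tac_plus.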

3. To create a user on CentOS, open a terminal and type:
adduser xxx
passwd xxx
where "xxx" is the user's name.

4. Open port 49 on the CentOS firewall


- Open port 49 on all zones (after a successful connection to the TACACS+ server you can decide which zone should allow incoming connections on port 49).
- Make sure that you select "Permanent" at the top so you don't need to open the port again every time you restart CentOS.


5. Start the TACACS+ service by typing the below command in the terminal:
service tac_plus start
Note 1: if you get an error after typing the above command, there is an error in the tac_plus.conf file; usually it is a syntax error, so correct it and start the service again.
Note 2: you need to restart the TACACS+ service every time you make a change to the tac_plus.conf file. Restart the service using the below command:
service tac_plus restart
Note 3: to enable TACACS+ service on startup use the below commands:
chkconfig --add tac_plus
chkconfig tac_plus on


6. Below is my experimental topology. Make sure the router can ping the TACACS+ server.


7. I used the following configuration on router R1:

!ENABLE AAA
aaa new-model
!
!CREATE THE METHODS OF THE AAA MODEL
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
!
!CREATE BACKUP USER TO USE IN CASE NO CONNECTIVITY TO TACACS+ SERVER
username myadmin privilege 15 secret cisco@631
!
!SPECIFY THE ADDRESS OF THE TACACS SERVER AND THE SHARED KEY (SHOULD BE THE SAME KEY CONFIGURED IN TAC_PLUS.CONF FILE)
tacacs-server host 10.0.0.11 key 0 mykey
!
!ASSIGN THE AAA MODEL "DEFAULT" TO CONNECTION LINES
line console 0
login authentication default
exit
line vty 0 15
login authentication default
exit

8. Optionally, you can enable debugging for AAA activity by using the below commands in privileged mode:
debug aaa authentication
debug aaa authorization
debug aaa accounting

9. All done, give it a try. On a successful connection to the TACACS+ server you will see the prompt that we configured in the tac_plus.conf file.


10. Open "/var/log/tac.acct" to have a look at the accounting log. Below is a sample file from my experiment.


Enjoy.