Saturday, January 10, 2015

TACACS+ server on CentOS

1. Log on with the "root" user account and install TACACS+ from the rpm file below:



2. Edit the TACACS+ configuration in "/etc/tac_plus.conf". Open the file with any text editor, gedit for example.


Sample tac_plus.conf content:
################################################
# A. Pre-shared key
key = "mykey"

# B. Location for the accounting log file
accounting file = /var/log/tac.acct

# C. List of network devices permitted to reach the TACACS+ server (the ACL is optional and you can have multiple ACLs)
acl = default {
#permit = 192\.168\.0\.
permit = 10\.0\.0\.1
}
# 4. Host-specific configuration (recommended for each network device: the prompt, when it appears, proves that the connection to the TACACS+ server is established, and you can also set an enable password for the device):
host = 10.0.0.1 {
prompt = "Enter your Unix username and password, Username: "
# Enable password for the router, generate a new one with tac_pwd
#enable = des 4P8MBRmulyloo
}

# D. Create a group and specify the privilege level, authorized commands and more (you can create multiple groups) 
group = admin {

# Enable this to authenticate against the users created on CentOS (you still need to create the user in tac_plus.conf; the advantage is that you do not need to update the password in tac_plus.conf every time the user changes it)
#login = PAM

# Group members who have no expiry date set will use this one
#expires = "Jan 1 1997"

# Only allow access to specific routers
acl = default

# Set privilege level
service = exec {
priv-lvl = 15
#default service = permit
}

# set authorized commands 
cmd = username {
permit .*
}
cmd = enable {
permit .*
}
cmd = show {
permit .*
}
cmd = exit {
permit .*
}
cmd = configure {
permit .*
}
cmd = interface {
# this will permit all FastEthernet interfaces
#permit FastEthernet.*

# this will permit all GigabitEthernet interfaces
#permit GigabitEthernet.*

# this will permit all interfaces
permit .*
}
cmd = switchport {
#permit "access vlan.*"

#permit "trunk encapsulation.*"

#permit "mode.*"

#permit "trunk allowed vlan.*"
permit .*
}
cmd = description {
permit .*
}
cmd = no {
permit shutdown
}

}

# E. Create a user and specify the group the user belongs to and the user's password
user = aburadwan {
login = cleartext cisco@541
# Enable if the user is created on CentOS (don't forget to comment out the previous line if enabled)
#login = PAM
member = admin
}

# F. The global enable password (optional)

#user = $enab15$ {

        #login = des 97cZOIgSXU/4I

#}
################################################
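To make the effect of the "cmd" blocks above concrete, here is a small Python model of tac_plus command authorization, added as an illustration and not part of the original post or of tac_plus itself. The sample rules are constructed from the admin group above (with the interface rule narrowed to FastEthernet so a denied command is visible), and anchoring each regex at the start of the command arguments is an assumption of this model.

```python
import re

# Constructed sample (assumption): the cmd rules of the "admin" group from the
# tac_plus.conf above, with the interface rule narrowed to FastEthernet so that
# a denied case is visible.
SAMPLE_RULES = """
cmd = show {
    permit .*
}
cmd = interface {
    permit FastEthernet.*
}
cmd = no {
    permit shutdown
}
"""

CMD_BLOCK = re.compile(r'cmd\s*=\s*(\S+)\s*\{(.*?)\}', re.S)
RULE_LINE = re.compile(r'^\s*(permit|deny)\s+"?(.*?)"?\s*$')

def parse_cmd_rules(text):
    """Return {command: [(action, compiled_regex), ...]} in file order.
    Only the cmd = NAME { permit|deny REGEX } grammar is handled here."""
    rules = {}
    for name, body in CMD_BLOCK.findall(text):
        entries = []
        for line in body.splitlines():
            line = line.split('#', 1)[0]          # drop trailing comments
            m = RULE_LINE.match(line)
            if m:
                entries.append((m.group(1), re.compile(m.group(2))))
        rules[name] = entries
    return rules

def authorize(rules, cmdline, default_permit=False):
    """Model of tac_plus command authorization: the first word selects the
    cmd block, the rest of the line is matched against that block's regexes
    in order, first match wins; a command with no cmd block falls back to the
    group default (deny unless `default service = permit` is set)."""
    parts = cmdline.split(None, 1) or ['']
    cmd, args = parts[0], (parts[1] if len(parts) > 1 else '')
    if cmd not in rules:
        return default_permit
    for action, rx in rules[cmd]:
        if rx.match(args):                         # anchored at start (assumption)
            return action == 'permit'
    return False                                   # no rule matched: deny
```

With these rules "no shutdown" is permitted but "no ip route ..." is not, which is the kind of check worth running before trusting a group definition on a production device.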

3. To create a user on CentOS, open a terminal and type:
adduser xxx
passwd xxx
where "xxx" is the user's name

4. Open TCP port 49 on the CentOS firewall


- Open port 49 on all zones (after a successful connection to the TACACS+ server you can then decide which zone will allow incoming connections on port 49)
- Make sure that you select "Permanent" at the top so you don't need to open the port again every time you restart CentOS.


5. Start the TACACS+ service by typing the below command in the terminal:
service tac_plus start
Note 1: if you get an error after typing the above command, there is an error in the tac_plus.conf file, usually a syntax error; correct it and start the service again.
Note 2: you need to restart the TACACS+ service every time you make a change to the tac_plus.conf file. Restart the service using the below command:
service tac_plus restart
Note 3: to enable TACACS+ service on startup use the below commands:
chkconfig --add tac_plus
chkconfig tac_plus on


6. Below is my experimental topology. Make sure the router can ping the TACACS+ server.


7. I used the following configuration on router R1:

!ENABLE AAA
aaa new-model
!
!CREATE THE METHODS OF THE AAA MODEL
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
!
!CREATE BACKUP USER TO USE IN CASE NO CONNECTIVITY TO TACACS+ SERVER
username myadmin privilege 15 secret cisco@631
!
!SPECIFY THE ADDRESS OF THE TACACS SERVER AND THE SHARED KEY (SHOULD BE THE SAME KEY CONFIGURED IN TAC_PLUS.CONF FILE)
tacacs-server host 10.0.0.11 key 0 mykey
!
!ASSIGN THE AAA MODEL "DEFAULT" TO CONNECTION LINES
line console 0
login authentication default
exit
line vty 0 15
login authentication default
exit

8. Optionally, you can enable debugging for AAA activity with the below commands in privileged mode:
debug aaa authentication
debug aaa authorization
debug aaa accounting

9. All done, give it a try. On a successful connection to the TACACS+ server you will see the prompt that we configured in the tac_plus.conf file.


10. Open the file "/var/log/tac.acct" to have a look at the accounting log. Below is a sample from my experiment.


Enjoy.

3 comments:

  1. I followed all the above steps but still tac is not working, also there is no file in var log

    please help

  2. Salam Shiraz,
    Please check first that there is connectivity with the TACACS server, then make sure that port 49 TCP is open; also make sure that you edited tac_plus.conf with the appropriate info, such as the permitted network (in my case 10.0.0.0) and the permitted user (in my case the username is "aburadwan"). Finally, check that the service doesn't give you any error when you start it.

    Please revert back if you still can't get it to work, I'll be glad to help you.

  3. I am trying to use this for WLC, and it requires the following:
    attribute - "role1"
    requirement - "Mandatory"
    Value - "ALL"
