Installation & Setup of Free Tacacs+ server in Linux
(Tested via GNS3 & VirtualBox)
Software Used:
GNS3 0.8.3.1
-use 3700 IOS as Router & DHCP
-use Ethernet switch to connect hosts
-use VirtualBox guest running on Ubuntu Linux server 12.04.2 LTS
http://shrubbery.net/tac_plus/
ftp://ftp.shrubbery.net/pub/tac_plus
Installation:
1.Login as root and install dependencies such as tcp wrappers and compilation tools e.g. gcc, bison, flex, make
If you’re not sure if these packages are installed, you can use the command:
dpkg -s [packagename]
Sample:
root@freelinux:~# dpkg -s gcc bison flex
Package `gcc’ is not installed and no info is available.
Package `bison’ is not installed and no info is available.
Package `flex’ is not installed and no info is available.
To install:
root@freelinux:~# apt-get install gcc make flex \
bison libwrap0-dev
2. Download the tacacs+ package on ftp://ftp.shrubbery.net/pub/tac_plus/. It’s good to read additional information or changes on http://shrubbery.net/tac_plus/.
Latest version as of this writing is tacacs+-F4.0.4.26
root@freelinux:~# wget \
ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F4.0.4.26.tar.gz
3. uncompress the tarball file
root@ubuntu:~# tar zxvf tacacs+-F4.0.4.26.tar.gz
4. Build
check the INSTALL file first to see the installation guide
root@ubuntu:~/tacacs+-F4.0.4.26# less INSTALL
root@ubuntu:~/tacacs+-F4.0.4.26# ./configure
If you missed installing those dependecies, you will receive messages something like this:
configure: error: Could not find libwrap. You must first install tcp_wrappers.
So to resolve this, install the necessary packages.
# apt-get install libwrap0-dev
Libraries have been installed in:
/usr/local/lib
If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR’
flag during linking and do at least one of the following:
– add LIBDIR to the `LD_LIBRARY_PATH’ environment variable
during execution
– add LIBDIR to the `LD_RUN_PATH’ environment variable
during linking
– use the `-Wl,-rpath -Wl,LIBDIR’ linker flag
– have your system administrator add LIBDIR to `/etc/ld.so.conf’
See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
Configuration:
1. After extracting the files, default directory would be /usr/local/bin/
root@ubuntu:~/tacacs+-F4.0.4.26# ls /usr/local/bin/tac*
/usr/local/bin/tac_plus /usr/local/bin/tac_pwd
$man tac_plus
$man tac_pwd
So basically,
tac_plus – tacacs plus daemon
tac_pwd – generate DES or MD5 encryption of a password
3. use tac_pwd to encrypt clear text passwords to make it more secure
e.g.
We want to use “password” to login the username freelinux and “enablepass” to go privilege mode
# /usr/local/bin/tac_pwd
Password to be encrypted: password
VUjB99kC2IGws# /usr/local/bin/tac_pwd
Password to be encrypted: enablepass
HD.Hw0OHKmO/c
4. Setup config files
a.create tacacs directory under /etc
5. create the tac_plus.conf file
tac_plus.conf setup:
i. set the key
#tacacs key
key = “tackey”
ii. set the user accounts
#user details
#admin freelinuxtutorials@gmail.com
user = freelinux {
default service = permit
member = admingroup
login = des VUjB99kC2IGws
}
iii. set the group details
#group details
# admin group
group = admingroup {
default service = permit
service = exec {
priv-lvl = 15
}
}
iv. set enable password
#Enable password setup for users:
user = $enable$ {
login = des HD.Hw0OHKmO/c
}
Note: This is how it looks like, get it here
v. set the location of the accounting file
accounting file = /var/log/tacacs/tac_plus.log
6. change permission
#chmod 600 /etc/tacacs/tac_plus.conf
Note: If along the way, if you encoutered such as below, then you need to create necessary links using ldconfig
tac_plus: error while loading shared libraries: libtacacs.so.1:
cannot open shared object file: No such file or directory
# vi /etc/ld.so.conf
add /usr/local/lib under /etc/ld.so.conf
root@freelinux#ldconfig
7. Run the tacacs service
# /etc/init.d/tac_plus start
Starting Tacacs+ server: tac_plus.
this tac_plus file, contents can be downloaded here
8. check if process running
root@freelinux:/etc/tacacs# netstat -na | grep 49
tcp 0 0 0.0.0.0:49 0.0.0.0:* LISTEN
——————–
Sample Cisco configuration
Configuring Cisco:
Cisco>en
Cisco#conf t
Cisco#service password-encryption
Cisco#tacacs-server host 192.168.56.10
Cisco#tacacs-server directed-request
Cisco#tacacs-server key tackeyCisco#aaa new-model
Cisco#aaa authentication login default group tacacs+ local
Cisco#aaa authentication enable default group tacacs+ enable
Cisco#aaa authorization commands 1 default group tacacs+ local
Cisco#aaa authorization commands 15 default group tacacs+ local
Cisco#aaa accounting commands 0 default start-stop group tacacs+
Cisco#aaa accounting commands 1 default start-stop group tacacs+
Cisco#aaa accounting commands 7 default start-stop group tacacs+
Cisco#aaa accounting commands 15 default start-stop group tacacs+
Cisco#aaa accounting network 15 start-stop group tacacs+
Cisco#aaa accounting connection 15 start-stop group tacacs+
I will not go deeper into client configuration as it differs on devices and softwares by different vendors. Anyway, what has shown here is just the basic tacacs config that is proven working. Go try explore further the advance tacacs configuration. Enjoy!
This tutorial imho would be very useful, if only the link to http://ftp.shrubbery.net would work. When I google tac_plus, every site references the shrubbery.net ftp site; however, it does not work. At best I get a time out.
@Jasper,
You can try downloading the tac_plus tarball file using FTP client if does not work using your browser.
Latest version as of this moment is tacacs+-F5.0.0a1.tar.gz
ftp://ftp.shrubbery.net/pub/tac_plus
ftp link not working
There might be realized an authentication delegated on another server tacacs if a user was not finding in the list.
Hi, There,
I found interesting project – tacacsGUI. It is self-hosted front-end UI for tac_plus configuration. My installation was easy, try it. Plus it has some advantages like Backup Maker for auto backup, Subnet searcher for subnets collection etc. Good luck!
Hello admin !! I read your blog everyday and i must say you have very interesting content here.
Your website deserves to go viral. You need initial traffic only.
How to go viral fast? Search for: forbesden’s tools
Mingle this shirt (Abercrombie & Fitch Flip Flops )and puff ensemble with a bleak course, someone,
shoes, and a palm and. The Jordan Brazil Pack will drop June 21 for a suggested retail price of $500.
So, it was on to the thrift shops where I did find a decent pair of new shorts just
in my size only when I got home it turned out they were my size in youth, not adult,
even though they were in the adult section.
Hi
I’m having problems in setting up a banner, i tried may configurations :
host = *.*.*.* {
# welcome banner = “\nTACACS+ Login\n”
# prompt = “TACACS+ Login: ”
}
with no success
Any hints?
Thanks a lot
Antonello
can elaborate what are u trying to achieve? can share your aaa configuration on the client device?
Hi
Our problem is to configure a banner that can be displayed when connecting to cisco routers or switches.
When i tried to set the banner with the following options in tacacs configuration file :
“host = *.*.*.* {
welcome banner = “\nTACACS+ Login\n”
}
or
host = *.*.*.* {
# prompt = “TACACS+ Login: ”
}
tacacs daemon refuses to start .
I was looking for a valid configuration , that’s it
Antonello
What a data of un-ambiguity and preserveness of precious knowledge on the topic of unexpected emotions.