Linux Client To Authenticate using TACACS I have customer who controls access to the internet via TACACS server, basically a PIX firewall uses authentication from the TACACS to say if traffic is allowed to pass out of the gateway. In today's open source roundup: A redditor wants to know why open source software is more secure. Plus: Mozilla releases Firefox 41. And Fedora 23 beta released.
2 days ago Linux Foundation debuts new, secure, open source cloud native access management software platform by N.F. Mendoza in Software on December 8, 2020, 8:00 AM PST. 22/tcp open ssh 49/tcp open tacacs. Nmap done: 1 IP address (1 host up) scann ed in 0.10 second. Now we need to open the firewall for tacplus port. # vim /etc/sysconfig/iptables-A INPUT -p tcp -m state –state NEW -m tcp –dport 49 -j ACCEPT # systemctl restart iptables # iptables -L -v -n.
TACACS+ (Terminal Access Controller Access-Control System Plus) is commonly used to authenticate network devices like routers and switches using a central server. Instead of using the local database on a router or switch, we can use the credentials that are stored on the TACACS+ server. Whenever you try to log onto a network device, the credentials that you supply will be forwarded to the TACACS+ server. Besides authentication, TACACS+ also allows us to configure authorization and accounting. Authorization lets us define what commands a user is able to use on the router or switch, and accounting lets us log whatever commands the user is typing.
Tac_plus is a TACACS+ daemon for Linux, It's based on the original Cisco source code and works with a simple configuration file.
Installation on CentOS:
In the example below I will show you how to install tac_plus on a CentOS server. There's a RPM available so this will save you the hassle of compiling the source code yourself. Let's add the repository first:
We will create a new repository file where we can grab tac_plus. This is what you should enter:
Save the file and install tac_plus with the following command:
That's all you need to do. All configuration is done from a single config file. Let's take a look at its contents:
You will see a lot of things in this default configuration file. Let me walk you through some of the fields. The first thing you see is a key, we need to configure this on the TACACS+ server and on each network device that you want to control with the TACACS+ server.
By default there is no key:
Change it to something else and get rid of the #:
I'll call my key 'MYKEY'. The second part is an ACL:
The ACL uses regular expressions so you can configure what IP addresses or networks are allowed to use the TACACS+ server. By default it only permits IP address 192.168.2.1.
The next part are host-specific parameters:
Open Source Tacacs+ Linux Distro
Here you can configure the IP address of the network device that you want to control and the prompt that it should show the user when he/she tries to log into the network device. You can also set the enable password if you want.
Next we will see some group specific parameters:
By default there's a group called admin and login is set to PAM. This means we will use the user database of the linux machine. The admin group is also susceptible to the default ACL. If you also use authorization you can configure the commands that the admin groups is allowed to use. Let's take a look at the next group:
Save the file and install tac_plus with the following command:
That's all you need to do. All configuration is done from a single config file. Let's take a look at its contents:
You will see a lot of things in this default configuration file. Let me walk you through some of the fields. The first thing you see is a key, we need to configure this on the TACACS+ server and on each network device that you want to control with the TACACS+ server.
By default there is no key:
Change it to something else and get rid of the #:
I'll call my key 'MYKEY'. The second part is an ACL:
The ACL uses regular expressions so you can configure what IP addresses or networks are allowed to use the TACACS+ server. By default it only permits IP address 192.168.2.1.
The next part are host-specific parameters:
Open Source Tacacs+ Linux Distro
Here you can configure the IP address of the network device that you want to control and the prompt that it should show the user when he/she tries to log into the network device. You can also set the enable password if you want.
Next we will see some group specific parameters:
By default there's a group called admin and login is set to PAM. This means we will use the user database of the linux machine. The admin group is also susceptible to the default ACL. If you also use authorization you can configure the commands that the admin groups is allowed to use. Let's take a look at the next group:
Open Source Tacacs+ Linux Command
The sysadmin group is similar to the admin group. You can see a number of commands that they are allowed to use (if you use authorization).
Below the group configuration you'll find a couple of default users:
User Joe is a member of the admin group and Fred belongs to the sysadmin group. Keep in mind we still need to create these users…
There's also a part for RANCID. If you have no idea what this is, RANCID is software that can monitor network devices and check if their configuration was changed, check the routing table, log changes, run commands to extract certain information, e-mail reports and more.
Last but not least there's a global enable password that we can use:
Now you have an idea what the tac_plus configuration looks like, let's create a user and test if authentication is working.
TACACS+ test with Cisco IOS router
We'll create a user called 'Joe' on the linux machine and configure a Cisco IOS router to use the TACACS+ server:
Don't forget to start the daemon:
Open Source Tacacs+ Linux Operating System
If you want to enable it on startup you can use chkconfig:
Now let's boot a Cisco router and configure it to use TACACS+ :
First you need to use the aaa new-model command otherwise many of the commands are unavailable. We'll tell the router to use TACACS+ for authentication but if the server is unavailable the router will use local authentication. I also configure the same key that I used in the configuration file of tac_plus.
Let's give it a test drive shall we…
Open Source Tacacs+ Linux Vm
Above you can see that the router displays the prompt that was configured in the tac_plus.conf file. After logging in with username joe and the password we have access to the router…mission accomplished! Hopefully this helps you to get started with TACACS+. If you have any questions please leave a comment!