TACACS+ (Terminal Access Controller Access-Control System Plus) is commonly used to authenticate network devices like routers and switches using a central server. Instead of using the local database on a router or switch, we can use the credentials that are stored on the TACACS+ server. Whenever you try to log onto a network device, the credentials that you supply will be forwarded to the TACACS+ server. Besides authentication, TACACS+ also allows us to configure authorization and accounting. Authorization lets us define what commands a user is able to use on the router or switch, and accounting lets us log whatever commands the user is typing.
We need to install the necessary packages on CentOS 7:
yum update
yum -y install gcc
yum -y install perl-LDAP
yum -y install bind-utils
yum -y install telnet.x86_64
yum -y install atop iotop nload iftop htop
yum -y install perl-IO-Socket-SSL
yum -y install pam-devel
yum -y install ld-linux.so.2
yum -y install wget
We need to configure wget to use the proxy:
root@cos-tacacs-pa:~ vim /etc/wgetrc
# You can set the default proxies for Wget to use for http, https, and ftp.
# They will override the value in the environment.
https_proxy = https://proxy.XXXX.lan:9876/
http_proxy = http://proxy.XXXX.lan:9876/
ftp_proxy = http://proxy.XXXX.lan:9876/
The Active Directory IP addresses need to be configured as nameservers:
root@cos-tacacs-pa:~ cat /etc/resolv.conf
search domain.lan
nameserver 192.168.0.49 # DC3
nameserver 192.168.0.50 # DC4
nameserver 10.106.1.7 # dc1-cluj
Some folders need to be created manually before starting the installation:
mkdir /root/tacacs
mkdir -p /var/log/tac_plus/access
mkdir /var/log/tac_plus/acct
Change the folder permissions:
chmod 760 -R /var/log/tac_plus/
Now we can download and extract the source code, then compile the application:
cd /root/tacacs
wget http://www.pro-bono-publico.de/projects/src/DEVEL.201407301604.tar.bz2
tar jxf DEVEL.201407301604.tar.bz2
cd PROJECTS/
./configure
echo $? # must return 0
make
echo $? # must return 0
make install
echo $? # must return 0
The configuration file needs to be copied to the right folder:
cp /root/tacacs/PROJECTS/tac_plus/extra/tac_plus.cfg-ads /usr/local/etc/tac_plus.cfg
cp /root/tacacs/PROJECTS/tac_plus/extra/tac_plus.cfg-ads /usr/local/etc/tac_plus.cfg.sample # keep a sample just in case
We add the application to the startup services so it starts automatically on reboot:
cp /root/tacacs/PROJECTS/tac_plus/extra/etc_init.d_tac_plus /etc/init.d/tac_plus
chmod 755 /etc/init.d/tac_plus
chkconfig --add tac_plus
chkconfig --levels 2345 tac_plus on
The firewall and SELinux need to be deactivated:
systemctl disable firewalld
vim /etc/selinux/config
SELINUX=disabled
Change the configuration file to the following:
#!/usr/local/sbin/tac_plus
id = spawnd {
    listen = { port = 49 }
    spawn = {
        instances min = 1
        instances max = 10
    }
    background = yes
}
id = tac_plus {
    access log = /var/log/tac_plus/access/%Y%m%d.log
    accounting log = /var/log/tac_plus/acct/%Y%m%d.log
    mavis module = external {
        setenv LDAP_SERVER_TYPE = "microsoft"
        setenv LDAP_HOSTS = "dc3:3268 dc4:3268 dc1-ny:3268"
        setenv LDAP_BASE = "dc=domain,dc=lan"
        setenv LDAP_USER = "tacacs@domain.lan"
        setenv LDAP_PASSWD = "(User AD PWD)"
        setenv REQUIRE_TACACS_GROUP_PREFIX = 1
        setenv FLAG_USE_MEMBEROF = 1
        exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
    }
    login backend = mavis
    user backend = mavis
    #pap backend = mavis
    host = world {
        address = ::/0
        prompt = "Welcome to domain Network\n"
        enable 15 = clear secret
        key = (secret key between tacacs+ and cisco)
    }
    group = admin {
        message = "[Admin Privileges]"
        default service = permit
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 15
        }
    }
    group = user {
        message = "[User privileges]"
        default service = permit
        enable = deny
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 1
        }
    }
}
ATTENTION: Active Directory
In Active Directory it is necessary to create 2 groups (following our config): tacacsadmin and tacacsuser.
tac_plus strips the "tacacs" prefix from the group name found in AD, converts the remaining characters to uppercase, and matches the result against the group in the config.
Thus tacacsadmin resolves to ADMIN and tacacsuser matches USER (this behaviour can be changed by playing with the AD_GROUP_PREFIX and REQUIRE_TACACS_GROUP_PREFIX attributes in the config).
Groups are specified in the config in capital letters deliberately, not by accident!
We add the users to the created groups.
To check the configuration file:
/usr/local/sbin/tac_plus -P /usr/local/etc/tac_plus.cfg # parse-only check of the configuration file (if everything is OK, nothing is printed)
Start the service:
service tac_plus start
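Once the daemon is running, the check a practitioner wants is a real TACACS+ login against it, not just a parsed config. The following is an added example, not code from this page or from the tac_plus project: a minimal ASCII-login client following RFC 8907 that runs the START / GETPASS / CONTINUE / PASS exchange with the server, using the shared secret from the `key = ...` line of the `host = world` block. The host, key, username and password are values you supply; `tty0` and `127.0.0.1` are assumed placeholders for the port and remote-address fields.

```python
import hashlib, os, socket, struct

VERSION, AUTHEN = 0xC0, 0x01  # version byte (major 0xc, minor 0 = ASCII login), header type

def obfuscate(body, session_id, key, version, seq_no):
    # RFC 8907 sec. 4.5 pad: MD5(session_id|key|version|seq_no|previous digest), chained;
    # the body is XORed with it, so applying this twice restores the original body.
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))
def pack(seq_no, session_id, body, key):
    # 12-byte header: version, type, seq_no, flags (0 = body obfuscated), session_id, length
    hdr = struct.pack("!BBBBII", VERSION, AUTHEN, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, VERSION, seq_no)
def authen_start(user, port="tty0", rem_addr="127.0.0.1"):
    # START body: action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), service=LOGIN(1), 4 lengths
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return struct.pack("!8B", 1, 1, 1, 1, len(u), len(p), len(r), 0) + u + p + r
def authen_continue(password):
    # CONTINUE body: user_msg_len, data_len, flags, user_msg (the password answering GETPASS)
    pw = password.encode()
    return struct.pack("!HHB", len(pw), 0, 0) + pw
def parse_reply(packet, key):
    # REPLY body: status, flags, server_msg_len, data_len, server_msg, data
    version, _, seq_no, _, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = obfuscate(packet[12:12 + length], session_id, key, version, seq_no)
    status, _, msg_len, _ = struct.unpack("!BBHH", body[:6])
    return status, body[6:6 + msg_len].decode(errors="replace")
def recv_packet(sock):
    # Read the 12-byte header, then exactly `length` body bytes (recv may return partial data)
    buf = b""
    while len(buf) < 12 or len(buf) < 12 + struct.unpack("!I", buf[8:12])[0]:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf
def ascii_login(host, key, user, password, port=49):
    # Client sends seq 1 (START) and 3 (CONTINUE); the server answers seq 2 and 4 with REPLY
    sid = int.from_bytes(os.urandom(4), "big")
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(pack(1, sid, authen_start(user), key))
        status, _ = parse_reply(recv_packet(s), key)
        if status == 5:  # GETPASS: the server wants the password
            s.sendall(pack(3, sid, authen_continue(password), key))
            status, _ = parse_reply(recv_packet(s), key)
    return status == 1  # PASS; 2 = FAIL, 7 = ERROR
```

Running `ascii_login("127.0.0.1", b"<key>", "<ad user>", "<ad password>")` on the server itself exercises the MAVIS/LDAP path before any router or switch is pointed at it, and the attempt shows up in the access log under /var/log/tac_plus/access/.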