TACACS+ Server using tac_plus

From Wikipedia, the free encyclopedia:

''In computer networking, TACACS+ (Terminal Access Controller Access-Control System Plus) is a Cisco Systems proprietary protocol which provides access control for routers, network access servers and other networked computing devices via one or more centralized servers. TACACS+ provides separate authentication, authorization and accounting services.''

TACACS+ is a protocol for AAA services (Authentication, Authorization, Accounting), similar in purpose to RADIUS but carried over TCP (port 49) with the three functions separated. In RADIUS and TACACS+ terminology the network device that sends requests to the AAA server (a router, switch or VPN concentrator) is called the NAS (Network Access Server), not to be confused with NAS as in Network Attached Storage.

About
This document describes how to install and configure the most recent version of tac_plus provided by Shrubbery Networks.

This installation howto uses tac_plus-4.0.4.19 as reference. General configuration and troubleshooting tips should also apply to the older tac_plus versions available in Portage (tac_plus-4.0.4.14, tac_plus-4.0.4.15).

Installation
Emerge tac_plus with USE flag enabled.

Configuration
Shrubbery tac_plus lacks good documentation. The configuration file (/etc/tac_plus/tac_plus.conf) is split into three main sections:

 * acl
 * group
 * user

Keep the sections in this order (acl, then group, then user) in the configuration file; the order matters because later entries refer to the earlier ones. Further configuration tips can be found in the tac_plus FAQ.

tac_plus can authenticate users in several ways:
 * against the local passwd/shadow file (login = file)
 * against an LDAP server via PAM (login = PAM, requires tac_plus built with PAM support)
 * against a password stored in tac_plus.conf itself (login = des or login = cleartext)

Example user authentication configuration:

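The following tac_plus.conf is an added example, not taken from the original page or from the tac_plus distribution. It keeps the three sections in the order above and shows the three authentication methods side by side. The acl, group and user names (mgmt_only, netadmins, netops, alice, bob, carol), the management network, the accounting file path and the PLACEHOLDER_HASH values are constructed placeholders; the key is the one used in the Cisco example below.

```text
# /etc/tac_plus/tac_plus.conf  (added example; names and values are placeholders)

# Shared secret; must match the "key" configured on every network device
key = "123-my_tacacs_key"

# Accounting records (exec start/stop, commands) are written here
accounting file = /var/log/tac_plus.acct

# 1. acl: regular expressions matched against the NAS address a request comes from
acl = mgmt_only {
    permit = ^192\.168\.255\.
    deny = .*
}

# 2. group: authorization profile shared by several users
group = netadmins {
    acl = mgmt_only
    default service = permit          # anything not listed is allowed
    service = exec {
        priv-lvl = 15                 # land directly in enable mode
    }
}

group = netops {
    acl = mgmt_only
    default service = deny            # only the commands listed below
    service = exec {
        priv-lvl = 1
    }
    cmd = show { permit .* }
    cmd = exit { permit .* }
}

# 3. user: one entry per account; each uses a different authentication backend

# a) password checked against the local shadow file (crypt(3) hashes);
#    the daemon must be able to read the file
user = alice {
    member = netadmins
    login = file /etc/shadow
}

# b) password checked through PAM, e.g. pam_ldap for an LDAP directory;
#    requires tac_plus built with PAM support
user = bob {
    member = netops
    login = PAM
}

# c) password hash stored in tac_plus.conf itself; create the hash with tac_pwd
user = carol {
    member = netops
    login = des PLACEHOLDER_HASH
}

# password for "enable" at privilege level 15 (hash created with tac_pwd as well)
user = $enab15$ {
    login = des PLACEHOLDER_HASH
}
```

The file contains the shared secret, so it should be readable by root only. Check the syntax before (re)starting the daemon with tac_plus -P -C /etc/tac_plus/tac_plus.conf, which parses the file and exits; a typo such as an unknown keyword is reported with its line number instead of surfacing as a failed start in syslog.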

Network equipment configuration
TACACS+ is supported on a wide variety of network equipment. The following vendors implement TACACS+ in their products:


 * Cisco (IOS, CatOS)
 * Juniper (ScreenOS, JUNOS)
 * Huawei
 * HP
 * OneAccess

Below is a basic AAA (Authentication, Authorization, Accounting) configuration for a Cisco IOS device. Note that the login and exec authorization lines fall back to the local user database (local) when the TACACS+ server is unreachable, while the enable line has no fallback; add one (for example the locally configured enable secret) if you must be able to reach enable mode when the server is down.


 * For tacacs-server host, use the IP address of the host where the tac_plus daemon is running
 * For key, use the key configured in tac_plus.conf (the key statement); the two must match exactly

!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+
aaa authorization exec default group tacacs+ local
!
tacacs-server host 192.168.255.254 key 123-my_tacacs_key
!
line con 0
 login authentication default
!
line vty 0 15
 login authentication default
!

Final configuration steps
Start the tac_plus daemon:

Add tac_plus to the default runlevel:

Verify tac_plus is running:

root     8123     1  0 21:29 ? 00:00:00 /usr/bin/tac_plus -C /etc/tac_plus/tac_plus.conf

Troubleshooting
Check whether tac_plus is listening on TCP port 49, the TACACS+ port. By default the daemon listens on all local interfaces (0.0.0.0):

tcp       0      0 0.0.0.0:49              0.0.0.0:*               LISTEN      0          27930913   8455/tac_plus

Since the shared key is the only thing protecting the exchange, restrict access to port 49 to the management network (host firewall or a dedicated management interface) rather than leaving it reachable from everywhere.

If the daemon fails to start, look for configuration errors in the system log; tac_plus logs via syslog. Possible output:

2011-04-09T21:26:28.847493+02:00 server tac_plus[7749]: Reading config
2011-04-09T21:26:28.847605+02:00 server tac_plus[7749]: Error Unrecognised keyword default for user on line 51
2011-04-09T21:26:28.851096+02:00 server /etc/init.d/tac_plus[7738]: ERROR: tac_plus failed to start

Check the TACACS+ communication between the server and a network device by running tcpdump on the TACACS+ server (TCP port 49).

Example output for a successful user login on a switch (host names resolved by tcpdump):

22:53:01.692185 IP switch.11384 > server.tacacs: S 2173305858:2173305858(0) win 4128
22:53:01.692221 IP server.tacacs > switch.11384: S 4283961231:4283961231(0) ack 2173305859 win 5840
22:53:01.693690 IP switch.11384 > server.tacacs: . ack 1 win 4128
22:53:01.793233 IP switch.11384 > server.tacacs: P 1:43(42) ack 1 win 4128
22:53:01.793282 IP server.tacacs > switch.11384: . ack 43 win 5840
22:53:01.808601 IP server.tacacs > switch.11384: P 1:29(28) ack 43 win 5840
22:53:01.993368 IP switch.11384 > server.tacacs: P 43:68(25) ack 29 win 4100
22:53:02.002160 IP server.tacacs > switch.11384: P 29:47(18) ack 68 win 5840
22:53:02.002187 IP server.tacacs > switch.11384: F 47:47(0) ack 68 win 5840
22:53:02.004152 IP switch.11384 > server.tacacs: . ack 48 win 4082
22:53:02.096209 IP switch.11384 > server.tacacs: FP 68:68(0) ack 48 win 4082
22:53:02.096231 IP server.tacacs > switch.11384: . ack 69 win 5840
22:53:02.123615 IP switch.11385 > server.tacacs: S 4146347262:4146347262(0) win 4128
22:53:02.123641 IP server.tacacs > switch.11385: S 4294861878:4294861878(0) ack 4146347263 win 5840
22:53:02.127410 IP switch.11385 > server.tacacs: . ack 1 win 4128
22:53:02.229706 IP switch.11385 > server.tacacs: P 1:62(61) ack 1 win 4128
22:53:02.229751 IP server.tacacs > switch.11385: . ack 62 win 5840
22:53:02.229890 IP server.tacacs > switch.11385: P 1:52(51) ack 62 win 5840
22:53:02.229923 IP server.tacacs > switch.11385: F 52:52(0) ack 62 win 5840
22:53:02.232297 IP switch.11385 > server.tacacs: . ack 53 win 4077
22:53:02.330097 IP switch.11385 > server.tacacs: FP 62:62(0) ack 53 win 4077
22:53:02.330118 IP server.tacacs > switch.11385: . ack 63 win 5840
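The capture shows two short TCP connections: one with four data segments (42, 28, 25 and 18 payload bytes) and one with two (61 and 51 bytes), which is consistent with an authentication session followed by a separate exec authorization session as configured on the switch above. tcpdump cannot show more than sizes because TACACS+ bodies are obfuscated with a keystream derived from the shared key (RFC 8907 section 4.5): MD5 over session id, key, version and sequence number, chained and XORed over the body. The following Python script is an added example, not code from tac_plus or from the original page. It builds the four packets of an ASCII login the way a NAS and server would, and shows what a party with the right key, the wrong key, or the TAC_PLUS_UNENCRYPTED_FLAG set gets to read. The user admin, password s3cret, port tty1, NAS address 192.168.255.10 and session id are constructed sample values; the key is the one from the Cisco example above.

```python
"""TACACS+ ASCII login exchange with the shared-key body obfuscation (RFC 8907).

Added example, not tac_plus code. Builds the packets a NAS and a TACACS+ server
exchange for a successful login, obfuscates the bodies with the MD5 pseudo-pad
keyed with the shared secret (RFC 8907 section 4.5) and shows what a capture
without the key can and cannot see. User, password, port and NAS address are
constructed sample values; the key is the one from the IOS example on this page.
"""
import hashlib
import struct

VERSION = 0xC0                 # major version 0xc, minor version 0
TYPE_AUTHEN = 1                # header type field; 2 = authorization, 3 = accounting
FLAG_UNENCRYPTED = 0x01        # body sent in cleartext (debugging only, never in production)
HEADER_LEN = 12

# Authentication START / REPLY / CONTINUE field values (RFC 8907 section 5)
AUTHEN_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 1, 1, 1, 1
STATUS_PASS, STATUS_FAIL, STATUS_GETPASS = 1, 2, 5


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream: MD5_1 = MD5(session_id|key|version|seq_no), MD5_n = MD5(...|MD5_n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key, flags=0):
    """12-byte header plus body; the body is obfuscated unless FLAG_UNENCRYPTED is set."""
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, VERSION, seq_no)
    return struct.pack("!BBBBII", VERSION, ptype, seq_no, flags, session_id, len(body)) + body


def parse_packet(packet, key):
    """Recover header fields and body. There is no MAC: a wrong key yields garbage, not an error."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"type": ptype, "seq_no": seq_no, "flags": flags, "session_id": session_id, "body": body}


def authen_start_body(user, port, rem_addr, data=b""):
    """START: action, priv_lvl, authen_type, service, four length bytes, then the strings."""
    fields = [user.encode(), port.encode(), rem_addr.encode(), data]
    fixed = struct.pack("!8B", AUTHEN_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                        *(len(f) for f in fields))
    return fixed + b"".join(fields)


def authen_reply_body(status, server_msg=b"", data=b""):
    """REPLY: status, flags, server_msg_len, data_len, then the strings."""
    return struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data


def authen_continue_body(user_msg, data=b""):
    """CONTINUE: user_msg_len, data_len, flags, then the strings (user_msg carries the password)."""
    return struct.pack("!HHB", len(user_msg), len(data), 0) + user_msg + data


def parse_authen_continue(body):
    user_msg_len = struct.unpack("!H", body[:2])[0]
    return body[5:5 + user_msg_len]


def ascii_login_exchange(user, password, key, session_id=0x1A2B3C4D, flags=0):
    """The four packets of a successful ASCII login as (sender, wire bytes) pairs."""
    return [
        ("nas", build_packet(TYPE_AUTHEN, 1, session_id,
                             authen_start_body(user, "tty1", "192.168.255.10"), key, flags)),
        ("server", build_packet(TYPE_AUTHEN, 2, session_id,
                                authen_reply_body(STATUS_GETPASS, b"Password: "), key, flags)),
        ("nas", build_packet(TYPE_AUTHEN, 3, session_id,
                             authen_continue_body(password.encode()), key, flags)),
        ("server", build_packet(TYPE_AUTHEN, 4, session_id,
                                authen_reply_body(STATUS_PASS), key, flags)),
    ]


def recover_password(exchange, key):
    """What a party holding `key` reads out of the CONTINUE packet (seq_no 3)."""
    return parse_authen_continue(parse_packet(exchange[2][1], key)["body"])


if __name__ == "__main__":
    key = b"123-my_tacacs_key"
    exchange = ascii_login_exchange("admin", "s3cret", key)
    for sender, pkt in exchange:   # what tcpdump sees: sizes and obfuscated bytes only
        print(f"{sender:6} seq={pkt[2]} len={len(pkt)} body={pkt[HEADER_LEN:].hex()}")
    print("right key:", recover_password(exchange, key))
    print("wrong key:", recover_password(exchange, b"not-the-key"))
```

Two practical consequences follow from the code. First, a key mismatch between device and server is not detected cryptographically: the receiver simply decodes garbage and rejects the request, which is why a wrong key shows up as failed logins or length errors rather than a clear "bad key" message. Second, the obfuscation is an MD5-based XOR stream with no integrity protection, so the strength of the shared key and keeping port 49 confined to a management network are what actually protect the passwords travelling in the CONTINUE packets.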