TACACS+ – (Terminal Access Controller Access Control System plus) — is a session protocol developed by Cisco.

Security(encryption) of the Protocol has improved. TACACS+ is a separately handles authentication, authorization, and accounting (AAA) services.

Used resources:

FreeBSD 9.2 x64 (VM, IP: 10.0.0.10) GNS3 (Router 3700, IP: 10.0.0.100) Windows LoopBACK_Adapter (IP: 10.0.0.1)

Flow structure will be as follows:

FreeBSD x64 10.0.0.10 => LoopBACK Adapter (10.0.0.1) => GNS Cloud => Cisco Router 10.0.0.100

Network topology will be as follows:



Start the server configuration

Note : As virtual machine I used VmWare Workstation.

Before connect FreeBSD virtual port to LoopBack adapter update all ports and reboot thee server.

portsnap fetch extract update

cd /usr/ports/net/tac_plus4 # Go to the tac_plus4 port

make install clean # install

rehash # Update binary database

Add tac_plus to startup.

cat /etc/rc.conf

ifconfig_em0=”inet 10.0.0.10 netmask 255.255.255.0″

hostname=”tacacs.az”

sshd_enable=”YES”

tac_plus_enable=”YES” # StartUP tac_plus

tac_plus_flags=”-d 8 -d 16 -d 32 -d 64 -C /usr/local/etc/tac_plus.conf”

‘-d‘ – debuging

8 – authorization debugging

16 – authentication debugging

32 – crypt file debugging

64 – accounting debugging

‘-C‘ – ‘/usr/local/etc/tac_plus.conf‘ configuration file

The configuration file will be as follows:

cat /usr/local/etc/tac_plus.conf

# Path for accounting file

accounting file = /var/log/tac_plus.acct

# Pre-shared key which will be used between Cisco device and TACACS server

key = “freebsd”

# Groups

# Create groups with names ‘admin‘ and ‘service‘ and give access to this groups.

group = admin {

default service = permit # Allow all by default.

service = exec { # Privilege level is 15

priv-lvl = 15

}

}

group = service {

default service = deny # Deny by default.

service = exec { # Privilege level is 15

priv-lvl = 15

}

}

# Users

# Create users, add users to already created groups. Filter user commands.

user = jamal { # Create user by name ‘jamal‘

member = admin # and add to ‘admin‘ group.

login = des NQU3rObo2Ntoc # Crypt password with ‘des‘ algorithm (About crypt password with ‘tac_pwd‘ we will speak later)

}

user = auditor { # Create user by name ‘auditor‘,

member = admin # and add to ‘admin‘ group. Deny command list below.

cmd = configure {

deny .*

}

cmd = enable {

deny .*

}

cmd = clear {

deny .*

}

cmd = reload {

deny .*

}

cmd = write {

deny .*

}

cmd = copy {

deny .*

}

cmd = erase {

deny .*

}

cmd = delete {

deny .*

}

cmd = archive {

deny .*

}

login = cleartext secret # Password for ‘auditor‘ user we wrote as ‘cleartext‘.

}

user = event_manager { # ‘event_manager‘ user is member of,

member = service # ‘service‘ group(By default everything is deny for this group)

cmd = clear { # Here are allowed to use only the following commands.

permit .*

}

cmd = tclsh {

permit .*

}

cmd = squeeze {

permit .*

}

cmd = event {

permit .*

}

cmd = more {

permit .*

}

cmd = show {

permit version

}

cmd = delete {

permit .*

}

cmd = “delete /force” {

permit .*

}

cmd = “enable” {

permit .*

}

login = des 07xU3lvh1hC3I # Of course and here we encrypting password with ‘des‘ algorithm.

}

Qeyd : If we don’t want to see our passwords as cleartext, we must encrypt our passwords with ‘des‘ algorithm. For this we will use ‘tac_pwd‘ command.

tac_pwd # Just write this command and press the ENTER button. Then write password which you need, and press the ENTER button. Then copy ‘des‘ encrypted new line. You will use this encrypted password in ‘login = des‘ directive.

touch /var/log/tac_plus.acct # Create tacacs accounting file for logs.

chown tacacs /var/log/tac_plus.acct # Change owner to tacacs.

chmod 755 /var/log/tac_plus.acct # Give access to file.

/usr/local/etc/rc.d/tac_plus start # restart the service

netstat -a | grep tac # Check the daemon listener

tcp4 0 0 *.tacacs *.* LISTEN

Configure Cisco Router in GNS3.

conf t # Go to global mode.

interface fastEthernet 0/0 # Configure interface connected to cloud

ip address 10.0.0.100 255.255.255.0 # Set the IP address.

aaa new-model # Enter the AAA model

tacacs-server host 10.0.0.10 key 0 freebsd # Set IP address of tacacs server ‘10.0.0.10‘ and write pre-shared key ‘freebsd‘.

tacacs-server timeout 2 # Login timeout will be 2 second

tacacs-server directed-request # Request will be directly

aaa group server tacacs+ tac-int # Create aaa tacacs+ group with ‘tac-int‘ name

server 10.0.0.10 # And add ‘10.0.0.10‘ tacacs server to this list.

Add all aaa to tac-int admin group:

aaa authentication login admin group tac-int local

aaa authorization exec admin group tac-int local

aaa authorization commands 15 admin group tac-int local

aaa accounting update newinfo

aaa accounting commands 15 admin start-stop group tac-int

Apply admin login to terminal sessions between 0 and 4:

line vty 0 4

authorization commands 15 admin

authorization exec admin

accounting commands 15 admin

login authentication admin

For debug Router we can use the following commands.

Debug for AAA:

debug aaa per-user

debug aaa authentication

debug aaa authorization

debug aaa accounting

Debug for tacacs we can use the following commands:

debug tacacs authentication

debug tacacs authorization

debug tacacs accounting

debug tacacs events

debug tacacs packet

At the end from our Windows7 desktop connect to our router:

telnet 10.0.0.100

If you will see lines as follow then TACACS is working:

User Access Verification

Username:

If you will see line as follow then, something is wrong and go to debug.

Password: