Tac plus

From the TACACS+ article at Wikipedia, the free encyclopedia:
 * In computer networking, TACACS+ (Terminal Access Controller Access-Control System Plus) is a Cisco Systems proprietary protocol which provides access control for routers, network access servers and other networked computing devices via one or more centralized servers. TACACS+ provides separate authentication, authorization and accounting services.

TACACS+ is a protocol for AAA services (Authentication, Authorisation, Accounting), very similar to RADIUS. A system that provides logins to users is often called a NAS (Network Access Server), not to be confused with NAS - (Network Attached Storage). A NAS can be a client to an AAA server, such as a RADIUS, LDAP, or TACACS server. The client must use the authentication protocol appropriate for the server. A Linux system may act as an authentication client when when logging in a user. Based on the PAM configuration, the Linux system can use a RADIUS, LDAP, or TACACS server or may perform purely local authentication. To use TACACS, the Linux (or other) client must have IP access to a TACACS server, which is usually a separate physical server that provides authentication services to many clients. This page describes how to configure a Linux system to act as a TACACS server using the tac plus software package. It is often useful to have a TACACS server to support authentication for proprietary systems on your network, such as Cisco routers, that implement TACACS clients. With such a server, you can add or delete a new router administrator on all of your routers at the same time in one place. If some of your Linux systems are acting as network elements that should be accessed only by your network administrators, you may choose to configure these systems to also use your TACACS server for AAA.

About
This document describes how to configure and use the most recent version of tac_plus provided by Shrubbery Networks.

This installation howto uses tac_plus-4.0.4.27a as reference. General configuration and troubleshooting tips should also apply to older tac_plus versions available in the portage.

Emerge
Be sure to review and set USE flags accordingly before emerging the package:

Configuration
Shrubbery tac_plus is lacking a good documentation. General configuration is split up in 3 main sections:


 * ACL (Access Lists)
 * group
 * users

Further configuration tips at tac_plus FAQ

Ways to configure user authentication with tac_plus:
 * Authentication to local passwd file
 * Authentication to LDAP server with PAM
 * Authentication to password configured in

Authentication with passwd file
User authentication to local passwd file example:

Authentication with PAM
User authentication with PAM example:

Authentication to tac_plus.conf
User authentication to password configured in example:

tac_plus uses the crypt library in the underlying operating system and asks it to hash a given password against the hash in tac_plus.conf.

As such, one can transparently put any hash value you like in tac_plus.conf as long as glibc crypt supports it. On Linux systems these days with >=glibc-2.7 are supported. To show supported encryption methodes use following command:
 * SHA-256
 * SHA-512

Password hash generation can be done with following commands:


 * MD5


 * SHA256


 * SHA512

Network equipment configuration
A variety of systems implements the client side of the TACACS+ protocol. The following companies implement TACACS+ protocol communication support for some or all products:
 * Cisco (IOS, CatOS)
 * Juniper (ScreenOS, JUNOS)
 * Huawei
 * HP
 * OneAccess
 * Linux-based systems (via PAM)

Basic AAA (Authentication, Authorization, Accounting) configuration on a cisco IOS component.
 * Substitute tacacs-server host with IP address of the tac_plus server
 * For key choose the key which is configured in

! aaa new-model aaa authentication login default group tacacs+ local aaa authentication enable default group tacacs+ aaa authorization exec default group tacacs+ local ! tacacs-server host 192.0.2.10 key 123-my_tacacs_key ! line con 0 login authentication default ! line vty 0 15 login authentication default !

Final configuration steps
Start tac_plus daemon:

Add tac_plus to the default runlevel:

Verify tac_plus is running:

Troubleshooting
Verifying the interfaces and ports on which tac_plus is listening:

Looking for configuration errors if daemon fails to start:

Tacacs communication between tacacs-server and a network component. Example output of a a successful user session: Run tcpdump on the local tacacs-server:

To get debug ouput from tac_plus run tac_plus from shell with following command:

for used command line options in this command read the tac_plus manual.

External resources

 * tac_plus FAQ
 * http://tacacs.org/
 * http://packetlife.net/blog/2010/sep/27/basic-aaa-configuration-ios/
 * http://en.wikipedia.org/wiki/AAA_protocol
 * http://www.stben.net/tacacs/users_guide.html
 * http://www.shrubbery.net/pipermail/tac_plus/2011-December/001033.html
 * http://man7.org/linux/man-pages/man3/crypt.3.html