Tac plus

From Wikipedia, the free encyclopedia:

''In computer networking, TACACS+ (Terminal Access Controller Access-Control System Plus) is a Cisco Systems proprietary protocol which provides access control for routers, network access servers and other networked computing devices via one or more centralized servers. TACACS+ provides separate authentication, authorization and accounting services.''

TACACS+ is a protocol for AAA services (Authentication, Authorization, Accounting) and fills the same role as RADIUS, but differs in ways that matter for security: it runs over TCP (port 49) rather than UDP, keeps authentication, authorization and accounting as separate exchanges (which is what makes per-command authorization possible), and obfuscates the whole packet body with the shared key, whereas RADIUS only hides the user password. That obfuscation is an MD5-based XOR stream, not modern encryption; RFC 8907, which documents the protocol, advises running it only on a protected management network. The network devices that send requests to a RADIUS or TACACS+ server are its clients and are called NAS (Network Access Server), not to be confused with NAS meaning Network Attached Storage.

About
This document describes how to configure and use the most recent version of tac_plus provided by Shrubbery Networks.

This installation howto uses tac_plus-4.0.4.19 as reference. General configuration and troubleshooting tips should also apply to the older tac_plus versions available in Portage (tac_plus-4.0.4.14, tac_plus-4.0.4.15).

Installation
The following USE flags are supported by the package.

Enable the recommended USE flags and install the package.

Configuration
Shrubbery's tac_plus ships with sparse documentation; the tac_plus.conf man page and the FAQ linked below are the main sources. The configuration file /etc/tac_plus/tac_plus.conf holds the global key (the shared secret every NAS must present; traffic from a device configured with a different key cannot be decoded) and is otherwise split into three main kinds of section:


 * ACL (Access Lists)
 * group
 * users

Because the key and any password hashes live in tac_plus.conf, the file must be readable by root only. Further configuration tips are in the tac_plus FAQ.

Ways to configure user authentication with tac_plus:
 * Authentication against the local password file /etc/passwd
 * Authentication against an LDAP server via PAM
 * Authentication against a password stored in /etc/tac_plus/tac_plus.conf (as cleartext or, preferably, as a DES crypt hash)

User authentication with /etc/passwd example:

User authentication with PAM example:
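The three login methods above, combined in one configuration file. This is an added example and not code from the original page or from the tac_plus project: the shared key and the 192.168.255.0/24 management network follow the Cisco IOS example used later on this page, while the user and group names, the DES hash placeholders, the accounting file path and the acl name are assumptions. The script creates the file with root-only permissions before writing the secret into it and, when the daemon is installed, parses the result with tac_plus -P so that a syntax error is caught before a restart.

```shell
#!/bin/sh
# Write a tac_plus.conf that combines the three login methods (des hash,
# /etc/passwd, PAM), a NAS access list, two privilege groups, the enable
# password and accounting; then lock its permissions and syntax-check it.
# Names, addresses and the key are assumptions chosen for this example.

write_tac_plus_conf() {
    conf=${1:-/etc/tac_plus/tac_plus.conf}
    # Create (or truncate) the file and restrict it to root BEFORE the secret
    # is written: the shared key and password hashes must not be world-readable.
    : > "$conf" && chmod 600 "$conf"
    cat >> "$conf" <<'EOF'
# Shared secret; must match the "key" configured on every NAS.
key = "123-my_tacacs_key"

# Accounting records (session start/stop, executed commands) are appended here.
accounting file = /var/log/tac_plus.acct

# Only devices on the management network may talk to the daemon at all.
# The regex matches the IP address of the NAS (router/switch), not the user's PC.
acl = mgmt_net {
    permit = ^192\.168\.255\.
    deny = .*
}

# Full access: exec shell at privilege level 15, every service permitted.
group = netadmin {
    acl = mgmt_net
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

# Read-only: level 1 shell; only "show" (and "exit") pass command authorization.
group = netops {
    acl = mgmt_net
    default service = deny
    service = exec {
        priv-lvl = 1
    }
    cmd = show {
        permit .*
    }
    cmd = exit {
        permit .*
    }
}

# Method 3: password kept in this file as a crypt(3) DES hash. Generate it with
# the tac_pwd tool shipped with tac_plus; the value below is only a placeholder.
user = alice {
    member = netadmin
    login = des "xxxxxxxxxxxxx"
}

# Method 1: password looked up in a passwd-format file. On systems with shadow
# passwords /etc/passwd holds no hash, so prefer PAM (method 2) there.
user = bob {
    member = netops
    login = file /etc/passwd
}

# Method 2: password checked through PAM (LDAP, shadow, ...); needs tac_plus
# built with PAM support and a PAM service file for it.
user = carol {
    member = netops
    login = PAM
}

# Password the NAS asks for on "enable" when it is configured with
# "aaa authentication enable default group tacacs+". Placeholder hash again.
user = $enab15$ {
    login = des "xxxxxxxxxxxxx"
}
EOF
}

# Parse the configuration without starting the daemon; non-zero means a syntax error.
check_tac_plus_conf() {
    conf=${1:-/etc/tac_plus/tac_plus.conf}
    if ! command -v tac_plus >/dev/null 2>&1; then
        echo "tac_plus is not installed; skipping parse check" >&2
        return 0
    fi
    tac_plus -P -C "$conf"
}
```

Run write_tac_plus_conf as root to write the real file, or pass a path to inspect the result first; check_tac_plus_conf is the step to run after every edit and before restarting the daemon. The netops group only enforces its "show"-only policy if the NAS actually sends command authorization requests (aaa authorization commands ... group tacacs+ on IOS); without that, the privilege level is the only restriction.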

Network equipment configuration
TACACS+ is supported on a wide range of network equipment. The following vendors implement TACACS+ in their products:


 * Cisco (IOS, CatOS)
 * Juniper (ScreenOS, JUNOS)
 * Huawei
 * HP
 * OneAccess

Basic AAA (Authentication, Authorization, Accounting) configuration for a Cisco IOS device.


 * Replace the address in tacacs-server host with the IP address of the tac_plus server.
 * The key must be identical to the key configured in /etc/tac_plus/tac_plus.conf.
 * The local and enable fallbacks are consulted only when no TACACS+ server answers, not when a server rejects the login, and they only help if a local account (username ... privilege 15 secret ...) and an enable secret exist on the device. Without them an unreachable server or a mistyped key locks you out of every line, including the console.
 * Newer IOS releases deprecate tacacs-server host in favour of a tacacs server <name> block containing address ipv4 and key statements; the method lists below stay the same.

!
aaa new-model
!
! Logins: ask TACACS+ first, use the local user database only when no server answers.
aaa authentication login default group tacacs+ local
! Enable: fall back to the locally configured enable secret when no server answers.
aaa authentication enable default group tacacs+ enable
! Shell privilege level and per-command authorization come from tac_plus.
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! Accounting: session start/stop and every command at level 1 and 15.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
tacacs-server host 192.168.255.254 key 123-my_tacacs_key
!
line con 0
 login authentication default
!
line vty 0 15
 login authentication default
!

Final configuration steps
Start the tac_plus daemon:

Add tac_plus to the default runlevel:

Verify that tac_plus is running:

Troubleshooting
Verifying the interfaces and ports on which tac_plus is listening (TACACS+ uses TCP port 49):

Looking for configuration errors if the daemon fails to start:

TACACS+ traffic between the tac_plus server and a network device, example output of a successful user session. Run tcpdump on the tac_plus server. Only the 12-byte packet header (version, type, sequence number, flags, session id, body length) is visible in the clear; the body, including user names and passwords, is obfuscated with the shared key, so a capture that shows readable bodies means a device is sending with the unencrypted flag set.
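Added example, not from the original page: a small POSIX sh decoder for the 12-byte TACACS+ packet header, meant for the hex that tcpdump -x prints for TCP port 49. The two sample headers are constructed for this example, not captured. The decoder reports packet type, sequence number, session id and body length, and exits with status 2 when a packet carries TAC_PLUS_UNENCRYPTED_FLAG, i.e. its body is in cleartext, which should never be seen from a production NAS.

```shell
#!/bin/sh
# Decode the TACACS+ packet header (RFC 8907, section 4.1) from a hex string
# holding the first 12 bytes of a TCP/49 payload, and flag cleartext bodies.
#
# byte 0   major version (always 0xc) | minor version
# byte 1   type: 1 authentication, 2 authorization, 3 accounting
# byte 2   sequence number (1 = first packet of the session, from the NAS)
# byte 3   flags: bit 0 = TAC_PLUS_UNENCRYPTED_FLAG, bit 2 = single-connect
# bytes 4-7  session id, bytes 8-11 body length (big endian)

hexbyte() {   # hexbyte HEX OFFSET -> decimal value of the byte at OFFSET
    pair=$(printf '%s' "$1" | cut -c "$(( $2 * 2 + 1 ))-$(( $2 * 2 + 2 ))")
    echo $(( 0x$pair ))
}

tacplus_type_name() {
    case "$1" in
        1) echo authen ;;
        2) echo author ;;
        3) echo acct ;;
        *) echo "unknown($1)" ;;
    esac
}

# tacplus_header_check HEX
# Prints one key=value line per field. Exit status: 0 when the body is
# obfuscated with the shared key, 2 when the peer sends cleartext bodies,
# 1 when the input is not a TACACS+ header at all.
tacplus_header_check() {
    hex=$(printf '%s' "$1" | tr -d ' \n' | tr 'A-F' 'a-f')
    if [ "${#hex}" -lt 24 ]; then
        echo "header too short (need 12 bytes)" >&2
        return 1
    fi
    v=$(hexbyte "$hex" 0)
    # Major version is always 0xc; anything else means the hex does not start
    # at the TACACS+ header (e.g. the IP header, 0x45, was pasted as well).
    if [ $(( v >> 4 )) -ne 12 ]; then
        echo "not a TACACS+ header (first byte 0x$(printf '%02x' "$v"))" >&2
        return 1
    fi
    type=$(hexbyte "$hex" 1)
    seq=$(hexbyte "$hex" 2)
    flags=$(hexbyte "$hex" 3)
    session=$(printf '%s' "$hex" | cut -c 9-16)
    length=$(( $(hexbyte "$hex" 8) << 24 | $(hexbyte "$hex" 9) << 16 \
             | $(hexbyte "$hex" 10) << 8 | $(hexbyte "$hex" 11) ))
    printf 'version=0x%02x\n' "$v"
    echo "type=$(tacplus_type_name "$type")"
    echo "seq_no=$seq"
    echo "session_id=0x$session"
    echo "body_length=$length"
    if [ $(( flags & 1 )) -ne 0 ]; then
        echo "encrypted=no"
        echo "WARNING: TAC_PLUS_UNENCRYPTED_FLAG set, body is cleartext" >&2
        return 2
    fi
    echo "encrypted=yes"
    return 0
}

# Constructed sample headers (not real captures):
# authentication START, seq 1, flags 0, session 0x1a2b3c4d, 32-byte body
GOOD_HDR='c0 01 01 00 1a 2b 3c 4d 00 00 00 20'
# same packet with the unencrypted flag set
BAD_HDR='c0 01 01 01 1a 2b 3c 4d 00 00 00 20'
```

On the tac_plus server run tcpdump -ni any -x 'tcp port 49' and feed the function the first 24 hex digits that follow the IP and TCP headers (80 digits when neither carries options). To catch cleartext sessions directly on the wire, the filter 'tcp port 49 and tcp[((tcp[12]&0xf0)>>2)+3] & 1 != 0' selects packets whose flags byte has the unencrypted bit set; any hit identifies a NAS that must be reconfigured.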