tac plus

From Gentoo Wiki

Resources

From the TACACS+ article at Wikipedia, the free encyclopedia:

In computer networking, TACACS+ (Terminal Access Controller Access-Control System Plus) is a Cisco Systems proprietary protocol which provides access control for routers, network access servers and other networked computing devices via one or more centralized servers. TACACS+ provides separate authentication, authorization and accounting services.

TACACS+ is a protocol for AAA services (Authentication, Authorization, Accounting), very similar to RADIUS. A system that provides logins to users is often called a NAS (Network Access Server), not to be confused with NAS (Network Attached Storage). A NAS can be a client to an AAA server, such as a RADIUS, LDAP, or TACACS server. The client must use the authentication protocol appropriate for the server. A Linux system may act as an authentication client when logging in a user: based on the PAM configuration, it can use a RADIUS, LDAP, or TACACS server or perform purely local authentication. To use TACACS, the Linux (or other) client must have IP access to a TACACS server, which is usually a separate physical server that provides authentication services to many clients.

This page describes how to configure a Linux system to act as a TACACS server using the tac_plus software package. It is often useful to have a TACACS server to support authentication for proprietary systems on your network, such as Cisco routers, that implement TACACS clients. With such a server, you can add or delete a router administrator on all of your routers at the same time in one place. If some of your Linux systems are acting as network elements that should be accessed only by your network administrators, you may choose to configure these systems to also use your TACACS server for AAA.

About

This document describes how to configure and use the most recent version of tac_plus provided by Shrubbery Networks.

This installation howto uses tac_plus-4.0.4.27a as reference. General configuration and troubleshooting tips should also apply to older tac_plus versions available in Portage.

Installation

USE flags

USE flags for net-nds/tac_plus (an updated version of Cisco's TACACS+ server):

  • debug (global): Enable extra debug codepaths, like asserts and extra output. If you want to get meaningful backtraces see https://wiki.gentoo.org/wiki/Project:Quality_Assurance/Backtraces
  • finger (local): Adds support for checking user counts via fingering the NAS
  • maxsess (local): Enforce a limit on maximum sessions per user
  • skey (global): Enable S/Key (single use password) authentication support
  • static-libs (global): Build static versions of dynamic libraries as well
  • tcpd (global): Add support for TCP wrappers

Emerge

Be sure to review and set USE flags accordingly before emerging the package:

root #emerge --ask net-nds/tac_plus

Configuration

Shrubbery tac_plus lacks good documentation. General configuration is split into 3 main sections:

  • ACL (Access Lists)
  • group
  • users
Important
The sections must appear in this order (ACLs, then groups, then users) in the file /etc/tac_plus/tac_plus.conf.
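To catch ordering mistakes before restarting the daemon, here is an added example (not from this wiki page or the tac_plus project) of a small shell/awk lint for the rule above: every `member =` reference must name a group defined earlier in the file, and no group may be defined after the first user block. It only understands the flat `group = name {`, `user = name {` and `member = name` lines used in the examples on this page (ACL ordering is not checked), and the two sample configurations it ships with are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; not part of the Gentoo wiki page or the tac_plus project.

# check_conf_order FILE: print one line per ordering problem and return 1 if
# any were found, 0 otherwise. Groups must be defined before they are
# referenced by `member =`, and no group may follow the first user block.
check_conf_order() {
    awk '
        /^[[:space:]]*#/ { next }                        # skip comment lines
        /^[[:space:]]*group[[:space:]]*=/ {
            name = $0
            sub(/^[[:space:]]*group[[:space:]]*=[[:space:]]*/, "", name)
            sub(/[[:space:]{].*$/, "", name)             # strip " {" and the rest
            if (seen_user) {
                printf "line %d: group %s defined after a user block\n", NR, name
                bad = 1
            }
            groups[name] = NR
            next
        }
        /^[[:space:]]*user[[:space:]]*=/ { seen_user = 1; next }
        /^[[:space:]]*member[[:space:]]*=/ {
            name = $0
            sub(/^[[:space:]]*member[[:space:]]*=[[:space:]]*/, "", name)
            sub(/[[:space:]].*$/, "", name)
            if (!(name in groups)) {
                printf "line %d: member %s not defined before use\n", NR, name
                bad = 1
            }
            next
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample: correct order (group before user).
sample_good_conf() {
    cat <<'EOF'
key = example-key
group = netadmin {
        default service = permit
        service = exec {
                priv-lvl = 15
        }
}
user = larry {
        member = netadmin
}
EOF
}

# Constructed sample: user block references a group that is defined later.
sample_bad_conf() {
    cat <<'EOF'
key = example-key
user = larry {
        member = netadmin
}
group = netadmin {
        default service = permit
}
EOF
}

# Run the lint over both samples when invoked as: sh lint.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    sample_good_conf > "$tmp"; check_conf_order "$tmp" && echo "good sample: no problems"
    sample_bad_conf > "$tmp";  check_conf_order "$tmp" || echo "bad sample: problems found"
    rm -f "$tmp"
fi
```

Point check_conf_order at /etc/tac_plus/tac_plus.conf before a restart; a non-zero exit means the daemon would most likely reject the file for the same reason the log excerpt in the troubleshooting section shows.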

Further configuration tips can be found in the tac_plus FAQ.

Ways to configure user authentication with tac_plus:

  • Authentication to local passwd file /etc/passwd
  • Authentication to LDAP server with PAM
  • Authentication to password configured in /etc/tac_plus/tac_plus.conf

Authentication with passwd file

Example of user authentication against the local passwd file /etc/passwd:

FILE /etc/tac_plus/tac_plus.conf
key = 123-my_tacacs_key

group = netadmin {
        default service = permit
        login = file /etc/passwd
        service = exec {
                priv-lvl = 15
        }
}

user = larry {
        member = netadmin
}

Authentication with PAM

Example of user authentication with PAM:

FILE /etc/tac_plus/tac_plus.conf
key = 123-my_tacacs_key

group = netadmin {
        default service = permit
        service = exec {
                priv-lvl = 15
        }
}

user = larry {
        login = PAM
        member = netadmin
}
Note
Recent tac_plus versions support user authentication against LDAP (through PAM). Group membership still has to be defined in the tac_plus.conf configuration file.

Authentication to tac_plus.conf

Example of user authentication against a password hash configured in /etc/tac_plus/tac_plus.conf:

FILE /etc/tac_plus/tac_plus.conf
key = 123-my_tacacs_key

group = netadmin {
        default service = permit
        service = exec {
                priv-lvl = 15
        }
}

user = larry {
        # SHA-512 crypt(3) password hash
        login = des $6$Jb5Gk14S90Pc0uAu$YRUqI7qBMqOiPEfI78qz11zaB0QCAbsUxHTojd1RwI1loFX0/RHTqQxaFRj7aXN3qBLdogCs365V/QSuERDzo/
        member = netadmin
}

tac_plus calls the crypt() function of the underlying operating system: the supplied password is hashed with the salt and algorithm encoded in the stored value and the result is compared with the hash in tac_plus.conf.

As such, any hash value can be put in tac_plus.conf transparently as long as glibc crypt() supports it. On Linux systems with >=glibc-2.7

  • SHA-256
  • SHA-512

are supported. To show the supported hash methods use the following command:

user $man 3 crypt
Important
There is almost no reason left to use DES hashes in tac_plus.conf (see http://www.shrubbery.net/pipermail/tac_plus/2011-December/001033.html).

Password hashes can be generated with the following commands:

  • MD5
user $openssl passwd -1
  • SHA256
user $grub-crypt --sha-256
  • SHA512
user $grub-crypt --sha-512

Network equipment configuration

A variety of systems implement the client side of the TACACS+ protocol. The following vendors support TACACS+ on some or all of their products:

  • Cisco (IOS, CatOS)
  • Juniper (ScreenOS, JUNOS)
  • Huawei
  • HP
  • OneAccess
  • Linux-based systems (via PAM)

Basic AAA (Authentication, Authorization, Accounting) configuration on a Cisco IOS device:

  • Substitute the tacacs-server host address with the IP address of the tac_plus server
  • For key, use the key configured in /etc/tac_plus/tac_plus.conf
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+
aaa authorization exec default group tacacs+ local
!
tacacs-server host 192.0.2.10 key 123-my_tacacs_key
!
line con 0
 login authentication default
!
line vty 0 15
 login authentication default
!

Final configuration steps

Start tac_plus daemon:

root #/etc/init.d/tac_plus start

Add tac_plus to the default runlevel:

root #rc-update add tac_plus default

Verify tac_plus is running:

root #ps -ef |grep tac_plus
root      8123     1  0 21:29 ?        00:00:00 /usr/bin/tac_plus -C /etc/tac_plus/tac_plus.conf

Troubleshooting

Verifying the interfaces and ports on which tac_plus is listening:

root #netstat -tulpen | grep tac_plus
tcp        0      0 0.0.0.0:49              0.0.0.0:*               LISTEN      0          27930913   8455/tac_plus

Looking for configuration errors if the daemon fails to start:

root #tail -f /var/log/messages
2011-04-09T21:26:28.847493+02:00 server tac_plus[7749]: Reading config
2011-04-09T21:26:28.847605+02:00 server tac_plus[7749]: Error Unrecognised keyword default for user on line 51
2011-04-09T21:26:28.851096+02:00 server /etc/init.d/tac_plus[7738]: ERROR: tac_plus failed to start

TACACS+ communication between the tacacs server and a network component. Example output of a successful user session, captured by running tcpdump on the local tacacs server; note that the switch opens two separate TCP connections (source ports 11384 and 11385) to port 49 on the server:

root #tcpdump -i eth0 tcp port 49
22:53:01.692185 IP switch.11384 > server.tacacs: S 2173305858:2173305858(0) win 4128 <mss 1460>
22:53:01.692221 IP server.tacacs > switch.11384: S 4283961231:4283961231(0) ack 2173305859 win 5840 <mss 1460>
22:53:01.693690 IP switch.11384 > server.tacacs: . ack 1 win 4128
22:53:01.793233 IP switch.11384 > server.tacacs: P 1:43(42) ack 1 win 4128
22:53:01.793282 IP server.tacacs > switch.11384: . ack 43 win 5840
22:53:01.808601 IP server.tacacs > switch.11384: P 1:29(28) ack 43 win 5840
22:53:01.993368 IP switch.11384 > server.tacacs: P 43:68(25) ack 29 win 4100
22:53:02.002160 IP server.tacacs > switch.11384: P 29:47(18) ack 68 win 5840
22:53:02.002187 IP server.tacacs > switch.11384: F 47:47(0) ack 68 win 5840
22:53:02.004152 IP switch.11384 > server.tacacs: . ack 48 win 4082
22:53:02.096209 IP switch.11384 > server.tacacs: FP 68:68(0) ack 48 win 4082
22:53:02.096231 IP server.tacacs > switch.11384: . ack 69 win 5840
22:53:02.123615 IP switch.11385 > server.tacacs: S 4146347262:4146347262(0) win 4128 <mss 1460>
22:53:02.123641 IP server.tacacs > switch.11385: S 4294861878:4294861878(0) ack 4146347263 win 5840 <mss 1460>
22:53:02.127410 IP switch.11385 > server.tacacs: . ack 1 win 4128
22:53:02.229706 IP switch.11385 > server.tacacs: P 1:62(61) ack 1 win 4128
22:53:02.229751 IP server.tacacs > switch.11385: . ack 62 win 5840
22:53:02.229890 IP server.tacacs > switch.11385: P 1:52(51) ack 62 win 5840
22:53:02.229923 IP server.tacacs > switch.11385: F 52:52(0) ack 62 win 5840
22:53:02.232297 IP switch.11385 > server.tacacs: . ack 53 win 4077
22:53:02.330097 IP switch.11385 > server.tacacs: FP 62:62(0) ack 53 win 4077
22:53:02.330118 IP server.tacacs > switch.11385: . ack 63 win 5840

To get debug output from tac_plus, run tac_plus from a shell with the following command:

root #tac_plus -C /etc/tac_plus/tac_plus.conf -L -p 49 -d128 -g

For the command line options used in this command, read the tac_plus manual:

user $man tac_plus
