As soon as your network grows to more than a few devices you quickly realize you need an easy way to manage the logins and passwords on them. Cisco will sell you its ACS server for $6,000 or so, or the appliance for $12,000. But if your budget doesn't allow you to spend this kind of money, what options do you have? Lucky for us there is good ol' TACACS+.
TACACS+ (Terminal Access Controller Access-Control System Plus) is a protocol, running over TCP port 49, that provides login control for your network devices. Setting up a TACACS+ server gives you a central point for controlling authentication, authorization, and accounting (AAA) on your routers, switches and just about any other network device. TACACS+ server software runs on Linux, Sun and Windows, and best of all it's free.
Ah, but what about RADIUS, you ask? Well, RADIUS works just fine and will do the same thing, but there are some benefits to using TACACS+. One is that the authentication, authorization, and accounting services are separated, which lets you distribute them across multiple servers if you wish. Another is that the body of every request and reply is encrypted with the shared key, not just the password field as in RADIUS, so your login information is not readable on the wire.
Configuring TACACS+ can be a bit of a challenge if you have never done it before, but once you understand the format of the config file it's really pretty simple.
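What "encrypted" means here is worth seeing, because the protection rests entirely on the shared key. The following is an added example (not code from this post or from the tac_plus project) that implements the body obfuscation from RFC 8907 section 4.5 in Python: a keystream built by chaining MD5 over the session id, the shared key, the version byte and the sequence number, XORed with the packet body. RFC 8907 itself now calls this obfuscation rather than encryption. The session id, key and body bytes are constructed for the demonstration.

```python
"""TACACS+ packet-body obfuscation as specified in RFC 8907, section 4.5.
Added example, not code from the page or from tac_plus; the session id, key
and body values are constructed for the demonstration."""
import hashlib
import struct

TAC_PLUS_AUTHEN = 0x01            # header type: authentication packet
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body is sent in the clear
HEADER_FMT = "!BBBBII"            # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 keystream: MD5_1 = MD5(session_id, key, version, seq_no) and
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), truncated to length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version=0xC0, seq_no=1):
    """XOR the body with the pad; XOR is its own inverse, so this also decodes."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(body, session_id, key, ptype=TAC_PLUS_AUTHEN, seq_no=1, flags=0, version=0xC0):
    """The header always travels in the clear: the peer needs session_id, version
    and seq_no from it to rebuild the pad.  Only the body is obfuscated."""
    header = struct.pack(HEADER_FMT, version, ptype, seq_no, flags, session_id, len(body))
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return header + body
    return header + obfuscate(body, session_id, key, version, seq_no)

def open_packet(packet, key):
    """Recover the body.  RFC 8907 tells a server that has a key configured to
    reject packets carrying the unencrypted flag, so this does the same."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        if key:
            raise ValueError("unencrypted flag set but a shared key is configured")
        return body
    return obfuscate(body, session_id, key, version, seq_no)

if __name__ == "__main__":
    # Constructed authentication START-style body: action, priv_lvl, authen_type,
    # service, then the user/port/rem_addr/data lengths and the user name.
    body = b"\x01\x01\x01\x01" + bytes([3, 0, 0, 0]) + b"tom"
    session_id, key = 0x1234ABCD, b"example-shared-key"
    packet = build_packet(body, session_id, key)
    print(packet.hex())                        # header readable, body not
    print(open_packet(packet, key))            # ends in b'tom'
    print(open_packet(packet, b"wrong-key"))   # garbage: the key is the whole secret
```

Run it and compare open_packet() with the right key and a wrong one: the header is readable to anyone on the path, and the body is exactly as safe as the shared key is hard to guess. That is the practical reason to treat the key as a secret on par with an enable password, to avoid a value like the `password` in the sample config below, and to keep TACACS+ traffic on a management network rather than relying on the obfuscation alone.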
Here's a sample TACACS+ config:
# Encryption key is the same key you configure in your router
# ENCRYPTION KEY:
key = password

# You will want to log access to a file. Set that file here
# Remember to rotate the log, it will grow over time.
# write accounting to:
accounting file = accounting.log

#########################################
###############Users#####################
#########################################
### without "login = " need to authenticate through radius or local:
user = tom { member = itnetwork }
user = dick { member = itnetwork }
user = harry { member = itnetwork }
user = backup-user { member = show }   # show profile for only doing backups

################################
##########Groups################
################################
group = itnetwork {
    # IT-Network Engineers
    login = file passwords.db
    service = exec {
        default attribute = permit
        priv-lvl = 15
    }
    cmd = show {
        permit .*
    }
    cmd = enable {
        permit .*
    }
#################################################
# The remainder edited for brevity
In the above sample config there are basically three sections. The top section is where you define the encryption key that your routers and switches use to authenticate to your TACACS+ server, along with the accounting log file.
The next section is the users section. This is where you define the user names, which group each user is a member of, and where the password is kept. In this example we are using a file called passwords.db that contains these passwords.
Finally there is the group section. This is where you define the commands that can be executed by members of the group. Users can belong to multiple groups. Commands can be permitted or denied, which allows an amazing amount of control over what users and groups can do on your network devices.
The entire TACACS+ package can be downloaded here. It contains the full tac.cfg file as well as a few extras for making setting up your TACACS+ server on Windows a breeze.
As always, if you have any comments or would like to add anything to this post, please do. Comments make a website come alive. We would love to hear your opinion.
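To make the three sections concrete, here is an added example (not the RouterFreak tac.cfg and not code from tac_plus) in Python that parses a config in this format and audits it the way a reviewer would before deploying it: it reports syntax errors with a line number, users that reference an undefined group, users with no login= method on the user or any of their groups, a short shared key, and groups whose cmd blocks permit any argument or set default service = permit. It also evaluates whether a command would be allowed for a group, following tac_plus's documented first-match rule; that rule and the use of regex search on the argument string are assumptions of this example, as is the sample config at the bottom, which is constructed and only borrows the names from the post.

```python
"""Parser and audit for a tac_plus-style config (added example, not the RouterFreak tac.cfg).
Syntax as in the sample above: `name = value`, `name = ident { ... }`, bare permit/deny lines.
SAMPLE_CFG at the bottom is constructed for the demonstration."""
import re

def tokenize(text):
    tokens = []  # '\n' kept so errors can report a line; '#' assumed absent from values
    for line in text.splitlines():
        for ch in "{}=":
            line = line.replace(ch, f" {ch} ")
        tokens += line.split("#", 1)[0].split() + ["\n"]
    return tokens

def parse_block(tokens, i=0):  # -> (entries, index); entry = (lhs, rhs_tokens, children|None)
    entries = []
    while i < len(tokens) and tokens[i] != "}":
        if tokens[i] == "\n":
            i += 1
            continue
        if tokens[i] == "{":
            raise ValueError(f"unexpected '{{' on line {tokens[:i].count(chr(10)) + 1}")
        stmt = []
        while tokens[i] not in ("{", "}", "\n"):  # every line ends in a '\n' token
            # a token followed by '=' starts a new statement on the same line
            if "=" in stmt and tokens[i] != "=" and tokens[i + 1:i + 2] == ["="]:
                break
            stmt.append(tokens[i])
            i += 1
        children = None
        if tokens[i] == "{":
            children, i = parse_block(tokens, i + 1)
            if i >= len(tokens):
                raise ValueError("missing '}' before end of file")
            i += 1
        if "=" in stmt:
            entries.append((" ".join(stmt[:stmt.index("=")]), stmt[stmt.index("=") + 1:], children))
        elif stmt:  # bare `permit .*` / `deny ...` inside a cmd block
            entries.append((stmt[0], stmt[1:], children))
    return entries, i

def parse(text):
    tokens = tokenize(text)
    entries, i = parse_block(tokens)
    if i < len(tokens):
        raise ValueError(f"unexpected '}}' on line {tokens[:i].count(chr(10)) + 1}")
    return entries

def audit(text):
    entries = parse(text)
    users = {r[0]: c or [] for l, r, c in entries if l == "user"}
    groups = {r[0]: c or [] for l, r, c in entries if l == "group"}
    findings = []
    if any(l == "key" and len(" ".join(r)) < 16 for l, r, _ in entries):
        findings.append("shared key is short; it is all that protects packet bodies")
    for name, body in users.items():
        members = [r[0] for l, r, _ in body if l == "member"]
        findings += [f"user {name}: member of undefined group {m}" for m in members if m not in groups]
        scopes = [body] + [groups[m] for m in members if m in groups]
        if not any(l == "login" for scope in scopes for l, _, _ in scope):
            findings.append(f"user {name}: no login= on the user or its groups")
    for name, body in groups.items():
        for l, r, c in body:
            if l == "default service" and r == ["permit"]:
                findings.append(f"group {name}: default service = permit allows every unlisted command")
            if l == "cmd" and any(a == "permit" and v == [".*"] for a, v, _ in c or []):
                findings.append(f"group {name}: cmd {r[0]} permits every argument form")
    return findings

def command_allowed(text, group, command, args=""):
    """First match wins (assumed tac_plus rule): no match inside a cmd block denies,
    and a command with no cmd block passes only under `default service = permit`."""
    body = {r[0]: c or [] for l, r, c in parse(text) if l == "group"}[group]
    for l, r, c in body:
        if l == "cmd" and r == [command]:
            for action, pattern, _ in c or []:
                if re.search(" ".join(pattern), args):
                    return action == "permit"
            return False
    return any(l == "default service" and r == ["permit"] for l, r, _ in body)

SAMPLE_CFG = """\
key = password
user = tom { member = itnetwork }
user = guest { member = nosuchgroup }
group = itnetwork {
    login = file passwords.db
    service = exec { default attribute = permit priv-lvl = 15 }
    cmd = show { permit .* }
    cmd = configure { deny terminal
                      permit .* }
}
group = show {
    default service = permit
    cmd = show { permit ^running-config
                 deny .* }
}
"""

if __name__ == "__main__":
    print(*audit(SAMPLE_CFG), sep="\n")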
Freak!
19 Responses
Hi, I am trying to implement AAA through TACACS. Now I have two types of users, Junior Network Admin and Senior Network Admin, and two types of network devices, Access and Core. Both types of admin have full access to Access devices but Junior Network Admins only have limited privileges on Core network devices (Junos-based Juniper devices). Now I have created one template account on Access devices and two template accounts on Core devices. I want to map two template accounts to a single user defined in the TACACS configuration file, … I am OK with single template account to single TACACS user mapping but unable to map two template accounts from two different network devices to a single template account in TACACS.
Hi all,
We want to pass all our authentication to the switch through TACACS. So what are all the prerequisites I need to have to achieve this? I am going to use Windows 2008 Server which has Active Directory installed already. So now how can I proceed with this?
Hi, I am new to this and I am trying to figure out how to configure this on the Cisco router.
This is what I have:
aaa new-model
aaa authentication login group tacacs+ local line enable
aaa authentication enable default group tacacs+ enable
tacacs-server host 172.19.0.223
tacacs-server key onmlk123
ip tacacs source-interface Loopback12
I am a little confused on the second command where it says "login group tacacs+": should I be specifying any specific group or not?
Also, does this work on Windows Server 2008 R2 Enterprise?
Thank you
Can anyone tell me how to create a user that can only do show commands, configure router interfaces and ip routes? My authorization doesn't work at all.
You can set user account privileges to be lower than standard admin. Router admins typically get privilege level 15 for all commands. Privilege level 11 will be allowed to perform most read functions but not be able to do a "show run".
Within TACACS you can be extremely specific as to which commands you want to permit or deny for each privilege level to execute.
Hi Joe,
I currently have tacacs up and running in my environment. Can a user be a member of more than one group with two different access levels? For example, could user Tom be a member of ITnetwork (with acl list of nodes) & ITnetwork2 (with acl list of nodes) where ITNetwork has privilege 15 and ITNetwork2 has privilege 7?
With the standard version of TACACS+ that's freely available I don't think you can do this. You would have to upgrade to Cisco ACS, which has this capability. You can create user groups as well as group your network devices and assign different permissions based on each group. It has a lot more flexibility.
That's what I thought too.
Thanks a lot for the information Joe. You have been helpful.
Thanks.
When you edit that config file be sure to use a text editor. Don't use Notepad as it tends to add control characters to the file. Try TextPad, it's free, or Notepad++ which is also free.
Let me know if this helps
Joe
I think you meant don't use WordPad – that's a full-blown word processor and will insert control characters, etc. Notepad is a plain text editor; if you don't have one of the upgrades listed above it's built into Windoze. I have used it off and on for this purpose / reason for years.
No, Notepad is not entirely a plain text editor. It will insert hidden characters. So does WordPad. The best apps to use on Windows desktops would be either TextPad or Notepad++. Both are free to use!
Joe, it appears that if I modify the tac.cfg in any way it won't run. I can copy the original tac.cfg, rename it and it runs OK, but as soon as I make any change to the config file, even just adding one character to a password for example, it won't run…
Good to know! Thanks — keep me posted!
Joe, really interesting: none of the above worked, but I had renamed the default tac.cfg to tacold.cfg and created a new tac.cfg. If I tried running the .exe with my new tac.cfg it didn't start; I tried it with the bundled renamed tacold.cfg and it started!! Must be something in the original tac.cfg file that I'm missing or some such, will post back what I find.
Thanks
Thanks, really interesting. Are you running it as administrator? … or try right-click "run as admin"? Just taking a stab in the dark. You may also try running in compatibility mode.. again just guessing.
Let me know if you get it working… thanks!
Hi,
That's exactly what I want, Windows, and I am trying to run it on Windows XP, but I get the error mentioned and it does not appear in Task Manager as stated in the readme file.
I can find loads of Unix/Linux ones; it's these rare Windows ones I want to try.
Simon
Hi, great post as I'm trying to test out TACACS, but I'm having trouble running the exe; I get the following message:
C:\tacacs>tac_plus.exe -C tac.cfg
Warning, not running as uid 0
Tac_plus is usually run as root
on line 2ecognised token
Any ideas?
Thanks Simon
Hi Simon,
I believe the download from RouterFreak.com is only for Windows platforms. Sorry about that. You may want to do a search for a Linux/Unix version. I know there are some out there. I would look too and try to include this in the downloads area of the site.
Thanks!