TACACS server on Red Hat / CentOS

Terminal Access Controller Access-Control System (TACACS) is a remote authentication protocol used to talk to an authentication server, historically common in UNIX networks. TACACS allows a remote access server to query an authentication server in order to determine whether a user may access the network. TACACS is defined in RFC 1492 and uses TCP or UDP port 49 by default. A later version introduced by Cisco in 1990 was called Extended TACACS (XTACACS); the XTACACS protocol was developed by and is proprietary to Cisco Systems.

TACACS allows a client to accept a username and password and send a query to a TACACS authentication server, sometimes called a TACACS daemon or simply TACACSD. This server was normally a program running on a host. The host would decide whether to accept or deny the request and send a response back. The TIP (the routing node accepting dial-up line connections, which the user would normally want to log in to) would then allow or refuse access based on that response. In this way the decision process is "opened up", and the algorithms and data used to make the decision are under the complete control of whoever runs the TACACS daemon.

TACACS+ and RADIUS have generally replaced TACACS and XTACACS in more recently built or updated networks. TACACS+ is an entirely new protocol and is not compatible with TACACS or XTACACS. TACACS+ uses the Transmission Control Protocol (TCP), whereas RADIUS uses the User Datagram Protocol (UDP). Some administrators recommend TACACS+ because TCP is seen as the more reliable transport. Whereas RADIUS combines authentication and authorization in a single user profile, TACACS+ separates the two operations.

TACACS+ installation

This article describes step by step how to install a TACACS+ server; specifically, we install tac_plus.
1. Download TACACS+
2. Install Tac-plus application
3. Configure TACACS.conf
4. configure Network device(Cisco router)

1. Download TACACS+
Get the latest tacacs+ binary RPM from http://www.gazi.edu.tr/tacacs.

2. Install Tac-plus application
Log in to your machine as root to avoid any interruption while installing TACACS+, and type:
rpm -ivh tac_plus.xxx.i386.rpm

This installs tacacs+ on your system. To verify the installation, run:
rpm -q tac_plus

If you see output like the following, you are good to go:
tac_plus-F4.0.3.alpha-7

3. Configure TACACS.conf
# Created by Devrim SERAL
# This is a very simple configuration file.
# Please read the user guide and the tacacs+ FAQ for more information
# on building more complex tacacs+ configuration files.

# Shared secret; must match the "tacacs-server key" on the network devices
key = CISCONET

# Use the /etc/passwd file to do authentication
default authentication = file /etc/passwd.log

# tacacs+ can also use the default PAM authentication
#default authentication = pam pap

# If you would like to use DB authentication
#default authentication = db "db_type://db_user:db_pass@db_hostname/db_name/db_table?name_field&pass_field"
# db_type: mysql or null
# db_user: database connect username
# db_pass: database connection password
# db_hostname: database hostname
# db_name: database name
# db_table: authentication table name
# name_field and pass_field: username and password field names in db_table

# Accounting records log file
accounting file = /var/log/tacacs/tacacs.log

# To store accounting records in a database instead (same URL format as above):
# db_accounting = "db_type://db_user:db_pass@db_hostname/db_name/db_table"

# Permit all authorization requests
default authorization = permit

# Profile for enable access; the username is $enab15$ (it used to be $enable$)
user = $enab15$ {
    login = cleartext Pr1celess
}

# Profiles for user accounts
user = Superman {
    login = cleartext SuperPOP40
}
In this example the username is Superman and the password is SuperPOP40.
4. configure Network device(Cisco router)
aaa new-model
aaa authentication login default tacacs+ line enable none
tacacs-server host 65.222.247.53
tacacs-server host 65.222.247.37
tacacs-server key CISCONET

Another sample (if the TACACS+ login fails, the local user database is used):
aaa new-model
username CiscoNET password xxx-CiscoNet
aaa authentication login default enable
aaa authentication login access1 local
aaa authentication login access2 tacacs+ local
tacacs-server host 65.222.247.53
tacacs-server host 65.222.247.37
tacacs-server key CISCONET
!
!
line console 0
login authentication access2
!
!
line vty 0 4
password yyy-CiscoNET
login
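The server-side file from step 3 and the router snippets from step 4 have to agree with each other (same shared key, method lists that actually exist), and both contain settings worth checking before going live: cleartext passwords in tac_plus.conf, default authorization = permit, and method lists ending in none. The following script is an added example, not code from the original post or from the tac_plus project. It parses the small subset of tac_plus.conf syntax used above (key, default ..., user blocks with login = TYPE SECRET) and the IOS aaa/tacacs-server commands shown in step 4, then reports the mismatches and weak settings it finds. The two sample configurations embedded in it are constructed; passwords are placeholders, the server addresses come from the RFC 5737 documentation range, and the console line deliberately repeats the "access 2" slip so the check for undefined method lists has something to catch.

```python
"""Audit a tac_plus.conf and the matching Cisco IOS AAA snippet.

Added example, not from the original post or the tac_plus project. Assumes the
tac_plus.conf subset shown in step 3 and the IOS commands shown in step 4.
Sample inputs are constructed; secrets and addresses are placeholders.
"""
import re

# Constructed sample modelled on the post's tac_plus.conf (placeholder secrets)
TAC_PLUS_CONF = """\
key = CISCONET
default authentication = file /etc/passwd
accounting file = /var/log/tacacs/tacacs.log
default authorization = permit
user = $enab15$ {
    login = cleartext Pr1celess
}
user = Superman {
    login = cleartext SuperPOP40
}
user = auditor {
    login = des CRYPT_HASH_PLACEHOLDER
}
"""

# Constructed sample modelled on the post's router snippets (RFC 5737 addresses)
IOS_CONF = """\
aaa new-model
username CiscoNET password LOCAL_PASSWORD_PLACEHOLDER
aaa authentication login default tacacs+ line enable none
aaa authentication login access1 local
aaa authentication login access2 tacacs+ local
tacacs-server host 192.0.2.10
tacacs-server host 192.0.2.11
tacacs-server key CISCONET
!
line console 0
 login authentication access 2
!
line vty 0 4
 password LINE_PASSWORD_PLACEHOLDER
 login
"""


def parse_tac_plus(text):
    """Parse key, 'default X = Y' lines and user blocks; '#' starts a comment."""
    conf = {"key": None, "defaults": {}, "users": {}}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"user\s*=\s*(\S+)\s*\{", line)
        if m:
            current = m.group(1)
            conf["users"][current] = {}
            continue
        if line == "}":
            current = None
            continue
        if current is not None:
            m = re.match(r"login\s*=\s*(\w+)\s+(\S+)", line)
            if m:
                conf["users"][current] = {"login_type": m.group(1), "secret": m.group(2)}
            continue
        m = re.match(r"key\s*=\s*(\S+)", line)
        if m:
            conf["key"] = m.group(1)
            continue
        m = re.match(r"default\s+(\w+)\s*=\s*(.+)", line)
        if m:
            conf["defaults"][m.group(1)] = m.group(2).strip()
    return conf


def parse_ios(text):
    """Parse tacacs-server host/key, login method lists and per-line list bindings."""
    ios = {"servers": [], "key": None, "method_lists": {}, "line_auth": {}}
    current_line = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"tacacs-server host (\S+)", line, re.I)
        if m:
            ios["servers"].append(m.group(1))
            continue
        m = re.match(r"tacacs-server key (\S+)", line, re.I)
        if m:
            ios["key"] = m.group(1)
            continue
        m = re.match(r"aaa authentication login (\S+) (.+)", line, re.I)
        if m:
            ios["method_lists"][m.group(1)] = m.group(2).split()
            continue
        m = re.match(r"line (\S+ .+)", line, re.I)
        if m:
            current_line = m.group(1)        # e.g. "console 0", "vty 0 4"
            continue
        m = re.match(r"login authentication (\S+)", line, re.I)
        if m and current_line is not None:
            ios["line_auth"][current_line] = m.group(1)
    return ios


def audit(tac, ios):
    """Return a list of (code, detail) findings for the server/router pair."""
    findings = []
    if tac["key"] is None or ios["key"] is None:
        findings.append(("KEY_MISSING", "shared secret not set on both sides"))
    elif tac["key"] != ios["key"]:
        findings.append(("KEY_MISMATCH", "router key does not match tac_plus key"))
    if tac["defaults"].get("authorization") == "permit":
        findings.append(("AUTHZ_PERMIT", "default authorization = permit approves every request"))
    for name, login in tac["users"].items():
        if login.get("login_type") == "cleartext":
            findings.append(("CLEARTEXT_PASSWORD", f"user {name}: prefer 'login = des <crypt hash>'"))
    for line, lst in ios["line_auth"].items():
        if lst not in ios["method_lists"]:
            findings.append(("UNDEFINED_METHOD_LIST", f"line {line} references '{lst}', which is not defined"))
    for name, methods in ios["method_lists"].items():
        if "none" in methods:   # IOS tries the next method when the previous one errors out
            findings.append(("NONE_FALLBACK", f"list {name}: ends in no authentication if earlier methods are unavailable"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(parse_tac_plus(TAC_PLUS_CONF), parse_ios(IOS_CONF)):
        print(f"{code}: {detail}")
```

Run it as is and it reports the permissive authorization default, the two cleartext user entries, the console line pointing at the non-existent list "access", and the none method at the end of the default list; swap in your own files for the two strings to audit a real pair. The parser only understands the directives used in this article, so anything more exotic in a production tac_plus.conf (group blocks, per-service attributes) is ignored rather than flagged.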
