Disclaimer:
My humble request, Kindly donot consider me as an expert on this stuff, I am NOT certified in anything Mikrotik/Cisco/Linux or Windows. However I have worked with some core networks and I read , research & try stuff all of the time. When you are enslaved by private job & working as one man army, you have to perform many task in which you are not formally trained for. So I am not speaking/posting about stuff I am formerly trained in, I pretty much go with experience and what I have learned on my own. And , If I don’t know something then I read & learn all about it.
So , please don’t hold me/my-postings to be always 100 percent correct. I make mistakes just like everybody else. However – I do my best, learn from my mistakes and try to help others
TACACS+
Terminal Access Controller Access-Control System (TACACS, usually pronounced like tack-axe) refers to a authentication / authorization related services for cisco switches/routers/firewalls access control through a centralized server. With the help of Tacacs+ you can set up a much more granular level access for the users, groups, subnets or device type etc. Example which user can issue which commands on switches etc.
Hardware Software Components used in this guide:
In this post I have used
- Ubuntu 18 server edition for TACACS+ deployment / IP: 101.11.11.254
- Cisco WS-C3850-24T switch / IOS Version 16.3.9 [Denali]
Quick Notes:
TACACS Server installation
apt-get -y install tacacs+
Once the installation is done , we will modify or add the tacacs+ server default config file to to suite our needs. On default installation, the configuration file is found here /etc/tacacs+/tac_plus.conf
nano /etc/tacacs+/tac_plus.conf
Remove existing configuration, and use below sample config, make sure to change the KEY, id pass as required
# Key is like password or shared secret, make sure to make it strong
key = testing123
accounting file = /var/log/tacplus.log
#default authentication = file /etc/passwd
group = admins {
default service = permit
service = exec {
priv-lvl = 15
}
}
# For support group, we are allowing only specific sets of CMD only
group = support {
default service = deny
service = shell {
priv-lvl = 15
}
cmd = show {
permit version.*
permit clock.*
permit interface.*
permit running-config.*
permit logging.*
}
cmd = configure {
permit .*
}
cmd = interface {
permit .*
}
cmd = vlan {
permit .*
}
cmd = switchport {
permit .*
}
cmd = write {
permit .*
}
}
#Create local user here
user = admin {
login = cleartext admin123
name = "Admin Group"
member = admins
}
user = support {
login = cleartext support123
name = "Network Support"
member = support
}<span style="color:var(--color-text);">
& if all configuration is OK , you should get something like below …
* Checking TACACS+ authentication daemon configuration files successful tacacs+
Restart tacacs+ service
/etc/init.d/tacacs_plus restart
Next up we will make changes to the Cisco switch ,
in this example am using a Cisco switch WS-C3850-24T and the one working configuration look like this:
Note: This is just basic example. It may be not well tuned insecure too but for test it will work fine.
Switch configuration
enable conf t aaa new-model aaa authentication login default group tacacs+ local aaa authentication enable default enable aaa authorization config-commands aaa authorization commands 1 support group tacacs+ local aaa authorization commands 15 admins group tacacs+ local aaa accounting commands 1 support-act1 start-stop group tacacs+ aaa accounting commands 15 admins-act15 start-stop group tacacs+ login on-success log # change tacacs IP address / KEY as per your local network tacacs-server host 101.11.11.254 tacacs-server key 0 testing123 ! line con 0 exec-timeout 35791 0 privilege level 15 stopbits 1 line aux 0 no exec stopbits 1 line vty 0 3 privilege level 15 authorization commands 1 support authorization commands 15 admins accounting commands 1 support-act1 accounting commands 15 admins-act15 length 0 transport input ssh line vty 4 exec-timeout 35791 0 privilege level 15 authorization commands 1 support authorization commands 15 admins length 0 transport input ssh line vty 5 15 length 0 ! do wr
Done.
Now try to login to switch with support account & execute try to permitted / non-permitted commands.
Result for SUPPORT ACCOUNT
login as: support Using keyboard-interactive authentication. Password: spare-sw#ping 101.11.11.254 Command authorization failed. spare-sw#show clock *10:24:07.527 UTC Mon Dec 16 2019 spare-sw#sh inter spare-sw#sh interfaces status Port Name Status Vlan Duplex Speed Type Gi1/0/1 notconnect 1 auto auto 10/100/1000BaseTX Gi1/0/2 notconnect 1 auto auto 10/100/1000BaseTX Gi1/0/3 notconnect 1 auto auto 10/100/1000BaseTX Gi1/0/4 notconnect 1 auto auto 10/100/1000BaseTX Gi1/0/5 notconnect 1 auto auto 10/100/1000BaseTX Gi1/0/6 notconnect 1 auto auto 10/100/1000BaseTX Gi1/0/7 notconnect 1 auto auto 10/100/1000BaseTX Gi1/0/8 notconnect 1 auto auto 10/100/1000BaseTX Gi1/0/9 notconnect 1 auto auto 10/100/1000BaseTX Gi1/0/10 notconnect 1 auto auto 10/100/1000BaseTX Gi1/0/11 notconnect 1 auto auto 10/100/1000BaseTX spare-sw#
Regard’s
Syed Jahanzaib
Syed Jahanzaib - Personal Blog to Share Knowledge ! 