Syed Jahanzaib Personal Blog to Share Knowledge !

December 16, 2019

TACACS+ Cisco centralized authentication server

Filed under: Cisco Related — Tags: , , — Syed Jahanzaib / Pinochio~:) @ 3:29 PM

tacacs plus server.png

Disclaimer:

My humble request, Kindly donot consider me as an expert on this stuff, I am NOT certified in anything Mikrotik/Cisco/Linux or Windows. However I have worked with some core networks and I read , research & try stuff all of the time. When you are enslaved by private job & working as one man army, you have to perform many task in which you are not formally trained for. So I am not speaking/posting about stuff I am formerly trained in, I pretty much go with experience and what I have learned on my own. And , If I don’t know something then I read & learn all about it.

So , please don’t hold me/my-postings to be always 100 percent correct. I make mistakes just like everybody else. However – I do my best, learn from my mistakes and try to help others


TACACS+

Terminal Access Controller Access-Control System (TACACS, usually pronounced like tack-axe) refers to a authentication / authorization related services for cisco switches/routers/firewalls access control through a centralized server. With the help of Tacacs+ you can set up a much more granular level access for the users, groups, subnets or device type etc. Example which user can issue which commands on switches etc.

 

central auth server.jpeg

 

Hardware Software Components used in this guide:

In this post I have used

  • Ubuntu 18 server edition for TACACS+ deployment / IP: 101.11.11.254
  • Cisco WS-C3850-24T switch / IOS Version 16.3.9 [Denali]

Quick Notes:

TACACS Server installation

apt-get -y install tacacs+

Once the installation is done , we will modify or add the tacacs+ server default config file to to suite our needs. On default installation, the configuration file is found here /etc/tacacs+/tac_plus.conf

nano /etc/tacacs+/tac_plus.conf

Remove existing configuration, and use below sample config, make sure to change the KEY, id pass as required

# Key is like password or shared secret, make sure to make it strong

key = testing123
accounting file = /var/log/tacplus.log
#default authentication = file /etc/passwd
group = admins {
default service = permit
service = exec {
priv-lvl = 15
}
}

# For support group, we are allowing only specific sets of CMD only
group = support {
default service = deny
service = shell {
priv-lvl = 15
}
cmd = show {
permit version.*
permit clock.*
permit interface.*
permit running-config.*
permit logging.*
}
cmd = configure {
permit .*
}
cmd = interface {
permit .*
}
cmd = vlan {
permit .*
}
cmd = switchport {
permit .*
}
cmd = write {
permit .*
}
}

#Create local user here
user = admin {
login = cleartext admin123
name = "Admin Group"
member = admins
}
user = support {
login = cleartext support123
name = "Network Support"
member = support
}<span style="color:var(--color-text);">


 

& if all configuration is OK , you should get something like below …

 * Checking TACACS+ authentication daemon configuration files successful tacacs+

Restart tacacs+ service

/etc/init.d/tacacs_plus restart

Next up we will make changes to the Cisco switch ,
in this example am using a Cisco switch WS-C3850-24T and the one working configuration look like this:

Note: This is just basic example. It may be not well tuned insecure too but for test it will work fine.


Switch configuration

enable
conf t

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default enable
aaa authorization config-commands
aaa authorization commands 1 support group tacacs+ local
aaa authorization commands 15 admins group tacacs+ local
aaa accounting commands 1 support-act1 start-stop group tacacs+
aaa accounting commands 15 admins-act15 start-stop group tacacs+
login on-success log

# change tacacs IP address / KEY as per your local network
tacacs-server host 101.11.11.254
tacacs-server key 0 testing123

!
line con 0
exec-timeout 35791 0
privilege level 15
stopbits 1
line aux 0
no exec
stopbits 1
line vty 0 3
privilege level 15
authorization commands 1 support
authorization commands 15 admins
accounting commands 1 support-act1
accounting commands 15 admins-act15
length 0
transport input ssh
line vty 4
exec-timeout 35791 0
privilege level 15
authorization commands 1 support
authorization commands 15 admins
length 0
transport input ssh
line vty 5 15
length 0
!

do wr

Done.

Now try to login to switch with support account & execute try to permitted / non-permitted commands.

Result for SUPPORT ACCOUNT

login as: support
Using keyboard-interactive authentication.
Password:

spare-sw#ping 101.11.11.254
Command authorization failed.

spare-sw#show clock
*10:24:07.527 UTC Mon Dec 16 2019

spare-sw#sh inter
spare-sw#sh interfaces status

Port Name Status Vlan Duplex Speed Type
Gi1/0/1 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/2 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/3 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/4 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/5 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/6 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/7 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/8 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/9 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/10 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/11 notconnect 1 auto auto 10/100/1000BaseTX

spare-sw#

 



Regard’s
Syed Jahanzaib

Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: