
FIXME: Cisco TACACS+ AAA Configuration

Blueprint

  • CCIE R&S
    • Written v5.1
      • 5.0 Infrastructure Security
        • 5.1 Device security
          • 5.1.a Implement and troubleshoot IOS AAA using local database
          • 5.1.d Describe device security using IOS AAA with TACACS+ and RADIUS
          • 5.1.d [i] AAA with TACACS+ and RADIUS
    • Lab v5.0
      • 4.0 Infrastructure Security
        • 4.1 Device security
          • 4.1.a Implement and troubleshoot IOS AAA using local database

TACACS+ Server Configuration

TACACS+ is a Cisco-proprietary AAA protocol, but an open-source implementation, tac_plus, is available on Linux.

The base source for this TACACS+ package is Cisco's publicly available TACACS+ “developer's kit”, for which we are grateful.

Shrubbery Networks - TACACS+ daemon

I don't have Cisco ISE or ACS…

wnoguchi@kotone:~$ apt search tacacs
Sorting... Done
Full Text Search... Done
libauthen-tacacsplus-perl/bionic 0.26-1build4 amd64
  Perl module for authentication using TACACS+ server

libpam-tacplus/bionic 1.3.8-2 amd64
  PAM module for using TACACS+ as an authentication service

libtacacs+1/bionic 4.0.4.27a-3 amd64
  TACACS+ authentication daemon — shared library

libtacacs+1-dev/bionic,bionic 4.0.4.27a-3 all
  TACACS+ authentication daemon — development header

tacacs+/bionic 4.0.4.27a-3 amd64
  TACACS+ authentication daemon

wnoguchi@kotone:~$ man apt\
> 
wnoguchi@kotone:~$ man apt
wnoguchi@kotone:~$ apt show tacacs+
Package: tacacs+
Version: 4.0.4.27a-3
Priority: extra
Section: universe/net
Origin: Ubuntu
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Debian QA Group <packages@qa.debian.org>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 213 kB
Depends: libpam0g (>= 0.99.7.1), libtacacs+1 (>= 4.0.4.27a), libwrap0 (>= 7.6-4~), python, libc6 (>= 2.14)
Homepage: http://www.shrubbery.net/tac_plus/
Download-Size: 87.2 kB
APT-Sources: http://jp.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
Description: TACACS+ authentication daemon
 TACACS+ is a protocol (not TACACS or XTACACS) for authentication,
 authorization and accounting (AAA) services for routers and network devices.
wnoguchi@kozue:~$ sudo apt install tacacs+
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libpython-stdlib libtacacs+1 python python-minimal python2.7 python2.7-minimal
Suggested packages:
  python-doc python-tk python2.7-doc binutils binfmt-support
The following NEW packages will be installed:
  libpython-stdlib libtacacs+1 python python-minimal python2.7 python2.7-minimal tacacs+
0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,820 kB of archives.
After this operation, 5,574 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y

(snip)

wnoguchi@kozue:~$ systemctl status tacacs+
● tacacs_plus.service - LSB: TACACS+ authentication daemon
   Loaded: loaded (/etc/init.d/tacacs_plus; generated)
   Active: active (running) since Tue 2019-08-13 13:44:07 JST; 58s ago
     Docs: man:systemd-sysv-generator(8)
    Tasks: 1 (limit: 4285)
   CGroup: /system.slice/tacacs_plus.service
           └─2919 /usr/sbin/tac_plus -C /etc/tacacs+/tac_plus.conf

Aug 13 13:44:06 kozue tacacs_plus[2899]:  * Starting TACACS+ authentication daemon  tacacs+
Aug 13 13:44:06 kozue tac_plus[2915]: Reading config
Aug 13 13:44:06 kozue tac_plus[2915]: Version F4.0.4.27a Initialized 1
Aug 13 13:44:06 kozue tac_plus[2916]: Reading config
Aug 13 13:44:06 kozue tac_plus[2916]: Version F4.0.4.27a Initialized 1
Aug 13 13:44:06 kozue tac_plus[2919]: socket FD 0 AF 2
Aug 13 13:44:06 kozue tac_plus[2919]: socket FD 2 AF 10
Aug 13 13:44:06 kozue tac_plus[2919]: uid=0 euid=0 gid=0 egid=0 s=1286030592
Aug 13 13:44:07 kozue tacacs_plus[2899]:    ...done.
Aug 13 13:44:07 kozue systemd[1]: Started LSB: TACACS+ authentication daemon.
/etc/tacacs+/tac_plus.conf
group = staff {
        default service = permit
        service = exec {
                priv-lvl = 15
        }
}
 
user = wnoguchi {
    name = "Wataru Noguchi"
    member = staff
    login = cleartext ilovekotone
}
sudo diff -u /root/orig/etc/tacacs+/tac_plus.conf /etc/tacacs+/tac_plus.conf
--- /root/orig/etc/tacacs+/tac_plus.conf        2016-09-28 02:03:22.000000000 +0900
+++ /etc/tacacs+/tac_plus.conf  2019-08-14 14:00:52.955924912 +0900
@@ -7,7 +7,7 @@
 
 # This is the key that clients have to use to access Tacacs+
 
-key = testing123
+key = pg1xtacpsk
 
 # Use /etc/passwd file to do authentication
 
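Review bot: replacing the packaged default testing123 is the right move, but this hunk now publishes the live shared secret, and the same value appears again in the client configuration further down ("key pg1xtacpsk"). TACACS+ protects the packet body only with an MD5-derived keystream, so the key is the one secret between switch and server: use a long random value, keep /etc/tacacs+/tac_plus.conf readable by root only, and rotate this key now that it is on the wiki.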
@@ -58,3 +58,17 @@
 # Much more features are availables, like ACL, more service compatibilities,
 # commands authorization, scripting authorization.
 # See the man page for those features.
+
+group = staff {
+       default service = permit
+       service = exec {
+               priv-lvl = 15
+       }
+}
+
+user = wnoguchi {
+    name = "Wataru Noguchi"
+    member = staff
+    login = cleartext ilovekotone
+}
+
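Review bot: "login = cleartext ilovekotone" in the user = wnoguchi block keeps the password unhashed in the config file; tac_plus also accepts "login = des <crypt hash>" (generated with tac_pwd) or "login = file /etc/passwd", so the plaintext never needs to be on disk. In the group = staff block, "default service = permit" makes every authorization request for the group succeed, which is broader than the "service = exec { priv-lvl = 15 }" entry alone grants; drop it unless unrestricted command authorization is intended.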
wnoguchi@kozue:~$ sudo systemctl restart tacacs+
Job for tacacs_plus.service failed because the control process exited with error code.
See "systemctl status tacacs_plus.service" and "journalctl -xe" for details.
wnoguchi@kozue:~$ sudo systemctl status tacacs+
● tacacs_plus.service - LSB: TACACS+ authentication daemon
   Loaded: loaded (/etc/init.d/tacacs_plus; generated)
   Active: failed (Result: exit-code) since Wed 2019-08-14 09:02:25 JST; 13s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 1676 ExecStop=/etc/init.d/tacacs_plus stop (code=exited, status=0/SUCCESS)
  Process: 1693 ExecStart=/etc/init.d/tacacs_plus start (code=exited, status=1/FAILURE)

Aug 14 09:02:25 kozue systemd[1]: Starting LSB: TACACS+ authentication daemon...
Aug 14 09:02:25 kozue tacacs_plus[1693]:  * Starting TACACS+ authentication daemon  tacacs+
Aug 14 09:02:25 kozue tac_plus[1709]: Reading config
Aug 14 09:02:25 kozue tac_plus[1709]: Error user=wnoguchi, group staff does not exist
Aug 14 09:02:25 kozue tac_plus[1709]: Error Parsing /etc/tacacs+/tac_plus.conf
Aug 14 09:02:25 kozue tacacs_plus[1693]:    ...fail!
Aug 14 09:02:25 kozue systemd[1]: tacacs_plus.service: Control process exited, code=exited status=1
Aug 14 09:02:25 kozue systemd[1]: tacacs_plus.service: Failed with result 'exit-code'.
Aug 14 09:02:25 kozue systemd[1]: Failed to start LSB: TACACS+ authentication daemon.

Why is it failing?

Error user=wnoguchi, group staff does not exist
wnoguchi@kozue:~$ sudo vim /etc/tacacs+/tac_plus.conf
wnoguchi@kozue:~$ sudo systemctl start tacacs+
wnoguchi@kozue:~$ sudo systemctl status tacacs+
● tacacs_plus.service - LSB: TACACS+ authentication daemon
   Loaded: loaded (/etc/init.d/tacacs_plus; generated)
   Active: active (running) since Wed 2019-08-14 09:05:45 JST; 3s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 1676 ExecStop=/etc/init.d/tacacs_plus stop (code=exited, status=0/SUCCESS)
  Process: 1792 ExecStart=/etc/init.d/tacacs_plus start (code=exited, status=0/SUCCESS)
    Tasks: 1 (limit: 4285)
   CGroup: /system.slice/tacacs_plus.service
           └─1812 /usr/sbin/tac_plus -C /etc/tacacs+/tac_plus.conf

Aug 14 09:05:44 kozue tacacs_plus[1792]:  * Starting TACACS+ authentication daemon  tacacs+
Aug 14 09:05:44 kozue tac_plus[1808]: Reading config
Aug 14 09:05:44 kozue tac_plus[1808]: Version F4.0.4.27a Initialized 1
Aug 14 09:05:44 kozue tac_plus[1810]: Reading config
Aug 14 09:05:44 kozue tac_plus[1810]: Version F4.0.4.27a Initialized 1
Aug 14 09:05:44 kozue tac_plus[1812]: socket FD 0 AF 2
Aug 14 09:05:44 kozue tac_plus[1812]: socket FD 2 AF 10
Aug 14 09:05:44 kozue tac_plus[1812]: uid=0 euid=0 gid=0 egid=0 s=-231746000
Aug 14 09:05:45 kozue tacacs_plus[1792]:    ...done.
Aug 14 09:05:45 kozue systemd[1]: Started LSB: TACACS+ authentication daemon.
  • Open Port
sudo ufw allow proto tcp from 10.0.8.0/22 to any port 49
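A small lint for tac_plus.conf, added here as an example (it is not part of the original page or of the tac_plus project): it reproduces the start-up check behind the "group staff does not exist" error above and flags the two legal-but-weak settings in this config. The sample config is constructed; the group name netops is deliberately mismatched to trigger the error, and the secrets are placeholders.

```python
import re
# Constructed sample modelled on the page's /etc/tacacs+/tac_plus.conf; the
# group name is deliberately mismatched to reproduce the "group staff does not
# exist" start-up failure seen above, and the secrets are placeholders.
BROKEN_CONF = """\
key = PLACEHOLDER_SHARED_SECRET

group = netops {
        default service = permit
        service = exec {
                priv-lvl = 15
        }
}

user = wnoguchi {
    name = "Wataru Noguchi"
    member = staff
    login = cleartext PLACEHOLDER_PASSWORD
}
"""
BLOCK_RE = re.compile(r'^\s*(group|user)\s*=\s*(\S+)\s*\{', re.M)

def parse_blocks(text):
    """Yield (kind, name, body) for each top-level group/user block; braces
    are matched by counting, which tac_plus.conf's syntax allows."""
    for m in BLOCK_RE.finditer(text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield m.group(1), m.group(2), text[m.end():i - 1]

def lint(text):
    """Return findings: an unresolved 'member =' is a hard error that stops
    tac_plus from starting; the other two are legal but weak settings."""
    blocks = list(parse_blocks(text))
    groups = {name for kind, name, _ in blocks if kind == 'group'}
    findings = []
    for kind, name, body in blocks:
        if kind == 'group' and re.search(r'default\s+service\s*=\s*permit', body):
            findings.append(f'warn: group {name}: default service = permit authorizes every request')
        if kind != 'user':
            continue
        for member in re.findall(r'member\s*=\s*(\S+)', body):
            if member not in groups:
                findings.append(f'error: user={name}, group {member} does not exist')
        if re.search(r'login\s*=\s*cleartext\b', body):
            findings.append(f'warn: user {name}: login = cleartext keeps the password unhashed')
    return findings
```

Run lint() over the real file before restarting the daemon; renaming the group to staff in the sample clears the error and leaves only the two warnings.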

TACACS+ Client Configuration

Modern syntax (tacacs server / aaa group server)

configure terminal
!
interface Vlan 1
 ip address 10.0.8.210 255.255.252.0
 no shutdown
exit
!
aaa new-model
!
tacacs server ISE01
 address ipv4 10.0.8.193
 key pg1xtacpsk
 single-connection
!
aaa group server tacacs+ GROUP-ISE
 server name ISE01
!
aaa authentication login default group GROUP-ISE local
aaa authorization console
aaa authorization exec default group GROUP-ISE local
aaa accounting exec default start-stop group GROUP-ISE
!
username admin privilege 15 secret Cisco123
!
line vty 0 15
 login authentication default
line console 0
 login authentication default
!
aaa authentication attempts login 5
!
interface GigabitEthernet 0/1
 spanning-tree portfast
!
monitor session 1 source interface GigabitEthernet 0/1
monitor session 1 destination interface FastEthernet 0/8 encapsulation replicate
!
end
!
debug aaa authentication
debug aaa authorization

capture display filter

not (stp or dtp  or ssdp or loop or cdp or mdns or arp or bjnp or icmpv6)

SW10 Console Log

root@kozue:~# telnet 10.0.8.210
Trying 10.0.8.210...
Connected to 10.0.8.210.
Escape character is '^]'.

% Authentication failed


User Access Verification

Username: 

User Access Verification

Username: wnoguchi
Password: 
% Authorization failed.
Connection closed by foreign host.
root@kozue:~# 

After exiting privileged mode and logging out of user mode, User Access Verification was required again, but the login failed…

SW10(config)#do sh run | i admin                                         
username admin privilege 15 secret 5 $1$ZGY3$3YP6l0pf9fFfsFRr1TBYu/
root@kozue:~# telnet 10.0.8.210
Trying 10.0.8.210...
Connected to 10.0.8.210.
Escape character is '^]'.


User Access Verification

Username: wnoguchi
Password: 

SW10>en
% Error in authentication.

SW10>
root@kozue:~# systemctl restart tacacs+
root@kozue:~# telnet 10.0.8.210
Trying 10.0.8.210...
Connected to 10.0.8.210.
Escape character is '^]'.


User Access Verification

Username: wnoguchi
Password: 

SW10#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW10(config)#sh run | i aaa
                ^
% Invalid input detected at '^' marker.

SW10(config)#do sh run | i aaa
aaa new-model
aaa group server tacacs+ GROUP-ISE
aaa authentication attempts login 5
aaa authentication login default group GROUP-ISE local
aaa authorization exec default group GROUP-ISE local 
aaa session-id common
SW10(config)#aaa atuho
SW10(config)#aaa autho
SW10(config)#aaa authorization con
SW10(config)#do sh run | i aaa    
aaa new-model
aaa group server tacacs+ GROUP-ISE
aaa authentication attempts login 5
aaa authentication login default group GROUP-ISE local
aaa authorization exec default group GROUP-ISE local 
aaa session-id common
SW10(config)#disable
               ^
% Invalid input detected at '^' marker.

SW10(config)#^Z
SW10#disable
SW10>logout
Connection closed by foreign host.

But when I entered the following configuration, I was locked out of both the console and telnet.

aaa authorization console

I can't tell whether the configuration is wrong…

Legacy syntax (tacacs-server host)

configure terminal
!
aaa new-model
!
tacacs-server host 192.168.10.101 key pg1xtacpsk
tacacs-server host 192.168.10.102 key pg1xtacpsk
!
aaa authentication login default group tacacs+
aaa authorization console
aaa authorization exec default group tacacs+
!
end
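A check worth running before enabling aaa authorization console, added here as an example (not part of the original page or of any Cisco tool): it reads the AAA method lists from the modern and legacy configurations above and reports every list that has no method independent of a reachable server. The two config strings are constructed copies reduced to the aaa lines the check reads.

```python
import re
# The two method-list styles from this page, reduced to the aaa lines the
# check reads (constructed copies; other configuration lines are irrelevant).
MODERN = """\
aaa new-model
aaa authentication login default group GROUP-ISE local
aaa authorization console
aaa authorization exec default group GROUP-ISE local
aaa accounting exec default start-stop group GROUP-ISE
"""
LEGACY = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authorization console
aaa authorization exec default group tacacs+
"""
LIST_RE = re.compile(r'^aaa (authentication login|authorization exec) (\S+) (.+)$', re.M)
# IOS methods that still give an answer when every AAA server is unreachable.
FALLBACK_METHODS = {'local', 'local-case', 'enable', 'line', 'none', 'if-authenticated'}

def method_lists(config):
    """{(kind, list-name): [method, ...]} with 'group X' kept as one token."""
    lists = {}
    for kind, name, rest in LIST_RE.findall(config):
        toks, methods, i = rest.split(), [], 0
        while i < len(toks):
            if toks[i] == 'group' and i + 1 < len(toks):
                methods.append('group ' + toks[i + 1])
                i += 2
            else:
                methods.append(toks[i])
                i += 1
        lists[(kind, name)] = methods
    return lists

def lockout_findings(config):
    """Flag method lists whose every method needs a reachable server, and note
    when 'aaa authorization console' extends such an exec list to the console."""
    lists = method_lists(config)
    findings = [f'{kind} {name}: no fallback if the AAA servers are unreachable'
                for (kind, name), methods in lists.items()
                if not FALLBACK_METHODS.intersection(methods)]
    exec_default = lists.get(('authorization exec', 'default'), [])
    if re.search(r'^aaa authorization console$', config, re.M) \
            and not FALLBACK_METHODS.intersection(exec_default):
        findings.append('aaa authorization console: console exec authorization has no fallback')
    return findings
```

A fallback method only helps when the server returns an error (unreachable, no response); IOS moves to the next method on an error, not on an explicit reject, so a server that actively denies exec authorization still locks the line even with local at the end of the list.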

SW10 Console Log

RADIUS version

configure terminal
!
interface Vlan 1
 ip address 10.0.8.210 255.255.252.0
 no shutdown
exit
!
aaa new-model
!
radius server ISE01
 address ipv4 10.0.8.193 auth-port 1812 acct-port 1813
 key pg1xhimitsu
exit
!
aaa group server radius GROUP-ISE
 server name ISE01
exit
!
aaa authentication login default group GROUP-ISE local
aaa authorization console
aaa authorization exec default group GROUP-ISE local
aaa accounting exec default start-stop group GROUP-ISE
!
username admin privilege 15 secret Cisco123
!
line vty 0 15
 login authentication default
line console 0
 login authentication default
!
aaa authentication attempts login 5
!
interface GigabitEthernet 0/1
 spanning-tree portfast
!
monitor session 1 source interface GigabitEthernet 0/1
monitor session 1 destination interface FastEthernet 0/8 encapsulation replicate
!
end
!
debug aaa authentication
debug aaa authorization
/etc/freeradius/3.0/users
wnoguchi        Cleartext-Password := "kotoneaishiteru"
        Service-Type := NAS-Prompt-User,
        Cisco-AVPair := "shell:priv-lvl=15",
        Reply-Message := "Hello, %{User-Name}"

accounting log

root@kozue:~# tail -f /var/log/freeradius/radacct/10.0.8.210/detail-20190814
        NAS-Port-Id = "tty0"
        NAS-Port-Type = Async
        Service-Type = NAS-Prompt-User
        NAS-IP-Address = 10.0.8.210
        Acct-Delay-Time = 0
        Event-Timestamp = "Aug 14 2019 15:11:03 JST"
        Tmp-String-9 = "ai:"
        Acct-Unique-Session-Id = "11c33a837c898effcde26bcf7e796601"
        Timestamp = 1565763063

Wed Aug 14 15:14:03 2019
        Acct-Session-Id = "00000003"
        User-Name = "wnoguchi"
        Acct-Authentic = RADIUS
        Acct-Status-Type = Start
        NAS-Port = 0
        NAS-Port-Id = "tty0"
        NAS-Port-Type = Async
        Service-Type = NAS-Prompt-User
        NAS-IP-Address = 10.0.8.210
        Acct-Delay-Time = 0
        Event-Timestamp = "Aug 14 2019 15:14:03 JST"
        Tmp-String-9 = "ai:"
        Acct-Unique-Session-Id = "b427dc4145fa26d5b66367c046c22b14"
        Timestamp = 1565763243

Wed Aug 14 15:14:37 2019
        Acct-Session-Id = "00000003"
        User-Name = "wnoguchi"
        Acct-Authentic = RADIUS
        Acct-Terminate-Cause = User-Request
        Acct-Session-Time = 34
        Acct-Status-Type = Stop
        NAS-Port = 0
        NAS-Port-Id = "tty0"
        NAS-Port-Type = Async
        Service-Type = NAS-Prompt-User
        NAS-IP-Address = 10.0.8.210
        Acct-Delay-Time = 0
        Event-Timestamp = "Aug 14 2019 15:14:37 JST"
        Tmp-String-9 = "ai:"
        Acct-Unique-Session-Id = "b427dc4145fa26d5b66367c046c22b14"
        Timestamp = 1565763277

Wed Aug 14 15:15:41 2019
        Acct-Session-Id = "00000004"
        User-Name = "wnoguchi"
        Acct-Authentic = RADIUS
        Acct-Status-Type = Start
        NAS-Port = 1
        NAS-Port-Id = "tty1"
        NAS-Port-Type = Virtual
        Service-Type = NAS-Prompt-User
        NAS-IP-Address = 10.0.8.210
        Acct-Delay-Time = 0
        Event-Timestamp = "Aug 14 2019 15:15:41 JST"
        Tmp-String-9 = "ai:"
        Acct-Unique-Session-Id = "2d5b6fafb64e6d84f0a3ffb0e34e81d0"
        Timestamp = 1565763341

Wed Aug 14 15:16:20 2019
        Acct-Session-Id = "00000004"
        User-Name = "wnoguchi"
        Acct-Authentic = RADIUS
        Acct-Terminate-Cause = User-Request
        Acct-Session-Time = 39
        Acct-Status-Type = Stop
        NAS-Port = 1
        NAS-Port-Id = "tty1"
        NAS-Port-Type = Virtual
        Service-Type = NAS-Prompt-User
        NAS-IP-Address = 10.0.8.210
        Acct-Delay-Time = 0
        Event-Timestamp = "Aug 14 2019 15:16:20 JST"
        Tmp-String-9 = "ai:"
        Acct-Unique-Session-Id = "2d5b6fafb64e6d84f0a3ffb0e34e81d0"
        Timestamp = 1565763380
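A parser for the FreeRADIUS detail log above, added here as an example (not part of the original page or of FreeRADIUS): it pairs Start and Stop records by NAS address and Acct-Session-Id, so sessions with no Stop record, and sessions whose NAS-reported Acct-Session-Time disagrees with the server-side timestamps, stand out. The sample records are constructed copies of the ones above with attributes trimmed; the third is a Start with no matching Stop.

```python
import re
# Constructed sample in the layout of the detail-20190814 file shown above
# (attributes trimmed; the third record is a Start with no matching Stop).
SAMPLE_DETAIL = """\
Wed Aug 14 15:14:03 2019
\tAcct-Session-Id = "00000003"
\tUser-Name = "wnoguchi"
\tAcct-Status-Type = Start
\tNAS-Port-Id = "tty0"
\tNAS-IP-Address = 10.0.8.210
\tTimestamp = 1565763243

Wed Aug 14 15:14:37 2019
\tAcct-Session-Id = "00000003"
\tUser-Name = "wnoguchi"
\tAcct-Session-Time = 34
\tAcct-Status-Type = Stop
\tNAS-Port-Id = "tty0"
\tNAS-IP-Address = 10.0.8.210
\tTimestamp = 1565763277

Wed Aug 14 15:15:41 2019
\tAcct-Session-Id = "00000004"
\tUser-Name = "wnoguchi"
\tAcct-Status-Type = Start
\tNAS-Port-Id = "tty1"
\tNAS-IP-Address = 10.0.8.210
\tTimestamp = 1565763341
"""
ATTR_RE = re.compile(r'^\s+([\w-]+) = "?([^"\n]*)"?$', re.M)

def parse_detail(text):
    """One dict of attribute -> value per blank-line-separated record."""
    return [dict(ATTR_RE.findall(c)) for c in re.split(r'\n\s*\n', text.strip())]

def session_report(text):
    """Pair Start/Stop by (NAS-IP-Address, Acct-Session-Id); a session left
    'open' has no Stop, and 'mismatch' means the NAS-reported Acct-Session-Time
    disagrees with the gap between the server-side Timestamps."""
    sessions = {}
    for rec in parse_detail(text):
        key = (rec['NAS-IP-Address'], rec['Acct-Session-Id'])
        s = sessions.setdefault(key, {'user': rec['User-Name'], 'port': rec['NAS-Port-Id'],
                                      'open': True, 'seconds': None, 'mismatch': False})
        if rec['Acct-Status-Type'] == 'Start':
            s['start'] = int(rec['Timestamp'])
        elif rec['Acct-Status-Type'] == 'Stop':
            s['open'] = False
            s['seconds'] = int(rec['Timestamp']) - s.get('start', int(rec['Timestamp']))
            s['mismatch'] = s['seconds'] != int(rec['Acct-Session-Time'])
    return sessions
```

NAS-Port-Id tells console (tty0) from vty (tty1) sessions apart, which is what makes a lingering open session on the console worth a second look.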

References

tac_plus

tech/network/cisco/tacacs/tacacs.txt · Last modified: 2019/08/14 16:59 by wnoguchi