As soon as your network grows to more than a few devices you quickly realize you need a way to manage the logins and passwords for these devices in an easy way. Cisco will sell you their ACS server for $6,000 or so, or you can get the appliance for $12,000. But if your budget doesn't allow you to spend this kind of money, what kind of options do you have? Lucky for us there is good 'ole TACACS+.

TACACS+ (Terminal Access Controller Access-Control System Plus) is a protocol, using TCP port 49, that provides login control for your network devices. Setting up a TACACS+ server gives you a central server for controlling Authentication, Authorization, and Accounting (AAA) for your routers, switches and just about any other network device. TACACS+ runs on Linux, Sun and Windows, and best of all it's free.

Ahh, but what about RADIUS, you ask? Well, RADIUS works just fine and will do the same thing; however, there are some benefits to using TACACS+. One of these benefits is that the authentication, authorization, and accounting services are separated, which allows you to distribute them across multiple servers if you wish. Another benefit is that the body of each service request is encrypted with the shared key, to ensure your login information is safe on the wire.

Configuring TACACS+ can be a bit of a challenge if you have never done it before. But once you understand the format of the config file it's really pretty simple.

Here's a sample tacacs+ config:

# Encryption key is the same key you configure in your router
# ENCRYPTION KEY:
    key = password

# You will want to log access to a file. Set that file here
# Remember to rotate the log, it will grow over time.
# write accounting to:
    accounting file = accounting.log

#########################################
###############Users#####################
#########################################

### Users without a "login = " line must authenticate through RADIUS or locally:

    user = tom          { member = itnetwork }
    user = dick         { member = itnetwork }
    user = harry        { member = itnetwork }

    user = backup-user  { member = show } # show profile for only doing backups

################################
##########Groups################
################################

group = itnetwork {
    # IT-Network Engineers
    login = file passwords.db

    service = exec {
        default attribute = permit
        priv-lvl = 15
    }

    cmd = show {
        permit .*
    }
    cmd = enable {
        permit .*
    }
#################################################
# The remainder edited for brevity

In the above sample config there are basically three sections. The top section of the config is where you define the encryption key (the shared secret) that allows your routers and switches to authenticate to your tacacs+ server.
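To show what that key actually does on the wire, here is an added example (not code from the original post or from the tac_plus package) of the TACACS+ packet body obfuscation from RFC 8907 section 4.5: an MD5 pad derived from the session id, the shared key, the version byte and the sequence number is XORed over the body. The session id and sample body below are constructed values; the only real secret in the pad is the key, which is why `key = password` is a weak choice.

```python
import hashlib
import struct

# Version byte as sent in the header: major version 0xC, minor version 0.
TAC_PLUS_VERSION = (0xC << 4) | 0x0


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Build the MD5-chained pad of RFC 8907 4.5, truncated to `length` bytes.

    MD5_1 = MD5(session_id, key, version, seq_no)
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1})
    session_id, version and seq_no all travel in the cleartext header,
    so the shared key is the only input an observer does not already have.
    """
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad = b""
    prev = b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int = 1,
              version: int = TAC_PLUS_VERSION) -> bytes:
    """XOR the body with the pad. XOR is its own inverse, so the same call
    both hides a body for sending and recovers a received body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def demo(shared_key: bytes) -> dict:
    """Round-trip a constructed body and show that a wrong key yields garbage."""
    body = b"user=tom priv_lvl=15 port=tty1"  # constructed sample body
    session_id = 0x1234ABCD                    # constructed; random per session in practice
    wire = obfuscate(body, session_id, shared_key)
    recovered = obfuscate(wire, session_id, shared_key)
    wrong_key = obfuscate(wire, session_id, b"not-the-key")
    return {"body": body, "wire": wire, "recovered": recovered, "wrong_key": wrong_key}


if __name__ == "__main__":
    result = demo(b"password")
    for name, value in result.items():
        print(f"{name:10} {value!r}")
```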

The next section is the users section. This is where you define the user names, which group they are a member of, and where the password is kept. In this example we are using a file called passwords.db that contains these passwords.

Finally, there is the group section. This is where you define the commands that can be executed by this group. Users can belong to multiple groups. Commands can be permitted or denied, which allows for an amazing amount of control over what users and groups can do on your network devices.

The entire tacacs+ package can be downloaded here. It contains the entire tac.cfg file as well as a few extras that make setting up your tacacs+ server on Windows a breeze.

As always, if you have any comments or would like to add to anything here on this post, please do. Comments make a website come alive. We would love to hear your opinion.

Freak!
