As soon as your network grows to more than a few devices you quickly realize you need an easy way to manage the logins and passwords for those devices. Cisco will sell you their ACS server for $6,000 or so, or you can get the appliance for $12,000. But if your budget doesn't allow you to spend that kind of money, what options do you have? Lucky for us there is good ol' TACACS+.
TACACS+ (Terminal Access Controller Access-Control System Plus) is a protocol, using TCP port 49, that provides login control for your network devices. Setting up a TACACS+ server gives you a central point for controlling Authentication, Authorization, and Accounting (AAA) for your routers, switches and just about any other network device. TACACS+ runs on Linux, Sun and Windows, and best of all it's free.
Ahh, but what about RADIUS, you ask? Well, RADIUS works just fine and will do the same thing, however there are some benefits to using TACACS+. One of these benefits is that the authentication, authorization, and accounting services are separated, so you can distribute them across multiple servers if you wish. Another benefit is that the body of every request is encrypted (RADIUS encrypts only the password field), so your login information and the commands being authorized are protected on the wire.
Configuring TACACS+ can be a bit of a challenge if you have never done it before, but once you understand the format of the config file it's really pretty simple.
Here's a sample tacacs+ config:
# Encryption key is the same key you configure in your router
# ENCRYPTION KEY:
key = password
# You will want to log access to a file. Set that file here.
# Remember to rotate the log, it will grow over time.
# write accounting to:
accounting file = accounting.log
#########################################
###############Users#####################
#########################################
### without "login = " need to authenticate through radius or local:
user = tom { member = itnetwork }
user = dick { member = itnetwork }
user = harry { member = itnetwork }
user = backup-user { member = show } # show profile for only doing backups
################################
##########Groups################
################################
group = itnetwork {
    # IT-Network Engineers
    login = file passwords.db
    service = exec {
        default attribute = permit
        priv-lvl = 15
    }
    cmd = show {
        permit .*
    }
    cmd = enable {
        permit .*
    }
#################################################
# The remainder edited for brevity
In the above sample config there are basically three sections. The top section is where you define the shared encryption key; the same key is configured on each router and switch, and it both encrypts the traffic and lets your devices authenticate to your tacacs+ server.
The next section is the users section. This is where you define the user names, which group each user is a member of, and where the passwords are kept. In this example we are using a file called passwords.db that contains those passwords.
Finally, the group section. This is where you define the commands that can be executed by the group's members. Users can belong to multiple groups. Commands can be permitted or denied, which allows for an amazing amount of control over what users and groups can do on your network devices.
The entire tacacs+ package can be downloaded here. It contains the entire tac.cfg file as well as a few extras that make setting up your tacacs+ server on Windows a breeze.
As always, if you have any comments or would like to add to anything here on this post, please do. Comments make a website come alive. We would love to hear your opinion.
Freak!
For more advanced features check out Cisco Secure ACS Server.
Hi, great post. I'm trying to test out tacacs, but having trouble running the exe; I get the following message:
C:\tacacs>tac_plus.exe -C tac.cfg
Warning, not running as uid 0
Tac_plus is usually run as root
on line 2ecognised token
Any ideas?
Thanks Simon
Hi Simon,
I believe the download from RouterFreak.com is only for Windows platforms. Sorry about that. You may want to do a search for a linux/unix version. I know there are some out there. I would look too and try to include this in the downloads area of the site.
Thanks!
Hi,
That's exactly what I want, Windows, and I am trying to run it on Windows XP, but I get the error mentioned and it does not appear in Task Manager as stated in the readme file.
I can find loads of unix/linux ones; it's these rare Windows ones I want to try.
Simon
Thanks, really interesting. Are you running it as administrator? ... or try right-click "run as admin"? Just taking a stab in the dark. You may also try running in compatibility mode.. again just guessing.
Let me know if you get it working… thanks!
Joe, really interesting. None of the above worked, but I had renamed the default tac.cfg to tacold.cfg and created a new tac.cfg. If I tried running the .exe with my new tac.cfg it didn't start; tried it with the bundled renamed tacold.cfg and it started!! Must be something in the original tac.cfg file that I'm missing or some such, will post back what I find.
Thanks
Good to know! Thanks — keep me posted!
Joe, it appears that if I modify the tac.cfg in any way it won't run. I can copy the original tac.cfg, rename it and run OK, but as soon as I make any change to the file config, even just adding one character to a password for example, it won't run...
When you edit that config file be sure to use a text editor. Don't use Notepad as it tends to add control characters to the file. Try TextPad, it's free, or Notepad++ which is also free.
Let me know if this helps
Joe
Hi Joe,
I currently have tacacs up and running in my environment. Can a user be a member of more than one group with two different access levels? For example, could user Tom be a member of ITnetwork (with an ACL list of nodes) & ITnetwork2 (with an ACL list of nodes) where ITNetwork has privilege 15 and ITNetwork2 has privilege 7?
With the standard version of TACACS+ that's freely available I don't think you can do this. You would have to upgrade to Cisco ACS which has this capability. You can create user groups as well as group your network devices and assign different permissions based on each group. It has a lot more flexibility.
That's what I thought too.
Thanks a lot for the information Joe. You have been helpful.
Thanks.
Can anyone tell me how to create a user that can only do show commands, configure router interfaces and ip route? My authorization doesn't work at all.
You can set user account privileges to be lower than standard admin. Router admins typically get privilege level 15 for all commands. Privilege level 11 will be allowed to perform most read functions but not be able to do a “show run”.
Within TACACS you can be extremely specific as to which commands you want to permit or deny for each privilege level to execute.
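The following is an added example of mine, not code from the post or from the tac_plus project. It ties together three things discussed above: the three-section tac.cfg format, the "restricted user who may only run show, interface and ip route" question from the comments, and the advice not to edit tac.cfg with an editor that leaves stray bytes in the file. The constructed tac.cfg embedded below adds a hypothetical "readonly" group as one answer to that question. The parser (`tokenize`, `parse`, `load_config`) covers only the subset of the config grammar shown on this page, and `authorize` is my model of how tac_plus documents command authorization rather than a transcription of the daemon's code: the first permit/deny regex that matches the command's argument string wins (unanchored match), no match inside a cmd block means deny, a verb with no cmd block is allowed only when the group sets "default service = permit", and a group may inherit from a parent group with its own "member =" line. `config_lint` reports the bytes a word-processor style editor can leave behind (a UTF-8 BOM, control characters, non-ASCII) so you can check the file before restarting the daemon.

```python
import re
# Constructed sample tac.cfg in the format the post describes. The hypothetical
# "readonly" group answers the comment question: show commands (minus the
# running config), interface configuration and static routes, nothing else.
SAMPLE_CFG = r"""key = password
user = tom { member = itnetwork }
user = helpdesk { member = readonly }
group = itnetwork {
    login = file passwords.db
    service = exec { priv-lvl = 15 }
    default service = permit        # anything not explicitly denied is allowed
}
group = readonly {
    service = exec { priv-lvl = 15 }
    cmd = show {
        deny running-config
        permit .*
    }
    cmd = configure { permit terminal }
    cmd = interface { permit .* }
    cmd = ip {
        permit route .*
    }
}
"""
TOKEN_RE = re.compile(r'"[^"]*"|[{}=]|[^\s{}=]+')

def tokenize(text):
    # One '\n' token per line; '#' starts a comment; on a permit/deny line the
    # rest of the line is one regex token, so "permit route .*" stays whole.
    tokens = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        head, _, rest = line.partition(' ')
        if head in ('permit', 'deny'):
            tokens += [head, rest.strip().strip('"')]
        else:
            tokens += [t.strip('"') for t in TOKEN_RE.findall(line)]
        tokens.append('\n')
    return tokens

def parse(tokens, pos=0):
    # Recursive descent over "key words = value [{ ... }]" and "permit/deny re"
    # statements up to the closing brace; returns (block, position).
    block = {'attrs': {}, 'rules': [], 'blocks': {}}
    while pos < len(tokens) and tokens[pos] != '}':
        tok = tokens[pos]
        if tok == '\n':
            pos += 1
        elif tok in ('permit', 'deny'):
            block['rules'].append((tok, tokens[pos + 1]))
            pos += 2
        else:
            eq = tokens.index('=', pos)
            key = ' '.join(tokens[pos:eq])       # 'cmd', 'default service', ...
            pos, words = eq + 1, []
            while tokens[pos] not in ('{', '}', '\n'):
                words.append(tokens[pos])
                pos += 1
            value = ' '.join(words)              # 'exec', 'file passwords.db'
            if tokens[pos] == '{':
                sub, pos = parse(tokens, pos + 1)
                block['blocks'][(key, value)] = sub
                pos += 1                         # step over the '}'
            else:
                block['attrs'][key] = value
    return block, pos

def load_config(text):
    top, _ = parse(tokenize(text))
    pick = lambda kind: {v: b for (k, v), b in top['blocks'].items() if k == kind}
    return {'key': top['attrs'].get('key'), 'users': pick('user'), 'groups': pick('group')}

def authorize(cfg, user, command):
    # Walk the user's group and its parents (group { member = parent }). In the
    # verb's cmd block the first regex matching the arguments decides, no match
    # means deny; a verb with no block needs "default service = permit".
    verb, _, args = command.strip().partition(' ')
    name = cfg['users'].get(user, {'attrs': {}})['attrs'].get('member')
    seen, default = set(), False
    while name in cfg['groups'] and name not in seen:
        seen.add(name)
        grp = cfg['groups'][name]
        if ('cmd', verb) in grp['blocks']:
            for action, pattern in grp['blocks'][('cmd', verb)]['rules']:
                if re.search(pattern, args):
                    return action == 'permit'
            return False
        default = default or grp['attrs'].get('default service') == 'permit'
        name = grp['attrs'].get('member')
    return default

def config_lint(raw):
    # Flag a UTF-8 BOM, control characters or non-ASCII bytes, the junk a
    # word-processor style editor leaves in tac.cfg (CR and TAB are tolerated).
    problems = []
    if raw.startswith(b'\xef\xbb\xbf'):
        problems.append('line 1: UTF-8 BOM')
        raw = raw[3:]
    for n, line in enumerate(raw.split(b'\n'), 1):
        bad = [b for b in line if b > 0x7e or (b < 0x20 and b not in (0x09, 0x0d))]
        if bad:
            problems.append(f'line {n}: byte 0x{bad[0]:02x}')
    return problems
```

Run `authorize(load_config(SAMPLE_CFG), 'helpdesk', 'show running-config')` and you get False, while `'show ip route'`, `'configure terminal'`, `'interface GigabitEthernet0/1'` and `'ip route 10.0.0.0 255.0.0.0 192.0.2.1'` all come back True; `'ip access-list standard FOO'` is denied because nothing in the `ip` block matches its arguments. To lint a real file, pass `open('tac.cfg', 'rb').read()` to `config_lint`. Two practical caveats: IOS sends the expanded command to the server, and it only asks about configuration-mode commands (interface, ip route) when `aaa authorization config-commands` is enabled alongside `aaa authorization commands 15 default group tacacs+`, which is the usual reason "my authorization doesn't work at all".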