Centralizing Logins with TACACS+

| February 28, 2009 | 19 Replies

As soon as your network grows to more than a few devices, you quickly realize you need an easy way to manage the logins and passwords on them. Cisco will sell you its ACS server for $6,000 or so, or you can get the appliance for $12,000. But if your budget doesn't allow for that kind of money, what options do you have? Lucky for us, there is good 'ole TACACS+.

TACACS+ (Terminal Access Controller Access-Control System Plus) is a protocol, using TCP port 49, that provides login control for your network devices. Setting up a TACACS+ server gives you a central point for controlling authentication, authorization, and accounting (AAA) for your routers, switches, and just about any other network device. TACACS+ server software runs on Linux, Sun, and Windows, and best of all it's free.

Ah, but what about RADIUS, you ask? Well, RADIUS works just fine and will do the same thing; however, there are some benefits to using TACACS+. One is that the authentication, authorization, and accounting services are separated, which lets you spread them across multiple servers if you wish. Another is that the body of every TACACS+ packet is encrypted under the shared key you configure on both sides (RADIUS hides only the password field), so your login information is not sent in the clear.

Configuring TACACS+ can be a bit of a challenge if you have never done it before, but once you understand the format of the config file it's really pretty simple.

Here's a sample TACACS+ config (tac.cfg):

# Encryption key is the same key you configure in your router
# ENCRYPTION KEY:
key = password

# You will want to log access to a file. Set that file here.
# Remember to rotate the log; it will grow over time.
# write accounting to:
accounting file = accounting.log

#########################################
###############Users#####################
#########################################

### Users without a "login = " entry must authenticate through RADIUS or locally:

user = tom         { member = itnetwork }
user = dick        { member = itnetwork }
user = harry       { member = itnetwork }

user = backup-user { member = show }    # show profile for only doing backups

################################
##########Groups################
################################

group = itnetwork {
        # IT-Network Engineers
        login = file passwords.db

        service = exec {
                default attribute = permit
                priv-lvl = 15
        }

        cmd = show {
                permit .*
        }
        cmd = enable {
                permit .*
        }
}
#################################################
# The remainder edited for brevity

In the above sample config there are basically three sections. The top section is where you define the encryption key, the shared secret that lets your routers and switches authenticate to your TACACS+ server.

The next section is the users section. This is where you define the user names, which group each user is a member of, and where the password is kept. In this example the passwords are kept in a file called passwords.db.

Finally, there is the group section. This is where you define the commands that members of the group can execute. Users can belong to multiple groups. Commands can be permitted or denied, which gives you a remarkable amount of control over what users and groups can do on your network devices.
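As an added illustration (not tac_plus's own code and not part of the download), here is a small parser for the config format described above, plus a check that answers "may this user run this command?" the way the group cmd blocks read: the user's groups are tried in order, the first permit or deny regex that matches the command's arguments wins, and a command with no cmd block anywhere is denied. The sample config is constructed, and the matching rules are a simplified model of tac_plus rather than its exact algorithm.

```python
import re
SAMPLE_CFG = """
# constructed sample in the post's tac.cfg format (not the download's file)
user = tom { member = itnetwork }
user = backup-user { member = show }
group = itnetwork {
    login = file passwords.db
    cmd = show { permit .* }
    cmd = configure { deny terminal permit .* }
}
group = show { cmd = show { deny run.* permit .* } }
"""

def parse_block(toks, i, in_cmd=False):  # -> (stmts, index of the closing '}')
    stmts = []
    while i < len(toks) and toks[i] != '}':
        if toks[i] == '\n':
            i += 1
        elif in_cmd:                                   # "permit <re>" / "deny <re>" pairs
            stmts.append((toks[i], toks[i + 1].strip('"'))); i += 2
        else:
            j = toks.index('=', i)                     # key may be several words
            key, i, value, children = ' '.join(toks[i:j]), j + 1, [], None
            while i < len(toks) and toks[i] not in ('{', '}', '\n'):
                value.append(toks[i]); i += 1
            if i < len(toks) and toks[i] == '{':
                children, i = parse_block(toks, i + 1, key == 'cmd')
                if i == len(toks):
                    raise ValueError(f"missing '}}' closing {key} = {' '.join(value)}")
                i += 1                                 # step past the '}'
            stmts.append((key, ' '.join(value), children))
    return stmts, i

def load_config(text):
    """Return (users -> [groups], groups -> {cmd: [(verdict, regex), ...]})."""
    toks = re.findall(r'"[^"]*"|[{}=\n]|[^\s{}=]+', re.sub(r'#.*', '', text))
    stmts, _ = parse_block(toks, 0)
    users = {v: [m for k, m, _ in c or [] if k == 'member'] for k, v, c in stmts if k == 'user'}
    groups = {v: {m: r for k, m, r in c or [] if k == 'cmd'} for k, v, c in stmts if k == 'group'}
    return users, groups

def may_run(users, groups, user, command):
    """First permit/deny regex matching the arguments wins; no cmd block means deny."""
    verb, _, args = command.partition(' ')
    for grp in users.get(user, []):
        for verdict, pattern in groups.get(grp, {}).get(verb, []):
            if re.match(pattern, args):
                return verdict == 'permit'
    return False
```

Feeding your real tac.cfg through load_config is also a quick way to catch an unclosed brace before tac_plus refuses to start.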

The entire TACACS+ package can be downloaded here. It contains the full tac.cfg file as well as a few extras that make setting up your TACACS+ server on Windows a breeze.

As always, if you have any comments or would like to add anything to this post, please do. Comments make a website come alive. We would love to hear your opinion.

Freak!


Category: Configuration Tips

About the Author

Senior Network Engineer, technology enthusiast, guitar and bass player. Joe Wilson is the creator and owner of RouterFreak.com as well as other niche websites that can be found around on the Internets. You can also find me on my personal blog at JoeWilson.org.

Comments (19)


Sites That Link to this Post

  1. What is Radius Authentication Protocol? : Router Freak | June 5, 2013
  1. kashif says:

    Hi, I am trying to implement AAA through TACACS. Now I have two types of users, Junior Network Admin and Senior Network Admin, and two types of network devices, Access and Core. Both types of admin have full access to Access devices, but Junior Network Admins only have limited privileges on Core network devices (Junos-based Juniper devices). Now I have created one template account on the Access devices and two template accounts on the Core devices. I want to map two template accounts to a single user defined in the TACACS configuration file, … I am OK with single template account to single TACACS user mapping, but unable to map two template accounts from two different network devices to a single template account in TACACS.

  2. NayabRasool says:

    Hi all ,

    We want to pass all our authentication for the switch through TACACS, so what are all the prerequisites I need to have to achieve this? I am going to use a Windows 2008 Server which already has Active Directory installed, so how can I proceed with this?

  3. Kemal says:

    Hi, I am new to this and I am trying to figure out how to configure this on the Cisco router.

    this is what I have

    aaa new-model
    aaa authentication login group tacacs+ local line enable
    aaa authentication enable default group tacacs+ enable

    tacacs-server host 172.19.0.223
    tacacs-server key onmlk123

    ip tacacs source-interface Loopback12

    I am a little confused on the second command where it says "login group tacacs+"; should I be specifying any specific group or not?
    Also does this work on Windows server 2008 R2 Enterprise?
    Thank you

  4. brendon says:

    Can anyone tell me how to create a user that can only do show commands, configure router interfaces and ip route? My authorization doesn't work at all.

    • Joe says:

      You can set user account privileges to be lower than standard admin. Router admins typically get privilege level 15 for all commands. Privilege level 11 will be allowed to perform most read functions but not be able to do a "show run".

      Within TACACS you can be extremely specific as to which commands you want to permit or deny for each privilege level to execute.

  5. Sue says:

    Hi Joe,

    I currently have tacacs up and running in my environment. Can a user be a member of more than one group with two different access levels? For example, could user Tom be a member of ITnetwork (with ACL list of nodes) & ITnetwork2 (with ACL list of nodes) where ITNetwork has privilege 15 and ITNetwork2 has privilege 7?

    • Joe says:

      With the standard version of TACACS+ that's freely available I don't think you can do this. You would have to upgrade to Cisco ACS, which has this capability. You can create user groups as well as group your network devices and assign different permissions based on each group. It has a lot more flexibility.

  6. Joe says:

    When you edit that config file be sure to use a text editor. Don't use Notepad, as it tends to add control characters to the file. Try Textpad, it's free, or Notepad++, which is also free.

    Let me know if this helps

    Joe

    • Ian says:

      I think you meant don’t use Wordpad – that’s a full blown word processor and will insert control characters, etc. Notepad is a plain text editor, if you don’t have one of the upgrades listed above it’s built into Windoze. I have used it off and on for this purpose / reason for years.

      • Joe says:

        No, Notepad is not entirely a plain text editor. It will insert hidden characters. So does Wordpad. The best apps to use on Windows desktops would be either Textpad or Notepad++. Both are free to use!

  7. simon says:

    Joe, it appears that if I modify the tac.cfg in any way it won't run. I can copy the original tac.cfg, rename it and it runs OK, but as soon as I make any change to the config file, even just adding one character to a password for example, it won't run…

  8. Joe says:

    Good to know! Thanks — keep me posted!

  9. simon says:

    Joe, really interesting: none of the above worked, but I had renamed the default tac.cfg to tacold.cfg and created a new tac.cfg. If I tried running the .exe with my new tac.cfg it didn't start; tried it with the bundled, renamed tacold.cfg and it started!! Must be something in the original tac.cfg file that I'm missing or some such; will post back what I find.

    Thanks

  10. Joe says:

    Thanks, really interesting. Are you running it as administrator? … or try right-click "run as admin"? Just taking a stab in the dark. You may also try running in compatibility mode.. again just guessing.

    Let me know if you get it working… thanks!

  11. simon says:

    Hi,

    That's exactly what I want, Windows, and I am trying to run it on Windows XP, but I get the error mentioned and it does not appear in Task Manager as stated in the readme file.

    I can find loads of unix/linux ones; it's these rare Windows ones I want to try.

    Simon

  12. simon says:

    Hi, great post as I'm trying to test out tacacs, but I'm having trouble running the exe. I get the following message:

    C:\tacacs>tac_plus.exe -C tac.cfg

    Warning, not running as uid 0

    Tac_plus is usually run as root

    on line 2ecognised token

    Any ideas?

    Thanks Simon

    • Joe says:

      Hi Simon,
      I believe the download from RouterFreak.com is only for Windows platforms. Sorry about that. You may want to do a search for a linux/unix version. I know there are some out there. I would look too and try to include this in the downloads area of the site.

      Thanks!
