<h1 id="getting-the-tacacs-server-configured"><a href="#getting-the-tacacs-server-configured"><span class="header-section-number">1</span> getting the tacacs+ server configured</a></h1>
<pre><code>$ sudo apt-get install tacacs+
$ sudo groupadd -r cisco
$ sudo vi /etc/tacacs+/tac_plus.conf</code></pre>
<h2 id="change-the-following-settings"><a href="#change-the-following-settings"><span class="header-section-number">1.1</span> change the following settings</a></h2>
<ul>
<li>We want to set the shared key that routers must present to use our service to TacacsPassword.</li>
<li>We also want to limit what users may do based on group membership. For this example the groups and users are defined directly in tac_plus.conf.</li>
</ul>
<h2 id="change-this-line"><a href="#change-this-line"><span class="header-section-number">1.2</span> change this line</a></h2>
<pre><code>key = TacacsPassword</code></pre>
<p>In the real world we'd choose a much stronger shared key, e.g. one generated with pwgen. This key is the only thing protecting the TACACS+ traffic between router and server (the protocol obfuscates packet bodies with an MD5 keystream derived from it), so it should be long, random and unique to this server. Because tac_plus.conf holds the key (and, further down, password hashes) the file should be readable by root only.</p>
<pre><code>$ pwgen -s 64 1
BRSWUWgJLkuxyqfmwfrlRC8JW54bpm3a2rMEe1IWwwpupwGBreGCXGTdbqkMGo2F</code></pre>
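<p>The following Python is an added example, not part of the original page or of tac_plus: it builds the first packet a router sends when someone logs in (an authentication START as defined in RFC 8907) and applies the protocol's body obfuscation, an MD5 keystream seeded with the session id, the shared key, the version byte and the sequence number, XORed over the body. The username, port, remote address and session id in it are constructed values. Two things follow for the key above: whoever holds it reads every username and password that crosses the wire, and because a decoded body has a checkable structure (its four length bytes must add up to the body length) a captured packet lets an attacker test key guesses offline; <code>recover_user</code> below is exactly that oracle, which is why a dictionary word as key is worthless. RFC 8907 accordingly calls this obfuscation rather than encryption and expects TACACS+ to run only over a protected management network.</p>

```python
import hashlib
import struct

# TACACS+ constants from RFC 8907; everything else below is a constructed example.
TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0 (ASCII login)
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body sent in clear (no shared key)
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate, truncate."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; XOR is its own inverse, so the same call decodes."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, priv_lvl: int = 1) -> bytes:
    """Authentication START body for an ASCII login (the password follows in a CONTINUE)."""
    data = b""
    fixed = bytes([TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                   TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(data)])
    return fixed + user + port + rem_addr + data


def build_packet(body: bytes, key: bytes, session_id: int, seq_no: int = 1) -> bytes:
    """12-byte header followed by the obfuscated body (seq_no 1 is the client's first packet)."""
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_packet(packet: bytes, key: bytes) -> bytes:
    """Return the decoded body; raise ValueError if the header or length field is inconsistent."""
    if len(packet) < HEADER.size:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:]
    if len(body) != length:
        raise ValueError("truncated packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, session_id, key, version, seq_no)


def parse_authen_start(body: bytes) -> dict:
    """Split a START body into fields; the four length bytes must account for the whole body."""
    if len(body) < 8:
        raise ValueError("short START body")
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = body[:8]
    if 8 + ulen + plen + rlen + dlen != len(body):
        raise ValueError("length fields do not match body")
    off = 8
    user, off = body[off:off + ulen], off + ulen
    port, off = body[off:off + plen], off + plen
    rem_addr, off = body[off:off + rlen], off + rlen
    return {"action": action, "priv_lvl": priv_lvl, "type": authen_type, "service": service,
            "user": user, "port": port, "rem_addr": rem_addr, "data": body[off:off + dlen]}


def recover_user(packet: bytes, key: bytes):
    """What a server, or a sniffer, holding `key` learns from a START packet; None if key is wrong."""
    try:
        return parse_authen_start(parse_packet(packet, key))["user"]
    except ValueError:
        return None


# Constructed example: the router's first packet of a login for sysadm (session id picked here).
KEY = b"TacacsPassword"
SESSION_ID = 0x1234ABCD
START = build_packet(authen_start_body(b"sysadm", b"tty0", b"10.10.9.2"), KEY, SESSION_ID)

if __name__ == "__main__":
    print("with the right key:", recover_user(START, KEY))
    print("with a wrong key:  ", recover_user(START, b"WrongKey"))
```

<p>Running the script prints <code>b'sysadm'</code> for the right key and <code>None</code> for the wrong one; looping <code>recover_user</code> over a wordlist against one captured packet is the whole offline attack, which is the argument for the 64-character pwgen key above.</p>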
<h2 id="then-at-the-end-of-the-file-....-add"><a href="#then-at-the-end-of-the-file-....-add"><span class="header-section-number">1.3</span> ... then at the end of the file, add:</a></h2>
<pre><code>#
# "level 2" users who cannot "debug" or "config"
#
group = l2_tacacs_users {
    default service = permit
    login = file /etc/passwd
    enable = file /etc/passwd
    service = exec {
        priv-lvl = 15
    }
    cmd = configure {
        deny "."
    }
    cmd = debug {
        deny "."
    }
}
#
# "level 2" users with full privileges
#
group = netops {
    default service = permit
    login = file /etc/passwd
    enable = file /etc/passwd
    service = exec {
        priv-lvl = 15
    }
}
#
# group member with an entry in the password file
#
user = sysadm {
    member = netops
}
#
# group member not in the password file
# use the tac_pwd command to hash the password
#
user = rancid {
    member = netops
    login = des GAxtUcNh5DBFQ
}</code></pre>
<p>Both groups use <code>login = file /etc/passwd</code>, so any Unix account named in a <code>user</code> stanza logs in to the routers with its Unix password; on a system with shadow passwords tac_plus reads the hash from /etc/shadow, which requires the daemon to run with permission to read that file (it runs as root under the Debian init script). The <code>des</code> entry for rancid is a crypt(3) hash produced with <code>tac_pwd</code>; classic DES crypt only uses the first eight characters of the password, so it is acceptable for a service account but not a good home for human passwords. Note also that both groups hand out <code>priv-lvl = 15</code>: the only difference between them is the cmd blocks, and the router consults those only if it is configured to authorize commands (see section 2.1).</p>
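<p>To see what the cmd blocks above actually decide, here is an added Python model of tac_plus command authorization; it is not tac_plus code. It parses a constructed copy of the two groups (plus a hypothetical user <code>student</code> in the restricted group, who is not on this page), joins the command's arguments the way IOS sends them, with a trailing <code>&lt;cr&gt;</code>, and applies the documented order: inside a cmd block the first matching regex wins and no match means deny; a command with no cmd block gets the group's <code>default service</code>. Treat the parser as a subset (one level of group membership, no user-level cmd overrides) and the no-match-means-deny rule as an assumption taken from the tac_plus.conf documentation. The point it makes: <code>deny "."</code> catches every form of <code>configure</code> and <code>debug</code>, but under <code>default service = permit</code> a level-2 user can still <code>reload</code> or <code>write memory</code>; a deny-list on top of a permit-all default blocks only what you thought to list.</p>

```python
import re

# Constructed config: the two groups from this page, the page's sysadm user, and a
# hypothetical restricted user "student" (not on the original page).
TAC_PLUS_CONF = """
group = l2_tacacs_users {
    default service = permit
    login = file /etc/passwd
    enable = file /etc/passwd
    service = exec { priv-lvl = 15 }
    cmd = configure { deny "." }
    cmd = debug { deny "." }
}
group = netops {
    default service = permit
    login = file /etc/passwd
    enable = file /etc/passwd
    service = exec { priv-lvl = 15 }
}
user = sysadm { member = netops }
user = student { member = l2_tacacs_users }   # hypothetical, for illustration
"""

IOS_CR = "<cr>"  # IOS sends this as the final cmd-arg of every command it asks about


def tokenize(text: str) -> list:
    """Drop # comments, then split into quoted strings, braces, '=' and bare words."""
    text = re.sub(r"#.*", "", text)
    return re.findall(r'"[^"]*"|[{}=]|[^\s{}="]+', text)


def parse_block(tokens: list, i: int = 0):
    """Parse `key = value [{ ... }]` and `permit|deny "regex"` entries up to the closing brace.
    Returns (node, index); nested blocks are stored as node[key][value], e.g. node["cmd"]["configure"]."""
    node = {"rules": []}
    n = len(tokens)
    while i < n and tokens[i] != "}":
        if tokens[i] in ("permit", "deny") and tokens[i + 1].startswith('"'):
            node["rules"].append((tokens[i], tokens[i + 1].strip('"')))
            i += 2
            continue
        words = []
        while tokens[i] != "=":          # multi-word keys such as "default service"
            words.append(tokens[i])
            i += 1
        key = " ".join(words)
        i += 1                            # skip '='
        values = []
        # a value runs until a brace, or until the next token is itself a key (followed by '=')
        while i < n and tokens[i] not in ("{", "}") and not (i + 1 < n and tokens[i + 1] == "="):
            values.append(tokens[i].strip('"'))
            i += 1
        value = " ".join(values)
        if i < n and tokens[i] == "{":
            child, i = parse_block(tokens, i + 1)
            i += 1                        # skip '}'
            node.setdefault(key, {})[value] = child
        else:
            node[key] = value
    return node, i


def parse_conf(text: str) -> dict:
    tokens = tokenize(text)
    conf, i = parse_block(tokens)
    if i != len(tokens):
        raise ValueError("unbalanced braces")
    return conf


def authorize(conf: dict, username: str, command: str, args: list) -> str:
    """Decide permit/deny for one command the way tac_plus is documented to: a cmd block for the
    command is searched in order and the first regex matching the argument string wins (no match
    denies); a command without a cmd block falls back to the group's default service."""
    group = conf["group"][conf["user"][username]["member"]]
    argstr = " ".join(list(args) + [IOS_CR])
    block = group.get("cmd", {}).get(command)
    if block is not None:
        for action, regex in block["rules"]:
            if re.search(regex, argstr):
                return action
        return "deny"  # assumption: a cmd block that matches nothing denies
    return group.get("default service", "deny")


CONF = parse_conf(TAC_PLUS_CONF)

if __name__ == "__main__":
    for user, cmd, args in [("student", "configure", ["terminal"]), ("student", "debug", ["ip", "packet"]),
                            ("student", "show", ["running-config"]), ("student", "reload", []),
                            ("sysadm", "configure", ["terminal"])]:
        print(f"{user:8} {cmd} {' '.join(args)} -> {authorize(CONF, user, cmd, args)}")
```

<p>Run it and the restricted user is denied <code>configure terminal</code> and <code>debug ip packet</code> but permitted <code>show running-config</code> and <code>reload</code>; sysadm in netops is permitted everything. If the intent is really "level 2 users", the safer shape is <code>default service = deny</code> with explicit <code>permit</code> regexes for the commands they need.</p>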
<h3 id="check-tacacs_plus-config"><a href="#check-tacacs_plus-config"><span class="header-section-number">1.3.1</span> check tacacs_plus config</a></h3>
<pre><code>$ sudo service tacacs_plus check</code></pre>
<p>You should see a response like:</p>
<pre><code> * Checking TACACS+ authentication daemon configuration files successful tacacs+</code></pre>
<h3 id="restart-tacacs_plus-to-pick-up-the-new-settings"><a href="#restart-tacacs_plus-to-pick-up-the-new-settings"><span class="header-section-number">1.3.2</span> restart tacacs_plus to pick up the new settings</a></h3>
<pre><code>$ sudo service tacacs_plus restart</code></pre>
<h1 id="getting-a-cisco-device-to-talk-to-your-tacacs"><a href="#getting-a-cisco-device-to-talk-to-your-tacacs"><span class="header-section-number">2</span> getting a cisco device to talk to your tacacs</a></h1>
<p>Enter configuration mode and point the router at the server, using the same key you put in tac_plus.conf:</p>
<pre><code>tacacs-server host 10.10.9.1
tacacs-server key TacacsPassword</code></pre>
<p>(IOS 15 and later also offer a newer way to define these parameters, a <code>tacacs server &lt;name&gt;</code> block holding <code>address ipv4</code> and <code>key</code>, but the legacy commands above are accepted on all versions for now.)</p>
<p>Check that you can reach the tacacs server and authenticate correctly:</p>
<pre><code>test aaa group tacacs+ sysadm &lt;password&gt; port 49 legacy</code></pre>
<p>You should see a response like:</p>
<pre><code>Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.</code></pre>
<p>If the test fails, check that TCP port 49 on the server is reachable from the router and that the key is identical on both ends: a mismatched key makes the server unable to decode the request, which looks like a server failure rather than a rejected password.</p>
<h2 id="now-you-can-finish-configuring-the-router-to-use-tacacs-for-login-control"><a href="#now-you-can-finish-configuring-the-router-to-use-tacacs-for-login-control"><span class="header-section-number">2.1</span> Now you can finish configuring the router to use tacacs for login control:</a></h2>
<pre><code>aaa new-model

aaa authentication login default group tacacs+ enable
aaa authentication login NSRCCONSOLE local-case
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ none
aaa accounting delay-start
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

! This lets us log in via the console even if tacacs isn't working
username NSRCCONSOLE password 0 tpyPo9dT
line con 0
exec-timeout 15 0
login authentication NSRCCONSOLE</code></pre>
<p>The trailing <code>enable</code> and <code>none</code> in the method lists are fallbacks that IOS uses only when no TACACS+ server answers, not when the server rejects a login: login and enable then fall back to the enable secret, and exec authorization is skipped. That keeps you from being locked out of a router whose server is down, but it also means anyone who can make the server unreachable needs only the enable secret, so keep that secret strong and watch for TACACS+ server failures.</p>
<p>With only <code>aaa authorization exec</code> configured the router never asks the server about individual commands, so the <code>cmd = configure</code> and <code>cmd = debug</code> deny rules in the l2_tacacs_users group have no effect. To enforce them, add <code>aaa authorization commands 15 default group tacacs+ none</code> (same fallback pattern) once you are satisfied that exec authorization works.</p>
<p><code>username NSRCCONSOLE password 0 tpyPo9dT</code> keeps that password in clear text in the configuration (as a reversible type 7 string once <code>service password-encryption</code> is on); <code>username NSRCCONSOLE secret ...</code> stores a hash instead and is the better choice for a break-glass account.</p>
<h2 id="now-you-can-verify-accounting"><a href="#now-you-can-verify-accounting"><span class="header-section-number">2.2</span> Now you can verify accounting</a></h2>
<pre><code>Router#show aaa sessions
Router#show aaa users all</code></pre>
<p><code>show tacacs</code> on the router reports whether the server is reachable and the request and reply counters; on the server side the start/stop records are written to the file named by the <code>accounting file =</code> directive in tac_plus.conf.</p>