$ sudo apt-get install tacacs+
$ sudo groupadd -r cisco
$ sudo vi /etc/tacacs+/tac_plus.conf
key = TacacsPassword
In the real world we'd choose a much stronger shared key e.g.
$ pwgen -s 64 1
BRSWUWgJLkuxyqfmwfrlRC8JW54bpm3a2rMEe1IWwwpupwGBreGCXGTdbqkMGo2F
#
# "level 2" users who cannot "debug" or "config"
#
group = l2_tacacs_users {
default service = permit
login = file /etc/passwd
enable = file /etc/passwd
service = exec {
priv-lvl = 15
}
cmd = configure {
deny "."
}
cmd = debug {
deny "."
}
}
#
# "level 2" users with full privileges
#
group = netops {
default service = permit
login = file /etc/passwd
enable = file /etc/passwd
service = exec {
priv-lvl = 15
}
}
#
# group member with entry in password fileapt-
#
user = sysadm {
member = netops
}
#
# group member not in password file
# use tac_pwd command to encode password
#
user = rancid {
member = netops
login = des GAxtUcNh5DBFQ
}
$ sudo service tacacs_plus check
You should see a response like:
* Checking TACACS+ authentication daemon configuration files successful tacacs+
$ sudo service tacacs_plus restart
Enter configuration mode:
tacacs-server host 10.10.9.1
tacacs-server key TacacsPassword
(Later versions of IOS (15...)have an alternative mechanism for defining these parameters but this can be used on all systems for now.)
Check that you can reach the tacacs server and authenticate correctly:
test aaa group tacacs+ sysadm <password> port 49 legacy
You should see a response like:
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login NSRCCONSOLE local-case
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ none
aaa accounting delay-start
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
! This lets us login via the console even if tacacs isn't working
username NSRCCONSOLE password 0 tpyPo9dT
line con 0
exec-timeout 15 0
login authentication NSRCCONSOLE
Router#show aaa sessions
Router#show aaa users all