Thursday, July 7, 2016

Tacacs+ Server for Cisco Devices Authentication

TACACS+ Server for Cisco Devices

(Linux Raspbian / Raspberry Pi)



PayozonLAB-RT01#test aaa group tacacs+ new-code
Sending password
User successfully authenticated

USER ATTRIBUTES

username             "user01"
reply-message        "Password: "
PayozonLAB-RT01#

PayozonLAB-RT01#
PayozonLAB-RT01#test aaa group tacacs+ payozon tacacs legacy          
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.

PayozonLAB-RT01#
And how do you do it? On the Raspberry Pi, open a terminal and install tacacs+:

sudo apt install tacacs+
sudo service tacacs_plus status
sudo nano /etc/tacacs+/tac_plus.conf

Now we need to add the auth key, users and passwords: append the text below to the end of tac_plus.conf and comment out everything above it:

# This is the key that clients have to use to access Tacacs+
key = test@Key123

# User - Basic Settings

user = root {
    default service = permit
    name = "Administrator"
    login = cleartext admin
    service = exec {
        priv-lvl = 15
    }
}

sudo service tacacs_plus restart
tail /var/log/tac_plus.acct
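Before restarting the service it pays to check what the file actually says. The script below is an added example, not part of the post or of the tacacs+ package: a small parser for the subset of tac_plus.conf syntax used in this post ('#' comments, name = value settings and name = value { ... } blocks), followed by a lint pass that reports a short shared key, passwords stored as cleartext, unbalanced or typographic quotes in a display name, and users with privilege level 15. The configuration embedded in it is constructed from the snippet above plus a second user whose password is stored as a crypt(3) hash, so the difference in findings is visible.

```python
"""Parse a tac_plus.conf file and flag weak settings.

Added example, not part of the original post or the tacacs+ package.
It understands only the subset of syntax the post uses: '#' comments,
'name = value' settings and 'name = value { ... }' blocks.
"""
import re

# Constructed sample: the post's configuration plus a second user whose
# password is a crypt(3) hash and whose display name has an unbalanced quote.
SAMPLE_CONF = """
# This is the key that clients have to use to access Tacacs+
key = test@Key123

user = root {
    default service = permit
    name = "Administrator"
    login = cleartext admin
    service = exec {
        priv-lvl = 15
    }
}

user = operator {
    name = "Operator
    login = des 8L/6PsZWYZzjk
    service = exec {
        priv-lvl = 1
    }
}
"""

# name = value, optionally followed by '{' to open a block
_SETTING = re.compile(r'^([\w\- ]+?)\s*=\s*(.*?)\s*(\{)?$')


def parse(text):
    """Return the config as nested dicts.

    A block 'user = root { ... }' becomes conf['user root'] = {...};
    a plain setting becomes conf['key'] = 'test@Key123'.
    """
    root = {}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()   # drop comments (keys must not contain '#')
        if not line:
            continue
        if line == '}':
            if len(stack) == 1:
                raise ValueError('line %d: unbalanced "}"' % lineno)
            stack.pop()
            continue
        m = _SETTING.match(line)
        if not m:
            raise ValueError('line %d: cannot parse %r' % (lineno, raw))
        name, value, opens_block = m.groups()
        if opens_block:
            block = {}
            stack[-1]['%s %s' % (name, value)] = block
            stack.append(block)
        else:
            stack[-1][name] = value
    if len(stack) != 1:
        raise ValueError('unclosed block at end of file')
    return root


def lint(conf):
    """Return a list of human-readable findings about weak settings."""
    findings = []
    key = conf.get('key')
    if key is None:
        findings.append('no shared key: devices cannot authenticate to the server')
    elif len(key) < 16:
        findings.append('shared key shorter than 16 characters')
    for label, body in conf.items():
        if not (label.startswith('user ') and isinstance(body, dict)):
            continue
        user = label.split(' ', 1)[1]
        if body.get('login', '').startswith('cleartext '):
            findings.append('user %s: password stored in cleartext' % user)
        display = body.get('name', '')
        if display.count('"') % 2 == 1 or '\u201c' in display or '\u201d' in display:
            findings.append('user %s: unbalanced or typographic quote in name' % user)
        if body.get('service exec', {}).get('priv-lvl') == '15':
            findings.append('user %s: privilege level 15 (full enable access)' % user)
    return findings


if __name__ == '__main__':
    for finding in lint(parse(SAMPLE_CONF)):
        print(finding)
```

Run it against the real file with `lint(parse(open('/etc/tacacs+/tac_plus.conf').read()))`; a parse error points at the line with the problem, which is cheaper than discovering it from a failed `test aaa` on the router.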
Then you can switch to your Cisco switch or router and test it!

test aaa group tacacs+ admin admin legacy

ssh -c aes256-cbc admin@172.16.255.103 

Everythin' OK? Let's continue...

In global configuration mode issue the commands below:

aaa new-model
aaa authentication login default local group tacacs+
aaa authentication enable default group tacacs+ enable
aaa accounting commands 15 default
 action-type start-stop
 group tacacs+
tacacs-server host 192.168.15.62
tacacs-server key test@Key123
The configuration above uses the older tacacs-server syntax. The newer form defines the server as a named object; the shared key belongs in that block too, and login authentication is applied on the lines (here the VTY lines), not globally:

tacacs server TACACS+
 address ipv4 192.168.1.38
 key test@Key123
 timeout 15
aaa authentication login TACACS+ group tacacs+
aaa authentication password-prompt TACACS+Password:
aaa authentication attempts login 5
aaa authentication username-prompt TACACS+Username:
line vty 0 4
 login authentication TACACS+
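With `aaa accounting commands 15` enabled, every level-15 command a user runs is reported to the Pi and ends up in /var/log/tac_plus.acct. The script below is an added example, not from the post: it parses the tab-separated records tac_plus writes (timestamp, NAS address, user, port, remote address, record type, then attribute=value pairs) and raises an alert when a privileged command came from outside a management network or changed device configuration. The log lines, the 172.16.255.0/24 management range and the list of state-changing commands are constructed for the example.

```python
"""Review tac_plus accounting records for risky activity.

Added example, not from the original post. It assumes the tab-separated
record layout tac_plus writes to /var/log/tac_plus.acct: timestamp, NAS
address, user, port, remote address, record type, then attr=value pairs.
The records and the management network below are constructed.
"""
import ipaddress
import re

SAMPLE_ACCT = (
    "Jul  7 10:01:12\t192.168.15.1\tadmin\ttty2\t172.16.255.50\tstop\t"
    "task_id=11\tservice=shell\tpriv-lvl=15\tcmd=show running-config <cr>\n"
    "Jul  7 10:02:40\t192.168.15.1\tadmin\ttty2\t172.16.255.50\tstop\t"
    "task_id=12\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>\n"
    "Jul  7 10:03:05\t192.168.15.1\tadmin\ttty2\t172.16.255.50\tstop\t"
    "task_id=13\tservice=shell\tpriv-lvl=15\tcmd=no aaa new-model <cr>\n"
    "Jul  7 22:15:31\t192.168.15.1\tadmin\ttty3\t10.99.0.7\tstop\t"
    "task_id=14\tservice=shell\tpriv-lvl=15\tcmd=show version <cr>\n"
)

# Constructed: the only network administrators are expected to log in from.
MGMT_NET = ipaddress.ip_network('172.16.255.0/24')

# Constructed list of commands that change device state or weaken AAA.
CHANGE_PATTERNS = [
    re.compile(r'^configure terminal'),
    re.compile(r'^no aaa '),
    re.compile(r'^(copy|write|reload)\b'),
    re.compile(r'^username '),
]


def parse_record(line):
    """Split one accounting line into a dict of fixed fields plus attributes."""
    fields = line.rstrip('\n').split('\t')
    if len(fields) < 6:
        raise ValueError('short record: %r' % line)
    rec = {'time': fields[0], 'nas': fields[1], 'user': fields[2],
           'port': fields[3], 'remote': fields[4], 'type': fields[5]}
    for av in fields[6:]:
        name, _, value = av.partition('=')
        rec[name] = value
    # the accounted command is logged as 'cmd=<words> <cr>'
    rec['cmd'] = rec.get('cmd', '').replace('<cr>', '').strip()
    return rec


def review(log_text):
    """Return alert strings for commands from unexpected sources or that change state."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec['type'] != 'stop' or not rec['cmd']:
            continue   # command accounting produces stop records only
        try:
            from_mgmt = ipaddress.ip_address(rec['remote']) in MGMT_NET
        except ValueError:
            from_mgmt = False
        if not from_mgmt:
            alerts.append('%s: %s on %s from %s (outside %s) ran %r'
                          % (rec['time'], rec['user'], rec['nas'],
                             rec['remote'], MGMT_NET, rec['cmd']))
        if any(p.search(rec['cmd']) for p in CHANGE_PATTERNS):
            alerts.append('%s: %s on %s changed configuration: %r'
                          % (rec['time'], rec['user'], rec['nas'], rec['cmd']))
    return alerts


if __name__ == '__main__':
    for alert in review(SAMPLE_ACCT):
        print(alert)
```

On the Pi itself, `review(open('/var/log/tac_plus.acct').read())` gives the same result over the real file; the `no aaa new-model` case is the one to watch, since it switches the device back to local authentication and the accounting trail stops with it.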
And the last beginner's task is to configure the TACACS+ banner and the password / username prompts.
(config)#aaa authentication banner X
Enter TEXT message.  End with the character 'X'.
*****************************************************************
*                                                               *
*      PRIVATE PROPERTY -- YOU ARE MONITORED! LEAVE NOW!        *
* ------------------------------------------------------------- *
*    THIS COMPUTER SYSTEM, INCLUDING ALL RELATED EQUIPMENT,     *
*                 NETWORKS AND NETWORK DEVICES                  *
*           (SPECIFICALLY INCLUDING INTERNET ACCESS)            *
*   ARE PROVIDED ONLY FOR AUTHORIZED USE. USE OF THIS SYSTEM    *
* AUTHORIZED OR UNAUTHORIZED, CONSTITUTES CONSENT TO MONITORING *
*                                                               *
*    UNAUTHORIZED USE MAY SUBJECT YOU TO CRIMINAL PROSECUTION   *
* EVIDENCE OF UNAUTHORIZED USE COLLECTED DURING MONITORING MAY  *
* BE USED FOR ADMINISTRATIVE, CRIMINAL OR OTHER ADVERSE ACTION  *
*                                                               *
*    USE OF THIS SYSTEM CONSTITUTES CONSENT TO MONITORING.      *
*                                                               *
*****************************************************************
                                                                
X
(config)#


For more secure usage, generate a DES-encrypted password with tac_pwd instead of storing it in cleartext, and in tac_plus.conf use:

login = des 8L/6PsZWYZzjk

This only protects the password at rest in the configuration file, and the traditional DES crypt(3) format is weak by today's standards, so keep tac_plus.conf readable by root only.

MagLab-phys-R01#test aaa group tacacs+ admin admin legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.
