1 getting the tacacs+ server configured

$ sudo apt-get install tacacs+
$ sudo groupadd -r cisco
$ sudo editor /etc/tacacs+/tac_plus.conf

1.1 change the following settings

1.2 change this line

key = TacacsPassword

This is the shared secret that every device and the server use to obfuscate the TACACS+ packet body (an MD5-based keystream, not real encryption), so anyone who learns it can read the passwords inside captured TACACS+ traffic and forge replies. In the real world we'd choose a much stronger shared key, e.g.

$ pwgen -s 64 1
BRSWUWgJLkuxyqfmwfrlRC8JW54bpm3a2rMEe1IWwwpupwGBreGCXGTdbqkMGo2F

1.3 then, at the end of the file, add:

#
# "level 2" users: full privilege level, but they cannot "debug" or "configure"
#
group = l2_tacacs_users {
    default service = permit
    login = file /etc/passwd
    enable = file /etc/passwd
    service = exec {
        priv-lvl = 15
    }
    # a cmd block switches on per-command checks for that command; each
    # regex is matched against the command's arguments, and IOS always
    # sends "<cr>" as the last argument, so "." matches every form of the
    # command (including a bare "configure") and denies it
    cmd = configure {
        deny "."
    }
    cmd = debug {
        deny "."
    }
}
#
# group member not in the password file
# use the 'tac_pwd -m' command to hash the password:
# this produces an MD5-crypt hash ($1$...), but the entry is still
# labelled 'des' to show that it is not cleartext
#
user = rancid {
    member = l2_tacacs_users
    login = des $1$8B$BqD7RHsYdCOy96kh05PDe0
}

#
# "level 2" users with full privileges
#
group = netops {
    default service = permit
    login = file /etc/passwd
    enable = file /etc/passwd
    service = exec {
        priv-lvl = 15
    }
}
#
# group member with entry in password file
# delete user here to deny access to devices
#
user = sysadm {
    member = netops
}

1.3.1 check tacacs_plus config

$ sudo service tacacs_plus check

You should see a response like:

 * Checking TACACS+ authentication daemon configuration files successful tacacs+

1.3.2 restart tacacs_plus to pick up the new settings

$ sudo service tacacs_plus restart

2 getting a cisco device to talk to your tacacs

Connect to your router, enter configuration mode, then add the following configuration lines: (replace 10.10.X.X with your server's IP address)

tacacs-server host 10.10.X.X
tacacs-server key TacacsPassword

(Later versions of IOS (15.x) also accept an alternative mechanism for defining these parameters, a named "tacacs server <name>" block, but the two lines above can be used on all systems for now.)

Check that you can reach the tacacs server and authenticate correctly:

test aaa group tacacs+ sysadm <password> port 49 legacy

You should see a response like:

Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.

2.1 Now you can finish configuring the router to use tacacs for login control:

In configuration mode:

aaa new-model

! login: ask TACACS+ first; fall back to the enable secret only if no server answers
! (a reject from the server does NOT fall through to the next method)
aaa authentication login default group tacacs+ enable
aaa authentication login NSRCCONSOLE local-case
aaa authentication enable default group tacacs+ enable
! exec authorization falls back to "none" (succeed) if the server is unreachable;
! command authorization has no fallback, so level-15 commands on vty sessions
! are refused while the server is down
aaa authorization exec default group tacacs+ none
aaa authorization commands 15 default group tacacs+
aaa accounting delay-start
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

! This lets us log in via the console even if tacacs isn't working
! (the console line is not subject to command authorization unless
!  "aaa authorization console" is configured). "password 0" stores the
!  fallback password in cleartext in the running config; in production
!  prefer "username NSRCCONSOLE secret ..." so it is stored hashed.
username NSRCCONSOLE password 0 tpyPo9dT
line con 0
 exec-timeout 15 0
 login authentication NSRCCONSOLE

3 Try logging into your router again

While keeping the current session open, make another ssh connection to your router. Check that you can log in using the "sysadm" user and password. Note that you should go straight into enable mode (privilege level 15), because the netops group sets priv-lvl = 15 in its exec service.

Enter configuration mode (conf t) and exit it again. The next step checks whether this was logged.

3.1 Check logs

Logs for the tacacs+ daemon's own operation (startup, configuration errors, authentication failures) are stored in /var/log/daemon.log.

However, more interesting is the accounting log file, which contains a record of every command users have run on your devices: one line per command, with the device address, the username, the terminal and the full command as the router expanded it. You can view the last 10 lines of this file using:

tail /var/log/tac_plus.acct

Can you see the record of the conf t command you did just now?
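Reading the accounting file by eye works for one command; for a device estate you want to parse it. The script below is an added example, not part of this tutorial or of tac_plus: it parses accounting records and pulls out every entry that put a user into configuration mode. It assumes the record layout the tac_plus daemon documents (tab-separated: date, NAS address, username, port, remote address, start/stop, then attr=value pairs); the sample lines embedded in it are constructed for the example, not copied from a real log.

```python
"""Parse tac_plus accounting records and report configuration-mode events.

Added example, not part of the original tutorial or of tac_plus itself.
Assumed record layout (from the tac_plus documentation), one record per line,
fields separated by tabs:
  date  nas_addr  username  port  remote_addr  start|stop  attr=value ...
"""
import re
from collections import Counter

# Constructed sample records mimicking /var/log/tac_plus.acct (not real data).
SAMPLE_ACCT = "\n".join([
    "Tue Jun  4 10:01:02 2013\t10.10.0.254\tsysadm\ttty2\t10.10.0.1\tstart\ttask_id=41\tservice=shell",
    "Tue Jun  4 10:01:20 2013\t10.10.0.254\tsysadm\ttty2\t10.10.0.1\tstop\ttask_id=42\tservice=shell\tpriv-lvl=15\tcmd=show running-config <cr>",
    "Tue Jun  4 10:01:35 2013\t10.10.0.254\tsysadm\ttty2\t10.10.0.1\tstop\ttask_id=43\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>",
    "Tue Jun  4 10:02:10 2013\t10.10.0.254\tsysadm\ttty2\t10.10.0.1\tstop\ttask_id=44\tservice=shell\tpriv-lvl=15\tcmd=exit <cr>",
    "Tue Jun  4 10:05:00 2013\t10.10.0.254\trancid\ttty3\t10.10.0.9\tstop\ttask_id=45\tservice=shell\tpriv-lvl=15\tcmd=show running-config <cr>",
    "Tue Jun  4 10:06:00 2013\t10.10.0.254\tsysadm\ttty2\t10.10.0.1\tstop\ttask_id=46\tservice=shell",
])

FIXED_FIELDS = ("date", "nas", "user", "port", "remote", "type")


def parse_record(line):
    """Split one accounting line into a dict; trailing attr=value pairs become keys.

    Returns None for lines that do not have the six fixed fields, so a truncated
    or foreign line is skipped instead of crashing the whole run.
    """
    parts = line.rstrip("\n").split("\t")
    if len(parts) < len(FIXED_FIELDS):
        return None
    rec = dict(zip(FIXED_FIELDS, parts))
    for av in parts[len(FIXED_FIELDS):]:
        key, sep, value = av.partition("=")
        if sep:  # ignore stray tokens that are not attr=value
            rec[key] = value
    return rec


def parse_acct(text):
    """Parse a whole accounting file (as a string) into a list of record dicts."""
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


# IOS expands the command it sends for accounting, but accept the short form too.
CONFIG_CMD = re.compile(r"^conf(?:igure)?\b")


def config_mode_events(records):
    """(date, user, nas, cmd) for every command record that entered config mode.

    Exec start/stop records carry no cmd attribute and are skipped.
    """
    return [(r["date"], r["user"], r["nas"], r["cmd"])
            for r in records if "cmd" in r and CONFIG_CMD.match(r["cmd"])]


def commands_per_user(records):
    """How many command accounting records each user produced."""
    return Counter(r["user"] for r in records if "cmd" in r)


if __name__ == "__main__":
    import sys
    # Pass the real file as the first argument; with no argument use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ACCT
    recs = parse_acct(text)
    for date, user, nas, cmd in config_mode_events(recs):
        print(f"{date}  {user}@{nas}  {cmd}")
    print("commands per user:", dict(commands_per_user(recs)))
```

Run it as `python3 acct_report.py /var/log/tac_plus.acct` to list who entered configuration mode on which device and when; the same parse_acct output is the natural input for a cron job that alerts when a configure event comes from an account (such as rancid) that should never issue one.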

3.2 Login as the rancid user

Try logging in as the rancid user. You should be able to do "show run". However if you try to enter configuration mode it should fail:

rtrX#conf t
Command authorization failed.

rtrX#
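To see why the configuration in section 1.3 produces exactly this result (rancid may "show run" but not "conf t", while sysadm may do both), here is an added example that models the command-authorization rules as the tac_plus documentation describes them. It is not tac_plus code and is deliberately simplified: a group with no cmd block for the command falls back to its "default service"; a group with a cmd block joins the command's arguments with spaces and tries the block's permit/deny regexes in order, first match wins, and a cmd block in which nothing matches denies. IOS sends "<cr>" as the final argument of every command it submits for authorization, which is why deny "." also catches a bare "configure". The third group (cfg_only) and the user "junior" are hypothetical additions to show rule ordering; only l2_tacacs_users, netops, rancid and sysadm come from the tutorial.

```python
"""Simplified model of tac_plus command authorization for the tutorial's groups.

Added example, not tac_plus source code. Rules modelled (per the tac_plus
user guide):
  * no "cmd = X" block for the command -> "default service" decides;
  * a cmd block -> arguments joined with spaces, permit/deny regexes tried
    in order (unanchored search), first match wins, no match -> deny.
IOS appends "<cr>" as the last argument of every authorization request.
"""
import re

# Transcription of tac_plus.conf groups as data: (action, regex) in file order.
GROUPS = {
    # from the tutorial: level-15 exec, but configure/debug blocked outright
    "l2_tacacs_users": {
        "default_service": "permit",
        "cmds": {"configure": [("deny", ".")], "debug": [("deny", ".")]},
    },
    # from the tutorial: everything permitted
    "netops": {"default_service": "permit", "cmds": {}},
    # HYPOTHETICAL (not in the tutorial): only "configure terminal" allowed,
    # every other configure variant (memory, replace, network...) denied.
    # The "<cr>" has to be part of the permit pattern because IOS sends it.
    "cfg_only": {
        "default_service": "permit",
        "cmds": {"configure": [("permit", "^terminal <cr>$"), ("deny", ".")]},
    },
}
USERS = {"rancid": "l2_tacacs_users", "sysadm": "netops",
         "junior": "cfg_only"}  # "junior" is hypothetical


def authorize_cmd(user, cmd, args):
    """True if the user's group permits `cmd` with argument list `args`."""
    group = GROUPS[USERS[user]]
    rules = group["cmds"].get(cmd)
    if rules is None:                      # no cmd block: default service applies
        return group["default_service"] == "permit"
    arg_string = " ".join(list(args) + ["<cr>"])   # IOS always adds <cr>
    for action, pattern in rules:          # first matching rule wins
        if re.search(pattern, arg_string):
            return action == "permit"
    return False                           # cmd block present, nothing matched


if __name__ == "__main__":
    checks = [("rancid", "show", ["running-config"]),
              ("rancid", "configure", ["terminal"]),
              ("rancid", "configure", []),
              ("sysadm", "configure", ["terminal"]),
              ("junior", "configure", ["terminal"]),
              ("junior", "configure", ["replace", "flash:gold.cfg"])]
    for user, cmd, args in checks:
        verdict = "permit" if authorize_cmd(user, cmd, args) else "Command authorization failed."
        print(f"{user:7} {cmd} {' '.join(args):28} -> {verdict}")
```

The model makes the two easy mistakes visible: a cmd block whose rules never match denies even though the group says `default service = permit`, and an anchored permit pattern that forgets the trailing `<cr>` will never match anything the router actually sends.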