Tag Archives: tacacs+

Cisco Nexus TACACS config

According to the team where I work, our standard Catalyst TACACS+ config didn’t work properly. Here is the snippet they used to get going again:

user = DEFAULT {
  default service = permit
  service = exec {
    shell:roles*"network-admin vdc-admin"
  }
}

User-based role authorisation apparently didn’t work well either.

The * rather than the = marks it as an optional attribute, so switches that don’t understand it should ignore it rather than fail the authorisation.
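To make the mandatory/optional distinction concrete, here is an added example (not part of the original post) that parses TACACS+ authorization attribute-value pairs and resolves them the way RFC 8907 requires a client to: an unknown mandatory (=) argument fails the authorization, an unknown optional (*) argument is dropped. The attribute sets for the two switch types are hypothetical.

```python
import re
from dataclasses import dataclass

# One TACACS+ authorization argument: attribute, separator, value.
# "=" marks a mandatory argument, "*" an optional one (RFC 8907 section 8.2).
_AV_RE = re.compile(r'^([^=*]+)([=*])"?(.*?)"?$')


@dataclass(frozen=True)
class AVPair:
    attribute: str
    value: str
    optional: bool


def parse_av_pair(text: str) -> AVPair:
    """Split an argument such as shell:roles*"network-admin vdc-admin"."""
    m = _AV_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an attribute-value pair: {text!r}")
    attr, sep, value = m.groups()
    return AVPair(attr, value, sep == "*")


def apply_authorization(pairs, understood):
    """Resolve the server's arguments as a client must per RFC 8907:
    an unknown mandatory argument fails the authorization, an unknown
    optional argument is silently dropped. Returns (ok, accepted)."""
    accepted = {}
    for p in pairs:
        if p.attribute in understood:
            accepted[p.attribute] = p.value
        elif not p.optional:
            return False, {}
    return True, accepted


# Constructed sample: the Nexus attribute from the snippet above plus the
# priv-lvl attribute used by the IOS group later on this page.
SERVER_ARGS = ['priv-lvl=15', 'shell:roles*"network-admin vdc-admin"']

# Hypothetical attribute sets: a Nexus understands shell:roles, an older
# Catalyst does not, so it must be able to ignore the optional argument.
NEXUS_ATTRS = {"priv-lvl", "shell:roles"}
CATALYST_ATTRS = {"priv-lvl"}

if __name__ == "__main__":
    pairs = [parse_av_pair(a) for a in SERVER_ARGS]
    print("nexus:", apply_authorization(pairs, NEXUS_ATTRS))
    print("catalyst:", apply_authorization(pairs, CATALYST_ATTRS))
```

Had the snippet used shell:roles= instead, the last call would return a failed authorization on the Catalyst, which is the lock-out the * avoids.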

Thanks to Emma Cardinal-Richards for the snippet.

TACACS+ on MRV LX4000T Console Servers

In this fourth post in the TACACS+ series, I’ll look at using TACACS+ for access to the console port of an IOS device via an MRV console server.

MRV LX4000T Console Servers

Configure TACACS+ for authentication and accounting. “Local subscriber” means that if a username is defined locally, it can be authenticated by TACACS+ and still use the properties defined locally.

TOUCS:0 >>config
Config:0 >>aaa
AAA:0 >>tacacs+ primary authentication server address <IP>
AAA:0 >>tacacs+ primary authentication server secret ...    
AAA:0 >>tacacs+ secondary authentication server address <IP2>
AAA:0 >>tacacs+ secondary authentication server secret ...   
AAA:0 >>tacacs+ primary accounting server address <IP>
AAA:0 >>tacacs+ primary accounting server secret ...   
AAA:0 >>tacacs+ secondary accounting server address <IP2>  
AAA:0 >>tacacs+ secondary accounting server secret ...   
AAA:0 >>tacacs+ local subscriber enable

Enable authentication and accounting on the Ethernet interfaces. The fallback statement allows the local authentication database to be used if the TACACS+ servers are unreachable.

TOUCS:0 >>config
Config:0 >>interface 1
Warning Interface active
Intf 1-1:0 >>authentication tacacs+ enable
Intf 1-1:0 >>tacacs+ accounting enable
Intf 1-1:0 >>authentication fallback attempts 3 
Intf 1-1:0 >>exit 
Config:0 >>interface 2
Warning Interface active
Intf 2-2:0 >>authentication tacacs+ enable
Intf 2-2:0 >>tacacs+ accounting enable
Intf 2-2:0 >>authentication fallback attempts 3 
Intf 2-2:0 >>end

Confirm our configuration

TOUCS:0 >>show tacacs+ characteristics
 Time:                                          Mon, 21 Jun 2010 14:22:58 UTC
 Primary TACACS+ Authentication Server:
 IP Address:              <IP>  TACACS+ Auth. TCP Port:            49
 Secret:                    Configured  Timeout:                            5
 Retry:                              3
 Secondary TACACS+ Authentication Server:
 IP Address:               <IP2>  TACACS+ Auth. TCP Port:            49
 Secret:                    Configured  Timeout:                            5
 Retry:                              3
 Primary TACACS+ Authorization Server:
 IP Address:                   0.0.0.0  TACACS+ Author. TCP Port:          49
 Secret:                Not configured  Timeout:                            5
 Retry:                              3
 Secondary TACACS+ Authorization Server:
 IP Address:                   0.0.0.0  TACACS+ Author. TCP Port:          49
 Secret:                Not configured  Timeout:                            5
 Retry:                              3
 Primary TACACS+ Accounting Server:   
 IP Address:              <IP>  TACACS+ Acct. TCP Port:            49
 Secret:                    Configured  Timeout:                            5
 Retry:                              3
 Secondary TACACS+ Accounting Server: 
 IP Address:               <IP2>  TACACS+ Acct. TCP Port:            49
 Secret:                    Configured  Timeout:                            5
 Retry:                              3
 Superuser Request:           Disabled  Accounting Server Period:           5
 Local Subscriber:             Enabled  Source Interface:                   1
 Command Authorization:       Disabled  Command Logging:             Disabled
 Command Authorization Fallback:                                     Disabled
 TACACS+ Authentication Serial Ports:
 TACACS+ Authentication Interfaces: 1
 TACACS+ Accounting Serial Ports:
 TACACS+ Accounting Interfaces: 1

TACACS+ on Cisco WLCs

In this third post in the TACACS+ series, I’ll cover using TACACS+ for administering a Cisco WLC device.

Cisco WLC

Server Config

group = wlc {
  service = ciscowlc {
    role1 = ALL
  } 
}

group = wlc-read-only {
  cmd = show {
    permit .*
  }
  cmd = ping {
    permit .*
  }
  cmd = traceroute {
    permit .*
  }
  service = exec {
    priv-lvl = 15
  }   
  service = ciscowlc {
    role1 = ALL
  }   
}

Client Config

This is fairly trivial and best done through the GUI. Just go to security->tacacs+ and add the servers and keys for Authentication and Authorization. I didn’t find the Accounting data very useful so left that off. To work out the server settings I ran the daemon in debugging mode and looked at what the WCS was sending. Something like:

# tac_plus -C /path/to/tac_plus.conf -g -d <level>

TACACS+ on Cisco ASAs

In this second post in the TACACS+ series, I’ll cover using TACACS+ for administering an ASA via SSH and ASDM, as well as for SSL VPN access.

Cisco ASA 5500 Series

  • After you ssh in, you’ll need to enable.
  • You can use your TACACS+ password to do this.
  • Users with privilege level 5 are read only.

Server Config

# Groups
group = asa {
  default service = permit
  service = exec {
    priv-lvl = 15
  }
}
group = asa-read-only {
  default service = permit
  service = exec {
    priv-lvl = 5
  }
}
# Users
user = admin {
  member = all
  login = des <snip>
  enable = des <snip>
}
user = read-only {
  member = asa-read-only
  login = des <snip>
}

Client Config

# To generate an RSA key pair, which is required for SSH, enter the following command:
crypto key generate rsa modulus 2048
# Give the device a hostname / domain name
!
hostname foo
domain-name bar.domain
!
# Add local AAA users
username user1 password <snip>
enable password <snip>
!
# Set up the management interface
interface Management0/0
 nameif manage
 security-level 50
 ip address 192.168.1.254 255.255.255.0
!
# ACL which selects who should use tacacs for AAA
access-list LOGIN extended permit tcp 192.168.1.0 255.255.255.0 interface manage eq ssh
access-list LOGIN extended permit tcp 192.168.1.0 255.255.255.0 interface manage eq https
!
# Set a default route for management access
route manage 0.0.0.0 0.0.0.0 192.168.1.254 1
!
# Set up tacacs
aaa-server data-tacacs protocol tacacs+
aaa-server data-tacacs (manage) host [ip] key <snip>
aaa authentication match LOGIN manage data-tacacs
aaa authentication ssh console data-tacacs LOCAL
# Console access local auth - optional
# aaa authentication enable console LOCAL
aaa authentication http console data-tacacs LOCAL
aaa authentication enable console data-tacacs
aaa authorization command data-tacacs LOCAL
aaa accounting command data-tacacs
aaa accounting enable console data-tacacs
aaa accounting ssh console data-tacacs
!
# Enable ASDM
http server enable
# ACL for ASDM
http 192.168.1.0 255.255.255.0 manage
!
# Allow ssh in for management subnet
ssh 192.168.1.0 255.255.255.0 manage
!
# You'll need NTP for TACACS to work - best have > 1
ntp server ntp0.domain source outside prefer
ntp server ntp1.domain source outside
ntp server ntp2.domain source outside
!

If you want to use TACACS+ as the auth mechanism for an SSL VPN running on an ASA:

tunnel-group DefaultRAGroup general-attributes
 authentication-server-group data-tacacs

Be careful if you run command authorisation on an ASA and have two TACACS+ servers. The default reactivation-mode is timed, so if the networking on your device fails you can lock yourself out of it.

WARNING: 
If fallback authentication is configured with this server and reactivation mode is set to timed. 
Multiple aaa servers may prevent the appliance from ever invoking the fallback auth mechanism.
*** Output from config line 126, " reactivation-mode timed"
WARNING: 
Fallback authentication is configured, but reactivation mode is set to timed. Multiple aaa servers 
may prevent the appliance from ever invoking the fallback auth mechanism.

If you do have two servers available the answer is to do this:

asa(config-aaa-server-group)# reactivation-mode ?
aaa-server-group mode commands/options:
    depletion Failed servers will remain inactive until all other servers in this group are inactive
    timed Failed servers will be reactivated after 30 seconds of down time
asa(config-aaa-server-group)# reactivation-mode depletion

TACACS+ on IOS devices

In this first post in the TACACS+ series, I’ll look at some general server stuff and then configuring TACACS+ on IOS devices. I’ll cover ASAs, WLCs and MRV LX-4000T console servers in later posts.

Packaging

These days I use the stock Debian package. A few years ago I hand-rolled an RPM based on the Shrubbery Networks code. You can download that here: tac_plus-F4.0.4-15.i386.rpm.

Generating a password for the config file

htpasswd -nd <username>

A script to parse and email the logs

I use a script I wrote called tac_logmail to dump a summary of the logs in our RT queue every day. It assumes you use syslog-ng to dump your tacacs logs to a central syslog server.

On tacacs+ servers:

source s_tacacs {
file("/var/log/tacacs" follow_freq(1) flags(no-parse));
};
destination d_remote {
tcp("syslog.domain", localip([% hostname %]), destport());
};

On central server:

template t_isotemplate { 
    template("$S_ISODATE $HOST_FROM $MSGHDR$MSG\n");    
    template_escape(no); 
};
# === Tacacs+ 
filter f_tacacs_plus_host {
    host ("foo") or host("bar");
};
destination d_tacacs_plus {
    file("/var/log/remote/tacacs+/tacacs+-$YEAR-$MONTH-$DAY" template(t_isotemplate));
};
log {
    source(s_tcp);
    source(s_udp);
    filter(f_tacacs_plus_host);
    destination(d_tacacs_plus);
};
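tac_logmail itself isn’t reproduced here, so as an added example (my own, not the author’s script) this is the kind of daily summary it would produce from the centralised file above: per-user command counts per NAS, with configuration-changing commands pulled out for the ticket. It assumes lines in the t_isotemplate layout and tac_plus’s tab-separated accounting records; the sample lines are constructed.

```python
from collections import Counter

# Constructed sample in the t_isotemplate layout: $S_ISODATE $HOST_FROM and
# then the raw tac_plus accounting record (flags(no-parse) leaves it intact).
# Assumed record layout: date, NAS, user, port, remote address, event, then
# key=value fields, all tab separated.
SAMPLE_LOG = "\n".join([
    "2010-06-21T14:22:58+00:00 foo Mon Jun 21 14:22:58 2010\t10.0.0.1\tadmin\ttty1\t10.0.0.5\tstart\ttask_id=5\tservice=shell",
    "2010-06-21T14:22:58+00:00 foo Mon Jun 21 14:22:58 2010\t10.0.0.1\tadmin\ttty1\t10.0.0.5\tstop\ttask_id=5\tservice=shell\tpriv-lvl=15\tcmd=show running-config <cr>",
    "2010-06-21T14:22:59+00:00 foo Mon Jun 21 14:22:59 2010\t10.0.0.1\tadmin\ttty1\t10.0.0.5\tstop\ttask_id=6\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>",
    "2010-06-21T14:23:00+00:00 bar Mon Jun 21 14:23:00 2010\t10.0.0.2\tread-only\ttty2\t10.0.0.9\tstop\ttask_id=7\tservice=shell\tpriv-lvl=5\tcmd=show version <cr>",
    "2010-06-21T14:23:01+00:00 foo login failure for bob on tty3",
])


def parse_record(line):
    """Return a dict for one centralised accounting line, or None when
    the line is not a tab-separated tac_plus accounting record."""
    try:
        iso_ts, host, raw = line.split(" ", 2)
    except ValueError:
        return None
    fields = raw.split("\t")
    if len(fields) < 6:
        return None
    _date, nas, user, port, remote, event = fields[:6]
    avs = dict(f.split("=", 1) for f in fields[6:] if "=" in f)
    return {"time": iso_ts, "server": host, "nas": nas, "user": user,
            "port": port, "remote": remote, "event": event, **avs}


def summarise(log_text):
    """Count completed commands per (user, NAS) and list the ones that
    change configuration, which is what a reviewer wants to see first."""
    commands = Counter()
    config_changes = []
    for line in log_text.splitlines():
        r = parse_record(line)
        if r is None or r["event"] != "stop" or "cmd" not in r:
            continue  # start records and non-accounting lines carry no command
        cmd = r["cmd"].replace(" <cr>", "")
        commands[(r["user"], r["nas"])] += 1
        if cmd.startswith(("configure", "write", "copy")):
            config_changes.append((r["time"], r["user"], r["nas"], cmd))
    return commands, config_changes


if __name__ == "__main__":
    counts, changes = summarise(SAMPLE_LOG)
    for (user, nas), n in sorted(counts.items()):
        print(f"{user:12} {nas:16} {n} commands")
    for change in changes:
        print("CONFIG CHANGE:", *change)
```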

Cisco IOS Switch / Router Configuration

Server Config

group = ios {
  default service = permit
  service = exec {
    priv-lvl = 15
  }
}

Client Config

aaa new-model
!
aaa authentication login default local group tacacs+
aaa authentication enable default enable group tacacs+
aaa authorization console
aaa authorization exec default local group tacacs+ if-authenticated 
aaa authorization commands 15 default local group tacacs+ if-authenticated 
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
ip tacacs source-interface [int]
!
tacacs-server host [ip] key [foo]
tacacs-server directed-request
!
line con 0
authorization exec default
line vty 0 [n]
login authentication default
!
# You'll need NTP for TACACS to work - best have > 1
ntp server [ip] key 0