Basic AAA tacacs+ with tac_plus daemon

Summary
tac_plus is a Linux daemon you can run as a basic TACACS+ AAA server.

I have used this application to secure and centralise access to routers and switches in a production network that previously relied only on local usernames/passwords.
Another motivation for tac_plus is to run it in a lab for testing and to verify TACACS+ configurations before deploying them on a live network.


tac_plus runs on Linux, but as every Linux installation has subtle differences, I assume you understand that the configuration is likely to require your own tweaks to make it run on your machine.

The aim is to introduce the concepts and tie them to some real detail to aid understanding.

To truly secure a production network you will have to look into the more advanced parameters and tailor them to meet your requirements. tac_plus is free software rather than a commercial offering, but it does a good enough job for small networks that do not have heavy security compliance requirements.

Authentication
With tac_plus the easiest (but not the most secure) way to set up your users is in the Linux password file.

For a test-lab setup this is the most convenient way of creating users, using the familiar Linux useradd and passwd commands.

Using Linux PAM modules will also improve user security and give you more flexibility.
tac_plus also supports DES-encrypted passwords.
tac_plus also lets you expire passwords, requiring users to change their password periodically for added security.

User groups and command authorisation
While authentication is the first step in enforcing AAA, the TACACS+ protocol really shines when it is used to control which commands a user is allowed to run.

Network administrators will find that being able to enforce role-based access can be extremely useful.

For example, you can group users who are allowed access as follows:

* engineers – granted full read and write access, including reset, reload, etc.
* consultants – granted read-only access but allowed to run more advanced commands, e.g. clear ip bgp * and show running-config, while being prevented from making configuration changes
* operators – restricted to read-only access and less intrusive commands

tac_plus lets you set up these groups, assign users to them and grant rights depending on their role.

Accounting and tracking access to your devices
As a network administrator you want to be able to audit who logs into a network device and when.

tac_plus will record session times and the user who accessed the device.
If you have set up command accounting, tac_plus also records the commands that a user invokes during their session.
All entries are timestamped and in clear text, making them easy to understand and follow.

The tac_plus configuration file
Like any Linux daemon, tac_plus uses a configuration file, “tac_plus.conf”, which you set up to your requirements.

Here is an example tac_plus.conf. The logic is easy to follow when reading this configuration file.

# asterisk * is a wildcard
key = hard2guess
accounting file = /var/log/tac_plus.log
default authentication = file /etc/passwd
default service = permit

# restrict access to devices with these ip addresses
acl = default {
    permit = 10\.1\.3\.
}

# Group that is allowed full read and write access
group = engineers {
    expires = "Jan 1 2030"
    service = exec {
        priv-lvl = 15
    }
}

# Group with read only access including reading the configuration file
group = consultants {
    service = exec {
        priv-lvl = 15
    }
    cmd = show {
        permit .*
    }
    cmd = ping {
        permit .*
    }
    cmd = traceroute {
        permit .*
    }
    cmd = exit {
        permit .*
    }
    cmd = logout {
        permit .*
    }
}

# A group with limited read only access
# related to host-side network configuration
group = operators {
    service = exec {
        priv-lvl = 15
    }
    # one cmd block per command: the patterns are tried top-down and the
    # first match wins, so the denies for the running/startup config come
    # before the catch-all permit
    cmd = show {
        deny run.*
        deny star.*
        permit .*
    }
    cmd = exit {
        permit .*
    }
}

# Add users to groups
user = tacacsuser-rw {
    default service = permit
    member = engineers
}

user = tacacsuser-ero {
    default service = permit
    member = consultants
}

user = tacacsuser-ro {
    default service = permit
    member = operators
}
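As an added example (not part of the original post and not tac_plus code), here is a small Python model of how tac_plus evaluates the cmd blocks above, so you can check a role's effective rights before loading the file. It assumes the documented behaviour that inside a cmd block the patterns are tried top-down with the first match deciding and no match meaning deny, and that a command with no cmd block falls back to the user's default service; confirm this against your own tac_plus build. Note that because the users above carry default service = permit, an unlisted command such as configure is permitted even for operators, so a truly read-only role needs an explicit deny or default service = deny.

```python
import re
from dataclasses import dataclass, field

# Model of tac_plus command authorisation (constructed example, not tac_plus
# source).  Assumed, documented behaviour: inside a matching "cmd = X { ... }"
# block the permit/deny patterns are tried top-down and the first regex that
# matches the argument string decides; if none matches the command is denied.
# If no cmd block exists for X at all, the user's "default service" applies.

@dataclass
class Group:
    cmds: dict = field(default_factory=dict)   # "show" -> [("deny", "run.*"), ...]
    default_service_permit: bool = False       # "default service = permit"

def authorize(group: Group, command: str, args: str) -> bool:
    rules = group.cmds.get(command)
    if rules is None:
        return group.default_service_permit    # unlisted command: default service
    for action, pattern in rules:
        if re.search(pattern, args):           # tac_plus regex is unanchored
            return action == "permit"
    return False                               # cmd block found, nothing matched

# The consultants and operators groups from the tac_plus.conf above, as data.
CONSULTANTS = Group({"show": [("permit", ".*")], "ping": [("permit", ".*")],
                     "traceroute": [("permit", ".*")], "exit": [("permit", ".*")],
                     "logout": [("permit", ".*")]}, default_service_permit=True)
OPERATORS = Group({"show": [("deny", "run.*"), ("deny", "star.*"), ("permit", ".*")],
                   "exit": [("permit", ".*")]}, default_service_permit=True)

def check(group: Group, line: str) -> bool:
    """Split an exec command line into command and arguments, then authorise."""
    command, _, args = line.partition(" ")
    return authorize(group, command, args)

if __name__ == "__main__":
    for line in ["show version", "show running-config", "show startup-config",
                 "configure terminal"]:
        verdict = "permit" if check(OPERATORS, line) else "deny"
        print(f"operators  {line!r:24} -> {verdict}")
```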

Starting, stopping and checking status of tac_plus
Use the appropriate command to start, check status and stop tac_plus daemon.

If you make changes to your tac_plus.conf file you should always stop and then restart the service for the changes to take effect.
You must have sufficient rights to run tac_plus, which usually means being a “sudoer”.

[johns@centossupp-unx ~]$ /sbin/service tac_plus restart
Restarting tac_plus (via systemctl): [ OK ]

[johns@centossupp-unx ~]$ /sbin/service tac_plus status
/etc/init.d/tac_plus: line 31: [: =: unary operator expected
tac_plus.service - LSB: TACACS+ server based on Cisco source release
Loaded: loaded (/etc/rc.d/init.d/tac_plus)
Active: active (running) since Thu 2016-10-13 18:01:48 EST; 18s ago
Process: 19575 ExecStop=/etc/rc.d/init.d/tac_plus stop (code=exited, status=0/SUCCESS)
Process: 19631 ExecStart=/etc/rc.d/init.d/tac_plus start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/tac_plus.service
+-19636 /usr/bin/tac_plus -C /etc/tac_plus.conf -l /var/log/tacacs -d 16

[johns@centossupp-unx ~]$ /sbin/service tac_plus stop
Stopping tac_plus (via systemctl): [ OK ]

Example device tacacs set up on a Cisco router
Once tac_plus is configured you are ready to configure TACACS+ on your network devices.
Please refer to your vendor documentation for setting up tacacs+ on your managed device.

Below is a simple example for controlling remote login to a Cisco router.

hostname R1
!
username johns privilege 15 secret 5 $1$zjjfghrfKW$Z5xz5g64EL2ux/VUuHRTT/
!
aaa new-model
aaa authentication login VTYUSER group tacacs+ local
aaa authorization exec VTYUSER group tacacs+ local
! command authorization is what makes the cmd = ... blocks in tac_plus.conf apply
aaa authorization commands 15 VTYUSER group tacacs+ local
aaa accounting exec VTYUSER start-stop group tacacs+
aaa accounting commands 15 VTYUSER start-stop group tacacs+
!
interface FastEthernet0/0
 ip address 10.1.3.241 255.255.255.240
!
tacacs server PRIMARY
 address ipv4 10.1.3.253
 key hard2guess
!
line con 0
 exec-timeout 0 0
 login local
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 authorization exec VTYUSER
 authorization commands 15 VTYUSER
 accounting exec VTYUSER
 accounting commands 15 VTYUSER
 login authentication VTYUSER