Installation of Tacacs+ on Ubuntu


wildweaselmi

This article describes how to install a complete solution to manage the users that have access to your network devices, and also how to automatically back up your network device configurations in CVS-based storage in order to have diffs of them. You'll also be able to script commands you want to run on your routers/switches for easier administration.

Introduction

This document is in constant evolution, do not hesitate to check it from time to time. If you see something that has to be added or corrected, feel free to contact me.
Follow this document step by step and it will work without problems; do not skip a section, read it carefully.

  • Tacacs+ : an authentication server that lets you manage the users that have to access network devices and give them different access levels (super user or mortal user). You can also give each user a list of commands he is allowed to use.
  • Rancid : a tool which automatically backs up your network device configurations and stores them in text and CVS format. It also lets you script commands that have to be executed on your network devices using clogin, described in this article. clogin is also used to automate the connection to the network devices.
  • Cvsweb : displays the CVS-stored configurations in a web page that lets you compare different versions of your configurations.

Note : This document has been written for Cisco devices running IOS software only. It should work with other network device vendors (such as Juniper, Foundry...) but you should read the vendor's documentation and rancid's to see how to configure it properly. It also works with Cisco devices running CatOS software, but no CatOS commands are provided in this document.



Installation

Tacacs+

First of all you'll need to get the latest version of tacacs+ here :

Note : Don't do an apt-get install tac-plus, it's the Cisco version which should not work with the configuration file of this manual. The shrubbery version is also more up to date.

This document has been written using tacacs+-F4.0.4.10.

You'll need to install the TCP wrappers and compilation tools if they're not yet installed.

# apt-get install libwrap0-dev gcc make libc6-dev flex bison





Once you've got the tacacs+ archive, you have to uncompress it (in /usr/src for example).

Before installing tacacs+ I kindly advise you to read the INSTALL file in the uncompressed tacacs+ directory if you want more information.

# cp tacacs+-F4.0.4.10.tar.gz /usr/src
# cd /usr/src
# tar xvfz tacacs+-F4.0.4.10.tar.gz
# cd tacacs+-F4.0.4.10
# ./configure
# make install

Installation directories are the following :

/usr/local/bin : for the binaries tac_plus and tac_pwd
/usr/local/man : for the manuals

man tac_plus and man tac_pwd are now available for more information.



Now we have to create the tacacs configuration file /etc/tac_plus.conf :

#
# tacacs configuration file
# Pierre-Yves Maunier - 20060713
# /etc/tac_plus.conf

# set the key
key = cle_tacacs

accounting file = /var/log/tac_plus.acct

# users accounts
user = dhosang {
    login = cleartext "normal"
    enable = cleartext "enable"
    name = "Dennis Hosang"
}

For the moment you have a user called "dhosang". His password to get connected on the device is "normal" and the password to get into privileged mode is "enable".

As his passwords are in clear text, it is safer to encrypt them, so we use the tool tac_pwd.





# tac_pwd
Password to be encrypted: normal
yrVMIa532Sy.2
# tac_pwd
Password to be encrypted: enable
Elwo6gXCbVulw

So we change dhosang's account like this :

user = dhosang {
    login = des "yrVMIa532Sy.2"
    enable = des "Elwo6gXCbVulw"
    name = "Dennis Hosang"
}

For more security, we change the permissions of the configuration file :

# chmod 600 /etc/tac_plus.conf





Cisco configuration

Now we have to configure the Cisco device so that it looks for users in the tacacs+ server.

Note : We will create a local user on the Cisco device which will be usable only if the tacacs server is unreachable. This user account will be disabled when the tacacs server is reachable.

In this example, the local user account will be :

username : local_user
password : local_password
enable : local_secret

aaa new-model
aaa authentication login telnet group tacacs+ local
aaa authentication login console group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default if-authenticated none
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
!
enable secret local_secret
!
username local_user secret local_password
!
line con 0
 login authentication console
line vty 0 4
 login authentication telnet
line vty 5 15
!
tacacs-server host 10.6.56.244
tacacs-server key cle_tacacs

Note : 10.6.56.244 is the IP address of the tacacs+ server






---------- Explanations ----------

Creation of an authentication list

Router(config)# aaa authentication login {default | list-name} method1

list-name is a character string used to name the authentication list. The method arguments list the authentication methods that have to be used ('group tacacs+' and 'local' here). The first method is always used, and the second one is used only if the first method returns an error, not if the authentication fails : useful when you want local authentication only if the tacacs+ server is unreachable.

If we use default instead of a named list, the default authentication list will be used for every 'line' that doesn't have the configuration line 'login authentication {list-name}'.

Router(config)# aaa authentication enable default method1

NOTE: The same as above but for the privileged mode password: we look in the tacacs+ server and the local authentication is used only if the tacacs+ server is unreachable.

For more information about Cisco AAA (very good docs) :

---------- End of Explanations ----------




Now we launch the tacacs+ server :

# tac_plus -C /etc/tac_plus.conf

Now the device should use the tacacs+ server for the authentication, and we can use the users created in the tacacs+ configuration file.

# telnet 10.6.63.65
Trying 10.6.63.65...
Connected to switch.
Escape character is '^]'.
User Access Verification
Username: dhosang
Password: // password : normal
switch>en
Password: // password : enable
switch#

If you have any problem, use the command "debug aaa authentication" on the Cisco to troubleshoot the tacacs server and see what happens when you try to connect.

You can also try :

# tail -f /var/log/tac_plus.acct






Debug Cisco IOS Tacacs

debug condition username
    Sets conditional debugging for a specific user and generates debug output related to that user

debug aaa authentication
    Displays authentication information for the TACACS+ client/server interaction

debug aaa authorization
    Displays authorization information for the TACACS+ client/server interaction

debug aaa accounting
    Displays accounting information for the TACACS+ client/server interaction

debug tacacs
    Displays the TACACS+ interaction between the IOS client and the AAA server

debug ppp negotiation
    Shows whether a client is passing PPP negotiation

debug ppp authentication
    Shows whether a client is passing authentication

debug ppp error
    Displays protocol errors and error statistics associated with PPP connection negotiation and operation

no debug all
    Turns off debugging




I'm having a difficult time here getting tacacs to work. I can get it to authenticate but never do any restrictions. I verified my IOS is above 11.1 (it's actually 12.x)

I followed these instructions which are pretty close to yours

STEP 1:

Login to the ubuntu server and run the command as sudo (installing dependency packages)

sudo apt-get install gcc flex bison

STEP 2:

download the tacplus package from ftp://ftp.shrubbery.net/pub/tac_plus

STEP 3:

I am using the stable version tacacs+-F4.0.4.26.tar.gz

transfer the file to any directory inside your ubuntu server

untar the file

tar xvf tacacs+-F4.0.4.26.tar.gz




This creates a folder tacacs+-F4.0.4.26

STEP 4:

Building tacplus

First get in the directory where you extracted all those files

cd tacacs+-F4.0.4.26

Then initiate the tac plus build script

./configure

Then run the command that will compile tacacs source files

make install

STEP 5:

Setting up the configuration files for Tac Plus

Create a folder tacacs under /etc/

mkdir /etc/tacacs

Create a file tac_plus.conf under /etc/tacacs

touch /etc/tacacs/tac_plus.conf

Copy the below to your new tac_plus.conf you just created















#setting the tacacs key
key = "cle_tacacs"

# Set the accounting file location.
accounting file = /var/log/tac-plus/tacacs.log

#user accounts--here user details are defined

#user1 user@gmail.com
user = netadm1n {
    default service = permit
    member = admingroup
    login = des ADbSbYqKyU7oA
}

#user 2 dennis@mywiseguys.com
user = dennis {
    default service = permit
    member = admingroup
    login = des 5rsMIuWkIU.hE
}

#readonly - account used for readonly user
user = user3 {
    default service = deny
    member = readonly
    login = des OO4SoQ2tgtjo2
}

#contractor- account used for contractor user
user = user4 {
    default service = permit
    member = contractor
    login = des Dw.DJrk9hHe5Y
    enable = des 8HStCZank7D3.
}

#####################################################################
#group details are defined here

# admin group can do anything on network gear
group = admingroup {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

# contractor group for contract admins
group = contractor {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

group = readonly {
    default service = deny
    service = exec {
        priv-lvl = 0
    }
    cmd = show {
        permit .*
    }
    cmd = enable {
        permit .*
    }
    cmd = exit {
        permit .*
    }
}

#Enable password setup for all users:
user = $enable$ {
    login = des GHW.0OUwMy2ds
}

Defined 4 users

2 users with full access
1 user who will be having only read only privilege who can just run show commands
1 user with full access meanwhile having a different enable password.

For all the users except user4 the enable password will be the same.







Update with your DES passwords by running

sudo /usr/local/bin/tac_pwd

Create a file tac_plus under /etc/init.d/ and make it executable

touch /etc/init.d/tac_plus
chmod 755 /etc/init.d/tac_plus

(This command will give execute privilege for the tac_plus file for the root user)

Copy the below contents to /etc/init.d/tac_plus







#!/bin/sh
#
### BEGIN INIT INFO
# Provides: tac-plus
# Required-Start: $network
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: S 0 1 6
# Short-Description: Start tac-plus server.
# Description: Run the tac-plus server listening for
# AAA ( access, accounting and authorization request )
# from routers or RAS (remote access servers) via
# tacacs+ protocol
### END INIT INFO

PATH=/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/local/bin/tac_plus
NAME=tac_plus
DESC="Tacacs+ server"
OTHER_OPTS="-d 256" # Default, if no /etc/default/tac_plus available
CONFIG_FILE="/etc/tacacs/tac_plus.conf" # Default, if no /etc/default/tac_plus available

test -f $DAEMON || exit 0

# Override the defaults above from /etc/default/tac_plus when that file exists
if [ -f /etc/default/tac_plus ]; then
    . /etc/default/tac_plus
fi

DAEMON_OPTS="-C $CONFIG_FILE $OTHER_OPTS"

case "$1" in
  start)
    echo -n "Starting $DESC: "
    start-stop-daemon --start --quiet --pidfile /var/run/$NAME.pid --exec $DAEMON -- $DAEMON_OPTS
    echo "$NAME."
    ;;
  stop)
    echo -n "Stopping $DESC: "
    start-stop-daemon --stop --quiet --pidfile /var/run/$NAME.pid --exec $DAEMON
    echo "$NAME."
    ;;
  *)
    N=/etc/init.d/$NAME
    echo "Usage: $N {start|stop}" >&2
    exit 1
    ;;
esac

exit 0








Create a file tac_plus under /etc/default

touch /etc/default/tac_plus
chmod 755 /etc/default/tac_plus

(This command will give execute privilege for the tac_plus file for the root user)

Copy the contents below to /etc/default/tac_plus







CONFIG_FILE="/etc/tacacs/tac_plus.conf"
OTHER_OPTS="-d 16 -L"

tac_plus options defined

-d
Value   Meaning
2       configuration parsing debugging
4       fork(1) debugging
8       authorization debugging
16      authentication debugging
32      password file processing debugging
64      accounting debugging
128     config file parsing & lookup
256     packet transmission/reception
512     encryption/decryption
1024    MD5 hash algorithm debugging
2048    very low level encryption/decryption
32768   max session debugging
65536   lock debugging

Create a file tacacs.log under /var/log/tac-plus to log all the aaa activities

mkdir /var/log/tac-plus
touch /var/log/tac-plus/tacacs.log
'






OTHER TAC_PLUS FILES

FILES

/var/log/tac_plus.acct  Default accounting file.
/var/log/tac_plus.log   Default log file used when the -d option is used.
/var/run/tac_plus.pid   Pid file. If the -B option is used, ".bind_address" is appended. If the -p option is used, ".port_number" is appended.








STEP 6:

Starting and Stopping Tac Plus

To start tacacs:

sudo /etc/init.d/tac_plus start

or

sudo tac_plus -C /etc/tacacs/tac_plus.conf

To stop tacacs:

/etc/init.d/tac_plus stop

STEP 7:

Verify tacacs is running by looking at

listening on TCP Port 49?

sudo netstat -na | grep 49

Tacacs runs on TCP Port 49 and the expected output should be

tcp 0 0 0.0.0.0:49 0.0.0.0:* LISTEN

log files have output

sudo tail -f /var/log/tac-plus/tacacs.log

Please go through the logs and look for tac plus software related errors





STEP 8:

Configure your Cisco Switches

tacacs-server host 10.6.56.244 (server ip will be entered here)
tacacs-server host x.x.x.x (second server ip will be entered here if it's there)
tacacs-server directed-request
tacacs-server key cle_tacacs

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network 15 start-stop group tacacs+
aaa accounting connection 15 start-stop group tacacs+




Some more troubleshooting I've been doing. I have debug going on my switch to capture what the heck is going on.

USER:

telnet 10.6.63.70
User Access Verification
Username:

SWITCH:

1w6d: AAA: parse name=tty2 idb type=-1 tty=-1
1w6d: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
1w6d: AAA/MEMORY: create_user (0x2F330D8) user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr='10.6.56.244' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
1w6d: AAA/AUTHEN/START (1413112787): port='tty2' list='telnet' action=LOGIN service=LOGIN
1w6d: AAA/AUTHEN/START (1413112787): found list telnet
1w6d: AAA/AUTHEN/START (1413112787): Method=tacacs+ (tacacs+)
1w6d: TAC+: send AUTHEN/START packet ver=192 id=1413112787
1w6d: TAC+: Using default tacacs server-group "tacacs+" list.
1w6d: TAC+: Opening TCP/IP to 10.6.56.244/49 timeout=5
1w6d: TAC+: Opened TCP/IP handle 0x30A9A90 to 10.6.56.244/49
1w6d: TAC+: periodic timer started
1w6d: TAC+: 10.6.56.244 req=30AA900 Qd id=1413112787 ver=192 handle=0x30A9A90 expire=5 AUTHEN/START/LOGIN/ASCII queued
1w6d: TAC+: 10.6.56.244 (1413112787) AUTHEN/START/LOGIN/ASCII queued
1w6d: TAC+: 10.6.56.244 id=1413112787 wrote 35 of 35 bytes
1w6d: TAC+: 10.6.56.244 req=30AA900 Qd id=1413112787 ver=192 handle=0x30A9A90 expire=4 AUTHEN/START/LOGIN/ASCII sent
1w6d: TAC+: 10.6.56.244 read=12 wanted=12 alloc=12 got=12
1w6d: TAC+: 10.6.56.244 read=55 wanted=55 alloc=55 got=43
1w6d: TAC+: 10.6.56.244 received 55 byte reply for 30AA900
1w6d: TAC+: req=30AA900 Tx id=1413112787 ver=192 handle=0x30A9A90 expire=4 AUTHEN/START/LOGIN/ASCII processed
1w6d: TAC+: (1413112787) AUTHEN/START/LOGIN/ASCII processed
1w6d: TAC+: periodic timer stopped (queue empty)
1w6d: TAC+: ver=192 id=1413112787 received AUTHEN status = GETUSER
1w6d: AAA/AUTHEN (1413112787): status = GETUSER

**************************************************************

USER:

user4

SWITCH:

1w6d: AAA/AUTHEN (2810233228): Method=tacacs+ (tacacs+)
1w6d: TAC+: send AUTHEN/CONT packet id=2810233228
1w6d: TAC+: periodic timer started
1w6d: TAC+: 10.6.56.244 req=3054130 Qd id=2810233228 ver=192 handle=0x17C6968 expire=5 AUTHEN/CONT queued
1w6d: TAC+: 10.6.56.244 (2810233228) AUTHEN/CONT queued
1w6d: TAC+: 10.6.56.244 id=2810233228 wrote 22 of 22 bytes
1w6d: TAC+: 10.6.56.244 req=3054130 Qd id=2810233228 ver=192 handle=0x17C6968 expire=4 AUTHEN/CONT sent
1w6d: TAC+: 10.6.56.244 read=12 wanted=12 alloc=12 got=12
1w6d: TAC+: 10.6.56.244 read=28 wanted=28 alloc=28 got=16
1w6d: TAC+: 10.6.56.244 received 28 byte reply for 3054130
1w6d: TAC+: req=3054130 Tx id=2810233228 ver=192 handle=0x17C6968 expire=4 AUTHEN/CONT processed
1w6d: TAC+: (2810233228) AUTHEN/CONT processed
1w6d: TAC+: periodic timer stopped (queue empty)
1w6d: TAC+: ver=192 id=2810233228 received AUTHEN status = GETPASS
1w6d: AAA/AUTHEN (2810233228): status = GETPASS

**************************************************************

USER:

loginpass

SWITCH:

1w6d: TAC+: Closing TCP/IP 0x17C6968 connection to 10.6.56.244/49
1w6d: tty2 AAA/AUTHOR/EXEC (614050778): Port='tty2' list='' service=EXEC
1w6d: AAA/AUTHOR/EXEC: tty2 (614050778) user='user4'
1w6d: tty2 AAA/AUTHOR/EXEC (614050778): send AV service=shell
1w6d: tty2 AAA/AUTHOR/EXEC (614050778): send AV cmd*
1w6d: tty2 AAA/AUTHOR/EXEC (614050778): found list "default"
1w6d: tty2 AAA/AUTHOR/EXEC (614050778): Method=IF_AUTHEN
1w6d: AAA/AUTHOR (614050778): Post authorization status = PASS_ADD
1w6d: AAA/AUTHOR/EXEC: Authorization successful
1w6d: AAA/ACCT/EXEC/START User user4, port tty2
1w6d: AAA/ACCT/EXEC: Found list "default"
1w6d: AAA/ACCT/EXEC/START User user4, Port tty2,
task_id=46 timezone=EST service=shell
1w6d: AAA/ACCT: user user4, acct type 0 (1207243741): Method=tacacs+ (tacacs+)
1w6d: TAC+: using previously set server 10.6.56.244 from group tacacs+
1w6d: TAC+: Opening TCP/IP to 10.6.56.244/49 timeout=5
1w6d: TAC+: Opened TCP/IP handle 0x30A9BF8 to 10.6.56.244/49
1w6d: TAC+: Opened 10.6.56.244 index=1
1w6d: TAC+: periodic timer started
1w6d: TAC+: 10.6.56.244 req=2535ED8 Qd id=1207243741 ver=192 handle=0x30A9BF8 expire=5 ACCT/REQUEST/START queued
1w6d: TAC+: 10.6.56.244 (1207243741) ACCT/REQUEST/START queued
1w6d: TAC+: 10.6.56.244 id=1207243741 wrote 79 of 79 bytes
1w6d: TAC+: 10.6.56.244 req=2535ED8 Qd id=1207243741 ver=192 handle=0x30A9BF8 expire=4 ACCT/REQUEST/START sent
1w6d: TAC+: 10.6.56.244 read=12 wanted=12 alloc=12 got=12
1w6d: TAC+: 10.6.56.244 read=17 wanted=17 alloc=17 got=5
1w6d: TAC+: 10.6.56.244 received 17 byte reply for 2535ED8
1w6d: TAC+: req=2535ED8 Tx id=1207243741 ver=192 handle=0x30A9BF8 expire=4 ACCT/REQUEST/START processed
1w6d: TAC+: (1207243741) ACCT/REQUEST/START processed
1w6d: TAC+: periodic timer stopped (queue empty)
1w6d: TAC+: (1207243741): received acct response status = SUCCESS
1w6d: TAC+: Closing TCP/IP 0x30A9BF8 connection to 10.6.56.244/49

**************************************************************

USER:

enable

SWITCH:

1w6d: AAA/MEMORY: dup_user (0x30AC6D8) user='user4' ruser='NULL' ds0=0 port='tty2' rem_addr='10.6.56.244' authen_type=ASCII service=ENABLE priv=15 source='AAA dup enable'
1w6d: AAA/AUTHEN/START (1692258724): port='tty2' list='' action=LOGIN service=ENABLE
1w6d: AAA/AUTHEN/START (1692258724): using "default" list
1w6d: AAA/AUTHEN/START (1692258724): Method=tacacs+ (tacacs+)
1w6d: TAC+: send AUTHEN/START packet ver=192 id=1692258724
1w6d: TAC+: Opening TCP/IP to 10.6.56.244/49 timeout=5
1w6d: TAC+: Opened TCP/IP handle 0x30A9BF8 to 10.6.56.244/49
1w6d: TAC+: Opened 10.6.56.244 index=1
1w6d: TAC+: periodic timer started
1w6d: TAC+: 10.6.56.244 req=30AA900 Qd id=1692258724 ver=192 handle=0x30A9BF8 expire=5 AUTHEN/START/LOGIN/ASCII queued
1w6d: TAC+: 10.6.56.244 (1692258724) AUTHEN/START/LOGIN/ASCII queued
1w6d: TAC+: 10.6.56.244 id=1692258724 wrote 40 of 40 bytes
1w6d: TAC+: 10.6.56.244 req=30AA900 Qd id=1692258724 ver=192 handle=0x30A9BF8 expire=4 AUTHEN/START/LOGIN/ASCII sent
1w6d: TAC+: 10.6.56.244 read=12 wanted=12 alloc=12 got=12
1w6d: TAC+: 10.6.56.244 read=28 wanted=28 alloc=28 got=16
1w6d: TAC+: 10.6.56.244 received 28 byte reply for 30AA900
1w6d: TAC+: req=30AA900 Tx id=1692258724 ver=192 handle=0x30A9BF8 expire=4 AUTHEN/START/LOGIN/ASCII processed
1w6d: TAC+: (1692258724) AUTHEN/START/LOGIN/ASCII processed
1w6d: TAC+: periodic timer stopped (queue empty)
1w6d: TAC+: ver=192 id=1692258724 received AUTHEN status = GETPASS
1w6d: AAA/AUTHEN (1692258724): status = GETPASS

**************************************************************

USER:

enablepass

SWITCH:

1w6d: AAA/AUTHEN/CONT (1692258724): continue_login (user='user4')
1w6d: AAA/AUTHEN (1692258724): status = GETPASS
1w6d: AAA/AUTHEN (1692258724): Method=tacacs+ (tacacs+)
1w6d: TAC+: send AUTHEN/CONT packet id=1692258724
1w6d: TAC+: periodic timer started
1w6d: TAC+: 10.6.56.244 req=30AA900 Qd id=1692258724 ver=192 handle=0x30A9BF8 expire=5 AUTHEN/CONT queued
1w6d: TAC+: 10.6.56.244 (1692258724) AUTHEN/CONT queued
1w6d: TAC+: 10.6.56.244 id=1692258724 wrote 26 of 26 bytes
1w6d: TAC+: 10.6.56.244 req=30AA900 Qd id=1692258724 ver=192 handle=0x30A9BF8 expire=4 AUTHEN/CONT sent
1w6d: TAC+: 10.6.56.244 read=12 wanted=12 alloc=12 got=12
1w6d: TAC+: 10.6.56.244 read=18 wanted=18 alloc=18 got=6
1w6d: TAC+: 10.6.56.244 received 18 byte reply for 30AA900
1w6d: TAC+: req=30AA900 Tx id=1692258724 ver=192 handle=0x30A9BF8 expire=4 AUTHEN/CONT processed
1w6d: TAC+: (1692258724) AUTHEN/CONT processed
1w6d: TAC+: periodic timer stopped (queue empty)
1w6d: TAC+: ver=192 id=1692258724 received AUTHEN status = PASS
1w6d: AAA/AUTHEN (1692258724): status = PASS
1w6d: TAC+: Closing TCP/IP 0x30A9BF8 connection to 10.6.56.244/49
1w6d: AAA/MEMORY: free_user (0x30AC6D8) user='user4' ruser='NULL' port='tty2' rem_addr='10.6.56.244' authen_type=ASCII service=ENABLE priv=15

**************************************************************

USER:

config t

SWITCH:

1w6d: AAA/AUTHOR: config command authorization not enabled
1w6d: %SYS-5-CONFIG_I: Configured from console by user4 on vty1 (10.6.56.244)

**************************************************************

USER:

int gi1/0/1

SWITCH:

1w6d: AAA/AUTHOR: config command authorization not enabled

**************************************************************

USER:

logout

SWITCH:

1w6d: AAA/ACCT/ACCT_DISC: Found list "default"
1w6d: tty2 AAA/DISC: 1/"User Request"
1w6d: AAA/ACCT/ACCT_DISC: Found list "default"
1w6d: tty2 AAA/DISC/EXT: 1020/"User Request"
1w6d: AAA/ACCT/ACCT_DISC: Found list "default"
1w6d: tty2 AAA/DISC: 9/"NAS Error"
1w6d: AAA/ACCT/ACCT_DISC: Found list "default"
1w6d: tty2 AAA/DISC/EXT: 1002/"Unknown"
1w6d: AAA/ACCT: no attribute "elapsed_time" to replace, adding it
1w6d: AAA/ACCT/EXEC/STOP: cannot retrieve modem speed
1w6d: AAA/ACCT/EXEC/STOP User user4, Port tty2:
task_id=46 timezone=EST service=shell disc-cause=1 disc-cause-ext=1020 connect-progress=101 elapsed_time=553 nas-rx-speed=0 nas-tx-speed=0
1w6d: AAA/ACCT: user user4, acct type 0 (609200452): Method=tacacs+ (tacacs+)
1w6d: TAC+: using previously set server 10.6.56.244 from group tacacs+
1w6d: TAC+: Opening TCP/IP to 10.6.56.244/49 timeout=5
1w6d: TAC+: Opened TCP/IP handle 0x30A7AA8 to 10.6.56.244/49
1w6d: TAC+: Opened 10.6.56.244 index=1
1w6d: TAC+: periodic timer started
1w6d: TAC+: 10.6.56.244 req=3054130 Qd id=609200452 ver=192 handle=0x30A7AA8 expire=5 ACCT/REQUEST/STOP queued
1w6d: TAC+: 10.6.56.244 (609200452) ACCT/REQUEST/STOP queued
1w6d: TAC+: 10.6.56.244 id=609200452 wrote 180 of 180 bytes
1w6d: TAC+: 10.6.56.244 req=3054130 Qd id=609200452 ver=192 handle=0x30A7AA8 expire=4 ACCT/REQUEST/STOP sent
1w6d: TAC+: 10.6.56.244 read=12 wanted=12 alloc=12 got=12
1w6d: TAC+: 10.6.56.244 read=17 wanted=17 alloc=17 got=5
1w6d: TAC+: 10.6.56.244 received 17 byte reply for 3054130
1w6d: TAC+: req=3054130 Tx id=609200452 ver=192 handle=0x30A7AA8 expire=4 ACCT/REQUEST/STOP processed
1w6d: TAC+: (609200452) ACCT/REQUEST/STOP processed
1w6d: TAC+: periodic timer stopped (queue empty)
1w6d: TAC+: (609200452): received acct response status = SUCCESS
1w6d: TAC+: Closing TCP/IP 0x30A7AA8 connection to 10.6.56.244/49
1w6d: AAA/MEMORY: free_user (0x2F330D8) user='user4' ruser='NULL' port='tty2' rem_addr='10.6.56.244' authen_type=ASCII service=LOGIN priv=1

**************************************************************

So as you can see, I can still enter configure terminal mode and configure everything even though I set the priv-lvl to less than 15. Any ideas?




For some reason I could never figure out the setting of the priv-lvl either, but I went about it a different way to deny anyone in my contractor group from configuring my switches. You may want to try this instead:

#setting the tacacs key
key = "cle_tacacs"

# Set the accounting file location.
accounting file = /var/log/tac-plus/tacacs.log

#prompt = "Authorized Access Only\nTACACS+ Authentication & Authorization\n"

#user accounts--here user details are defined

#user1 network@mywiseguys.com
user = netadm1n {
    default service = permit
    member = admingroup
    login = des ADbSbYqKyU7oA
}

#user2 dennis@mywiseguys.com
user = dennis {
    default service = permit
    member = admingroup
    login = des 5rsMIuWkIU.hE
}

#readonly - account used for readonly user
user = user3 {
    default service = deny
    member = readonly
    login = des OO4SoQ2tgtjo2
}

#modelbranch- account used for modeluser user
user = cisco {
    default service = permit
    member = contractor
    login = des Dw.DJrk9hHe5Y
    enable = des 8HStCZank7D3.
}

#contractor- account used for non-MyWiseGuys users
user = user4 {
    default service = deny
    member = contractor
    login = des OO4SoQ2tgtjo2
    enable = des wDHJZl9terVjs
}

#####################################################################
#group details are defined here

# admin group can do anything on network gear
group = admingroup {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

# contractor group for contract admins
group = contractor {
    default service = deny
    service = exec {
        priv-lvl=0
    }
    cmd = show {
        permit .*
    }
}

group = readonly {
    default service = deny
    service = exec {
        priv-lvl = 0
    }
    cmd = show {
        permit .*
    }
    cmd = enable {
        permit .*
    }
    cmd = exit {
        permit .*
    }
}

#Enable password setup for all users:
user = $enable$ {
    login = des GHW.0OUwMy2ds
}

Also I like to have information entered into my syslog server, so I crank up my logging

logging history debugging
logging trap debugging
logging facility local7
debug aaa accounting
debug aaa authorization

Also don't forget to set up your failover for authentication in the event the switch can't reach the tacacs server

aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
username netadmin privilege 15 secret MySecretPassword
line console 0
 login authentication default
line vty 0 15
 login authentication default


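The debug output in the question above already shows why user4 could still configure: EXEC authorization was decided on the switch itself (Method=IF_AUTHEN, the if-authenticated method from the first post's "aaa authorization exec" line) and config-mode commands were never sent to the server at all ("config command authorization not enabled"), so the priv-lvl and cmd rules in tac_plus.conf were not consulted, and the contractor group in that post granted default service = permit with priv-lvl = 15 anyway. The reply's tac_plus.conf fixes the group; on the switch side, "aaa authorization exec default group tacacs+ local" from the reply together with "aaa authorization commands 15 ..." and "aaa authorization config-commands" (both present in the configuration script later in this thread) are what make the server's answer apply. The Python below is an added example, not code from the thread or from tac_plus: it parses the tac_plus.conf subset used here and evaluates command authorization for user4 under both versions of the contractor group, with the evaluation order assumed from the tac_plus user guide rather than taken from the daemon.

```python
import re

# Constructed excerpts of the two tac_plus.conf versions in this thread (before/after).
CONF_BEFORE = """
user = user4 {
    default service = permit
    member = contractor
}
group = contractor {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}
"""
CONF_AFTER = """
user = user4 {
    default service = deny
    member = contractor
}
group = contractor {
    default service = deny
    service = exec {
        priv-lvl=0
    }
    cmd = show {
        permit .*
    }
}
"""

HEADER = re.compile(r"^(user|group|service|cmd)\s*=\s*(\S+)\s*\{$")  # 'cmd=show {'
RULE = re.compile(r"^(permit|deny)\s+(.*)$")           # regex lines inside cmd blocks
ASSIGN = re.compile(r"^(\w[\w -]*?)\s*=\s*(.*?)\s*$")  # 'default service = deny'


def parse_conf(text):
    """Parse the tac_plus.conf subset used in the thread into nested dicts."""
    conf = {"users": {}, "groups": {}, "attrs": {}}
    stack = []  # (kind, node) for each block currently open
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
            continue
        m = HEADER.match(line)
        if m:
            kind, name = m.groups()
            node = {"attrs": {}, "cmds": {}, "services": {}, "rules": []}
            parent = conf if kind in ("user", "group") else stack[-1][1]  # cmd/service nest
            parent[kind + "s"][name] = node
            stack.append((kind, node))
            continue
        m = RULE.match(line)
        if m and stack and stack[-1][0] == "cmd":
            stack[-1][1]["rules"].append((m.group(1), re.compile(m.group(2))))
            continue
        m = ASSIGN.match(line)
        if m:
            (stack[-1][1] if stack else conf)["attrs"][m.group(1)] = m.group(2).strip('"')
            continue
        raise ValueError("unparsed line: %r" % raw)
    return conf


def _chain(conf, username):
    """The user's own node followed by its groups (via 'member'), user first."""
    chain, node = [], conf["users"].get(username)
    while node is not None:
        chain.append(node)
        node = conf["groups"].get(node["attrs"].get("member"))
    return chain


def authorize_cmd(conf, username, command):
    """tac_plus command authorization as modelled from its user guide (not the daemon's
    code): the first cmd block on the user, then its groups, decides by its first matching
    regex (no match denies); with no cmd block the nearest 'default service' applies."""
    chain = _chain(conf, username)
    name, _, args = command.strip().partition(" ")
    for node in chain:
        block = node["cmds"].get(name)
        if block is not None:
            for action, regex in block["rules"]:
                if regex.search(args):
                    return action
            return "deny"
    for node in chain:
        if node["attrs"].get("default service") in ("permit", "deny"):
            return node["attrs"]["default service"]
    return "deny"


def exec_priv_lvl(conf, username):
    """priv-lvl for EXEC authorization (only requested by the switch when
    'aaa authorization exec' points at group tacacs+); None if no block sets it."""
    for node in _chain(conf, username):
        lvl = node["services"].get("exec", {}).get("attrs", {}).get("priv-lvl")
        if lvl is not None:
            return int(lvl)
    return None
```

Parsing CONF_BEFORE gives user4 priv-lvl 15 and "permit" for "configure terminal"; parsing CONF_AFTER gives priv-lvl 0, "permit" for "show running-config" and "deny" for "configure terminal".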

Here is a snapshot of the configuration script I use on my Cisco switches which works great (which means I copy all of this and paste it onto any Cisco IOS in my network to configure it for my Ubuntu TACACS (tac_plus) server.)

copy running-config startup-config
reload in 15
config t
enable secret sUperS3creT_71!
!
username netadm1n privilege 15 secret sUperS3creT_71!
!
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers

logging buffered 32000 informational
no logging console
no logging monitor

aaa new-model
!
!
aaa authentication attempts login 6
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable

aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 5 default stop-only group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default stop-only group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!

aaa session-id common
clock timezone EST -5

system mtu routing 1500
ip subnet-zero
no ip source-route
no ip domain-lookup
ip domain-name mywiseguys.com
ip name-server 10.46.81.68
ip name-server 10.46.81.70
ip name-server 192.56.50.7
!
no ip http server
no ip http secure-server
!
ip ftp username confback
ip ftp password cisco2011
logging 10.58.128.39

access-list 12 permit 10.6.0.136
access-list 12 permit 10.6.0.135
access-list 12 permit 10.6.56.244
access-list 90 permit 10.6.0.136
access-list 90 permit 10.6.0.135
access-list 90 permit 10.58.128.39
access-list 90 permit 10.6.56.244
snmp-server community n0tPUBLIC RO 90
snmp-server location Lab Grand Blanc, MI
snmp-server contact Dennis Hosang

privilege exec level 1 traceroute
privilege exec level 1 ping
privilege exec level 1 show configuration
privilege exec level 1 terminal monitor
privilege exec level 1 terminal
privilege exec level 1 dir

line con 0
 session-timeout 15
 password sUperS3creT_71!
line vty 0 4
 session-timeout 15
 access-class 12 in
 exec-timeout 15 0
 password sUperS3creT_71!
 transport input telnet
line vty 5 15
 session-timeout 15
 access-class 12 in
 exec-timeout 15 0
 password sUperS3creT_71!
 transport input telnet
!
tacacs-server host 10.6.56.244
tacacs-server directed-request
tacacs-server timeout 10
tacacs-server key cle_tacacs

Open a separate telnet session and verify you can login with a tacacs ID with admin rights to your box. Type reload cancel to stop the reload of your device.

NOTE:

A very big mistake I found was I had a space after my passwords so tacacs wouldn't accept what I thought was the password.


