Switchmap

I was introduced to this amazing tool by Siemsen named Switchmap. It uses SNMP, CDP and some wonderful magic to populate a SEARCHABLE index of all of your switches' interfaces. It is an easy way to see what is attached to which interface and, best of all (yes, I need to say it again), it is searchable. For instance, want to see which Dell devices are on which interfaces on which switches? Easy: search for it. Switchmap translates the OUI of a MAC address to the manufacturer. Definitely check it out; my description simply doesn't do it justice.

http://sourceforge.net/projects/switchmap/

Tacacs + AD + CentOS = FREE

So I recently had to set up a TACACS+ server connected to AD. I decided to go with CentOS 6 x64 as the OS of choice. I have to say it took a lot. Perhaps it's because I'm not a Linux guy. Anyway, below are all the steps I took to get it working. If you have any questions at all, post away. Also make sure you check out https://groups.google.com/forum/?fromgroups#!forum/event-driven-servers if you have any extremely in-depth questions. This group has a lot of great posts that really helped me out.

The following installs the TACACS+ server on a CentOS 6 x64 VM. It restricts access to groups of users according to their Active Directory membership. The configuration below uses each user's domain credentials both for login (username and password) and as the enable password.

NOTE: The user guide can be found at http://www.pro-bono-publico.de/projects/unpacked/doc/tac_plus.txt.

Install Dependencies

1. yum install gcc

2. yum install gcc-c++ // the CentOS package that provides g++

3. yum install perl-IO-Socket-SSL

4. yum install pam-devel

5. yum install ld-linux.so.2

6. wget http://search.cpan.org/CPAN/authors/id/G/GB/GBARR/perl-ldap-0.39.tar.gz

7. tar -xzvf perl-ldap-0.39.tar.gz

8. cd perl-ldap-0.39

9. perl Makefile.PL // say yes to everything

10. perl -e "use IO::Socket::SSL"

11. perl -e "use Net::SSLeay"

12. cpan

a. at the cpan> prompt: install Net::LDAP // select yes to everything

13. yum install perl-LDAP

Install Tac_Plus

1. wget http://www.pro-bono-publico.de/projects/src/DEVEL.tar.bz2

2. bzip2 -dc DEVEL.tar.bz2 | tar xvfp -

3. cd PROJECTS

4. su

5. ./configure

6. make

7. make install

Install tac_plus.cfg file

1. cd /usr/local/etc/

2. vi tac_plus.cfg // paste in the configuration shown further down

3. cp /usr/local/sbin/tac_plus /etc/init.d/

4. cd /etc/init.d/

5. ll | grep tac_plus //make sure that permissions are set -rwxr-xr-x

6. tac_plus -P /usr/local/etc/tac_plus.cfg // -P parses the config file and exits, so this only verifies the syntax without starting the daemon

7. env LDAP_HOSTS="<LDAP IP>" /usr/local/lib/mavis/mavis_tacplus_ldap.pl // insert the IP of the LDAP (AD) server

8. vi /etc/resolv.conf

a. add this line to the file:

nameserver <ip of AD>

Add the AD server to the hosts file to enable LDAPS

1. vi /etc/hosts

2. add <IP Address> <Full Domain Name>

Example:

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4

::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

10.10.10.10 xxxxx.xxxx.local

3. :wq

Contents of /usr/local/etc/tac_plus.cfg (replace the values in angle brackets and the XXXX placeholders with your own):

id = spawnd {
    listen = { port = 49 }
    spawn = {
        instances min = 1
        instances max = 10
    }
    background = yes
}

id = tac_plus {
    access log = /var/log/tac_plus/access/%Y%m%d.log
    accounting log = /var/log/tac_plus/acct/%Y%m%d.log

    mavis module = external {
        script out = {
            # Require group membership:
            if (undef($TACMEMBER) && $RESULT == ACK) set $RESULT = NAK
            # Don't cache passwords:
            if ($RESULT == ACK) set $PASSWORD_ONESHOT = 1
        }
        setenv LDAP_SERVER_TYPE = "microsoft"
        setenv LDAP_HOSTS = "ldaps://<AD domain>:636" # Insert domain name of AD server
        setenv LDAP_SCOPE = sub
        setenv LDAP_BASE = "dc=lab,dc=local"
        setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
        setenv LDAP_USER = "XXXXXX@xxxxx.local" # <AD Admin name>@<Domain>
        setenv LDAP_PASSWD = "XXXXXXXX" # AD password
        setenv REQUIRE_TACACS_GROUP_PREFIX = 1
        exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
    }

    login backend = mavis
    user backend = mavis
    pap backend = mavis

    host = labswitch4 { # Defines a host or group of hosts
        address = ::/0 # insert the address of a specific host, or ::/0 for all
        prompt = "
-------------
W A R N I N G
-------------
Unauthorized access prohibited
Authorized access only
This system is the property of Tenable Network Security.
Disconnect IMMEDIATELY if you are not an authorized user!
Contact ITS for help.\n "
        failed authentication banner = "
---------------------------------------------------------
NOTICE
%M%D-%%c-%%C-%%u
Failed authentication will be logged and reported
---------------------------------------------------------"
        enable 15 = clear <some password> # global enable password
        key = <some key> # host TACACS key
    }

    group = admin {
        enable = login
        default service = permit
        message = "\n You are logged in with Admin Privs\n"
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 15
        }
    }

    group = servicedesk {
        enable = login
        message = "\n You are logged in with Service Desk Privs\n"
        service = shell {
            cmd = enable { permit ".*" }
            cmd = show {
                permit "running-config .*"
                permit "ip .*"
                permit "version .*"
                deny ".*"
                message deny = "
*************************************************************
*You do not have the privilege level to execute this command*
*************************************************************"
            }
        }
    }

    group = serv {
        message = "\n You are logged in with Server Group Privs\n"
        enable = login
        service = shell {
            cmd = enable { permit ".*" }
            cmd = show {
                permit "running-config .*"
                permit "ip .*"
                permit "version .*"
                deny ".*"
                message deny = "
*************************************************************
*You do not have the privilege level to execute this command*
*************************************************************"
            }
        }
    }

    group = security {
        message = "\n You are logged in with Security Group Privs\n"
        enable = login
        service = shell {
            cmd = enable { permit ".*" }
            cmd = show {
                permit "running-config .*"
                permit "ip .*"
                permit "version .*"
                deny ".*"
                message deny = "
*************************************************************
*You do not have the privilege level to execute this command*
*************************************************************"
            }
        }
    }
}

Cisco AAA configuration

aaa new-model
!
!
aaa authentication login CONSOLE local
aaa authentication login TACSERV group tacacs+
aaa authentication enable default group tacacs+
aaa authorization config-commands
aaa authorization exec TACSERV group tacacs+ if-authenticated
aaa authorization commands 0 TACSERV group tacacs+
aaa authorization commands 1 TACSERV group tacacs+
aaa authorization commands 15 TACSERV group tacacs+ if-authenticated
aaa authorization configuration TACSERV group tacacs+
!
!
!
aaa session-id common
line con 0
 login authentication CONSOLE
line vty 0 4
 authorization commands 0 TACSERV
 authorization commands 1 TACSERV
 authorization commands 15 TACSERV
 authorization exec TACSERV
 login authentication TACSERV
 transport input ssh

Setting up Active Directory Security Groups

NOTE: Make sure that Certificate Services is installed if using LDAPS.

1. Create 4 security groups in Active Directory named:

a. tacacsadmin

b. tacacssecurity

c. tacacsserv

d. tacacsservicedesk

NOTE: With REQUIRE_TACACS_GROUP_PREFIX set in tac_plus.cfg, tac_plus uses the "tacacs" prefix only to identify which AD groups are relevant and strips it; the remainder (admin, security, serv, servicedesk) must match the group names defined in tac_plus.cfg.

2. Assign users to the security group that matches the level of access they need; the command set for each group is defined in tac_plus.cfg.
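The following is an added example, not part of the original post and not code from tac_plus or mavis. It simulates the decision chain that the tac_plus.cfg, the Cisco AAA configuration and the AD group setup above put together: the AD group membership is reduced to a tac_plus group by stripping the "tacacs" prefix, the "script out" rule turns an ACK into a NAK when no such group was found, and each shell command is then checked against the ordered permit/deny regexes of the user's group. The directory contents (AD_USERS), the user names, and the assumption that IOS sends the command word as cmd and each argument as cmd-arg ending with a literal "<cr>", matched unanchored against the space-joined arguments, are all constructed for this example.

```python
import re

# Constructed simulation of the behaviour encoded in the tac_plus.cfg above;
# none of this is tac_plus or mavis code.

GROUP_PREFIX = "tacacs"   # what REQUIRE_TACACS_GROUP_PREFIX = 1 makes mavis look for

# Hypothetical directory: sAMAccountName -> CN of each group the user belongs to.
AD_USERS = {
    "jsmith": ["tacacsadmin", "Domain Users"],
    "hdesk1": ["tacacssecurity", "Domain Users"],
    "nobody": ["Domain Users"],          # valid password, but no tacacs* group
}

# Ordered permit/deny rules for the 'enable' and 'show' blocks shared by the
# servicedesk, serv and security groups in the cfg; the first matching rule wins.
RESTRICTED_CMDS = {
    "enable": [("permit", ".*")],
    "show": [
        ("permit", "running-config .*"),
        ("permit", "ip .*"),
        ("permit", "version .*"),
        ("deny", ".*"),
    ],
}

# tac_plus group -> (default command action, per-command rule blocks)
GROUP_POLICY = {
    "admin": ("permit", {}),                 # default command = permit
    "servicedesk": ("deny", RESTRICTED_CMDS),
    "serv": ("deny", RESTRICTED_CMDS),
    "security": ("deny", RESTRICTED_CMDS),
}


def tac_member(member_of):
    """Strip the 'tacacs' prefix from the first matching AD group to get the
    tac_plus group name; None models $TACMEMBER being left undefined."""
    for cn in member_of:
        if cn.lower().startswith(GROUP_PREFIX):
            return cn[len(GROUP_PREFIX):].lower()
    return None


def script_out(result, tacmember):
    """The cfg's 'script out' rule: an ACK with no group membership becomes NAK."""
    if tacmember is None and result == "ACK":
        return "NAK"
    return result


def authenticate(username, password_ok=True):
    """Simulated LDAP bind outcome followed by the script-out post-processing.
    Returns (result, tac_plus group or None)."""
    member_of = AD_USERS.get(username)
    if member_of is None or not password_ok:
        return "NAK", None
    group = tac_member(member_of)
    return script_out("ACK", group), group


def authorize_command(group, command_line):
    """Decide one shell command for a group, first matching rule wins."""
    policy = GROUP_POLICY.get(group)
    if policy is None:
        return "deny"                        # unknown group: fail closed
    default_action, blocks = policy
    parts = command_line.split()
    if not parts:
        return default_action
    word, cmd_args = parts[0], parts[1:]
    # Assumption: IOS sends the command word as cmd and every argument as cmd-arg,
    # the last one being a literal "<cr>"; the regexes are matched unanchored
    # against the space-joined argument string.
    args = " ".join(cmd_args + ["<cr>"])
    rules = blocks.get(word)
    if rules is None:
        return default_action
    for action, pattern in rules:
        if re.search(pattern, args):
            return action
    return default_action


if __name__ == "__main__":
    for user in AD_USERS:
        print(user, authenticate(user))
    for cmd in ("show version", "show ip route", "show interfaces", "configure terminal"):
        print("security", cmd, authorize_command("security", cmd))
```

The trailing "<cr>" argument is why patterns such as "version .*" still match a bare "show version": without it the required space after "version" would never be present, and the final deny ".*" would apply. Watching the cmd-arg values in the output of "debug aaa authorization" on the switch is the way to confirm what the device actually sends before trusting a regex.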

Starting and Stopping the server

NOTE: Every time the configuration file (/usr/local/etc/tac_plus.cfg) is changed, the server must be restarted for the change to take effect.

1. Starting the server

a. /etc/init.d/tac_plus start

2. Stopping the server

a. /etc/init.d/tac_plus stop

3. Restarting the server

a. /etc/init.d/tac_plus restart

Troubleshooting

1. LINUX: netstat -lp | grep tac // verify that tac_plus is listening on port 49 (tacacs)

2. LINUX: tcpdump -nn port 49 // view authentication or authorization traffic

3. LINUX: /usr/local/bin/mavistest -d -1 /usr/local/etc/tac_plus.cfg tac_plus TAC_PLUS <USERNAME> <PASSWORD>

Ex. /usr/local/bin/mavistest -d -1 /usr/local/etc/tac_plus.cfg tac_plus TAC_PLUS jsmith passW0rd

NOTE: This prints the Active Directory queries that mavis performs for the login.

4. CISCO: debug aaa authentication // displays the AAA authentication attempts and successes

5. CISCO: debug aaa authorization // displays the AAA authorization attempts and successes
