So I recently had to set up a TACACS+ server connected to AD. I decided to go with CentOS 6 x64 as the OS of choice. I have to say it took a lot. Perhaps it's because I'm not a Linux guy. Anyway, below are all the steps I took to get it working. If you have any questions at all, post away. Also make sure you check out https://groups.google.com/forum/?fromgroups#!forum/event-driven-servers if you have any extremely in-depth questions. This group has a lot of great posts that really helped me out.
The following installs the TACACS+ server (Marc Huber's tac_plus from pro-bono-publico.de, with its MAVIS LDAP backend) on a CentOS 6 x64 VM. It restricts access to the network devices according to the user's Active Directory group membership: only members of specific AD security groups can log in, and each group gets its own set of permitted commands. The configuration below uses the user's domain credentials for the login password and, through enable = login in each group, for the enable password as well.
NOTE: The user guide can be found at http://www.pro-bono-publico.de/projects/unpacked/doc/tac_plus.txt.
Install Dependencies
1. yum install gcc
2. yum install gcc-c++ // CentOS packages the C++ compiler as gcc-c++; there is no package called g++
3. yum install perl-IO-Socket-SSL
4. yum install pam-devel
5. yum install ld-linux.so.2 // yum resolves the library name to glibc.i686, the 32-bit loader
6. wget http://search.cpan.org/CPAN/authors/id/G/GB/GBARR/perl-ldap-0.39.tar.gz
7. tar -xzvf perl-ldap-0.39.tar.gz
8. cd perl-ldap-0.39
9. perl Makefile.PL // say yes to everything, then make && make install if you go this route
10. perl -e "use IO::Socket::SSL" // both checks must exit silently; an error means the module is missing
11. perl -e "use Net::SSLeay"
12. cpan
a. > install Net::LDAP // select yes to everything
13. yum install perl-LDAP
NOTE: Steps 6 through 13 are three ways of getting the same Net::LDAP module (source tarball, CPAN, yum package); any one of them is enough. yum install perl-LDAP is the simplest on CentOS 6 and keeps the module under package management. Steps 10 and 11 are the quick check that the SSL modules mavis_tacplus_ldap.pl needs for ldaps:// are loadable.
Install Tac_Plus
1. wget http://www.pro-bono-publico.de/projects/src/DEVEL.tar.bz2 // a development snapshot fetched over plain HTTP with no signature to verify, so download it from a trusted network and look it over before building
2. bzip2 -dc DEVEL.tar.bz2 | tar xvfp -
3. cd PROJECTS
4. ./configure
5. make
6. su // root is only needed for the install step; build as a normal user
7. make install
Install tac_plus.cfg file
1. cd /usr/local/etc/
2. vi tac_plus.cfg // paste the configuration shown further down. It contains the LDAP bind password and the TACACS+ key in clear, so chmod 600 tac_plus.cfg and keep it owned by root
3. cp /usr/local/sbin/tac_plus /etc/init.d/ // the tac_plus binary doubles as its own init script (start/stop/restart). A symlink (ln -s /usr/local/sbin/tac_plus /etc/init.d/tac_plus) does the same and stays current after the next make install
4. cd /etc/init.d/
5. ll | grep tac_plus // make sure that permissions are set -rwxr-xr-x
6. tac_plus -P /usr/local/etc/tac_plus.cfg // -P parses the config file and exits; without it the daemon starts (background = yes), which is not what you want for a syntax check
7. env LDAP_HOSTS="<LDAP IP>" /usr/local/lib/mavis/mavis_tacplus_ldap.pl
// insert IP of LDAP server; this runs the MAVIS backend script by hand. It should start without Perl errors and then wait for MAVIS input on stdin (Ctrl-C to leave)
8. vi /etc/resolv.conf // the file is resolv.conf under /etc, not resolve.conf in the current directory
a. add this line to the file:
nameserver <ip of AD>
Add AD to hosts file to enable LDAPS
NOTE: The LDAPS URL in tac_plus.cfg must use the domain controller's DNS name, not its IP address. The name is what the DC's TLS certificate is issued to, so a connection to ldaps://<IP>:636 either fails name verification or, depending on the Net::LDAP defaults in your build, silently skips it. If the TACACS+ server cannot resolve that name yet, pin it in /etc/hosts:
1. vi /etc/hosts
2. add <IP Address> <Full Domain Name>
Example:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.10.10.10 xxxxx.xxxx.local
3. :wq
NOTE: Check what the DC actually presents before trusting the setup: openssl s_client -connect xxxxx.xxxx.local:636 should show a certificate whose subject or subjectAltName matches that name and a chain that validates against a CA the TACACS+ server trusts. An LDAPS connection that does not verify the certificate still keeps the bind password off the wire in clear, but it does not stop anyone who can answer for the DC's address.
id = spawnd {
listen = { port = 49 } # add address = <management IP> here to bind one interface only
spawn = {
instances min = 1
instances max = 10
}
background = yes
}
id = tac_plus {
access log = /var/log/tac_plus/access/%Y%m%d.log
accounting log = /var/log/tac_plus/acct/%Y%m%d.log
mavis module = external {
script out = {
# Require group membership: a correct password (ACK) with no tacacs*
# group ($TACMEMBER undefined) is turned into a reject
if (undef($TACMEMBER) && $RESULT == ACK) set $RESULT = NAK
# Don't cache passwords:
if ($RESULT == ACK) set $PASSWORD_ONESHOT = 1
}
setenv LDAP_SERVER_TYPE = "microsoft"
setenv LDAP_HOSTS = "ldaps://<AD domain>:636" # DNS name of the domain controller (the one pinned in /etc/hosts); it has to match the certificate. Plain ldap://...:389 would send the bind password in clear
setenv LDAP_SCOPE = sub
setenv LDAP_BASE = "dc=lab,dc=local"
setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
setenv LDAP_USER = "XXXXXX@xxxxx.local" # <bind account>@<Domain>. A dedicated read-only account is enough: the script only searches for the user's DN and groups and then binds as the user to check the password. Do not use a Domain Admin here
setenv LDAP_PASSWD = "XXXXXXXX" # bind password, stored in clear: keep this file root-only (chmod 600)
setenv REQUIRE_TACACS_GROUP_PREFIX = 1 # only AD groups named tacacs* count; the prefix is stripped and the remainder selects one of the group = ... blocks below
exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
}
login backend = mavis
user backend = mavis
pap backend = mavis
host = labswitch4 { #Defines host or group of hosts
address = ::/0 #insert address for specific host or ::/0 for all. ::/0 accepts any client that knows the key; narrow it to the management subnet (for example 10.10.10.0/24) in production
prompt = "
-------------
W A R N I N G
-------------
Unauthorized access prohibited
Authorized access only
This system is the property of Tenable Network Security.
Disconnect IMMEDIATELY if you are not an authorized user!
Contact ITS for help.\n "
failed authentication banner = "
---------------------------------------------------------
NOTICE
%M%D-%%c-%%C-%%u
Failed authentication will be logged and reported
---------------------------------------------------------"
enable 15 = clear <some password> #global enable password, in clear. The groups below set enable = login, which takes precedence for their members; see the user guide for the hashed forms if you keep this one
key = <some key> #host tacacs key, identical to the one on the Cisco side. TACACS+ only XOR-obfuscates packet bodies with an MD5 stream derived from this key, so make it long and random and treat it like a password
}
group = admin {
enable = login
default service = permit
message = "\n You are logged in with Admin Privs\n"
service = shell {
default command = permit
default attribute = permit
set priv-lvl = 15
}
}
group = servicedesk {
enable = login
message = "\n You are logged in with Service Desk Privs\n"
service = shell {
cmd = enable {permit ".*"}
cmd = show { # first matching rule wins; commands with no cmd block are denied
permit "running-config .*"
permit "ip .*"
permit "version .*"
deny ".*"
message deny = "
*************************************************************
*You do not have the privilege level to execute this command*
*************************************************************
"
}
}
}
group = serv { # same command set as servicedesk for now; give each group its own before production
message = "\n You are logged in with Server Group Privs\n"
enable = login
service = shell {
cmd = enable {permit ".*"}
cmd = show {
permit "running-config .*"
permit "ip .*"
permit "version .*"
deny ".*"
message deny = "
*************************************************************
*You do not have the privilege level to execute this command*
*************************************************************
"
}
}
}
group = security {
message = "\n You are logged in with Security Group Privs\n"
enable = login
service = shell {
cmd = enable {permit ".*"}
cmd = show {
permit "running-config .*"
permit "ip .*"
permit "version .*"
deny ".*"
message deny = "
*************************************************************
*You do not have the privilege level to execute this command*
*************************************************************
"
}
}
}
}
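The two decisions this configuration makes, who gets in and what they may type, are easy to get wrong by one regex or one group name, so here is an added example (my own, not code from the original post or from the tac_plus project) that models them offline. It walks a user's AD group list through the REQUIRE_TACACS_GROUP_PREFIX mapping and the script out ACK/NAK rule, then checks IOS commands against the admin and servicedesk cmd rules above. User names, group DNs and commands are constructed sample data; the trailing <cr> argument and unanchored regex matching are assumptions about IOS and tac_plus behaviour, noted in the comments.

```python
import re

TACACS_PREFIX = "tacacs"  # REQUIRE_TACACS_GROUP_PREFIX = 1 in tac_plus.cfg

# Per-group command policy transcribed from the tac_plus.cfg above.
# "*" stands for `default command = permit`; a group with no entry for a
# command and no default is denied, which is tac_plus's default.
POLICY = {
    "admin": {"*": [("permit", r".*")]},
    "servicedesk": {
        "enable": [("permit", r".*")],
        "show": [
            ("permit", r"running-config .*"),
            ("permit", r"ip .*"),
            ("permit", r"version .*"),
            ("deny", r".*"),
        ],
    },
}


def tacmember(member_of):
    """Mimic the REQUIRE_TACACS_GROUP_PREFIX handling in mavis_tacplus_ldap.pl:
    keep only AD groups whose CN starts with 'tacacs', strip that prefix and
    return what is left, which must be a `group = ...` name in tac_plus.cfg.
    member_of is the list of memberOf DNs AD returns for the user (simple
    DNs only; escaped commas inside a CN are not handled here)."""
    groups = []
    for dn in member_of:
        first_rdn = dn.split(",", 1)[0].strip()
        if not first_rdn.lower().startswith("cn="):
            continue
        cn = first_rdn[3:]
        if cn.lower().startswith(TACACS_PREFIX):
            groups.append(cn[len(TACACS_PREFIX):])
    return groups


def authenticate(password_ok, member_of):
    """The `script out` block of the config: LDAP answers ACK for a correct
    password, but when $TACMEMBER is undefined (no tacacs* group) the result
    is turned into NAK, so AD users outside the four groups cannot log in
    even with a valid password. Returns (result, tac_plus group or None)."""
    result = "ACK" if password_ok else "NAK"
    groups = tacmember(member_of)
    if result == "ACK" and not groups:
        result = "NAK"
    return result, (groups[0] if result == "ACK" else None)


def authorize(group, command_line):
    """Command authorization: first matching permit/deny rule wins. IOS sends
    the first word as cmd and the rest as cmd-arg values, ending with a
    literal '<cr>' argument (assumed IOS behaviour); that trailing token is
    why a bare 'show version' satisfies "version .*". Patterns are applied
    unanchored (regexec-style search), an assumption to verify against the
    user guide for your build; anchor with ^ when you mean a prefix."""
    words = command_line.split()
    if not words:
        return "deny"
    cmd, args = words[0], " ".join(words[1:] + ["<cr>"])
    rules = POLICY.get(group, {})
    for action, pattern in rules.get(cmd, []):
        if re.search(pattern, args):
            return action
    return "permit" if "*" in rules else "deny"


if __name__ == "__main__":
    # Constructed sample data: two AD users and a few IOS commands.
    users = {
        "jsmith": ["CN=tacacsservicedesk,OU=Groups,DC=lab,DC=local",
                   "CN=Domain Users,CN=Users,DC=lab,DC=local"],
        "bjones": ["CN=Domain Users,CN=Users,DC=lab,DC=local"],
    }
    for name, member_of in users.items():
        result, group = authenticate(True, member_of)
        print(f"{name}: {result} group={group}")
        if result == "ACK":
            for cmd in ("show running-config", "show version",
                        "show interfaces", "configure terminal"):
                print(f"  {cmd!r:25} -> {authorize(group, cmd)}")
```

Running it shows bjones rejected despite a correct password, and jsmith permitted show running-config and show version but denied show interfaces and configure terminal. Two things worth noticing from the model: a user in several tacacs* groups gets whichever mapping the script emits first, so keep memberships disjoint; and with unanchored matching, permit "ip .*" also permits any show command whose arguments merely contain "ip " somewhere, which is a reason to write ^ip .* if a prefix is what you mean.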
Cisco AAA configuration
aaa new-model
!
!
aaa authentication login CONSOLE local
aaa authentication login TACSERV group tacacs+
aaa authentication enable default group tacacs+
aaa authorization config-commands
aaa authorization exec TACSERV group tacacs+ if-authenticated
aaa authorization commands 0 TACSERV group tacacs+
aaa authorization commands 1 TACSERV group tacacs+
aaa authorization commands 15 TACSERV group tacacs+ if-authenticated
aaa authorization configuration TACSERV group tacacs+
!
!
!
aaa session-id common
line con 0
login authentication CONSOLE
line vty 0 4
authorization commands 0 TACSERV
authorization commands 1 TACSERV
authorization commands 15 TACSERV
authorization exec TACSERV
login authentication TACSERV
transport input ssh
NOTE: The tacacs-server host/key definition is not shown above; its key must be the same as the key in the host block of tac_plus.cfg. As written, TACSERV and the enable method have no local fallback: if the TACACS+ server is unreachable, VTY login and enable fail for everyone and only the console (CONSOLE, method local) still works, which is the intended safety net. Add local after group tacacs+ only if you accept local accounts as a fallback. if-authenticated on the exec and level-15 command lines means those authorizations succeed when the server cannot be reached, provided the user has already authenticated, so a server outage does not strand an admin mid-session; it is not consulted when the server answers with a deny.
Setting up Active Directory Security Groups
NOTE: For LDAPS the domain controller needs a server certificate. Installing Active Directory Certificate Services in the domain enrolls the DC with one automatically and makes it listen on 636; the TACACS+ server then has to trust the issuing CA for verification to work.
1. Create 4 security groups in Active Directory named:
a. tacacsadmin
b. tacacssecurity
c. tacacsserv
d. tacacsservicedesk
NOTE: With REQUIRE_TACACS_GROUP_PREFIX = 1 the MAVIS LDAP script only looks at AD groups whose name starts with tacacs, strips that prefix and hands the rest to tac_plus as $TACMEMBER. The remainder must match a group = ... block in tac_plus.cfg, so tacacsadmin maps to group = admin, and a user in none of the tacacs* groups has $TACMEMBER undefined and is rejected by the script out rule even with a correct password.
2. Assign users to each security group to give them access to a restricted set of commands
Starting and Stopping the server
NOTE: Every time a change is made to the configuration file (tac_plus.cfg) in /usr/local/etc, the server must be restarted for the change to take effect. Run tac_plus -P /usr/local/etc/tac_plus.cfg first: a file that does not parse leaves you with no running daemon and, given the Cisco configuration above, no VTY access.
1. Starting the server
a. /etc/init.d/tac_plus start
2. Stopping the server
a. /etc/init.d/tac_plus stop
3. Restarting the server
a. /etc/init.d/tac_plus restart
Troubleshooting
1. LINUX: netstat -lnp | grep tac_plus //verify that TACACS+ is listening on port 49; if it is not, a config parse error is the usual reason (see tac_plus -P above)
2. LINUX: tcpdump -nn port 49 //view authentication or authorization traffic. Only the 12-byte header is in clear; the body is obfuscated with the shared key, so you see the exchange happening but not its contents
3. LINUX: /usr/local/bin/mavistest -d -1 /usr/local/etc/tac_plus.cfg tac_plus TAC_PLUS <USERNAME> <PASSWORD>
Ex. /usr/local/bin/mavistest -d -1 /usr/local/etc/tac_plus.cfg tac_plus TAC_PLUS jsmith passW0rd
NOTE: Returns output displaying the Active Directory queries and the resulting $TACMEMBER and $RESULT values. The password goes on the command line, so it ends up in shell history and is visible in ps; use a test account and clear the history afterwards.
4. CISCO: debug aaa authentication //displays the aaa authentication attempts and successes
5. CISCO: debug aaa authorization //displays the aaa authorization attempts and successes (debug tacacs shows the packets themselves; undebug all when you are done)
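The tcpdump step above shows TACACS+ bodies as noise, and the key in tac_plus.cfg is the only thing standing between that noise and the passwords inside. To make that concrete, here is an added example (my own, not code from the original post or from tac_plus) that implements the body obfuscation from RFC 8907 section 4.5, the same MD5-based scheme the original TACACS+ draft used, builds a PAP authentication START packet and shows that anyone holding the key can turn a capture back into the user name and password. The key, session id, port and address values are constructed for the example; the user and password are the ones from the mavistest example above.

```python
import hashlib
import struct

# Values defined by RFC 8907.
TAC_PLUS_VERSION = 0xc0            # major version 0xc, minor 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
# Header: version, type, seq_no, flags, session_id, body length (12 bytes, clear).
HEADER = struct.Struct("!BBBBII")

KEY = b"example-shared-key"        # constructed; the `key = ...` from tac_plus.cfg


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1). The digests are
    concatenated and truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscation and de-obfuscation are the same XOR against the pad."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def pap_start_body(user, password, port=b"tty1", rem_addr=b"10.10.10.20"):
    """Authentication START body for a PAP login (RFC 8907 section 5.4.2):
    for PAP the password travels in the data field of the START packet."""
    user, password = user.encode(), password.encode()
    return (bytes([TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_PAP,
                   TAC_PLUS_AUTHEN_SVC_LOGIN,
                   len(user), len(port), len(rem_addr), len(password)])
            + user + port + rem_addr + password)


def parse_pap_start_body(body):
    """Return (user, password) from a de-obfuscated PAP START body."""
    user_len, port_len, rem_len, data_len = body[4:8]
    off = 8
    user = body[off:off + user_len]
    off += user_len + port_len + rem_len
    return user.decode(), body[off:off + data_len].decode()


def build_packet(body, session_id, key, seq_no=1):
    """Clear header followed by the obfuscated body, as the NAS sends it."""
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0,
                         session_id, len(body))
    return header + xor_body(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def decode_body(packet, key):
    """Read the clear header, regenerate the pad from its fields plus the
    key, and XOR the body back. A wrong key yields garbage, which is the
    only protection the body has: there is no integrity check at all."""
    version, _ptype, seq_no, _flags, session_id, length = HEADER.unpack(packet[:12])
    return xor_body(packet[12:12 + length], session_id, key, version, seq_no)


def recover_from_capture(packet, key):
    """What a tcpdump capture plus the shared key gives you."""
    return parse_pap_start_body(decode_body(packet, key))


if __name__ == "__main__":
    body = pap_start_body("jsmith", "passW0rd")
    packet = build_packet(body, session_id=0x1A2B3C4D, key=KEY)
    print("on the wire:", packet.hex())
    print("with the key:", recover_from_capture(packet, KEY))
    print("wrong key:", decode_body(packet, b"wrong-key").hex())
```

The take-away for the configuration on this page: the body is XORed with an MD5 stream that depends only on the shared key and four header fields that every capture contains, so the key is the whole secret and a short or guessable one can be brute-forced from a single captured START. Pick a long random key, never set the TAC_PLUS_UNENCRYPTED_FLAG, restrict address in the host block to the management subnet, and keep port 49 on an isolated management network rather than relying on the obfuscation.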