Open Source Tacacs+ Linux



Open Source Tacacs+ Linux

This guide will walk you through the setup of a Linux based TACACS+ Authentication Server, using Ubuntu 18.04 (tested on Ubuntu 16.04 as well) that authenticates against a Windows Active Directory LDAP(S).

This guide assumes that you are familiar with installing and configuring a Ubuntu Server and can deploy or have already deployed a Windows Active Directory infrastructure.

Solved: Hello is there a feasible open source TACACS server to use for our switch/router AAA logins or is really the only option to go with Cisco ACS? Note I am certainly not a Linux expert. Open source software, exemplified by the Linux operating system, is a revolutionary approach to software that is being adopted by many companies. Its advantages are well known: lower software and hardware costs and more stability, flexibility and security. However, the filing of a lawsuit by SCO Group against IBM in March 2003, asserting ownership of key parts of Linux, and SCO's increasing threats against corporate users of Linux, have revealed risks previously overlooked.

Prerequisites

  • Windows Server 2016 with Active Directory Services (Domain Controller or Read-Only Domain Controller)
  • Ubuntu Server (tested on 16.04 LTS or 18.04 LTS)

Basic Network Topology

Below is an example network topology commonly found in a small to medium sized network.

Open

Windows Active Directory Requirements

First, we will setup the required items in our Active Directory system.

  1. Create a service account that TACACS will use to bind and authenticate to our AD infrastructure. Be sure to use a secure password (16 characters or longer).
    This is needed because Active Directory does not allow anonymous bindings by default and will not allow you to search the AD tree if you are not authenticated.
    The user does not need any special permissions or group memberships.
  2. Create two security groups that TACACS will match against to identify what users and permission levels to assign authenticated users. In this example, we will create two security roles. The first being “ADMIN” level permissions, and the second being “TECHNICIAN” level permissions.
  3. Now create two user accounts, one for each type of user security level and add them to the security group associated with their account.
    Username “test.admin” is a member of security group “R_ADMINS” and Username “test.tech” is a member of security group “R_TECHS” in our example

TACACS Server Installation

Lets move on to the TACACS Server installation on our Ubuntu Server. First, SSH into your Ubuntu Server and install the required packages.

Next, we are going to download the TACACS+ Server packages that includes the MAVIS (LDAP) authentication packages. This is provided by Marc Huber at pro-bono-publico.de.

Now, we will configure and build the tac_plus packages on our server.

We now need to create the logging directories on our server because the package build process does not build these out for us. We will also make sure to set the permission on these directories so that our TACACS Server software can write to them.

You can verify that the permissions were set correctly by running the following command:

We now need to verify that our MAVIS packages are working correctly. To do this execute the below command. You should see output as exampled.

If there are error messages saying “Can’t locate Net/LDAP.pm in @INC”, you need to double-check the configure and make commands at the beginning of the guide. Make sure they all completed successfully without any errors.

If your output above matches, then we can continue with adding the configuration for the TACACS server. Create a file tac_plus.cfg in the /etc/tac_plus folder.
Once created, we will open that file to add our configuration template.

Next, we will copy and paste in the below template configuration into the tac_plus.cfg file. You will need to replace the variables that are specific to your configuration. These are identified by {{VARIABLE-NAME}} in the template configuration.

Here is an example of our working tac_plus.cfg file on our lab servers.

Now we need to validate the configuration file. After you have saved and exited the tac_plus.cfg file, run the following command to verify everything was setup correctly.

If tac_plus reports any errors, you will need to edit the tac_plus.cfg file again and correct the errors. Do not proceed further until you have corrected all the reported errors. See http://www.pro-bono-publico.de/projects/tac_plus.html for a complete configuration reference. You may also want to view the file /usr/local/lib/mavis/mavis_tacplus_ldap.pl for a detailed explanation of the available LDAP variables.

Now we need to create a SystemD service startup script for our TACACS server. Copy/Paste the below command into your SSH session. It will automatically create the required service startup script.

Now you can enable the service for auto-startup and manually start the service.

To verify that the service started, you can run the following two commands.

We are now ready to verify that the TACACS services are authentication against our Active Directory server. Run the below commands on your Ubuntu server. You should get output similar to our example.

From the output above, look specifically at the RESULT output and the TACMEMBER output. These should be “ACK” in the RESULT field, which means Active Directory responded and was successful, and the TACMEMBER value should match the security group associated with the user account. If you got NACK, BFD, or ERR in the RESULT field, that means something went wrong. You’ll want to double-check your Active Directory environment variables in the tac_plus.cfg file.

For those that want to see what the traffic looks like, below is a PCAP (packet capture) of the LDAP communication between our TACACS Server and our Windows Active Directory Controller. The communication in this capture was done using none SSL based connections, which means everything is transmitted in CLEAR TEXT.

It is highly recommended that you enable SSL on the Active Directory Controller and the TACACS configuration before you implement this into a production environment. Using LetsEncrypt, you can enable SSL certificates for free. We use the application Certify the Web on Windows Servers to generate SSL certificates.

A handy Windows tool that may help you correctly configure the environment variables in LDAP is the Softerra LDAP Browser.

Do not continue further until you can run the above tests and get a valid response from the user authentication.

Juniper (JunOS) Device Configuration

We are now ready to configure one of our Juniper devices for TACACS authentication. For a full en-depth understanding on setting up Juniper TACACS Authentication, we would recommend that you read the Juniper documentation for your specific device and version of software. To learn more about the different permissions flags and users classes, we would recommend reading the Junos OS Login Classes documentation. ~ In this example, we will be using a Juniper vMX Router running JunOS v14.1

First, we will configure our Juniper device to utilize the TACACS authentication server as the primary source for account authorizations, with the standard “password” (local user accounts) as a fall-back in the event the TACACS server is offline or networking is unavailable. You will need to replace the variables that are specific to your configuration. These are identified by {{VARIABLE-NAME}} in the template configuration.

Open source tacacs+ linux command

Here is an example configuration from our lab equipment.

Next, we need to add the configuration to the Juniper device that map the user account to the user class. This portion is very important and miss-understood very easily. The “user class” attributes can be built out however works best for your organization. However, you need to pay special attention to the “login user” accounts that are created.

The “login user” accounts that are created are NOT the “usernames” for every user that will be logging into the devices. These “names” are the direct mapping names that match what was created in the tac_plus.cfg GROUP attributes. This is where the “magic” happens on the username > group mappings.

Open Source Tacacs+ Linux Command

Add the following configuration to your Juniper device. If you named your security groups differently, then you will have to adjust the configuration to match your changes.

Once you have your configuration changes added to your device, commit them.

You are now ready to test your TACACS authentication with the different user accounts. SSH into your Juniper device on the management address and enter the username / password that you setup. For this example, we will be using “test.admin” and “test.tech”.

Upon a successful login, your TACACS server should be recording the accounting packets sent from the Juniper device. These accounting logs are located in /var/log/tac_plus/*

I have also provided a PCAP of the TACACS authentication request between the Juniper device and the TACACS server. This PCAP also includes the SSH traffic from the client to the Juniper device.

Cisco Device Configuration

We are now ready to configure one of our Cisco devices for TACACS authentication. For a full en-depth understanding on setting up Cisco AAA / TACACS Authentication, we would recommend that you read the Cisco Documentation for your specific device and version of software. Unfortunately, Cisco has done a very poor job on standardizing the configuration of the AAA settings per version and again per device type. ~ In this example, we will be using a Cisco IOS Router running version 15.4(1)T

Open Source Tacacs+ Linux Operating System

First, we will configure our Cisco device to utilize the TACACS authentication server as the primary source for account authorizations, with the “local” user account as a fall-back in the event the TACACS server is offline or networking is unavailable. You will need to replace the variables that are specific to your configuration. These are identified by {{VARIABLE-NAME}} in the template configuration.

Upon a successful login, your TACACS server should be recording the accounting packets sent from the Cisco device. These accounting logs are located in /var/log/tac_plus/*

Cisco Command Access Control

Below is a tac_plus.cfg configuration file that includes settings to allow restrictive ( permit | deny ) commands for the R_TECHS access group. This was put together to show how to restrict or permit access to specific commands to users.

Log in

Your Red Hat account gives you access to your member profile and preferences, and the following services based on your customer status:

  • Customer Portal
  • Red Hat Connect for Business Partners
Open source tacacs+ linux distroRegister now

Not registered yet? Here are a few reasons why you should be:

  • Browse Knowledgebase articles, manage support cases and subscriptions, download updates, and more from one place.
  • View users in your organization, and edit their account information, preferences, and permissions.
  • Manage your Red Hat certifications, view exam history, and download certification-related logos and documents.
Edit your profile and preferences

Your Red Hat account gives you access to your member profile, preferences, and other services depending on your customer status.

For your security, if you're on a public computer and have finished using your Red Hat services, please be sure to log out.

Open source tacacs+ linux operating systemLog out