Install and configure Tacacs.net

A customer asked me for a central management point for switch and router logins, with the option of accounting those logins.

The first option that comes to mind is Cisco ACS, but that would have been too easy: the customer told me it had to be a cost-efficient solution.
After searching the internet I came across Tacacs.net. After reading the configuration guide I concluded that this piece of software had all the features the customer was asking for: Tacacs.net performs authentication, authorization and accounting, and it can use Microsoft Active Directory to validate credentials and check group membership.
Tacacs.net is configured entirely through XML files, so configuring it is not that difficult. Although there is a configuration guide available, there are some tricky parts.
So below is a walkthrough for configuring Tacacs.net.
  • First download the Tacacs.net zip file from http://www.tacacs.net
  • Tacacs.net can be installed on all Windows platforms starting at Windows 2000 Server; for this customer I chose Windows 2008 R2.
  • Follow the instructions; for most customers the standard installation is sufficient. During installation Tacacs.net asks for a TACACS+ key. Choose a long random string of letters and digits and write it down somewhere safe: this is the shared secret that also has to be configured on the network equipment, and it is the only thing protecting the TACACS+ traffic between the devices and the server.
  • After installing, check that the Tacacs.net service is running: start –> run –> services.msc
  • After checking this the real configuration can start.
  • First check the tacplus.xml file. Change the IP address from 127.0.0.1 to the local IP address of the server. This is not strictly necessary if there is only one network interface, but it is always recommended to configure it explicitly.
  • Now open authentication.xml. The customer wants to connect Tacacs.net to their Active Directory. Make sure the section under "Active Directory configuration" looks like the configuration below:

<UserGroup>
  <Name>Network Operations</Name>
  <AuthenticationType>Windows_Domain</AuthenticationType>
  <LDAPServer>{ip address of DC}:389</LDAPServer>
  <LDAPUserDirectorySubtree>OU={ou},OU={ou},OU={ou},OU={ou},DC={domain},DC={tld}</LDAPUserDirectorySubtree>
  <LDAPGroupName>{AD group name with tacacs users}</LDAPGroupName>
  <LDAPAccessUserName>{user with domain admin rights}</LDAPAccessUserName>
  <LDAPAccessUserPassword ClearText="{password in clear text}" DES="{password in DES format}"></LDAPAccessUserPassword>
</UserGroup>

  • To make this configuration work you need to configure the password in DES format. This is just the clear-text password in an encoded form; it is not a hash, because the service has to recover the clear-text password to bind to the domain controller, so keep the permissions on the configuration directory tight. The DES value is created with TACDES, which is part of the default Tacacs.net installation. Start it via start –> program files –> tacacs.net –> tacdes.
  • Type at the command prompt "tacdes <cleartext password>" and copy the output into the DES attribute of the configuration above.
  • The template above uses an account with domain admin rights, but an LDAP bind that only reads users and group membership does not need them. Start with a dedicated, least-privileged service account that can read the subtree and the group, and only raise its rights if the debug log shows the lookup failing.
  • Now save and close authentication.xml.
Open clients.xml and make sure the configuration looks like below:

<ClientGroup Name="INTERNAL">
  <Secret ClearText="{tacacs key in clear text}" DES="{tacacs key in DES format}"></Secret>
  <Clients>
    <Client>{ip address or subnet}</Client>
  </Clients>
</ClientGroup>
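Before restarting the service it is worth checking both files for the mistakes that cost the most time: a missing DES value, an LDAPServer without a port, a subtree that is not a valid DN, a client entry that is not a real subnet, a short shared secret. The script below is an added example, not part of Tacacs.net or of the original post. It only knows the UserGroup and ClientGroup elements used above, the sample fragments inside it are constructed with the placeholders filled in, and the 16-character minimum for the shared secret is my own floor rather than a Tacacs.net requirement.

```python
"""Sanity-check TACACS.net authentication.xml / clients.xml fragments.

Added example, not part of TACACS.net. It only knows the UserGroup and
ClientGroup elements from the walkthrough; the samples are constructed.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample of the Active Directory section of authentication.xml.
AUTHENTICATION_XML = """<UserGroup>
  <Name>Network Operations</Name>
  <AuthenticationType>Windows_Domain</AuthenticationType>
  <LDAPServer>10.0.0.5:389</LDAPServer>
  <LDAPUserDirectorySubtree>OU=Users,OU=NOC,DC=example,DC=com</LDAPUserDirectorySubtree>
  <LDAPGroupName>NetworkAdmins</LDAPGroupName>
  <LDAPAccessUserName>svc-tacacs-ldap</LDAPAccessUserName>
  <LDAPAccessUserPassword ClearText="" DES="d1e2f3a4b5c6"></LDAPAccessUserPassword>
</UserGroup>"""

# Constructed sample of clients.xml: a short secret and a bad mask, on purpose.
CLIENTS_XML = """<ClientGroup Name="INTERNAL">
  <Secret ClearText="short" DES="9a8b7c6d"></Secret>
  <Clients>
    <Client>10.1.0.0/24</Client>
    <Client>10.2.0.0/33</Client>
  </Clients>
</ClientGroup>"""

# A distinguished name built from OU/CN/DC components, as in the subtree above.
DN_RE = re.compile(r"^(?:OU|CN|DC)=[^,]+(?:,(?:OU|CN|DC)=[^,]+)*$", re.IGNORECASE)
MIN_SECRET_LEN = 16   # my own floor for the TACACS+ key, not a TACACS.net rule


def _text(node, tag):
    child = node.find(tag)
    return (child.text or "").strip() if child is not None else ""


def lint_user_group(xml_text):
    """Check one <UserGroup> fragment; return a list of (level, message)."""
    findings = []
    ug = ET.fromstring(xml_text)
    if ug.tag != "UserGroup":
        return [("error", "root element is <%s>, expected <UserGroup>" % ug.tag)]
    name = _text(ug, "Name") or "<unnamed>"
    if _text(ug, "AuthenticationType") != "Windows_Domain":
        return [("warn", "%s: not Windows_Domain, AD checks skipped" % name)]
    server = _text(ug, "LDAPServer")
    host, sep, port = server.rpartition(":")
    if not (host and sep and port.isdigit()):
        findings.append(("error", "%s: LDAPServer must be host:port, got %r" % (name, server)))
    dn = _text(ug, "LDAPUserDirectorySubtree")
    if not DN_RE.match(dn):
        findings.append(("error", "%s: LDAPUserDirectorySubtree is not a DN: %r" % (name, dn)))
    for tag in ("LDAPGroupName", "LDAPAccessUserName"):
        if not _text(ug, tag):
            findings.append(("error", "%s: %s is empty" % (name, tag)))
    pw = ug.find("LDAPAccessUserPassword")
    if pw is None or not pw.get("DES", "").strip():
        findings.append(("error", "%s: LDAPAccessUserPassword has no DES value (run tacdes)" % name))
    return findings


def lint_client_group(xml_text):
    """Check one <ClientGroup> fragment from clients.xml."""
    findings = []
    cg = ET.fromstring(xml_text)
    if cg.tag != "ClientGroup":
        return [("error", "root element is <%s>, expected <ClientGroup>" % cg.tag)]
    name = cg.get("Name", "<unnamed>")
    secret = cg.find("Secret")
    clear = secret.get("ClearText", "") if secret is not None else ""
    des = secret.get("DES", "") if secret is not None else ""
    if not des.strip():
        findings.append(("error", "%s: Secret has no DES value (run tacdes)" % name))
    if clear and len(clear) < MIN_SECRET_LEN:
        findings.append(("warn", "%s: shared secret is only %d characters; use a long random key"
                         % (name, len(clear))))
    clients = cg.findall("Clients/Client")
    if not clients:
        findings.append(("error", "%s: no <Client> entries" % name))
    for c in clients:
        value = (c.text or "").strip()
        try:
            ipaddress.ip_network(value, strict=False)   # accepts host or subnet
        except ValueError:
            findings.append(("error", "%s: <Client> %r is not an IP address or subnet" % (name, value)))
    return findings


def lint_file(path):
    """Run the checks over every UserGroup/ClientGroup found in a real config file."""
    root = ET.parse(path).getroot()
    findings = []
    for ug in root.iter("UserGroup"):
        findings += lint_user_group(ET.tostring(ug))
    for cg in root.iter("ClientGroup"):
        findings += lint_client_group(ET.tostring(cg))
    return findings


if __name__ == "__main__":
    for level, msg in lint_user_group(AUTHENTICATION_XML) + lint_client_group(CLIENTS_XML):
        print(level.upper(), msg)
```

Run it with `lint_file(r"C:\ProgramData\TACACS.net\config\authentication.xml")` against the real files after editing them (the path is whatever your installation uses); a clean run returns an empty list, and the constructed clients.xml sample above deliberately produces one warning and one error.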

Now the basic configuration of the TACACS server is done; it is fully functional after restarting the Tacacs.net service and configuring the switches or routers.
The Tacacs.net service can be stopped and started again with the following commands:
start –> run –> cmd –> net stop tacacs.net and net start tacacs.net
On the switch, router or firewall the following lines have to be configured. Before you configure this, make sure you configure a local user and password in case the TACACS server fails. With the method list below the local database is only consulted when no TACACS+ server answers; if the server is reachable and rejects the login, the local user is not tried. Configure the AAA lines from the console rather than over SSH, and keep that session open until a TACACS+ login from a second session has been verified, so a mistake does not lock you out. The 0 after tacacs-server key means the key is typed in clear text; it is stored in the configuration, so treat configuration backups as secrets.
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 3 default start-stop group tacacs+
aaa accounting commands 5 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
tacacs-server host <ip address tacacs server>
tacacs-server key 0 <tacacs password>
!
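It helps to know what the shared key actually does on the wire before choosing it. TACACS+ (RFC 8907) does not encrypt the packet body with the key; it XORs the body with an MD5 keystream derived from the session id, the key, the version and the sequence number, which the RFC itself calls obfuscation. Anyone who captures the traffic and knows or guesses the key can read every body, so the key has to be long and random and the traffic belongs on a management network. The following is an added example, not code from Tacacs.net or Cisco: it builds the authentication START packet a switch sends when a user logs in and decodes it as the server would. User, port, address, session id and key are constructed values.

```python
"""Build and decode a TACACS+ authentication START packet (RFC 8907).

Added example, not code from TACACS.net or Cisco. It shows what the shared key
from clients.xml / "tacacs-server key" does on the wire: the body is XORed with
an MD5-derived keystream (RFC 8907 calls this obfuscation, not encryption).
User, port, address, session id and key values below are constructed.
"""
import hashlib
import os
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01              # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # header flag: body sent in the clear
TAC_PLUS_AUTHEN_LOGIN = 0x01        # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01   # ASCII login, what an IOS switch uses for a console/vty login
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER_FMT = "!BBBBII"              # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12
START_FMT = "!BBBBBBBB"             # action, priv_lvl, authen_type, service, 4 length bytes


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}); concatenate, truncate."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; applying it twice restores the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, key, session_id=None, priv_lvl=1):
    """The packet a NAS sends to open an ASCII login: seq_no 1, minor version 0."""
    if session_id is None:
        session_id = int.from_bytes(os.urandom(4), "big")   # must be random per session
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT   # 0xC0
    seq_no = 1
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    body = struct.pack(START_FMT, TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d)) + u + p + r + d
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_authen_start(packet, key):
    """Decode a START packet as the server would; with the wrong key the fields are garbage."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if ptype != TAC_PLUS_AUTHEN:
        raise ValueError("not an authentication packet")
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack(START_FMT, body[:8])
    off, fields = 8, []
    for n in (ul, pl, rl, dl):
        fields.append(body[off:off + n].decode("ascii", errors="replace"))
        off += n
    return {"session_id": session_id, "seq_no": seq_no, "action": action, "priv_lvl": priv_lvl,
            "authen_type": authen_type, "user": fields[0], "port": fields[1], "rem_addr": fields[2]}


if __name__ == "__main__":
    key = b"example-shared-key"   # constructed; a real key should be long and random
    pkt = build_authen_start("jdoe", "tty1", "10.9.9.9", key, session_id=0x12345678)
    print(pkt.hex())
    print(parse_authen_start(pkt, key))
    print("with the wrong key:", parse_authen_start(pkt, b"wrongkey")["user"])
```

The session id is the only per-session input to the keystream; a device that reuses session ids or sends packets with the unencrypted flag set exposes the body regardless of the key, which is why the header flags and the key length are both worth checking in a capture.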
To check the accounting, log in to the Tacacs.net server, go to C:\ProgramData\TACACS.net\Logs and open accounting.txt.
The output will look something like below (addresses and the user name replaced by placeholders):

<102> 2012-12-05 14:36:02 [<ip address>:28691] 12/05/2012 14:36:02 NAS_IP=<ip address> Port=tty1 rem_addr=<ip address> User=<user> Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=36 timezone=CET service=shell priv-lvl=15 cmd=show running-config <cr>
<102> 2012-12-05 14:36:14 [<ip address>:22679] 12/05/2012 14:36:14 NAS_IP=<ip address> Port=tty1 rem_addr=<ip address> User=<user> Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=37 timezone=CET service=shell priv-lvl=15 cmd=show running-config <cr>
<102> 2012-12-05 14:36:17 [<ip address>:64422] 12/05/2012 14:36:17 NAS_IP=<ip address> Port=tty1 rem_addr=<ip address> User=<user> Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=38 timezone=CET service=shell priv-lvl=15 cmd=configure terminal <cr>
<102> 2012-12-05 14:36:36 [<ip address>:58260] 12/05/2012 14:36:36 NAS_IP=<ip address> Port=tty1 rem_addr=<ip address> User=<user> Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=39 timezone=CET service=shell priv-lvl=15 cmd=aaa accounting commands 0 default start-stop group tacacs+ <cr>
<102> 2012-12-05 14:36:41 [<ip address>:33050] 12/05/2012 14:36:41 NAS_IP=<ip address> Port=tty1 rem_addr=<ip address> User=<user> Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=40 timezone=CET service=shell priv-lvl=15 cmd=aaa accounting commands 3 default start-stop group tacacs+ <cr>
<102> 2012-12-05 14:36:42 [<ip address>:38303] 12/05/2012 14:36:42 NAS_IP=<ip address> Port=tty1 rem_addr=<ip address> User=<user> Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=41 timezone=CET service=shell priv-lvl=0 cmd=end <cr>
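Reading accounting.txt by hand does not scale, and the sample above already shows the one thing worth alerting on: a priv-15 session changing the aaa accounting lines themselves. The script below is an added example, not part of Tacacs.net. It parses lines in the layout shown above into records, groups commands per user and flags commands that alter AAA, TACACS+, local-user or logging configuration. The log lines inside it are constructed from the sample above with the placeholders filled in, and the list of commands treated as AAA changes is my own choice.

```python
"""Parse TACACS.net accounting.txt lines and flag AAA configuration changes.

Added example, not part of TACACS.net. The line layout follows the
accounting.txt output shown in the post; the lines below are constructed
with the placeholders (addresses, user) filled in.
"""
import re
from collections import defaultdict

# Constructed sample, same layout as C:\ProgramData\TACACS.net\Logs\accounting.txt.
SAMPLE_LOG = """\
<102> 2012-12-05 14:36:02 [10.1.0.10:28691] 12/05/2012 14:36:02 NAS_IP=10.1.0.10 Port=tty1 rem_addr=10.9.9.9 User=jdoe Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=36 timezone=CET service=shell priv-lvl=15 cmd=show running-config <cr>
<102> 2012-12-05 14:36:17 [10.1.0.10:64422] 12/05/2012 14:36:17 NAS_IP=10.1.0.10 Port=tty1 rem_addr=10.9.9.9 User=jdoe Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=38 timezone=CET service=shell priv-lvl=15 cmd=configure terminal <cr>
<102> 2012-12-05 14:36:36 [10.1.0.10:58260] 12/05/2012 14:36:36 NAS_IP=10.1.0.10 Port=tty1 rem_addr=10.9.9.9 User=jdoe Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=39 timezone=CET service=shell priv-lvl=15 cmd=aaa accounting commands 0 default start-stop group tacacs+ <cr>
<102> 2012-12-05 14:36:41 [10.1.0.10:33050] 12/05/2012 14:36:41 NAS_IP=10.1.0.10 Port=tty1 rem_addr=10.9.9.9 User=jdoe Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=40 timezone=CET service=shell priv-lvl=15 cmd=no aaa accounting commands 15 default <cr>
<102> 2012-12-05 14:36:42 [10.1.0.10:38303] 12/05/2012 14:36:42 NAS_IP=10.1.0.10 Port=tty1 rem_addr=10.9.9.9 User=jdoe Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=41 timezone=CET service=shell priv-lvl=0 cmd=end <cr>
<102> 2012-12-05 14:40:03 [10.1.0.11:40112] 12/05/2012 14:40:03 NAS_IP=10.1.0.11 Port=tty2 rem_addr=10.9.9.20 User=ops1 Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=12 timezone=CET service=shell priv-lvl=1 cmd=show ip interface brief <cr>
"""

# <pri> date time [src:port] date time key=value ... cmd=<command> <cr>
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"\[(?P<src>[^\]]+)\]\s+\S+\s+\S+\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\S+?)=(\S+)")
# Commands that change who can log in or what gets logged (my own list; extend per platform).
AAA_CHANGE_RE = re.compile(
    r"^(?:no\s+)?(?:aaa\s|tacacs-server\s|tacacs\s+server\s|username\s|enable\s+(?:secret|password)|logging\s)",
    re.IGNORECASE,
)


def parse_accounting(text):
    """Turn accounting.txt lines into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        before, sep, cmd = m.group("rest").partition(" cmd=")
        rec = dict(KV_RE.findall(before))
        rec["time"] = m.group("ts")
        rec["src"] = m.group("src")
        # cmd= is the last field and contains spaces; drop the trailing <cr>.
        rec["cmd"] = cmd.replace("<cr>", "").strip() if sep else None
        records.append(rec)
    return records


def flag_aaa_changes(records):
    """Records whose command changes AAA/TACACS/local-user/logging configuration."""
    return [r for r in records if r["cmd"] and AAA_CHANGE_RE.match(r["cmd"])]


def commands_by_user(records):
    """Map user -> list of (time, NAS_IP, priv-lvl, command) for an audit trail."""
    out = defaultdict(list)
    for r in records:
        if r["cmd"]:
            out[r.get("User", "?")].append((r["time"], r.get("NAS_IP"), r.get("priv-lvl"), r["cmd"]))
    return dict(out)


if __name__ == "__main__":
    recs = parse_accounting(SAMPLE_LOG)
    for r in flag_aaa_changes(recs):
        print("ALERT %s %s@%s: %s" % (r["time"], r.get("User"), r.get("NAS_IP"), r["cmd"]))
    for user, cmds in commands_by_user(recs).items():
        print(user, len(cmds), "commands")
```

Point `parse_accounting` at the contents of the real accounting.txt (it is append-only, so tail it) and ship the flagged records to whatever alerting you already have; the accounting log is the only record of a privileged user turning command accounting off, and that change is exactly what the sample session above does.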


17 Responses to Install and configure Tacacs.net

  1. Nice, goes onto the list of testing with wireless environments! Curious if it can be tricked into doing user + computer authentication.

  2. Kyu says:

    Thanks for your detailed information. It works great with switches and routers.
    I am working with an NMS (Cisco Prime Infrastructure 1.2).
    It asks:

    server address : 192.168.7.100
    Port: 49
    Shared Secret Format: ASCII
    Shared Secret: IloveTacacs
    Confirm secret:
    authentication type (PAP or CHAP)
    Local Interface IP: 192.168.7.50

    It looks like everything is right, but it didn't work. I spoke with Cisco TAC. No help!!

    If anyone has the same issue, please share it.

  3. Jeff says:

    This is great, but I keep getting "User does not belong to specified group" when I test it. Is there somewhere in the configuration that I'm missing?

    • heggel4 says:

      This can be either your authentication.xml configuration or your switch configuration. Please send me both so I can take a look.

      • Jeff says:

        <Name>ITAdmin</Name>
        <AuthenticationType>Windows_Domain</AuthenticationType>
        <LDAPServer>127.0.0.1:389</LDAPServer>
        <LDAPUserDirectorySubtree>CN=user,OU=Domain_Users,DC=domain,DC=net</LDAPUserDirectorySubtree>
        <LDAPGroupName>CN=ITAdmin,OU=Domain_Groups,DC=domain,DC=net</LDAPGroupName>
        <LDAPAccessUserName>user</LDAPAccessUserName>

      • Jeff says:

        I only get it when I run the test on the server itself to make sure it is working.

  4. E says:

    Hello, I am having some issues with the configuration file. Could you please help?

  5. Greg says:

    Hi,

    In my configuration I have 2 AD groups in authentication.xml. Regardless of what I seem to do, only the group which is listed first in authentication.xml is checked against. So if a user is a member of only the second group in the authentication.xml file they get the error 'User does not belong to specified group'.

    Any idea what could be causing this? If I enter a wrong password, then the second AD group is checked (according to the debug log), but if the credentials are correct only the first group is queried.

    Thanks for any help.

  6. Steve says:

    Can someone tell me whether or not TACACS.net supports parser views? The documentation around configuring the shell for specific users or groups is sparse at best.

  7. sandeep says:

    Hi All,
    I am trying to install TACACS on Windows. After configuration I get an error like "encryption enabled but no key is set. length passed does not match source length".

  8. Vinayak Pandit says:

    Thanks for the detailed information. The same has been implemented and configured with AD authentication, which is working fine on Windows 2008 for switches. Now I have added a load balancer which is authenticated with the same AD group that is configured for switches. I just wanted to know how to configure multiple AD groups for firewalls and switches according to the required access.

  9. Spaedie says:

    Something to add when using Windows_Domain authentication:
    Just use only the domain part as LDAP server instead of server.domainname.
    I.e. example.com:389
    This will make sure that all domain controllers will be checked instead of only the one configured.

    Might also work on LDAP authentication against a Windows domain.

  10. Saurabh says:

    Hi,
    How can a user change his password on the router when we are using TACACS.net? In general TACACS should have the feature to ask the user to enter a new password when we hit a blank password.

  11. Ray Savage says:

    To fix the "User does not belong to specified group" issue I had to put the specific AD user account into the local administrators group. It didn't matter that I added any other AD group the user was a member of into the local admin group; I had to explicitly add the AD account before the auth would happen. I noticed in the logs it would deny any access after NOT finding the user in the local admin group, regardless of the fact that AD auth was what I was after.

  12. Brian says:

    Hi All,
    I am trying to install TACACS on Windows. After configuration I get an error like "encryption enabled but no key is set".

  13. Jeffrey Chen says:

    Hey Rob, did you ever get tacacs.net working with NX OS? If so, can I take a look at your authentication.xml?
