Install and configure Tacacs.net

A customer asked me for a central management point for switch and router logins. They also wanted the option of accounting for these logins.

The first option that comes to mind is Cisco ACS, but that would have been too easy. The customer told me it had to be a cost-efficient solution.
After searching the internet I came across Tacacs.net; after reading the configuration guide I concluded that this piece of software had all the features the customer was asking for. Tacacs.net is able to perform authentication, authorization and accounting, and it can also check user credentials against a Microsoft Active Directory.
Tacacs.net is configured entirely in XML, so configuring it is not that difficult. Although there is a configuration guide available, there are some tricky parts.
So below is a walkthrough for configuring Tacacs.net.
  • First download the Tacacs.net zip file from http://www.tacacs.net
  • Tacacs.net can be installed on all Windows platforms starting at Windows 2000 Server; for this customer I chose Windows 2008 R2.
  • Follow the instructions; for most customers the standard installation is sufficient. During installation Tacacs.net asks for a TACACS key. Choose a random string of numbers and/or letters and write it down somewhere. This key is needed when configuring the network equipment.
  • After installing, check that the tacacs.net service is running: start–>run–>services.msc
  • After checking this the real configuration can start.
  • First check the tacplus.xml file. Change the IP address from 127.0.0.1 to the local IP address. This is not strictly necessary if there is only one network interface, but it is always recommended to configure it manually.
  • Now open authentication.xml. The customer wants to connect Tacacs.net to their Active Directory. Make sure the section under “Active Directory configuration” looks like the configuration below (the values in curly braces are placeholders to fill in):

<UserGroup>
  <Name>Network Operations</Name>
  <AuthenticationType>Windows_Domain</AuthenticationType>
  <LDAPServer>{ip address of DC}:389</LDAPServer>
  <LDAPUserDirectorySubtree>OU={group},OU={group},OU={group},OU={group},DC={domain},DC={domain}</LDAPUserDirectorySubtree>
  <LDAPGroupName>{AD group name with tacacs users}</LDAPGroupName>
  <LDAPAccessUserName>{user with domain admin rights}</LDAPAccessUserName>
  <LDAPAccessUserPassword ClearText="{password in clear text}" DES="{password in DES format}"></LDAPAccessUserPassword>
</UserGroup>

  • To make this configuration work you need to configure a DES-format password. This is just the clear-text password in encrypted form. The DES password can be created by starting TACDES, which is part of the default Tacacs.net installation. Start it by clicking start–>program files–>tacacs.net–>tacdes.
  • Type at the command prompt “tacdes <cleartext password>” and copy the output into the DES attribute of the configuration above.
  • Now save and close the authentication.xml file.
  • Open up clients.xml and make sure the configuration looks like below:

<ClientGroup Name="INTERNAL">
  <Secret ClearText="{tacacs password in cleartext}" DES="{tacacs password in DES format}"></Secret>
  <Clients>
    <Client>{ip address or subnet}</Client>
  </Clients>
</ClientGroup>

Now the basic configuration of the TACACS server is done; it is fully functional after restarting the tacacs.net service and configuring the switches or routers.
The tacacs.net service can be stopped and started again with the following commands:
start–>run–>cmd–>net stop tacacs.net and net start tacacs.net
On the switch, router or firewall the following lines have to be configured. Before you configure this, make sure you configure a local user and password in case the TACACS server fails; the switch can then still be reached with the local credentials.
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 3 default start-stop group tacacs+
aaa accounting commands 5 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
tacacs-server host <ip address tacacs server>
tacacs-server key 0 <tacacs password>
!
!
To check the accounting, log in to the tacacs.net server, go to C:\ProgramData\TACACS.net\Logs and open accounting.txt.
The output will look something like below:

<102> 2012-12-05 14:36:02 [<ip address>:28691] 12/05/2012 14:36:02 NAS_IP=<ip address> Port=tty1 rem_addr=<ip address> User=<user> Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=36 timezone=CET service=shell priv-lvl=15 cmd=show running-config <cr>
<102> 2012-12-05 14:36:14 [<ip address>:22679] 12/05/2012 14:36:14 NAS_IP=<ip address> Port=tty1 rem_addr=<ip address> User=<user> Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=37 timezone=CET service=shell priv-lvl=15 cmd=show running-config <cr>
<102> 2012-12-05 14:36:17 [<ip address>:64422] 12/05/2012 14:36:17 NAS_IP=<ip address> Port=tty1 rem_addr=<ip address> User=<user> Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=38 timezone=CET service=shell priv-lvl=15 cmd=configure terminal <cr>
<102> 2012-12-05 14:36:36 [<ip address>:58260] 12/05/2012 14:36:36 NAS_IP=<ip address> Port=tty1 rem_addr=<ip address> User=<user> Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=39 timezone=CET service=shell priv-lvl=15 cmd=aaa accounting commands 0 default start-stop group tacacs+ <cr>
<102> 2012-12-05 14:36:41 [<ip address>:33050] 12/05/2012 14:36:41 NAS_IP=<ip address> Port=tty1 rem_addr=<ip address> User=<user> Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=40 timezone=CET service=shell priv-lvl=15 cmd=aaa accounting commands 3 default start-stop group tacacs+ <cr>
<102> 2012-12-05 14:36:42 [<ip address>:38303] 12/05/2012 14:36:42 NAS_IP=<ip address> Port=tty1 rem_addr=<ip address> User=<user> Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=41 timezone=CET service=shell priv-lvl=0 cmd=end <cr>
