- In terms of open source TACACS+, there's a free TACACS+ server for Ubuntu machines (tacplus). You'll find a lot of documentation on the internet on how to install and configure it. I know some colleagues have used a few Windows TACACS+ servers, but I've never tested them. I personally know the Cisco servers and TacPlus on Linux very well.
- Using the tacacs-server host command, you can also configure the single-connection keyword. Rather than having the router open and close a TCP connection to the daemon each time it must communicate, the single-connection option keeps a single TCP connection open between the router and the daemon.
- Tacplus is a TACACS+ daemon for Linux that is based on the original Cisco TACACS+ source code. Security is paramount to any organization, so hardening the organization's networking devices adds a layer to its security. A security enthusiast once told me that security is.
- ip tacacs source-interface Loopback0 sets the interface the router sources its connections to the server from, so the packets carry that interface's primary address, 192.168.0.1/32 for example.
There are a bunch of TACACS+ versions out there; at least two of them have the exact same name, which can be confusing.
It has to do with the fact that Cisco created TACACS+ back in the 90s and later released the source code, which was called tac_plus.
You may have noticed that on many Linux distributions there's a package called tac_plus; it's the shrubbery.net version of TACACS+.
I find that version a bit outdated and lacking features such as multiple keys and the ability to use a range of IPs to identify routers, switches, etc.
Fortunately there’s another version of tac_plus that supports all of this and much more made by Marc Huber over at http://www.pro-bono-publico.de/projects/tac_plus.html
This version supports a number of backends for user accounts:
LDAP backend such as OpenLDAP and MS Active Directory
PAM backend
System Password backend
Shadow backend
RADIUS backend such as FreeRADIUS
I chose Shadow backend which stores user accounts in a file. The benefit of this method is that it’s easy to maintain and it supports password change and password expiration warning on the routers/switches.
Installing and configuring TACACS+
1. Install Ubuntu Server 13.04 amd64
2. Update the system with apt-get update/upgrade
3. Install dependencies
sudo apt-get install make
sudo apt-get install libgc-dev-amd64
sudo apt-get install libnet-ldap-perl
4. Download the latest source from http://www.pro-bono-publico.de/projects/
5. Untar the archive into your home directory (or any directory you like)
6. Compile the source
./configure tac_plus
make
sudo make install
Copy the sample configuration file to the config directory
sudo cp /usr/local/etc/mavis/sample/tac_plus.cfg /usr/local/etc
Start tac_plus at system startup
sudo cp /<dir-to-source>/PROJECTS/tac_plus/extra/etc_init.d_tac_plus /etc/init.d/tac_plus
sudo chmod 755 /etc/init.d/tac_plus
sudo update-rc.d tac_plus defaults
You can now start and stop tac_plus with “sudo service tac_plus start/stop/restart”
tac_plus configuration file
id = spawnd {
    listen = { port = 49 }
    spawn = {
        instances min = 1
        instances max = 10
    }
    background = yes
}
Passwords are stored in an auxiliary, /etc/shadow-like ASCII file, one user per line:
username:encryptedPassword:lastChange:minAge:maxAge:expWarn
lastChange is the number of days since 1970-01-01 on which the password was last changed, and minAge and maxAge determine whether the password may, may not, or must be changed. Setting lastChange to 0 forces a password change at first login. expWarn is the number of days before expiry at which a password expiration warning is issued.
Example shadow file in /usr/local/etc
rogewikl:$1$vBeN7c8V$Tpy9bfonpRC8fq8Ex3PvT1:15866:1:30:7:
plissken:$1$wWyDmqCp$qYYIn/vceiH97ouilsUDS/:15866:1:30:7:
freeman:blah:15866:1:30:7:
You can use openssl to compute the password hashes; the -1 option produces the md5-crypt ($1$) format used in the example above:
openssl passwd -1 clear_text_password
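As an added example (not part of the original post or of the tac_plus project), the following Python script parses a file in the format above and reports the aging state of every entry, applying the lastChange/minAge/maxAge/expWarn semantics just described. The boundary handling (an age exactly equal to maxAge is still valid, the warning window covers the last expWarn days) and the check that the password field looks like a crypt(3)-style $id$salt$hash string are my assumptions, not behaviour documented on the page; the sample entries are constructed from the example file above plus one extra user with lastChange set to 0.

```python
"""Audit tac_plus shadow-style password files for aging state.

Added example: not from the original post or the tac_plus project. It applies
the field semantics described above (days since 1970-01-01, minAge/maxAge/
expWarn in days); boundary handling and the hash-format check are assumptions.
"""
from dataclasses import dataclass
from datetime import date

EPOCH = date(1970, 1, 1)

# Constructed sample: the three entries from the example file above, plus
# 'newhire' with lastChange=0 to show the forced change at first login.
SAMPLE_SHADOW = """\
rogewikl:$1$vBeN7c8V$Tpy9bfonpRC8fq8Ex3PvT1:15866:1:30:7:
plissken:$1$wWyDmqCp$qYYIn/vceiH97ouilsUDS/:15866:1:30:7:
freeman:blah:15866:1:30:7:
newhire:$1$vBeN7c8V$Tpy9bfonpRC8fq8Ex3PvT1:0:1:30:7:
"""


@dataclass
class ShadowEntry:
    user: str
    password: str      # crypt(3)-style hash, e.g. output of 'openssl passwd -1'
    last_change: int   # days since 1970-01-01; 0 forces a change at first login
    min_age: int       # days that must pass before the password may be changed again
    max_age: int       # days after which the password must be changed
    exp_warn: int      # days before expiry at which a warning is issued


def days_since_epoch(day: date) -> int:
    """Value to put in the lastChange field for a password set on 'day'."""
    return (day - EPOCH).days


def parse_shadow(text: str) -> list[ShadowEntry]:
    """Parse 'user:hash:lastChange:minAge:maxAge:expWarn' lines (trailing ':' tolerated)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        user, pw, last, mn, mx, warn = fields[:6]
        entries.append(ShadowEntry(user, pw, int(last or 0), int(mn or 0),
                                   int(mx or 0), int(warn or 0)))
    return entries


def looks_like_crypt_hash(pw: str) -> bool:
    """Assumption: a usable hash is a '$id$salt$hash' string (e.g. '$1$' md5-crypt)."""
    return pw.startswith("$") and pw.count("$") >= 3


def password_state(e: ShadowEntry, today_days: int) -> str:
    """Return 'bad-hash', 'must-change', 'expired', 'warn' or 'ok' for one entry."""
    if not looks_like_crypt_hash(e.password):
        return "bad-hash"          # a cleartext field can never match a crypt() result
    if e.last_change == 0:
        return "must-change"
    age = today_days - e.last_change
    if e.max_age > 0 and age > e.max_age:
        return "expired"           # assumption: age == maxAge is the last valid day
    if e.max_age > 0 and age >= e.max_age - e.exp_warn:
        return "warn"              # within expWarn days of expiry
    return "ok"


def may_change_now(e: ShadowEntry, today_days: int) -> bool:
    """minAge: a non-forced password may only be changed once minAge days have passed."""
    return e.last_change == 0 or today_days - e.last_change >= e.min_age


def audit(text: str, today_days: int) -> dict[str, str]:
    """Map every user in the file to its aging state as of 'today_days'."""
    return {e.user: password_state(e, today_days) for e in parse_shadow(text)}


if __name__ == "__main__":
    today = days_since_epoch(date.today())
    for user, state in audit(SAMPLE_SHADOW, today).items():
        print(f"{user:10s} {state}")
```

Run it against /usr/local/etc's shadow file (read the file into audit() instead of SAMPLE_SHADOW) before rolling the daemon out: the "bad-hash" state catches entries like the freeman line above, which the daemon can never authenticate, and days_since_epoch(date.today()) gives you the correct lastChange value when you add a user. The hash check only verifies the shape of the field, not that the daemon accepts the scheme.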
Cisco TACACS+ configuration
username localadmin password localpwd
!
enable secret localenablepwd
!
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
tacacs server tac_plus
address ipv4 192.168.1.26
key tacacs_key_here
!
ip tacacs source-interface Loopback0
Be sure to check out the excellent documentation at http://www.pro-bono-publico.de/projects/pdf/tac_plus.pdf. One caveat before you commit the IOS side: keep a second, already authenticated session open while you test, because once aaa authentication login default points at the server group, the local keyword is only consulted when every server in the group is unreachable, not when the server rejects the login.
There’s also a Google Group forum https://groups.google.com/forum/?fromgroups#!forum/event-driven-servers
Back in 2011, I wrote how to configure tac_plus (TACACS+ daemon) on an Ubuntu server. Then two years ago, I wrote an article about adding two-factor authentication (2FA) to TACACS+. Today, I’m going to talk about deploying TACACS+ on a Docker container.
While I've written an article in the past about migrating FreeRADIUS with 2FA to a Docker container, I'd still consider myself a newbie. I don't deal with Docker daily enough to be well-versed.
Since I'm still a newbie, I make mistakes writing a Dockerfile and sometimes get stuck when the container keeps restarting. Part of the problem is I'm still learning Linux even though I've been using it for many years.
Another part is I have yet to sit down and read a book about Docker, like this one. The book has a high rating on Amazon and seems like a good buy if you're trying to learn it.
Yes, I could download someone else's Docker container. However, I don't like doing that. When I write the Dockerfile from scratch, it forces me to learn both Docker and Linux.
Docker Installation
Before we can deploy a TACACS+ container, we need to install the Docker software. Docker’s documentation has the steps on how to do it on your preferred OS. For this tutorial, I’m using the Ubuntu Server 18.04 as my OS of choice.
Alternatively, we can install the Docker version that Ubuntu ships in its own repo, which is the easiest way to install Docker.
Docker Compose installation
I like to use the docker-compose command to run multiple containers with one invocation. That said, I have it installed on my Ubuntu server. This step is optional, but I highly recommend it. If you have a different OS, then visit this page.
Dockerfile
I like to keep the files for each Docker container I deploy separate. That said, I create a new directory for each of them.
Once I've created the directory, it's time to write the Dockerfile. Since I'm more familiar with Vim than any other text editor on Linux, that's what I use. Please feel free to use your favorite Linux text editor.
Once Vim is running, we can write the contents of our Dockerfile. Here's a sample of my TACACS+ Dockerfile.
Preliminary steps
Before we can build the TACACS+ Docker container, we need to do some preliminary steps. As you can see from the Dockerfile, it will copy some files that I already have in the current directory. Without these files, the docker build command will error out.
Google Authenticator secret key
The first file we need is the .google_authenticator file. This file contains all the necessary parameters for our TOTP (Time-based One-Time Password).
Since I use Google Authenticator at home, I just copied my existing file for this lab. If you don't have one, you may want to generate one on another host. I covered the generation of the secret key in this article.
Once you've generated the secret key, copy the .google_authenticator file from your home directory into the tacacs directory.
TACACS+ configuration file
The next file we need is the tac_plus.conf file. This file gets generated when you install the tac_plus software. Since I've covered this topic before, I already have a configuration file that I can use. If you don't have one, then you can use my configuration files from here and here.
If you do create this from scratch, make sure the owner and permissions are the same as the ones below.
Depending on how you create the file, the owner and permissions will differ. For example, I created the tac_plus.conf file using a non-root account.
There are multiple ways to fix this minor issue. One is to delete the file and recreate it as the root account.
Another is to add some lines to the Dockerfile that change the owner and permissions. Add the following lines after the COPY tac_plus.conf /etc/tacacs+/tac_plus.conf line.
Creating a Docker image
Once done with the preliminary steps, we can now create our TACACS+ Docker image. Creating a Docker image is pretty straightforward. All we need to do is issue the command below.
Once the building process is done, you can verify that the Docker image is ready by issuing the command below.
Docker Compose
We're now ready to run the Docker image. If you prefer the docker run syntax, then feel free to use that. I happen to like the docker-compose command when starting up Docker containers. That said, we need to edit my existing docker-compose.yml file before we can run the Docker container.
The file should look like the one below.
Now, we’re ready to run our TACACS+ Docker container.
If the status says Restarting, then that means there's something wrong with the tac_plus.conf file or the Dockerfile. You might have to spend some time troubleshooting if your config isn't the same as mine.
Note: The instructions covered here are not recommended for production use, since the container runs as root.
Verification
Once the Docker container is running, then we’re now ready to verify if our TACACS+ is working as expected. This step assumes that you already have an IOS device with a TACACS+ configuration. If you need a sample configuration, please check out my article.
Note: The example above was done using the CSR 1000v and may not represent what the prompt would look like on regular IOS-based devices.
Final Words
OS-level virtualization, such as Docker, offers a lot of advantages over server virtualization. One of the benefits of OS-level virtualization is that it consumes fewer system resources compared to VMs. It is the major reason why I run containers for my FreeRADIUS and TACACS+ services.
Additionally, if done right, it's faster for me to deploy something on Docker than to provision new VMs. Though, with the mistakes I've made in the past, I am sure I could've provisioned new VMs a lot faster.
Just because everyone is doing Docker containers doesn't mean you should follow suit. Make sure to weigh the pros and cons of running services, such as TACACS+, on Docker.