Installing and configuring Tacacs server on Windows Server 2012 and CISCO router

Posted: July 24, 2015 in CISCO

Terminal Access Controller Access-Control System (TACACS, usually pronounced like tack-axe)  is a security application that provides centralized validation of users attempting to gain access to a router or network access server. TACACS allows a remote access server to communicate with an authentication server in order to determine if the user has access to the network.

TACACS+, administered through the AAA security services, provides following services:

Authentication—Prompts user for username and password in order to allow access to the router

Authorization—Provides fine-grained control what user can/can’t perorm during the session, including but not limited to setting autocommands, access control,etc.We can also restrict user to what commands he may execute with the TACACS+ authorization feature.

Accounting-Audit user activity.Accounting records include user identities, start and stop times, executed commands,number of packets, and number of bytes.

 I used free TACACS+ server http://www.tacacs.net/download.asp

Topology used in this example:

Untitled5

I installed TACACS+ server on Windows server 2012 with IP address 192.168.5.3

During installation you are asked for secret,we will change it a little bit later

Untitled

When installation is done,we must first remove read-only atributes from config files,otherwise,we won’t be able to edit it!

From powershell prompt type:

Set-ItemProperty "C:\ProgramData\TACACS.net\config\authentication.xml" -name isreadonly $false
Set-ItemProperty "C:\ProgramData\TACACS.net\config\clients.xml" -name isreadonly $false
Set-ItemProperty "C:\ProgramData\TACACS.net\config\authorization.xml" -name isreadonly $false
Set-ItemProperty "C:\ProgramData\TACACS.net\config\tacplus.xml" -name isreadonly $false

 

 

Integrating TACACS server with Active Directory

 

We will create AD user and allow him access to CISCO router

 

First,create security group in which our user will be stored:

 

new-adgroup -name "tacacs" -groupscope "Global" -Groupcategory "Security"

Create user named domain_user:

 

new-aduser -name "domain_user" -userpincipalname "domain_user@bigfirm.biz" -samaccountname "domain_user" -accountpassword (convertto-secure string "Zemun2013" -asplaintxt -force) -changepasswordatlogon $false  -enabled $true

Add newly created user in Local Admin group,(this is very important!!!),and to tacacs AD group:

 

Add-ADGroupMember Administrators domain_user
Add-ADGroupMember tacacs domain_user

 

First,obtain data for user from AD (bolded will be used in authentication.xml):

 

PS C:\Users\Administrator> Get-ADUser -Identity "domain_user"  -Properties memberof | select *

DistinguishedName  : CN=domain_user,CN=Users,DC=bigfirm,DC=biz
Enabled            : True
GivenName          : domain_user
MemberOf           : {CN=tacacs,CN=Users,DC=bigfirm,DC=biz, CN=Administrators,CN=Builtin,DC=bigfirm,DC=biz}
Name               : domain_user
ObjectClass        : user
ObjectGUID         : 4ff83aff-0e83-4032-8c59-e82f2f5fc488
SamAccountName     : domain_user
SID                : S-1-5-21-2862681942-1448928181-3724733179-1105
Surname            :
UserPrincipalName  : domain_user@bigfirm.biz
PropertyNames      : {DistinguishedName, Enabled, GivenName, MemberOf...}
AddedProperties    : {}
RemovedProperties  : {}
ModifiedProperties : {}
PropertyCount      : 11

 

 

Create encrypted password:

C:\Program Files (x86)\TACACS.net>tacdes Zemun2013
Encrypted Zemun2013 is uTWkimSCBH1j8ZJB/5LPKA==

 

Now edit C:\ProgramData\TACACS.net\config\authentication.xml file:

 

<!-- ACTIVE DIRECTORY EXAMPLE -->

<!--This is an example is of a Windows Active Directory group.
This group will authenticate using a Windows Domain Controller.
LDAPUserDirectorySubtree is the distinguished name of the subtree that contains all users.
The LDAPGroupName should point to the name of the AD group.
LDAPAccessUserName and LDAPAccessUserPassword are optional elements and should be specified if the active directory server
does not allow anonymous access to the active directory for authentication.
This username must have read/write access to Active Directory.

To see the user directory subtree name, you can execute the following dsquery command on windows server:
Note: The command DSQUERY is only available on Windows Server.
C:\>dsquery user -samid USERNAME

To see the list of AD groups the user belongs to, use:
C:\>dsquery user -samid USERNAME | dsget user -memberof -expand
You can use the complete DN of the group or just the AD name of the group in the LDAPGroupName configuration parameter.

-->
<!--
<UserGroup>
<Name>tacacs</Name>
<AuthenticationType>Windows_Domain</AuthenticationType>
<LDAPServer>192.168.5.1:389</LDAPServer>
<LDAPUserDirectorySubtree>CN=Users,DC=bigfirm,DC=biz</LDAPUserDirectorySubtree>
<LDAPGroupName>tacacs</LDAPGroupName>
<LDAPAccessUserName>domain_user</LDAPAccessUserName>
<LDAPAccessUserPassword ClearText="" DES="uTWkimSCBH1j8ZJB/5LPKA=="></LDAPAccessUserPassword>
</UserGroup>
-->
<!-- / ACTIVE DIRECTORY EXAMPLE -->


<LDAPServer>192.168.5.1:389</LDAPServer> is IP address of Domain controller on which Tacacs server is installed,port 389 (the best practice is to install Tacacs server on domain member server,but for demonstration purpose this will be just fine),so Tacacs can query
AD for specific user
<LDAPUserDirectorySubtree>CN=Users,DC=bigfirm,DC=biz</LDAPUserDirectorySubtree> distinguished name of the subtree that contains domain_user acount.
<LDAPGroupName>tacacs</LDAPGroupName> -AD group we’ve just created and put domain_user in
<LDAPAccessUserName>domain_user</LDAPAccessUserName> the name of the AD user which will have access to router

uTWkimSCBH1j8ZJB/5LPKA==
is encrypted password created by tacdes tool

If you wish to change shared secret set during install,edit C:\ProgramData\TACACS.net\config\clients.xml file:

<!-- INTERNAL GROUP
 
The INTERNAL Group is added by default. This group will
enable all non-routeable IP addresses to be TACACS+
clients without having to explicitly define them.
This is useful in an internal NAT or lab network.-->
<ClientGroup Name="INTERNAL">
<Secret ClearText="sharedsecret" DES=""> </Secret>
<Clients>
<Client>10.0.0.0/8</Client>
<Client>172.16.0.0/12</Client>
<Client>192.168.*</Client>
</Clients>
</ClientGroup>
<!-- DEFAULT GROUP

 

In this section you can also define network range for clients which can “negotiate” with Tacacs server using defined secret

 

To configure port and IP address on which Tacacs server will listen on,we need to edit C:\ProgramData\TACACS.net\config\tacplus.xml file.

Here we can  set logging (name, location, logging level, and rollover settings for the logs.Available logging levels: Alert, Critical, Error, Warning, Notice, Information, and Debug. Debug generates the most information, and Alert generates the least amount of info.
RolloverDays specifies how many days to keep logs before starting a new log. RolloverMB specifies the maximum size the log file can get before rolling over, and DeleteDays specifies how many days to keep files before automatically deleting them. ).Syslog  is used if you need to log to an external Syslog server.

 

<!– Version 1.2 –><!– This is the global configuration file for the TACACS+ Server

–><Server><Port>49</Port>
<LocalIP>192.168.5.3</LocalIP>
<DisabledPrompt>This account has been disabled</DisabledPrompt>
<PasswordPrompt>Password: </PasswordPrompt>
<UserNamePrompt>Username: </UserNamePrompt>
<ExpiredPasswordPrompt>The password for this account has expired</ExpiredPasswordPrompt>
<IncorrectPasswordPrompt>Incorrect Password</IncorrectPasswordPrompt>
<IncorrectUserOrPasswordPrompt>Invalid username or incorrect password</IncorrectUserOrPasswordPrompt><SocketTimeoutSecs>30</SocketTimeoutSecs>
<AccountingLog RolloverDays=”30″ RolloverMB=”10″ DeleteDays=”90″ LoggingLevel=”Information”>  </AccountingLog>
<DebugLog RolloverDays=”30″ RolloverMB=”10″ DeleteDays=”90″ LoggingLevel=”Debug”>  </DebugLog>
<SystemLog RolloverDays=”30″ RolloverMB=”10″ DeleteDays=”90″ LoggingLevel=”Information”>  </SystemLog>
<!– <Syslog Host=”127.0.0.1″ Port=”514″ MaxLength=”1000″ Facility=”Local6″> </Syslog> -><AccountLockoutTries>6</AccountLockoutTries>
<AccountLockoutperiodMins>30</AccountLockoutperiodMins>
<SessionIdleTimeoutMins>15</SessionIdleTimeoutMins>
<TimedCacheExpirySecs>5</TimedCacheExpirySecs>
<OTPSeparator>*</OTPSeparator></Server>

 

It’s now time to check config files for typo or syntax errors using tacverify tools (C:\Program Files (x86)\TACACS.net folder if you installed on X64 OS version):

Untitled2

 

Restart tacacs.net service:

net stop tacacs.net && net start tacacs.net
The TACACS.net service was stopped successfully.
The TACACS.net service is starting.
The TACACS.net service was started successfully.

 

Open port 49 in Windows firewall:

netsh advfirewall firewall add rule name="Open port 49" dir=in action=allow protocol=tcp localport=49

From Tacacs server,test access:

 

C:\Program Files (x86)\TACACS.net>tactest.exe -k sharedsecret -u domain_user -s
192.168.5.3 -p Zemun2013


Total Commands  .....................  1
Successes  ..........................  1
Failures  ...........................  0
No Results  .........................  0
Time Taken for commands  ............  0.132 secs
Avg Possible Transactions/Second  ...  7
Network Time per command  ...........  0.076 secs
Total Network time  .................  0.076 secs
<87> 2015-07-24 00:29:12 Sent Transactions/Second  ...........  6.3

 

 Setting Authorization

 

To determine level of access we need to edit  C:\ProgramData\TACACS.net\config\authorization.xml file.

For users in AD group tacacs (domain_user), we’ll set privilege level 7 and allow him to run telnet,show and enable commands and deny others:

<?xml version=”1.0″ encoding=”utf-8″?>
<!– Version 1.2 –>
<Authorizations xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance&#8221; xmlns:xsd=”http://www.w3.org/2001/XMLSchema”&gt;
<Authorizations>
<Authorization>
<!–This entry will only be processed in the times given below–>
<!–<Time>MTWRFSN,04:00-21:00</Time>–>
<!–This authorization section applies to the following user groups. In case of conflicting authorization entries for the same group, the entry which appears first in the file is used.–>
<UserGroups>
<UserGroup>Network Engineering</UserGroup>
</UserGroups>
<!–This authorization section applies to the following client groups. In case of conflicting authorization entries for the same client group, the entry which appears first in the file is used.–>
<!–If no client groups are specified then the settings are applied to the specified usergroups irrespective of the clients they come from–>
<ClientGroups>
<ClientGroup>LOCALHOST</ClientGroup>
<ClientGroup>INTERNAL</ClientGroup>
</ClientGroups>
<AutoExec>

<!–<Set>priv-lvl=15</Set>–>
</AutoExec>

<Shell>

<Permit>.*show.*</Permit> <!–This will allow all show commands –>

</Shell>
<Services>
<!– <Service>
<Set>service=ppp</Set>
<Set>protocol=ip </Set> –>
<!–these groups can run IP over PPP only if they use one of the following mandatory addresses. If they supply no address, the first one here will be mandated–>
<!–<Set>addr=10.1.1.1</Set>–> <!–mandatory argument–>
<!–Their  mandatory input access list number is 5–>
<!–<Set>inacl=5</Set>–>
<!–We will suggest an output access list of 10 but the NAS may choose to ignore or override it–>
<!–<SetOptional>outacl=10</SetOptional>–>
<!–These are examples of vendor specific attributes(VSAs)–>
<!–<Set>foundry-privlvl=5</Set>–>
<!– </Service> –>
</Services>
</Authorization>

<Authorization>
   <UserGroup>
      <Name>tacacs</Name>
           </UserGroup>
<!–No client group provided so this authorization section applies to the above user groups from all the clients –>

<!–this group is allowed to telnet everywhere except from addresses beginning with 161.–>
<AutoExec>
<Set>priv-lvl=7</Set> <!–Set a privilege of 7 –>
</AutoExec>
<Shell>
  <Permit>telnet .*</Permit>  <!–Allows telnet –>
                                   <Permit>.*show.*</Permit> <!–Allows ‘show’ commands –>
                                   <Permit>enable</Permit>   <!–Allows ‘enable’ command –>
                                   <Deny>.*</Deny>                <!–All other commands are prohibited —>
</Shell>
</Authorization>

<!– DEFAULT PROFILE –>

<!– The DEFAULT Authorization Profile is added by default with the Server
installation and is used to enable ALL Users full access to ALL Clients.
This group should be removed or commented out before deploying the Server
in a production environment.
–>

<Authorization>
<Shell>
<Permit>.*show.*</Permit> <!–This will allow all show commands –>
<Deny>.*</Deny>           <!–This will deny all other commands –>
</Shell>
</Authorization>

</Authorizations>
</Authorizations>

 

Restart again Tacasc.net service

 

 

 Configuring CISCO Router

 

First create local user in case if Tacacs server is unavailable,enter in config mode (config t):

username admin privilege 15 secret cisco

Enable AAA (Authorization,Authentication,Accounting)

aaa new-model

 

Now configure router that,for authentication,first check Tacacs server for credentials,if Tacacs is unvailable then search local database (user admin).so we need to create AAA Method list.The method list defines the types of authentication to be performed and the sequence in which they will be performed (Tacacs server and local database in our example)

 

aaa authentication login default group tacacs+ local

For  (AAA) to determine if a user can access the privileged command level (enable command),we need to use the aaa authentication enable default command

aaa authentication enable default group tacacs+ enable

As in previous example,router will first contact Tacacs server,if it’s unavailable,then use local database:

aaa authorization exec default group tacacs+ local

Because in this example we will implement AAA in console level,we need to configure console to use AAA authorization

aaa authorization console

Allows user to start a CLI session (a command shell). Without it, command prompt isn’t available:

aaa authorization exec default group tacacs+ local

 

Runs authorization for all commands at the privilege level 1 and 15

aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

Configures accounting for EXEC shell session:

aaa accounting exec default start-stop group tacacs+

Set tatacas server and key.

tacacs-server host 192.168.5.3 !Our tacacs server
tacacs-server key sharedsecret !(We set a key in clients.xml file)

 

Testing

Before testing enable debuging for authentication and authorization

debug aaa accounting
debug aaa authorization
debug tacacs+

Log off from router and try to log on as domain_user:

Untitled1

We can see that credentials for domain_users are accepted and that privilege level 7 was set:

Untitled3

You wan’t be able to execute commands not allowed in authorization.xml file:

R1#config t
^
% Invalid input detected at '^' marker.

 

 

 

 

 

Advertisements
Comments
  1. BMWfan says:

    Hello,

    nice Tutorial. What i should know is what i have to do to login on our Switch and ASA in enable mode (autoenable).

    Best Regards

    Daniel

    Like

  2. Wougy says:

    I made the same configuration like this tuto, but all think are working very find when I’m doing test with domain user.
    C:\Program Files (x86)\TACACS.net>tactest -s TacasServerIP -k Brigittetacas -u domainuser1 -p domainuser1pass
    Performing LoginASCII with reine,Kbrigitte@1,True
    Trying to open connection to TacasServerIP:49

    Received Body:
    Authentication AuthReply:
    Status=Pass
    Flags=Debug
    UserMsg=
    Data=
    Command Pass status = True, Message=,

    ——————
    SUMMARY STATISTICS
    ——————
    Total Commands ………………… 1
    Successes …………………….. 1
    Failures ……………………… 0
    No Results ……………………. 0
    Time Taken for commands ………… 2,312 secs
    Avg Possible Transactions/Second … 0
    Network Time per command ……….. 1,256 secs
    Total Network time …………….. 1,256 secs
    Sent Transactions/Second ……….. 0,4

    C:\Program Files (x86)\TACACS.net>

    But when I test on the router I have the error: “No authoritative response from any server”
    Router# test aaa group tacacs+ domainuser1 domainuser1pass legacy
    Attempting authentication test to server-group tacacs+ using tacacs+
    No authoritative response from any server
    Router#

    The debug on the router give this details:
    Router#
    *Feb 18 16:54:12.199: AAA/BIND(00000004): Bind i/f
    *Feb 18 16:54:12.199: AAA/ACCT/EVENT/(00000004): CALL START
    *Feb 18 16:54:12.199: Getting session id for NET(00000004) : db=673EB7E0
    *Feb 18 16:54:12.199: AAA/ACCT(00000000): add node, session 14
    *Feb 18 16:54:12.199: AAA/ACCT/NET(00000004): add, count 1
    *Feb 18 16:54:12.199: Getting session id for NONE(00000004) : db=673EB7E0
    *Feb 18 16:54:12.199: TPLUS: Queuing AAA Authentication request 4 for processing
    *Feb 18 16:54:12.199: TPLUS: processing authentication start request id 4
    *Feb 18 16:54:12.199: TPLUS: Authentication start packet created for 4()
    *Feb 18 16:54:12.199: TPLUS: Using server TacasServerIP
    *Feb 18 16:54:12.199: TPLUS(00000004)/0/NB_WAIT/671868BC: Started 5 sec timeout
    *Feb 18 16:54:12.347: TPLUS(00000004)/0/NB_WAIT: socket event 2
    *Feb 18 16:54:12.347: TPLUS(00000004)/0/NB_WAIT: wrote entire 37 bytes request
    *Feb 18 16:54:12.347: TPLUS(00000004)/0/READ: socket event 1
    *Feb 18 16:54:12.351: TPLUS(00000004)/0/READ: Would block while reading
    *Feb 18 16:54:17.199: TPLUS(00000004)/0/READ/671868BC: timed out
    *Feb 18 16:54:17.199: TPLUS: Authentication start packet created for 4()
    *Feb 18 16:54:17.199: TPLUS(00000004)/0/READ/671868BC: timed out, clean up
    *Feb 18 16:54:17.199: TPLUS(00000004)/0/671868BC: Processing the reply packet
    *Feb 18 16:54:25.779: TPLUS: Queuing AAA Authentication request 4 for processing
    *Feb 18 16:54:25.783: TPLUS: processing authentication start request id 4
    *Feb 18 16:54:25.787: TPLUS: Authentication start packet created for 4()
    *Feb 18 16:54:25.787: TPLUS: Using server TacasServerIP
    *Feb 18 16:54:25.795: TPLUS(00000004)/0/NB_WAIT/65CBCC04: Started 5 sec timeout
    *Feb 18 16:54:25.895: TPLUS(00000004)/0/NB_WAIT: socket event 2
    *Feb 18 16:54:25.899: TPLUS(00000004)/0/NB_WAIT: wrote entire 37 bytes request
    *Feb 18 16:54:25.899: TPLUS(00000004)/0/READ: socket event 1
    *Feb 18 16:54:25.903: TPLUS(00000004)/0/READ: Would block while reading
    *Feb 18 16:54:30.795: TPLUS(00000004)/0/READ/65CBCC04: timed out
    *Feb 18 16:54:30.795: TPLUS: Authentication start packet created for 4()
    *Feb 18 16:54:30.799: TPLUS(00000004)/0/READ/65CBCC04: timed out, clean up
    *Feb 18 16:54:30.799: TPLUS(00000004)/0/65CBCC04: Processing the reply packet
    Router#

    Someone can help me please for troubleshooting this uses.

    Like

  3. Theofilos says:

    Great post. Thanks for sharing

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s