Terminal Access Controller Access-Control System (TACACS, usually pronounced "tack-axe") is a security protocol that provides centralized validation of users attempting to gain access to a router or network access server. TACACS lets a remote access server hand the authentication decision to a central authentication server, which determines whether the user may access the network. TACACS+ is Cisco's successor protocol (TCP port 49) and is what the rest of this post uses.
TACACS+, administered through the AAA security services, provides the following services:
Authentication - prompts the user for a username and password before allowing access to the router.
Authorization - provides fine-grained control over what a user can and cannot do during the session, including setting autocommands and access control; with TACACS+ command authorization you can also restrict which commands a user may execute.
Accounting - audits user activity. Accounting records include user identities, start and stop times, executed commands, number of packets and number of bytes.
I used the free TACACS.net TACACS+ server for Windows: http://www.tacacs.net/download.asp
Topology used in this example:
I installed the TACACS+ server on Windows Server 2012 with IP address 192.168.5.3.
During installation you are asked for a shared secret; we will change it a little later.
When installation is done, we must first remove the read-only attribute from the config files, otherwise we won't be able to edit them.
From a PowerShell prompt type:
Set-ItemProperty "C:\ProgramData\TACACS.net\config\authentication.xml" -Name IsReadOnly -Value $false
Set-ItemProperty "C:\ProgramData\TACACS.net\config\clients.xml" -Name IsReadOnly -Value $false
Set-ItemProperty "C:\ProgramData\TACACS.net\config\authorization.xml" -Name IsReadOnly -Value $false
Set-ItemProperty "C:\ProgramData\TACACS.net\config\tacplus.xml" -Name IsReadOnly -Value $false
Integrating TACACS server with Active Directory
We will create an AD user and allow it access to the Cisco router.
First, create the security group in which our user will be stored:
new-adgroup -name "tacacs" -groupscope "Global" -Groupcategory "Security"
Create a user named domain_user:
New-ADUser -Name "domain_user" -UserPrincipalName "domain_user@bigfirm.biz" -SamAccountName "domain_user" -AccountPassword (ConvertTo-SecureString "Zemun2013" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
Add the newly created user to the tacacs AD group and (this is very important for the setup below, because the same account is also used as the LDAP bind account) to the built-in Administrators group. Be aware that on a domain controller this makes domain_user a domain administrator; outside a lab, use a dedicated least-privilege service account for the LDAP bind rather than the user's own account:
Add-ADGroupMember Administrators domain_user
Add-ADGroupMember tacacs domain_user
Now obtain the user's data from AD (the DistinguishedName and MemberOf values are what we need for authentication.xml):
PS C:\Users\Administrator> Get-ADUser -Identity "domain_user" -Properties memberof | select *

DistinguishedName  : CN=domain_user,CN=Users,DC=bigfirm,DC=biz
Enabled            : True
GivenName          : domain_user
MemberOf           : {CN=tacacs,CN=Users,DC=bigfirm,DC=biz, CN=Administrators,CN=Builtin,DC=bigfirm,DC=biz}
Name               : domain_user
ObjectClass        : user
ObjectGUID         : 4ff83aff-0e83-4032-8c59-e82f2f5fc488
SamAccountName     : domain_user
SID                : S-1-5-21-2862681942-1448928181-3724733179-1105
Surname            :
UserPrincipalName  : domain_user@bigfirm.biz
PropertyNames      : {DistinguishedName, Enabled, GivenName, MemberOf...}
AddedProperties    : {}
RemovedProperties  : {}
ModifiedProperties : {}
PropertyCount      : 11
Create the encrypted form of the bind account's password with the tacdes tool from the TACACS.net install folder:
C:\Program Files (x86)\TACACS.net>tacdes.exe Zemun2013
Encrypted Zemun2013 is uTWkimSCBH1j8ZJB/5LPKA==
Note that this is reversible DES obfuscation, not a hash: the server has to recover the clear-text password to bind to AD, so anyone who can read authentication.xml can recover it too. Restrict access to the config directory accordingly.
Now edit C:\ProgramData\TACACS.net\config\authentication.xml and fill in the ACTIVE DIRECTORY EXAMPLE section. As shipped, the <UserGroup> element itself is wrapped in an XML comment (<!-- ... -->); remove those comment markers around the element, leaving the explanatory comment above it, otherwise the server ignores the group:
<!-- ACTIVE DIRECTORY EXAMPLE -->
<!--
This is an example of a Windows Active Directory group. This group will authenticate using a Windows Domain Controller.
LDAPUserDirectorySubtree is the distinguished name of the subtree that contains all users.
The LDAPGroupName should point to the name of the AD group.
LDAPAccessUserName and LDAPAccessUserPassword are optional elements and should be specified if the active directory server does not allow anonymous access to the active directory for authentication. This username must have read/write access to Active Directory.
To see the user directory subtree name, you can execute the following dsquery command on windows server:
Note: The command DSQUERY is only available on Windows Server.
C:\>dsquery user -samid USERNAME
To see the list of AD groups the user belongs to, use:
C:\>dsquery user -samid USERNAME | dsget user -memberof -expand
You can use the complete DN of the group or just the AD name of the group in the LDAPGroupName configuration parameter.
-->
<UserGroup>
<Name>tacacs</Name>
<AuthenticationType>Windows_Domain</AuthenticationType>
<LDAPServer>192.168.5.1:389</LDAPServer>
<LDAPUserDirectorySubtree>CN=Users,DC=bigfirm,DC=biz</LDAPUserDirectorySubtree>
<LDAPGroupName>tacacs</LDAPGroupName>
<LDAPAccessUserName>domain_user</LDAPAccessUserName>
<LDAPAccessUserPassword ClearText="" DES="uTWkimSCBH1j8ZJB/5LPKA=="></LDAPAccessUserPassword>
</UserGroup>
<!-- / ACTIVE DIRECTORY EXAMPLE -->
<LDAPServer>192.168.5.1:389</LDAPServer>
is the IP address and LDAP port (389) of the domain controller that the TACACS server queries for the user. In this lab the TACACS server runs on the domain controller itself; best practice is to install it on a domain member server instead, but for demonstration purposes this is fine.
<LDAPUserDirectorySubtree>CN=Users,DC=bigfirm,DC=biz</LDAPUserDirectorySubtree>
is the distinguished name of the subtree that contains the domain_user account.
<LDAPGroupName>tacacs</LDAPGroupName>
is the AD group we just created and put domain_user in; only members of this group authenticate through this UserGroup.
<LDAPAccessUserName>domain_user</LDAPAccessUserName>
is the account the TACACS server binds to AD with in order to perform the lookup (as the vendor comment says, it is needed when the directory does not allow anonymous queries). Here it is the same domain_user account that will log in to the router; in production use a separate, read-only service account for this.
uTWkimSCBH1j8ZJB/5LPKA==
is the DES-obfuscated password of that bind account, produced by the tacdes tool above.
If you wish to change the shared secret set during installation, edit C:\ProgramData\TACACS.net\config\clients.xml:
<!-- INTERNAL GROUP
The INTERNAL Group is added by default. This group will enable all non-routeable IP addresses to be TACACS+ clients without having to explicitly define them. This is useful in an internal NAT or lab network.-->
<ClientGroup Name="INTERNAL">
<Secret ClearText="sharedsecret" DES=""> </Secret>
<Clients>
<Client>10.0.0.0/8</Client>
<Client>172.16.0.0/12</Client>
<Client>192.168.*</Client>
</Clients>
</ClientGroup>
<!-- DEFAULT GROUP
In this section you also define the network ranges of the clients that may talk to the TACACS server using the given secret. Two things to change before this leaves the lab: replace the default secret "sharedsecret" with a long random one (it keys the MD5-based obfuscation of every TACACS+ packet body, so whoever knows it can read the passwords passing through), and replace the wildcard ranges with the management addresses of the actual routers and switches, so that an arbitrary host in 192.168.0.0/16 cannot talk to the server.
To configure the port and IP address on which the TACACS server listens, edit C:\ProgramData\TACACS.net\config\tacplus.xml.
Here we can also set logging: name, location, logging level and rollover settings for the logs. Available logging levels are Alert, Critical, Error, Warning, Notice, Information and Debug; Debug generates the most information and Alert the least.
RolloverDays specifies how many days to keep a log before starting a new one, RolloverMB the maximum size a log file may reach before rolling over, and DeleteDays how many days to keep files before they are deleted automatically. Syslog is used if you need to log to an external syslog server. One thing to watch in the prompt strings: if the server ever returns the "Incorrect Password" text only for usernames that exist and the "Invalid username or incorrect password" text otherwise, that difference is a username oracle; making both messages identical removes it.
<!-- Version 1.2 -->
<!-- This is the global configuration file for the TACACS+ Server -->
<Server>
<Port>49</Port>
<LocalIP>192.168.5.3</LocalIP>
<DisabledPrompt>This account has been disabled</DisabledPrompt>
<PasswordPrompt>Password: </PasswordPrompt>
<UserNamePrompt>Username: </UserNamePrompt>
<ExpiredPasswordPrompt>The password for this account has expired</ExpiredPasswordPrompt>
<IncorrectPasswordPrompt>Incorrect Password</IncorrectPasswordPrompt>
<IncorrectUserOrPasswordPrompt>Invalid username or incorrect password</IncorrectUserOrPasswordPrompt>
<SocketTimeoutSecs>30</SocketTimeoutSecs>
<AccountingLog RolloverDays="30" RolloverMB="10" DeleteDays="90" LoggingLevel="Information"> </AccountingLog>
<DebugLog RolloverDays="30" RolloverMB="10" DeleteDays="90" LoggingLevel="Debug"> </DebugLog>
<SystemLog RolloverDays="30" RolloverMB="10" DeleteDays="90" LoggingLevel="Information"> </SystemLog>
<!-- <Syslog Host="127.0.0.1" Port="514" MaxLength="1000" Facility="Local6"> </Syslog> -->
<AccountLockoutTries>6</AccountLockoutTries>
<AccountLockoutperiodMins>30</AccountLockoutperiodMins>
<SessionIdleTimeoutMins>15</SessionIdleTimeoutMins>
<TimedCacheExpirySecs>5</TimedCacheExpirySecs>
<OTPSeparator>*</OTPSeparator>
</Server>
It's now time to check the config files for typos or syntax errors with the tacverify tool (found in C:\Program Files (x86)\TACACS.net if you installed on a 64-bit OS). Once it reports no errors, restart the TACACS.net service:
net stop tacacs.net && net start tacacs.net
The TACACS.net service was stopped successfully.
The TACACS.net service is starting.
The TACACS.net service was started successfully.
Open TCP port 49 in the Windows firewall:
netsh advfirewall firewall add rule name="Open port 49" dir=in action=allow protocol=tcp localport=49
From the TACACS server, test access with tactest (the shared secret, user and password are passed on the command line):
C:\Program Files (x86)\TACACS.net>tactest.exe -k sharedsecret -u domain_user -s 192.168.5.3 -p Zemun2013
Total Commands ..................... 1
Successes .......................... 1
Failures ........................... 0
No Results ......................... 0
Time Taken for commands ............ 0.132 secs
Avg Possible Transactions/Second ... 7
Network Time per command ........... 0.076 secs
Total Network time ................. 0.076 secs
<87> 2015-07-24 00:29:12
Sent Transactions/Second ........... 6.3
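What tactest (and later the router) actually exchanges with the server is a TACACS+ ASCII-login conversation: an authentication START carrying the username, a GETPASS reply, a CONTINUE carrying the password, and a final PASS or FAIL, with every packet body XORed against an MD5 keystream derived from the shared secret. The following is an added example, not code from the post or from TACACS.net: it implements both sides of that exchange in memory (RFC 8907 packet layout), with a constructed credential table standing in for the AD lookup, and shows what happens when the two sides disagree on the secret.

```python
"""TACACS+ ASCII login (RFC 8907): START / GETPASS / CONTINUE / PASS,
with the shared-secret body obfuscation. Added example; toy server side."""
import hashlib
import os
import struct

TAC_PLUS_AUTHEN = 0x01      # packet type: authentication
VERSION = 0xC0              # major version 0xC, minor version 0 (ASCII login)
ACTION_LOGIN, AUTHEN_ASCII, SERVICE_LOGIN = 0x01, 0x01, 0x01
STATUS_PASS, STATUS_FAIL, STATUS_GETPASS = 0x01, 0x02, 0x05

# Constructed credential table standing in for the AD lookup TACACS.net performs.
USERS = {b"domain_user": b"Zemun2013"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream per RFC 8907 4.5: MD5(session_id|key|version|seq_no[|previous digest])."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(seed + prev).digest()
        out += prev
    return out[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def pack(seq_no, session_id, body, key):
    """12-byte header (flags=0 means the body is obfuscated) plus obfuscated body."""
    header = struct.pack("!BBBBII", VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def unpack(packet, key):
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if len(packet) != 12 + length:
        raise ValueError("truncated packet")
    return seq_no, session_id, obfuscate(packet[12:], session_id, key, version, seq_no)


def authen_start(user, port=b"tty0", rem_addr=b"192.168.5.10"):
    fixed = struct.pack("!8B", ACTION_LOGIN, 1, AUTHEN_ASCII, SERVICE_LOGIN,
                        len(user), len(port), len(rem_addr), 0)
    return fixed + user + port + rem_addr


def authen_continue(user_msg):
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg


def authen_reply(status, server_msg=b""):
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg


def parse_reply(body):
    status, _flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if 6 + msg_len + data_len != len(body):
        raise ValueError("reply body does not parse: shared secret mismatch?")
    return status, body[6:6 + msg_len]


def server_handle(packet, key, state):
    """Toy server side. 'state' carries the username from START to CONTINUE."""
    seq_no, session_id, body = unpack(packet, key)
    if seq_no == 1:                                   # START
        user_len, port_len, rem_len, data_len = body[4:8]
        if 8 + user_len + port_len + rem_len + data_len != len(body):
            # A real server logs and drops this; the router then only sees a timeout.
            raise ValueError("START body does not parse: shared secret mismatch?")
        state["user"] = body[8:8 + user_len]
        return pack(2, session_id, authen_reply(STATUS_GETPASS, b"Password: "), key)
    msg_len = struct.unpack("!H", body[:2])[0]         # CONTINUE carrying the password
    ok = USERS.get(state.get("user")) == body[5:5 + msg_len]
    return pack(seq_no + 1, session_id, authen_reply(STATUS_PASS if ok else STATUS_FAIL), key)


def ascii_login(user, password, client_key, server_key=None, session_id=None):
    """Run the exchange in memory and return the final status byte."""
    server_key = client_key if server_key is None else server_key
    session_id = int.from_bytes(os.urandom(4), "big") if session_id is None else session_id
    state = {}
    reply = server_handle(pack(1, session_id, authen_start(user), client_key), server_key, state)
    status, _prompt = parse_reply(unpack(reply, client_key)[2])
    if status != STATUS_GETPASS:
        return status
    reply = server_handle(pack(3, session_id, authen_continue(password), client_key), server_key, state)
    return parse_reply(unpack(reply, client_key)[2])[0]


if __name__ == "__main__":
    print("correct password:", ascii_login(b"domain_user", b"Zemun2013", b"sharedsecret"))
    print("wrong password:  ", ascii_login(b"domain_user", b"nope", b"sharedsecret"))
```

The keystream depends only on the session id, the secret, the version and the sequence number, so the secret is the whole protection for the passwords in transit; that is why clients.xml should carry a strong one and why the client list there matters. When the two ends use different secrets the body decodes to noise and the lengths inside it no longer add up, which is the condition both sides check for above.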
Setting Authorization
To determine the level of access we need to edit C:\ProgramData\TACACS.net\config\authorization.xml.
For users in the AD group tacacs (domain_user) we'll set privilege level 7 and allow them to run telnet, show and enable commands, denying everything else. The Permit and Deny entries are regular expressions: .*show.* matches any command line that contains the substring show anywhere, not only commands that start with show, so the trailing <Deny>.*</Deny> catch-all is essential and tighter anchored patterns are preferable. Also note the vendor's DEFAULT profile at the bottom of the file: it applies to every user without a more specific entry and, as its own comment says, should be removed or commented out before production.
<?xml version="1.0" encoding="utf-8"?>
<!-- Version 1.2 -->
<Authorizations xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Authorizations>
<Authorization>
<!--This entry will only be processed in the times given below-->
<!--<Time>MTWRFSN,04:00-21:00</Time>-->
<!--This authorization section applies to the following user groups. In case of conflicting authorization entries for the same group, the entry which appears first in the file is used.-->
<UserGroups>
<UserGroup>Network Engineering</UserGroup>
</UserGroups>
<!--This authorization section applies to the following client groups. In case of conflicting authorization entries for the same client group, the entry which appears first in the file is used.-->
<!--If no client groups are specified then the settings are applied to the specified usergroups irrespective of the clients they come from-->
<ClientGroups>
<ClientGroup>LOCALHOST</ClientGroup>
<ClientGroup>INTERNAL</ClientGroup>
</ClientGroups>
<AutoExec>
<!--<Set>priv-lvl=15</Set>-->
</AutoExec>
<Shell>
<Permit>.*show.*</Permit> <!--This will allow all show commands -->
</Shell>
<Services>
<!-- <Service>
<Set>service=ppp</Set>
<Set>protocol=ip </Set> -->
<!--these groups can run IP over PPP only if they use one of the following mandatory addresses. If they supply no address, the first one here will be mandated-->
<!--<Set>addr=10.1.1.1</Set>--> <!--mandatory argument-->
<!--Their mandatory input access list number is 5-->
<!--<Set>inacl=5</Set>-->
<!--We will suggest an output access list of 10 but the NAS may choose to ignore or override it-->
<!--<SetOptional>outacl=10</SetOptional>-->
<!--These are examples of vendor specific attributes(VSAs)-->
<!--<Set>foundry-privlvl=5</Set>-->
<!-- </Service> -->
</Services>
</Authorization>
<Authorization>
<UserGroup>
<Name>tacacs</Name>
</UserGroup>
<!--No client group provided so this authorization section applies to the above user group from all the clients -->
<AutoExec>
<Set>priv-lvl=7</Set> <!--Set a privilege of 7 -->
</AutoExec>
<Shell>
<Permit>telnet .*</Permit> <!--Allows telnet to any destination -->
<Permit>.*show.*</Permit> <!--Allows 'show' commands -->
<Permit>enable</Permit> <!--Allows 'enable' command -->
<Deny>.*</Deny> <!--All other commands are prohibited -->
</Shell>
</Authorization>
<!-- DEFAULT PROFILE -->
<!-- The DEFAULT Authorization Profile is added by default with the Server
installation and is used to enable ALL Users full access to ALL Clients.
This group should be removed or commented out before deploying the Server
in a production environment.
-->
<Authorization>
<Shell>
<Permit>.*show.*</Permit> <!--This will allow all show commands -->
<Deny>.*</Deny> <!--This will deny all other commands -->
</Shell>
</Authorization>
</Authorizations>
</Authorizations>
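To see what the regular expressions in the Shell section actually permit before pointing a router at the server, it helps to evaluate them offline. The following is an added example, not code from the post or from TACACS.net: it parses a constructed excerpt of authorization.xml (the tacacs entry above plus the DEFAULT profile), picks the first entry that names the user's group, and runs commands through the Permit/Deny rules. The matching semantics (rules tried in file order, first full-line match wins, no match means deny) are an assumption about how TACACS.net evaluates them; with the catch-all Deny present the outcome is the same either way. It also shows why .*show.* is too loose, using a constructed copy command whose destination filename happens to contain "show".

```python
"""Evaluate tacacs.net-style <Shell> Permit/Deny rules against router command lines.
Added example; the XML is a constructed excerpt and the rule semantics are assumed."""
import re
import xml.etree.ElementTree as ET

# Constructed excerpt: the 'tacacs' group entry from the tutorial plus the vendor DEFAULT profile.
AUTHORIZATION_XML = """<Authorizations>
  <Authorization>
    <UserGroups><UserGroup>tacacs</UserGroup></UserGroups>
    <AutoExec><Set>priv-lvl=7</Set></AutoExec>
    <Shell>
      <Permit>telnet .*</Permit>
      <Permit>.*show.*</Permit>
      <Permit>enable</Permit>
      <Deny>.*</Deny>
    </Shell>
  </Authorization>
  <Authorization>
    <Shell>
      <Permit>.*show.*</Permit>
      <Deny>.*</Deny>
    </Shell>
  </Authorization>
</Authorizations>"""

# Same file with anchored patterns: 'show' must be the command, not merely appear in it.
HARDENED_XML = AUTHORIZATION_XML.replace("<Permit>.*show.*</Permit>", "<Permit>show( .*)?</Permit>")


def load_rules(xml_text):
    """Return [(group_names, priv_lvl, [(action, compiled_regex), ...])] in file order."""
    entries = []
    for auth in ET.fromstring(xml_text).iter("Authorization"):
        groups = set()
        # Accepts both <UserGroup>name</UserGroup> and <UserGroup><Name>name</Name></UserGroup>,
        # since the tutorial's file uses both forms.
        for ug in auth.iter("UserGroup"):
            groups.add((ug.findtext("Name") or ug.text or "").strip())
        priv = None
        for s in auth.iter("Set"):
            if s.text and s.text.strip().startswith("priv-lvl="):
                priv = int(s.text.strip().split("=", 1)[1])
        shell = auth.find("Shell")
        rules = [(r.tag, re.compile(r.text.strip())) for r in shell] if shell is not None else []
        entries.append((groups, priv, rules))
    return entries


def profile_for(entries, group):
    """First entry naming the group wins; an entry with no groups (the DEFAULT profile) matches anyone."""
    for groups, priv, rules in entries:
        if not groups or group in groups:
            return priv, rules
    return None, []


def authorize(entries, group, command):
    """Assumed semantics: rules in file order, first full-line match decides, no match means deny."""
    _priv, rules = profile_for(entries, group)
    for action, pattern in rules:
        if pattern.fullmatch(command):
            return action == "Permit"
    return False


def priv_level(entries, group):
    return profile_for(entries, group)[0]


if __name__ == "__main__":
    rules = load_rules(AUTHORIZATION_XML)
    for cmd in ("show running-config", "configure terminal",
                "copy running-config tftp://10.0.0.1/show.cfg"):
        print(f"{cmd!r}: loose={authorize(rules, 'tacacs', cmd)} "
              f"anchored={authorize(load_rules(HARDENED_XML), 'tacacs', cmd)}")
```

The copy command is permitted by the loose rule set purely because "show" appears inside the filename, which is exactly the kind of hole that lets a read-only operator copy the running configuration off the box. Anchoring the pattern closes it without touching the rest of the profile.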
Restart the TACACS.net service again.
Configuring CISCO Router
First create a local user for the case when the TACACS server is unavailable; enter configuration mode (configure terminal). Pick a real password rather than cisco, as this account is the emergency way in when the server is down:
username admin privilege 15 secret cisco
Enable AAA (Authentication, Authorization, Accounting):
aaa new-model
Now configure the router so that, for login authentication, it first asks the TACACS+ server and only falls back to the local database (the admin user) if the server is unreachable. This is done with an AAA method list: the method list names the authentication methods to try and the order in which they are tried (TACACS+ server, then local database in our example). Note that the fallback is used only when the server does not answer; a server that answers with a reject is final and the local user is not consulted.
aaa authentication login default group tacacs+ local
For AAA to decide whether a user may enter the privileged command level (the enable command), we use the aaa authentication enable default command; the TACACS+ server is asked first and the locally configured enable secret is the fallback (so configure one, or the fallback has nothing to check against):
aaa authentication enable default group tacacs+ enable
Authorization follows the same pattern as authentication: the router asks the TACACS+ server first and falls back to the local database if the server is unavailable. Because in this example we apply AAA to the console line as well, console authorization must be enabled explicitly (it is off by default):
aaa authorization console
EXEC authorization allows the user to start a CLI session (a command shell); without it the command prompt is not available:
aaa authorization exec default group tacacs+ local
Run authorization for every command at privilege levels 1 and 15:
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
Configure accounting for EXEC shell sessions (a start record at login and a stop record at logout):
aaa accounting exec default start-stop group tacacs+
Set the TACACS+ server (192.168.5.3, our TACACS server) and the key (the secret we set in clients.xml):
tacacs-server host 192.168.5.3
tacacs-server key sharedsecret
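The complete router-side configuration from this section in one place, as an added example rather than the post's own listing. It uses the newer per-server tacacs server definition (the tacacs-server host / tacacs-server key form above still works on older IOS), adds an enable secret so the enable fallback has something to check, and adds per-command accounting, which the exec accounting line alone does not provide. The server name TACSRV and the password placeholders are assumptions.

```text
! Local fallback account, only consulted when no TACACS+ server answers.
! Use a real password, not "cisco".
username admin privilege 15 secret <strong-local-password>
enable secret <strong-enable-secret>
!
aaa new-model
!
! TACACS+ server definition (newer syntax; tacacs-server host/key is the older equivalent)
tacacs server TACSRV
 address ipv4 192.168.5.3
 key sharedsecret
!
! Authentication: ask TACACS+ first, fall back to the local database / enable secret
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Authorization: console must be enabled explicitly, exec grants the shell,
! commands are checked per privilege level
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Accounting: exec start/stop only records the session itself; command accounting is
! what makes executed commands appear in the TACACS.net accounting log
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
```

Apply this from a second session and keep the first one open until you have confirmed that domain_user can log in through TACACS+ and that admin can still log in with the server stopped; a typo in the key or in clients.xml otherwise locks you out of everything but the console.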
Testing
Before testing, enable debugging on the router for AAA accounting and authorization and for the TACACS+ exchange itself (add debug aaa authentication if you also want to see the login exchange):
debug aaa accounting
debug aaa authorization
debug tacacs+
Log off from the router and try to log on as domain_user:
The debug output shows that the credentials for domain_user are accepted and that privilege level 7 was set:
You won't be able to execute commands that are not allowed in authorization.xml:
R1#config t
^
% Invalid input detected at '^' marker.
Note that this particular message comes from the IOS parser: configure terminal is a privilege-15 command, so at privilege level 7 the router does not even offer it. A command that exists at the user's level but is rejected by the TACACS+ server fails with "Command authorization failed." instead, and the rejection shows up in the debug output.
Hello,
nice tutorial. What I should know is what I have to do to log in on our switch and ASA in enable mode (autoenable).
Best regards
Daniel
I really wouldn’t recommend it
http://forums.anandtech.com/showthread.php?t=2124335
I made the same configuration as in this tutorial, and everything works fine when I test with a domain user.
C:\Program Files (x86)\TACACS.net>tactest -s TacasServerIP -k Brigittetacas -u domainuser1 -p domainuser1pass
Performing LoginASCII with reine,Kbrigitte@1,True
Trying to open connection to TacasServerIP:49
Received Body:
Authentication AuthReply:
Status=Pass
Flags=Debug
UserMsg=
Data=
Command Pass status = True, Message=,
——————
SUMMARY STATISTICS
——————
Total Commands ………………… 1
Successes …………………….. 1
Failures ……………………… 0
No Results ……………………. 0
Time Taken for commands ………… 2,312 secs
Avg Possible Transactions/Second … 0
Network Time per command ……….. 1,256 secs
Total Network time …………….. 1,256 secs
Sent Transactions/Second ……….. 0,4
C:\Program Files (x86)\TACACS.net>
But when I test on the router I get the error "No authoritative response from any server":
Router# test aaa group tacacs+ domainuser1 domainuser1pass legacy
Attempting authentication test to server-group tacacs+ using tacacs+
No authoritative response from any server
Router#
The debug on the router give this details:
Router#
*Feb 18 16:54:12.199: AAA/BIND(00000004): Bind i/f
*Feb 18 16:54:12.199: AAA/ACCT/EVENT/(00000004): CALL START
*Feb 18 16:54:12.199: Getting session id for NET(00000004) : db=673EB7E0
*Feb 18 16:54:12.199: AAA/ACCT(00000000): add node, session 14
*Feb 18 16:54:12.199: AAA/ACCT/NET(00000004): add, count 1
*Feb 18 16:54:12.199: Getting session id for NONE(00000004) : db=673EB7E0
*Feb 18 16:54:12.199: TPLUS: Queuing AAA Authentication request 4 for processing
*Feb 18 16:54:12.199: TPLUS: processing authentication start request id 4
*Feb 18 16:54:12.199: TPLUS: Authentication start packet created for 4()
*Feb 18 16:54:12.199: TPLUS: Using server TacasServerIP
*Feb 18 16:54:12.199: TPLUS(00000004)/0/NB_WAIT/671868BC: Started 5 sec timeout
*Feb 18 16:54:12.347: TPLUS(00000004)/0/NB_WAIT: socket event 2
*Feb 18 16:54:12.347: TPLUS(00000004)/0/NB_WAIT: wrote entire 37 bytes request
*Feb 18 16:54:12.347: TPLUS(00000004)/0/READ: socket event 1
*Feb 18 16:54:12.351: TPLUS(00000004)/0/READ: Would block while reading
*Feb 18 16:54:17.199: TPLUS(00000004)/0/READ/671868BC: timed out
*Feb 18 16:54:17.199: TPLUS: Authentication start packet created for 4()
*Feb 18 16:54:17.199: TPLUS(00000004)/0/READ/671868BC: timed out, clean up
*Feb 18 16:54:17.199: TPLUS(00000004)/0/671868BC: Processing the reply packet
*Feb 18 16:54:25.779: TPLUS: Queuing AAA Authentication request 4 for processing
*Feb 18 16:54:25.783: TPLUS: processing authentication start request id 4
*Feb 18 16:54:25.787: TPLUS: Authentication start packet created for 4()
*Feb 18 16:54:25.787: TPLUS: Using server TacasServerIP
*Feb 18 16:54:25.795: TPLUS(00000004)/0/NB_WAIT/65CBCC04: Started 5 sec timeout
*Feb 18 16:54:25.895: TPLUS(00000004)/0/NB_WAIT: socket event 2
*Feb 18 16:54:25.899: TPLUS(00000004)/0/NB_WAIT: wrote entire 37 bytes request
*Feb 18 16:54:25.899: TPLUS(00000004)/0/READ: socket event 1
*Feb 18 16:54:25.903: TPLUS(00000004)/0/READ: Would block while reading
*Feb 18 16:54:30.795: TPLUS(00000004)/0/READ/65CBCC04: timed out
*Feb 18 16:54:30.795: TPLUS: Authentication start packet created for 4()
*Feb 18 16:54:30.799: TPLUS(00000004)/0/READ/65CBCC04: timed out, clean up
*Feb 18 16:54:30.799: TPLUS(00000004)/0/65CBCC04: Processing the reply packet
Router#
Can someone please help me troubleshoot this issue?
Great post. Thanks for sharing
Hello! Do you use Twitter? I’d like to follow you if that would
be ok. I’m undoubtedly enjoying your blog and look forward
to new updates.
Hi,
no, I have no Twitter.
I like the valuable information you provide in your articles.
I’ll bookmark your weblog and check again here regularly.
I am quite certain I will learn many new stuff right here!
Best of luck for the next!
I am having a problem with encrypting the password and getting the encrypted plaintext such as “Encrypted Zemun2013 is uTWkimSCBH1j8ZJB/5LPKA==”
How can I do this? Thanks
There’s a flaw in the sample code in the original article for using the tacdec program. The article lists the command to run as “tacdesmun2013” when you should run “tacdes.exe Zemun2013” instead. Try it, and you should get the appropriate DES response.
Hi, I am having a problem logging in with AD user credentials. I have checked with a local user created on the machine running tacacs.net and it works perfectly, but the domain user is not allowed. I am getting the error "users not belong to the specified group". Please, anyone, help.