These are my notes on configuring and testing a quick implementation of a free tacacs+ authentication and authorization server software on Windows and on Kali Linux.
A quick review of TACACS+
Tacacs+ is used by network devices to authenticate users. Each user that logs on to a network device is checked against the Tacacs+ server database, before a decision is made. The decision can be something like:
- the user is authenticated but will have limited access to the network device;
- the user is authenticated and will have full rights on the network device;
- the user is not authorized to access the network device and is kicked off.
Tacacs.Net on Windows
Installation and configuration
Download the software from the official website
Install the software. At some point, the system asks you to configure a shared secret. This key will be used for communications between Tacacs+ clients and the Tacacs+ server.
Configuring authentication
For Windows 7, the configuration files are in the following path: C:\documents and settings\all users\application data\tacacs.net\config
To test the tacacs server, un-comment the Users section, under the UserGroup section.
You can use “tacacsverify” to check whether the modifications you made to the various files are valid.
You can change the IP address of the server to something that can be put on a network, instead of 127.0.0.1. You do that in the “tacplus.xml” file:
You define the shared secret at installation time. This key is used by TACACS+ clients when authenticating against the server, even when testing the AAA protocol locally. You can change it later in the “clients.xml” file:
There is a default user account you can use for testing:
user name: user1
user password: somepassword
Then test authentication with the “tactest” command and its parameters. Take a look at the example below:
Authorization defines which levels of access the client is allowed to get. Authorization is configured in the authorization.xml file. If you want to skip all the authorization stuff and just allow “full access” to your authenticated clients, simply rename the “authorization.xml” file.
In my case, I went a little further and put the Deny section as a comment.
Configuring TACACS+ Authentication on Kali Linux
Using Linux as a server is generally more stable than Windows machines. That is why I considered the Linux alternative too.
Installation
Kali Linux must be connected to the internet to download the package.
apt-get install tacacs+
service tacacs+ start
netstat -ltp | grep tac
Another way to verify it:
lsof -i:49
To modify the configuration file:
nano /etc/tacacs+/tac_plus.conf
After each modification you must restart the TACACS+ service:
service tacacs+ restart
Configuration
Start by modifying the configuration file with:
nano /etc/tacacs+/tac_plus.conf
Define the shared secret used to communicate between the AAA client and the TACACS+ server:
Rtr-1(config)#tacacs-server host 192.168.1.250 key Blabla
Rtr-1(config)#aaa authentication login default group tacacs+ local
Define a group
Define a user as part of the group.
Rtr-1#deb tacacs authentication
TACACS+ authentication debugging is on
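As an added example (not from the original post), here is a complete /etc/tacacs+/tac_plus.conf for the Debian tac_plus daemon that ties the shared secret, group and user steps above to the three outcomes from the TACACS+ review at the top: the key matches the router's tacacs-server line, one group gets full exec rights, one group is limited to show commands, and any user not listed is rejected. The group names, user names and the password-hash placeholders are assumptions.

```conf
# Constructed example /etc/tacacs+/tac_plus.conf (not from the original post).
# Shared secret: must match the "tacacs-server host ... key" line on the router.
key = "Blabla"

# Full-rights group: every service is permitted and exec sessions start at
# privilege level 15.
group = netadmins {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

# Limited group: no "default service = permit" here, so anything not listed
# below is denied by the daemon. Exec is allowed at privilege level 1 and only
# "show" commands pass command authorization.
group = netops {
    service = exec {
        priv-lvl = 1
    }
    cmd = show {
        permit .*
    }
}

# Users (assumed names). The hashes are placeholders: generate real ones with
# the tac_pwd tool shipped in the tacacs+ package.
user = alice {
    member = netadmins
    login = des <DES-HASH-FROM-tac_pwd>
}
user = bob {
    member = netops
    login = des <DES-HASH-FROM-tac_pwd>
}

# Any username the router sends that is not defined here fails authentication,
# which is the "kicked off" case from the review.
```

Run "service tacacs+ restart" after saving, then watch "deb tacacs authentication" on the router to confirm which outcome each user gets.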
Configuring authorization with the tacacs+ Debian daemon was just a pain in the ass!
Conclusion
Configuring the AAA protocol on Windows or Linux is certainly doable, but only for a couple of users. It does not scale at all for respectable enterprises, which usually implement either ACS or ISE.
How are you implementing TACACS+ in your company or your home lab?
hello,
I am learning the authorization part in more detail.
however you say this: If you want to skip all the authorization stuff and just allow “full access” to your authenticated clients, simply change the name of “authentication.xml” file. – Surely authentication & authorization are different?
I think I made a typo. I meant “authorization.xml” instead of “authentication.xml”. Thanks for pointing that out Neil!