2 Free Tacacs+ Alternatives

These are my notes on configuring and testing a quick implementation of free TACACS+ authentication and authorization server software, on Windows and on Kali Linux.

A quick review of TACACS+

TACACS+ is used by network devices to authenticate users. Each user that logs on to a network device is checked against the TACACS+ server database before a decision is made. The decision can be something like:

  • the user is authenticated but will have limited access to the network device,
  • the user is authenticated and will have full rights on the network device,
  • the user is not authorized to access the network device and is kicked off.

Tacacs.Net on Windows

Installation and configuration

Download the software from the official website.

Install the software. At some point, the system asks you to configure a shared secret. This key will be used for communications between Tacacs+ clients and the Tacacs+ server.

Configuring authentication

For Windows 7, the configuration files are in the following path: C:\documents and settings\all users\application data\tacacs.net\config
To test the tacacs server, un-comment the Users section, under the UserGroup section.

You can use “tacacsverify” to check whether the modifications you made to the various files are valid or not.

You can change the IP address the server listens on from 127.0.0.1 to an address that is reachable on the network. You do that in the “tacplus.xml” file:


You define the shared secret at installation time. This key will be used by TACACS+ clients when authenticating against the server, and also when we test the AAA protocol locally. You can change it later in the “clients.xml” file:

There is a default user account you can use for testing:
user name: user1
user password: somepassword


Then use the “tactest” command with its parameters to test a login against the server. Take a look at the example below:


Configuring authorization

Authorization defines which level of access an authenticated client is allowed to get. Authorization is configured in the authorization.xml file. If you want to skip all the authorization stuff and just allow “full access” to your authenticated clients, simply rename the “authorization.xml” file.
In my case, I went a little further and commented out the Deny section.


Configuring TACACS+ Authentication on Kali Linux

A Linux server is generally more stable than a Windows machine. That is why I considered the Linux alternative too.

Installation

Kali Linux must be connected to the internet to download the package.

apt-get install tacacs+


service tacacs+ start
netstat -ltp | grep tac


Another way to verify it:

lsof -i:49


To modify the configuration file:

nano /etc/tacacs+/tac_plus.conf

After each modification you must restart the TACACS+ service:

service tacacs+ restart

Configuration

Start by opening the configuration file with:

nano /etc/tacacs+/tac_plus.conf

Define the shared secret used to communicate between the AAA client and the TACACS+ server:


Rtr-1(config)#tacacs-server host 192.168.1.250 key Blabla

Rtr-1(config)#aaa authentication login default group tacacs+ local
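The shared secret defined above (key Blabla in the router lines) and the tactest step in the Windows section both rest on the same mechanism: the client sends an authentication START whose body is XORed with an MD5 pad derived from the secret, so the key only obfuscates the packet rather than encrypting the link, and a short key like Blabla carried over an untrusted segment is the real exposure. The following Python is an added example, not code from this post, Tacacs.Net or tac_plus; it builds and decodes such a PAP START packet offline, with the session id, the port name tty0 and the user1/somepassword test account as constructed values.

```python
"""TACACS+ (RFC 8907) PAP START builder: an added example, not code from the
post, Tacacs.Net or tac_plus. It shows what a tester like tactest sends and
why the shared secret is only an obfuscation pad, not transport encryption."""
import hashlib
import struct

AUTHEN, VERSION_PAP = 0x01, 0xC1             # packet type; major 0xC, minor 1 for PAP
ACTION_LOGIN, TYPE_PAP, SVC_LOGIN = 1, 2, 1  # START body constants
HEADER = struct.Struct("!BBBBII")            # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 chain of RFC 8907 section 4.5: MD5(sid|key|ver|seq), then MD5(...|previous)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad = prev = b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pad; XOR is its own inverse, so this also de-obfuscates."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, version, seq_no, len(body))))


def build_pap_start(username: str, password: str, key: bytes, session_id: int) -> bytes:
    """Authentication START (seq_no 1); the password travels in the data field.
    session_id is constructed here; a real client takes it from os.urandom(4)."""
    user, port, rem, data = username.encode(), b"tty0", b"", password.encode()
    body = struct.pack("!8B", ACTION_LOGIN, 1, TYPE_PAP, SVC_LOGIN,
                       len(user), len(port), len(rem), len(data)) + user + port + rem + data
    header = HEADER.pack(VERSION_PAP, AUTHEN, 1, 0, session_id, len(body))  # flags 0: obfuscated
    return header + obfuscate(body, session_id, key, VERSION_PAP, 1)


def decode_start(packet: bytes, key: bytes) -> dict:
    """Recover the START fields with a candidate key, as the server does on receipt."""
    version, ptype, seq_no, flags, sid, length = HEADER.unpack_from(packet)
    body = obfuscate(packet[HEADER.size:HEADER.size + length], sid, key, version, seq_no)
    fields, off = {"type": ptype, "seq_no": seq_no, "flags": flags, "session_id": sid}, 8
    for name, n in zip(("user", "port", "rem_addr", "data"), body[4:8]):
        fields[name] = body[off:off + n]
        off += n
    return fields
```

Decoding the same packet with a wrong key yields garbage, which is exactly the check a server performs when a client's key does not match the one in clients.xml or tac_plus.conf.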

Define a group


Define a user as part of the group.


Rtr-1#deb tacacs authentication
 TACACS+ authentication debugging is on


Configuring authorization with the tacacs+ Debian daemon was just a pain in the ass!

Conclusion

Configuring the AAA protocol on Windows or Linux is doable for sure, but only for a couple of users. It does not scale at all for serious enterprises, which usually implement either ACS or ISE.

How are you implementing TACACS+ in your company or your home lab?

2 thoughts on “2 Free Tacacs+ Alternatives”

  1. Hello,
    I am learning the authorization part in more detail.
    However, you say this: If you want to skip all the authorization stuff and just allow “full access” to your authenticated clients, simply change the name of “authentication.xml” file. – Surely authentication & authorization are different?
