Ubuntu Tacacs+ Server
Tacacs+ is a TCP based entirely new protocol used for AAA nowadays. This new protocol is not compatible with its previous versions like Tacacs and Xtacacs. With the help of Tacacs+ you can set up much more granular level access for the users, groups, subnets or device type etc.
Tacacs+ is an open-standard protocol compatible across various networking equipment vendor platforms.
Related – TACACS VS TACACS+
If you are one of the guys wanting to test some access restriction with Tacacs+ in a lab but don’t have a licensed product, then we will help you set up a Tacas+ server on your Linux-based Ubuntu machine by editing the tac_plus.conf file.
On the newer version of Ubuntu, you can easily install tacacs+ package from the apt-get repository which will also install libtacacs+1.
Step 1: Run command: sudo apt-get install tacacs+
[sudo] password for lab:
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following extra packages will be installed:
libtacacs+1
The following NEW packages will be installed
libtacacs+1 tacacs+
Step 2: Once the package is installed successfully you can view the location of the tac_plus.conf file using command
root 1220 1 0 12:37 ? 00:00:00 /usr/sbin/tac_plus -C /etc/tacacs+/tac_plus.conf lab 22730 2682 0 14:55 pts/0 00:00:00 grep –color=auto tac_plus
Step 3: Now we will proceed to edit the tac_plus.conf file but before that we must backup to original file to refer to in case anything breaks.
Step 4: Next we have to create a file on which the accounting information will be written to. This is done with the help of below command.
Step 5: In this step we will edit the tac_plus.conf file at below location.
The tac_plus.conf file looks like below:
lab@lab_VM1:~$ cat /etc/tacacs+/tac_plus.conf
# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details
# Define where to log accounting data, this is the default.
accounting file = /var/log/tac_plus.acct
# This is the key that clients have to use to access Tacacs+
# We also can define local users and specify a file where data is stored.
# That file may be filled using tac_pwd
#Defining the users, we have two users defined one admin and other ipwithease. Admin will have full access while another user will have limited access.
login = cleartext Cisco member = “admin” } user = ipwithease { login = cleartext “cisco” enable = cleartext “cisco” member = readonly }
#Defining the groups now to which members have been assigned above. Two groups are created admin and readonly.
default service = permit service = exec { default attribute = permit priv-lvl = 15 } } group = readonly { default service = deny service = exec { default attribute = permit priv-lvl = 15 } } cmd = show { # permit show commands permit .* } # permit traceroute command cmd = traceroute { permit .* } # permit ping command cmd = ping { permit .* }
Hence in the above file, we have created two TACACs+ users.
User Administrator has the complete access and the user ipwithease has limited access and can run only the show commands, traceroute and ping commands.
Once you’re finished with everything you can run service tacacs_plus check to make sure the syntax is correct and if you get any errors you will need to restart the daemon using service tacacs_plus restart.