Create Free TACACs+ Server on Ubuntu Machine Step by Step Guide

Leave a Comment / By /
SARAN | Blog,BUZZ,Config & Troubleshoot,Services and Applications
Advertisements

Ubuntu Tacacs+ Server

Tacacs+ is a TCP based entirely new protocol used for AAA nowadays. This new protocol is not compatible with its previous versions like Tacacs and Xtacacs. With the help of Tacacs+ you can set up much more granular level access for the users, groups, subnets or device type etc.

Tacacs+ is an open-standard protocol compatible across various networking equipment vendor platforms.

Related – TACACS VS TACACS+

Advertisements

If you are one of the guys wanting to test some access restriction with Tacacs+ in a lab but don’t have a licensed product, then we will help you set up a Tacas+ server on your Linux-based Ubuntu machine by editing the tac_plus.conf file.

On the newer version of Ubuntu, you can easily install tacacs+ package from the apt-get repository which will also install libtacacs+1.

Step 1

Run command: sudo apt-get install tacacs+ 

lab@lab_VM1:~$ sudo apt-get install tacacs+
[sudo] password for lab:

Reading package lists… Done

Building dependency tree

Reading state information… Done

The following extra packages will be installed:

libtacacs+1

The following NEW packages will be installed

libtacacs+1 tacacs+

Step 2

Once the package is installed successfully you can view the location of the tac_plus.conf file using command

lab@lab_VM1:~$ ps -ef | grep tac_plus
root      1220     1  0 12:37 ?        00:00:00 /usr/sbin/tac_plus -C /etc/tacacs+/tac_plus.conf

lab 22730  2682  0 14:55 pts/0    00:00:00 grep –color=auto tac_plus

Step 3

Now we will proceed to edit the tac_plus.conf file but before that we must backup to original file to refer to in case anything breaks.

lab@lab_VM1:~$ sudo cp /etc/tacacs+/tac_plus.conf /etc/tacacs+/tac_plus.conf.old

Step 4

Next we have to create a file on which the accounting information will be written to. This is done with the help of below command.

sudo touch /var/log/tac_plus.acct

Step 5

In this step we will edit the tac_plus.conf file at below location.

sudo nano /etc/tacacs+/tac_plus.conf

The tac_plus.conf file looks like below:

sudo nano /etc/tacacs+/tac_plus.conf

# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)

# See man(5) tac_plus.conf for more details

# Define where to log accounting data, this is the default.

accounting file = /var/log/tac_plus.acct

# This is the key that clients have to use to access Tacacs+

key = testing123

# We also can define local users and specify a file where data is stored.

# That file may be filled using tac_pwd

#Defining the users, we have two users defined one admin and other ipwithease. Admin will have full access while another user will have limited access.

user= Administrator {
 login = cleartext Cisco

 member = “admin”

}

 user = ipwithease {

 login = cleartext “cisco”

 enable = cleartext “cisco”

 member = readonly

}

 #Defining the groups now to which members have been assigned above. Two groups are created admin and readonly.

group = admin {
 default service = permit

 service = exec {

 default attribute = permit

 priv-lvl = 15

 }

}

 group = readonly {

  default service = deny

  service = exec {

     default attribute = permit

     priv-lvl = 15

    }

}

  cmd = show {

           # permit show commands

           permit .*

  }

       # permit traceroute command

    cmd = traceroute {

               permit .*

    }

       # permit ping command

    cmd = ping {

               permit .*

    }

Hence in the above file, we have created two TACACs+ users.

User Administrator has the complete access and the user ipwithease has limited access and can run only the show commands, traceroute and ping commands.

Once you’re finished with everything you can run service tacacs_plus check to make sure the syntax is correct and if you get any errors you will need to restart the daemon using service tacacs_plus restart.

Installation and Configuration Issues

How do I install the TACACS+ server on Ubuntu?

  • Ensure you have the necessary repositories added.
  • Use sudo apt-get install tacacs+ to install the server.
  • Check the installation with tac_plus -v.

How do I configure the TACACS+ server?

  • Edit the configuration file located at /etc/tacacs+/tac_plus.conf.
  • Ensure you define users, groups, and key parameters correctly.

How do I start or restart the TACACS+ service?

  • Use sudo systemctl start tacacs+ to start.
  • Use sudo systemctl restart tacacs+ to restart.
  • Check the status with sudo systemctl status tacacs+.

    Authentication Issues

    Why are my users unable to authenticate?

    • Check if the users are correctly defined in /etc/tacacs+/tac_plus.conf.
    • Verify the shared secret between the client device and TACACS+ server.
    • Ensure the client device’s IP address is allowed in the configuration.

    How do I debug authentication issues?

    • Enable logging in the TACACS+ configuration file.
    • Check the log files usually located at /var/log/tac_plus.log.What could cause authentication timeouts?
    • Network connectivity issues between the client and the server.
    • High server load causing delays.
    • Incorrect shared secret causing repeated failed attempts.

      Permissions and Access Control Issues

      How do I set up command authorization?

      • Define cmd attributes under each user or group in /etc/tacacs+/tac_plus.conf.
      • Example:
      user = example {
    service = exec {
        priv-lvl = 15
    }
    cmd = show {
        permit .*
    }
    cmd = configure {
        permit terminal
    }
}

      Why are my command authorizations not working?

      • Ensure the syntax in the configuration file is correct.
      • Verify that the user’s privilege level matches the command requirements.
      • Restart the TACACS+ service after making changes.

      Network and Connectivity Issues

      How do I check if the TACACS+ server is reachable?

      • Use ping to check connectivity.
      • Use telnet or nc to test connectivity on port 49 (default TACACS+ port).

      What can cause the TACACS+ server to be unreachable?

      • Firewall settings blocking port 49.
      • Network issues such as routing problems.
      • The TACACS+ service is not running.

      Logging and Monitoring

      How do I enable detailed logging?

      • In the configuration file, set accounting file = /var/log/tac_plus.acct.
      • Use debug options for more detailed logs:
      debug = file /var/log/tac_plus.debug

            Where are the TACACS+ logs stored?

            • By default, logs can be found in /var/log/tac_plus.log or as specified in the configuration file.

            General Issues

            How do I check the TACACS+ server version?

            • Use tac_plus -v to check the version.

            How do I upgrade the TACACS+ server?

            • Use sudo apt-get update followed by sudo apt-get upgrade tacacs+.

            How do I troubleshoot general TACACS+ issues?

            • Check system logs using journalctl -u tacacs+.
            • Verify configuration syntax using tac_plus -C /etc/tacacs+/tac_plus.conf.

                ABOUT THE AUTHOR


                Related Posts

                Leave a Comment

                Your email address will not be published. Required fields are marked *

                Shopping Cart