TACACS+ Installation and Configuration
Summary
This document provides the steps necessary to download and configure the TACACS+ CentOS 7 VM.
The shipped tac_plus configuration already covers the most common use cases, including AD/LDAP integration, privilege levels and per-command authorization, and can be customized to the requirements of your environment.
TACACS+ OVA Download
Navigate to the URL below and download the TACACS+ CentOS 7 OVA, then import it into your existing ESXi infrastructure. The OVA was built on ESXi 6.5 with VM hardware version 13.
https://nac-downloads.opswat.com/IE/tacacs/OPSWAT-TACACS+-VM.ova
The VM requires 4 GB of dedicated memory, a 40 GB thin-provisioned storage partition and 2 vCPUs.
TACACS+ VM Configuration
The default username and password are below:
user = root
password = P@55w0rD
It is highly recommended that you change the default password. To do this, run passwd and enter the new password when prompted.
Configure networking:
# vi /etc/sysconfig/network-scripts/ifcfg-ens160
Change the following fields to the desired settings for your network, then restart networking:
# systemctl restart network.service
Configure the desired hostname for the server:
# hostnamectl set-hostname hostname.your.domain
Reboot for the hostname change to take effect.
TACACS+ Configuration - AD/LDAP
# vi /usr/local/etc/tac_plus.cfg
id = spawnd {
    listen = {
        port = 49
    }
    spawn = {
        instances min = 1
        instances max = 10
    }
    background = yes
}

id = tac_plus {
    access log = /var/log/tac_plus/access/%Y%m%d.log
    accounting log = /var/log/tac_plus/acct/%Y%m%d.log
    authentication log = /var/log/tac_plus/authentication/%Y%m%d.log
    authorization log = /var/log/tac_plus/authorization/%Y%m%d.log
    #debug = ALL

    mavis module = external {
        script out = {
            # Require group membership:
            if (undef($TACMEMBER) && $RESULT == ACK) set $RESULT = NAK
            # Don't cache passwords:
            if ($RESULT == ACK) set $PASSWORD_ONESHOT = 1
        }
        setenv LDAP_SERVER_TYPE = "microsoft"
        ###################################################
        # Comment/uncomment below to select LDAP or LDAPS #
        ###################################################
        #setenv LDAP_HOSTS = "ldap://x.x.x.x:389"
        setenv LDAP_HOSTS = "ldaps://x.x.x.x:636"
        setenv LDAP_BASE = "dc=your,dc=domain,dc=here"
        setenv LDAP_USER = "user@your.domain.here"
        setenv LDAP_PASSWD = "your_ldap_password"
        setenv REQUIRE_TACACS_GROUP_PREFIX = 1
        exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
    }

    login backend = mavis
    user backend = mavis
    pap backend = mavis

    host = world {
        address = ::/0
        #################################################
        # Adjust prompt below to preferred login banner #
        #################################################
        prompt = "\nUnauthorized Access Is Prohibited\n\n"
        enable 15 = clear your_enable_secret
        key = "your_tacacs_key"
    }
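The two rules in the script out block above are easy to misread, so the following added example (not part of the OPSWAT VM and not the mavis_tacplus_ldap.pl script) models one login decision end to end: the password check, the derivation of $TACMEMBER from the user's AD groups, and the two post-processing rules that refuse users without a TACACS group and mark the password as one-shot. The directory entries are constructed; the model assumes that with REQUIRE_TACACS_GROUP_PREFIX = 1 an AD group named with the "TACACS" prefix (compared case-insensitively) becomes the tac_plus group of the same name with the prefix removed, and that groups without the prefix are ignored.

```python
import re

# Added example (not part of the OPSWAT VM or the mavis_tacplus_ldap.pl script):
# a small model of how the external mavis module decides RESULT, TACMEMBER and
# PASSWORD_ONESHOT for one login, using the rules in the "script out" block.
#
# Assumptions: AD group names carrying the "TACACS" prefix become tac_plus group
# names with the prefix removed (REQUIRE_TACACS_GROUP_PREFIX = 1), the prefix
# comparison is case-insensitive, and groups without the prefix are ignored.
GROUP_PREFIX = "TACACS"

# Constructed directory entries standing in for the LDAP lookup.
DIRECTORY = {
    "alice": {
        "password": "alice-pw",
        "memberOf": [
            "CN=TACACSNetEngPriv,OU=Groups,DC=example,DC=com",
            "CN=Domain Users,CN=Users,DC=example,DC=com",
        ],
    },
    "bob": {
        "password": "bob-pw",
        "memberOf": ["CN=Domain Users,CN=Users,DC=example,DC=com"],
    },
}


def tacacs_groups(member_of, require_prefix=True):
    """Derive the tac_plus group list ($TACMEMBER) from memberOf DNs."""
    groups = []
    for dn in member_of:
        match = re.match(r"(?i)^cn=([^,]+)", dn.strip())
        if not match:
            continue
        name = match.group(1)
        if require_prefix:
            if not name.upper().startswith(GROUP_PREFIX):
                continue
            name = name[len(GROUP_PREFIX):]
        groups.append(name)
    return groups


def script_out(result, tacmember):
    """Apply the two 'script out' rules from the page's configuration."""
    # Require group membership: a valid password with no TACACS group is refused.
    if not tacmember and result == "ACK":
        result = "NAK"
    # Don't cache passwords: PASSWORD_ONESHOT is set only on a successful login.
    password_oneshot = result == "ACK"
    return result, password_oneshot


def authenticate(username, password, directory=DIRECTORY):
    """Return (RESULT, TACMEMBER, PASSWORD_ONESHOT) for one login attempt."""
    entry = directory.get(username)
    if entry is None or entry["password"] != password:
        return "NAK", [], False
    tacmember = tacacs_groups(entry["memberOf"])
    result, oneshot = script_out("ACK", tacmember)
    return result, tacmember, oneshot


if __name__ == "__main__":
    for user, pw in (("alice", "alice-pw"), ("bob", "bob-pw"), ("alice", "wrong")):
        print(user, authenticate(user, pw))
```

Running the script shows the effect of the first rule: bob has a valid password but no TACACS-prefixed group, so his login is turned from ACK into NAK and never reaches the group sections of the configuration. A user who should have device access therefore needs both a working AD account and membership in a prefixed group.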
TACACS+ Configuration - Privilege Level Concept
#################################################################################
# The following can be used to assign a privilege level to users based on group #
# Note: AD groups need to be prefaced with "TACACS" when created on the AD      #
# server, e.g. TACACSNetEngPriv in AD, NetEngPriv in tac_plus.cfg.              #
#################################################################################
group = NetEngPriv {
    enable = login
    default service = permit
    service = shell {
        default command = permit
        default attribute = permit
        set priv-lvl = 15
    }
}

group = NetAdminPriv {
    default service = permit
    service = shell {
        default command = permit
        default attribute = permit
        set priv-lvl = 1
    }
}
TACACS+ Configuration - Per Command Authorization
##################################################################################
# As an alternative to privilege levels, the following configuration can be used #
# to assign specific commands that a user is allowed to issue                    #
# Note: Privilege level defaults to 1                                            #
##################################################################################
group = NetAdminCmd {
    default service = deny
    service = shell {
        default command = deny
        default attribute = deny
        cmd = ping { permit .* }
        cmd = show { permit .* }
        cmd = traceroute { permit .* }
        # Regex: permit "terminal length ..." only (brackets around the word
        # would make it a character class and match far more than intended)
        cmd = terminal { permit length.* }
        cmd = exit
    }
}
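Because each cmd rule is a regular expression, a per-command group is worth checking against a list of real command lines before it is deployed. The following added example (not part of the OPSWAT VM and not tac_plus code) models the NetAdminCmd group above and reports the decision for a constructed set of command lines. It assumes that tac_plus selects the cmd block by the first word of the command, tests each permit/deny pattern against the remaining argument text in order, anchored at its start, and otherwise applies "default command"; the argument-less cmd = exit is modelled as allowing the bare command only. The terminal rule is also evaluated in the bracketed spelling [length].*, which a regex engine reads as a character class (any one of the letters l, e, n, g, t, h) rather than the word "length", to show why the pattern must be written as length.*.

```python
import re

# Added example (not part of the OPSWAT VM or tac_plus itself): a model of how
# the NetAdminCmd shell rules decide each command line, so a rule set can be
# sanity-checked before it is deployed.
#
# Assumptions: tac_plus selects the cmd block by the first word of the command,
# tests each permit/deny regex against the remaining argument text in order,
# anchored at its start, and otherwise applies "default command"; the
# argument-less "cmd = exit" is modelled as allowing the bare command only.
NET_ADMIN_CMD = {
    "default": "deny",
    "cmd": {
        "ping":       [("permit", r".*")],
        "show":       [("permit", r".*")],
        "traceroute": [("permit", r".*")],
        "terminal":   [("permit", r"length.*")],
        "exit":       [("permit", r"^$")],
    },
}

# The same "terminal" rule with the pattern spelled [length].*: a regex engine
# reads the brackets as a character class (any one of l, e, n, g, t, h), not as
# the literal word, so the rule permits much more than "terminal length".
TERMINAL_CHAR_CLASS = {
    "default": "deny",
    "cmd": {"terminal": [("permit", r"[length].*")]},
}


def authorize(group, cmdline):
    """Return 'permit' or 'deny' for one command line under a group's shell rules."""
    parts = cmdline.strip().split(None, 1)
    if not parts:
        return "deny"
    keyword = parts[0]
    args = parts[1] if len(parts) > 1 else ""
    rules = group["cmd"].get(keyword)
    if rules is None:
        # No cmd block for this keyword: "default command" applies.
        return group["default"]
    for action, pattern in rules:
        if re.match(pattern, args):  # first matching pattern decides
            return action
    return group["default"]


def audit(group, cmdlines):
    """Map each command line to the decision the group's rules produce."""
    return {line: authorize(group, line) for line in cmdlines}


# Constructed command lines a network administrator might issue.
SAMPLE_COMMANDS = [
    "show running-config",
    "ping 10.0.0.1",
    "traceroute 10.0.0.1",
    "terminal length 0",
    "terminal monitor",
    "terminal history size 256",
    "configure terminal",
    "exit",
]

if __name__ == "__main__":
    for line, decision in audit(NET_ADMIN_CMD, SAMPLE_COMMANDS).items():
        print(f"{decision:6}  {line}")
    print("[length].* on 'terminal history size 256':",
          authorize(TERMINAL_CHAR_CLASS, "terminal history size 256"))
```

The audit output lists one decision per line, which is the quickest way to confirm that configure terminal and terminal monitor are denied while the intended show, ping, traceroute and terminal length commands are permitted. The last line of the output shows the character-class pitfall: under [length].* a harmless terminal history command is permitted only because it starts with an "h", and any other argument starting with one of those six letters would be permitted the same way.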
TACACS+ Configuration - Validation
Once the desired changes have been made, the tac_plus configuration must be verified and the service restarted for the changes to take effect.
################################################################################
# If changes have been made to this file, the tac_plus service must be         #
# restarted in order for them to take effect                                   #
#                                                                              #
# Pre-flight check - /usr/local/sbin/tac_plus -P /usr/local/etc/tac_plus.cfg   #
# Make sure there are no errors returned                                       #
#                                                                              #
# Restart the service                                                          #
# systemctl restart tac_plus.service                                           #
#                                                                              #
# Make sure that the service is running                                        #
# systemctl status tac_plus.service -l                                         #
################################################################################
Device Configuration - Cisco Example
Note - If the device is unable to reach the TACACS+ server, it falls back to its local access credentials after the default or configured timeout period.
End-to-End - Validation
To validate the result on the switch, log in as a user in one of the TACACS+ AD groups and issue the show privilege command to confirm the assigned privilege level, or "?" to list the commands permitted under per-command authorization.
Privilege Level Concept


Per-Command Authorization

TACACS+ Logging Examples
Access log:

Accounting log:

Authentication log:

Authorization log:
