Install FreeRADIUS
TACACS+ may be installed either from an RPM in a supported distribution's repository or from source.
/etc/yum.repos.d/tacacs.repo
[tacacs-plus]
name=TACACS Plus
baseurl=http://li.nux.ro/download/nux/misc/el7/x86_64/
enabled=1
gpgcheck=1
gpgkey=http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro

sudo dnf update
sudo dnf install tac_plus

wget https://shrubbery.net/pub/tac_plus/tacacs-F4.0.4.28.tar.gz
tar xzvf tacacs-F4.0.4.28.tar.gz
cd tacacs-F4.0.4.28
./configure
make
sudo make install
Generate the password hash using tac_pwd.
/etc/tac_plus.conf
accounting file = /var/log/tac_plus.acct
key = <key>

acl = default {
    permit = <subnet>
}

user = <username> {
    name = <name>
    member = <group>
    login = des <hash>
}

group = <group> {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}
sudo tac_plus -C /etc/tac_plus.conf
Server Profile
tacacs server <server>
 address ipv4 <ip>
 key <key>
 timeout <value>
!
aaa group server tacacs+ <group>
 server name <server>
 ip tacacs source-interface <interface>
!
ip tacacs source-interface <interface>
AAA Profile
aaa new-model
aaa authentication login default local
aaa authentication login <list> group <group> local
aaa authorization exec default if-authenticated
aaa authorization exec <list> group <group> local
aaa authorization network default if-authenticated
aaa authorization commands 15 default local
aaa authorization commands 15 <list> group <group> local
aaa accounting commands 15 <list> start-stop group <group>
VTY Login Profile
line vty 0 4
 authorization commands 15 <list>
 authorization exec <list>
 accounting commands 15 <list>
 login authentication <list>
 transport input ssh
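
An offline consistency check for the AAA and VTY profiles above, as an added example that is not part of the original page: it confirms that every method list named on a vty line is defined by a matching aaa command, that group-backed lists end in local as the profile does, and that transport input is ssh only. The names audit, REFS and SAMPLE, and the values MGMT and TACGRP standing in for <list> and <group>, are assumptions made for this example.

```python
# Constructed sample: MGMT and TACGRP are made-up values for <list> and <group>.
SAMPLE = """\
aaa new-model
aaa authentication login MGMT group TACGRP local
aaa authorization exec MGMT group TACGRP local
aaa authorization commands 15 MGMT group TACGRP local
aaa accounting commands 15 MGMT start-stop group TACGRP
line vty 0 4
 authorization commands 15 MGMT
 authorization exec MGMT
 accounting commands 15 MGMT
 login authentication MGMT
 transport input ssh
"""

# vty sub-command -> global command that must define the named method list
REFS = {
    "login authentication": "aaa authentication login",
    "authorization exec": "aaa authorization exec",
    "authorization commands 15": "aaa authorization commands 15",
    "accounting commands 15": "aaa accounting commands 15",
}

def audit(config):
    """Return findings for each 'line vty' block in an IOS-style config."""
    lines, defined = config.splitlines(), {}
    for line in lines:                      # pass 1: collect defined method lists
        for aaa in REFS.values():
            if line.startswith(aaa + " "):
                name, *methods = line[len(aaa):].split()
                defined[(aaa, name)] = methods
    findings, block, ssh_only = [], None, False
    for line in lines + ["!"]:              # sentinel closes a trailing vty block
        cmd = line.strip()
        if not line.startswith(" "):        # top-level command ends any open block
            if block and not ssh_only:
                findings.append(f"{block}: transport input is not restricted to ssh")
            block, ssh_only = (line if line.startswith("line vty") else None), False
        elif block and cmd.startswith("transport input "):
            ssh_only = cmd.split()[2:] == ["ssh"]
        elif block:
            for ref, aaa in REFS.items():
                if cmd.startswith(ref + " "):
                    methods = defined.get((aaa, cmd[len(ref):].strip()))
                    if methods is None:
                        findings.append(f"{block}: '{cmd}' names an undefined list")
                    elif "accounting" not in ref and "group" in methods and "local" not in methods:
                        findings.append(f"{block}: list in '{cmd}' has no local fallback")
    return findings
```

Run audit() on a saved copy of the running configuration before applying the VTY profile; an empty list means the vty references, fallbacks and transport setting match the profile.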