Updated: 2006/11/23
Here is one of a series of installation procedures for Open Source network management tools.
TACACS+ is an AAA protocol: it authenticates users logging in to (mostly) Cisco devices, authorizes
the commands they run, and records what they did. Shrubbery Networks' tac_plus daemon is used here.
Installation
Log in to www.shrubbery.net's ftp server and retrieve the tac_plus tarball into /usr/src.
Use 'tar -zxvf' to expand the file and then cd into the newly expanded directory.
You'll need a couple of prerequisites (tac_plus links against TCP wrappers so that
/etc/hosts.allow and /etc/hosts.deny can restrict which devices may talk to it; on Debian the
development package is libwrap0-dev, libwrap-devel being the Red Hat name):
apt-get install libwrap0
apt-get install libwrap0-dev
Run configure to generate the Makefile:
./configure \
--bindir=/usr/local/bin \
--sbindir=/usr/local/sbin \
--localstatedir=/var/local/tacacs \
--sysconfdir=/etc \
--with-logfile=/var/log/tacacs/tacacs \
--with-pidfile=/var/run/tacacs.pid \
--with-acctfile=/var/log/tacacs/acctfile
Then perform the build and install, and create the state and log directories that configure
was pointed at (tac_plus will not create them for you):
make
make install
mkdir -p /var/local/tacacs /var/log/tacacs
Update /etc/logrotate.conf:
/var/log/tacacs/acctfile /var/log/tacacs/tacacs {
rotate 10
daily
compress
}
Here is an example simple configuration file for /etc/tacacs.conf. The 'key' must match the
'tacacs-server key' on every device, and because the file holds that key and the user passwords
it should be readable only by root (chmod 600). 'cleartext' is used below for brevity; tac_plus
also accepts crypt(3) hashes ('login = des <hash>', generated with the bundled tac_pwd utility),
which is what you want in production, and the three accounts should of course not share one password:
key = yourkey
user = outech {
member = admin
login = cleartext apassword
}
user = lastresort {
member = admin
login = cleartext apassword
}
user = webadmin {
member = level1
login = cleartext apassword
}
user = $enab15$ {
login = cleartext apassword
}
group = admin {
default service = permit
}
group = level1 {
cmd = show {
deny run
permit .*
}
}
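To see what the 'level1' group's cmd clause actually allows, here is an added example (not part of the original page or of tac_plus itself) that models the authorization rules above in Python. It assumes tac_plus's documented matching behaviour: the first regex that matches the space-joined argument string decides, an argument string matched by no regex is denied, and a command with no 'cmd =' clause falls to the group's default service (deny unless 'default service = permit'). The 'level1_tight' group and the sample commands are constructed for the illustration.

```python
"""Model of the command-authorization rules in the tacacs.conf above (added example)."""
import re

# The page's groups, as Python data rather than tac_plus syntax.
# default_service: what happens to a command with no matching "cmd =" clause.
# tac_plus denies such commands unless "default service = permit" is set
# (assumption about tac_plus defaults; check tac_plus.conf(5) for your version).
GROUPS = {
    "admin": {"default_service": "permit", "cmds": {}},
    "level1": {"default_service": "deny",
               "cmds": {"show": [("deny", "run"), ("permit", ".*")]}},
    # Hypothetical tighter variant (not on the page): anchor the pattern so only
    # argument strings that *start* with "run" are refused, not any string
    # containing it (e.g. a "| include running" filter on an otherwise harmless show).
    "level1_tight": {"default_service": "deny",
                     "cmds": {"show": [("deny", "^run"), ("permit", ".*")]}},
}
USERS = {"outech": "admin", "lastresort": "admin", "webadmin": "level1"}


def authorize(group_name: str, cmd: str, args: list) -> bool:
    """First matching regex in the cmd clause wins; no clause -> default service;
    clause present but nothing matched -> deny."""
    group = GROUPS[group_name]
    clauses = group["cmds"].get(cmd)
    if clauses is None:
        return group["default_service"] == "permit"
    # IOS sends each argument as a cmd-arg and a final "<cr>"; tac_plus matches
    # the patterns against the space-joined argument string with an unanchored
    # search (POSIX regex in tac_plus; Python's re is close enough here).
    arg_string = " ".join(args + ["<cr>"])
    for action, pattern in clauses:
        if re.search(pattern, arg_string):
            return action == "permit"
    return False


def authorize_user(user: str, command_line: str) -> bool:
    """Split a typed command into cmd + args the way the device presents it.
    IOS expands abbreviations ('sh run' -> 'show running-config') before asking
    the server, so pass the full command here."""
    cmd, *args = command_line.split()
    return authorize(USERS[user], cmd, args)


def decisions(user: str, commands: list) -> dict:
    return {c: authorize_user(user, c) for c in commands}


if __name__ == "__main__":
    sample = ["show version", "show running-config",
              "show ip route | include running", "configure terminal"]
    for user in ("webadmin", "outech"):
        for c, ok in decisions(user, sample).items():
            print(f"{user:10} {'permit' if ok else 'deny  '} {c}")
```

The point the run makes: with the page's 'deny run', webadmin is refused 'show running-config' as intended, but also 'show ip route | include running', because the unanchored pattern matches anywhere in the argument string; the anchored variant refuses only arguments beginning with 'run'. Anything that is not 'show' is denied for level1 because the group has no 'default service = permit'.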
On the device use a configuration similar to the following. Set the local username and enable
secret before turning on 'aaa new-model' so you cannot lock yourself out if the server is unreachable:
conf t
username lastresort secret apassword
ip tacacs source-interface Loopback0
enable secret apassword
aaa new-model
!
tacacs-server host 10.10.10.10 timeout 3
tacacs-server directed-request
tacacs-server key yourkey
aaa session-id common
aaa authentication login default group tacacs+ local enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
line vty 0 15
no password
login authentication default
end
Then start the service (tac_plus's -P option parses the configuration file and exits without
serving, which is a cheap syntax check to run first):
tac_plus -C /etc/tacacs.conf
This configuration places a unique 'lastresort' username, secret, and enable secret in the
device. The 'aaa authentication login default group tacacs+ local enable' line tries the TACACS+
server first, then the local username database, then the enable secret; IOS only moves on to the
next method when the server does not respond, not when it rejects the login, so 'lastresort' is
usable only while the server is unreachable. The 'if-authenticated' keyword on the authorization
lines does the same for authorization: a user who has already authenticated is allowed through
when the server cannot be reached. When the server is available, the usernames, passwords, and
enable password in the tacacs config file are used, and every command is authorized and
accounted there.
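The shared key in 'key = yourkey' and 'tacacs-server key yourkey' is not an encryption key in the usual sense. TACACS+ XORs each packet body with an MD5-derived pseudo-pad built from the session id, the key, the version byte and the sequence number (RFC 8907, section 4.5), and the 12-byte header is always sent in the clear. The following Python is an added example, not code from this page or from tac_plus, that implements that obfuscation for a constructed authentication START packet; the session id, user, port and remote address values are made up.

```python
"""TACACS+ body obfuscation with the shared key (RFC 8907 section 4.5), added example."""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01                # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01      # body sent in the clear when set

# version, type, seq_no, flags, session_id, body length
HEADER = struct.Struct("!BBBBII")


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1);
    the pad is their concatenation truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; the same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: str, port: str, rem_addr: str, data: bytes = b"") -> bytes:
    """Authentication START body (RFC 8907 section 5.1): action LOGIN, priv_lvl 1,
    authen_type ASCII, authen_service LOGIN, four lengths, then the strings."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return bytes([0x01, 0x01, 0x01, 0x01, len(u), len(p), len(r), len(data)]) + u + p + r + data


def build_packet(body: bytes, key: bytes, session_id: int, seq_no: int = 1) -> bytes:
    """Cleartext header followed by the obfuscated body."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    header = HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_packet(packet: bytes, key: bytes) -> dict:
    """The header is readable without the key; the body needs it (unless the
    unencrypted flag is set). There is no integrity check, so a wrong key
    yields garbage rather than an error."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "body": body}


def demo() -> bool:
    """Round-trip a START packet with the right key and show a wrong key fails."""
    key = b"yourkey"                 # the shared secret from tacacs.conf / tacacs-server key
    session_id = 0x1234ABCD          # normally random per session; fixed here (constructed)
    body = authen_start_body("outech", "tty2", "10.10.10.1")   # constructed values
    pkt = build_packet(body, key, session_id)
    ok = parse_packet(pkt, key)["body"] == body
    wrong = parse_packet(pkt, b"wrongkey")["body"]
    return ok and wrong != body


if __name__ == "__main__":
    print("round trip ok, wrong key rejected:", demo())
```

Two practical consequences follow from the code. The protocol carries no MAC over the body, so a key mismatch between tac_plus and a device is only noticed when the de-obfuscated body fails to parse, which is why such mismatches show up as unhelpful failures rather than a clear error. And since the pad is just MD5 over the key plus values that are visible in the cleartext header, the key should be long and random, and the TACACS+ traffic should be confined to a management network rather than relied on as confidential.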
Further Information
A page showing how to automatically assign privilege levels:
http://www.cisco.com/en/US/partner/tech/tk59/technologies_tech_note09186a008009465c.shtml