TACACS+ for First-time Users


This document is intended to assist the first-time TACACS+ user in setting up and debugging a TACACS+ configuration. It is not an exhaustive description of TAC+ capabilities.
 

Authentication

  1. Make sure you have compiled TACACS+ (TAC+) code on the UNIX server. The server configurations here assume you are using the Cisco TAC+ server code; the router configurations should work whether or not the server code is Cisco's. The code (which we will call tac_plus_executable) may have come pre-compiled.

     TAC+ must be run as root; su to root if necessary.

     Copy the test_file at the end of this document, place it on the TAC+ server, and name it "test_file". Check to be sure the tac_plus_executable daemon will start with test_file; in the following command, the -P option checks for compile errors but does not start the daemon:

       tac_plus_executable -P -C test_file

     You may see the contents of test_file scroll down the screen, but you should not see messages such as "cannot find file", "cleartext expected--found cleartext", or "unexpected }". If there are errors, check paths to test_file, re-check your typing, and re-test before continuing.

  2. On the router, start configuring TAC+. Enter enable mode and type conf t before the command set.

     The following syntax will ensure that you will not be locked out of the router initially, providing the tac_plus_executable is not running:

       ! Turn on Tac+
       aaa new-model
       enable password whatever

       ! These are lists of authentication methods,
       ! i.e. 'linmethod', 'vtymethod', 'conmethod' are
       ! names of lists, and the methods listed on the same lines are
       ! the methods in the order to be tried.  As used here, if authentication
       ! fails due to the tac_plus_executable not being started, the enable
       ! password will be accepted because it is in each list

       aaa authentication login linmethod tacacs+ enable
       aaa authentication login vtymethod tacacs+ enable
       aaa authentication login conmethod tacacs+ enable

       ! Point the router to the server, i.e. #.#.#.# is server ip address

       tacacs-server host #.#.#.#
       line con 0
            password whatever
            ! no time-out to prevent being locked out during debugging
            exec-timeout 0 0
            login authentication conmethod
       line 1 8
            login authentication linmethod
            modem InOut
            transport input all
            rxspeed 38400
            txspeed 38400
            flowcontrol hardware
       line vty 0 4
            password whatever
            ! no time-out to prevent being locked out during debugging
            exec-timeout 0 0
            login authentication vtymethod

  3. Test to be sure you can still access the router via Telnet and through the console port before continuing. Because the tac_plus_executable is not running, the enable password should be accepted.

  4. NOTE: Keep the console port session active and remain in enable mode; this session should not time out. We are starting to limit access to the router at this point, and you need to be able to make configuration changes without locking yourself out.

     To see server-to-router interaction at the router:

       term mon
       debug aaa authentication

  5. As root, start TAC+ on the server:

       tac_plus_executable -C test_file -d 16

  6. Check to be sure TAC+ started:

       ps -aux | grep tac_plus_executable

     Or,

       ps -ef | grep tac_plus_executable

     If TAC+ does not start, it is usually a problem with syntax in the test_file. Return to Step 1 to correct.

  7. To see router-to-server interaction at the server, type:

       tail -f /var/tmp/tac_plus.log

     NOTE: The -d 16 option in Step 5 sends output of all transactions to /var/tmp/tac_plus.log.

  8. Telnet (VTY) users should now have to authenticate through TAC+.

     With debug going on the router and the server (steps 4 and 7), telnet into the router from another part of the network. The router should produce a username and password prompt, to which you reply:

       'authenuser'   (username from test_file)
       'admin'        (password from test_file)

     where user 'authenuser' is in group 'admin', which has password 'admin'.

     Watch the server and the router, where you should see the TAC+ interaction: what's being sent where, responses, requests, etc. Correct any problems before continuing.

  9. If you also want your users to authenticate through TAC+ to get into enable mode, make sure your console port session is still active and add the following command to the router:

       ! For enable mode, list 'default' looks to TAC+ then enable password if TAC+ not running
       aaa authentication enable default tacacs+ enable

     Users should now have to enable through TAC+.

  10. With debug going on the router and the server (steps 4 and 7), telnet into the router from another part of the network. The router should produce a username and password prompt, to which you reply:

       'authenuser'   (username from test_file)
       'admin'        (password from test_file)

     When entering enable mode, the router will request a password, to which you reply:

       'cisco'        ($enable$ password from test_file)

     Watch the server and the router, where you should see the TAC+ interaction: what's being sent where, responses, requests, etc. Correct any problems before continuing.

  11. Bring down the TAC+ process on the server while still connected to the console port to be sure that your users can still access the router if TAC+ is down:

       ps -aux | grep tac_plus_executable

     Or,

       ps -ef | grep tac_plus_executable

     then

       kill -9 pid_of_tac_plus_executable

     Repeat the Telnet and enable of the previous step. The router should realize that the TAC+ process is not responding and allow users to log in and enable with the default passwords.

  12. Check for authentication of your console port users through TAC+ by bringing up the TAC+ server again (steps 5-6), and establishing a Telnet session to the router (which should authenticate through TAC+).

     Remain connected via Telnet into the router in enable mode until you are sure you can log in to the router through the console port.

     Log out of your original connection to the router through the console port, then reconnect to the console port. Console port authentication to log in and enable using userIDs and passwords (shown in step 10) should now be through TAC+.

  13. While remaining connected through either a Telnet session or the console port, and with debug going on the router and the server (steps 4 and 7), establish a modem connection to line 1. Line users should now have to log in and enable through TAC+.

     The router should produce a username and password prompt, to which you reply:

       'authenuser'   (username from test_file)
       'admin'        (password from test_file)

     When entering enable mode, the router will request a password. Reply:

       'cisco'        ($enable$ password from test_file)

     Watch the server and the router, where you should see the TAC+ interaction: what's being sent where, responses, requests, etc. Correct any problems before continuing.
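The procedure above depends on one property of IOS method lists that is easy to get wrong: in a list such as 'tacacs+ enable', the router only moves on to the next method when the previous one returns an error (the TAC+ daemon is not running or not reachable, as when it is killed above). A reject from a server that did answer ends the evaluation, so the enable password is not tried. The following Python model is an added example, not part of the original Cisco document and not IOS code; FakeTacacsServer is a constructed stand-in for tac_plus_executable, and the user table mirrors 'authenuser' from test_file.

```python
"""Model of how a Cisco IOS AAA method list is evaluated.

Added example (Python), not part of the original Cisco document and not IOS
code. It models the rule the lists 'aaa authentication login ... tacacs+
enable' rely on: the next method in a list is consulted only when the
previous one returns an ERROR (TAC+ server unreachable, e.g. the daemon was
killed); a PASS or FAIL from a method that did answer ends the evaluation.
FakeTacacsServer is a constructed stand-in for tac_plus_executable.
"""
from typing import Dict, List, Optional, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


class FakeTacacsServer:
    """Stand-in for the TAC+ daemon with a constructed user table; can be 'down'."""

    def __init__(self, users: Dict[str, str], running: bool = True):
        self.users = users          # username -> cleartext password (constructed)
        self.running = running

    def authenticate(self, user: str, password: str) -> str:
        if not self.running:
            return ERROR            # no reply at all: the router times out
        return PASS if self.users.get(user) == password else FAIL


def try_method(method: str, server: FakeTacacsServer, enable_password: str,
               user: Optional[str], password: str) -> str:
    """Evaluate one method keyword as written in an 'aaa authentication' list."""
    if method == "tacacs+":
        return server.authenticate(user or "", password)
    if method == "enable":
        return PASS if password == enable_password else FAIL
    if method == "none":
        return PASS                 # accepts anyone without checking anything
    raise ValueError(f"unknown method {method!r}")


def evaluate_method_list(methods: List[str], server: FakeTacacsServer,
                         enable_password: str, user: Optional[str],
                         password: str) -> Tuple[bool, List[str]]:
    """Walk the list left to right; only ERROR falls through to the next method.

    Returns (accepted, trace), trace being 'method:RESULT' for each method consulted.
    """
    trace: List[str] = []
    for method in methods:
        result = try_method(method, server, enable_password, user, password)
        trace.append(f"{method}:{result}")
        if result in (PASS, FAIL):
            return result == PASS, trace
        # ERROR: the method could not decide, so consult the next one
    return False, trace             # every method errored: access is denied


# Constructed mirror of test_file: 'authenuser' logs in with group admin's password.
USERS = {"authenuser": "admin"}
ENABLE_PASSWORD = "whatever"        # 'enable password whatever' from the router config


def scenarios() -> Dict[str, Tuple[bool, List[str]]]:
    """The situations the procedure walks through, as (accepted, trace)."""
    up = FakeTacacsServer(USERS, running=True)
    down = FakeTacacsServer(USERS, running=False)
    return {
        # TAC+ answers PASS: the enable method is never reached
        "server_up_good_password":
            evaluate_method_list(["tacacs+", "enable"], up, ENABLE_PASSWORD, "authenuser", "admin"),
        # TAC+ answers FAIL: no fallback, even though the enable password was typed
        "server_up_enable_password_typed":
            evaluate_method_list(["tacacs+", "enable"], up, ENABLE_PASSWORD, "authenuser", "whatever"),
        # daemon killed: ERROR, so the enable password is tried and accepted
        "server_down_enable_password_typed":
            evaluate_method_list(["tacacs+", "enable"], down, ENABLE_PASSWORD, "authenuser", "whatever"),
        # 'none' as the fallback method lets anyone in once the server is unreachable
        "server_down_none_fallback":
            evaluate_method_list(["tacacs+", "none"], down, ENABLE_PASSWORD, "anyone", "anything"),
    }


if __name__ == "__main__":
    for name, (accepted, trace) in scenarios().items():
        print(f"{name:36s} {'ACCEPT' if accepted else 'DENY':6s} {' -> '.join(trace)}")
```

The last scenario is why the Authorization section below suggests 'enable' rather than 'none' as the fallback: with 'none' the only thing standing between an outage of the TAC+ server and unauthenticated access is the reachability of the daemon.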
 
 

Adding Authorization (optional)

  1. The router can be configured to authorize commands through TAC+ at all or some levels. The following router configuration allows all users to have per-command authorization set up on the server. Here we authorize all commands through TAC+, but if the server is down, no authorization is necessary, hence the 'none'. Replacing 'none' with 'enable' in an actual router is a good idea so that the 'enable password' will still be required if the server is down.

       aaa authorization commands 0 tacacs+ none
       aaa authorization commands 1 tacacs+ none
       aaa authorization commands 15 tacacs+ none

  2. While the TAC+ server is running, telnet into the router with userid 'authenuser'. Because 'authenuser' has 'default service = permit' in test_file, this user should be able to perform all functions.

  3. While in the router, enter enable mode, and turn on authorization debugging:

       term mon
       debug aaa authorization

  4. Telnet into the router with userid authoruser and password operator. This user should be able to do two show commands, plus traceroute and logout (see test_file).

     Watch the server and the router, where you should see the TAC+ interaction, i.e., what's being sent where, responses, requests, etc. Correct any problems before continuing.

  5. If you want to configure a user for an autocommand, remove the comment characters from the user 'transient' entry in the test_file, and put a valid IP address destination in place of the #.#.#.#. Stop and start the TAC+ server.

     On the router:

       aaa authorization exec tacacs+

     Telnet to the router with userid transient and password transient. The telnet #.#.#.# will execute and user transient will be sent to the other location.
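What the server does with each authorization request is decided by the 'cmd' blocks in test_file: for a command the user has a 'cmd' block for, the command's arguments are tested against the permit/deny regular expressions in order and the first match wins; no match means deny; a command with no 'cmd' block is permitted only under 'default service = permit'. The Python model below is an added example, not tac_plus code, and CONFIG is a hand-built mirror of the two users the steps above exercise. Two details are assumptions about the daemon rather than facts from this document: the regex is applied as an unanchored search over the argument string, and the trailing '<cr>' the router sends is stripped before matching.

```python
"""Model of tac_plus per-command authorization for the users in test_file.

Added example (Python), not tac_plus's own code. CONFIG mirrors 'authenuser'
and 'authoruser' from test_file. Assumed (not stated by the document):
regexes are matched as an unanchored search over the space-joined arguments,
and a trailing '<cr>' from the router is removed before matching.
"""
import re
from typing import Dict, List, Tuple

Rule = Tuple[str, str]           # ("permit" | "deny", regex)

CONFIG: Dict[str, dict] = {
    "groups": {
        "admin": {"cmds": {}},
        "operators": {"cmds": {}},
    },
    "users": {
        # 'default service = permit' and member = admin, as in test_file
        "authenuser": {"member": "admin", "default_service": "permit", "cmds": {}},
        # limited to show ver / show ip, traceroute and logout, as in test_file
        "authoruser": {
            "member": "operators",
            "cmds": {
                "show": [("permit", "ver"), ("permit", "ip")],
                "traceroute": [("permit", ".*")],
                "logout": [("permit", ".*")],
            },
        },
    },
}


def entity_chain(config: dict, username: str) -> List[dict]:
    """The user entry followed by each group it inherits from via 'member ='."""
    chain: List[dict] = []
    entity = config["users"].get(username)
    while entity is not None:
        chain.append(entity)
        entity = config["groups"].get(entity.get("member", ""))
    return chain


def authorize_command(config: dict, username: str, command_line: str) -> Tuple[bool, str]:
    """Return (permitted, reason) for one command line as the router would send it."""
    chain = entity_chain(config, username)
    if not chain:
        return False, "unknown user"
    parts = command_line.split()
    if parts and parts[-1] == "<cr>":
        parts = parts[:-1]           # assumed: the router's trailing <cr> is not matched
    if not parts:
        return False, "empty command"
    cmd, args = parts[0], " ".join(parts[1:])
    # first 'cmd' block found on the user, then its groups, decides
    for entity in chain:
        rules = entity.get("cmds", {}).get(cmd)
        if rules is None:
            continue
        for action, regex in rules:
            if re.search(regex, args):   # assumed unanchored search
                return action == "permit", f"{cmd}: {action} {regex!r} matched {args!r}"
        return False, f"{cmd}: no rule matched {args!r}"
    # no 'cmd' block anywhere in the chain: fall back to default service
    for entity in chain:
        if entity.get("default_service") == "permit":
            return True, f"{cmd}: no cmd block, default service = permit"
    return False, f"{cmd}: no cmd block and no default service = permit"


if __name__ == "__main__":
    for user, line in [("authoruser", "show version <cr>"), ("authoruser", "show ipx route"),
                       ("authoruser", "configure terminal"), ("authenuser", "configure terminal")]:
        print(f"{user:11s} {line:22s} -> {authorize_command(CONFIG, user, line)}")
```

Because the search is unanchored, 'permit ip' in this model also permits 'show ipx route', and 'permit ver' would permit any show command whose arguments contain "ver"; when you want an exact match, anchor the expression with ^ and $ rather than relying on a substring.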
     
     

Adding Accounting (optional)

Reference to the accounting file is in test_file – accounting file = /var/log/tac.log. But accounting does not take place unless configured in the router (provided the router is running a version of Cisco IOS greater than 11.0).
 
 
  1. First enable accounting in the router:

       aaa accounting exec start-stop tacacs+
       aaa accounting connection start-stop tacacs+
       aaa accounting network start-stop tacacs+
       aaa accounting system start-stop tacacs+

     NOTE: AAA accounting doesn't do per-command accounting in some versions. A workaround is to use per-command authorization and log the occurrence in the accounting file. (See Bug ID CSCdi44140.) If you are using an image in which this is fixed [11.2(1.3)F, 11.2(1.2), 11.1(6.3), 11.1(6.3)AA01, 11.1(6.3)CA as of September 24, 1997], you can also enable command accounting.

  2. With TAC+ running on the server, to see the entries going into the accounting file, enter on the server:

       tail -f /var/log/tac.log

     Then log into and out of the router, telnet out of the router, etc.

     If necessary, on the router enter:

       term mon
       debug aaa accounting

test_file

 - - - - - - - - - - - - - - - - - - - - - - (cut here) - - - - - - - - - - - - - - - - - - - - - - -

# Set up accounting file if enabling accounting on NAS
accounting file = /var/log/tac.log

# Enable password setup for everyone:
user = $enable$ {
    login = cleartext "cisco"
}
# Group listings must be first:
group = admin {
    # Users in group 'admin' have cleartext password
    login = cleartext "admin"
    expires = "Dec 31 1999"
}
group = operators {
    # Users in group 'operators' have cleartext password
    login = cleartext "operator"
    expires = "Dec 31 1999"
}
group = transients {
    # Users in group 'transients' have cleartext password
    login = cleartext "transient"
    expires = "Dec 31 1999"
}
# This user is a member of group 'admin' & uses that group's password to log in.
# The $enable$ password is used to enter enable mode. The user can perform all commands.
user = authenuser {
    default service = permit
    member = admin
}
# This user is limited in allowed commands when aaa authorization is enabled:
user = telnet {
    login = cleartext "telnet"
    cmd = telnet { permit .* }
    cmd = logout { permit .* }
}
# Remove the leading '#' characters to use this user (see Adding Authorization):
# user = transient {
#     member = transients
#     service = exec {
#         # When transient logs on to the NAS, he's immediately
#         # zipped to another site
#         autocmd = "telnet #.#.#.#"
#     }
# }
# This user is a member of group 'operators' & uses that group's password to log in.
# Since this user does not have 'default service = permit', when command
# authorization through TACACS+ is on at the router this user's commands
# are limited to:
user = authoruser {
    member = operators
    cmd = show { permit ver permit ip }
    cmd = traceroute { permit .* }
    cmd = logout { permit .* }
}

 - - - - - - - - - - - - - - - - - - - - - - (end cut here) - - - - - - - - - - - - - - - - - - - - - - -
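The '-P' check in the Authentication section is the authoritative syntax test for this file. As an added example (Python, not tac_plus code and not a replacement for '-P'), the checker below tokenizes a configuration in this format and reports the mistakes the document mentions or that its comments guard against: an unterminated cleartext string, a missing or stray brace, a duplicate user or group, and a 'member =' that names a group not defined above it ("Group listings must be first"). TEST_FILE is a shortened copy of the test_file above; BROKEN_FILE is a constructed variant containing three such errors.

```python
"""Syntax checks for a tac_plus configuration such as test_file.

Added example (Python); not tac_plus code and not the daemon's '-P' check.
TEST_FILE is a shortened copy of the document's test_file; BROKEN_FILE is a
constructed variant with three errors.
"""
import re
from typing import List, Tuple

# quoted string (closing quote optional so it can be flagged), braces, '=', comment, bare word
TOKEN_RE = re.compile(r'"[^"\n]*"?|\{|\}|=|#[^\n]*|[^\s{}="#]+')

TEST_FILE = '''
accounting file = /var/log/tac.log
user = $enable$ {
    login = cleartext "cisco"
}
group = admin {
    login = cleartext "admin"
    expires = "Dec 31 1999"
}
group = operators {
    login = cleartext "operator"
    expires = "Dec 31 1999"
}
user = authenuser {
    default service = permit
    member = admin
}
user = authoruser {
    member = operators
    cmd = show { permit ver permit ip }
    cmd = traceroute { permit .* }
    cmd = logout { permit .* }
}
'''

# Constructed: group used before it is defined, unterminated string, missing '}'.
BROKEN_FILE = '''
user = authenuser {
    member = admin
    login = cleartext "oops
}
group = admin {
    login = cleartext "admin"
'''


def tokenize(text: str) -> Tuple[List[str], List[str]]:
    tokens, errors = [], []
    for m in TOKEN_RE.finditer(text):
        tok = m.group(0)
        if tok.startswith("#"):
            continue                            # comment runs to end of line
        if tok.startswith('"') and (len(tok) < 2 or not tok.endswith('"')):
            errors.append(f"unterminated string: {tok}")
            continue
        tokens.append(tok)
    return tokens, errors


def collect_block(tokens: List[str], start: int) -> Tuple[List[str], int, bool]:
    """Gather tokens from 'start' up to the brace closing the block opened just before it."""
    depth, body, j = 1, [], start
    while j < len(tokens) and depth:
        if tokens[j] == "{":
            depth += 1
        elif tokens[j] == "}":
            depth -= 1
        if depth:
            body.append(tokens[j])
        j += 1
    return body, j, depth == 0


def lint(text: str) -> List[str]:
    """Return a list of problems; an empty list means every check passed."""
    tokens, errors = tokenize(text)
    groups: List[str] = []
    users: List[str] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "}":
            errors.append("stray '}' at top level")
            i += 1
            continue
        if tok in ("user", "group") and tokens[i + 1:i + 2] == ["="]:
            if tokens[i + 3:i + 4] != ["{"]:
                errors.append(f"{tok} block: expected '{{' after the name")
                i += 3
                continue
            name = tokens[i + 2]
            body, i, closed = collect_block(tokens, i + 4)
            if not closed:
                errors.append(f"{tok} {name}: missing '}}'")
            table = groups if tok == "group" else users
            if name in table:
                errors.append(f"duplicate {tok} {name!r}")
            table.append(name)
            # 'member =' must name a group that appeared earlier in the file
            for k in range(len(body) - 2):
                if body[k] == "member" and body[k + 1] == "=" and body[k + 2] not in groups:
                    errors.append(f"{tok} {name}: member = {body[k + 2]!r} names no group defined above it")
            continue
        i += 1          # other top-level settings, e.g. 'accounting file = /var/log/tac.log'
    return errors


if __name__ == "__main__":
    print("test_file:", lint(TEST_FILE) or "OK")
    print("broken:", *lint(BROKEN_FILE), sep="\n  ")
```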
Copyright 1997 Cisco Systems, Inc.