Tuesday, August 4, 2009, 23:33
Posted by Administrator
Why a mini HOWTO? Well, I'm going to explain how I set up a simple TACACS+ server on a Linux box. If you want any sort of AD integration you'll need to look elsewhere.
I recently got given the project of installing a new Linux box with a number of services. One of them was to replace the old TACACS+ server, which has been claiming its pension for a number of years already.
Server Configuration
The server I have running in a virtual machine is running RedHat Enterprise 5. However, the instructions should work for any rpm-based distro.
Debian/Ubuntu distros will be slightly different to install, but I would assume the config is identical. I'll expand this another time when I get the chance.
I'm using Cisco's free tac_plus server. You can find it here:
ftp://ftpeng.cisco.com/pub/tacacs/
As you can see, Cisco provides only the source code. No binaries to be found. I attempted to compile the code but they've really made it difficult as you need to configure the makefile yourself :(
You can make your life a LOT easier by just downloading a compiled rpm. If you enjoy pain then knock yourself out installing from source.
By habit I do everything in /tmp/ so cd to that folder.
Download the rpm:
wget ftp://ftp.muug.mb.ca/mirror/redhat/contrib/libc6/i386/tac_plus-4.0.3-2.i386.rpm
Of course, if you're using a Debian/Ubuntu based distro, you'll be looking for a .deb file or at least a repository that has tac_plus on it.
Install the rpm now:
rpm -i tac_plus-4.0.3-2.i386.rpm
TACACS+ is now installed and should be working fine. You can check this by running:
ps -ef | grep tac_plus
You should see something like the following:
root 6134 1 0 Aug02 ? 00:00:00 /usr/local/sbin/tac_plus -C /etc/tacacs/tac_plus.cfg
root 18325 18283 0 21:30 pts/0 00:00:00 grep tac_plus
The output also gives us a clue as to where the config file is. Go ahead and run this:
vi /etc/tacacs/tac_plus.cfg
I personally cleared this file out and started it from scratch. I believe this makes it easier for me, and all the fluff is out. tac_plus gives us the option of loading any file as a test, which is pretty handy. If you're still in /tmp/, create a new file called new_test.
This is my initial config. Paste it into the new file and save (I'll go through what everything means later):
# Put your NAS key below
key = bl@hbl@hwh@t3v3r
# Accounting File
accounting file = /var/log/tac_accounting.log
# * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
# * USERS *
# * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
user = mellowd {
login = cleartext southafrica
#mellowd is a member of group NOC
member = NOC
}
user = foo {
login = cleartext bar
#foo is a member of group NOC
member = NOC
}
user = elvis {
#elvis is a member of group F_OPS
member = F_OPS
}
# * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
# * GROUPS *
# * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
group = NOC {
#NOC is a member of group ALL_STAFF
member = ALL_STAFF
}
group = F_OPS {
#F_OPS is a member of group ALL_STAFF
member = ALL_STAFF
}
group = ALL_STAFF {
}
# End config file
A pretty simple config, right? I have defined 3 users: mellowd, foo and elvis. mellowd and foo are both part of the NOC group. elvis is a member of the F_OPS group. The groups themselves are part of a group called ALL_STAFF. A user gets all the benefits of their group, and groups also pick up all attributes of the groups they belong to. Currently there is no config under any of the groups, but this will change later.
Note that user-level settings override group settings, i.e. if I put a setting both under the group and under the user, the user's setting overrides the group setting.
Right at the top you have a key, currently set as bl@hbl@hwh@t3v3r. This isn't needed, but I would recommend having it. This same key will need to be configured on your routers and switches (we'll get to that config later).
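To make the inheritance and override rules concrete, here is a small added example (my own code, not part of the original post and not tac_plus's own code) that parses the flat user/group blocks from the config above and computes the settings each user actually ends up with. The extra attributes in the sample (default service, expires) and their values are assumptions added so that inheritance and override have something to show; it also lists which users have a cleartext login, since the post plans to encrypt those later.

```python
"""Resolve effective per-user settings from a tac_plus-style config.

Added example (not part of the original post, not tac_plus's own code).
It models the two rules the post describes: a user inherits its group's
settings, a group inherits from any group it is a member of, and a setting
placed directly on the user overrides the same setting inherited from a group.
Only the flat  name = value { ... }  blocks used in the post are parsed, not
the full tac_plus grammar (nested service blocks are out of scope).
"""
import re

# Constructed sample: the post's users and groups plus a few extra
# attributes (assumed values, chosen to exercise inheritance and override).
SAMPLE_CFG = """
# Put your NAS key below
key = bl@hbl@hwh@t3v3r
accounting file = /var/log/tac_accounting.log
user = mellowd {
    login = cleartext southafrica
    member = NOC
    default service = permit
}
user = foo {
    login = cleartext bar
    member = NOC
}
user = elvis {
    member = F_OPS
}
group = NOC {
    member = ALL_STAFF
    default service = deny
}
group = F_OPS {
    member = ALL_STAFF
}
group = ALL_STAFF {
    expires = "Dec 31 2009"
}
"""

BLOCK_RE = re.compile(r"^(user|group)\s*=\s*(\S+)\s*\{$")
ATTR_RE = re.compile(r"^(.+?)\s*=\s*(.+)$")


def parse_config(text):
    """Return ({user: attrs}, {group: attrs}); top-level keys are skipped."""
    users, groups = {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or comment line
            continue
        m = BLOCK_RE.match(line)
        if m:                                   # start of a user/group block
            kind, name = m.groups()
            current = {}
            (users if kind == "user" else groups)[name] = current
        elif line == "}":                       # end of block
            current = None
        elif current is not None:               # attribute inside a block
            m = ATTR_RE.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    return users, groups


def effective_attributes(user, users, groups):
    """Settings a user actually gets: the user block wins over its groups,
    and a nearer group wins over a group further up the member chain."""
    chain, seen = [], set()
    node = users[user]
    while node is not None:
        chain.append(node)
        parent = node.get("member")
        if parent is None or parent in seen:    # top of chain, or a loop
            break
        seen.add(parent)
        node = groups.get(parent)
    effective = {}
    for level in reversed(chain):               # outermost group first ...
        for key, value in level.items():        # ... so nearer levels override
            if key != "member":
                effective[key] = value
    return effective


def cleartext_logins(users):
    """Users whose password sits in the file as 'cleartext'; a handy
    pre-deploy check before the passwords get encrypted."""
    return sorted(u for u, a in users.items()
                  if a.get("login", "").startswith("cleartext "))


if __name__ == "__main__":
    users, groups = parse_config(SAMPLE_CFG)
    for name in users:
        print(name, effective_attributes(name, users, groups))
    print("cleartext passwords:", cleartext_logins(users))
```

Run it and mellowd comes out with default service = permit (its own setting beats NOC's deny), foo inherits NOC's deny, and elvis gets only what ALL_STAFF passes down.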
There is also an accounting file set up. We'll get more into this later.
Now, remember this file is currently saved as /tmp/new_test. How do we actually run this and test it out? First of all, tac_plus allows us to check the syntax of the file, which I recommend doing. You can do it like so:
tac_plus -P -C /tmp/new_test
If you have any errors it'll tell you on which line they are. (Real world tip: open the file in vi and type :set number to show line numbers.)
If it passes without error it'll just print your config and you'll be back at the prompt. This means all is okay so far.
In order to test out this file you'll need to stop the daemon from running:
[root@Log2 ~]# /etc/init.d/tacacs stop
Shutting down tacacs+: [ OK ]
Now run the daemon forcing it to both use your new file and to send out debug output as well:
[root@Log2 tmp]# tac_plus -C /tmp/new_test -d 16
I'd now tail the log file to ensure all is okay when logging on via a router:
[root@Log2 tmp]# tail -f /var/tmp/tac_plus.log
Tue Aug 4 22:54:13 2009 [18632]: Reading config
Tue Aug 4 22:54:13 2009 [18632]: Version F4.0.3.alpha Initialized 1
Tue Aug 4 22:54:13 2009 [18632]: tac_plus server F4.0.3.alpha starting
Tue Aug 4 22:54:13 2009 [18633]: Backgrounded
Tue Aug 4 22:54:13 2009 [18634]: uid=0 euid=0 gid=0 egid=0 s=0
Router configuration
Now for the router itself. I've got here a standard 2612XM. The config has been wiped. The only initial config I've done is to configure one of the interfaces so it's on the same network as my TACACS+ server.
You'll need to tell the router that it needs to use TACACS+ as authentication:
Router#conf t
Router(config)#aaa new-model
Router(config)#aaa authentication login default group tacacs+ local
Router(config)#tacacs-server host x.x.x.x
Router(config)#tacacs-server key 0 bl@hbl@hwh@t3v3r
Here we have told the router the IP address of our TACACS+ server as well as the server key that we configured on the server earlier. We have also told the router that it needs to log in via TACACS+ first. I recommend allowing local authentication after that, as if your server is down you still want to have access to your network. It'll only check the local database if the TACACS+ server is unreachable; if authentication fails via TACACS+, the router will NOT allow you to log in.
Telnet to your router and test:
User Access Verification
Username: mellowd
Password:
Router>
If you're still tailing on the server you should see this:
Tue Aug 4 22:55:05 2009 [18637]: login query for 'mellowd' tty66 from x.x.x.x accepted
If you're not seeing this then there is some sort of connectivity problem between the router and the server. Make sure incoming TCP port 49 is open on the server (check iptables).
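Since you will be watching this log file anyway, here is an added example (my own code, not part of the original post and not tac_plus's own code) that parses login query lines in the shape shown above and counts rejections per source address, which is the first thing I would want to know when reviewing a TACACS+ log. The 'rejected' outcome wording, the source addresses and the whole sample log are assumptions constructed for the example, not captured output.

```python
"""Parse tac_plus login-query log lines and count rejections per source.

Added example (not part of the original post, not tac_plus's own code). It
reads lines in the shape the post shows when tailing /var/tmp/tac_plus.log;
the 'rejected' outcome and the source addresses below are assumptions for the
sake of the example, and the sample log is constructed, not captured.
"""
import re
from collections import Counter

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) \[(?P<pid>\d+)\]: "
    r"login query for '(?P<user>[^']+)' (?P<tty>\S+) from (?P<src>\S+) "
    r"(?P<result>accepted|rejected)$"
)

# Constructed sample; the non-login lines mimic the daemon start-up messages.
SAMPLE_LOG = """\
Tue Aug  4 22:54:13 2009 [18632]: Reading config
Tue Aug  4 22:54:13 2009 [18633]: Backgrounded
Tue Aug  4 22:55:05 2009 [18637]: login query for 'mellowd' tty66 from 192.0.2.10 accepted
Tue Aug  4 22:56:01 2009 [18640]: login query for 'admin' tty66 from 192.0.2.77 rejected
Tue Aug  4 22:56:04 2009 [18641]: login query for 'root' tty66 from 192.0.2.77 rejected
Tue Aug  4 22:56:08 2009 [18642]: login query for 'cisco' tty66 from 192.0.2.77 rejected
Tue Aug  4 22:57:30 2009 [18645]: login query for 'foo' tty67 from 192.0.2.10 rejected
Tue Aug  4 22:57:41 2009 [18646]: login query for 'foo' tty67 from 192.0.2.10 accepted
"""


def parse_login_events(text):
    """Return one dict per login-query line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line.rstrip())
        if m:
            events.append(m.groupdict())
    return events


def rejections_by_source(events):
    """Count rejected login queries per source address."""
    return Counter(e["src"] for e in events if e["result"] == "rejected")


def noisy_sources(events, threshold):
    """Sources with at least `threshold` rejections, sorted for stable output."""
    counts = rejections_by_source(events)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evts = parse_login_events(SAMPLE_LOG)
    print(f"{len(evts)} login queries")
    print("rejections per source:", dict(rejections_by_source(evts)))
    print("sources at/over 3 rejections:", noisy_sources(evts, 3))
```

A single failed login from a known router is normal (someone mistyped a password); one source racking up several rejections for different usernames is what you want flagged, so the threshold is applied per source rather than per user.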
You can also console into the router at the same time and run this and then telnet in:
Router#debug tacacs
That should give you all the information you need to figure out the problem.
Server config again
If everything is okay, you need to copy your TACACS+ config file on the server over to the actual live daemon config:
[root@Log2 tmp]# cp /tmp/new_test /etc/tacacs/tac_plus.cfg
This will require a restart of the daemon itself:
[root@Log2 tmp]# /etc/init.d/tacacs restart
That's pretty much it. I'd like to add a few things later. For example, I'll show the configuration on a Foundry switch/router to use TACACS+. I'll also show you how to encrypt the passwords in the configuration file.