Disclaimer:
My humble request, Kindly donot consider me as an expert on this stuff, I am NOT certified in anything Mikrotik/Cisco/Linux or Windows. However I have worked with some core networks and I read , research & try stuff all of the time. When you are enslaved by private job & working as one man army, you have to perform many task in which you are not formally trained for. So I am not speaking/posting about stuff I am formerly trained in, I pretty much go with experience and what I have learned on my own. And , If I don’t know something then I read & learn all about it.
So , please don’t hold me/my-postings to be always 100 percent correct. I make mistakes just like everybody else. However – I do my best, learn from my mistakes and try to help others
TACACS+
Terminal Access Controller Access-Control System (TACACS, usually pronounced like tack-axe) refers to a authentication / authorization related services for cisco switches/routers/firewalls access control through a centralized server. With the help of Tacacs+ you can set up a much more granular level access for the users, groups, subnets or device type etc. Example which user can issue which commands on switches etc.
Hardware Software Components used in this guide:
In this post I have used
- Ubuntu 18 server edition for TACACS+ deployment / IP: 101.11.11.254
- Cisco WS-C3850-24T switch / IOS Version 16.3.9 [Denali]
Quick Notes:
TACACS Server installation
1 | apt-get -y install tacacs+ |
Once the installation is done , we will modify or add the tacacs+ server default config file to to suite our needs. On default installation, the configuration file is found here /etc/tacacs+/tac_plus.conf
1 | nano /etc/tacacs+/tac_plus.conf |
Remove existing configuration, and use below sample config, make sure to change the KEY, id pass as required
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 | # Key is like password or shared secret, make sure to make it strongkey = testing123accounting file = /var/log/tacplus.log#default authentication = file /etc/passwdgroup = admins {default service = permitservice = exec {priv-lvl = 15}}# For support group, we are allowing only specific sets of CMD onlygroup = support {default service = denyservice = shell {priv-lvl = 15}cmd = show {permit version.*permit clock.*permit interface.*permit running-config.*permit logging.*}cmd = configure {permit .*}cmd = interface {permit .*}cmd = vlan {permit .*}cmd = switchport {permit .*}cmd = write {permit .*}}#Create local user hereuser = admin {login = cleartext admin123name = "Admin Group"member = admins}user = support {login = cleartext support123name = "Network Support"member = support}<span style="color:var(--color-text);"> |
& if all configuration is OK , you should get something like below …
* Checking TACACS+ authentication daemon configuration files successful tacacs+
Restart tacacs+ service
1 | /etc/init.d/tacacs_plus restart |
Next up we will make changes to the Cisco switch ,
in this example am using a Cisco switch WS-C3850-24T and the one working configuration look like this:
Note: This is just basic example. It may be not well tuned insecure too but for test it will work fine.
Switch configuration
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 | enableconf taaa new-modelaaa authentication login default group tacacs+ localaaa authentication enable default enableaaa authorization config-commandsaaa authorization commands 1 support group tacacs+ localaaa authorization commands 15 admins group tacacs+ localaaa accounting commands 1 support-act1 start-stop group tacacs+aaa accounting commands 15 admins-act15 start-stop group tacacs+login on-success log# change tacacs IP address / KEY as per your local networktacacs-server host 101.11.11.254tacacs-server key 0 testing123!line con 0exec-timeout 35791 0privilege level 15stopbits 1line aux 0no execstopbits 1line vty 0 3privilege level 15authorization commands 1 supportauthorization commands 15 adminsaccounting commands 1 support-act1accounting commands 15 admins-act15length 0transport input sshline vty 4exec-timeout 35791 0privilege level 15authorization commands 1 supportauthorization commands 15 adminslength 0transport input sshline vty 5 15length 0!do wr |
Done.
Now try to login to switch with support account & execute try to permitted / non-permitted commands.
Result for SUPPORT ACCOUNT
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 | login as: supportUsing keyboard-interactive authentication.Password:spare-sw#ping 101.11.11.254Command authorization failed.spare-sw#show clock*10:24:07.527 UTC Mon Dec 16 2019spare-sw#sh interspare-sw#sh interfaces statusPort Name Status Vlan Duplex Speed TypeGi1/0/1 notconnect 1 auto auto 10/100/1000BaseTXGi1/0/2 notconnect 1 auto auto 10/100/1000BaseTXGi1/0/3 notconnect 1 auto auto 10/100/1000BaseTXGi1/0/4 notconnect 1 auto auto 10/100/1000BaseTXGi1/0/5 notconnect 1 auto auto 10/100/1000BaseTXGi1/0/6 notconnect 1 auto auto 10/100/1000BaseTXGi1/0/7 notconnect 1 auto auto 10/100/1000BaseTXGi1/0/8 notconnect 1 auto auto 10/100/1000BaseTXGi1/0/9 notconnect 1 auto auto 10/100/1000BaseTXGi1/0/10 notconnect 1 auto auto 10/100/1000BaseTXGi1/0/11 notconnect 1 auto auto 10/100/1000BaseTXspare-sw# |
