Simple Install Tacacs+ Server On Ubuntu Jaunty

Posted On 31 August 2009

Filed under Linux

Comments Dropped one response

On this sunny morning, let's try to install a simple TACACS+ server. I'm using my work PC, an Ubuntu Desktop Jaunty. I had wanted to integrate TACACS+ with LDAP, but I haven't managed that yet, bro. This is my source for this installation. So, this is the first step…

Download the latest Tac_Plus package
#cd /home/rahman/linux
#wget http://www.gazi.edu.tr/tacacs/get.php?src=tac_plus_v9a.tar.gz

Extract the Tacacs package
#tar -zxvf tac_plus_v9a.tar.gz
#cd /home/rahman/linux/tac_plus_v9a

Install the compiler needed to build the Tacacs+ package
#apt-get install g++

Configure and compile Tacacs
#./configure --with-ldap
#make tac_plus

We'll get an error (static declaration of nopasswd_str follows non-static declaration). We have to edit the file config.c and remove the static modifier from nopasswd_str.

Before

static char *authen_default = NULL; /* top level authentication default */
static int authen_default_method = 0; /*For method check */
static char *nopasswd_str = "nopasswd" ;

After

static char *authen_default = NULL; /* top level authentication default */
static int authen_default_method = 0; /*For method check */
char *nopasswd_str = "nopasswd" ;

#make tac_plus
#make install

Next, we'll create the directory and file for the tacacs configuration.

#mkdir /etc/tac-plus
#vim /etc/tac-plus/tacacs.conf

# comment while debug
#Set up accounting if enabling on NAS
accounting file = /var/log/tac-plus/account.txt

#NAS key below
key = chayank123

user = p3mu74 {
login = cleartext 123
member = NOC
}

group = NOC {
member = ALL_STAFF
}

group = ALL_STAFF {
}

#Enable password setup for everyone:
user = $enable$ {
global = cleartext "login"
}
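Before handing this file to the router it is worth checking what it actually grants. The script below is an added example, not part of the original post or of the tac_plus project: it parses the small subset of the tac_plus syntax used above (the NAS key, user and group blocks with login/global/member statements), follows the member chain from a user through its groups, and flags the things a reviewer would raise, namely passwords stored as cleartext and a short shared key. The 16-character minimum is this example's own policy, not a tac_plus requirement, and the embedded configuration is a constructed copy of the one above.

```python
"""Audit a tac_plus configuration for weak credential settings.

Added example; not the post's code and not part of tac_plus. It parses
only the config subset used in the post (key, user, group, login,
global, member) and ignores everything else.
"""
import re

# Constructed sample: a copy of the post's tacacs.conf.
SAMPLE_CONF = """
# comment while debug
#Set up accounting if enabling on NAS
accounting file = /var/log/tac-plus/account.txt

#NAS key below
key = chayank123

user = p3mu74 {
login = cleartext 123
member = NOC
}

group = NOC {
member = ALL_STAFF
}

group = ALL_STAFF {
}

#Enable password setup for everyone:
user = $enable$ {
global = cleartext "login"
}
"""

# A block is 'user = NAME {' or 'group = NAME {' up to a line starting with '}'.
BLOCK_RE = re.compile(r'^(user|group)\s*=\s*(\S+)\s*\{(.*?)^\}', re.M | re.S)
# A statement inside a block is 'attr = value'.
STMT_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.M)
MIN_KEY_LEN = 16  # this example's own policy, not a tac_plus rule


def strip_comments(text):
    """Drop whole-line '#' comments (the only comment form the post uses)."""
    return "\n".join(l for l in text.splitlines() if not l.strip().startswith("#"))


def parse_password(value):
    """'cleartext 123' -> ('cleartext', '123'); quotes around the secret are removed."""
    method, _, secret = value.partition(" ")
    return method, secret.strip().strip('"')


def parse_conf(text):
    """Return {'key': str|None, 'users': {...}, 'groups': {...}}."""
    text = strip_comments(text)
    conf = {"key": None, "users": {}, "groups": {}}
    m = re.search(r'^\s*key\s*=\s*(\S+)', text, re.M)
    if m:
        conf["key"] = m.group(1)
    for kind, name, body in BLOCK_RE.findall(text):
        entry = {}
        for attr, value in STMT_RE.findall(body):
            if attr in ("login", "global"):
                entry[attr] = parse_password(value)
            else:
                entry[attr] = value
        conf[kind + "s"][name] = entry
    return conf


def effective_groups(user, conf):
    """Follow member= links from a user through its groups; cycle-safe."""
    chain, seen = [], set()
    nxt = conf["users"].get(user, {}).get("member")
    while nxt and nxt not in seen:
        seen.add(nxt)
        chain.append(nxt)
        nxt = conf["groups"].get(nxt, {}).get("member")
    return chain


def audit(conf):
    """Findings a reviewer would raise: weak NAS key, cleartext passwords."""
    findings = []
    if conf["key"] is None:
        findings.append("no NAS key set")
    elif len(conf["key"]) < MIN_KEY_LEN:
        findings.append(f"NAS key shorter than {MIN_KEY_LEN} characters")
    for name, entry in conf["users"].items():
        for attr in ("login", "global"):
            if attr in entry and entry[attr][0] == "cleartext":
                findings.append(f"user {name}: {attr} password stored in cleartext")
    return findings


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print("groups for p3mu74:", " -> ".join(effective_groups("p3mu74", conf)))
    for finding in audit(conf):
        print("finding:", finding)
```

Run against the configuration above it reports that p3mu74 inherits NOC and then ALL_STAFF, and lists three findings: the ten-character NAS key, the cleartext login password of p3mu74, and the cleartext $enable$ password. The same key is also what the router stores as a type 7 secret in the section below, so a weak value is exposed on both ends.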

Then, create an init script to run the tacacs service.
#vim /etc/init.d/tac-plus

#!/bin/sh
#
### BEGIN INIT INFO
# Provides: tac-plus
# Required-Start: $network
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: S 0 1 6
# Short-Description: Start tac-plus server.
# Description: Run the tac-plus server listening for
# AAA ( access, accounting and authorization requests )
# from routers or RAS (remote access servers) via
# tacacs+ protocol
### END INIT INFO

PATH=/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/local/sbin/tac_plus
NAME=tac_plus
DESC="Tacacs+ server"
OTHER_OPTS="-d 248"
CONFIG_FILE="/etc/tac-plus/tacacs.conf"

test -f $DAEMON || exit 0

if [ -r /etc/default/tac-plus ] ; then
    . /etc/default/tac-plus
fi

DAEMON_OPTS="-C $CONFIG_FILE $OTHER_OPTS"
#set -e

case "$1" in
  start)
    echo -n "Starting $DESC: "
    start-stop-daemon --start --quiet --pidfile /var/run/$NAME.pid \
        --exec $DAEMON -- $DAEMON_OPTS
    echo "$NAME."
    ;;
  stop)
    echo -n "Stopping $DESC: "
    start-stop-daemon --stop --quiet --pidfile /var/run/$NAME.pid \
        --exec $DAEMON
    echo "$NAME."
    ;;
  #reload)
  #
  # The daemon AFAIK has problems reloading its
  # config files on the fly. When sending the signal
  # it dies trying to bind again to the socket.
  # So it has been disabled.
  # echo "Reloading $DESC configuration files."
  # start-stop-daemon --stop --signal FIXME --quiet --pidfile \
  #     /var/run/$NAME.pid --exec $DAEMON
  #;;
  restart|force-reload)
    #
    echo -n "Restarting $DESC: "
    start-stop-daemon --stop --quiet --pidfile \
        /var/run/$NAME.pid --exec $DAEMON
    sleep 1
    start-stop-daemon --start --quiet --pidfile \
        /var/run/$NAME.pid --exec $DAEMON -- $DAEMON_OPTS
    echo "$NAME."
    ;;
  *)
    N=/etc/init.d/$NAME
    # echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
    echo "Usage: $N {start|stop|restart|force-reload}" >&2
    exit 1
    ;;
esac

exit 0

#chmod u+x /etc/init.d/tac-plus

Make the Tacacs+ service start at boot
#update-rc.d tac-plus start 30 2 3 4 5 . stop 70 0 1 6 .

Set up tacacs+ logging
#mkdir /var/log/tac-plus
#touch /var/log/tac-plus/account.txt

Start tacacs+
#/etc/init.d/tac-plus start

Check the tacacs service
#netstat -pln | grep tac
tcp 0 0 0.0.0.0:49 0.0.0.0:* LISTEN 9497/tac_plus
_____________________________________________________________________________________________________________

Alright! We'll test this TACACS+ authentication server with a real router. My TACACS+ server IP is 202.47.70.253/248 and the router IP is 202.47.66.253/248.

Let’s figure it out…

TACACS+ Conf
==========
Key for NAS : chayank123
Username : p3mu74
Password : 123
Enable password : login

Router Conf
==========
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
------------------------------
interface FastEthernet0/0
ip address 202.47.66.253 255.255.255.248
duplex auto
speed auto
------------------------------
tacacs-server host 202.47.74.253
tacacs-server directed-request
tacacs-server key 7 070C294D5708170E464058 > chayank123

I'll try to log in to router 202.47.66.253.

ts@ts04-surahman:~$ telnet 202.47.66.253
Trying 202.47.66.253...
Connected to 202.47.66.253.
Escape character is '^]'.

User Access Verification

Username: p3mu74 > my username
Password: > 123

Router>ena
Password: > login
Router#

We have successfully logged in to the router with TACACS+ authentication. Next time, I'll learn how to set it up with a database system.

Thank you all

One Response to “Simple Install Tacacs+ Server On Ubuntu Jaunty”

  1. muklis

    Great tut bro, keep share,,,,,
