Raspberry Pi – Installing Tacacs+ (Part 1)

For those pursuing the Cisco certification path, getting experience with Tacacs+ is a little easier with a Raspberry Pi, without having to spend several thousand dollars for a copy of Cisco’s ACS Tacacs solution. In the video accompanying this post, I will walk you through the process of getting Tacacs+ up and running.

The first thing you will need to do is make sure that you have the latest repository listings on your RPi. Use the following command for this –

sudo apt-get update

When you don’t know the exact package name to use, you can do a search. In this case you can use a command similar to the following to help find the package name to use –

sudo apt-cache search tacac

Video: http://youtu.be/GmtFgOgErN4

Once you have the package name, we can get Tacacs+ installed –

sudo apt-get install tacacs+

Once Tacacs+ is installed, we can verify the status of the process to see if it is running –

sudo service tacacs_plus status

We need to add a key to use for all Tacacs communications between your network devices and the Tacacs+ server by editing this file –

sudo nano /etc/tacacs+/tac_plus.conf

By default, the following key is in the config file and is a good one to test with but be sure to change it once you have verified that things are working.

# This is the key that clients have to use to access Tacacs+
key = testing123

We need to create a Tacacs account to test with. The following is a basic account to get you up and running. You will want to use a better password but again, this is a proof of concept at this point.

user = admin {
    default service = permit
    name = "Admin User"
    # cleartext password, for proof-of-concept testing only
    login = cleartext admin
    service = exec {
        # privilege level 15 on login
        priv-lvl = 15
    }
}

After making changes to the Tacacs configuration, remember to restart the service –

sudo service tacacs_plus restart

You can run the following command on a Cisco device to test for proper AAA configuration on both the Cisco device and Tacacs+ on your RPi – test aaa group tacacs+ admin admin legacy. Be sure to replace the admin username and admin password with what you are actually using.

This response indicates a problem with the username or password on the Tacacs server –
Attempting authentication test to server-group tacacs+ using tacacs+
User authentication request was rejected by server.

If you get this after you have created the users on your Tacacs server, remember to restart Tacacs on the RPi after you have made a config change.

This response indicates that everything is working as expected –
Cisco1811W#test aaa group tacacs+ admin admin legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.
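
Once the test succeeds, the default key and the cleartext test account shown earlier are the settings to replace. The script below is an added example, not part of the original post: it flags those two settings, and a world-readable config file, in a tac_plus.conf. The function name audit_tac_plus_conf, the sample file and the permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): flag the proof-of-concept
# settings from this walkthrough if they are still in tac_plus.conf.

# Prints one finding per line; returns 0 if clean, 1 if anything was found.
audit_tac_plus_conf() {
    conf=$1
    rc=0
    awk '
        /^[ \t]*#/ { next }                      # skip full-line comments
        /^[ \t]*user[ \t]*=/ { user = $3 }       # remember current "user = NAME {"
        /^[ \t]*key[ \t]*=[ \t]*"?testing123"?([ \t#]|$)/ {
            printf "line %d: shared key is still the default testing123\n", NR
            bad = 1
        }
        /(login|enable|pap)[ \t]*=[ \t]*cleartext([ \t]|$)/ {
            printf "line %d: cleartext password stored for user %s\n", NR, user
            bad = 1
        }
        END { exit bad + 0 }
    ' "$conf" || rc=1
    # The file holds the shared key, so it should not be world-readable.
    if [ -n "$(find "$conf" -prune -perm -004 2>/dev/null)" ]; then
        echo "perms: $conf is readable by all local users"
        rc=1
    fi
    return "$rc"
}

# Constructed sample input: the key and test account exactly as shown in this post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# This is the key that clients have to use to access Tacacs+
key = testing123
user = admin {
    default service = permit
    name = "Admin User"
    login = cleartext admin
    service = exec {
        priv-lvl = 15
    }
}
EOF
chmod 600 "$sample"
audit_tac_plus_conf "$sample" || true
rm -f "$sample"
```

On the RPi, call audit_tac_plus_conf /etc/tacacs+/tac_plus.conf in place of the sample file (with sudo if the file is readable by root only).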

To see more of the configuration possible with Tacacs+ please check the Tacacs help file – man tac_plus.conf

You can see some of what Tacacs is keeping track of by looking at the accounting file – tail /var/log/tac_plus.acct

I have several more posts planned for Tacacs to come in the following days.

To see more of my posts about the Raspberry Pi, please go to http://www.ronnutter.com/category/raspberry-pi/
