Raspberry Pi – Installing Tacacs+ (Part 2)

This post is the second in a series where I show one way of setting up Tacacs on a Cisco device. What I am showing here is a basic setup and just one way of doing so. In a later post, I will show how to set up command-level authorization, where the commands that a user can or cannot use are specified.

Note: This Cisco config checks for a matching local account on the device before going to tacacs. If you put tacacs first and it is offline, you probably won’t be able to get in.

This is the local account that should be on every device. This is your “backdoor” account in the event that the tacacs+ server is down, unresponsive or otherwise unreachable.

username cisco privilege 15 secret cisco
This is the config that gets the process started. aaa new-model is what lets you enter the other commands. The line after it tells the Cisco device to try the login name locally before trying it with the tacacs server.

aaa new-model
aaa authentication login default local group tacacs+
aaa authentication enable default group tacacs+ enable
aaa accounting commands 15 default
action-type start-stop
group tacacs+

The next two lines give the IP address of the Tacacs+ server and the key. There are two ways to handle the key for the tacacs server. This example uses the same key for all of the tacacs-server lines in the config. It is a good idea in any size network to have at least a secondary Tacacs server. You can have a different key for each tacacs server by putting the key keyword followed by the key string after the IP address of the tacacs server. Most of the tacacs configurations I have come across use a common key string to keep the configuration and troubleshooting to a minimum.

tacacs-server host 192.168.15.62
tacacs-server key testing123

The privilege lines are something that I like to add when possible. They place the user directly into privileged mode as soon as they are authenticated by your tacacs+ server.

line con 0
privilege level 15
line vty 0 4
privilege level 15

It is a good idea to use service password-encryption so the tacacs key is not shown in clear text in the configuration and stays known only to those that need to be aware of it. Keep in mind that this is type 7 obfuscation, which is easily reversed, so still limit who can view the config.
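As an added example (not from the original post), here is a small Python check that reads an IOS config fragment like the one above and flags the points this post calls out: a local privilege 15 account, local ahead of tacacs+ in the login method list, at least a secondary tacacs-server host, a key for every server, and service password-encryption. The sample config is constructed from the lines in this post, and the function names are my own.

```python
import re

# Constructed sample built from this post's config lines (not a real device dump).
# It deliberately has only one server and no service password-encryption.
SAMPLE_CONFIG = """\
username cisco privilege 15 secret cisco
aaa new-model
aaa authentication login default local group tacacs+
aaa authentication enable default group tacacs+ enable
tacacs-server host 192.168.15.62
tacacs-server key testing123
line vty 0 4
 privilege level 15
"""

def login_methods(lines):
    """Method list of 'aaa authentication login default', e.g. ['local', 'tacacs+']."""
    for line in lines:
        m = re.match(r"aaa authentication login default (.+)$", line)
        if m:
            # 'group tacacs+' is a single method; drop the 'group' keyword
            return re.sub(r"group\s+", "", m.group(1)).split()
    return []

def audit_aaa(config):
    """Return a list of findings about TACACS+ fallback safety in an IOS config."""
    lines = [line.strip() for line in config.splitlines() if line.strip()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing; AAA method lists will not take effect")
    methods = login_methods(lines)
    if not methods:
        findings.append("no 'aaa authentication login default' method list")
    elif "local" not in methods:
        findings.append("login method list has no local fallback")
    elif methods.index("local") > 0:
        findings.append("local is not the first login method: " + " ".join(methods))
    # The post's 'backdoor' account: a local privilege 15 user with a secret
    if not any(re.match(r"username \S+ privilege 15 secret ", line) for line in lines):
        findings.append("no local privilege 15 account with a secret")
    hosts = [line.split()[2] for line in lines if line.startswith("tacacs-server host ")]
    if len(hosts) < 2:
        findings.append("fewer than two tacacs-server hosts defined: %s" % hosts)
    global_key = any(line.startswith("tacacs-server key ") for line in lines)
    per_host = [line for line in lines if line.startswith("tacacs-server host ") and " key " in line]
    if not global_key and len(per_host) < len(hosts):
        findings.append("a tacacs-server host has no key configured")
    if "service password-encryption" not in lines:
        findings.append("service password-encryption not set; tacacs key is in clear text")
    return findings
```

Run audit_aaa on a copy of the running config (show running-config | include aaa|tacacs|username|service) before cutting a device over to TACACS+.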

When troubleshooting a tacacs+ problem, here are the three commands that I use on the Cisco device to see what it thinks is going on –

debug aaa authentication
debug aaa authorization
debug aaa accounting

The following is the output from a successful login –

Username: admin
Password:
Apr 18 01:39:03.964: TPLUS: Queuing AAA Authentication request 14 for processing
Apr 18 01:39:03.964: TPLUS: processing authentication start request id 14
Apr 18 01:39:03.964: TPLUS: Authentication start packet created for 14(admin)
Apr 18 01:39:03.964: TPLUS: Using server 192.168.15.62
Apr 18 01:39:03.964: TPLUS(0000000E)/0/NB_WAIT/853779F0: Started 5 sec timeout
Apr 18 01:39:03.964: TPLUS(0000000E)/0/NB_WAIT: socket event 2
Apr 18 01:39:03.964: TPLUS(0000000E)/0/NB_WAIT: wrote entire 34 bytes request
Apr 18 01:39:03.964: TPLUS(0000000E)/0/READ: socket event 1
Apr 18 01:39:03.964: TPLUS(0000000E)/0/READ: Would block while reading
Apr 18 01:39:03.972: TPLUS(0000000E)/0/READ: socket event 1
Apr 18 01:39:03.972: TPLUS(0000000E)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Apr 18 01:39:03.972: TPLUS(0000000E)/0/READ: socket event 1
Apr 18 01:39:03.972: TPLUS(0000000E)/0/READ: read entire 28 bytes response
Apr 18 01:39:03.972: TPLUS(0000000E)/0/853779F0: Processing the reply packet
Apr 18 01:39:03.972: TPLUS: Received authen response status GET_PASSWORD (8)

Cisco1811W#
Apr 18 01:39:12.165: TPLUS: Queuing AAA Authentication request 14 for processing
Apr 18 01:39:12.165: TPLUS: processing authentication continue request id 14
Apr 18 01:39:12.165: TPLUS: Authentication continue packet generated for 14
Apr 18 01:39:12.165: TPLUS(0000000E)/0/WRITE/853779F0: Started 5 sec timeout
Apr 18 01:39:12.165: TPLUS(0000000E)/0/WRITE: wrote entire 22 bytes request
Apr 18 01:39:12.165: TPLUS(0000000E)/0/READ: socket event 1
Apr 18 01:39:12.165: TPLUS(0000000E)/0/READ: read entire 12 header bytes (expect 6 bytes data)
Apr 18 01:39:12.165: TPLUS(0000000E)/0/READ: socket event 1
Apr 18 01:39:12.165: TPLUS(0000000E)/0/READ: read entire 18 bytes response
Apr 18 01:39:12.165: TPLUS(0000000E)/0/853779F0: Processing the reply packet
Apr 18 01:39:12.165: TPLUS: Received authen response status PASS (2)
Apr 18 01:39:12: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 0.0.0.0] [localport: 0] at 20:39:12 cdt Wed Apr 17 2013

To see more of my posts about the Raspberry Pi, please go to http://www.ronnutter.com/category/raspberry-pi/
