TACACS+ on Linux with authentication through Active Directory

The Internet has many different guides on this topic, but none of them let me get the service up on Linux and tied to Active Directory within 30-60 minutes. I propose my own way of solving the problem, with detailed comments.

Let's proceed to install the service. The OS used is CentOS.

Install the packages the service needs
# yum install gcc
# yum install perl-LDAP
# yum install bind-utils

All operations are performed as "root"
(so the home directory is /root)

Installing Tac Plus
# yum install wget
# wget http://www.pro-bono-publico.de/projects/src/DEVEL.tar.bz2
# tar xvfj ./DEVEL.tar.bz2
# cd ./PROJECTS
# ./configure
# make
# make install

Create the directories for the access and accounting logs
# mkdir /var/log/tac_plus
# mkdir /var/log/tac_plus/access
# mkdir /var/log/tac_plus/acct
# chmod 760 -R /var/log/tac_plus/

Add Tac Plus to startup
# cp /root/PROJECTS/tac_plus/extra/etc_init.d_tac_plus /etc/init.d/tac_plus
# chmod 755 /etc/init.d/tac_plus
# chkconfig --add tac_plus
# chkconfig --level 2345 tac_plus on

Check that it is enabled at startup
# chkconfig --list | grep tac_plus

Create the configuration file from the supplied AD example
# cp /root/PROJECTS/tac_plus/extra/tac_plus.cfg-ads /usr/local/etc/tac_plus.cfg
# chmod 660 /usr/local/etc/tac_plus.cfg

!!! After every change to the config, the service must be restarted (service tac_plus restart)
Example of a working configuration file (replace the contents of tac_plus.cfg with it, after adjusting the commented fields)

#!/usr/local/sbin/tac_plus
id = spawnd {
        listen = { port = 49 } # port used by the TACACS service
        spawn = {
                instances min = 1
                instances max = 10
        }
        background = yes
}
id = tac_plus {
        # log files
        access log = ">/var/log/tac_plus/access/%Y%m%d.log"
        accounting log = ">/var/log/tac_plus/acct/%Y%m%d.log"
        # Active Directory connection settings
        mavis module = external {
                setenv LDAP_SERVER_TYPE = "microsoft"
                setenv LDAP_HOSTS = "ldaps://domain.name:636" # the domain name must resolve via DNS (check with nslookup); an IP address can be used instead of the name
                setenv LDAP_SCOPE = sub
                setenv LDAP_BASE = "dc=domain,dc=name" # where to search for users
                setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
                setenv LDAP_USER = "aduser@domain.name" # service account for the AD integration
                setenv LDAP_PASSWD = "passw0rd" # that account's password
                #setenv AD_GROUP_PREFIX = tacacs
                #setenv REQUIRE_TACACS_GROUP_PREFIX = 1
                #setenv USE_TLS = 0
                setenv FLAG_USE_MEMBEROF = 1
                exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
        }
        login backend = mavis
        user backend = mavis
        #pap backend = mavis
        host = world {
                address = ::/0
                welcome banner = ""
                # crypt password generated with "openssl passwd -1 clear_text_password"
                enable 15 = crypt $1$eqIkg6p0$jzhK5.
                key = "TACACSPASSWORD" # shared key with the TACACS client
        }
        # the admin group gets full superadmin rights
        group = ADMIN {
            message = "[Admin privileges]"
            default service = permit
            service = shell {
                default command = permit
                default attribute = permit
                set priv-lvl = 15
            }
        }
        # the VoIP admin group gets the full set of privileges except for specific denied commands
        group = VOIP {
            message = "[VoIP-admin privileges]"
            default service = permit
            service = shell {
                default command = permit
                default attribute = permit
                set priv-lvl = 15
                cmd = interface {
                    permit "Lo*"
                    permit "Se*"
                    deny .*
                }
                cmd = aaa { deny .* }
                cmd = username { deny .* }
                cmd = line { deny .* }
                cmd = delete { deny .* }
                #cmd = reload { deny .* }
                cmd = boot { deny .* }
                cmd = enable { deny .* }
                cmd = archive { deny .* }
                cmd = router { deny .* }
                cmd = ip {
                    permit "address *"
                    deny .*
                }
                cmd = tacacs-server { deny .* }
                cmd = radius-server { deny .* }
                cmd = privilege { deny .* }
                cmd = erase { deny .* }
                cmd = write {
                    permit "memory"
                    deny .*
                }
                cmd = format { deny .* }
            }
        }
}

Check that the config parses correctly (if everything is OK, nothing is printed)
# /usr/local/sbin/tac_plus -P /usr/local/etc/tac_plus.cfg
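To see what the VOIP group's per-command rules above actually allow, here is an added example (not part of the original post or of tac_plus itself) that models that "service = shell" block and evaluates IOS command lines against it. It assumes tac_plus semantics of first-match-wins regex rules searched unanchored in the argument string, with "default command = permit" for command words that have no cmd block; the command lines are constructed.

```python
import re

# Constructed model of the VOIP group's "service = shell" block above:
# command word -> ordered (action, regex) rules matched against the argument
# string, first match wins; words with no entry fall through to the default.
VOIP_SHELL_POLICY = {
    "interface":     [("permit", "Lo*"), ("permit", "Se*"), ("deny", ".*")],
    "aaa":           [("deny", ".*")],
    "username":      [("deny", ".*")],
    "line":          [("deny", ".*")],
    "delete":        [("deny", ".*")],
    # "reload" is commented out in the page's config, so it is absent here too
    "boot":          [("deny", ".*")],
    "enable":        [("deny", ".*")],
    "archive":       [("deny", ".*")],
    "router":        [("deny", ".*")],
    "ip":            [("permit", "address *"), ("deny", ".*")],
    "tacacs-server": [("deny", ".*")],
    "radius-server": [("deny", ".*")],
    "privilege":     [("deny", ".*")],
    "erase":         [("deny", ".*")],
    "write":         [("permit", "memory"), ("deny", ".*")],
    "format":        [("deny", ".*")],
}
DEFAULT_COMMAND = "permit"  # "default command = permit" in the config


def authorize(command_line, policy=VOIP_SHELL_POLICY, default=DEFAULT_COMMAND):
    """Return 'permit' or 'deny' for one IOS command line under the policy.
    Assumption (not spelled out on the page): patterns are regular expressions
    searched unanchored in the argument string, which is why "deny .*" acts as
    a catch-all; a cmd block whose rules all miss is treated as deny.
    """
    parts = command_line.strip().split(None, 1)
    if not parts:
        return "deny"
    word, args = parts[0], (parts[1] if len(parts) > 1 else "")
    rules = policy.get(word)
    if rules is None:
        return default  # no cmd block for this word: default command applies
    for action, pattern in rules:
        if re.search(pattern, args):
            return action  # first matching rule decides
    return "deny"


def audit(command_lines):
    """Evaluate several commands; returns [(command, decision), ...]."""
    return [(c, authorize(c)) for c in command_lines]
```

Running audit() over a few constructed lines shows the point of the commented-out reload rule: because no cmd block covers it, "reload" is permitted for VOIP admins by the default.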

Create the groups in AD
In Active Directory, two groups need to be created (based on our config): tacacsadmin and tacacsvoip.
When mapping a group in AD to a group in the config, Tac Plus strips the "tacacs" prefix and converts the remaining characters to uppercase.
Thus tacacsadmin corresponds to ADMIN and tacacsvoip corresponds to VOIP (this behavior can be changed via the AD_GROUP_PREFIX and REQUIRE_TACACS_GROUP_PREFIX attributes in the config).
The group names in the config are in uppercase for a reason!
Add users to the created groups.

Starting and stopping the TACACS service
# service tac_plus start
# service tac_plus stop
# service tac_plus restart

AAA Service Configuration on Cisco Equipment
tacacs server TACSRV1
 ! IP address of the tacacs server
 address ipv4 172.16.2.2
 ! the key must match the one specified in the config on the server
 key TACACSPASSWORD
 timeout 2
!
aaa new-model
aaa group server tacacs+ TACSERVICE
 server name TACSRV1
aaa authentication login default group TACSERVICE local
aaa authentication login CONSOLE local
aaa authentication enable default group TACSERVICE enable
aaa authorization config-commands
aaa authorization exec default group TACSERVICE local
aaa authorization exec CONSOLE local
aaa authorization commands 15 default group TACSERVICE local
aaa accounting commands 15 default start-stop group TACSERVICE
!
line con 0
 login authentication CONSOLE
line vty 0 15

Debugging techniques
1. Check that the LDAP module works (it should return an empty string with no errors). Errors here usually mean the perl-LDAP package is not installed.
# env LDAP_HOSTS="172.16.1.1" LDAP_SERVER_TYPE="microsoft" /usr/local/lib/mavis/mavis_tacplus_ldap.pl
2. Check the TACACS - LDAP link. The RESULT field should contain ACK. On error, check the config block responsible for the AD integration.

# /usr/local/bin/mavistest /usr/local/etc/tac_plus.cfg tac_plus TACPLUS

3. Verify that the service is running and listening on tcp 49
# netstat -nlp | grep tac_plus

4. To watch the requests arriving at the service
# tcpdump -nn port 49

5. Debug requests processed by the service
# /usr/local/sbin/tac_plus -d 4088 -fp /var/run/tac_plus.pid /usr/local/etc/tac_plus.cfg

Thank you for your attention!

Sources of information and supporting links:
http://packetroute.wordpress.com/2012/12/12/tacacs-ad-centos-free/
http://www.pro-bono-publico.de/projects/howto-tac_plus-ads.html
http://habrahabr.ru/post/194750/
