Back to Home

Setting up TACACS.NET on Windows for Eltex network devices | Guide

Practical guide to deploying TACACS.NET on Windows Server for access control to Eltex equipment. Detailed configuration file setup, solving licensing issues, and testing via tactest.

Practical guide: TACACS.NET on Windows for network security
Advertisement 728x90

# Practical Deployment of TACACS.NET on Windows for Managing Eltex Network Devices

Deploying TACACS.NET on a Windows server addresses centralized access control for Eltex network equipment. Unlike outdated solutions like Cisco ACS 4.2, this modern implementation offers flexible privilege setup and integration with devices via the standard TACACS+ protocol. This article provides a detailed server configuration guide, including bypassing license limits and fine-tuning access rights for operators and administrators.

TACACS.NET Configuration Architecture

TACACS.NET uses a modular approach to configuration through XML files, which requires understanding the interconnections between components. Key configuration files:

  • tacplus.xml — global server parameters
  • clients.xml — network device client definitions
  • authentication.xml — user account management
  • authorization.xml — binding access rights to roles

It's important to note that unlike Linux TACACS+ implementations, where all parameters are in a single file, here multiple configuration files must be synchronized. This adds complexity to initial setup but provides flexibility for managing complex access scenarios.

Google AdInline article slot

Critical Parameters for Startup

Before starting configuration, determine:

  • Server network interface and IP address (e.g., 172.16.1.111)
  • Secret key for device interaction (a simple key is recommended in test environments)
  • Role structure: operator (level 9) and administrator (level 15)
  • List of commands available at each privilege level

Installation and Initial Setup

TACACS.NET 2.1.2 installation requires Windows Server 2008 or later. The process includes:

  • Running the installer with default parameters accepted
  • Specifying the secret key (e.g., 12345678)
  • Checking service status in Windows Services

After installation, configuration files are placed in the hidden directory C:\ProgramData\TACACS.net. To edit:

Google AdInline article slot
  • Open files in Notepad as administrator
  • Remove the "read-only" attribute
  • Save changes in UTF-8 encoding

Network Interface Setup

In the tacplus.xml file, change the <BindAddress> parameter to the server's local IP address:

<BindAddress>172.16.1.111</BindAddress>

This is critical for proper interaction with network devices. An incorrect address will cause the service to fail on startup with a "Cannot bind to address" error.

Synchronizing Configuration Files

The key challenge is aligning parameters across files. Use the following scheme:

Google AdInline article slot
  • In clients.xml, create an INTERNAL group with parameters:
<ClientGroup name="INTERNAL">
  <Client address="172.16.1.0/24" key="12345678" />
</ClientGroup>
  • In authentication.xml, define user groups:
<UserGroup name="OPERATOR">
  <User name="user9" password="password" />
</UserGroup>

<UserGroup name="ADMINISTRATOR">
  <User name="admin" password="GwJQb6xe9+C8Ysosigs5OQ==" />
</UserGroup>
  • In authorization.xml, bind groups to privilege levels:
<Authorization>
  <UserGroup name="OPERATOR">
    <AutoExec priv-lvl="9" />
  </UserGroup>
  <UserGroup name="ADMINISTRATOR">
    <AutoExec priv-lvl="15" />
  </UserGroup>
</Authorization>

Testing the Configuration

After making changes, perform:

  • Syntax check via tacverify
  • Restart of the TACACS.NET service
  • Test connection via tactest

Example command for verification:

tactest -s 172.16.1.111 -k 12345678 -u user9 -author -p password

A correct response should include:

Authorization Status=PassAdd
Args: priv-lvl=9

Common Errors and Fixes

  • Service won't start: Check IP correctness in tacplus.xml and ensure user sections are uncommented
  • Incorrect privilege level: Verify group sync in authorization.xml and authentication.xml
  • Password encryption errors: Use the tacdes utility to generate DES hashes

Integration with Eltex Equipment

For ESR routers, apply this configuration:

privilege root level 9 "show running-config"
aaa authentication login default tacacs local
tacacs-server host 172.16.1.111 key ascii-text 12345678

For MES switches:

privilege exec 9 show running-config
privilege exec 10 configure
tacacs-server host 172.16.1.111 key 12345678
aaa authentication login authorization default tacacs local

Important: The privilege exec 10 configure command shifts configuration mode to level above 9, blocking operator access.

Bypassing License Restrictions

The standard version is limited to 5 devices and 3 users. To expand limits:

  • Generate a license file using the official tool
  • Place the file in C:\ProgramData\TACACS.net\license
  • Restart the service

Alternative for test environments:

  • Create additional client groups in clients.xml
  • Use one IP address with different secret keys
  • Configure equipment to use different keys

Key Points

  • Key Synchronization: The secret key must match in clients.xml, device settings, and tactest command
  • Privilege Levels: Eltex equipment requires explicit command specification via privilege in config
  • tactest Verification: Mandatory step before connecting real equipment
  • Password Encryption: Use tacdes for secure credential storage
  • Logging: Monitor files in C:\ProgramData\TACACS.net\Logs for troubleshooting

Conclusion

Deploying TACACS.NET on Windows provides a flexible solution for managing access to network equipment. Success hinges on understanding interconnections between configuration files and rigorously verifying each setting with built-in utilities. This approach enables a reliable testbed for authentication and authorization scenarios, meeting modern network infrastructure needs.

— Editorial Team

Advertisement 728x90

Read Next