Cisco AAA using TACACS+ with syslog and PAM support for CentOS/RedHat

Table of contents

  • Context
  • TACACS+ Server installation
  • TACACS+ Server Configuration
  • Running TACACS+

Context

In order to provide centralized authentication to network devices, RADIUS is commonly used and works very well. It is generic and can be used as a “proxy” to any kind of authentication backend, which is great. If you have a very strict security policy or are running network devices in a very strict environment (PCI-DSS is a good example), it is mandatory to provide audit logs of all actions executed by privileged users and, if possible, by anyone.

If your company is working with Cisco equipment, it turns out that RADIUS cannot be used for command accounting and you have to use … TACACS+… While you are stuck with a proprietary solution, the “good” news is that you can plug TACACS+ into PAM and use it for every A in AAA: authentication, authorization and accounting. Here’s how:

TACACS+ Server installation

It is important to have pam-devel installed during the compilation so that tac_plus is compiled with PAM support.
Verify in your ./configure output that PAM support has been enabled.

cd /usr/local/src/
wget ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F4.0.4.27a.tar.gz
tar xvzf tacacs+-F4.0.4.27a.tar.gz
cd tacacs+-F4.0.4.27a

yum install flex bison tcp_wrappers-devel tcp_wrappers-lib gcc pam-devel

./configure --prefix=/opt/tacacs+
make
make install
chmod 750 /opt/tacacs+
mkdir /opt/tacacs+/etc/

yum remove flex bison tcp_wrappers-devel tcp_wrappers-lib gcc cpp mpfr ppl cloog-ppl pam-devel

TACACS+ Server Configuration

  • /opt/tacacs+/etc/tac_plus.conf:
key = XXXXXXXX

accounting syslog
logging = local2

# read only group
# not sure it works, haven't used it yet
group = readonly {
    default service = deny
    service = exec {
            priv-lvl = 0
    }
    cmd=show {
            permit .*
    }
    cmd=enable {
                permit .*
    }
    cmd=exit {
                permit .*
    }
}

# admin group
group = admins {
        default service = permit
        login = PAM
        service = exec {
             priv-lvl = 15
        }
}

# Create a block for every admin user you have
user = fcrouzat {
        member = admins
}
  • /etc/pam.d/tac_plus:
    #%PAM-1.0
    auth       include      system-auth
    account    required     pam_nologin.so
    account    include      system-auth
    password   include      system-auth
    session    optional     pam_keyinit.so force revoke
    session    include      system-auth
    session    required     pam_loginuid.so

Next step is to open firewalling between your Cisco(s) and your TACACS+ server(s) for the TCP/49 port.
Now back to the system: we must configure rsyslogd so that tac_plus messages land in their own file, via /etc/rsyslog.d/tacacs.conf

if $app-name == 'tac_plus' then /var/log/tacacs.log
& stop

… and logrotate /etc/logrotate.d/tacacs

/var/log/tacacs.log {
    weekly
    rotate 4
    create 0640 root root
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2>/dev/null` 2>/dev/null || true
    endscript
}

Client configuration (Cisco)

! use tacacs+ for authentication
aaa authentication login default local group tacacs+
! exec authorization is granted to any user who authenticated (hence via tacacs+)
aaa authorization exec default if-authenticated

! accounting with tacacs+
aaa accounting commands 0 default
 action-type start-stop
 group tacacs+
!
! accounting with tacacs+
aaa accounting commands 1 default
 action-type start-stop
 group tacacs+
!
! accounting with tacacs+
aaa accounting commands 15 default
 action-type start-stop
 group tacacs+
!
! tacacs+ server configuration
tacacs server logrelay01xxx
 address ipv4 192.168.XX.YY
 key XXXXXXXXX
!

Running TACACS+

Finally you can run the server in debug mode:

/opt/tacacs+/bin/tac_plus -C /opt/tacacs+/etc/tac_plus.conf -L -p 49 -d128 -g

… or use the following very basic initscript[1], which works for EL6:

wget -O /etc/init.d/tac_plus http://files.floriancrouzat.net/tac_plus
restorecon -RvF /etc/init.d/tac_plus
chmod 755 /etc/init.d/tac_plus
chkconfig tac_plus on
chkconfig --list tac_plus
service tac_plus start

Finally, you can tail the TACACS+ server logs and complete the setup by logging on to a Cisco and verifying that authentication, then authorization and finally accounting are working:

[...]
Feb 22 15:38:13 tac.example.com tac_plus[25833]: 10.1.2.11    fcrouzat    tty1    192.168.2.1    stop    task_id=124    timezone=UTC    service=shell    start_time=1456152071    priv-lvl=1    cmd=show vlan brief 
Feb 22 15:38:17 tac.example.com tac_plus[25834]: connect from 10.1.2.11 [10.1.2.11]
Feb 22 15:38:17 tac.example.com tac_plus[25834]: 10.1.2.11    fcrouzat    tty1    192.168.2.1    stop    task_id=125    timezone=UTC    service=shell    start_time=1456152076    priv-lvl=1    cmd=show interfaces trunk 
[...]
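The accounting lines above are the audit trail this whole setup exists for, so here is an added example (not from the original post) of a small parser that turns them into records and flags privileged or configuration commands. The sample input is constructed from the two lines above plus an invented priv-lvl 15 record and a connection notice; the watched command prefixes are an assumption, not something tac_plus defines.

```python
import re
from typing import Dict, List, Optional, Tuple

# rsyslog header as written to /var/log/tacacs.log, followed by the tac_plus message.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"tac_plus\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# tac_plus separates accounting fields with tabs; the rendered page shows them as
# runs of spaces, so split on either.
FIELD_SEP = re.compile(r"\t|\s{2,}")
POSITIONAL = ("nas", "user", "port", "rem_addr", "flag")

def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Return a dict for an accounting record, or None for any other tac_plus line."""
    m = HEADER_RE.match(line.rstrip())
    if not m:
        return None
    fields = FIELD_SEP.split(m.group("msg").strip())
    if len(fields) < len(POSITIONAL) or fields[4] not in ("start", "stop", "watchdog"):
        return None  # e.g. "connect from 10.1.2.11 [10.1.2.11]" connection notices
    rec = dict(zip(POSITIONAL, fields))
    rec.update({"ts": m.group("ts"), "host": m.group("host")})
    for kv in fields[len(POSITIONAL):]:  # key=value pairs; cmd= may contain spaces
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec

def audit(lines: List[str],
          watch_prefixes: Tuple[str, ...] = ("configure", "copy", "write", "reload", "username")
          ) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Parse all lines; flag records run at priv-lvl 15 or matching a watched command prefix."""
    records = [r for r in map(parse_record, lines) if r]
    flagged = [r for r in records
               if int(r.get("priv-lvl", "0")) >= 15
               or r.get("cmd", "").startswith(watch_prefixes)]
    return records, flagged

# Constructed sample: the two records from the post, a connection notice, and an
# invented configure-mode record at priv-lvl 15.
SAMPLE_LINES = [
    "Feb 22 15:38:13 tac.example.com tac_plus[25833]: 10.1.2.11\tfcrouzat\ttty1\t192.168.2.1\tstop\ttask_id=124\ttimezone=UTC\tservice=shell\tstart_time=1456152071\tpriv-lvl=1\tcmd=show vlan brief ",
    "Feb 22 15:38:17 tac.example.com tac_plus[25834]: connect from 10.1.2.11 [10.1.2.11]",
    "Feb 22 15:38:17 tac.example.com tac_plus[25834]: 10.1.2.11\tfcrouzat\ttty1\t192.168.2.1\tstop\ttask_id=125\ttimezone=UTC\tservice=shell\tstart_time=1456152076\tpriv-lvl=1\tcmd=show interfaces trunk ",
    "Feb 22 15:40:02 tac.example.com tac_plus[25835]: 10.1.2.11\tfcrouzat\ttty1\t192.168.2.1\tstop\ttask_id=126\ttimezone=UTC\tservice=shell\tstart_time=1456152180\tpriv-lvl=15\tcmd=configure terminal",
]

if __name__ == "__main__":
    for r in audit(SAMPLE_LINES)[1]:
        print(f"{r['ts']} {r['user']}@{r['nas']} priv-lvl={r['priv-lvl']} cmd={r['cmd']}")
```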

[1] – http://files.floriancrouzat.net/tac_plus

3 comments so far.

  1. wow simply super…

    I have been struggling with this tacacs issue for one week, great post.
    Now I am able to see tacacs logs ….

    Thank you ….

  2. Thank you very much!! It was really useful!!

  3. Hello,
    I cannot use the PAM user after joining Windows ADS. I checked every realm command option and don’t know what’s wrong.
    Thanks
