Another tacacs+

A lot has been said, and even more written, about tacacs+, its settings, policies, ACLs and the rest. But something in tacacs+ always bothered me; something was always missing. Some incompleteness...
For example, you cannot set a banner for a whole group of hosts, only for each host separately. You cannot apply identical settings to a group of hosts, only individually. A dozen more such quibbles could be listed. Maybe I am missing something, but for now that is how it looks to me.
At my previous job I saw an unusual tacacs+ that was completely different from the standard one. Now, some time later, I found it again. Not just found it, but deployed it in a small office.
This is about the project www.pro-bono-publico.de/projects/tac_plus.html . The article is written somewhat in the spirit of a how-to; I hope someone finds it useful.

Initial data:
A server with Debian wheezy on board, on which I had already installed tacacs+ and tftp from the repositories.

Let's proceed to installing and configuring the new tacacs+ (removing the old tacacs+ first, of course).
We will build it with checkinstall. We need a few libraries and gcc-multilib. Install them:
apt-get install flex bison libtool gcc-multilib checkinstall
Prepare the build:
./configure
And build:
checkinstall
The build will not succeed on the first try, because the compiler will complain about missing directories. So create them right away:
 mkdir /home/USER/tacacs-sourse/PROJECTS/build/linux-3.2.0-4-amd64-x86_64
 mkdir /home/USER/tacacs-sourse/PROJECTS/build/linux-3.2.0-4-amd64-x86_64/mavis
 mkdir /usr/local/etc/mavis

tacacs-sourse is the directory where we unpacked the sources.

At the end we get a package that installs cleanly into the system without breaking any dependencies (and the kittens stay alive).

Next, the most interesting part: the configuration.
On the network I used tacacs+ with cisco, juniper, zelax and qutech devices.

But let's move on to configuring tacacs+ itself:
First, create a directory for the configuration file, mine is /etc/tacacs+/ . Then create the configuration file itself, mine is tacacs.conf . Set permissions 600 on the folder and the file so that no outsider can peek into the config.

Below is a simple example of a configuration file with comments:
 #!/usr/local/sbin/tac_plus
 id = spawnd {
     listen = { port = 49 }    ## tacacs listens on port 49
 }
 id = tac_plus {
     accounting log = /var/log/tacacs/tac_plus.log    ## accounting log; set permissions 600 on it and add it to logrotate
     mavis module = external {    ## mavis backend module (here the passwd script); an ldap backend is also possible
         exec = /usr/local/lib/mavis/mavis_tacplus_passwd.pl
     }
     login backend = mavis
     ### hosts (all devices)
     host = world {
         welcome banner = "\nWe are watching you! We know your ip: %%c\n"
         failed authentication banner = "\nYou are the %%u?\n"
         motd banner = "\nHello %%u. Today is %A!"
         key = WeryLongAndSequreKey    ## shared key
         address = 0.0.0.0/0
     }
     ### groups
     group = admin {
         default service = permit
         service = exec { set priv-lvl = 15 }
         service = junos-exec { set local-user-name = remote-super-users }    # for juniper
     }
     # restricted group
     group = noob {
         default service = deny
         service = exec { set priv-lvl = 15 }
         service = junos-exec { set local-user-name = remote-read-only }
         service = shell {
             cmd = show { permit .* }
             cmd = ping { permit .* }
             cmd = traceroute { permit .* }
         }
     }
     ### ACL, something the standard tacacs+ does not have. A user with this ACL can log in only from 192.168.0.5; from any other address the result is "bad password".
     acl = noobilo { nas = 192.168.0.5 }
     ### users
     user = prootik { member = admin login = crypt bla-bla-bla service = shell { set priv-lvl = 15 } }
     user = noob { acl = noobilo member = noob login = crypt la-la-la service = shell { set priv-lvl = 15 } }
 }


User passwords are stored as md5-crypt or DES-crypt hashes. According to the documentation, they are generated as follows:
 openssl passwd -1 <clear_text_password>
 openssl passwd -crypt <clear_text_password>
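The configuration file above holds the shared key and the users' password hashes, so before starting the daemon it is worth checking the things the text asks for: restrictive permissions, a key that is not trivially short, and no password stored in cleartext. The following pre-flight audit is an added example, not code from the article or from the tac_plus project. It assumes GNU stat (as on the Debian host used here), the article's "key = VALUE" / "user = NAME {" spacing, a hypothetical 16-character minimum key length, and the "login = clear <password>" form as the cleartext alternative to "login = crypt <hash>". It checks the directory against 700 rather than the 600 the text mentions, because a directory needs the execute bit to be entered.

```shell
#!/bin/sh
# Added example (not from the article or the tac_plus project): a small
# pre-flight audit of the tacacs.conf layout described above. The paths,
# the "login = clear" form and the 16-character key threshold are assumptions.

# Return 0 if $1 has exactly the octal mode $2 (600, 700, ...), else 1.
# Uses GNU stat, which matches the article's Debian host.
check_mode() {
    actual=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$actual" = "$2" ]
}

# Print every "key = VALUE" line in $1 whose VALUE is shorter than $2 (default 16)
# characters; exit status 1 if any was printed, 0 otherwise.
weak_keys() {
    awk -v min="${2:-16}" '
        /^[ \t]*key[ \t]*=/ {
            sub(/^[ \t]*key[ \t]*=[ \t]*/, "")   # keep only the value
            sub(/[ \t]*(#.*)?$/, "")             # drop any trailing comment
            if (length($0) < min) { printf "weak key (%d chars): %s\n", length($0), $0; found = 1 }
        }
        END { exit (found ? 1 : 0) }' "$1"
}

# Print users whose entry stores the password in cleartext ("login = clear ...",
# an assumed form) instead of a crypt hash; exit status 1 if any, 0 otherwise.
clear_logins() {
    awk '
        /^[ \t]*user[ \t]*=/ { user = $3 }
        /login[ \t]*=[ \t]*clear/ { print "cleartext password for user " user; found = 1 }
        END { exit (found ? 1 : 0) }' "$1"
}

# Hash a password for a "login = crypt ..." line the way the article does.
# The explicit salt only makes the output reproducible; leave it out in real
# use so that openssl picks a random one.
make_crypt() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 2; }
    openssl passwd -1 -salt "$2" "$1"
}

# Run all checks on a config directory ($1) and file ($2); returns the number
# of failed checks. The directory is checked against 700, not 600: without the
# execute bit the daemon could not enter it to read the file.
audit_tacacs() {
    dir=$1; conf=$2; fails=0
    check_mode "$dir" 700  || { echo "$dir: expected mode 700";  fails=$((fails + 1)); }
    check_mode "$conf" 600 || { echo "$conf: expected mode 600"; fails=$((fails + 1)); }
    weak_keys "$conf"      || fails=$((fails + 1))
    clear_logins "$conf"   || fails=$((fails + 1))
    return $fails
}

# Demo on a constructed config (run with: sh audit.sh demo).
demo() {
    tmp=$(mktemp -d) && mkdir "$tmp/tacacs+"
    cat > "$tmp/tacacs+/tacacs.conf" <<'EOF'
id = tac_plus {
    host = world {
        key = short
        address = 0.0.0.0/0
    }
    user = noob { login = clear la-la-la }
    user = prootik { login = crypt $1$abcdefgh$placeholderhash }
}
EOF
    chmod 700 "$tmp/tacacs+"; chmod 644 "$tmp/tacacs+/tacacs.conf"
    audit_tacacs "$tmp/tacacs+" "$tmp/tacacs+/tacacs.conf"
    echo "failed checks: $?"
    rm -r "$tmp"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

The audit only reads the file, so it can run from the init script before `tac_plus -P` without touching the daemon; a non-zero return is a reason not to restart.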


As you noticed, all users get privilege level 15 by default (cisco). However, users in the noob group can still execute only the commands explicitly allowed to them. This seems convenient to me: there is no need to keep entering the enable password to get into privileged mode.

The ACL capabilities here are wider than in the standard tacacs+, and the syntax is great. For a deeper study, read the man page. I will not dwell on ACLs in this article.

So, we have a quite working tacacs+. Let's try to run it:

tac_plus /etc/tacacs+/tacacs.conf &

In the process list we will see something like this:
71745 ? Ss 0:00 tac_plus: 0 connections, accepting up to 480 more
71746 ? Ss 0:00 tac_plus: 0 connections
71747 ? Ss 0:00 tac_plus: 0 connection


Isn't it convenient to see how many users are currently using the system (especially when you want to stop it)?

There is an example init script on the website www.pro-bono-publico.de ; I changed it a little to fit my needs:
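The connection counts in those process titles are exactly what you want to look at before stopping the daemon. The script below is an added example, not part of the article or of tac_plus: it parses process-list lines of the shape shown above, sums the counts reported by the worker processes, and refuses a stop while sessions are open. It assumes that the line with "accepting up to N more" is the master and only reports capacity, so it is excluded from the sum; the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not part of the article): count the client connections that
# tac_plus reports in its process titles, and refuse a stop while sessions are open.

# Constructed sample in the same format the article shows in the process list.
SAMPLE_PS='71745 ? Ss 0:00 tac_plus: 0 connections, accepting up to 480 more
71746 ? Ss 0:00 tac_plus: 3 connections
71747 ? Ss 0:00 tac_plus: 1 connection'

# Sum the connection counts over all tac_plus worker lines in the given text.
# The master line ("accepting up to N more") is skipped; the assumption here is
# that it only reports capacity, not sessions.
tac_plus_sessions() {
    printf '%s\n' "$1" | awk '
        /tac_plus: [0-9]+ connection/ && !/accepting up to/ {
            for (i = 1; i <= NF; i++) if ($i == "tac_plus:") { total += $(i + 1); break }
        }
        END { print total + 0 }'
}

# The live process list in the same shape (pid, tty, state, time, args).
live_ps() {
    ps -eo pid,tty,stat,time,args
}

# Return 0 (safe to stop) when no sessions are open in the given text, else 1.
safe_to_stop() {
    n=$(tac_plus_sessions "$1")
    if [ "$n" -eq 0 ]; then
        echo "no open tac_plus sessions, safe to stop"
        return 0
    fi
    echo "$n open tac_plus session(s), not stopping"
    return 1
}

# Usage on a real host: safe_to_stop "$(live_ps)" && service tac_plus stop
# Demo on the constructed sample (run with: sh sessions.sh demo).
if [ "${1:-}" = "demo" ]; then safe_to_stop "$SAMPLE_PS"; fi
```

Wiring `safe_to_stop "$(live_ps)"` into the stop branch of the init script turns the observation above into an actual guard instead of something you have to remember to look at.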

 #!/bin/sh
 #
 # Start-stop script for tac_plus
 #
 # (C)2001-2010 by Marc Huber <Marc.Huber@web.de>
 # $Id: etc_init.d_tac_plus,v 1.1 2011/07/22 17:04:03 marc Exp $
 #
 # chkconfig: 2345 99 99
 # description: Starts and stops the tac_plus server process.
 #

 PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/sbin/
 export PATH

 DEFAULT=/etc/default/tacplus-tac_plus
 PROG=/usr/local/sbin/tac_plus
 CONF=/etc/tacacs+/tacacs.conf
 PIDFILE=/var/run/tac_plus.pid
 NAME=tac_plus

 [ -f "$DEFAULT" ] && . "$DEFAULT"

 for FILE in $PROG $CONF ; do
     if ! [ -f "$FILE" ] ; then
         echo $FILE does not exist.
         DIE=1
     fi
 done

 if [ "$DIE" != "" ] ; then
     echo Exiting.
     exit 1
 fi

 start () {
     /bin/echo -n "Starting $NAME: "
     if $PROG -bp $PIDFILE $CONF
     then
         echo "done."
     else
         echo "failed."
     fi
 }

 restart () {
     PID=`cat $PIDFILE 2>/dev/null`
     /bin/echo -n "Restarting $NAME: "
     if [ "x$PID" = "x" ]
     then
         echo "failed (service not running)"
     else
         kill -1 $PID 2>/dev/null
         echo "initiated."
     fi
 }

 stop () {
     PID=`cat $PIDFILE 2>/dev/null`
     /bin/echo -n "Stopping $NAME: "
     if [ "x$PID" = "x" ]
     then
         echo "failed ($NAME is not running)"
     else
         kill -9 $PID 2>/dev/null
         rm -f $PIDFILE
         echo "done."
     fi
 }

 case "$1" in
     stop)
         stop
         ;;
     status)
         PID=`cat $PIDFILE 2>/dev/null`
         if [ "x$PID" = "x" ]
         then
             echo "$NAME is not running."
             exit 1
         fi
         if ps -p $PID 2>/dev/null >&2
         then
             echo "$NAME ($PID) is running."
             exit 0
         fi
         echo "$NAME ($PID) is not running but pid file exists."
         ;;
     start|restart|force-reload|reload)
         if $PROG -P $CONF ;then
             if [ "$1" = "start" ]
             then
                 stop 2>/dev/null >&2
                 start
             else
                 restart
             fi
         else
             cat <<EOT
 ********************************************************************************
 * Unable to $1 $NAME ... please fix the configuration problem
 * indicated above.
 ********************************************************************************
EOT
             exit 1
         fi
         ;;
     *)
         echo "Usage: $0 {start|stop|restart|force-reload|reload|status}"
         exit 1
         ;;
 esac

 exit 0


Give the script execute permission (chmod +x), name it for example tac_plus and put it in /etc/init.d . That's all. Now you can stop, start and restart tacacs+ with service tac_plus start / stop / restart .

And for complete feng shui, add tacacs+ to autostart:
update-rc.d tac_plus defaults

The server side is ready. Let's move on to configuring the network equipment. In fact everything is simple; only juniper stands out. For cisco I see no point in showing the config (zelax and qutech are almost identical), but for juniper I will. By the way, the documentation describes how to make juniper and tacacs+ friends. At one time I spent a lot of effort on that.

Config for juniper:

 set system authentication-order tacplus
 set system authentication-order password
 set system tacplus-server <ip> port 49
 set system tacplus-server <ip> secret WeryLongAndSequreKey
 set system tacplus-server <ip> timeout 10
 set system accounting events login
 set system accounting events change-log
 set system accounting events interactive-commands
 set system accounting destination tacplus server <ip> secret WeryLongAndSequreKey
 # template users: juniper maps the local-user-name returned by tacacs+ to these local accounts and their classes
 set system login user remote-super-users full-name "User template for remote super-users" uid 2013 class super-user
 set system login user remote-read-only full-name "User template for remote read-only" uid 2014 class read-only
 # you can also define your own class, for example:
 set system login class remote-getconf permissions [ view-configuration configure ]
 set system login user remote-getconfig full-name "User template for remote getconf" uid 2015 class remote-getconf


Even with tacacs+ enabled you can still log in to juniper as root. This is intentional, so that you can get into the shell. With a tacacs+ account you land directly in the cli.

Also, I strongly recommend allocating a management subnet and putting ACLs on all devices so that access is allowed only from this subnet.

And now a few screenshots: [screenshot images not included]

P.S. On the question of stability. At my previous job a bunch of administrators and several thousand devices used the system. Everything was, in principle, fine.
At the current place, a few dozen devices and five users, everything is fine.

Source: https://habr.com/ru/post/194750/
