
TACACS+ on Linux with Active Directory authentication

There are plenty of guides on this topic on the net, but none of them let me get the service up on Linux and tied to Active Directory in 30-60 minutes. I propose my own way of solving the problem, with detailed comments.

Let's start installing the service. CentOS is used as the OS.

Install the necessary packages
 # yum install gcc
 # yum install perl-LDAP
 # yum install bind-utils

All operations are performed as "root"
(so the home directory is /root)

Tac Plus installation
 # yum install wget
 # wget http://www.pro-bono-publico.de/projects/src/DEVEL.tar.bz2
 # tar xvfj ./DEVEL.tar.bz2
 # cd ./PROJECTS
 # ./configure
 # make
 # make install

Add directories for the accounting files
 # mkdir /var/log/tac_plus
 # mkdir /var/log/tac_plus/access
 # mkdir /var/log/tac_plus/acct
 # chmod 760 -R /var/log/tac_plus/

Add Tac Plus to autostart
 # cp /root/PROJECTS/tac_plus/extra/etc_init.d_tac_plus /etc/init.d/tac_plus
 # chmod 755 /etc/init.d/tac_plus
 # chkconfig --add tac_plus
 # chkconfig --level 2345 tac_plus on

Check that it is enabled for autostart
 # chkconfig --list | grep tac_plus

Configuration file
 # cp /root/PROJECTS/tac_plus/extra/tac_plus.cfg-ads /usr/local/etc/tac_plus.cfg
 # chmod 660 /usr/local/etc/tac_plus.cfg

!!! After each configuration change the service must be restarted (service tac_plus restart).
An example of a working configuration file (replace the contents of tac_plus.cfg with it, after first adjusting the commented fields):

 #!/usr/local/sbin/tac_plus
 id = spawnd {
     listen = { port = 49 }                      # TACACS port
     spawn = {
         instances min = 1
         instances max = 10
     }
     background = yes
 }

 id = tac_plus {
     access log = ">/var/log/tac_plus/access/%Y%m%d.log"
     accounting log = ">/var/log/tac_plus/acct/%Y%m%d.log"

     # Active Directory
     mavis module = external {
         setenv LDAP_SERVER_TYPE = "microsoft"
         setenv LDAP_HOSTS = "ldaps://domain.name:636"   # DNS name (check with nslookup) or IP
         setenv LDAP_SCOPE = sub
         setenv LDAP_BASE = "dc=domain,dc=name"
         setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
         setenv LDAP_USER = "aduser@domain.name"          # account in AD used for the LDAP bind
         setenv LDAP_PASSWD = "passw0rd"
         #setenv AD_GROUP_PREFIX = tacacs
         #setenv REQUIRE_TACACS_GROUP_PREFIX = 1
         #setenv USE_TLS = 0
         setenv FLAG_USE_MEMBEROF = 1
         exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
     }

     login backend = mavis
     user backend = mavis
     #pap backend = mavis

     host = world {
         address = ::/0
         welcome banner = ""
         # crypt password generated with "openssl passwd -1 clear_text_password"
         enable 15 = crypt $1$eqIkg6p0$jzhK5.
         key = "TACACSPASSWORD"                   # key shared with the TACACS clients
     }

     group = ADMIN {
         message = "[Admin privileges]"
         default service = permit
         service = shell {
             default command = permit
             default attribute = permit
             set priv-lvl = 15
         }
     }

     group = VOIP {
         message = "[VoIP-admin privileges]"
         default service = permit
         service = shell {
             default command = permit
             default attribute = permit
             set priv-lvl = 15
             cmd = interface {
                 permit "Lo*"
                 permit "Se*"
                 deny .*
             }
             cmd = aaa { deny .* }
             cmd = username { deny .* }
             cmd = line { deny .* }
             cmd = delete { deny .* }
             #cmd = reload { deny .* }
             cmd = boot { deny .* }
             cmd = enable { deny .* }
             cmd = archive { deny .* }
             cmd = router { deny .* }
             cmd = ip {
                 permit "address *"
                 deny .*
             }
             cmd = tacacs-server { deny .* }
             cmd = radius-server { deny .* }
             cmd = privilege { deny .* }
             cmd = erase { deny .* }
             cmd = write {
                 permit "memory"
                 deny .*
             }
             cmd = format { deny .* }
         }
     }
 }

Check that the config is valid (if everything is OK, nothing is printed)
 # /usr/local/sbin/tac_plus -P /usr/local/etc/tac_plus.cfg

Create groups in AD
In Active Directory, you need to create 2 groups (based on our config): tacacsadmin and tacacsvoip.
When matching a group from AD to a group in the config, Tac Plus strips the "tacacs" prefix and converts the remaining characters to uppercase.
Thus tacacsadmin corresponds to ADMIN and tacacsvoip corresponds to VOIP (you can change this behaviour with the AD_GROUP_PREFIX and REQUIRE_TACACS_GROUP_PREFIX settings in the config).
It is no accident that the group names in the config are in uppercase!
We add users to the created groups.
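To check the group mapping and the command-authorization rules of the config above before pointing real devices at the server, here is a small model in Python. It is an added example, not code from the tac_plus project or the mavis module: it assumes tac_plus's documented first-match evaluation of the permit/deny regexes, that those regexes are unanchored (which is why every cmd block in the config ends with deny .*), and that an unmatched command falls back to "default command"; how groups without the prefix are treated when REQUIRE_TACACS_GROUP_PREFIX is unset is likewise an assumption of the model, and the memberOf values are constructed sample data. It shows one thing the config alone does not make obvious: an unanchored pattern such as "address *" also matches "ip dhcp excluded-address ...", so anchoring patterns with ^ is the safer choice.

```python
"""Model of the AD-group mapping and the shell command authorization in the
tac_plus.cfg above.  Added example; not code from the tac_plus project.
Assumptions: the first matching permit/deny regex wins, regexes are
unanchored (re.search), and an unmatched command falls back to
'default command'."""
import re


def ad_group_to_tacplus(cn, prefix="tacacs", require_prefix=False):
    """Mapping described in the article: strip AD_GROUP_PREFIX ("tacacs" by
    default) and upper-case the rest.  What happens to groups without the
    prefix when REQUIRE_TACACS_GROUP_PREFIX is unset is an assumption here."""
    if cn.lower().startswith(prefix.lower()):
        return cn[len(prefix):].upper()
    return None if require_prefix else cn.upper()


def groups_from_memberof(member_of, **kw):
    """Take the CN of each memberOf DN and map it to a tac_plus group name."""
    groups = []
    for dn in member_of:
        m = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
        if m:
            g = ad_group_to_tacplus(m.group(1), **kw)
            if g is not None:
                groups.append(g)
    return groups


# Constructed sample: memberOf values as AD would return them for a VoIP admin.
SAMPLE_MEMBER_OF = [
    "CN=tacacsvoip,OU=Groups,DC=domain,DC=name",
    "CN=Domain Users,CN=Users,DC=domain,DC=name",
]

# Subset of the page's config.  ADMIN has no cmd blocks, so every command
# falls through to 'default command = permit'.  Patterns are kept exactly as
# written in the config; the commented-out 'reload' block is absent on purpose.
DEFAULT_COMMAND = "permit"
CMD_RULES = {
    "ADMIN": {},
    "VOIP": {
        "interface": [("permit", "Lo*"), ("permit", "Se*"), ("deny", ".*")],
        "ip":        [("permit", "address *"), ("deny", ".*")],
        "write":     [("permit", "memory"), ("deny", ".*")],
        "aaa":       [("deny", ".*")],
        "username":  [("deny", ".*")],
    },
}


def authorize(group, command_line):
    """Return "permit" or "deny" for one shell command issued by a group member."""
    if group not in CMD_RULES:          # user matched no configured group
        return "deny"
    parts = command_line.strip().split(None, 1)
    if not parts:
        return "deny"
    cmd, args = parts[0], (parts[1] if len(parts) > 1 else "")
    for action, pattern in CMD_RULES[group].get(cmd, []):
        if re.search(pattern, args):    # unanchored search, first match wins
            return action
    return DEFAULT_COMMAND              # no cmd block, or nothing matched


if __name__ == "__main__":
    print("groups:", groups_from_memberof(SAMPLE_MEMBER_OF, require_prefix=True))
    for line in ("interface Loopback0", "interface GigabitEthernet0/1",
                 "write memory", "write erase",
                 "ip address 10.0.0.1 255.255.255.0",
                 "ip dhcp excluded-address 10.0.0.1",   # slips through "address *"
                 "reload"):
        print(f"{authorize('VOIP', line):6s} {line}")
```

Run it with python3 to get a permit/deny table for the VOIP group; the real daemon's decisions can be compared against it with the debug run from the "Debugging technique" section. Note that "reload" is permitted for VOIP because the config has that cmd block commented out.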

Starting and stopping the TACACS service
 # service tac_plus start
 # service tac_plus stop
 # service tac_plus restart

AAA configuration on Cisco equipment
 tacacs server TACSRV1
  ! IP address of the TACACS server
  address ipv4 172.16.2.2
  ! the key must match the one in tac_plus.cfg
  key TACACSPASSWORD
  timeout 2
 !
 aaa new-model
 aaa group server tacacs+ TACSERVICE
  server name TACSRV1
 aaa authentication login default group TACSERVICE local
 aaa authentication login CONSOLE local
 aaa authentication enable default group TACSERVICE enable
 aaa authorization config-commands
 aaa authorization exec default group TACSERVICE local
 aaa authorization exec CONSOLE local
 aaa authorization commands 15 default group TACSERVICE local
 aaa accounting commands 15 default start-stop group TACSERVICE
 !
 line con 0
  login authentication CONSOLE
 line vty 0 15

Debugging technique
1. Check that the LDAP module works (it should return an empty string, without errors). Errors here usually mean the perl-LDAP package is not installed.
 # env LDAP_HOSTS="172.16.1.1" LDAP_SERVER_TYPE="microsoft" /usr/local/lib/mavis/mavis_tacplus_ldap.pl

2. Check TACACS authentication against LDAP. A successful result contains RESULT - ACK; otherwise, check the AD settings.
 # /usr/local/bin/mavistest /usr/local/etc/tac_plus.cfg tac_plus TACPLUS <login> <password>

3. Verify that the service is running and listening on TCP port 49
 # netstat -nlp | grep tac_plus

4. See the requests arriving at the service
 # tcpdump -nn port 49

5. Debug the requests processed by the service
 # /usr/local/sbin/tac_plus -d 4088 -fp /var/run/tac_plus.pid /usr/local/etc/tac_plus.cfg

Thank you for your attention!

Sources of information and supporting links:
http://packetroute.wordpress.com/2012/12/12/tacacs-ad-centos-free/
http://www.pro-bono-publico.de/projects/howto-tac_plus-ads.html
http://habrahabr.ru/post/194750/

Source: https://habr.com/ru/post/217669/
