The configuration described here is a single file, and it exists for this netlab only. The TACACS+ daemon has no connections to LDAP, AD, RADIUS or similar backends. Backends are optional and can be added easily at any time.

To keep this simple one-file configuration modular and manageable over time, the tac_plus-ng.cfg configuration is split into the following parts:

  • devices
  • groups
  • users

Includes are described in the docs under 4.2. Configuration directives. This way the configuration can be automated, and it is easier to manage small bits and pieces than one huge file.

Directory structure created in the tac_plus main directory /etc/tac_plus-ng/:

user % tree -L 1 -d
.
├── devices
├── groups
└── users

This is much like what you would do with Ansible too.

Configuration directory view:

user % tree -L 2
.
├── group
│   └── group.cfg
├── devices
│   └── IPv4only.cfg
├── tac_plus-ng.cfg
└── users
    └── 99-cisco.cfg

TACACS+

This netlab uses the TAC_PLUS-NG daemon project from Event-driven servers.

Version of TACACS+NG:

user % tac_plus-ng -v
tac_plus-ng version 7a7ba236b34171b085fa13fb3560c4d009b21e81/PCRE2

The configuration used in this example comes from the previous netlab, 05 - Configuring TACACS+NG authentication for freeRtr.

Using the previous netlab configuration example, create the following:

devices dir

The devices dir has one file:

user % tree -L 1 devices
devices
└── IPv4only.cfg

This is the only device configuration file, and it matches all incoming AAA requests.

user % more devices/IPv4only.cfg
device IPv4only {
    address = 0.0.0.0/0
    welcome banner = "\n Welcome to TACACS+NG\n\n"
    key = 123-my_tacacs_key
}
📘 Note
The previously used host or hosts variable is now device or devices.

Please change that. I do not know where I picked up this variable; it is not in the documentation. Still, if host has worked for you, swap it to device.

group dir

The group dir has one config file:

user % tree -L 1 group
group
└── group.cfg

Three example groups are configured; currently only NET-exp is used:

user % more group/group.cfg
group NET-exp
group NET-pro
group NET-ent

users dir

Create users directory:

user % tree -L 1 users
users
└── 99-cisco.cfg

This is how the user configuration file looks for the user cisco; note the member setting. The previous netadmin group has been renamed to NET-exp:

user % more users/99-cisco.cfg
user dos {
        password {
                login = crypt $2y$10$6PDonNyRrHqlXp.k9lxAXO77H2PrjWm9KxvODaCBc/RwGK.OUjA7m
                pap = crypt $2y$10$g5UKt2VWoJfi2NXWW5yniOc4ZS0CTONFhtQbyJ.Q9172bqNYJQClG
        }
        member = NET-exp
}

Profile settings are kept in the main configuration file. Putting it all together gives the resulting tac_plus-ng.cfg. CHAP authentication is unused at the moment, so it has been removed.

TACACS+NG configuration

The resulting tac_plus-ng.cfg, using includes:

#!/usr/sbin/tac_plus-ng
id = spawnd {
    listen = { address = 0.0.0.0 port = 49 }
    listen = { address = 0.0.0.0 port = 4949 }
}

id = tac_plus-ng {
    include = devices/*.cfg

    profile 3rd-level {
        script {
            if (service == shell) {
                if (cmd == "") {
                    permit
                }
                permit
            }
        }
    }

    include = group/*.cfg
    include = users/*.cfg

    ruleset {
        rule {
            script {
                if (member == NET-exp) { profile = 3rd-level permit }
            }
        }
    }
}

The result is a small, easy-to-overview, manageable configuration file for the TACACS+NG daemon.
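Once the configuration is split across devices/, group/ and users/, the easiest thing to break is a cross-file reference: a user whose member = names a group that no group/*.cfg defines, or a ruleset that points at a profile that was renamed. Such a user simply matches no rule. The checker below is an added example, not code from this post or from the tac_plus-ng project. It splices the include = globs the way the main file lists them, then verifies that every member, member == and profile = reference resolves and that braces balance. It is regex-based and only understands the constructs used in this post, so it is a pre-check on the split files, not a replacement for tac_plus-ng -P. The embedded SAMPLE_TREE is constructed: the key and password hash are placeholders, and users/10-typo.cfg with its NET-exo group is a deliberate typo to show the detection; pass a real directory such as /etc/tac_plus-ng as the first argument to check that instead.

```python
import fnmatch
import re
import sys
from pathlib import Path

# Constructed sample of the split /etc/tac_plus-ng/ tree from the post.
# Keys are file paths relative to the config directory; values are contents.
# The key and hash are placeholders; users/10-typo.cfg is a constructed file
# whose member name has a typo (NET-exo instead of NET-exp).
SAMPLE_TREE = {
    "tac_plus-ng.cfg": """\
#!/usr/sbin/tac_plus-ng
id = spawnd {
    listen = { address = 0.0.0.0 port = 49 }
}
id = tac_plus-ng {
    include = devices/*.cfg
    profile 3rd-level {
        script {
            if (service == shell) { permit }
        }
    }
    include = group/*.cfg
    include = users/*.cfg
    ruleset {
        rule {
            script {
                if (member == NET-exp) { profile = 3rd-level permit }
            }
        }
    }
}
""",
    "devices/IPv4only.cfg": "device IPv4only {\n    address = 0.0.0.0/0\n    key = PLACEHOLDER-KEY\n}\n",
    "group/group.cfg": "group NET-exp\ngroup NET-pro\ngroup NET-ent\n",
    "users/99-cisco.cfg": "user dos {\n    password {\n        login = crypt $2y$10$PLACEHOLDERHASH\n    }\n    member = NET-exp\n}\n",
    "users/10-typo.cfg": "user oper {\n    member = NET-exo\n}\n",
}

INCLUDE_RE = re.compile(r"^[ \t]*include\s*=\s*(\S+)[ \t]*$", re.M)
GROUP_RE = re.compile(r"^\s*group\s+([\w-]+)", re.M)
PROFILE_RE = re.compile(r"^\s*profile\s+([\w-]+)\s*\{", re.M)
USER_RE = re.compile(r"^\s*user\s+([\w-]+)\s*\{", re.M)
MEMBER_RE = re.compile(r"^\s*member\s*=\s*([\w-]+)", re.M)
RULE_MEMBER_RE = re.compile(r"member\s*==\s*([\w-]+)")
RULE_PROFILE_RE = re.compile(r"profile\s*=\s*([\w-]+)")


def load_tree(directory):
    """Read a real config directory into the same dict shape as SAMPLE_TREE."""
    base = Path(directory)
    return {str(p.relative_to(base)).replace("\\", "/"): p.read_text()
            for p in base.rglob("*.cfg")}


def expand_includes(tree, root="tac_plus-ng.cfg"):
    """Splice every 'include = <glob>' line of the root file in place."""
    def splice(match):
        pattern = match.group(1)
        files = sorted(p for p in tree if fnmatch.fnmatch(p, pattern))
        if not files:
            raise FileNotFoundError(f"include {pattern} matched no file")
        return "\n".join(tree[p] for p in files)
    return INCLUDE_RE.sub(splice, tree[root])


def _block_body(text, open_idx):
    """Return the text between the brace at open_idx and its matching close."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces")


def check_config(tree):
    """Cross-check the split files; return a list of human-readable issues."""
    text = expand_includes(tree)
    issues = []
    if text.count("{") != text.count("}"):
        issues.append("unbalanced braces in merged configuration")
    groups = set(GROUP_RE.findall(text))
    profiles = set(PROFILE_RE.findall(text))
    # A member= that names no defined group matches no rule: silent lockout.
    for m in USER_RE.finditer(text):
        for g in MEMBER_RE.findall(_block_body(text, m.end() - 1)):
            if g not in groups:
                issues.append(f"user {m.group(1)}: member {g} is not a defined group")
    # The ruleset may only refer to groups and profiles that exist.
    for g in RULE_MEMBER_RE.findall(text):
        if g not in groups:
            issues.append(f"ruleset: member == {g} names an undefined group")
    for p in RULE_PROFILE_RE.findall(text):
        if p not in profiles:
            issues.append(f"ruleset: profile = {p} names an undefined profile")
    return issues


if __name__ == "__main__":
    tree = load_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_TREE
    problems = check_config(tree)
    for line in problems:
        print("ISSUE:", line)
    sys.exit(1 if problems else 0)
```

Run against the embedded sample it exits 1 and reports the NET-exo typo in users/10-typo.cfg; with that file removed it exits 0. The exit status makes it usable as a pre-commit or CI step in front of tac_plus-ng -P, so a bad member name is caught before the daemon is restarted with it.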

Verify

Verify the resulting configuration:

user % tac_plus-ng -P tac_plus-ng.cfg -d2
6064: 18:40:53.539 0/00000000: - exit status=0

Exit status 0. Finished.

References

Related TACACS+NG posts: