The configuration described here is a single file only and is intended for the netlab only. The TACACS+ daemon has no connection to LDAP/AD/RADIUS backends; these are optional and can be added easily at any time.
To keep this simple one-file configuration modular and manageable over time, the tac_plus-ng.cfg
configuration will be split into the following parts:
- devices
- groups
- users
Includes are described in the docs under 4.2. Configuration directives. This way the configuration can be automated, and it is easier to manage small bits and pieces than one huge file.
Directory structure created in the tac_plus-ng main directory /etc/tac_plus-ng/:
.
├── devices
├── group
└── users
This is much like what you would do using Ansible too.
Configuration directory view:
.
├── group
│   └── group.cfg
├── devices
│   └── IPv4only.cfg
├── tac_plus-ng.cfg
└── users
    └── 99-cisco.cfg
TACACS+
This netlab is using the TAC_PLUS-NG daemon project from Event-driven servers.
Version of TACACS+NG:
The configuration used in this example is from previous netlab 05 - Configuring TACACS+NG authentication for freeRtr.
Using the previous netlab configuration example, create the following:
devices dir
The devices dir has one file:
devices
└── IPv4only.cfg
This is the only device configuration file. With address = 0.0.0.0/0 it matches every incoming AAA request, so the shared key is the only thing that ties a client to this device entry; narrow the address range before using this outside the netlab.
device IPv4only {
    address = 0.0.0.0/0
    welcome banner = "\n Welcome to TACACS+NG\n\n"
    key = 123-my_tacacs_key
}
The previously used host or hosts variable is now device or devices. Please change that. I do not know where I have picked up this variable; it is not in the documentation. Still, if host has worked, swap it to device.
group dir
The group dir has one config file:
group
└── group.cfg
Three example groups are configured; currently only NET-exp
is used:
group NET-exp
group NET-pro
group NET-ent
users dir
Create the users directory:
users
└── 99-cisco.cfg
This is how the user configuration file for the user cisco
looks; note the member setting. The previous netadmin
group has been renamed to NET-exp
:
user dos {
    password {
        login = crypt $2y$10$6PDonNyRrHqlXp.k9lxAXO77H2PrjWm9KxvODaCBc/RwGK.OUjA7m
        pap = crypt $2y$10$g5UKt2VWoJfi2NXWW5yniOc4ZS0CTONFhtQbyJ.Q9172bqNYJQClG
    }
    member = NET-exp
}
Profile settings are kept in the main configuration file. Putting it all together gives the resulting tac_plus-ng.cfg
. CHAP authentication is unused at the moment, so it has been removed.
TACACS+NG configuration
The resulting tac_plus-ng.cfg, using includes:
#!/usr/sbin/tac_plus-ng
id = spawnd {
    listen = { address = 0.0.0.0 port = 49 }
    listen = { address = 0.0.0.0 port = 4949 }
}
id = tac_plus-ng {
    # device definitions, one file per device group
    include = devices/*.cfg
    # the profile is what a matching rule hands out; this one permits every shell command
    profile 3rd-level {
        script {
            if (service == shell) {
                if (cmd == "") {
                    permit
                }
                permit
            }
        }
    }
    include = group/*.cfg
    include = users/*.cfg
    ruleset {
        rule {
            script {
                if (member == NET-exp) { profile = 3rd-level permit }
            }
        }
    }
}
The result is a nice and small, easy to overview, manageable configuration file for the TACACS+NG daemon. Note that the 3rd-level profile permits every shell command for NET-exp members (the inner cmd == "" check only covers the initial login, and the unconditional permit after it covers everything else); restrict the cmd matches there before using this outside the netlab.
Verify
Verify the resulting configuration with a parse-only run of the daemon (tac_plus-ng -P /etc/tac_plus-ng/tac_plus-ng.cfg); it should finish with exit status 0. Finished.
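The daemon's own parse check tells you whether the syntax is valid, but not whether the split-up pieces still fit together: an include glob that matches nothing, a user whose member group is defined in no group/*.cfg file, or a rule that hands out a profile that does not exist. The following script is an added example (not part of the tac_plus-ng project) that expands the include globs of a config directory laid out as described above and reports such mismatches. It only understands the handful of directives used on this page via regular expressions, assumes closing braces of user and device blocks sit at the start of a line, and builds its own constructed sample tree (with a deliberately dangling group and profile) in a temporary directory.

```python
#!/usr/bin/env python3
"""Consistency check for a tac_plus-ng.cfg split into include files.

Added example, not tac_plus-ng code: it covers only include, device, group,
user/member, profile and "member == X ... profile = Y" rule lines, using
regular expressions rather than the real grammar. Use `tac_plus-ng -P` for
the authoritative syntax check; this catches what -P does not look at.
"""
import glob
import re
import tempfile
from pathlib import Path

# Constructed sample tree mirroring the layout above, plus two deliberate
# mistakes: user "audit" is a member of an undefined group, and a rule
# references both an undefined group and an undefined profile.
SAMPLE_TREE = {
    "tac_plus-ng.cfg": """#!/usr/sbin/tac_plus-ng
id = tac_plus-ng {
    include = devices/*.cfg
    profile 3rd-level {
        script { if (service == shell) { permit } }
    }
    include = group/*.cfg
    include = users/*.cfg
    ruleset {
        rule {
            script {
                if (member == NET-exp) { profile = 3rd-level permit }
                if (member == NET-ops) { profile = 2nd-level permit }
            }
        }
    }
}
""",
    "devices/IPv4only.cfg": "device IPv4only {\n    address = 0.0.0.0/0\n    key = 123-my_tacacs_key\n}\n",
    "group/group.cfg": "group NET-exp\ngroup NET-pro\ngroup NET-ent\n",
    "users/99-cisco.cfg": """user dos {
    password { login = crypt $2y$10$abc pap = crypt $2y$10$def }
    member = NET-exp
}
user audit {
    password { login = crypt $2y$10$ghi }
    member = NET-audit
}
""",
}

INCLUDE_RE = re.compile(r"^\s*include\s*=\s*(\S+)", re.M)
GROUP_RE = re.compile(r"^\s*group\s+([\w.-]+)", re.M)
PROFILE_RE = re.compile(r"^\s*profile\s+([\w.-]+)\s*\{", re.M)
USER_RE = re.compile(r"^\s*user\s+([\w.-]+)\s*\{(.*?)^\}", re.M | re.S)
DEVICE_RE = re.compile(r"^\s*device\s+([\w.-]+)\s*\{(.*?)^\}", re.M | re.S)
RULE_REF_RE = re.compile(r"member\s*==\s*([\w.-]+)\s*\)\s*\{\s*profile\s*=\s*([\w.-]+)")


def write_tree(root: Path, tree: dict) -> None:
    """Materialise the constructed sample files under root."""
    for rel, text in tree.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)


def expand_includes(root: Path, main: str = "tac_plus-ng.cfg"):
    """Concatenate the main file and every file matched by its include globs."""
    findings = []
    main_text = (root / main).read_text()
    parts = [main_text]
    for pattern in INCLUDE_RE.findall(main_text):
        matches = sorted(glob.glob(str(root / pattern)))  # globs are relative to the config dir
        if not matches:
            findings.append(f"include {pattern}: no files matched")
        parts.extend(Path(p).read_text() for p in matches)
    return "\n".join(parts), findings


def check_config(root: Path) -> list:
    """Return a list of human-readable findings (empty list means consistent)."""
    text, findings = expand_includes(root)
    groups = set(GROUP_RE.findall(text))
    profiles = set(PROFILE_RE.findall(text))
    for name, body in USER_RE.findall(text):
        m = re.search(r"member\s*=\s*([\w.-]+)", body)
        if not m:
            findings.append(f"user {name}: no member group, so no rule will match")
        elif m.group(1) not in groups:
            findings.append(f"user {name}: member {m.group(1)} is not a defined group")
    for name, body in DEVICE_RE.findall(text):
        if not re.search(r"^\s*key\s*=", body, re.M):
            findings.append(f"device {name}: no shared key")
        if re.search(r"address\s*=\s*0\.0\.0\.0/0", body):
            findings.append(f"device {name}: matches every client, the key is the only device check")
    for group, profile in RULE_REF_RE.findall(text):
        if group not in groups:
            findings.append(f"rule: member {group} is not a defined group")
        if profile not in profiles:
            findings.append(f"rule: profile {profile} is not defined")
    return findings


def run_sample() -> list:
    """Write the constructed tree to a temp dir and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_tree(root, SAMPLE_TREE)
        return check_config(root)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Point check_config at /etc/tac_plus-ng/ (or any copy of it) to run it against a real split configuration; a clean tree returns no findings apart from the catch-all device warning, which is expected in this netlab.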
References
Related TACACS+NG posts:
- 01 - TAC PLUS-NG-Configuring basic authentication
- 02 - TACACS+NG PAP-CHAP authentication for AOS-CX
- 03 - Configuring TACACS+NG authentication for EXOS
- 04 - Configuring TACACS+NG authentication for VRP
- 05 - Configuring TACACS+NG authentication for VRP
- 05 - Configuring TACACS+NG authentication for freeRtr