AAA with TACACS+ Linux server setting privilege levels.

Unanswered Question
Jun 6th, 2008

I have a test Linux box running TAC_Plus and a test switch for AAA. The switch is accessing the TACACS+ server just fine. We change the passwords every time someone is released, and we have 250+ devices on our network, so a local database would be very tedious to manage. This is my first time working with AAA and TACACS+. I just need two accounts: one with limited access to commands defined by us, and then a full level 15 admin account. Below is the test setup. Am I even going in the right direction with this, or is there a better way?

Summary:

Define users with different privilege levels (support and admin).

Fall back to line login if TACACS+ is not functional.

!
version 12.2
!
enable secret xxxx
enable password xxx
!
username test privilege 15 secret xxx
aaa new-model
aaa authentication login telnet group tacacs+ line
aaa authentication login console group tacacs+ line
aaa authentication enable default group tacacs+ enable
!
aaa session-id common
!
tacacs-server host 10.x.x.x
tacacs-server directed-request
tacacs-server key xxx
!
line con 0
 password xxx
 login authentication console
line vty 0 4
 password xxx
 login authentication telnet
line vty 5 15
 password xxx
!

#####################
### tac_plus.conf file ###
key = testkey
accounting file = /var/log/tac_plus.acct

user = tester {
    # the values are crypt(3) hashes, so the type must be "des", not "cleartext"
    login = des loSpjp7SWwDy6      # hash of "logtest"
    enable = des N1J88Idk0aNTE     # hash of "entest"
    name = "test"
    cmd = show {
        permit .*
    }
}

Thanks,

Kyle

cisco24x7 Fri, 06/06/2008 - 11:26

I am not an expert with TACACS+, but I've been using TACACS+ on Linux for the past five years, so I am quite familiar with this.

First of all, what you should do is look in Google for the enable.c file. Replace your enable.c file with the new one. With this file, it will allow each user to have his/her own enable password WITHOUT sharing passwords. That is the preferred way of doing things.

Furthermore, what you're trying to do requires AAA authorization. In other words, I can give someone level-15 privilege, but that does not mean he/she can reload the router. Here is what you want:

aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none

In the tac_plus configuration, you need something like this:

group = admin {
    default service = permit
}

group = advanced {
    cmd = show { permit .* }
    # one cmd block per command; the regexes are matched against the arguments
    cmd = copy {
        permit flash
        permit running
    }
    cmd = ping { permit .* }
    cmd = configure { permit .* }
    cmd = interface { permit .* }
    # IOS sends "no shutdown" as cmd=no with cmd-arg=shutdown,
    # so the command name here is "no" and "shutdown" is the argument regex
    cmd = no { permit shutdown }
    cmd = shutdown { permit .* }
    cmd = enable { permit .* }
    cmd = disable { permit .* }
    cmd = telnet { permit .* }
    cmd = disconnect { permit .* }
    cmd = where { permit .* }
    cmd = set { permit .* }
    cmd = clear { permit line }
    cmd = exit { permit .* }
}

user = adv {
    member = advanced
    name = "Advanced User"
    login = cleartext "adv123"
    # login = des DJVS9kfrcLbus
}

user = $adv$ {
    member = advanced
    name = "Advanced User"
    login = cleartext "adv1234"
    # login = des W/3UA7J1cz3sQ
}

user = cciesec {
    member = admin
    name = "rancid user"
    login = cleartext "cciesec"
}

user = $cciesec$ {
    member = admin
    name = "rancid user"
    login = cleartext "cciesec1"
}

This should give you something to start with.

Have fun!!!!!!

CCIE Security

lifeforce4 Mon, 06/09/2008 - 10:56

Well, I have it working, sort of. I am running into a problem of the TACACS+ server having every user at privilege level 15. Here is what I have. I thought the test user would only be able to do show commands, but I could do any, even "conf t".

Thanks,

Kyle

aaa new-model
aaa authentication login telnet group tacacs+ line
aaa authentication login console group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization commands 1 default tacacs+ none
aaa authorization commands 15 default tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
tacacs-server host 10.8.7.5
tacacs-server directed-request
tacacs-server key 7 071B245F5A021C1C
!
line con 0
 password 7 045802150C2E
 login authentication console
line vty 0 4
 password 7 02050D4808095E
 login authentication telnet
line vty 5 15
 password 7 14141B180F0B

### tac_plus.conf file
user = test {
    login = cleartext "logtest"
    enable = cleartext "entest"
    name = "test"
    cmd = show {
        permit .*
    }
}

user = admin {
    default service = permit
    login = cleartext "logadmin"
    enable = cleartext "enadmin"
    name = "admin"
}
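Added example (not from the thread, and not tac_plus's own code): a small Python dry run of tac_plus command authorization against the kind of policy posted in the question and in cisco24x7's answer. It parses the subset of tac_plus.conf this thread uses (user and group blocks, member, default service, cmd blocks with permit/deny regexes) and decides a command line the way the tac_plus users' guide describes: the first word of the command is compared with the `cmd =` names of the user and then of its groups, the remaining arguments (plus the trailing `<cr>` IOS sends as a final argument) are tested against that block's regexes in order with the first match winning, a listed command with no matching rule is denied, and an unlisted command is denied unless `default service = permit` applies. The `support`, `advanced`, `adv`, `ops` and `admin` names and the credential in the sample policy are constructed for the example. Running it shows that, as written, a `cmd = show { permit .* }` policy denies `configure terminal` to the show-only user, and that a block written as `cmd = "no shutdown"` never matches anything because tac_plus only ever sees `no` as the command.

```python
import re

# Dry run of tac_plus command authorization. Added example: it mirrors the matching
# rules documented for tac_plus; it is not tac_plus code. Names below are constructed.

TWO_TOKEN_VALUES = {'login', 'enable'}   # login = cleartext "logtest" has two value tokens


def tokenize(text):
    """Split tac_plus.conf text into '{', '}', '=', quoted strings and bare words."""
    toks = []
    for line in text.splitlines():
        line = re.sub(r'#.*', '', line)                 # '#' starts a comment
        toks += re.findall(r'"[^"]*"|[{}=]|[^\s{}=]+', line)
    return [t.strip('"') for t in toks]


def parse(text):
    """Return {name: {'member', 'default_permit', 'cmds'}} for every user and group."""
    toks = tokenize(text)
    entries, i = {}, 0

    def statement(i):
        # key words up to '=', then one value token (two for login/enable)
        key = []
        while toks[i] != '=':
            key.append(toks[i])
            i += 1
        n = 2 if key[0] in TWO_TOKEN_VALUES else 1
        return key, toks[i + 1:i + 1 + n], i + 1 + n

    while i < len(toks):
        key, vals, i = statement(i)
        if key[0] not in ('user', 'group'):
            continue                                    # key =, accounting file = ...
        ent = entries[vals[0]] = {'member': None, 'default_permit': False, 'cmds': []}
        i += 1                                          # '{'
        while toks[i] != '}':
            k, v, i = statement(i)
            if k == ['member']:
                ent['member'] = v[0]
            elif k == ['default', 'service']:
                ent['default_permit'] = (v[0] == 'permit')
            elif k == ['cmd']:
                rules, i = [], i + 1                    # '{'
                while toks[i] != '}':
                    rules.append((toks[i], toks[i + 1]))   # ('permit'|'deny', regex)
                    i += 2
                ent['cmds'].append((v[0], rules))
                i += 1                                  # '}'
        i += 1                                          # '}'
    return entries


def authorize(entries, username, cmdline):
    """True if tac_plus would permit `cmdline` for `username`.

    First word = command, matched against cmd blocks of the user, then its group chain.
    Arguments are searched (unanchored) with each regex in order; first match decides.
    Listed command with no match: deny. Unlisted command: deny unless default service = permit.
    """
    words = cmdline.split()
    cmd, args = words[0], ' '.join(words[1:] + ['<cr>'])   # IOS sends the final <cr> as an argument
    default_permit, name = False, username
    while name in entries:
        ent = entries[name]
        for listed, rules in ent['cmds']:
            if listed == cmd:
                for action, regex in rules:
                    if re.search(regex, args):
                        return action == 'permit'
                return False
        default_permit = default_permit or ent['default_permit']
        name = ent['member']
    return default_permit


# Constructed policy in the shape of the thread's configs.
POLICY = '''
group = admin { default service = permit }
group = advanced {
    cmd = show { permit .* }
    cmd = copy { permit flash
                 permit running }
    cmd = no { permit shutdown }     # "no shutdown" arrives as cmd=no, cmd-arg=shutdown
    cmd = clear { permit line }
}
user = support {
    login = cleartext "logtest"      # constructed test credential
    cmd = show { permit .* }
}
user = adv { member = advanced }
user = ops { member = admin }
'''

# Pitfall: quoting the whole command never matches, tac_plus only sees "no" as the command.
PITFALL = 'group = g { cmd = "no shutdown" { permit .* } }  user = u { member = g }'

if __name__ == '__main__':
    p = parse(POLICY)
    for user, line in [('support', 'show running-config'), ('support', 'configure terminal'),
                       ('adv', 'copy running-config tftp:'), ('adv', 'copy startup-config tftp:'),
                       ('adv', 'no shutdown'), ('ops', 'reload')]:
        print(f'{user:8} {line:28} -> {"permit" if authorize(p, user, line) else "deny"}')
    print('pitfall: no shutdown ->', authorize(parse(PITFALL), 'u', 'no shutdown'))
```

This checks the daemon's policy only. Whether the switch asks the server about each command at all depends on the `aaa authorization commands` method lists on the IOS side, which the script does not model.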
