06-06-2008 07:02 AM - edited 03-10-2019 03:53 PM
I have a test Linux box running TAC_Plus and a test switch for AAA. The switch is accessing the TACACS+ server just fine. We change the passwords every time someone is released and we have 250+ devices on our network so a local database would be very tedious to manage. This is my first time working with AAA and TACACS+. I just need two accounts one with limited access to commands defined by us and then a full level 15 Admin account. Below is the test setup am I even going the right direction with this or is there a better way?
Summary:
Define users with different privilege levels (support and admin).
Fall back to line login if TACACS+ is not functional.
!
version 12.2
!
enable secret xxxx
enable password xxx
!
username test privilege 15 secret xxx
aaa new-model
aaa authentication login telnet group tacacs+ line
aaa authentication login console group tacacs+ line
aaa authentication enable default group tacacs+ enable
!
aaa session-id common
!
tacacs-server host 10.x.x.x
tacacs-server directed-request
tacacs-server key xxx
!
line con 0
password xxx
login authentication console
line vty 0 4
password xxx
login authentication telnet
line vty 5 15
password xxx
!
#####################
### tac_plus.conf file ###
key = testkey
accounting file = /var/log/tac_plus.acct
user = tester {
    # the quoted values are DES crypt hashes, so they need "des", not "cleartext"
    login = des "loSpjp7SWwDy6"   # logtest
    enable = des "N1J88Idk0aNTE"  # entest
    name = "test"
    cmd = show {
        permit .*
    }
}
Thanks,
Kyle
06-06-2008 11:26 AM
I am not an expert with TACACS+, but I've been using TACACS+ on Linux for the past five years, so I am quite familiar with this.
First of all, what you should do is look in Google for the enable.c file. Replace your enable.c file with the new one. With this file, it will allow each user to have his/her own enable password WITHOUT sharing a password. That is the preferred way of doing things.
Furthermore, what you're trying to do requires AAA authorization. In other words, I can give someone level-15 privilege, but that does not mean he/she can reload the router. Here is what you want:
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
In the tac_plus configuration, you need something like this:
group = admin {
    default service = permit
}
group = advanced {
    cmd = show { permit .* }
    cmd = copy { permit flash }
    cmd = copy { permit running }
    cmd = ping { permit .* }
    cmd = configure { permit .* }
    cmd = interface { permit .* }
    cmd = "no shutdown" { permit .* }
    cmd = shutdown { permit .* }
    cmd = enable { permit .* }
    cmd = disable { permit .* }
    cmd = telnet { permit .* }
    cmd = disconnect { permit .* }
    cmd = where { permit .* }
    cmd = set { permit .* }
    cmd = clear { permit line }
    cmd = exit { permit .* }
}
user = adv {
    member = advanced
    name = "Advanced User"
    login = cleartext "adv123"
    # login = des DJVS9kfrcLbus
}
user = $adv$ {
    member = advanced
    name = "Advanced User"
    login = cleartext "adv1234"
    # login = des W/3UA7J1cz3sQ
}
user = cciesec {
    member = admin
    name = "rancid user"
    login = cleartext "cciesec"
}
user = $cciesec$ {
    member = admin
    name = "rancid user"
    login = cleartext "cciesec1"
}
This should give you something to start with.
Have fun!!!!!!
CCIE Security
06-09-2008 10:56 AM
Well, I have it working, sort of. I am running into a problem of the TACACS server having every user at privilege level 15. Here is what I have; I thought the test user would only be able to do show commands, but I could do any, even "conf t".
Thanks,
Kyle
aaa new-model
aaa authentication login telnet group tacacs+ line
aaa authentication login console group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization commands 1 default tacacs+ none
aaa authorization commands 15 default tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
tacacs-server host 10.8.7.5
tacacs-server directed-request
tacacs-server key 7 071B245F5A021C1C
!
line con 0
password 7 045802150C2E
login authentication console
line vty 0 4
password 7 02050D4808095E
login authentication telnet
line vty 5 15
password 7 14141B180F0B
### tac_plus.conf file
user = test {
    login = cleartext "logtest"
    enable = cleartext "entest"
    name = "test"
    cmd = show {
        permit .*
    }
}
user = admin {
    default service = permit
    login = cleartext "logadmin"
    enable = cleartext "enadmin"
    name = "admin"
}
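Added example (not code from either poster, and not tac_plus's own code): a small Python model of how tac_plus answers a per-command authorization request, the decision that the device's `aaa authorization commands` lines in the replies above are meant to ask for. It parses a constructed `tac_plus.conf` modelled on the two snippets in this thread (the `deny running-config` rule in group `advanced` is an addition for the demonstration) and reports permit/deny for a user and command line. The assumed, simplified semantics are: the first word of the command is matched against `cmd` blocks in the user, then in the group named by `member =`; the remaining words are joined and searched (unanchored) by each `permit`/`deny` regex in order, and the first match decides; a matching `cmd` block with no matching rule denies; a user with no matching block is permitted only if `default service = permit` is set somewhere in the chain. The value for a defender is the comparison: if the server would deny `configure terminal` for `test` but the switch still lets it through, the switch is not sending the authorization request at all, so the device-side `aaa authorization` configuration is where to look.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample modelled on the two tac_plus.conf snippets in this thread;
# the "deny running-config" line in group advanced is an addition for the demo.
SAMPLE_CONF = """
group = admin {
    default service = permit
}
group = advanced {
    cmd = show { deny running-config
                 permit .* }
    cmd = copy { permit flash }
    cmd = configure { permit .* }
    cmd = clear { permit line }
}
user = test {
    login = cleartext "logtest"   # constructed password
    cmd = show { permit .* }
}
user = adv {
    member = advanced
}
user = admin {
    default service = permit
}
"""


@dataclass
class Entity:
    member: Optional[str] = None               # group this user/group belongs to
    default_permit: bool = False               # "default service = permit" seen
    cmds: list = field(default_factory=list)   # [(cmd_name, [(action, regex), ...])]


BLOCK_OPEN = re.compile(r'^(group|user|cmd)\s*=\s*(?:"([^"]*)"|(\S+))\s*\{$')
RULE = re.compile(r'^(permit|deny)\s+(.+)$')
MEMBER = re.compile(r'^member\s*=\s*(\S+)$')


def parse_conf(text):
    """Parse the subset of tac_plus.conf syntax this model needs into
    {"user": {name: Entity}, "group": {name: Entity}}."""
    conf = {"user": {}, "group": {}}
    entity, rules = None, None   # open user/group block, open cmd rule list
    # put every '{' at a line end and every '}' on its own line, then read line by line
    for raw in text.replace("{", "{\n").replace("}", "\n}\n").splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        m = BLOCK_OPEN.match(line)
        if m:
            kind = m.group(1)
            name = m.group(2) if m.group(2) is not None else m.group(3)
            if kind == "cmd":
                rules = []
                entity.cmds.append((name, rules))
            else:
                entity = conf[kind][name] = Entity()
        elif line == "}":
            if rules is not None:
                rules = None          # close the cmd block
            else:
                entity = None         # close the user/group block
        elif rules is not None and RULE.match(line):
            rules.append(RULE.match(line).groups())
        elif entity is not None:
            if line.split() == ["default", "service", "=", "permit"]:
                entity.default_permit = True
            if MEMBER.match(line):
                entity.member = MEMBER.match(line).group(1)
    return conf


def authorize(conf, username, command_line):
    """True if the modelled tac_plus would permit command_line for username."""
    words = command_line.split()
    if not words:
        return False
    cmd, args = words[0], " ".join(words[1:])   # IOS sends cmd and cmd-arg separately
    entity, seen = conf["user"].get(username), set()
    while entity is not None:
        blocks = [rules for name, rules in entity.cmds if name == cmd]
        for rules in blocks:
            for action, regex in rules:
                if re.search(regex, args):      # first matching rule decides
                    return action == "permit"
        if blocks:                              # cmd block present, no rule matched
            return False
        if entity.default_permit:               # no cmd block: default service
            return True
        if entity.member is None or entity.member in seen:
            return False                        # nothing left to inherit from
        seen.add(entity.member)
        entity = conf["group"].get(entity.member)
    return False


CONF = parse_conf(SAMPLE_CONF)


def check(username, command_line):
    """Decision for the constructed sample config."""
    return authorize(CONF, username, command_line)


if __name__ == "__main__":
    for user, cmd in [("test", "show running-config"), ("test", "configure terminal"),
                      ("adv", "show running-config"), ("adv", "configure terminal"),
                      ("adv", "clear counters"), ("admin", "reload"), ("ghost", "show version")]:
        print(f"{user:6} {cmd:22} -> {'permit' if check(user, cmd) else 'deny'}")
```

Feed it a copy of the real `tac_plus.conf` and the command that surprised you; if the model says deny while the device said permit, the device never asked, which is what the `aaa authorization exec` / `config-commands` / `commands <level>` lines in the reply above control.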