FreeBSD TACACS+ GNS3 and Cisco 3700 Router

TACACS+ (Terminal Access Controller Access Control System Plus) is a session-based AAA protocol developed by Cisco.

Compared with the original TACACS, the security (encryption) of the protocol has been improved. TACACS+ also handles authentication, authorization, and accounting (AAA) as three separate services.

Used resources:

  1. FreeBSD 9.2 x64 (VM, IP:
  2. GNS3 (Router 3700, IP:
  3. Windows LoopBACK_Adapter (IP:

Flow structure will be as follows:
FreeBSD x64 => LoopBACK Adapter ( => GNS Cloud => Cisco Router

Network topology will be as follows:

Start the server configuration

Note: As the virtual machine host I used VMware Workstation.

Before connecting the FreeBSD virtual port to the LoopBack adapter, update all ports and reboot the server.
portsnap fetch extract update

cd /usr/ports/net/tac_plus4 # Go to the tac_plus4 port
make install clean # Build and install, then clean the work directory
rehash # Update the shell's binary database

Add tac_plus to startup.
cat /etc/rc.conf
ifconfig_em0="inet netmask"
tac_plus_enable="YES" # Start tac_plus at boot
tac_plus_flags="-d 8 -d 16 -d 32 -d 64 -C /usr/local/etc/tac_plus.conf"
-d – debugging (each value enables one debug class):
8 – authorization debugging
16 – authentication debugging
32 – crypt file debugging
64 – accounting debugging
-C – configuration file (/usr/local/etc/tac_plus.conf)

The configuration file will be as follows:
cat /usr/local/etc/tac_plus.conf
# Path for the accounting file
accounting file = /var/log/tac_plus.acct

# Pre-shared key used between the Cisco device and the TACACS+ server
key = "freebsd"

# Groups
# Create groups named 'admin' and 'service' and define their access.
group = admin {
    default service = permit   # Allow everything by default.
    service = exec {           # Privilege level is 15
        priv-lvl = 15
    }
}

group = service {
    default service = deny     # Deny everything by default.
    service = exec {           # Privilege level is 15
        priv-lvl = 15
    }
}

# Users
# Create users, add them to the groups created above, and filter their commands.
user = jamal {                 # Create the user 'jamal'
    member = admin             # and add him to the 'admin' group.
    login = des NQU3rObo2Ntoc  # Password hashed with the 'des' (crypt) algorithm; see 'tac_pwd' below.
}

user = auditor {               # Create the user 'auditor',
    member = admin             # add him to the 'admin' group, and deny the commands listed below.
    cmd = configure {
        deny .*
    }
    cmd = enable {
        deny .*
    }
    cmd = clear {
        deny .*
    }
    cmd = reload {
        deny .*
    }
    cmd = write {
        deny .*
    }
    cmd = copy {
        deny .*
    }
    cmd = erase {
        deny .*
    }
    cmd = delete {
        deny .*
    }
    cmd = archive {
        deny .*
    }
    login = cleartext secret   # The password for 'auditor' is written as 'cleartext'.
}

user = event_manager {         # 'event_manager' is a member of
    member = service           # the 'service' group (everything is denied by default),
    cmd = clear {              # so only the following commands are allowed.
        permit .*
    }
    cmd = tclsh {
        permit .*
    }
    cmd = squeeze {
        permit .*
    }
    cmd = event {
        permit .*
    }
    cmd = more {
        permit .*
    }
    cmd = show {
        permit version         # The argument regex is unanchored; use ^version$ to allow only 'show version'.
    }
    cmd = delete {
        permit .*
    }
    cmd = "delete /force" {
        permit .*
    }
    cmd = "enable" {
        permit .*
    }
    login = des 07xU3lvh1hC3I  # Here too the password is hashed with the 'des' algorithm.
}
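To check a command policy like the one above before deploying it, the following added example (not code from the original post or from tac_plus) models tac_plus command authorization for a constructed subset of the 'auditor' and 'event_manager' rules: the cmd block is looked up on the user first and then on the group, the argument string is matched against each regex in order with the first match winning, a block with no matching line denies, and a command with no block at all falls back to 'default service'. It also shows why the unanchored 'permit version' matches more than 'show version'.

```python
import re

# Constructed subset of the tac_plus.conf policy shown above.
GROUPS = {
    "admin":   {"default": "permit", "cmds": {}},
    "service": {"default": "deny",   "cmds": {}},
}
USERS = {
    "auditor": {"member": "admin", "cmds": {
        "configure": [("deny", ".*")],
        "enable":    [("deny", ".*")],
        "reload":    [("deny", ".*")],
        "write":     [("deny", ".*")],
    }},
    "event_manager": {"member": "service", "cmds": {
        "clear":  [("permit", ".*")],
        "show":   [("permit", "version")],   # unanchored, as on the page
        "enable": [("permit", ".*")],
    }},
}


def authorize(user, command):
    """Return 'permit' or 'deny' for one command line, following tac_plus rules."""
    words = command.split()
    if not words:
        return "deny"
    cmd, args = words[0], " ".join(words[1:])
    u = USERS[user]
    g = GROUPS[u["member"]]
    # User-level cmd block takes precedence over the group's block.
    rules = u["cmds"].get(cmd)
    if rules is None:
        rules = g["cmds"].get(cmd)
    if rules is None:
        # No cmd block anywhere: 'default service' of the user, else the group.
        return u.get("default", g["default"])
    for action, pattern in rules:
        # tac_plus matches the argument string as an unanchored regex.
        if re.search(pattern, args):
            return action
    return "deny"   # a cmd block exists but nothing matched


if __name__ == "__main__":
    for user, line in [("auditor", "show running-config"),
                       ("auditor", "configure terminal"),
                       ("event_manager", "show version"),
                       ("event_manager", "show running-config | include version")]:
        print(f"{user:14} {line!r:45} -> {authorize(user, line)}")
```

The last case is permitted only because the regex is unanchored; changing the pattern to ^version$ makes it deny.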

Note: If we don't want our passwords stored as cleartext, we must hash them with the 'des' algorithm. For this we use the 'tac_pwd' command.

tac_pwd # Run this command and press ENTER, then type the password you need and press ENTER again. Copy the 'des' hash it prints; this is the value you put after 'login = des'.

touch /var/log/tac_plus.acct # Create the TACACS+ accounting log file.
chown tacacs /var/log/tac_plus.acct # Change the owner to tacacs.
chmod 755 /var/log/tac_plus.acct # Give access to the file (the log records every accounted command, so a tighter mode such as 640 is enough for the daemon).
/usr/local/etc/rc.d/tac_plus start # Start the service

netstat -a | grep tac # Check that the daemon is listening
tcp4 0 0 *.tacacs *.* LISTEN

Configure the Cisco router in GNS3.

conf t # Enter global configuration mode.
interface fastEthernet 0/0 # Configure the interface connected to the cloud
ip address # Set the IP address.

aaa new-model # Enable the AAA model
tacacs-server host key 0 freebsd # Set the IP address of the TACACS+ server and the pre-shared key 'freebsd' ('0' means the key is given unencrypted).
tacacs-server timeout 2 # Wait at most 2 seconds for the server to answer
tacacs-server directed-request # Allow a user to direct the request to a specific server with user@host
aaa group server tacacs+ tac-int # Create an AAA TACACS+ server group named 'tac-int'
server # and add the TACACS+ server to this group.

Define AAA method lists named 'admin' that use the tac-int group first and fall back to the local database:
aaa authentication login admin group tac-int local
aaa authorization exec admin group tac-int local
aaa authorization commands 15 admin group tac-int local
aaa accounting update newinfo
aaa accounting commands 15 admin start-stop group tac-int

Apply the 'admin' method lists to terminal (vty) lines 0 to 4:
line vty 0 4
authorization commands 15 admin
authorization exec admin
accounting commands 15 admin
login authentication admin

To debug the router we can use the following commands.

Debug for AAA:
debug aaa per-user
debug aaa authentication
debug aaa authorization
debug aaa accounting

Debug for TACACS+:
debug tacacs authentication
debug tacacs authorization
debug tacacs accounting
debug tacacs events
debug tacacs packet

Finally, connect to the router from the Windows 7 desktop:

If you see the following line, TACACS+ is working:
User Access Verification

If instead you see a line like the following, something is wrong; use the debug commands above.
