FreeBSD TACACS+ GNS3 and Cisco 3700 Router

TACACS+ – (Terminal Access Controller Access Control System plus) — is a session protocol developed by Cisco.

Security(encryption) of the Protocol has improved. TACACS+ is a separately handles authentication, authorization, and accounting (AAA) services.

Used resources:

  1. FreeBSD 9.2 x64 (VM, IP: 10.0.0.10)
  2. GNS3 (Router 3700, IP: 10.0.0.100)
  3. Windows LoopBACK_Adapter (IP: 10.0.0.1)

Flow structure will be as follows:
FreeBSD x64 10.0.0.10 => LoopBACK Adapter (10.0.0.1) => GNS Cloud => Cisco Router 10.0.0.100

Network topology will be as follows:
Tac-3700

Start the server configuration

Note: As virtual machine I used VmWare Workstation.

Before connect FreeBSD virtual port to LoopBack adapter update all ports and reboot thee server.
portsnap fetch extract update

cd /usr/ports/net/tac_plus4 # Go to the tac_plus4 port
make install clean # install
rehash # Update binary database

Add tac_plus to startup.
cat /etc/rc.conf
ifconfig_em0=”inet 10.0.0.10 netmask 255.255.255.0″
hostname=”tacacs.az”
sshd_enable=”YES”
tac_plus_enable=”YES” # StartUP tac_plus
tac_plus_flags=”-d 8 -d 16 -d 32 -d 64 -C /usr/local/etc/tac_plus.conf”
-d‘ – debuging
8 – authorization debugging
16 – authentication debugging
32 – crypt file debugging
64 – accounting debugging
-C‘ – ‘/usr/local/etc/tac_plus.conf‘ configuration file

The configuration file will be as follows:
cat /usr/local/etc/tac_plus.conf
# Path for accounting file
accounting file = /var/log/tac_plus.acct

# Pre-shared key which will be used between Cisco device and TACACS server
key = “freebsd

# Groups
# Create groups with names ‘admin‘ and ‘service‘ and give access to this groups.
group = admin {
default service = permit # Allow all by default.
service = exec { # Privilege level is 15
priv-lvl = 15
}
}

group = service {
default service = deny # Deny by default.
service = exec { # Privilege level is 15
priv-lvl = 15
}
}

# Users
# Create users, add users to already created groups. Filter user commands.
user = jamal { # Create user by name ‘jamal
member = admin # and add to ‘admin‘ group.
login = des NQU3rObo2Ntoc # Crypt password with ‘des‘ algorithm (About crypt password with ‘tac_pwd‘ we will speak later)
}

user = auditor { # Create user by name ‘auditor‘,
member = admin # and add to ‘admin‘ group. Deny command list below.
cmd = configure {
deny .*
}
cmd = enable {
deny .*
}
cmd = clear {
deny .*
}
cmd = reload {
deny .*
}
cmd = write {
deny .*
}
cmd = copy {
deny .*
}
cmd = erase {
deny .*
}
cmd = delete {
deny .*
}
cmd = archive {
deny .*
}
login = cleartext secret # Password for ‘auditor‘ user we wrote as ‘cleartext‘.
}
user = event_manager { # ‘event_manager‘ user is member of,
member = service # ‘service‘ group(By default everything is deny for this group)
cmd = clear { # Here are allowed to use only the following commands.
permit .*
}
cmd = tclsh {
permit .*
}
cmd = squeeze {
permit .*
}
cmd = event {
permit .*
}
cmd = more {
permit .*
}
cmd = show {
permit version
}
cmd = delete {
permit .*
}
cmd = “delete /force” {
permit .*
}
cmd = “enable” {
permit .*
}
login = des 07xU3lvh1hC3I # Of course and here we encrypting password with ‘des‘ algorithm.
}

Qeyd: If we don’t want to see our passwords as cleartext, we must encrypt our passwords with ‘des‘ algorithm. For this we will use ‘tac_pwd‘ command.

tac_pwd # Just write this command and press the ENTER button. Then write password which you need, and press the ENTER button. Then copy ‘des‘ encrypted new line. You will use this encrypted password in ‘login = des‘ directive.

touch /var/log/tac_plus.acct # Create tacacs accounting file for logs.
chown tacacs /var/log/tac_plus.acct # Change owner to tacacs.
chmod 755 /var/log/tac_plus.acct # Give access to file.
/usr/local/etc/rc.d/tac_plus start # restart the service

netstat -a | grep tac # Check the daemon listener
tcp4 0 0 *.tacacs *.* LISTEN

Configure Cisco Router in GNS3.

conf t # Go to global mode.
interface fastEthernet 0/0 # Configure interface connected to cloud
ip address 10.0.0.100 255.255.255.0 # Set the IP address.

aaa new-model # Enter the AAA model
tacacs-server host 10.0.0.10 key 0 freebsd # Set IP address of tacacs server ‘10.0.0.10‘ and write pre-shared key ‘freebsd‘.
tacacs-server timeout 2 # Login timeout will be 2 second
tacacs-server directed-request # Request will be directly
aaa group server tacacs+ tac-int # Create aaa tacacs+ group with ‘tac-int‘ name
server 10.0.0.10 # And add ‘10.0.0.10‘ tacacs server to this list.

Add all aaa to tac-int admin group:
aaa authentication login admin group tac-int local
aaa authorization exec admin group tac-int local
aaa authorization commands 15 admin group tac-int local
aaa accounting update newinfo
aaa accounting commands 15 admin start-stop group tac-int

Apply admin login to terminal sessions between 0 and 4:
line vty 0 4
authorization commands 15 admin
authorization exec admin
accounting commands 15 admin
login authentication admin

For debug Router we can use the following commands.

Debug for AAA:
debug aaa per-user
debug aaa authentication
debug aaa authorization
debug aaa accounting

Debug for tacacs we can use the following commands:
debug tacacs authentication
debug tacacs authorization
debug tacacs accounting
debug tacacs events
debug tacacs packet

At the end from our Windows7 desktop connect to our router:
telnet 10.0.0.100

If you will see lines as follow then TACACS is working:
User Access Verification

Username:

If you will see line as follow then, something is wrong and go to debug.

Password:

Advertisements

2 thoughts on “FreeBSD TACACS+ GNS3 and Cisco 3700 Router

  1. First of all I want to say excellent blog! I had a quick question that I’d like to ask if you don’t mind.
    I was curious to find out how you center yourself and clear your thoughts prior
    to writing. I’ve had a tough time clearing my thoughts in getting my ideas out.

    I truly do take pleasure in writing but it just seems like the
    first 10 to 15 minutes are lost just trying
    to figure out how to begin. Any recommendations or hints?
    Thanks!

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s