Thursday, November 6, 2014

Lab Services: Adding a TACACS+ Server

We can set up local user accounts on each of our devices, but making changes is then a bit tedious and error-prone. One alternative is to set up AAA, and control user accounts from our lab server.

Setting up a TACACS+ server to provide centralized authentication for your lab devices is surprisingly easy. I'm using a Ubuntu 14 server for my lab PC, and it was a simple matter of installing the tacacs+ package:

sudo apt-get install tacacs+

On Ubuntu the TACACS+ configuration file is in /etc/tacacs+/tac_plus.conf

We only need to change a few things:

key = superseekret  

Obviously we'll set this whatever key we'd like to use.

default authentication = file /etc/passwd

For the most basic configuration, this line just tells TACACS+ to use the accounts we've defined on our Linux box already.

We can verify that TACACS+ is running:

linux:/$ netstat -l | grep tacacs
tcp        0      0 *:tacacs                *:*                     LISTEN

and if necessary, insert an iptables rule to allow incoming TACACS+ traffic:

sudo iptables -A INPUT -p tcp -s [lab network] --dport 49 -j ACCEPT 

We should remember port 49 from our CCNA studies, if only vaguely!

Next, we configure our Cisco device:

oakland(config)#aaa new-model
oakland(config)#tacacs-server host 10.16.0.49
oakland(config)#tacacs-server key superseekret
oakland(config)#aaa authentication login default group tacacs+ local

Assuming we have ssh set up, we can now try out our login:

oakland#ssh -l me 10.16.0.1

Password: 

oakland>

We're logged in with our Linux account. But there's a lot more to useful authentication than this basic configuration - consider what happens when you try 'enable' now?

oakland>enable
% Error in authentication.

More on that later...

Posted by at No comments:

Ready, Set, Go! My CCNP Lab

This blog is intended to be a diary of my studies in preparation for the CCNP (Cisco Certified Network Professional) exam.

I don't intend for a large audience (or any audience, for that matter), but it is my hope that someday someone might find a post or two here useful.

My home networking lab has grown significantly since I first set it up for my CCNA studies:

Beyond the upgrade to a four-post rack, one of the best changes I have made is having all my devices connected to a DIGI CM 32 Serial Console Server. No more reaching around to plug and unplug those blue Cisco rollover cables! I purchased it on eBay for about $60, which is a pretty good deal considering they are listed on CDW for $2500. Crazy.
Posted by at No comments:
Subscribe to: Comments (Atom)