Thursday, November 6, 2014

Lab Services: Adding a TACACS+ Server

We can set up local user accounts on each of our devices, but making changes is then tedious and error-prone, and it's easy for the devices to drift out of sync. One alternative is to set up AAA and control user accounts centrally from our lab server.

Setting up a TACACS+ server to provide centralized authentication for your lab devices is surprisingly easy. I'm using an Ubuntu 14 server for my lab PC, and it was a simple matter of installing the tacacs+ package:

sudo apt-get install tacacs+

On Ubuntu the TACACS+ configuration file is in /etc/tacacs+/tac_plus.conf

We only need to change a few things:

key = superseekret

Obviously we'll set this to whatever key we'd like to use. This is the shared secret every device will present, and it is all that protects the packet bodies: TACACS+ XORs each body with an MD5-derived pad built from the session ID, the key, the version and the sequence number, so anyone who captures the traffic and knows (or guesses) the key can read every password sent through it. Use a long random string rather than a word, and change it if it leaks.

default authentication = file /etc/passwd

For the most basic configuration, this line tells tac_plus to authenticate any user who has no explicit entry in the config against the accounts we've already defined on our Linux box. On a system with shadow passwords the hashes actually live in /etc/shadow, so the daemon needs to be able to read them; the Debian package handles this, but bear it in mind if you run tac_plus under a different account.

We can verify that TACACS+ is running:

linux:/$ netstat -l | grep tacacs
tcp        0      0 *:tacacs                *:*                     LISTEN

and if necessary, insert an iptables rule to allow incoming TACACS+ traffic. Keep it restricted to the lab network: anything that can reach port 49 and knows the key can try passwords against every local account on the box:

sudo iptables -A INPUT -p tcp -s [lab network] --dport 49 -j ACCEPT 

We should remember port 49 from our CCNA studies, if only vaguely!
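Before touching the router it's handy to be able to exercise the server from the lab PC itself, and to see what actually goes over the wire. The following is an added example, not code from the original post or from the tac_plus project: a minimal TACACS+ ASCII-login client that builds the START and CONTINUE packets, applies the MD5 pseudo-pad obfuscation described above, and decodes the server's REPLY. The server address and key are the ones used in this post; the user name, password and port name in the usage block are placeholders you substitute, and it assumes tac_plus answers a START carrying a user name with GETPASS, which is the normal ASCII login flow.

```python
#!/usr/bin/env python3
"""Minimal TACACS+ (RFC 8907) ASCII-login client for testing a lab tac_plus server.

Added example, not part of the original post. 10.16.0.49 and 'superseekret' are
taken from the post; the user and password below are placeholders.
"""
import hashlib
import os
import socket
import struct

VERSION = 0xC0                   # major 0xc, minor 0
TAC_PLUS_AUTHEN = 0x01           # header type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHEN_LOGIN = 0x01     # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
REPLY_STATUS = {0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
                0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW"}

# version, type, seq_no, flags, session_id, body length
HEADER = struct.Struct("!BBBBII")


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream from RFC 8907 s4.5: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_n-1), concatenated and truncated."""
    if isinstance(key, str):
        key = key.encode()
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def obfuscate(body, session_id, key, seq_no, version=VERSION):
    """XOR body with the pseudo pad. XOR is symmetric, so this also de-obfuscates:
    whoever holds the key can recover any captured body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key, version=VERSION):
    header = HEADER.pack(version, ptype, seq_no, 0x00, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no, version)


def authen_start(user, port="tty0", rem_addr="", data=b"", priv_lvl=1):
    """Authentication START body for an ASCII login."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = bytes([TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                   TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(data)])
    return fixed + u + p + r + data


def authen_continue(user_msg, data=b"", flags=0):
    """Authentication CONTINUE body carrying the user's answer (here, the password)."""
    msg = user_msg.encode()
    return struct.pack("!HHB", len(msg), len(data), flags) + msg + data


def parse_reply(body):
    """Decode an authentication REPLY body into (status name, flags, server_msg)."""
    status, flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    server_msg = body[6:6 + msg_len].decode(errors="replace")
    return REPLY_STATUS.get(status, hex(status)), flags, server_msg


def recv_packet(sock, key):
    header = sock.recv(HEADER.size, socket.MSG_WAITALL)
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack(header)
    body = sock.recv(length, socket.MSG_WAITALL)
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, seq_no, version)
    return seq_no, body


def ascii_login(host, key, user, password, port=49, timeout=5):
    """START(user) -> GETPASS -> CONTINUE(password) -> PASS/FAIL. Client seq_nos are odd."""
    session_id = struct.unpack("!I", os.urandom(4))[0]
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_packet(TAC_PLUS_AUTHEN, 1, session_id, authen_start(user), key))
        seq, body = recv_packet(s, key)
        status, _, msg = parse_reply(body)
        if status != "GETPASS":
            return status, msg
        s.sendall(build_packet(TAC_PLUS_AUTHEN, seq + 1, session_id,
                               authen_continue(password), key))
        _, body = recv_packet(s, key)
        status, _, msg = parse_reply(body)
        return status, msg


if __name__ == "__main__":
    # Placeholder credentials: substitute a real account on the lab box.
    print(ascii_login("10.16.0.49", "superseekret", "me", "changeme"))
```

Run it from the lab PC with a real account and you should see ('PASS', '') for a good password and ('FAIL', ...) for a bad one, which confirms the daemon, the key and the firewall rule before any router config is involved. The obfuscate() function is also a reminder of how little the key protects: it is the only input an eavesdropper lacks, and the same XOR that hides a password reveals it to anyone who has it.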

Next, we configure our Cisco device:

oakland(config)#aaa new-model
oakland(config)#tacacs-server host 10.16.0.49
oakland(config)#tacacs-server key superseekret
oakland(config)#aaa authentication login default group tacacs+ local

Assuming we have SSH set up, we can now try out our login. Note that the trailing 'local' in the method list is a fallback for when no TACACS+ server responds, not for a rejected password, so keep the console session used for the configuration open until the new login has been tested:

oakland#ssh -l me 10.16.0.1

Password: 

oakland>

We're logged in with our Linux account. But there's a lot more to useful authentication than this basic configuration. Consider what happens when we try 'enable' now:

oakland>enable
% Error in authentication.

More on that later...
