-
Notifications
You must be signed in to change notification settings - Fork 35
TACACS
Terminal access controller access-control system plus (TACACS+) is a protocol used for centralized authentication, authorization, and accounting (AAA) for network services. This information covers how to setup a generic TACACS+ server, and how to setup a TACACS+ client on OPX.
1. Install TACACS+ server.
apt-get install tacacs+
2. Edit the TACACS+ configuration file /etc/tacacs+/tac_plus.conf
to include the username and secret key. In the example, user1
is added with password pass1
.
accounting file = /var/log/tac_plus.acct
key = testing123
user = user1 {
global = cleartext pass1
service = ppp protocol = ip {
}
}
3. Start the TACACS+ server.
tac_plus -C /etc/tacacs+/tac_plus.conf -G -g -d 512
1. Install the PAM TACACS+ authentication package. Ensure that your /etc/apt/sources.list
file includes this line.
deb http://deb.openswitch.net/contrib/stretch stable main
2. Install the TACACS+ PAM package and library.
sudo apt-get -qq update && sudo apt-get -qq install -y libpam-tacplus libtac2-bin
The libpam-tacplus
and libtac2-bin
packages are hosted in the deb.openswitch.net
package repository and are compiled from source. The source can be found at https://github.com/jeroennijhof/pam_tacplus.
3. Add the library files to the LD_LIBRARY_PATH
.
echo "export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/root/pam_tacplus-1.5.0-beta.2/.libs" >> /etc/opx/opx-environment.sh
4. Source the environment file or logout/login back for the LD_LIBRARY_PATH
to take effect.
source /etc/opx/opx-environment.sh
5. Enable sshd
authorization to use TACACS+.
sudo sed -i '/# PAM configuration for the Secure Shell service/ a auth include tacacs' /etc/pam.d/sshd
6. Create a new file /etc/pam.d/tacacs
for authorization, accounting and authentication and add these contents:
In the server parameter, add the TACACS+ server IP and the service as ‘ppp’ as mentioned in the /etc/tacacs+/tac_plus.conf
file in the TACACS+ server.
#%PAM-1.0
auth sufficient /root/pam_tacplus-1.5.0-beta.2/.libs/pam_tacplus.so debug server=10.11.14.116 secret=testing123
account sufficient /root/pam_tacplus-1.5.0-beta.2/.libs/pam_tacplus.so debug server=10.11.14.116 secret=testing123 service=ppp protocol=ssh
session sufficient /root/pam_tacplus-1.5.0-beta.2/.libs/pam_tacplus.so debug server=10.11.14.116 secret=testing123 service=ppp protocol=ssh
7. Restart the sshd
service.
systemctl restart sshd
8. The libtac2
library includes a client program called tacc, which can be used for testing.
tacc --authenticate --authorize --account --username user1 --password pass1 --server 10.11.14.116 --remote localhost --secret testing123 --service ppp --protocol ip --login pap -y ttyS1
Authentication OK
Authorization OK: (Service granted)
Accounting: START OK
Accounting: STOP OK
--username: Specified in the tacacs+ server which is user1
--password: Specified in the tacacs+ server which is pass1
--server: TACACS+ server IP address
--secret: Secret key specified in TACACS+ server
--service: PPP service specified in TACACS+ server
9. Create the local user user1
before SSHing to the OPX system. -m
option will create a home directory in (for example, /home/user1
).
useradd –m user1
10. SSH from any server to the client using the username from the previous step and the password you specified for that new username. The request will go to TACACS+ server and it will authenticate, authorize and give accounting access.
© 2019 OpenSwitch project. All information is contributed to and made available by OPX under the Creative Commons Attribution 4.0 International License (available at http://creativecommons.org/licenses/by/4.0/).
- Home
- System overview
- Software releases
- Hardware support
- FAQs
- Install
- Build
- Configure
- Develop
- Administer
- Troubleshoot
- Software compatibility
- Contribute
- DevOps
- Join