Monday, July 7th
TACACs+ Server on Ubuntu

Informational

Step 1: Run command: sudo apt-get install tacacs+

Step 2: Before editing the tac_plus.conf file, back up the original so you have something to refer to in case anything breaks.

Step 3: Create the file that the accounting information will be written to, using the command below.

sudo touch /var/log/tac_plus.acct

Step 5: In this step we edit the tac_plus.conf file at the location below.
sudo nano /etc/tacacs+/tac_plus.conf
The finished tac_plus.conf file looks like this:

lab@lab_VM1:~$ cat /etc/tacacs+/tac_plus.conf
# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details

# Define where to log accounting data, this is the default.
accounting file = /var/log/tac_plus.acct

# This is the key that clients have to use to access Tacacs+
key = testing123

# We also can define local users and specify a file where data is stored.
# That file may be filled using tac_pwd

# Defining the users: two users are defined, Administrator and limiteduser.
user = Administrator {
    login = cleartext Cisco
    member = "admin"
}

user = limiteduser {
    login = cleartext "cisco"
    enable = cleartext "cisco"
    member = readonly
}

# Defining the groups the users above are members of. Two groups are created, admin and readonly.
group = admin {
    default service = permit
    service = exec {
        default attribute = permit
        priv-lvl = 15
    }
}

# The cmd blocks must sit inside the readonly group; outside the braces they apply to nobody.
group = readonly {
    default service = deny
    service = exec {
        default attribute = permit
        priv-lvl = 15
    }
    # permit show commands
    cmd = show {
        permit .*
    }
    # permit traceroute command
    cmd = traceroute {
        permit .*
    }
    # permit ping command
    cmd = ping {
        permit .*
    }
}

We have created two TACACs+ users.

The user Administrator has complete access; the user limiteduser has limited access and can run only show, traceroute and ping commands.

Once you're finished with everything, run service tacacs_plus check to make sure the syntax is correct; if you get any errors, fix them and then restart the daemon using service tacacs_plus restart.
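As an added example (not part of the original post, and not tac_plus's own parser), here is a small Python checker for the subset of tac_plus.conf syntax used above. It catches the slips that are easy to make when editing the file by hand, before you get to service tacacs_plus check: unbalanced braces, a cmd block that ended up outside its group and therefore restricts nobody, a user whose member group is never defined, and cleartext passwords, which the file's own comment suggests replacing with hashes made by tac_pwd. SAMPLE_CONF is a constructed copy of the post's configuration (admin group abridged), and MIN_KEY_LEN is an assumed local policy threshold, not a tac_plus rule.

```python
"""Checker for the tac_plus.conf subset used in this post (added example; not tac_plus's parser)."""
import re

MIN_KEY_LEN = 16  # assumed local policy threshold, not a tac_plus requirement

# Constructed sample: the post's configuration (admin group abridged), with the
# cmd blocks inside the readonly group so that they apply to limiteduser.
SAMPLE_CONF = """\
accounting file = /var/log/tac_plus.acct
key = testing123
user = Administrator {
    login = cleartext Cisco
    member = "admin"
}
user = limiteduser {
    login = cleartext "cisco"
    enable = cleartext "cisco"
    member = readonly
}
group = admin {
    default service = permit
}
group = readonly {
    default service = deny
    service = exec {
        default attribute = permit
        priv-lvl = 15
    }
    cmd = show {
        permit .*
    }
    cmd = traceroute {
        permit .*
    }
    cmd = ping {
        permit .*
    }
}
"""


def parse(text):
    """Build a tree of blocks {kind, name, line, items, blocks}. Comments are
    cut at the first '#', so a '#' inside a quoted value is not handled."""
    root = {"kind": "root", "name": "", "line": 0, "items": [], "blocks": []}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
        elif line.endswith("{"):  # 'group = readonly {', 'cmd = show {', ...
            kind, _, name = line[:-1].partition("=")
            block = {"kind": kind.strip(), "name": name.strip().strip('"'),
                     "line": lineno, "items": [], "blocks": []}
            stack[-1]["blocks"].append(block)
            stack.append(block)
        else:  # 'permit .*' / 'deny .*' rules or 'key = value' statements
            m = (re.match(r"^(permit|deny)\s+(.*)$", line)
                 or re.match(r"^([^=]+?)\s*=\s*(.*)$", line))
            if not m:
                raise ValueError(f"line {lineno}: cannot parse {line!r}")
            stack[-1]["items"].append((m.group(1), m.group(2), lineno))
    if len(stack) > 1:
        top = stack[-1]
        raise ValueError(f"block '{top['kind']} = {top['name']}' opened at "
                         f"line {top['line']} is never closed")
    return root


def lint(text):
    """Return a list of (severity, message) findings for one config text."""
    try:
        root = parse(text)
    except ValueError as exc:
        return [("error", str(exc))]
    findings = []
    top = {k: v.strip('"') for k, v, _ in root["items"]}
    groups = {b["name"] for b in root["blocks"] if b["kind"] == "group"}
    if "key" not in top:
        findings.append(("warning", "no global 'key' defined"))
    elif len(top["key"]) < MIN_KEY_LEN:
        findings.append(("warning", f"shared key shorter than {MIN_KEY_LEN} characters"))
    for b in root["blocks"]:
        if b["kind"] not in ("user", "group"):
            findings.append(("error", f"line {b['line']}: '{b['kind']} = {b['name']}' "
                             "is at top level; cmd/service blocks go inside a user or group"))
        elif b["kind"] == "user":
            for key, value, lineno in b["items"]:
                if key == "member" and value.strip('"') not in groups:
                    findings.append(("error", f"line {lineno}: user '{b['name']}' is in "
                                     f"undefined group '{value}'"))
                if key in ("login", "enable") and value.startswith("cleartext"):
                    findings.append(("warning", f"line {lineno}: user '{b['name']}' has "
                                     f"a cleartext {key} password; use a tac_pwd hash"))
    return findings


def errors(findings):
    """Only the error messages, for a quick pass/fail view of a file."""
    return [msg for sev, msg in findings if sev == "error"]
```

Running lint(SAMPLE_CONF) produces warnings only (the short shared key and the three cleartext passwords). Moving any cmd block after the closing brace of group = readonly turns it into a top-level block, which lint() reports as an error, as does a member line that names a group the file never defines.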