The first step in setting up this new TACACS+ server is to install the software from the repositories:
root@debian-tacacs:~# apt-get install tacacs+ -y
This file is where all the TACACS+ settings should reside (user permissions, access control lists, host keys, etc.). The first thing that needs to be created is a key for the network devices. Edit the file /etc/tacacs+/tac_plus.conf. The following configuration was created for multiple vendors (Cisco IOS, Cisco NX-OS, Junos, F5, HP Comware, Brocade ICX, Brocade VDX):
# Full administrators. "default service = permit" means any service or
# command not listed below is authorized as well, so the cmd blocks here only
# add vendor attributes; they do not restrict anything.
# NOTE(review): the shared key that the device configs reference
# ("tacacs-server key") is not part of this excerpt; tac_plus reads it from a
# global "key = ..." line, which belongs before the group definitions.
# NOTE(review): this group is named "admin" while the other groups use the
# net* prefix and the user definitions later in the file refer to "netadmin";
# one of the two names has to change or the admin user has no group.
group = admin {
default service = permit
service = exec {
# Exec privilege level returned to Cisco-style devices (matches the
# "commands 15" authorization/accounting lines in the IOS XE config).
priv-lvl = 15
# Brocade role attribute, sent as optional (A*V) so devices that do not
# recognize it can ignore it.
optional brcd-role = admin
}
# PAP requests are authenticated against the system PAM stack.
pap = PAM
# Attributes returned to the F5, which requests ppp/ip authorization;
# "resource" pairs with the F5 remote-role entry mapped to resourceadmin.
service = ppp protocol = ip {
F5-LTM-User-Info-1 = resource
F5-LTM-User-Console = 1
F5-LTM-User-Role = 20
}
# HP Comware commands; redundant under default permit, kept for clarity.
cmd = system-view {
permit .*
}
cmd = display {
permit .*
}
}
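# Operators. "default service = deny" means only the services and commands
# listed here are authorized; everything else is refused.
group = netoperator {
default service = deny
service = exec {
# Exec level 15 so that per-command authorization, not the privilege level,
# is what limits this group on Cisco-style devices.
priv-lvl = 15
}
# PAP requests are authenticated against the system PAM stack.
pap = PAM
# Attributes for the F5 (ppp/ip authorization); "operator" pairs with the
# F5 remote-role entry mapped to the operator role.
service = ppp protocol = ip {
F5-LTM-User-Info-1 = operator
F5-LTM-User-Console = 1
F5-LTM-User-Role = 400
}
# Cisco/Brocade-style commands, any arguments. write/copy/save with ".*"
# let operators save and transfer configuration; tighten if not intended.
cmd = show {
permit .*
}
cmd = write {
permit .*
}
cmd = copy {
permit .*
}
cmd = exit {
permit .*
}
# HP Comware. The original had three separate "cmd = display" blocks, one of
# them misspelled "display=", which would never match; they are consolidated
# into a single block here.
# NOTE(review): permit patterns are regular expressions matched against the
# command arguments; if the matcher is not anchored by default, prefix them
# with "^" (e.g. "^current-configuration") to avoid matching longer commands.
cmd = display {
permit current-configuration
permit interface
permit version
}
cmd = save {
permit .*
}
}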
# Read-only guests. Default deny: only the listed commands are authorized.
group = netguest {
default service = deny
service = exec {
# Still exec level 15; the cmd blocks, not the level, limit this group on
# devices that do per-command authorization. Devices that do not (the VDX
# config on this page shows no command authorization) presumably give a
# full-privilege exec shell.
priv-lvl = 15
}
# PAP requests are authenticated against the system PAM stack.
pap = PAM
# Attributes for the F5 (ppp/ip authorization); "guest" pairs with the F5
# remote-role entry mapped to the guest role.
# NOTE(review): as far as I recall, 700 is not the F5 Guest role value
# (Guest is 500); with remote-role configured the mapping is by attribute so
# this is masked, but check the F5 role table before relying on it.
service = ppp protocol = ip {
F5-LTM-User-Info-1 = guest
F5-LTM-User-Console = 1
F5-LTM-User-Role = 700
F5-LTM-User-Partition = all
}
# NOTE(review): the pattern is a regular expression on the arguments; if the
# matcher is not anchored, any show argument containing "runn" matches, not
# only "running-config". "^running-config" would be the strict form.
cmd = show {
permit runn.*
}
cmd = exit {
permit .*
}
# HP Comware equivalent of "show running-config".
cmd = display {
permit current-configuration
}
}
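# Three sample accounts, one per group. All three carry the same crypt(3)-style
# DES hash (13 characters; traditional DES crypt keeps at most 8 password
# characters), generated with tac_pwd as shown below. Use a distinct hash per
# user, or "login = PAM" to delegate to system accounts as the groups already
# do for PAP. A user-level "pap = des ..." takes precedence over the group's
# "pap = PAM".
user = groupuser { login = des TbLklpSxuUBdQ pap = des TbLklpSxuUBdQ member = netguest }
user = groupoperator { login = des TbLklpSxuUBdQ pap = des TbLklpSxuUBdQ member = netoperator }
# "member" must name a defined group. The group defined above is "admin";
# the original line referenced "netadmin", which does not exist in this file.
user = groupadmin { login = des TbLklpSxuUBdQ pap = des TbLklpSxuUBdQ member = admin }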
Example of a DES password hash generated manually with tac_pwd:
root@debian-tacacs:~# tac_pwd
Password to be encrypted: awasadakabel
TDp8zyr/csMO
root@debian-tacacs:~#
AAA Configuration on F5 BIG-IP
# TACACS+ authentication source on the BIG-IP. Authorization is requested as
# service ppp / protocol ip, the combination the tac_plus groups answer with
# the F5-LTM-User-* attributes.
# NOTE(review): the "auth source { type tacacs }" setting that activates this
# source is not shown on the page.
auth tacacs system-auth {
protocol ip
# Shared key, apparently in the BIG-IP's encrypted stored form ($M$...);
# it must equal the key configured in tac_plus.conf.
secret $M$4g$wSz5Qw7SXT2guZVejcY1Eg==
servers { 192.168.100.100 } # IP Tacacs+ Server
service ppp
}
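# Maps the F5-LTM-User-Info-1 value returned by tac_plus to a local role.
# With remote-role configured the role comes from this mapping rather than
# from the numeric F5-LTM-User-Role attribute (confirm against the docs for
# your version). line-order is the evaluation order, lowest first.
# The original listing was missing the closing brace of "auth remote-role".
auth remote-role {
role-info {
netadmin {
attribute F5-LTM-User-Info-1=resource
line-order 1
role resourceadmin
user-partition All
}
netguest {
attribute F5-LTM-User-Info-1=guest
line-order 5
role guest
user-partition All
}
netoperator {
attribute F5-LTM-User-Info-1=operator
line-order 2
role operator
user-partition All
}
}
}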
AAA Configuration on HP Comware v7
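#
hwtacacs scheme tac
# Server lines below were wrapped across two lines in the original and have
# been rejoined; the "#" separators were fused onto the following command
# (which would have turned it into a comment) and have been split off.
primary authentication 192.168.100.100
primary authorization 192.168.100.100
# NOTE(review): the original listed "primary authorization" twice. Since the
# scheme sets an accounting key and the domain below does accounting, one of
# the two was presumably "primary accounting 192.168.100.100" - confirm.
primary authorization 192.168.100.100
# @password@ is a placeholder; the keys must equal the key in tac_plus.conf.
key authentication simple @password@
key authorization simple @password@
key accounting simple @password@
user-name-format without-domain
#
domain system
# TACACS+ first, local users as fallback, for login and for commands.
authentication login hwtacacs-scheme tac local
authorization login hwtacacs-scheme tac local
accounting login hwtacacs-scheme tac local
authorization command hwtacacs-scheme tac local
accounting command hwtacacs-scheme tac
#
domain default enable system
role default-role enable
# NOTE(review): this "authentication-mode scheme" sits in system view in the
# original; its intended context (line view?) is not recoverable from the page.
authentication-mode scheme
super authentication-mode scheme local
line vty 0 63
authentication-mode scheme
# Enforces the tac_plus cmd rules on VTY sessions.
command authorization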
AAA Configuration on Brocade VDX (NOS)
! Login via TACACS+; local users only when the servers are unreachable
! (fallback does not apply to a rejected login).
aaa authentication login tacacs+ local-auth-fallback
! Session and per-command accounting only: no command authorization line
! appears here, so the tac_plus cmd rules are not enforced on this platform
! as shown.
aaa accounting exec default start-stop tacacs+
aaa accounting commands default start-stop tacacs+
! NOTE(review): 172.16.69.29 differs from the 192.168.100.100 server used by
! every other device on this page - confirm which one is the real server.
tacacs-server host 172.16.69.29 use-vrf default-vrf
protocol pap
! NOTE(review): the key is shown in clear text while encryption-level is 7;
! if level 7 means the key is supplied already encrypted, this pair will not
! match the server key. Rotate this key if it was ever a real value.
key BukaLapak
encryption-level 7
! NOTE(review): 100 retries is far above the usual default; each failed
! attempt presumably waits a full timeout before the local fallback applies,
! so an unreachable server stalls logins.
retries 100
!
AAA Configuration on Brocade ICX
! Login via TACACS+; "enable" falls back to the enable password when the
! servers are unreachable.
aaa authentication login default tacacs+ enable
! Put the user directly at the privilege level the server returns
! (priv-lvl 15 for every group in tac_plus.conf).
aaa authentication login privilege-mode
! Every command (level 0 and above) is authorized by TACACS+ with no
! fallback method listed; with the server unreachable, commands are
! presumably refused - confirm the FastIron behaviour for this release.
aaa authorization commands 0 default tacacs+
aaa authorization exec default tacacs+
aaa accounting commands 0 default start-stop tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting system default start-stop tacacs+
! Apply the AAA methods above to the console as well.
enable aaa console
tacacs-server host 192.168.100.100
! @password@ is a placeholder; must equal the key in tac_plus.conf.
tacacs-server key @password@
AAA Configuration on Cisco IOS XE
aaa new-model
! Login: TACACS+ group first; case-sensitive local users only when the
! servers are unreachable (not when they reject the login).
aaa authentication login default group tacacs+ local-case
! Configuration-mode commands are also sent for authorization.
aaa authorization config-commands
! "if-authenticated" lets an already-authenticated user through when neither
! the servers nor the local database can answer, so an outage degrades to
! local authorization rather than a lockout.
aaa authorization exec default group tacacs+ local if-authenticated
! Only level-15 commands are checked; that covers every tac_plus group on
! this page, since all three return priv-lvl = 15.
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
! NOTE(review): console lines are exempt from authorization unless
! "aaa authorization console" is also configured.
! NOTE(review): "tacacs-server host/key" is the legacy form; recent IOS XE
! prefers a named "tacacs server <name>" block with "address ipv4" and "key".
tacacs-server host 192.168.100.100
! @password@ is a placeholder; must equal the key in tac_plus.conf.
tacacs-server key @password@