Wednesday, March 13, 2013

Howto TACACS+ on CentOS6.x

This post describes, step by step, how to install and configure TACACS+ on CentOS 6.x.

Step1. Download rpm:
wget ftp://ftp.muug.mb.ca/mirror/redhat/contrib/libc6/i386/tac_plus-4.0.3-2.i386.rpm

Step2. Install:
rpm -ivh tac_plus-4.0.3-2.i386.rpm

Step3. Configure user in TACACS+:
vi /etc/tacacs/tac_plus.cfg
# Created by Devrim SERAL(devrim@tef.gazi.edu.tr)
# It's very simple configuration file
# Please read user_guide and tacacs+ FAQ to more information to do more
# complex tacacs+ configuration files.
#
# Put your NAS key below
key = "testing123"
# Use /etc/passwd.loc file to do authentication
# it's must be in passwd file format. So you must mix shadow-passwd files to do it
#default authentication = file /etc/passwd.loc
user = lawrence {
    login = cleartext 123456
}

# Where is the accounting records to go
accounting file = /var/log/tacacs.log
# Permit all authorization request
default authorization = permit
# End config file

# The user lawrence with password 123456 will be created.


Step4. Start TACACS+ daemon:

[root@server1 tmp]# /etc/init.d/tacacs start
Starting tacacs+:
[root@server1 tmp]# netstat -tupln | grep 49
tcp        0      0 0.0.0.0:49                  0.0.0.0:*                   LISTEN      9027/tac_plus

Done~

Update 1, a short excerpt from the user guide:


At the service authorization level i.e. inside the braces of a
service declaration, arguments in an authorization request are
processed according to the algorithm described later. Some actions
when authorizing services (e.g. when matching attributes are not
found) depend on how the default is configured. The following
declaration changes the default from deny to permit for this user and
service.

user = lol {
    service = exec {
        default attribute = permit
    }
}
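As an added check (not code from the post or from the tac_plus project), the following Python parses a tac_plus.cfg written in the brace syntax used in Step 3 and in the user-guide excerpt above, then flags the sample NAS key, the cleartext password and the permit-all authorization default; SAMPLE_CFG is constructed from the post's own stanzas.

```python
import re

# Constructed sample mirroring the stanzas in the post (not a real deployment).
SAMPLE_CFG = """
# Put your NAS key below
key = "testing123"
user = lawrence {        login = cleartext 123456}
user = lol {
    service = exec { default attribute = permit }
}
accounting file = /var/log/tacacs.log
default authorization = permit
"""

def parse_tac_plus(text):
    """'name = value' -> cfg[name]; 'name = value { ... }' -> cfg['name value'] = {...}."""
    tokens = re.findall(r"[{}]|[^{}\n]+", re.sub(r"#.*", "", text))  # drop comments, split
    stack, pending = [{}], None
    def commit():  # store the last statement seen, unless it opened a block
        nonlocal pending
        if pending:
            stack[-1][pending[0]] = pending[1]
            pending = None
    for tok in filter(None, (t.strip() for t in tokens)):
        if tok == "{":  # the pending statement names this block, e.g. 'user lawrence'
            stack[-1][f"{pending[0]} {pending[1]}"] = block = {}
            stack.append(block)
            pending = None
        elif tok == "}":
            commit()
            stack.pop()
        else:
            commit()
            name, _, value = tok.partition("=")
            pending = (name.strip(), value.strip().strip('"'))
    commit()
    return stack[0]

def audit(cfg):
    findings = []  # settings in the post's config a reviewer would want changed
    if cfg.get("key") in (None, "", "testing123"):
        findings.append("NAS key missing or still the sample value 'testing123'")
    if cfg.get("default authorization") == "permit":
        findings.append("default authorization = permit: requests pass unless a stanza denies them")
    for name, body in cfg.items():
        if name.startswith("user ") and isinstance(body, dict):
            if body.get("login", "").startswith("cleartext"):
                findings.append(f"{name}: cleartext password; tac_plus also accepts 'login = des <crypt hash>'")
    return findings
```

Running `audit(parse_tac_plus(open("/etc/tacacs/tac_plus.cfg").read()))` on the file from Step 3 reports all three findings; the parser also accepts the one-line `user = lawrence { ... }` form the post used.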

Howto debug:

DEBUGGING A RUNNING SERVER
--------------------------

There is a myriad of debugging values that can be used in conjunction
with the -d flag to produce debugging output in /var/tmp/tac_plus.log.

For example, starting the daemon with

        tac_plus -C CONFIG -d 16

will put authentication debugging into /var/tmp/tac_plus.log. You can
view this information by using the tail command.

        tail -f /var/tmp/tac_plus.log

See the man page for more information.