TACACS
Amy Buck edited this page Sep 18, 2018
Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol used for centralized authentication, authorization, and accounting (AAA) for network services. This page covers how to set up a generic TACACS+ server, and how to set up a TACACS+ client on OpenSwitch OPX so that SSH logins are authenticated against that server.
- Install the TACACS+ server.
```
apt-get install tacacs+
```
- Edit the TACACS+ configuration file `/etc/tacacs+/tac_plus.conf` to include the shared key and the user entries. In the example, user1 is added with password pass1. `key` is the shared secret that obfuscates the TACACS+ packet bodies between client and server; it must match the `secret=` given to the client, and `testing123` should be replaced with a long random value in any real deployment. The `cleartext` keyword stores the password unencrypted in the file.
```
accounting file = /var/log/tac_plus.acct
key = testing123
user = user1 {
    global = cleartext pass1
    service = ppp protocol = ip {
    }
}
```
- Start the TACACS+ server in the foreground with debugging enabled (`-G` keeps it in the foreground, `-g` runs it single-threaded, `-d 512` sets the debug level).
```
tac_plus -C /etc/tacacs+/tac_plus.conf -G -g -d 512
```
- Install the PAM TACACS+ authentication package. First ensure that your `/etc/apt/sources.list` file includes the following line.
```
deb http://deb.openswitch.net/contrib/stretch stable main
```
- Install the TACACS+ PAM package and library.
```
sudo apt-get -qq update && sudo apt-get -qq install -y libpam-tacplus libtac2-bin
```
The `libpam-tacplus` and `libtac2-bin` packages are hosted in the deb.openswitch.net package repository and are compiled from source. The source can be found at https://github.com/jeroennijhof/pam_tacplus.
- Add the library files to `LD_LIBRARY_PATH`.
```
echo "export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/root/pam_tacplus-1.5.0-beta.2/.libs" >> /etc/opx/opx-environment.sh
```
- Source the environment file, or log out and back in, for the new `LD_LIBRARY_PATH` to take effect.
```
source /etc/opx/opx-environment.sh
```
- Enable `sshd` to authenticate through TACACS+ by including the `tacacs` PAM stack in `/etc/pam.d/sshd`. The command below inserts `auth include tacacs` directly after the header comment, so it is consulted before the `@include common-auth` line that handles local accounts.
```
sudo sed -i '/# PAM configuration for the Secure Shell service/ a auth include tacacs' /etc/pam.d/sshd
```
- Create a new file `/etc/pam.d/tacacs` for authentication, account and session handling and add the following contents. In the `server` parameter, use your TACACS+ server's IP address (10.11.14.116 in this example), set `secret` to the key from `tac_plus.conf`, and set the service to `ppp` to match the service defined for the user in `/etc/tacacs+/tac_plus.conf` on the TACACS+ server. Because the module is marked `sufficient`, a TACACS+ success ends the stack, but a failure or an unreachable server falls through to the lines that follow in `/etc/pam.d/sshd`, so local passwords still work. The `debug` option writes each exchange to syslog and should be removed once the setup is verified.
```
#%PAM-1.0
auth    sufficient /root/pam_tacplus-1.5.0-beta.2/.libs/pam_tacplus.so debug server=10.11.14.116 secret=testing123
account sufficient /root/pam_tacplus-1.5.0-beta.2/.libs/pam_tacplus.so debug server=10.11.14.116 secret=testing123 service=ppp protocol=ssh
session sufficient /root/pam_tacplus-1.5.0-beta.2/.libs/pam_tacplus.so debug server=10.11.14.116 secret=testing123 service=ppp protocol=ssh
```
- Restart the `sshd` service.
```
systemctl restart sshd
```
- The `libtac2` library includes a client program called `tacc`, which can be used to test the server directly from the OPX system. A successful run against the configuration above prints the four lines shown after the command.
```
tacc --authenticate --authorize --account --username user1 --password pass1 --server 10.11.14.116 --remote localhost --secret testing123 --service ppp --protocol ip --login pap -y ttyS1
Authentication OK
Authorization OK: (Service granted)
Accounting: START OK
Accounting: STOP OK
```
Usage:
- `--username`: the username defined on the TACACS+ server (user1)
- `--password`: the password defined for that user on the TACACS+ server (pass1)
- `--server`: TACACS+ server IP address
- `--secret`: shared key specified in the TACACS+ server configuration
- `--service`: the PPP service specified for the user on the TACACS+ server
- Create the local user `user1` before SSHing to the OPX system. `pam_tacplus` only authenticates the user; the account must still exist locally so that `sshd` can resolve its UID, home directory and shell. The `-m` option creates a home directory (i.e., `/home/user1`).
```
useradd -m user1
```
- SSH from any server to the client using the username from the previous step and the password configured for it on the TACACS+ server. The request goes to the TACACS+ server, which authenticates the user, authorizes the session, and records accounting START and STOP entries in `/var/log/tac_plus.acct`.
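As an added example, not part of this page or of the OPX and pam_tacplus projects: a POSIX shell script that renders the two configuration files above from one set of variables (so the server address, shared key and service are never hand-copied between server and switch), generates a random shared key to replace `testing123`, and checks the output of a `tacc` run. The module path, the use of a crypt(3) hash in `tac_plus.conf` (tac_plus's `des` keyword) instead of `cleartext`, and the omission of `debug` are this example's choices, not the page's; the placeholder hash in the demo is constructed and not a real password hash.

```sh
#!/bin/sh
# Added example for this page (not OPX or pam_tacplus code): render the
# server and client configuration described above from one set of
# variables, and check the result of a tacc test run. The module path and
# sample user are assumptions taken from the page's own values.

# Generate a 32-hex-character shared key to replace the page's "testing123".
# The key only obfuscates TACACS+ packet bodies (it is not encryption), but a
# guessable key lets anyone on the path recover the passwords it carries.
new_shared_key() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Render tac_plus.conf for one user. The page stores the password with
# "cleartext"; tac_plus also accepts a crypt(3) hash via "des", which keeps
# the plaintext out of the file. $3 is that hash (produce it with a crypt
# tool of your choice; the demo below uses a placeholder).
render_tac_plus_conf() {
    key="$1"; user="$2"; pw_hash="$3"; service="${4:-ppp}"
    printf '%s\n' \
        'accounting file = /var/log/tac_plus.acct' \
        "key = $key" \
        "user = $user {" \
        "    global = des $pw_hash" \
        "    service = $service protocol = ip {" \
        '    }' \
        '}'
}

# Render /etc/pam.d/tacacs. Differences from the page's version: no "debug"
# (it logs every exchange to syslog), and the module path is a parameter so
# the same function serves the packaged library or a local build.
render_pam_tacacs() {
    server="$1"; secret="$2"; module="$3"; service="${4:-ppp}"
    printf '%s\n' \
        '#%PAM-1.0' \
        "auth    sufficient $module server=$server secret=$secret" \
        "account sufficient $module server=$server secret=$secret service=$service protocol=ssh" \
        "session sufficient $module server=$server secret=$secret service=$service protocol=ssh"
}

# Read tacc output from stdin and return 0 only when every phase reported OK.
# $1 is the number of OK lines expected: 4 for --authenticate --authorize
# --account (authentication, authorization, accounting START and STOP).
tacc_all_ok() {
    expected="${1:-4}"
    ok=$(grep -c -E '^(Authentication OK|Authorization OK|Accounting: (START|STOP) OK)' || true)
    [ "$ok" -eq "$expected" ]
}

# Demo with the page's example values (constructed; the hash is a placeholder).
KEY=$(new_shared_key)
render_tac_plus_conf "$KEY" user1 'REPLACE_WITH_CRYPT_HASH'
echo '---'
render_pam_tacacs 10.11.14.116 "$KEY" /root/pam_tacplus-1.5.0-beta.2/.libs/pam_tacplus.so
```

Run it as-is to print both files to stdout; on the server redirect `render_tac_plus_conf` into `/etc/tacacs+/tac_plus.conf`, on the switch redirect `render_pam_tacacs` into `/etc/pam.d/tacacs`, and pipe the `tacc` command from the previous step into `tacc_all_ok 4` to confirm that all four phases succeeded before restarting `sshd`.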
© 2019 OpenSwitch project. All information is contributed to and made available by OPX under the Creative Commons Attribution 4.0 International License (available at http://creativecommons.org/licenses/by/4.0/).