Basic Cisco Tacacs+ Configuration With Free Tacacs+ Software for Windows - Part 2 - NETSEC


Learning, Sharing, Creating

Cybersecurity Memo

Thursday, February 12, 2015

Basic Cisco Tacacs+ Configuration With Free Tacacs+ Software for Windows - Part 2

Part 1 has shown how to install the software Tacacs+ on a windows 2008 server and some fastest configuration to get it working with your Windows server administrators group.

In this part 2 post, more configuration will be presented to explain how some other function or feature works.

After installation, four configuration files will be generated under C:\ProgramData\\config folder. Please keep in mind, different OS will have different location to hold those files. Please create a backup copy in case you want to recover them.

1. authentication.xml

1.1 Local Service (File Group) Users

Tacacs+ Software supports different authentication methods such as Local Service (File Group) Users, Localhost Users and AD users.

This is the second part to configure cisco switch to work with a Free Tacacs+ Software from
If you want to use some local Tacacs File group, you could find following configuration in the file authentication.xml. You will only need to remove both <!-- and --> comment symbol in that part. Just like the configuration shows below:

There are two users , user1 and user2 , pre-configured to be used. For example, the user1 's login password is somepassword, and no password for enable.

<!-- This is an example of a File User group.
The File User groups can be used to define users that only exist
within the TACACS+ server. -->
      <Name>Local Tacacs Server Group</Name>
 <LoginPassword ClearText="somepassword" DES=""> </LoginPassword>
 <EnablePassword ClearText="" DES=""></EnablePassword>
 <CHAPPassword ClearText="" DES=""> </CHAPPassword>
 <OutboundPassword ClearText="" DES=""> </OutboundPassword>
 <LoginPassword ClearText="somepassword" DES=""> </LoginPassword>
 <EnablePassword ClearText="" DES=""></EnablePassword>
 <CHAPPassword ClearText="" DES=""> </CHAPPassword>
 <OutboundPassword ClearText="" DES=""> </OutboundPassword>

1.2 Localhost Users

Localhost users is the local users and groups in the windows 2008 server itself. In the part 1, there are some steps already shows how to use Localhost users.

Basically find out following configuration in the authentication.xml, Local System Administrators groups have been permitted. Only thing you will need to do is to add new users into local administrators group in windows 2008 Tacacs server as shown in part 1. There is no need to set up Enable Password, since your localhost user's password will be enable password too.
<!-- This is an example of a Windows Localhost group.
This group will authenticate using the users and groups
configured on the local computer. -->

      <Name>Local System Administrators</Name>

1.3 AD authentication

AD authentication and LDAP authentication has been detailed documented in the configuration guide. Please check it from there.

2. authorization.xml

By default, if you log in your network devices with Tacacs+ software default configuration with your local file users or local server's administrators group account, you will not be able to get into enable mode. Following error will be shown to you after you type enable command:
The command 'enable <cr>' is not authorized for user user1 
That is because the authorization.xml did not authorize you to use enable command.

By adding <Permit>enable</Permit> into following configuration, you will be able to use enable command. Keep in mind, the enable password is same as your login password when you use Local Server's administrators group or AD users.
<UserGroup>Local System Administrators</UserGroup>
<!--No client group provided so this authorization section applies to the above user groups from all the clients -->
<!--this group is allowed to telnet everywhere except from addresses beginning with 161.-->
<!--<deny>telnet 161\.*</deny>
<Permit>telnet .*</Permit>-->
<!--this will allow this group to run enable command -->
<Permit>.*show.*</Permit> <!--This will allow all show commands -->
<Deny>.*</Deny>           <!--This will deny all other commands -->

3. Client Configuration

Until here, a functional Tacacs+ server will be fully up and running. You should be able to use local file users and local administrators group to log into your network device. The client (network devices) configuration for Tacacs+, you should be able to find it from Part 1. Following commands should get you basic ideas how the configuration looks like.
Router(config)# aaa new-model
Router(config)# tacacs-server host key mysharedsecret
Router(config)# aaa authentication login default group tacacs+ local
Router(config)# aaa authorization exec default group tacacs+ local
Router(config)# line console 0
Router(config-line)# login authentication default
Router(config)# line vty 0 15
Router(config-line)# login authentication default


There are a couple of useful tools installed as well , and those are for troubleshooting / testing purpose. You could find it from Start -> All Programs -> menu:

  • TACDES - Used to Encrypt your password in your configuration files
  • TACTest - Used for testing your authentication
  • TACVerify - USed to verify your configuration files. Each time, after you changed your configuration files, do not forget to run it to validate them. If there is anything wrong in those files, your service won't be able to start.


1 comment: