Network Security Using TACACS – Part 2

Where to find a TACACS+ server?

In the first part of this series, we had a brief introduction to the TACACS protocol and how it helps in centralizing and securing access to network devices. This post is a continuation: it discusses the options available for implementing TACACS+ and walks through an example of using one of the free TACACS+ servers to implement the AAA functions covered earlier. In this post I will use TACACS and TACACS+ interchangeably when referring to the protocol.

TACACS+ can be implemented using commercially available solutions such as Cisco’s widely deployed Access Control Server (ACS) or using freely available open-source implementations. During my research, I found that there are limited choices for TACACS+ software, whether commercial or free, compared to other product categories. Below are links to some of the sites I came across for commercial solutions and for open-source or free implementations.

Commercial

Open Source/ Free

TACACS Demonstration

In this post, I decided to try the TACACS+ server from TACACS.net installed on a Windows 7 machine, for the simple reason of its simplicity and ease of installation and configuration. The folks at TACACS.net provide plenty of documentation on just about everything related to installing and configuring their software. I highly recommend reading the guides, especially if advanced configurations are required.

For the client I used a Cisco 1801 router, since I have one at hand to play with. The free open-source Cisco simulation software GNS3 or the virtual router Vyatta can also be used as a client if you can’t find a real router or switch for testing. Below is a diagram showing the setup I used for this post.

TACACS Implementation

The steps I followed were: downloading and installing the TACACS server on a Windows 7 machine, configuring the TACACS server, configuring the Cisco 1801 router, testing authentication to the router via the TACACS server, and finally checking the accounting functionality of the TACACS server. The TACACS users used for this test are configured locally on the TACACS server, again for the sake of simplicity.

TACACS Installation & Configuration

Installation

The installation of the TACACS server is a straightforward process made easy by an installation wizard. Clicking through a few steps gets the software installed and ready for configuration. During the installation, as shown below, we need to specify a pre-shared key that will be used between the TACACS server and its clients. The purpose of this key is to encrypt the communication channel between the server and the client so that credentials are transmitted securely between the two.

[Screenshot: installation wizard prompting for the pre-shared key]

After the installation is complete, you can verify that it was successful in a couple of ways. One is to check that the TACACS service is installed and its status is Running. The other is to open a command prompt and run “netstat -abn” to check that the server has opened TCP port 49 and is listening for connections.

[Screenshot: TACACS.net service in Windows Services]

[Screenshot: netstat output showing the listener on TCP port 49]

Server Configuration

By default, the server is configured to accept connections on the localhost address 127.0.0.1, as shown above. We need to change this so that the server listens on the required IP address. Open the file “tacplus.xml” located in %ALLUSERSPROFILE%\TACACS.net\config\ using Notepad or WordPad, locate the “Local IP” section and change the IP to the real IP address of the server. For the sake of clarity, I recommend Notepad++, which has many added features, for opening the files mentioned here. In my setup, the IP address of the server is 192.168.244.124. Besides the IP address there are a number of other server options that can be changed, but for the purpose of this post I have kept all other options at their defaults. After applying and saving the change, the TACACS service needs to be restarted for the change to take effect. Once netstat confirms that the IP address you assigned is listening on TCP port 49, we can test further by using Telnet to connect to that port from the same computer or from a different machine. If you are not able to connect, check whether a firewall is blocking the connection.

[Screenshot: tacplus.xml configuration file, Local IP section]

User Configuration

Now that the TACACS server is up and listening for TACACS requests on the IP address we assigned, we need to configure the users who will be authenticated. There are a number of ways TACACS user credentials can be configured. The credentials can be configured locally in the configuration file provided by the installation, or they can be pulled from an Active Directory or LDAP server. User accounts on the local system from which the users are connecting can also be used. By default, the configuration file also grants access to users in the local Administrators group as a fallback option, for when a user cannot remember their password or the TACACS server becomes unavailable. For the purpose of this post, we will use accounts configured locally in the configuration file. An example of each user type is given within the configuration file.

Open the file named “authentication.xml” under the C:\ProgramData\TACACS.net\config\ directory and add the lines shown in the screenshot below. The easiest way to add the user configuration is to copy the examples found in the file and edit the fields. In this example I copied the example group “Network Engineering” and its associated users, renamed the group to “Net Admins” and the two user accounts to “User1” and “User2”, with a clear-text Login and Enable password of “P@ssw0rd”. A DES-encrypted version of the password can also be placed in the password field for added security. In a production environment, we need to harden the TACACS server, put it behind a firewall to limit who can connect to it, and ensure the sensitive files are protected and monitored. If you decide to copy from the examples given, make sure you remove the XML comment markers, “<!--” at the beginning and “-->” at the end.

[Screenshot: authentication.xml with the Net Admins group and User1/User2]

Testing

TACACS.net provides two tools for testing your configuration, called Tacverify and Tactest. Tacverify checks the server configuration files for errors, while Tactest checks whether you can connect to the TACACS server with a set of credentials. Both are found under the TACACS installation folder, which in our example is C:\Program Files (x86)\TACACS.net. To list the available options for either tool, run it with -?.

[Screenshot: Tacverify output]

[Screenshot: Tactest output]

As shown in the results of the commands above, Tacverify reports that our server configuration is okay, and the authentication test done by Tactest was successful. We should now be ready to configure our clients to use the TACACS server for authentication, authorization, and accounting.

Client Configuration

TACACS configuration on clients differs from one manufacturer to another. For the purposes of this demonstration, we are using a Cisco 1801 router as the client. The commands required for enabling TACACS are shown in the screenshots below. A TACACS authentication list called “use-tacacs” is configured and applied to the VTY lines of the router. Also, as mentioned above, we need to specify on the router the same TACACS pre-shared key that was entered on the server.

[Screenshots: Cisco 1801 TACACS configuration commands]
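Because the router-side commands survive only as screenshots, here is an added example of my own (not the post’s screenshots or TACACS.net’s documentation) of a Cisco IOS configuration that does what the text describes: a login list named use-tacacs applied to the VTY lines, the post’s server address 192.168.244.124, the pre-shared key, and command accounting so that the accounting test later in the post has something to record. Assumed: the placeholder key value TACACS_SHARED_KEY, the interface name FastEthernet0, the local fallback account, and the classic tacacs-server command syntax that the IOS releases a 1801 runs accept.

```cisco
! Added example, not the post's own screenshots. Assumed: the key value
! TACACS_SHARED_KEY, the interface FastEthernet0 and the local fallback user.
aaa new-model
!
! TACACS.net server from the post (listening on TCP 49). The key must match
! the pre-shared key entered in the server installer.
tacacs-server host 192.168.244.124
tacacs-server key TACACS_SHARED_KEY
ip tacacs source-interface FastEthernet0
!
! Login list "use-tacacs": ask the TACACS+ server first. "local" is consulted
! only when no server answers, not when the server rejects the credentials.
aaa authentication login use-tacacs group tacacs+ local
!
! "enable" is checked against the user's Enable password in authentication.xml,
! with the router's enable secret as the fallback if the server is unreachable.
aaa authentication enable default group tacacs+ enable
!
! Accounting: send EXEC session start/stop and every privilege-15 command to
! the server; this is what fills the accounting log examined later in the post.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Local fallback credentials so a server outage cannot lock you out of the router.
username localadmin privilege 15 secret REPLACE_ME
enable secret REPLACE_ME
!
! Apply the list to the VTY lines (add "transport input ssh" once SSH is set up).
line vty 0 4
 login authentication use-tacacs
```

Before closing your session, open a second PuTTY session and confirm that a TACACS user can log in and that the local account is not needed while the server is up; the local fallback is only a safety net for server outages.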

Authentication Test

Once the configuration of the Cisco router is ready, we can test TACACS authentication. When we connect to the terminal line of the router using PuTTY with one of the users configured above, we are asked for a TACACS username. After pressing Enter, we are asked for the password of the username just entered. If the username exists in the configuration and the password supplied is valid, the user is granted access to the operational mode of the router. Typing the enable command and entering the enable password configured earlier in the configuration file gives access to the privileged mode of the router.

[Screenshots: TACACS username and password prompts in PuTTY, followed by the enable sequence]

Accounting Test

From the previous post we learned that the accounting module of TACACS takes care of documenting the TACACS session and what the TACACS users have done. To test this functionality, a few commands were entered in configuration mode after logging into the client router with the credentials for User1. As shown below, User1 went into the loopback interface configuration, removed the IP address and shut down the interface. If no log archiving is configured on the router, the commands entered by User1 cannot be recalled afterwards. But thanks to the accounting module of the TACACS server, all commands are captured, as we shall see below.

[Screenshot: configuration commands entered by User1 on the router]

The logs for the TACACS.net server are kept in the C:\ProgramData\TACACS.net\Logs folder. Opening the latest accounting log file, we see that the commands entered above have been recorded along with who the user was, the user’s IP address, the IP address of the network device, and the timestamp. This kind of information becomes very important when troubleshooting an issue or investigating an incident.

[Screenshot: TACACS.net accounting log entries for User1]

As we have seen in this post, it is relatively easy to install and configure a free TACACS+ server and use it to secure your network devices. In addition to authenticating users, we have also seen how all commands executed on network devices can be recorded for later investigation. Furthermore, we can also implement the authorization module, which restricts what users can or cannot do once they are authenticated.

Update 1

I have noticed on a couple of occasions that after the installation of Tacacs.net is done, the installed service is not started by default, and clicking Start in Services starts and then immediately stops the service. After some investigation, I checked the logs in the Event Viewer and noticed that the service did not start because it encountered XML errors. I checked the tacplus.xml file and found improperly placed statements. I fixed the statements and the service started properly. I found that this issue occurs if previous configuration files exist when installing the software. Just check the error message, which most of the time tells you the line number to go and check where the problem is.

 

[Screenshots: Event Viewer error for the service and the corrected tacplus.xml]


20 thoughts on “Network Security Using TACACS – Part 2”

  1. firifo says:

    Thanks so much for the assist.

  2. Ike says:

    You, my friend, just saved me from going insane. I had this server all set up and I could not figure out why it just WOULD NOT connect with my network devices. I didn't realize I needed to change out the 127.0.0.1 statement! Works like a charm. Thank you so much for taking the time to write this up! Ike

  3. liyakath says:

    Is Tacacs+ possible for port authentication in a switch?

    • wahibblog says:

      I am not sure if I understood the question correctly, but if you are asking whether Tacacs+ can be used for switch authentication, then the answer is yes if the switch supports it. If the question is whether Tacacs+ can be applied to secure individual ports on a switch (port security), then I don’t believe Tacacs+ is designed for that. As far as I know, Tacacs+ is used to provide AAA functions to the vty lines and console of networking devices.

  4. secure son says:

    Thanks for the article. I have a problem with the log file. Everything works but I cannot see a log file under the TACACS.net folder. Would you assist me in finding where the problem is?

    • wahibblog says:

      You are welcome and thanks for visiting my blog. As per the Tacacs.net documentation below, the log files are usually found in C:\ProgramData\Application Data\TACACS.net\Logs if the application is installed on the C: drive on Windows 2000 and XP machines or C:\ProgramData\TACACS.net\Logs for machines running Vista, 2003, and 2008 Windows. I hope this helps.
      • The Accounting and System logs can be found at %ALLUSERSPROFILE%\Application data\TACACS.net\logs on Windows 2000 or XP.
      • The Accounting and System logs can be found at %ALLUSERSPROFILE%\TACACS.net\logs in Windows 2003 Server, 2008 or Vista.

  5. secure son says:

    Hi again. Thanks for the reply.

    The server restarted for some reason. After that, the tacacs service never starts, manually or automatically. The operating system says the service started and stopped. I found these error messages in the event logs. Is there any way to fix it?

    This event is not displayed correctly because the underlying XML is not well formed. Below is the raw text of the event.

    System.ApplicationException: Configuration file could not be validated.
    Exiting… at ..() at ..() at ..() at ..(String[] ) at System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state)

    Best regards.

    • wahibblog says:

      You are welcome. It seems that there is a syntax issue in your configuration files. Did you run the tacverify tool? The tool goes through the four configuration files and will tell you if all is okay. If your server is a fresh install, you can copy the configuration file which has a mistake from the Tacacs.net website into the respective folder and start again.

  6. Mehmet Halil says:

    Good article, thank you. My question is about log files. I don't want to correlate logs; I want to see all logs in an understandable, user-friendly web interface or something. Is that possible?

    Regards.

    • wahibblog says:

      You are welcome, Mehmet. The logs can either be opened locally on the TACACS server or you can send them to a SYSLOG server. To see the logs in another tool like a SIEM, you can use the SYSLOG facility to send the logs, and the SIEM tool can then parse them for you in a user-friendly manner. That is what we are doing at my workplace. We collect logs from several devices and applications using SYSLOG and then parse them and do other things such as correlation and alerting.

  7. greg says:

    Is it possible to configure a vendor-specific attribute such as priv-level that is set on a per-user basis? The sample authorization.xml file contains a foundry-privlvl=5 entry within the Services node, but I don’t know how to turn this into a per-user setting.

  8. Ramg says:

    I am trying to do Multi-Factor Authentication per the document and am getting the error message below. I appreciate your support and assistance.

    C:\Program Files (x86)\TACACS.net>tacverify.exe

    Reading: C:\ProgramData\TACACS.net\Config\tacplus.xml
    _______________________________________________

    Reading: C:\ProgramData\TACACS.net\Config\authentication.xml

    There is an error in XML document (44, 43).

    Error details:Unknown element ‘MFAProvider’ found at (44,43)

    Errors were found in configuration files. Please fix these errors and try again.

    • wahibblog says:

      Hi Ramg, I haven’t tried MFA as of yet, so I can’t help you at the moment. Maybe I will try it in my lab and post it on my blog.

  9. Gray says:

    Could you do a blog on setting it up with AD credentials? Do I use the Authorization or Authentication XML file for AD? We are hoping for our ORG group to be the main login for routers and switches. We also want to go directly into enable mode and skip having to type that.

    • wahibblog says:

      Hi Gray,

      Thanks for visiting my blog. You need to use the authentication file for integration with AD. The authorization file will be used for what your admins are allowed to do or not to do once they are authenticated. I will try to simulate AD setup in my lab and also your requirement for going to enable mode directly.

  10. BWMfan says:

    Nice blog. Can you tell me what I should do to auto-enable my session if I logged in with my tacacs credentials?

    Greetings

    Daniel
