How to install TACACS+ on Linux CentOS

I’m not sure, I have only used the CLI version myself.

Hi,

Any idea how to enforce password changing at first logon using TACACS+ PAM authentication?

I am able to log in using the TACACS+ PAM authentication successfully.

Is there a way to make it work for IPv6? I’ve tried all possibilities with no luck!!! I hope you have experimented with it before!

I took a quick look and it seems it’s possible but I never tried it myself before…

I have configured TACACS+ successfully and it is working, but there are a few things I need to know:

First, my Cisco device is using the local user on the Cisco device for authentication and I don’t know why.

Second, how can I check the authentication logs and the configuration logs?

Hi Russet,

The default log files on CentOS are probably in the /var/log folder.

Is your router able to reach the TACACS+ server? Try a debug aaa authentication on the router. It should give you some useful information on why it doesn’t use the server for authentication.

Rene

Hi Rene, I’m currently studying CCNP ROUTE and this is one of the topics. My question is, on the exam do we need to configure the TACACS+ server? Because I don’t have a Linux box, I can’t simulate this one. Or do we only need to understand how TACACS+ works? Thank you.

Hi John,

For CCNP ROUTE you only need to know how to configure TACACS+ on Cisco devices, no need to worry about the server.

Rene

Got this set up on a Raspberry Pi fairly easily. Thanks!


Hi,
Why have you given priv-lvl = 15 to all groups?

What do I need to do to get enable mode (priv-lvl 15) once they enter the username and password?
Thanks

Hello Sims

You can adjust the privilege level to whatever you want. In the example in the lesson, a privilege level of 15 is given to all users, but you can change that for whatever users you want.

A privilege level of 15 will bypass any use of the enable password to get to privileged EXEC mode.

I hope this has been helpful!

Laz

Hi,
How do I keep privilege level 15 while limiting certain commands to only a particular group?
And what is default service = permit?

Thanks

Hello Sims

If you look at the lesson, you will see that there is a group called “admin” that is configured at priv-lvl 15 and has specific commands such as “username”, “enable”, and “configure” that are allowed. Similarly, you have the “sysadmin” group which is also at priv-lvl 15 but has a more limited set of commands. For example, take a look at the following limitation:

    cmd = interface {
            permit FastEthernet.*
            permit GigabitEthernet.*
    }

This set of commands only allows this group to access the FastEthernet and GigabitEthernet interface configurations, and not Serial, Loopback, TenGigabit, or VLAN interfaces. In contrast, the “admin” group has the following for this section:

    cmd = interface {
            permit .*
    }

which essentially means permit everything.

Now the key to all of this is the “default service = permit” command, as you mentioned. By default, the TACACS+ server implicitly denies all commands. You can, however, use the default service = permit command to change this default behaviour so that TACACS+ will permit any commands that you don’t explicitly deny.

In the lesson, the admin group has this set while the sysadmin does not. And for this reason, you can see how the commands listed are dealt with in a different manner.

I hope this has been helpful!

Laz
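To make the evaluation order in Laz’s explanation concrete, here is an added example (not code from the lesson or from the tac_plus daemon) that models, in a simplified way, how a command line is authorized against the two groups described above: a cmd block that exists is consulted first, an unlisted command falls back to the group default, and only the “admin” group has default service = permit. The group table and the sample commands are constructed for this illustration.

```python
import re

# Constructed, simplified model of the two groups from the thread. The
# regex rules mirror the cmd = interface { ... } blocks quoted above.
GROUPS = {
    "admin": {
        "default_service_permit": True,   # default service = permit
        "cmd": {
            "interface": [("permit", r".*")],
        },
    },
    "sysadmin": {
        "default_service_permit": False,  # no default service line: implicit deny
        "cmd": {
            "interface": [("permit", r"FastEthernet.*"),
                          ("permit", r"GigabitEthernet.*")],
            "show": [("permit", r".*")],
        },
    },
}


def authorize(group, command):
    """Return 'permit' or 'deny' for a command line issued by a member of group.

    Evaluation order in this model (a simplification of the daemon):
      1. If a cmd block exists for the first word, test its rules in order
         against the remaining arguments; the first matching rule decides.
      2. A cmd block with no matching rule denies the command.
      3. A command with no cmd block at all falls back to the group default:
         permit only when "default service = permit" is set, else deny.
    """
    rules = GROUPS[group]
    name, _, args = command.strip().partition(" ")
    cmd_rules = rules["cmd"].get(name)
    if cmd_rules is None:
        return "permit" if rules["default_service_permit"] else "deny"
    for verdict, pattern in cmd_rules:
        # The model anchors the pattern at the start of the argument string.
        if re.match(pattern, args):
            return verdict
    return "deny"


if __name__ == "__main__":
    for grp, cmd in [("sysadmin", "interface FastEthernet0/1"),
                     ("sysadmin", "interface Loopback0"),
                     ("sysadmin", "router ospf 1"),
                     ("admin", "router ospf 1")]:
        print(f"{grp:9s} {cmd:28s} -> {authorize(grp, cmd)}")
```

Running it shows why the same command is handled differently per group: “router ospf 1” is denied for sysadmin (no cmd block, no default permit) but permitted for admin.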

Hi,
Can you tell me where we use “default attribute = permit” and what it means?

Thanks

Hello Sims

The “default attribute” syntax specifies the default attribute permission for a particular service authorization.

Some actions when authorizing services (e.g. when matching attributes are not found) depend on how the default is configured. This particular command changes the default from deny to permit for the particular user and service.

I hope this has been helpful!

Laz

Hi,
In case the TACACS+ server fails, the authentication and command authorization also fail.
How do I overcome this?

Also, is it possible to permit the "router ospf" command only inside the VRF?

Thanks

Hi,
What is "single-connection port" in the TACACS+ configuration, and when should it be used?
Thanks

Hi, can you give an example for this?
Thanks

Hello Sims

The “single-connection” keyword in the configuration of the TACACS+ server host command is used to maintain a single open TCP connection between the router and the server, rather than having the router open and close a TCP connection each time it must communicate. This improves the efficiency of the communication between the router and the server. More info on this can be found in the following Cisco documentation:

As for the default attribute syntax, you can see several examples in this TACACS+ documentation. Take a look at the section titled CONFIGURING DEFAULT AUTHORIZATION.

I hope this has been helpful!

Laz