1. Overview
Tacacs Plus is an identity and access management protocol for AAA services: authentication, authorization and accounting. It is used for centralized authentication and access management to network devices.
It is a security protocol that can grant a particular user specific authorization and centralized access to work with network devices. With accounting, it provides a mandatory audit trail by logging all actions executed by privileged users.
2. Prerequisites
In this article on how to install the Tacacs+ identity management solution, it is presumed that:
a. You already have a RHEL/CentOS 7 Linux dedicated server up and running. If you don't, you may want to read this article: Minimal RHEL/CentOS 7 Installation With Logical Volume Manager (LVM).
b. You have already done the initial server setup. Please refer to this article: Minimal RHEL/CentOS 7 Initial Server Setup.
3. Installing Tacacs Plus
First of all we need to create a new Yum repository file from which we can grab the tac_plus package, so we don't need to compile the source code.
# cd /etc/yum.repos.d/
# vim tacacs-plus.repo
[tacacs-plus]
name=Tacacs Plus
baseurl=http://li.nux.ro/download/nux/misc/el6/x86_64/
enabled=0
gpgcheck=1
gpgkey=http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
Now we can install the tac_plus package with the following command.
# yum --enablerepo=tacacs-plus install tac_plus
4. Join Tacacs Plus Server to Domain Controller
First, we need to install all of the mandatory packages below.
# yum -y install realmd sssd oddjob oddjob-mkhomedir adcli samba-common
# yum -y install oddjob oddjob-mkhomedir sssd samba-common-tools
Now let's check whether we can discover the Active Directory domain.
# realm discover techspacekh.local
techspacekh.local
type: kerberos
realm-name: TECHSPACEKH.LOCAL
domain-name: techspacekh.local
configured: no
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
Now that our Tacacs Plus server can discover the Active Directory domain, we can join it to the Domain Controller.
# realm join --user=administrator techspacekh.local
Password for administrator:
Now that our Tacacs Plus server is a member of the Active Directory domain, we can test retrieving AD user information as follows.
# id administrator@techspacekh.local
uid=30200500(administrator@techspacekh.local) gid=30200513(domain users@techspacekh.local) groups=30200513(domain users@techspacekh.local),30200520(group policy creator owners@techspacekh.local),30200572(denied rodc password replication group@techspacekh.local),30200518(schema admins@techspacekh.local),30200519(enterprise admins@techspacekh.local),30200512(domain admins@techspacekh.local)
We can omit the domain name for AD users by editing the file /etc/sssd/sssd.conf as follows.
# vim /etc/sssd/sssd.conf
#use_fully_qualified_names = True
use_fully_qualified_names = False
# systemctl restart sssd
Now we should be able to find user accounts without specifying the domain as below.
# id administrator
uid=30200500(administrator) gid=30200513(domain users) groups=30200513(domain users),30200520(group policy creator owners),30200518(schema admins),30200512(domain admins),30200572(denied rodc password replication group),30200519(enterprise admins)
# id netadmin01
uid=30201107(netadmin01) gid=30200513(domain users) groups=30200513(domain users)
# id netadmin02
uid=30201106(netadmin02) gid=30200513(domain users) groups=30200513(domain users)
# id techadmin01
uid=30201108(techadmin01) gid=30200513(domain users) groups=30200513(domain users)
5. Configuring Tacacs Plus
Below is the configuration requirement. There are two groups. The first group is named "netadmins" and has full privileges on the network devices; the second group is named "guestusers" and has centralized access only to execute show commands to view the configuration, without being able to make any change on the network devices.
Authentication              | Authorization Commands | Accounting
Group Name  | Group Member  |                        |
------------+---------------+------------------------+-------------------
netadmins   | netadmin01    | Full privileges        | /var/log/tac.acct
            | netadmin02    |                        |
guestusers  | techadmin01   | show                   |
            |               | exit                   |
            |               | end                    |
In Active Directory, there are two groups. The first group is named "NetAdmin" and will be assigned full privileges to configure the network devices.
The second group is named "TechAdmin" and will only be able to execute show commands to view the configuration, without being able to make any change on the network devices.
We can start editing the Tacacs Plus configuration file as follows.
# vim /etc/tac_plus.conf
key = "VK@123"
accounting file = /var/log/tac.acct

## Groups Definition ##
group = netadmins {
    default service = permit
    login = PAM
    service = exec {
        priv-lvl = 15
    }
}

group = guestusers {
    default service = deny
    login = PAM
    service = exec {
        priv-lvl = 15
    }
    cmd = show {
        permit .*
    }
    cmd = exit {
        permit .*
    }
    cmd = quit {
        permit .*
    }
    cmd = end {
        permit .*
    }
}

## Users Definition ##
user = netadmin01 {
    member = netadmins
}
user = netadmin02 {
    member = netadmins
}
user = techadmin01 {
    member = guestusers
}
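To see what this configuration actually authorizes, here is a small added example (not from the original post or the tac_plus project) that models the command-authorization rules above in Python and evaluates sample commands for each user. The group names, users and cmd blocks are taken from the configuration; the matching semantics (first-word lookup, unanchored regex, deny when a cmd block matches no pattern) are my assumption of tac_plus behaviour, and the example shows that only the cmd blocks restrict guestusers, since both groups receive priv-lvl 15.

```python
import re

# Constructed model of the tac_plus.conf above (added example, not the
# project's code): each group has a "default service" and zero or more
# "cmd = <name> { permit|deny <regex> }" blocks that are tried in order.
GROUPS = {
    "netadmins": {"default_service": "permit", "cmds": {}},
    "guestusers": {
        "default_service": "deny",
        "cmds": {
            "show": [("permit", r".*")],
            "exit": [("permit", r".*")],
            "quit": [("permit", r".*")],
            "end": [("permit", r".*")],
        },
    },
}
USERS = {"netadmin01": "netadmins", "netadmin02": "netadmins",
         "techadmin01": "guestusers"}


def authorize(user, command):
    """Return (decision, reason) for one shell command.

    Assumed tac_plus semantics: the first word selects a cmd block and the
    first permit/deny regex (unanchored) matching the rest of the line
    decides; a block that matches nothing denies; with no block at all the
    group's default service decides. Unknown users are always denied."""
    group = GROUPS.get(USERS.get(user, ""))
    if group is None:
        return ("deny", "unknown user")
    words = command.strip().split(None, 1)
    if not words:
        return ("deny", "empty command")
    name, args = words[0], (words[1] if len(words) > 1 else "")
    rules = group["cmds"].get(name)
    if rules is None:
        return (group["default_service"], "default service")
    for action, pattern in rules:
        if re.search(pattern, args):
            return (action, f"cmd = {name} {{ {action} {pattern} }}")
    return ("deny", f"no pattern in cmd = {name} matched")


if __name__ == "__main__":
    for user, cmd in [("netadmin01", "configure terminal"),
                      ("techadmin01", "show running-config"),
                      ("techadmin01", "configure terminal")]:
        print(f"{user:12} {cmd:22} -> {authorize(user, cmd)[0]}")
```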
Finally, we need to start the tac_plus service and enable it to start after a system reboot.
# systemctl restart tac_plus
# chkconfig tac_plus on
We can verify that tac_plus is listening on its port with the following command.
# nmap localhost
Starting Nmap 6.40 ( http://nmap.org ) at 2017-05-25 22:19 +07
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000080s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
49/tcp open tacacs
Nmap done: 1 IP address (1 host up) scanned in 0.10 second
Now we need to open the firewall for the tac_plus port.
# vim /etc/sysconfig/iptables
-A INPUT -p tcp -m state --state NEW -m tcp --dport 49 -j ACCEPT
# systemctl restart iptables
# iptables -L -v -n
6. Conclusion
This is how to configure Tacacs+ on RHEL/CentOS 7. Tacacs+ is a security protocol used to provide centralized access to networks. Hopefully you now understand how to install and configure it to authenticate Active Directory users. If you have any questions or suggestions, you can always leave your comments below. I will try my best to review and reply to them. Thank you and have a great day.