Is TACACS+ still relevant?
TACACS+ remains relevant, and not only for legacy systems: it is still the standard choice for administering network devices (routers, switches, firewalls) in enterprise environments. RADIUS dominates network access (802.1X, VPN) and SAML covers web applications, but neither separates authorization and accounting from authentication the way TACACS+ does, and neither offers per-command authorization and per-command accounting, which is why TACACS+ persists wherever granular control over administrator privileges is critical. One caveat up front: the protocol (RFC 8907) obfuscates packet bodies with an MD5-derived keystream rather than encrypting them, so the server belongs on an isolated management network. Here's how to install and configure TACACS+ on a modern Linux distribution (e.g., Ubuntu 22.04 or RHEL 9), using the Shrubbery Networks tac_plus daemon that the distribution packages are built from.
Installing TACACS+
Install the daemon from the distribution's package manager where a package exists:
- Ubuntu/Debian (the package is named tacacs+ and contains the Shrubbery tac_plus daemon):
sudo apt update
sudo apt install tacacs+
- RHEL/CentOS: tac_plus is not in the base repositories. Enable EPEL or a third-party repository that provides it, or build Shrubbery's tac_plus from source. If a repository you trust provides a package, install it with dnf, for example:
sudo dnf install tacacs-plus
Whatever the source, confirm which binary and configuration path you ended up with: tac_plus -v prints the version, and the daemon reads its configuration from the file given with -C.
Configuring TACACS+
The configuration file is /etc/tac_plus.conf when tac_plus is built from source; the Debian/Ubuntu package installs it as /etc/tacacs+/tac_plus.conf and starts the daemon with -C pointing at that path. Here's an updated configuration that aligns with modern use cases and secure defaults (Shrubbery tac_plus syntax; # starts a comment):
# Example tac_plus.conf for a secure modern setup
# Shared secret: generate a long random value (e.g. openssl rand -base64 32) and keep it
# identical on every device that talks to this server. It keys the MD5 obfuscation pad,
# so treat it like a password: anyone holding it can read every packet body.
key = "supersecret"
# Accounting records (session start/stop, every authorized command) go to a flat file;
# the directory must exist and be writable by the daemon. Daemon messages (start-up,
# config errors, login failures) go to syslog under the program name tac_plus.
accounting file = /var/log/tacacs/acct.log
# Administrators: full privilege level; any exec attribute not listed is permitted.
group = admin {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}
# Users need a login method, otherwise no authentication can succeed. PAM delegates to
# the tac_plus service in /etc/pam.d/ (requires a daemon built with PAM support;
# alternatives are login = file /etc/passwd or login = des "<hash>").
user = example {
    member = admin
    login = PAM
}
priv-lvl is a Cisco-style privilege level (1 = user EXEC, 15 = enable). The server only returns it as an exec attribute; the device enforces it. Use it to separate operators from administrators, and use per-command authorization (cmd = blocks) for anything finer. Keep the file readable by root and the daemon only (chmod 600): the key and any password hashes live in it.
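To make concrete what the key does and does not protect, here is an added example (not part of tac_plus or of the original page) that builds a TACACS+ PAP authentication START packet as laid out in RFC 8907, obfuscates the body with the MD5 pseudo-pad, and then parses the packet back three ways: with the right key, with a wrong key, and with no key at all. The user name "example", the password, the session id and the key "supersecret" are constructed test values.

```python
"""RFC 8907 TACACS+ header layout and body obfuscation (added example)."""
import hashlib
import struct

# 12-byte header (RFC 8907 section 4.1), always sent in the clear:
#   version(1) type(1) seq_no(1) flags(1) session_id(4) length(4)
HEADER = struct.Struct("!BBBBII")
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_ONE = 0x1        # minor version 1 is required for PAP/CHAP
TAC_PLUS_AUTHEN = 0x01              # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # body carried without the pseudo-pad
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenate, truncate.
    Every input except the key is readable from the cleartext header."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, password, port=b"tty0", rem_addr=b"192.0.2.50", priv_lvl=1):
    """Authentication START body (RFC 8907 section 5.1) for a PAP login: four fixed
    bytes, four length bytes, then user, port, rem_addr and data (the password)."""
    fixed = bytes([TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_PAP,
                   TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(password)])
    return fixed + user + port + rem_addr + password


def build_packet(ptype, seq_no, session_id, body, key):
    """Wrap a body in a header. An empty key sets TAC_PLUS_UNENCRYPTED_FLAG (body in clear)."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_ONE
    flags = 0
    if key:
        body = obfuscate(body, session_id, key, version, seq_no)
    else:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
    return HEADER.pack(version, ptype, seq_no, flags, session_id, len(body)) + body


def parse_packet(packet, key):
    """Return (header dict, body). body is None when it is obfuscated and no key is known."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    hdr = {"version": version, "type": ptype, "seq_no": seq_no,
           "flags": flags, "session_id": session_id}
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return hdr, body
    if key is None:
        return hdr, None
    return hdr, obfuscate(body, session_id, key, version, seq_no)


def pap_credentials(body):
    """Pull user and password back out of a (deobfuscated) PAP START body."""
    user_len, port_len, rem_len, data_len = body[4:8]
    user = body[8:8 + user_len]
    data_off = 8 + user_len + port_len + rem_len
    return user, body[data_off:data_off + data_len]


def demo(key=b"supersecret"):
    """Constructed exchange: a device sends a PAP START; three observers try to read it."""
    body = authen_start_body(b"example", b"hunter2")
    packet = build_packet(TAC_PLUS_AUTHEN, 1, 0x1234ABCD, body, key)
    hdr, with_key = parse_packet(packet, key)        # the server, which shares the key
    _, without_key = parse_packet(packet, None)      # passive sniffer without the key
    _, wrong_key = parse_packet(packet, b"guess")    # sniffer with a wrong guess
    user, password = pap_credentials(with_key)
    return {"session_id": hdr["session_id"], "user": user, "password": password,
            "readable_without_key": without_key is not None,
            "wrong_key_recovers_body": wrong_key == body}


if __name__ == "__main__":
    print(demo())
```

Two things the output makes visible: the session id, packet type and sequence number are never hidden, so traffic analysis needs no key, and the whole confidentiality of the password rests on the key and on MD5, which is why a captured session plus a guessable key is a full credential leak.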
Starting TACACS+
Leverage systemctl for service management. Before the first start, and after every configuration change, have the daemon parse the file and exit; this catches syntax errors without taking device authentication down:
sudo tac_plus -P -C /etc/tacacs+/tac_plus.conf
The unit name depends on the package: the Debian/Ubuntu tacacs+ package registers it as tacacs_plus (if in doubt, list it with systemctl list-unit-files | grep -i tac). Enable it at boot and start it:
sudo systemctl enable --now tacacs_plus
To check its status, the last log lines, and that it is listening on TCP port 49:
sudo systemctl status tacacs_plus
sudo journalctl -u tacacs_plus -n 50
sudo ss -ltnp | grep ':49 '
Firewall and Security
TACACS+ listens on TCP port 49. In modern Linux environments firewalld and iptables/nftables may still be in use; open the port explicitly rather than relying on a named service definition, and restrict it to the subnet your network devices reach the server from, because the protocol's MD5 obfuscation is not confidentiality and an exposed port 49 lets anyone on the network probe the daemon with guessed keys:
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.0.2.0/24" port port="49" protocol="tcp" accept'
sudo firewall-cmd --reload
Here 192.0.2.0/24 stands in for your management subnet; a plain --add-port=49/tcp would open the service to every source. Verify the result from a host inside and a host outside that subnet (for example with nmap -p 49 <server>).
Advanced TACACS+ Configurations
While the basic setup of TACACS+ allows for central user management, more advanced configurations are needed for larger infrastructures or heightened security requirements. Let’s dive into role-based access control, integration with LDAP, and setting up TACACS+ failover mechanisms.
Role-Based Access Control (RBAC)
Define groups and make users members of them; authorization attributes are inherited from the group, so per-user blocks stay small:
# Operators: read-only privilege level. "default service = deny" rejects any service
# or command that is not explicitly listed, so only exec (at priv-lvl 1) is granted.
group = readonly {
    default service = deny
    service = exec {
        priv-lvl = 1
    }
}
user = guest {
    member = readonly
    login = PAM
}
A privilege level on its own is coarse: on Cisco IOS, priv-lvl 1 still allows a range of show commands and priv-lvl 15 allows everything. Combine it with cmd = blocks, and configure the devices to request command authorization, when you need finer control.
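Per-command authorization is what TACACS+ offers beyond a privilege level. The block below is an added example in Shrubbery tac_plus.conf syntax, not from the original page or the tac_plus distribution; the group names, the users and the denied patterns are illustrative. In tac_plus the regexes are matched against the command's arguments (everything after the first word), entries are evaluated top to bottom, and the first permit or deny that matches wins; unanchored patterns match substrings, so anchor them where the intent is "exactly this".

```conf
# Added example: per-command authorization in tac_plus.conf (Shrubbery tac_plus syntax).

# Read-only operators: nothing is granted unless listed here.
group = readonly {
    default service = deny
    service = exec {
        priv-lvl = 1
    }
    # "show" is allowed, except for the two views that expose secrets
    cmd = show {
        deny "running-config"
        deny "startup-config"
        permit .*
    }
    cmd = exit { permit .* }
    cmd = logout { permit .* }
}

# Network operators: full privilege level, but no local account changes
# and no configuration export over cleartext transports.
group = netops {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
    # no local users or password changes
    cmd = username { deny .* }
    # cannot disable AAA (which would lock TACACS+ out) or remove local users
    cmd = no {
        deny "^aaa "
        deny "^username "
        permit .*
    }
    # no "copy running-config tftp://..." style exports
    cmd = copy {
        deny "tftp:"
        deny "ftp:"
        permit .*
    }
    # everything not listed above is allowed by "default service = permit"
}

user = guest {
    member = readonly
    login = PAM
}
user = oper1 {
    member = netops
    login = PAM
}
```

The cmd blocks are only consulted if the device asks: on Cisco IOS that means aaa authorization commands 1 and aaa authorization commands 15 pointing at the TACACS+ server group. Run tac_plus -P on the file after editing, and test a policy change from a second session while an administrator session stays open, so a typo in a deny pattern cannot lock everyone out.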
Integrating TACACS+ with LDAP
Many modern environments integrate TACACS+ with LDAP for centralized authentication. tac_plus does this through PAM: a user or group with login = PAM in tac_plus.conf is authenticated by the PAM service named tac_plus, i.e. the stack in /etc/pam.d/tac_plus, and PAM in turn talks to LDAP. Authorization (priv-lvl, command permissions) still comes from tac_plus.conf; LDAP only answers whether the password is right for the user.
- Install the necessary packages (Debian/Ubuntu; the pam_ldap.so used here comes from nss-pam-ldapd and talks to the local nslcd daemon):
sudo apt install libpam-ldapd
- Edit /etc/pam.d/tac_plus to configure PAM:
auth    required  pam_ldap.so
account required  pam_ldap.so
- Point the users (or their group) at PAM in tac_plus.conf:
user = example {
    member = admin
    login = PAM
}
This setup lets you leverage existing LDAP infrastructure for TACACS+ authentication, which is common in hybrid environments. Two caveats: the password reaches the TACACS+ server under the protocol's MD5 obfuscation only and is then sent to LDAP in a simple bind, so require TLS on the LDAP leg (ssl on or ssl start_tls plus a CA certificate in /etc/nslcd.conf) and keep the TACACS+ leg on the isolated management network; and an LDAP outage now means nobody can log in to any device, so keep a local emergency account on the devices (see Failover and Redundancy below) and test the PAM stack with a non-admin account before switching administrators over.
Failover and Redundancy
In modern network environments, redundancy is crucial. Failover is not configured in tac_plus.conf, which has no server = directive; instead, run two (or more) daemons with identical configuration files, and list them on the client side, i.e. on each network device, which tries them in order and fails over when one stops answering. On Cisco IOS/IOS-XE that looks like this (addresses stand in for tacacs1.domain.com and tacacs2.domain.com; each key must match the key in that server's tac_plus.conf):
tacacs server tacacs1
 address ipv4 192.0.2.10
 key secret1
 timeout 5
tacacs server tacacs2
 address ipv4 192.0.2.11
 key secret2
 timeout 5
aaa group server tacacs+ TACACS-ADMIN
 server name tacacs1
 server name tacacs2
aaa authentication login default group TACACS-ADMIN local
aaa authorization exec default group TACACS-ADMIN local
Keep the trailing local so a locally stored emergency account still works when every TACACS+ server is unreachable, and keep the servers' configuration files in sync (configuration management or a checksummed copy), otherwise a user gets different privileges depending on which server answered.
Logging and Auditing
Security operations need the accounting records (who ran which command on which device, and when), not only daemon messages, shipped to a central logging solution like ELK or Grafana Loki. tac_plus writes two streams: daemon messages (start-up, configuration errors, login failures) go to syslog with the program name tac_plus, and accounting records go to the accounting file named in tac_plus.conf, which rsyslog has to read with its imfile module.
- Edit /etc/rsyslog.conf (or a file under /etc/rsyslog.d/) to pick up both streams and forward them:
module(load="imfile")
input(type="imfile" File="/var/log/tacacs/acct.log" Tag="tac_plus_acct:" Severity="info" Facility="local6")
if $programname == 'tac_plus' or $programname == 'tac_plus_acct' then @@logserver.domain.com:514
- Restart rsyslog:
sudo systemctl restart rsyslog
@@ is plain TCP. The records contain user names and full command lines, so outside a dedicated management network use rsyslog's TLS support (the gtls stream driver, or RELP over TLS) towards the collector. Then build detections on the records: privilege-15 commands from accounts that should not have that level, changes to aaa or username, and configuration exports to tftp: are the obvious first alerts.
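Here is an added example, not part of the original page or of tac_plus, of the kind of detection logic that belongs on the collector: it parses records in the tab-separated layout tac_plus writes to its accounting file and flags the cases named above. The six records, the device addresses and the ADMINS allow-list are constructed for the example.

```python
"""Parse tac_plus accounting records and flag risky administrator actions (added example)."""
import re
from datetime import datetime

# Constructed sample in the tab-separated layout of the tac_plus accounting file:
# timestamp, NAS address, user, port, remote address, status, then attr=value pairs.
SAMPLE_ACCT = "\n".join([
    "Tue Feb 13 09:01:02 2024\t192.0.2.10\talice\ttty2\t198.51.100.7\tstart\ttask_id=11\ttimezone=UTC\tservice=shell",
    "Tue Feb 13 09:01:20 2024\t192.0.2.10\talice\ttty2\t198.51.100.7\tstop\ttask_id=12\ttimezone=UTC\tservice=shell\tpriv-lvl=15\tcmd=show running-config <cr>",
    "Tue Feb 13 09:02:05 2024\t192.0.2.10\talice\ttty2\t198.51.100.7\tstop\ttask_id=13\ttimezone=UTC\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>",
    "Tue Feb 13 09:05:44 2024\t192.0.2.11\tbob\ttty1\t198.51.100.9\tstop\ttask_id=21\ttimezone=UTC\tservice=shell\tpriv-lvl=1\tcmd=show ip interface brief <cr>",
    "Tue Feb 13 09:06:10 2024\t192.0.2.11\tbob\ttty1\t198.51.100.9\tstop\ttask_id=22\ttimezone=UTC\tservice=shell\tpriv-lvl=15\tcmd=username backdoor privilege 15 secret Pa55w0rd <cr>",
    "Tue Feb 13 09:09:31 2024\t192.0.2.10\talice\ttty2\t198.51.100.7\tstop\ttask_id=14\ttimezone=UTC\tservice=shell\tpriv-lvl=15\tcmd=copy running-config tftp://198.51.100.99/rtr1.cfg <cr>",
])

ADMINS = {"alice"}  # constructed allow-list of accounts expected to run at priv-lvl 15

# Command patterns worth an alert on their own, whoever runs them.
SENSITIVE = {
    "config-mode":   re.compile(r"^configure\b"),
    "local-account": re.compile(r"^(no )?username\b"),
    "aaa-change":    re.compile(r"^(no )?aaa\b"),
    "config-export": re.compile(r"^copy\b.*\b(tftp|ftp|http|scp)://"),
}


def parse_record(line):
    """Split one accounting line into fixed fields plus an attrs dict; 'cmd' is normalised."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6:
        raise ValueError(f"not a tac_plus accounting record: {line!r}")
    rec = {
        "time": datetime.strptime(fields[0], "%a %b %d %H:%M:%S %Y"),
        "nas": fields[1], "user": fields[2], "port": fields[3],
        "remote": fields[4], "status": fields[5], "attrs": {},
    }
    for attr in fields[6:]:
        name, _, value = attr.partition("=")
        rec["attrs"][name] = value
    cmd = rec["attrs"].get("cmd")
    if cmd is not None:
        # the NAS appends " <cr>" to every command it reports
        rec["cmd"] = re.sub(r"\s*<cr>$", "", cmd).strip()
    return rec


def detect(records):
    """Return (user, rule, command) alerts for command records that match a rule."""
    alerts = []
    for rec in records:
        cmd = rec.get("cmd")
        if cmd is None:          # session start/stop records carry no command
            continue
        priv = int(rec["attrs"].get("priv-lvl", "0"))
        if priv == 15 and rec["user"] not in ADMINS:
            alerts.append((rec["user"], "priv15-by-non-admin", cmd))
        for rule, pattern in SENSITIVE.items():
            if pattern.search(cmd):
                alerts.append((rec["user"], rule, cmd))
    return alerts


def analyse(text=SAMPLE_ACCT):
    """Run the detections over a block of accounting text."""
    return detect(parse_record(line) for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    for user, rule, cmd in analyse():
        print(f"{rule:22} {user:8} {cmd}")
```

On the sample this yields four alerts: alice entering configuration mode and exporting the running config to a TFTP server, and bob, who is not on the admin list, both running at privilege 15 and creating a local account. The priv-lvl check relies on the server returning the level it was configured for, so the ADMINS list should be generated from tac_plus.conf rather than maintained by hand.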
Conclusion:
TACACS+ is not outdated for what it was designed for: centralized authentication, per-command authorization and accounting for network device administration. Installing it from current packages, delegating authentication to PAM and LDAP, running redundant servers with local fallback on the devices, and shipping its logs to a central store keep it viable for today's security needs, provided the shared key stays secret and port 49 stays on the management network.