SysAdmins Tech logo

Install an configure tacacs+ on Debian 8 – part 2

Let’s connect our Cisco switch with our Debian 8 tacacs+ server The first step is to connect to the ASA device and gain privilege exec access. Th global configuration mode is needed and can be obtained using “configure terminal”. From global configuration mode the rest of the commands to setup TACACS+ will be issued. #…

Let’s connect our Cisco switch with our Debian 8 tacacs+ server

The first step is to connect to the ASA device and gain privilege exec access.

Th global configuration mode is needed and can be obtained using “configure terminal”.
From global configuration mode the rest of the commands to setup TACACS+ will be issued.

# configure terminal

Create a backup account to gain access to the device in the event that the TACACS+ system is unavailable.

# username backup.account privilege 15 password secret_password_here

The next step is to specify all of the server information and key.

tacacs-server host <server_ip>
tacacs-server key secret_TACACS+_key_here

Setup  the AAA information that the TACACS+ server will handle.
Below is a list of the commands:

# aaa new-model
# aaa authentication login default group tacacs+ local none
# aaa authorization exec default group tacacs+ local none
# aaa authorization commands 0 default group tacacs+ local none
# aaa authorization commands 15 default group tacacs+ local none
# aaa accounting exec default start-stop group tacacs+
# aaa accounting commands 0 default start-stop group tacacs+
# aaa accounting commands 15 default start-stop group tacacs+

Explanation about the commands used above:

  • The first stanza creates a AAA model.
  • The second line is used to tell the switch/router that it should check all login attempts against the TACACS+ server first and if the server isn’t available check the locally configured user database.
  • The authorization lines tell the network device to contact the TACACS+ server to determine if the user is allowed to run particular commands at that particular privilege level.
  • The accounting lines tell the network device to log activity to the TACACS+ server.

Now you should be able to configure your network device for SSH access, using the following commands:

# ip domain-name <some.domain.name>
# crypto key generate rsa - This will prompt the user for the key size, set this to a number larger than 2048
# line vty 0 15
# transport input ssh

NOTE:

Depending of your CISCO machine (it could be one of those without SSH support), you may use different instructions for connecting that device to a TACACS+ server.

To test it log completely out of the switch and then attempt to SSH into the switch using the username configured earlier on the TACACS+ server.
On Linux systems, this can be done via the command:

# ssh <tacacs_username>@<server_ip>

If access is granted to the switch/router, congratulations!
Your TACACS+ server is working just fine.

Final notes:

  • You should read the full documentation on tac_plus and fine tune the setup, the password, the encryption method … etc.
  • Keep in mind this is a simple setup. You can do much more if the system is correctly understood.

 

Marin

I’m a tech enthusiast who loves exploring open-source software and playing around with Linux setups. When I’m not diving into observability or cloud infrastructure, you’ll probably find me building simple, functional websites from scratch with PHP, HTML, CSS, and MySQL. For fun, I write little PHP CLI or bash scripts to automate tasks, experiment, and see what else I can make my Linux box do. Whether it’s setting up Docker clusters or trying out new tech tools, I enjoy keeping things hands-on and discovering what’s possible.

Previous
Next

Related Posts