Monthly Archives: January 2016

Linux tacacs+ authentication for Cisco devices

Prerequisites:
– you have already defined a local fallback user on your Cisco device in case TACACS+ authentication does not work
– in this case I have already configured SSH access

Part 1: configure the tacacs+ server on Debian Linux

Install package:

apt-get install tacacs+

Configure tacacs+ by editing the file /etc/tacacs+/tac_plus.conf:

###########################################################
# Default Config
###########################################################
# Shared secret: must match the key configured on the Cisco device
key = mysuperkeypriv
# Use the /etc/passwd file to do authentication
default authentication = file /etc/passwd
# Accounting records log file (every authenticated command is logged here)
accounting file = /var/log/tacacs/tac_acc.log

###########################################################
# Groups
###########################################################
group = netadmin {
    # commands without an explicit cmd block are permitted
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}
group = users {
    # commands without an explicit cmd block are denied
    default service = deny
    service = exec {
        priv-lvl = 1
    }
}

###########################################################
# Netadmin users
###########################################################
user = superadmin {
    member = netadmin
}

###########################################################
# Unprivileged Users
###########################################################
user = albert {
    member = users
    # rules are tried in order against the command arguments, first match wins
    cmd = show {
        deny ip
        deny tacacs
        permit .*
    }
    cmd = quit {
        permit .*
    }
    cmd = exit {
        permit .*
    }
    cmd = logout {
        permit .*
    }
    cmd = ssh {
        permit 192\.168\.1\.[0-9]+
        deny .*
    }
}
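To check what a policy like the one above actually grants before pushing it to a device, here is an added Python example (my own code, not part of the post or of the tacacs+ package). It parses the brace-structured subset of tac_plus.conf used here and answers command-authorization questions the way I read the tac_plus rules: the first cmd block found on the user-then-group chain is consulted, its permit/deny regexes are searched against the argument string in order, the first match wins, no match means deny, and a command with no cmd block falls back to the nearest "default service". Those semantics, the unanchored regex matching, and the trimmed copy of the config embedded as sample input are assumptions to verify against your tac_plus version.

```python
import re

# Trimmed copy of the post's tac_plus.conf, embedded as sample input so the script
# runs offline. Raw string: the ssh rule contains regex backslashes.
SAMPLE_CONF = r"""
# Default Config
key = mysuperkeypriv
default authentication = file /etc/passwd
accounting file = /var/log/tacacs/tac_acc.log

group = netadmin {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}
group = users {
    default service = deny
    service = exec {
        priv-lvl = 1
    }
}

user = superadmin {
    member = netadmin
}

user = albert {
    member = users
    cmd = show {
        deny ip
        deny tacacs
        permit .*
    }
    cmd = ssh {
        permit 192\.168\.1\.[0-9]+
        deny .*
    }
}
"""


def parse_tac_plus(text):
    """Parse the line-oriented, brace-nested subset of tac_plus.conf used in the
    post into a tree; every block is {"kind", "name", "settings", "blocks"}."""
    root = {"kind": "root", "name": "", "settings": [], "blocks": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.endswith("{"):                       # e.g. "group = users {"
            kind, _, name = line[:-1].partition("=")
            block = {"kind": kind.strip(), "name": name.strip(), "settings": [], "blocks": []}
            stack[-1]["blocks"].append(block)
            stack.append(block)
        elif line == "}":
            stack.pop()
        else:                                        # "key = value" or "permit <regex>"
            stack[-1]["settings"].append(line)
    if len(stack) != 1:
        raise ValueError("unbalanced braces in tac_plus.conf")
    return root


def setting(block, key):
    """Value of 'key = value' inside a block, or None if the key is absent."""
    for item in block["settings"]:
        k, eq, v = item.partition("=")
        if eq and k.strip() == key:
            return v.strip()
    return None


def _chain(conf, username):
    """The user's block followed by its group chain (user -> member group -> ...)."""
    users = {b["name"]: b for b in conf["blocks"] if b["kind"] == "user"}
    groups = {b["name"]: b for b in conf["blocks"] if b["kind"] == "group"}
    chain, block = [], users.get(username)
    while block is not None and block not in chain:  # guard against member loops
        chain.append(block)
        block = groups.get(setting(block, "member"))
    return chain


def authorize_command(conf, username, command, args=""):
    """Assumed tac_plus semantics: first cmd block on the chain wins, its rules are
    unanchored regex searches on the argument string, first match decides, no match
    denies; without a cmd block the nearest 'default service' decides."""
    chain = _chain(conf, username)
    for block in chain:
        for b in block["blocks"]:
            if b["kind"] == "cmd" and b["name"] == command:
                for rule in b["settings"]:
                    action, _, pattern = rule.partition(" ")
                    if re.search(pattern.strip(), args):
                        return action == "permit"
                return False                         # assumption: no match -> deny
    for block in chain:
        default = setting(block, "default service")
        if default is not None:
            return default == "permit"
    return False                                     # unknown user -> deny


def exec_priv_lvl(conf, username):
    """Privilege level granted at exec time, from the first 'service = exec' block."""
    for block in _chain(conf, username):
        for b in block["blocks"]:
            if b["kind"] == "service" and b["name"] == "exec":
                lvl = setting(b, "priv-lvl")
                if lvl is not None:
                    return int(lvl)
    return None


CONF = parse_tac_plus(SAMPLE_CONF)

if __name__ == "__main__":
    for user, cmd, args in [("albert", "show", "running-config"), ("albert", "show", "ip route"),
                            ("albert", "ssh", "192.168.1.20"), ("albert", "ssh", "10.0.0.1"),
                            ("albert", "configure", "terminal"), ("superadmin", "configure", "terminal")]:
        verdict = "permit" if authorize_command(CONF, user, cmd, args) else "deny"
        print(f"{user:<10} priv {exec_priv_lvl(CONF, user)}: {cmd} {args} -> {verdict}")
```

Run it as-is to see the verdicts for the constructed queries, or point parse_tac_plus at your real file. One thing the simulator makes visible: because the rules are unanchored searches over the whole argument string, "deny ip" also blocks "show ipv6 ..." and "show version | include ip"; if that is not intended, anchor the pattern (for example "^ip( |$)") and re-run the check before deploying.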

Part 2: configure the Cisco device to use the tacacs+ server

Now configure AAA on the device (replace the server address and key with your own). The methods listed after "group tacacs+" (local, enable, none) are only tried, in that order, when the TACACS+ server does not respond, which is why the local fallback user from the prerequisites matters:

tacacs-server host 192.168.1.12
tacacs-server key mysuperkeypriv
aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authorization exec default group tacacs+ local none
aaa authorization commands 0 default group tacacs+ local none
aaa authorization commands 1 default group tacacs+ local none
aaa authorization commands 15 default group tacacs+ local none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

That's done!

Cisco switch put a port in a VLAN

These are the commands to put ports 7 to 12 in VLAN 2 as access ports.
Hosts will be connected to these ports.

Switch#conf t
Switch(config)#interface range fastEthernet 0/7-12
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 2
Switch(config-if-range)#no shut
Switch(config-if-range)#exit