how to configure Ubuntu to connect to a TACACS server

I have two Ubuntu workstations which I want to configure to use our TACACS+ server for logon rather than their local accounts. How do I configure the workstation to use the tacacs servers?

6

4 Answers

There, I found interesting project - tacacsGUI.com. It is self-hosted front-end UI for tac_plus configuration. My installation was easy, try it. Plus it has some advantages like Backup Maker for auto backup, Subnet searcher for subnets collection etc. Good luck!

I hope you don't mind but I'd just like to add this info for others...

I was able to get xtacacs Version 4.0 working for authentication on a Ubuntu 12.04.02 LTS 64 bit system, with a Cisco AS2511 only after I compiled it in 32bit mode (gcc -m32 ...). If I compiled it to the default 64bit target, it got all sorts of weird errors, like syslog showing that username 'chris' was transposed to 'hcris'.

Of course I had to load the 32bit system libraries (sudo apt-get install ia32-libs) and the 32bit header files (sudo apt-get install gcc-multilib) first.

See ServerFault Post Authenticate Linux sshd with TACACS+ (Cisco ACS)

Install the server

  1. Add the linux server's hostname / ip address into Cisco ACS and restart the Cisco ACS service
  2. Download the tacacs+ PAM module from SourceForge.
  3. Install pam development package for your linux distro. RHEL / CentOS call it pam-devel; Debian / Ubuntu call it libpam-dev (a virtual package name for libpam0g-dev).
  4. Untar the tacacs+ pam module into a temporary working directory
  5. cd into the new folder created by tar.
  6. As root: ./configure; make; make install
  7. As root, edit /etc/pam.d/sshd, and add this line as the first entry in the file:

    auth include tacacs

  8. As root, create a new file called /etc/pam.d/tacacs:

 #%PAM-1.0 auth sufficient /usr/local/lib/security/pam_tacplus.so debug server=192.0.2.27 secret=d0nttr3@d0nm3 account sufficient /usr/local/lib/security/pam_tacplus.so debug server=192.0.2.27 secret=d0nttr3@d0nm3 service=shell protocol=ssh session sufficient /usr/local/lib/security/pam_tacplus.so debug server=192.0.2.27 secret=d0nttr3@d0nm3 service=shell protocol=ssh

Per-Server / Per-user Instructions

As root on each server, create a local linux user account that matches the tacacs+ username for all required users. The users can optionally use passwd to set their local password to whatever they like as a last resort; however, if they set a local password, they will be able to login locally at any time without tacacs+ even if the service is available.

pam_tacplus Service information

The details of how the pam_tacplus.so module works are in this pam-list archived email

Below config is usefull to user authenticate without having users in linux machine.

auth sufficient pam_unix.so try_first_pass nullok
auth required pam_krb5.so use_first_pass no_user_check
account sufficient pam_unix.so
account required pam_krb5.so no_user_check
account optional pam_permit.so
account required pam_time.so
password sufficient pam_unix.so try_first_pass nullok sha512 shadow
password required pam_krb5.so use_authtok no_user_check
session required pam_limits.so
session optional pam_permit.so

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like