These are my notes is about configuring and testing a quick implementation of a free Tacacs+ software: Tacacs.net. The software runs on Windows.
Tacacs+ is used by network devices to authenticate users. Each user that logs on to a network device is checked against the Tacacs+ server database, before a decision is made. The decision can be something like:
- the user is authenticated but will have limited access to the network device
- the user is authenticated and will have full rights on the network device,
- the user is not authorized to access the network device and is kicked off.
Tacacs.net Installation and configuration
Download the software from the official website: www.tacacs.net
Install the software. At some point, the system asks you to configure a shared secret. This key will be used for communications between Tacacs+ clients and the Tacacs+ server.
Configuring Tacacs+ authentication
The configuration files are in the following path (windows 7): C:\documents and settings\all users\application data\tacacs.net\config
To test the tacacs server, un-comment the Users section, under the UserGroup section.
you can use “tacacsverify” to verify if the modifications you did to the various files is valid or not.
You can change the IP address of the server to something that can be put on a network, instead of 127.0.0.1. You do that in the “tacplus.xml” file:
define the shared secret at installation time. This shared key will be used by Tacacs clients when authenticating against the server, and even when we want to test Tacacs+ locally. You can change it later in the “clients.xml” file:
There is a default user account you can use to test Tacacs+ working:
user name: user1
user password: somepassword
to test tacacs+, use the command “tactest” with its parameters. Take a look at the example below.
Authorization defines which levels of access the client is allowed to get. Authorization is configured in the authorization.xml file. If you want to skip all the authorization stuff and just allow “full access” to your authenticated clients, simply change the name of “authentication.xml” file.
In my case, I went a little further and put the Deny section as a comment.