THE FASCINATING WORLD OF NETWORKING
PART I: AAA using TACACS+ and GNS3 example
First of all, you have to install Tacacs.net.
Link: http://www.tacacs.net/download.asp
I have installed this program on my computer and it will be linked to GNS3 by using a loopback interface (IP address: 10.0.2.2/30).
During the installation, you must supply a shared secret password to encrypt communications between the TACACS+ server and the network element:
After the installation has finished, go to the Start menu (if you use Windows XP) and edit the files inside the Configuracion folder:
You have to edit 4 files:
- authentication
- authorization
- tacplus
- clients
NOTE: As you can see, the clients file is not shown in the image. This is because it is a hidden file, so you have to set your operating system to show hidden files.
I recommend making a backup of this folder before editing the files.
You can open each file with Notepad, delete its contents and paste in my configuration examples:
.............................................................................................................................................................................................................................................
authentication file
..............................................................................................................................................................................................................................................
<?xml version="1.0" encoding="utf-8"?>
<!-- Version 1.2 -->
<Authentication xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<UserGroups>
<UserGroup>
<Name>Privileged</Name>
<AuthenticationType>File</AuthenticationType>
<Users>
<User>
<Name>juantron</Name>
<LoginPassword ClearText="juantron" DES=""> </LoginPassword>
<EnablePassword ClearText="" DES=""></EnablePassword>
<CHAPPassword ClearText="" DES=""> </CHAPPassword>
<OutboundPassword ClearText="" DES=""> </OutboundPassword>
</User>
</Users>
</UserGroup>
<UserGroup>
<Name>No_privileges</Name>
<AuthenticationType>File</AuthenticationType>
<Users>
<User>
<Name>martin</Name>
<LoginPassword ClearText="troncoso" DES=""> </LoginPassword>
<EnablePassword ClearText="manuel" DES=""></EnablePassword>
<CHAPPassword ClearText="" DES=""> </CHAPPassword>
<OutboundPassword ClearText="" DES=""> </OutboundPassword>
</User>
</Users>
</UserGroup>
</UserGroups>
</Authentication>
..............................................................................................................................................................................................................................................
authorization file
..............................................................................................................................................................................................................................................
<?xml version="1.0" encoding="utf-8"?>
<!-- Version 1.2 -->
<Authorizations xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Authorizations>
<Authorization>
<UserGroups>
<UserGroup>Privileged</UserGroup>
</UserGroups>
<ClientGroups>
<ClientGroup>INTERNAL</ClientGroup>
</ClientGroups>
<AutoExec>
<Set>priv-lvl=15</Set> <!--Set a privilege of 15 -->
</AutoExec>
<Shell>
<Permit>.*</Permit> <!--All commands are allowed -->
</Shell>
</Authorization>
<Authorization>
<UserGroups>
<UserGroup>No_privileges</UserGroup>
</UserGroups>
<ClientGroups>
<ClientGroup>INTERNAL</ClientGroup>
</ClientGroups>
<AutoExec>
<Set>priv-lvl=7</Set> <!--Set a privilege of 7 -->
</AutoExec>
<Shell>
<Permit>telnet .*</Permit> <!--Allows telnet -->
<Permit>.*show.*</Permit> <!--Allows 'show' commands -->
<Permit>enable</Permit> <!--Allows 'enable' command -->
<Deny>.*</Deny> <!--All other commands are prohibited -->
</Shell>
</Authorization>
</Authorizations>
</Authorizations>
..............................................................................................................................................................................................................................................
clients file
..............................................................................................................................................................................................................................................
<?xml version="1.0" encoding="UTF-8"?>
<!-- Version 1.2 -->
<!--This is the configuration file for TACACS+ clients. A TACACS+ client, as defined by the RFC, is the client that is
making a request to the TACACS+ server such as a router, switch, or firewall-->
<Clients xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<ClientGroups>
<ClientGroup Name="INTERNAL">
<Secret ClearText="juanma" DES=""></Secret>
<Clients>
<Client>10.0.0.0/8</Client>
<Client>172.16.0.0/12</Client>
<Client>192.168.0.0/16</Client>
</Clients>
</ClientGroup>
</ClientGroups>
</Clients>
..............................................................................................................................................................................................................................................
NOTE: if the IP address of your loopback interface is not within these ranges, add it to this file.
..............................................................................................................................................................................................................................................
tacplus file
..............................................................................................................................................................................................................................................
<?xml version="1.0" encoding="UTF-8"?>
<!-- Version 1.2 -->
<!-- This is the global configuration file for the TACACS+ Server
If you have multiple NICs or IP addresses on this system (including virtual adapters like VMWare or VPN), the server will resolve to the first IP address listed in Ipconfig.
If you have multiple physical or virtual NICs, you will need to manually hard code the IP address in <LocalIP>, disconnect any open sessions, and restart the service. You will also need to use the -s switch in TACTest.
The following logging levels are available: Alert, Critical, Error, Warning, Notice, Information, and Debug.
Debug generates the most information, and Alert generates the least amount of logging information.
-->
<Server xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Port>49</Port>
<LocalIP>10.0.2.2</LocalIP>
<DisabledPrompt>This account has been disabled</DisabledPrompt>
<PasswordPrompt>Password: </PasswordPrompt>
<UserNamePrompt>Username: </UserNamePrompt>
<ExpiredPasswordPrompt>The password for this account has expired</ExpiredPasswordPrompt>
<IncorrectPasswordPrompt>Incorrect Password</IncorrectPasswordPrompt>
<IncorrectUserOrPasswordPrompt>Invalid username or incorrect password</IncorrectUserOrPasswordPrompt>
<SocketTimeoutSecs>30</SocketTimeoutSecs>
<AccountingLog RolloverDays="30" RolloverMB="10" DeleteDays="90" LoggingLevel="Information"> </AccountingLog>
<DebugLog RolloverDays="30" RolloverMB="10" DeleteDays="90" LoggingLevel="Debug"> </DebugLog>
<SystemLog RolloverDays="30" RolloverMB="10" DeleteDays="90" LoggingLevel="Information"> </SystemLog>
<!-- <Syslog Host="127.0.0.1" Port="514" MaxLength="1000" Facility="Local6"> </Syslog> -->
<AccountLockoutTries>6</AccountLockoutTries>
<AccountLockoutperiodMins>30</AccountLockoutperiodMins>
<SessionIdleTimeoutMins>15</SessionIdleTimeoutMins>
<TimedCacheExpirySecs>5</TimedCacheExpirySecs>
<OTPSeparator>*</OTPSeparator>
</Server>
..............................................................................................................................................................................................................................................
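Before copying the four files into the Configuracion folder it is worth checking them against each other. The following Python script is an added example, not part of tacacs.net or of this post: it parses shortened copies of the authentication and authorization files above, reports groups that authorization references but authentication never defines, lists users whose LoginPassword is kept ClearText, and tests a command line against a group's Permit/Deny list. The whole-line, first-match rule evaluation and the default privilege level of 1 are assumptions of this example, not documented tacacs.net behaviour.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, shortened copies of the two files above (namespaces and unused password fields omitted).
AUTHENTICATION_XML = """<Authentication><UserGroups>
<UserGroup><Name>Privileged</Name><Users><User><Name>juantron</Name>
<LoginPassword ClearText="juantron" DES=""/></User></Users></UserGroup>
<UserGroup><Name>No_privileges</Name><Users><User><Name>martin</Name>
<LoginPassword ClearText="troncoso" DES=""/></User></Users></UserGroup>
</UserGroups></Authentication>"""

AUTHORIZATION_XML = """<Authorizations><Authorizations>
<Authorization><UserGroups><UserGroup>Privileged</UserGroup></UserGroups>
<AutoExec><Set>priv-lvl=15</Set></AutoExec><Shell><Permit>.*</Permit></Shell></Authorization>
<Authorization><UserGroups><UserGroup>No_privileges</UserGroup></UserGroups>
<AutoExec><Set>priv-lvl=7</Set></AutoExec><Shell><Permit>telnet .*</Permit>
<Permit>.*show.*</Permit><Permit>enable</Permit><Deny>.*</Deny></Shell></Authorization>
</Authorizations></Authorizations>"""

def parse_groups(xml_text):
    """Map each UserGroup name to the users whose LoginPassword is stored ClearText."""
    groups = {}
    for g in ET.fromstring(xml_text).iter("UserGroup"):
        groups[g.findtext("Name")] = [u.findtext("Name") for u in g.iter("User")
                                      if u.find("LoginPassword").get("ClearText")]
    return groups

def parse_shell_rules(xml_text):
    """Map group -> (priv-lvl, [(Permit|Deny, regex), ...] in file order); assumes level 1 if unset."""
    rules = {}
    for a in ET.fromstring(xml_text).iter("Authorization"):
        lvl = next((int(s.text.split("=")[1]) for s in a.iter("Set")
                    if s.text.startswith("priv-lvl=")), 1)
        shell = [(e.tag, e.text) for e in a.find("Shell")]
        for g in a.iter("UserGroup"):
            rules[g.text] = (lvl, shell)
    return rules

def command_allowed(shell_rules, command):
    """Assumed semantics: patterns are tried in file order against the whole command
    line, the first match decides, and a command matching nothing is denied."""
    for action, pattern in shell_rules:
        if re.fullmatch(pattern, command):
            return action == "Permit"
    return False

def lint(groups, rules):
    """Cross-file checks to run before dropping the files into the Configuracion folder."""
    findings = [f"authorization references undefined group '{g}'" for g in rules if g not in groups]
    for g, users in groups.items():
        findings += [f"user '{u}' ({g}) keeps a ClearText LoginPassword" for u in users]
    return findings
```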