I have a number of servers in the lab, but my main server is a jumpbox that straddles the lab and our network named TLTS1. I wanted to be able to really test authentication in the lab so I decided to set up TACACS+ and FreeRADIUS. Here are the steps I followed.
FreeRADIUS
First, install the FreeRADIUS RPMs.
[code]
yum install freeradius freeradius-utils freeradius-doc
[/code]
Edit the configuration file.
[code]
vim /etc/raddb/clients.conf
[/code]
Here is my clients.conf file.
[code]
cat clients.conf | grep -v \# | awk 'NF'
client localhost {
ipaddr = *
proto = *
secret = LAB
require_message_authenticator = no
nas_type = other
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
secret = LAB
}
client LAB {
ipaddr = 192.168.2.0/24
secret = LAB
nas_type = cisco
shortname = CSR1
}
[/code]
Add a user that will be authenticated in the /etc/raddb/users file. First we will do some simple authentication, then we will set up a router. The "me" user is for testing from localhost to make sure everything is working; the "cisco" user is for testing from a router in the lab.
[code]
"me" Cleartext-Password := "CCNP"
	Framed-IP-Address = 192.168.1.210,
	Reply-Message = "Hello, %{User-Name}"
"cisco" Cleartext-Password := "CCIE"
	Service-Type = NAS-Prompt-User,
	Cisco-AVPair = "shell:priv-lvl=15"
[/code]
Start the RADIUS server in debugging mode.
[code]
radiusd -x
[/code]
Test the RADIUS server with "me" as the user from localhost.
[code]
radtest me CCNP 192.168.2.101 1813 LAB
Sending Access-Request Id 169 from 0.0.0.0:45874 to 192.168.2.101:1812
User-Name = "me"
User-Password = "CCNP"
NAS-IP-Address = 172.22.100.21
NAS-Port = 1813
Message-Authenticator = 0x00
Received Access-Accept Id 169 from 192.168.2.101:1812 to 192.168.2.101:45874 length 37
Framed-IP-Address = 192.168.1.210
Reply-Message = "Hello, me"
[/code]
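The radtest exchange above at the packet level, as an added example that is not from the original post: it builds the PAP Access-Request for "me"/"CCNP" with the shared secret LAB (including the Message-Authenticator that radtest first prints as 0x00, which is what require_message_authenticator in clients.conf controls), and checks the Access-Accept's Response Authenticator, which is how a client detects a forged or tampered reply. The request authenticator and the reply bytes are constructed here for the demo; a real client draws 16 random bytes.

```python
import hashlib
import hmac
import struct

SECRET = b"LAB"  # the shared secret from clients.conf (secret = LAB)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, MSG_AUTH = 1, 2, 18, 80

def attr(code, value):
    """One RADIUS attribute: Type, Length (including this 2-byte header), Value."""
    return struct.pack("!BB", code, len(value) + 2) + value

def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    password += b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(password), 16):
        prev = bytes(a ^ b for a, b in zip(password[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_decrypt(blob, secret, authenticator):
    """Inverse of pap_encrypt; the server does this before comparing with Cleartext-Password."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, user, password, secret, authenticator):
    """Access-Request with a Message-Authenticator (RFC 2869): HMAC-MD5 over the whole
    packet with the attribute zeroed, then filled in (radtest prints it as 0x00 first)."""
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, pap_encrypt(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs) + 18) + authenticator
    mac = hmac.new(secret, header + attrs + attr(MSG_AUTH, b"\x00" * 16), hashlib.md5).digest()
    return header + attrs + attr(MSG_AUTH, mac)

def build_access_accept(ident, request_authenticator, secret, attrs):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def response_authenticator_ok(reply, request_authenticator, secret):
    """Client side: a reply whose authenticator does not verify was forged or tampered; drop it."""
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

REQUEST_AUTH = bytes(range(16))  # constructed for the demo; a real client uses 16 random bytes
REQUEST = build_access_request(169, b"me", b"CCNP", SECRET, REQUEST_AUTH)
REPLY = build_access_accept(169, REQUEST_AUTH, SECRET, attr(REPLY_MESSAGE, b"Hello, me"))
```

Running the module with the wrong secret or a flipped reply byte makes response_authenticator_ok() return False, which is the check that separates the genuine Access-Accept from a spoofed one.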
Now test the RADIUS server from a router in the lab.
[code]
aaa new-model
radius server RAD
address ipv4 192.168.2.101 auth-port 1812 acct-port 1813
key LAB
aaa group server radius RAD
server name RAD
aaa authentication login default group RAD local
aaa authentication enable default group RAD none
line vty 0 4
login authentication default
[/code]
Test the login from CSR2 to CSR1.
[code]
CSR2#telnet 192.168.2.1
Trying 192.168.2.1 ... Open
User Access Verification
Username: cisco
Password:
CSR1>exit
[/code]
TACACS+
Download the sources from here.
Install the dependencies.
[code]
yum -y install flex flex-devel bison bison-devel tcp_wrappers-devel
[/code]
Make and install into /usr/local/bin:
[code]
tar -xvzf tacacs-F4.0.4.28.tar.gz
cd tacacs-F4.0.4.28
./configure
make
make install
[/code]
Check they are installed correctly:
[code]
ls /usr/local/bin/ | grep tac && ls /usr/local/sbin/ | grep tac
tac_pwd
tac_plus
man tac_pwd
man tac_plus
[/code]
Much of the rest of this post is a re-hash from FreeLinuxTutorials. I have been burned before, therefore I will take the time to document my steps.
Create the configuration directory and configuration file:
[code]
mkdir /etc/tacacs
touch /etc/tacacs/tac_plus.conf
[/code]
Here is a sample TACACS+ configuration file:
[code]
# KEY
key = "LAB"
# USERS
user = cisco {
default service = permit
member = admin
login = cleartext CCIE
}
# GROUP
group = admin {
default service = permit
service = exec {
priv-lvl = 15
}
}
# Enable Password
user = $enable$ {
login = cleartext CCIE
}
accounting file = /var/log/tacacs.log
[/code]
Change the permissions on the file:
[code]
chmod 600 /etc/tacacs/tac_plus.conf
[/code]
Start the TACACS+ server:
[code]
tac_plus -G -C /etc/tacacs/tac_plus.conf -B 192.168.2.101 -d 4 -l /var/log/tacacs.log -p 49
[/code]
Check that the TACACS+ server is running:
[code]
netstat -na | grep 49
tcp 0 0 192.168.2.101:49 0.0.0.0:* LISTEN
[/code]
Test the TACACS+ server from a Cisco IOS device:
[code]
aaa new-model
tacacs-server host 192.168.2.101
tacacs-server key LAB
aaa group server tacacs+ TACS
server 192.168.2.101
aaa authentication login default group TACS local
aaa authentication enable default group TACS none
line vty 0 4
login authentication default
[/code]
From a second router in the lab:
[code]
CSR2#telnet 192.168.2.1
Trying 192.168.2.1 ... Open
User Access Verification
Username: cisco
Password:
[/code]
Sources:
RADIUS
https://mellowd.co.uk/ccie/?p=2777
http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html
TACACS+
https://rmohan.com/?p=2653
http://freelinuxtutorials.com/tutorials/installation-setup-of-free-tacacs-server-in-linux/
http://www.shrubbery.net/tac_plus/
https://networklessons.com/uncategorized/how-to-install-tacacs-on-linux-centos/
http://blog.marquis.co/configuring-tacacs-server-on-ubuntu-14-04lts/