General Purpose Lab Server

I have a number of servers in the lab, but my main server is a jumpbox that straddles the lab and our network named TLTS1. I wanted to be able to really test authentication in the lab so I decided to set up TACACS+ and FreeRADIUS. Here are the steps I followed.

FreeRADIUS

First install the FreeRadius rpm.

yum install freeradius freeradius-utils freeradius-doc

Edit the configuration file.

vim /etc/raddb/clients.conf

Here is my clients.conf file.

cat clients.conf | grep -v \# | awk 'NF'cat clients.conf | grep -v \# | awk 'NF'
client localhost {
   ipaddr = *
   proto = *
   secret = LAB
   require_message_authenticator = no
   nas_type = other
   limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 30
   }
}
client localhost_ipv6 {
   ipv6addr = ::1
   secret = LAB
}

client LAB {
   ipaddr = 192.168.2.0/24
   secret = LAB
   nas_type = cisco
   shortname = CSR1
}

 

Add a user that will be authenticated in the /etc/raddb/users file. First we will do some simple authentication, then we will setup a router. The “me” user is to test from localhost to make sure everything is working, the “cisco” user is for testing from a router in the lab.

"me" Cleartext-Password := "CCNP"
Framed-IP-Address = 192.168.1.210,
Reply-Message = "Hello, %{User-Name}"</code>

"cisco" Cleartext-Password := "CCIE"
Service-Type = NAS-Prompt-User,
Cisco-AVPair = "shell:priv-lvl=15"

Start the RADIUS server in debugging mode.

radiusd -x

Test the RADIUS server with “me” as a user from localhost.

radtest me CCNP 192.168.2.101 1813 LAB
Sending Access-Request Id 169 from 0.0.0.0:45874 to 192.168.2.101:1812
User-Name = 'me'
User-Password = 'CCNP'
NAS-IP-Address = 172.22.100.21
NAS-Port = 1813
Message-Authenticator = 0x00
Received Access-Accept Id 169 from 192.168.2.101:1812 to 192.168.2.101:45874 length 37
Framed-IP-Address = 192.168.1.210
Reply-Message = 'Hello, me'

Now test the RADIUS server from a router in the lab.

aaa new-model

radius server RAD
address ipv4 192.168.2.101 auth-port 1812 acct-port 1813
key LAB

aaa group server radius RAD
server name RAD

aaa authentication login default group RAD local
aaa authentication enable default group RAD none

line vty 0 4
login authentication default

Test the login from CSR2 to CSR1.

CSR2#telnet 192.168.2.1
Trying 192.168.2.1 ... Open

User Access Verification

Username: cisco
Password:

CSR1>exit

TACACS+
Download the sources from here.

Install the dependencies.

yum -y install flex flex-devel bison bison-devel tcp_wrappers-devel

Make and install into /usr/local/bin

tar -xvzf tacacs-F4.0.4.28.tar.gz
cd tacacs-F4.0.4.28
./configure
make
make install

Check they are installed correctly:

ls /usr/local/bin/ | grep tac && ls /usr/local/sbin/ | grep tac
tac_pwd
tac_plus

man tac_pwd
man tac_plus

Much of the rest of this post is a re-hash from FreeLinuxTutorials. I have been burned before, therefore I will take the time document my steps.

Create the configuration directory and configuration file:

mkdir /etc/tacacs
touch /etc/tacacs/tac_plus.conf

Here is a sample Tacacs+ configuration file:

# KEY
key = "LAB"

# USERS
user = cisco {
   default service = permit
   member = admin
   login = cleartext CCIE
}

# GROUP
group = admin {
   default service = permit
   service = exec {
      priv-lvl = 15
   }
}

# Enable Password
user = $enable$ {
   login = cleartext CCIE
}

accounting file = /var/log/tacacs.log

Change the permissions on the file:

chmod 600 /etc/tacacs/tac_plus.conf

Start the TACACS+ server:

tac_plus -G -C /etc/tacacs/tac_plus.conf -B 192.168.2.101 -d 4 -l /var/log/tacacs.log -p 49

Check that the TACACS+ server is running:

netstat -na | grep 49
tcp        0      0 192.168.2.101:49        0.0.0.0:*               LISTEN

Test the TACACS+ server from a Cisco IOS device:

aaa new-model
tacacs-server host 192.168.2.101
tacacs-server key LAB</code>

aaa group server tacacs+ TACS
server 192.168.2.101

aaa authentication login default group TACS local
aaa authentication enable default group TACS none

line vty 0 4
login authentication default

From a second router in the lab:

CSR2#telnet 192.168.2.1
Trying 192.168.2.1 ... Open

User Access Verification

Username: cisco
Password:

Sources:
RADIUS
https://mellowd.co.uk/ccie/?p=2777
http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html
http://yustanto.com/freeradius.pdf
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/whitepaper_C11-731907.html

TACACS+
https://rmohan.com/?p=2653
http://freelinuxtutorials.com/tutorials/installation-setup-of-free-tacacs-server-in-linux/
http://www.shrubbery.net/tac_plus/
https://networklessons.com/uncategorized/how-to-install-tacacs-on-linux-centos/
http://blog.marquis.co/configuring-tacacs-server-on-ubuntu-14-04lts/%5B

This entry was posted in CCIE, Linux. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s