Internet User Authentication with TACACS

At my place of employment, for TACACS authentication of dial-up Internet users (who are connecting to our modem pool which are in turn connected to a couple of Cisco 250x access servers), we are using the Vikas version of “xtacacsd”.

After compiling and installing the Vikas package (latest versions are available from ftp://ftp.navya.com/pub/vikas; I don't believe the package is available in RPM format), you should add the following entries to the ``/etc/inetd.conf'' file so that the daemon will be loaded by the inetd daemon whenever a TACACS request is received.

# TACACS is a user authentication protocol used for Cisco Router products.
tacacs dgram udp wait root /etc/xtacacsd xtacacsd -c /etc/xtacacsd-conf

Next, you should edit the ``/etc/xtacacsd-conf'' file and customize it, as necessary, for your system (however you will probably be able to use the default settings as-is).

Note

Note: If you are using shadow passwords (see the section called Linux Password & Shadow File Formats in Chapter 6 for details), you will have some problems with this package. Unfortunately, PAM (Pluggable Authentication Module), which Red Hat uses for user authentication, is not supported by this package. One workaround that I use is to keep a separate ``passwd'' file in ``/usr/local/xtacacs/etc/'' which matches the one in /etc/ but is non-shadowed. This is a bit of a hassle, and if you choose to do this make sure you set permissions on the other password file to make sure it is only readable by root:

chmod a-wr,u+r /usr/local/xtacacs/etc/passwd

If you do indeed use shadow, you will most certainly need to edit the ``/etc/xtacacsd-conf'' file and location of the non-shadowed password file (assuming you are using the workaround I have suggested above).

The next step is to configure your access server(s) to authenticate logins for the desired devices (such as dial-up modems) with TACACS. Here is a sample session on how this is done:

mail:/tftpboot# telnet xyzrouter

Escape character is '^]'.
User Access Verification
Password: ****
xyzrouter> enable
Password: ****
xyzrouter# config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
xyzrouter(config)# tacacs-server attempts 3
xyzrouter(config)# tacacs-server authenticate connections
xyzrouter(config)# tacacs-server extended
xyzrouter(config)# tacacs-server host 123.12.41.41
xyzrouter(config)# tacacs-server notify connections
xyzrouter(config)# tacacs-server notify enable
xyzrouter(config)# tacacs-server notify logouts
xyzrouter(config)# tacacs-server notify slip
xyzrouter(config)# line 2 10
xyzrouter(config-line)# login tacacs
xyzrouter(config-line)# exit
xyzrouter(config)# exit
xyzrouter# write
Building configuration...
[OK]  
xyzrouter# exit

Connection closed by foreign host.

All TACACS activity log messages will be recorded in ``/var/log/messages'' for your perusal.