Config 220318
TACACS.net
Installation & Configuration Guide
Table of Contents
1. Introduction
2. System Requirements
2.1. Base System Requirements
2.2. For Best Results
3. Installation
3.1. Installation Wizard
3.2. Confirming Your Installation
3.3. Starting and Stopping Services
4. Configuration
4.1. Global Configuration
4.1.1. Port
4.1.2. LocalIP
4.1.3. Customizable Prompts
4.1.4. Logging
4.1.5. Syslog
4.1.6. IPv6
4.2. Authentication
4.2.1. Configuring Authentication Using Local Service (File Group) Users
4.2.2. Configuring Authentication Using Localhost Users
4.2.3. Configuring Authentication Using Active Directory
4.2.4. Configuring Authentication Using Active Directory and LDAPS
4.2.5. Configuring Authentication Using LDAP
4.2.6. Configuring Authentication Using TACACS+ Proxy
4.2.7. Configuring Authentication Using RADIUS Proxy
4.2.8. The DEFAULT User Group
4.2.9. Creating Encrypted Passwords
4.3. Clients
4.3.1. Default Client Groups
4.3.2. Configuring your router or switch
4.4. Authorization
4.4.1. Name
4.4.2. Time
4.4.3. User Groups
4.4.4. Client Groups
4.4.5. AutoExec
4.4.6. Shell
4.4.7. Services
4.4.8. RemAddrs
4.4.9. The Local System Administrators Profile
4.4.10. The DEFAULT Authorization Profile
5. Testing the Server
5.1. TACVerify
5.2. TACTest
5.2.1. TACTest Examples
6. Windows Firewall
7. Optimizing Performance
8. Feature Enhancements
1. Introduction
Thank you for choosing the TACACS.net TACACS+ Server! TACACS.net is the simplest, easiest, most
flexible, and most cost-efficient TACACS+ server for Windows PCs and Servers. This software was
designed by network administrators for network administrators and can be used in SOHO, SMB,
Enterprise, WAN, or lab environments for setting granular access policies to network devices. For more
information and documentation, visit our web site at www.TACACS.net.
2. System Requirements
2.1. Base System Requirements
Windows XP, Windows 2000 Workstation or Server or later. (1)
1 GHz CPU
256 MB RAM
500 MB HDD free
3. Installation
TACACS.net was designed from the bottom up to be easy to use and configure. In most cases, you
should be up and running within 10 minutes!
1. Download the software from www.tacacs.net.
2. Extract the installer from the .zip file.
3. Optional but recommended: run an MD5 sum tool to confirm that the download is intact and has not
become corrupted in transit. Many free tools for checking MD5 file hashes are available on the
Internet.
4. Run the installation Wizard.
(1) TACACS.net 2.x, also known as TACACS.net Advanced, requires Windows Vista or Windows Server 2008
or later.
C:\>netstat -ab
Active Connections
Proto Local Address Foreign Address State PID
...
TCP mypc:49 mypc:0 LISTENING 2860
[tacplus.exe]
(2) Restart required when making changes to the global configuration file tacplus.xml.
Read the Quickstart Guide to get your server up and running and confirm
basic operation, and then return to this guide for further information on
configuring and managing your server.
4. Configuration
The configuration files should now be accessible from the Programs menu at Start > All Programs >
TACACS.net > Configuration. These files are in XML format and simple to modify with any text editor like
Notepad or Wordpad or an XML editor. You will find instructions in the configuration files themselves in
addition to the instructions in this guide. All files are read by the software linearly (from top to bottom),
so if there is a conflict, the first entry will take precedence.
Before changing any of the default configuration files, make a backup of the
originals so you can restore them later if needed. Copy the original files to a
4.1.1. Port
The TCP port that the server uses is defined in <Port>. The TACACS+ protocol specification defines TCP
port 49 for use for TACACS+, and it is recommended to keep this port. Many TACACS+ network device
clients cannot use other ports, so changing this could introduce unnecessary troubleshooting problems.
4.1.2. LocalIP
This is the IP address that the Server will use. By default, this is set to 127.0.0.1. You should change this
to the server’s IP address if you have multiple physical or virtual interfaces or IP addresses, if you have
installed the software in a virtual machine like VMware, or if you get socket errors when running
TACTest.
4.1.4. Logging
These settings define the name, location, logging level, and rollover settings for the logs.
The following logging levels are available: Alert, Critical, Error, Warning, Notice, Information, and Debug.
Debug generates the most information, and Alert generates the least amount of logging information.
RolloverDays specifies how many days to keep logs before starting a new log. RolloverMB specifies the
maximum size the log file can get before rolling over, and DeleteDays specifies how many days to keep
files before automatically deleting them. (3)
4.1.5. Syslog
This setting is used if you would like to log to an external Syslog server. Syslog support was added in
version 1.2. If you have a previous version of the tacplus.xml configuration file, you can download the
updated configuration file from the web site or add this line manually. These settings were deprecated in
version 2.x to enable the enhanced logging functionality with structured logging and granular control over
syslog destinations, severity levels, and content. Syslog settings for 2.x are configured in logging.xml.
4.1.6. IPv6
IPv6 is supported, but disabled by default to prevent conflict with IPv4 addresses.
4.2. Authentication
All authentication settings can be found in authentication.xml.
Do not run the TACACS.net TACACS+ Server in a live production environment with
the default settings. The default settings are there to get you up and running and
confirm operations as quickly as possible. After you have verified the functionality is
working, you should return to the configuration and optimize the configuration for
the intended environment.
Near the top of authentication.xml, you will find a File Group example that is commented out. Simply
remove the comment markers around the <Users> section of the UserGroup (shown in the example below)
and that will activate the two example users (user1 and user2). After you have done that, run TACTest to
verify server operation, and then modify those two users to create your local File Group users.
<UserGroup>
<Name>Network Engineering</Name>
<AuthenticationType>File</AuthenticationType>
<!--
<Users>
<User>
<Name>user1</Name>
<LoginPassword ClearText="somepassword" DES=""> </LoginPassword>
<EnablePassword ClearText="" DES=""></EnablePassword>
<CHAPPassword ClearText="" DES=""> </CHAPPassword>
<OutboundPassword ClearText="" DES=""> </OutboundPassword>
</User>
<User>
<Name>user2</Name>
<LoginPassword ClearText="somepassword" DES=""> </LoginPassword>
(3) Enhanced logging was introduced in v2.1.0. Refer to the Enhanced Logging Configuration Guide for
information on configuring Enhanced Logging.
Figure 3: Use the File Group Example to create your own File Group users.
<UserGroup>
<Name>Local System Administrators</Name>
<AuthenticationType>Localhost</AuthenticationType>
<LocalhostGroupName>Administrators</LocalhostGroupName>
</UserGroup>
To see the user directory subtree information, you can execute ‘dsquery’ from the command line on
Windows Server:
The User Group <Name> is used to match a policy in authorization.xml. To avoid confusion, use the
same name as the Security Group name in Active Directory.
In <LDAPUserDirectorySubtree>, enter the distinguished name (DN) of the user directory subtree that
contains all users. Copy and paste the output of ‘dsquery’ into the configuration parameter, omitting the
CN=USERNAME component.
The <LDAPGroupName> will come from the output of the ‘dsquery’ command. You can use the complete
DN of the group or just the AD name of the group in the <LDAPGroupName> configuration parameter.
The following example shows the results of using the ‘dsquery’ command for user ‘steve’ on server
‘myserver’ in domain ‘lab.contoso.com’.
The following example demonstrates an Active Directory authentication group using the output of
‘dsquery’ above.
<UserGroup>
<Name>Support</Name>
<AuthenticationType>Windows_Domain</AuthenticationType>
<LDAPServer>127.0.0.1:389</LDAPServer>
<LDAPUserDirectorySubtree>CN=Users,DC=myserver,DC=lab,DC=contoso,DC=com</LDAPUserDirectorySubtree>
<LDAPGroupName>Support</LDAPGroupName>
<LDAPAccessUserName>Administrator</LDAPAccessUserName>
<LDAPAccessUserPassword ClearText="mypassword" DES=""></LDAPAccessUserPassword>
</UserGroup>
The server can only authenticate a user to the group that user is directly a member of. It cannot
authenticate a user to a group that is higher or lower in the AD tree. For example, if your user is in
dc1.contoso.com/Users/Group1/SubgroupA, you must reference the group ‘SubgroupA’ in your
configuration. The user will not authenticate using the group ‘Group1’. This enables the administrator to
set granular access policies and makes the server run faster.
<UserGroup>
<Name>group_w</Name>
<AuthenticationType>Windows_Domain</AuthenticationType>
<LDAPServer>ad.mydomain.net:636</LDAPServer>
<LDAPUseSSL>1</LDAPUseSSL>
<LDAPUserDirectorySubtree>cn=OurUsers,DC=mydomain,DC=net
</LDAPUserDirectorySubtree>
<LDAPGroupName>CN=admin,OU=ROUTERS,OU=TACACS,OU=ManagedServices,
DC=mydomain,DC=net</LDAPGroupName>
<LDAPAccessUserName>someBindUser</LDAPAccessUserName>
<LDAPAccessUserPassword ClearText="mypassword" DES=""></LDAPAccessUserPassword>
</UserGroup>
<UserGroup>
<Name>group_x</Name>
<AuthenticationType>LDAP</AuthenticationType>
<LDAPAuthType>Basic</LDAPAuthType>
<LDAPServer>x.x.x.x:389</LDAPServer>
<LDAPUserDirectorySubtree>o=company, dn=etc.</LDAPUserDirectorySubtree>
<LDAPMemberOfAttribute>groupMembership</LDAPMemberOfAttribute>
<LDAPGroupName>cn=group_x,ou=etc,dn=etc</LDAPGroupName>
<LDAPUserNameAttribute>uid</LDAPUserNameAttribute>
<LDAPAccessUserName>cn=admin,o=etc, dn=etc.</LDAPAccessUserName>
<LDAPAccessUserPassword ClearText="password" DES=""></LDAPAccessUserPassword>
</UserGroup>
1. <LDAPAuthType>Basic</LDAPAuthType>
This is required to change the connection type, which is NTLM by default.
2. <LDAPMemberOfAttribute>groupMembership</LDAPMemberOfAttribute>
This is the name of the attribute used to define profiles in iPlanet.
3. <LDAPGroupName>cn=group_x,...</LDAPGroupName>
This is the group value to look for in the contents of “groupMembership”, for each group_x defined in TACACS.net.
1. If StripRealm is Enabled, it will remove the realm suffix before sending the username to the
second server.
2. TimeoutSecs is how long TACACS.net will wait for a response before it times out and tries again.
3. ConnectionAttempts is the number of attempts it should make before moving on to the next
server or UserGroup.
4. You can set realms to be used for this UserGroup. This is an optional setting. This UserGroup will
not be used unless the specified realm(s) are sent as a part of the username. If a realm is set, it
must be used by the user in order to authenticate.
<UserGroup>
<Name>TACACS+ Proxy users</Name>
<AuthenticationType>TACACS+</AuthenticationType>
<TACACSStripRealm>Disabled</TACACSStripRealm>
<TACACSServer>192.168.1.1:49</TACACSServer>
<TACACSServer>192.168.1.2:49</TACACSServer>
<TACACSSharedSecret ClearText="secret" DES=" "></TACACSSharedSecret>
<TACACSTimeoutSecs>1</TACACSTimeoutSecs>
<TACACSConnectionAttempts>1</TACACSConnectionAttempts>
<TACACSRealm>.*@foo.com.*</TACACSRealm>
<TACACSRealm>.*@realm.*</TACACSRealm>
</UserGroup>
1. If StripRealm is Enabled, it will remove the realm suffix before sending the username to the
second server.
2. TimeoutSecs is how long TACACS.net will wait for a response before it times out and tries again.
3. ConnectionAttempts is the number of attempts it should make before moving on to the next
server or UserGroup.
4. Authenticate any user on the RADIUS server or specify which users should be authenticated by
matching on a RADIUS Attribute/Value pair. This is an optional configuration setting. TACACS.net
supports the standard IETF attributes defined in RFC 2865 Ch.5. If you would like to specify only
particular users to be authenticated from a particular RADIUS server, add the Reply-Message and
configure a string to look for, e.g. "TACACS" or "TACACS-NOC". You can set multiple
attributes and the authenticated users would have to match all attribute/value pairs. The
AttributeMatch is case sensitive unless you use (?i) at the beginning of the string.
5. You can set realms to be used for this UserGroup. This is an optional setting. This UserGroup will
not be used unless the specified realm(s) are sent as a part of the username. If a realm is set, it
must be used by the user in order to authenticate.
<UserGroup>
<Name>RADIUS Users</Name>
<AuthenticationType>RADIUS</AuthenticationType>
<RADIUSStripRealm>Disabled</RADIUSStripRealm>
<RADIUSServer>192.168.1.1:1812</RADIUSServer>
<RADIUSServer>192.168.1.2:1812</RADIUSServer>
<RADIUSSharedSecret ClearText="mysecret" DES=""></RADIUSSharedSecret>
<RADIUSTimeoutSecs>1</RADIUSTimeoutSecs>
<RADIUSConnectionAttempts>1</RADIUSConnectionAttempts>
<RADIUSAttributeMatch>(?i)Reply-Message=.*TACACS.*</RADIUSAttributeMatch>
<RADIUSRealm>.*@realm1.com.*</RADIUSRealm>
<RADIUSRealm>.*@realm2.*</RADIUSRealm>
</UserGroup>
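The realm, StripRealm and AttributeMatch behaviour described for the TACACS+ and RADIUS proxy groups above, as an added example that is not TACACS.net's own code. The dictionaries are a simplified, hypothetical model of the UserGroup entries (not the product's schema), the realm and AttributeMatch regexes are the ones from the two examples, and the RADIUS group is deliberately listed before the TACACS+ group so that the looser `.*@realm.*` pattern does not swallow realm2 users; the reply attributes are constructed.

```python
# Added example (not TACACS.net's own code): realm-based selection of a proxy
# UserGroup, realm stripping, and RADIUS AttributeMatch checking, following the
# behaviour described in the guide. Group structure is a hypothetical model.
import re

# Constructed proxy groups in "file order". The RADIUS group is listed first on
# purpose: the TACACS+ group's ".*@realm.*" would otherwise match "@realm2" too.
PROXY_GROUPS = [
    {"Name": "RADIUS Users", "Type": "RADIUS", "StripRealm": "Enabled",
     "Realm": [r".*@realm1.com.*", r".*@realm2.*"],
     "AttributeMatch": [r"(?i)Reply-Message=.*TACACS.*"]},
    {"Name": "TACACS+ Proxy users", "Type": "TACACS+", "StripRealm": "Disabled",
     "Realm": [r".*@foo.com.*", r".*@realm.*"]},
    # No realm configured: accepts any username that reached it (first-match order).
    {"Name": "Any-realm RADIUS", "Type": "RADIUS", "StripRealm": "Enabled",
     "Realm": [], "AttributeMatch": [r"Reply-Message=.*NOC.*"]},
]


def select_proxy_group(groups, username):
    """First group (top to bottom) whose realm list is empty or has a regex
    matching the full username as sent by the client."""
    for g in groups:
        if not g["Realm"] or any(re.search(r, username) for r in g["Realm"]):
            return g
    return None


def outbound_username(group, username):
    """Username forwarded to the backend server: the realm suffix is removed
    only when StripRealm is Enabled."""
    if group["StripRealm"] == "Enabled" and "@" in username:
        return username.split("@", 1)[0]
    return username


def radius_reply_accepted(group, reply_attrs):
    """Every AttributeMatch regex must match at least one 'Name=Value' pair of
    the RADIUS reply; matching is case sensitive unless the pattern starts
    with (?i). A group with no AttributeMatch accepts any successful reply."""
    pairs = [f"{name}={value}" for name, value in reply_attrs.items()]
    return all(any(re.search(pattern, p) for p in pairs)
               for pattern in group.get("AttributeMatch", []))


if __name__ == "__main__":
    for user in ("alice@foo.com", "bob@realm2.example", "carol"):
        g = select_proxy_group(PROXY_GROUPS, user)
        print(f"{user:22} -> {g['Name']:20} forwards as {outbound_username(g, user)}")
```

Swapping the first two groups reproduces the ordering pitfall: `bob@realm2.example` then lands in the TACACS+ group because `.*@realm.*` is evaluated first, so keep the more specific realm patterns nearer the top of the file.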
4.2.8.1. TACDES
The TACDES tool is simple to use. Simply launch TACDES from the Start Menu item in the TACACS.net
directory at Start > All Programs > TACACS.net > TACDES and type tacdes and the password you want
to encrypt. Then copy and paste the new password into your configuration.
C:\Program Files\TACACS.net>tacdes -?
TACDES 1.0 (C) TACACS.net
A tool for generating DES encrypted passwords that can be used with TACACS.net TACACS+
server.
C:\Program Files\TACACS.net>exit
TACDES is designed specifically for TACACS.net. Other tools will not work to
create DES encrypted passwords for TACACS.net and TACACS.net TACDES will
not create encrypted passwords for other software.
4.3. Clients
A TACACS+ client is a router, switch, firewall, or other network device that will send authentication
requests to the TACACS+ server. Clients are also sometimes called a NAS (Network Access Server). In
order for a client to work with TACACS+, the TACACS+ server needs to know that a specified client is
authorized to send requests. These settings are configured in clients.xml. Clients may also be used with
authorization configuration to specify policies per client or client type.
This file is read linearly (top to bottom). This means that the first match is applied. This will enable you to
configure overlapping Device Groups. For example, you could specify one policy for 192.168.1.1/32 and
another policy for 192.168.1.0/24 and the first match will be applied.
This configuration file supports Regular expressions. This gives the administrator additional flexibility in
configuring clients. Regular expressions can be useful when you want to set policy based on hostnames
instead of IP Addresses.
For more information on using Regular Expressions refer to the following links:
http://www.regular-expressions.info/tutorialcnt.html
http://www.regular-expressions.info/examples.html
http://www.regextester.com/
https://www.regex101.com/
You will find more examples in the clients.xml file. Copy and paste one or more of the examples and
make the necessary modifications to fit your needs.
For best results, put your more specific Clients first, and the less specific Clients towards the bottom of
this file. Bear in mind that hostnames will require DNS to be available to the server running TACACS+.
This may impact performance slightly, so don’t use it if it’s not necessary. For fault tolerance and
performance, DNS should be running on the same server.
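The first-match behaviour of clients.xml described above (a /32 entry ahead of the /24 it overlaps, plus a hostname regular expression), as an added example that is not TACACS.net's own code. The element names in the embedded XML are a simplified, hypothetical model of the file rather than the product's actual schema, and a constructed reverse-lookup table stands in for DNS so the example runs offline.

```python
# Added example (not TACACS.net's own code): an ordered, first-match lookup of
# a client against CIDR and hostname-regex entries, modelling the clients.xml
# rules described in the guide. <ClientGroup>/<Name>/<Client> are hypothetical.
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample, most specific entry first as the guide recommends.
SAMPLE_CLIENTS_XML = r"""
<Clients>
  <ClientGroup>
    <Name>CoreRouter</Name>
    <Client>192.168.1.1/32</Client>
  </ClientGroup>
  <ClientGroup>
    <Name>LabSubnet</Name>
    <Client>192.168.1.0/24</Client>
  </ClientGroup>
  <ClientGroup>
    <Name>EdgeSwitches</Name>
    <Client>^sw-edge-\d+\.lab\.example$</Client>
  </ClientGroup>
</Clients>
"""

# Constructed reverse-DNS table; in production this is a real DNS lookup,
# which is why hostname entries need a reachable resolver.
FAKE_PTR = {"10.9.9.7": "sw-edge-12.lab.example"}


def parse_client_groups(xml_text):
    """Return [(group_name, [patterns])] in file order."""
    root = ET.fromstring(xml_text)
    groups = []
    for grp in root.findall("ClientGroup"):
        patterns = [c.text.strip() for c in grp.findall("Client")]
        groups.append((grp.findtext("Name"), patterns))
    return groups


def client_matches(pattern, addr, hostname):
    """An entry is either an IP address/CIDR or a regex on the hostname."""
    try:
        network = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        # Not parseable as an address, so treat it as a hostname regex.
        return hostname is not None and re.search(pattern, hostname) is not None
    return ipaddress.ip_address(addr) in network


def lookup_client_group(groups, addr, resolver=FAKE_PTR):
    """Name of the first group (top to bottom) with a matching entry, or None."""
    hostname = resolver.get(addr)
    for name, patterns in groups:
        if any(client_matches(p, addr, hostname) for p in patterns):
            return name
    return None


if __name__ == "__main__":
    groups = parse_client_groups(SAMPLE_CLIENTS_XML)
    for ip in ("192.168.1.1", "192.168.1.77", "10.9.9.7", "10.0.0.1"):
        print(ip, "->", lookup_client_group(groups, ip))
```

Reversing the group order makes the /24 entry shadow the /32, so 192.168.1.1 would silently pick up the LabSubnet policy; this is the ordering mistake the "more specific Clients first" advice guards against.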
aaa new-model
! Login authentication: try the TACACS+ server group first, then fall back to the line password
aaa authentication login DEFAULT group tacacs+ line
! Apply authorization to the console line as well
aaa authorization console
! Authorize configuration-mode commands, not only EXEC commands
aaa authorization config-commands
! EXEC authorization via TACACS+; "none" means no authorization is enforced if the servers are unreachable
aaa authorization exec DEFAULT group tacacs+ none
! Command authorization for privilege levels 0 and 1, with the same fallback
aaa authorization commands 0 DEFAULT group tacacs+ none
aaa authorization commands 1 DEFAULT group tacacs+ none
4.4. Authorization
Authorization is the functionality where you get to define policy based on the User, the Client, or time of
day. Authorization policy allows you to specify which users have access to which devices and what
commands they can run and when. Authorization is configured in authorization.xml. This file is read
linearly. You can have multiple overlapping policies for the same Users or Clients. The first policy match
will be the one applied. If the authorization.xml file has been renamed or deleted, all commands will be
authorized. This can be useful for troubleshooting or in environments where there are only a few
administrators and they all have the maximum privilege. An authorization policy includes the following
elements:
4.4.1. Name
You can name your authorization profiles so that it will show in the logs which authorization group is
being used. If you don’t use a name, the logs will just show the number of the profile. Each authorization
name should be unique.
4.4.2. Time
This is an optional element that is used to define a time period which this policy is in effect. You could
have multiple policies for the same User Group so that during a specified time period (like a maintenance
window) they have read/write privileges, but they have read-only privileges during the rest of the time.
You would put the policy for the maintenance window first, and then the policy for all other times after
that. If no time settings are configured, the policy will always be in effect. The Days that can be used
are: M(Monday), T(Tuesday), W(Wednesday), R(Thursday), F(Friday), S(Saturday), and N(Sunday). Time
settings are based on military time, for example 07:00 is 7am and 17:00 is 5pm. The time used is the
local time of the server TACACS+ is installed on.
4.4.5. AutoExec
AutoExec holds the settings applied when the user first connects to the client. It is run once, when the
user first logs in. This is where you could set a privilege level, an ACL to be applied, or a command to
be executed.
4.4.6. Shell
This is the section in which you define which commands are permitted and denied for this policy. Unlike the
AutoExec section, the shell section is used continually during the session while the user is logged in. Regular
Expressions are supported in shell commands. When the authorization.xml file is used, the default
method is deny unless there is a permit rule. If you would like to end your ruleset with a permit all, use
<Permit>.*</Permit>. If you would like to end your ruleset with a deny all, use <Deny>.*</Deny>.
4.4.7. Services
The Services section is used when someone is using TACACS+ to access a service or protocol on a client.
This is also where you can define Vendor Specific Attributes. The services available are: slip, ppp, arap,
tty-daemon, connection, system and firewall. The protocols available are: lcp, ip, ipx, atalk, vines, lat,
xremote, tn3270, telnet, rlogin, pad, vpdn, ftp, http, deccp, osicp and unknown.
4.4.8. RemAddrs
RemAddrs was added in version 2.0.1. This allows the Administrator to set authorization profiles based on
where the end user is coming from. A user can have separate privileges if they are connecting from an
untrusted network or if they are connecting from within a trusted network. Privileged accounts can be
restricted to specified IP addresses or subnets.
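The authorization behaviour described in 4.4 above (first policy match wins, an optional Time window using the day letters M T W R F S N and 24-hour times, and Shell rules that deny unless a Permit matches), as an added example that is not TACACS.net's own code. The profile dictionaries are a simplified, hypothetical model of authorization.xml rather than the product's schema; the maintenance-window scenario from 4.4.2 is used as the constructed input. Two assumptions of this example: Shell patterns are matched against the whole command line (fullmatch), and a time window does not cross midnight.

```python
# Added example (not TACACS.net's own code): first-match selection of an
# authorization profile, including an optional time window, followed by
# ordered Permit/Deny evaluation of a shell command with default deny.
# Profile structure is a hypothetical model of authorization.xml.
import re
from datetime import datetime

# Day letters as used in the guide, indexed like datetime.weekday() (0 = Monday).
DAY_LETTERS = "MTWRFSN"

# Constructed profiles in file order: the maintenance window (read/write)
# comes first, then the catch-all read-only profile for the same user group.
PROFILES = [
    {"Name": "NetEng maintenance window",
     "UserGroups": ["Network Engineering"],
     "Time": {"Days": "S", "Start": "02:00", "End": "06:00"},
     "Shell": [("Permit", r".*")]},
    {"Name": "NetEng read-only",
     "UserGroups": ["Network Engineering"],
     "Time": None,
     "Shell": [("Permit", r"show .*"), ("Permit", r"ping .*"), ("Deny", r".*")]},
]


def in_time_window(window, now):
    """True if 'now' is on one of the window's days and inside its HH:MM range
    (assumption: the range does not cross midnight). No window means always."""
    if window is None:
        return True
    if DAY_LETTERS[now.weekday()] not in window["Days"]:
        return False
    start = datetime.strptime(window["Start"], "%H:%M").time()
    end = datetime.strptime(window["End"], "%H:%M").time()
    return start <= now.time() < end


def select_profile(profiles, user_group, now):
    """First profile (top to bottom) whose user group and time window match."""
    for profile in profiles:
        if user_group in profile["UserGroups"] and in_time_window(profile["Time"], now):
            return profile
    return None


def shell_allows(profile, command):
    """Walk Permit/Deny rules in order; the first matching rule decides.
    If nothing matches, the command is denied (default deny)."""
    for action, pattern in profile["Shell"]:
        if re.fullmatch(pattern, command):   # assumption: whole-command match
            return action == "Permit"
    return False


def authorize(profiles, user_group, command, now):
    """Combine profile selection and shell evaluation for one request."""
    profile = select_profile(profiles, user_group, now)
    return profile is not None and shell_allows(profile, command)


if __name__ == "__main__":
    saturday_0300 = datetime(2023, 9, 2, 3, 0)   # inside the window
    saturday_0900 = datetime(2023, 9, 2, 9, 0)   # outside the window
    for when in (saturday_0300, saturday_0900):
        for cmd in ("show running-config", "configure terminal"):
            ok = authorize(PROFILES, "Network Engineering", cmd, when)
            print(f"{when:%a %H:%M}  {cmd:22} -> {'permit' if ok else 'deny'}")
```

Because rules are taken in order, a `Permit .*` placed before a `Deny` makes the later rule unreachable; the trailing `Deny .*` in the read-only profile is therefore redundant with default deny but makes the intent explicit in the logs and the file.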
Here is an example of TACVerify with a syntax error in authentication.xml line 42, character 57.
Error details: Instance validation error: 'File blah' is not a valid value for AuthenticationDatabaseType.
Errors were found in configuration files. Please fix these errors and try again.
5.2. TACTest
TACTest is a TACACS+ client that you can use to test TACACS+ requests and responses and for
performance testing. Before you attempt to run TACACS+ on any external Clients in a lab or production
environment, you must first run TACTest to verify that the system is working correctly. If TACTest fails,
your external Clients will fail also.
TACTest is not specific to TACACS.net. It will work with any server that runs the TACACS+ protocol. It
can also be installed and run as an independent program, without the TACACS.net server, if desired. You
can run TACTest from Start > All Programs > TACACS.net or simply from the command line.
To view information about TACTest, type ‘tactest’ at the command line with no arguments.
C:\>tactest
TACTest 1.0.4143.32116 (C) TACACS.net
Type tactest -? for help.
To print out a list of command options and examples, type ‘tactest -?’.
C:\>tactest -?
TACTest 1.0.4143.32116 (C) TACACS.net
A tool for testing TACACS+ server responses.
This host must be in the server's authorized client list to work.
Options:
-? Display help
-s ServerIP IP (If this is not provided then 127.0.0.1 is used)
-port ServerIP Port (If this is not provided then port 49 is used)
-k Shared Key (If this is not provided then no encryption is used)
-u Username
-p Password
-np New Password (used only for change password commands)
-type Authentication type. Can be ASCII or PAP, CHAP Default is ASCII
-en This sends an enable command to the server
-c Send this many requests. Default is 1
-m Send repeatedly for this many seconds.
-t Send this many requests per second.
-r Retries
-w Wait time between retries in seconds.
-f Input file to be used.
-service This is used to request authorization AV pairs from server
-command This is used to request authorization of a command from server
-authen This is used to send authentication commands to the server. This is
the default command.
-acct The type of accounting command to send. Valid values are start, stop &
watchdog
-author This is used to send authorization commands to server or to request
authorization AV pairs from the server
Authentication Examples:
tactest -s 127.0.0.1 -k mykey -u myuser -p mypassword
tactest -s 127.0.0.1 -k mykey -u myuser -p mypassword -c 20
tactest -s 127.0.0.1 -k mykey -u myuser -p mypassword -t 20
tactest -s 127.0.0.1 -k mykey -u myuser -p mypassword -m 5
tactest -s 127.0.0.1 -k mykey -u myuser -p mypassword -m 5 -t 20
Accounting Examples:
tactest -s 127.0.0.1 -k mykey -u myuser -acct start bytes_in=100 bytes_out=200
tactest -s 127.0.0.1 -k mykey -u myuser -acct stop bytes_in=400 bytes_out=300
tactest -s 127.0.0.1 -k mykey -u myuser -m 5 -acct stop bytes_in=400 bytes_out=300
Authorization Examples:
tactest -s 127.0.0.1 -k mykey -u myuser -author -service shell
tactest -s 127.0.0.1 -k mykey -u myuser -author -command configure terminal
tactest -s 127.0.0.1 -k mykey -u myuser -author -c 20 -command configure terminal
For best results, explicitly define the server IP. This is important if you have multiple IP addresses on
your computer. In some scenarios, the localhost IP (127.0.0.1) will not work, and you will need to
manually define the server’s routeable IP address in TACTest and/or in tacplus.xml.
C:\> tactest -s 127.0.0.1 -k mykey -u myuser -p mypassword
To test the performance of your TACACS+ server, you can use the ‘count’ option.
C:\> tactest -s 127.0.0.1 -k mykey -u myuser -p mypassword -c 20
The Summary Statistics (below) will show you the transactions per second of your request. TACTest uses
average possible transactions per second to extrapolate and estimate transactions per second based on
the count option used above.
------------------
SUMMARY STATISTICS
------------------
For even better results, send 1,000 or more requests (-c 1000), send the request repeatedly for a
specified amount of seconds (-m), send specified requests per second (-t), etc. You can send different
types of requests like authorization requests (-type author) or commands (-type command). You can
even use input files (-f filename) and output files (> filename) to store a log of your test.
6. Windows Firewall
A firewall is important for any production system. Because TACACS+ is a critical, service-affecting
component, you should enable the host firewall on the server even if you have a perimeter firewall.
You should disable any firewalls when doing your initial configuration and
testing. Once you have confirmed that your server is working as desired, enable
the firewall before deploying in a production network.
The following example shows how to configure Windows Firewall on Windows XP. You may need to
modify these settings slightly depending on your Operating System version.
7. Optimizing Performance
There are several steps you can take to optimize the performance of your server.
60 seconds should be satisfactory for most purposes, so there should be no need to change this
for most deployments.
8. Feature Enhancements
If you would like a feature or functionality in the TACACS.net TACACS+ Server that is not currently
available, we can build it for you. Contact us through www.TACACS.net and give us the details on the
feature(s) needed, the scenario how it would be used, your timeline and budget, and we will respond
with a development quote to add the new feature.
9. Recommended Tools
Here are some of the tools that we recommend for use with the TACACS.net server.
1. MD5Sum
Command-line MD5 hash checker
http://www.etree.org/md5com.html
2. Tera Term
Terminal emulator
http://en.sourceforge.jp/projects/ttssh2/releases/
3. Wireshark
Protocol Analyser
http://www.wireshark.org/
4. Notepad++
https://notepad-plus-plus.org/
5. GNS3
Network simulator
http://www.gns3.net/