TACACS+, Part 1: Choosing the Version

My current work environment has a decent Cisco footprint – 242 devices in all. Maintaining usernames and passwords on them is quite a chore, even with some assistance from scripting tools like Kiwi Cat Tools. We simply needed centralized login control, one way or the other.

We had a short list of important requirements:

1. It had to integrate with AD, to minimize the number of user accounts in use.
2. The entire login exchange had to be encrypted. The most powerful administrative accounts would be passing their credentials over the system. This requirement eliminated RADIUS as a solution, since the Cisco IOS versions we’re using (12.4 & 15.0.1) would pass usernames in the clear and only MD5 hash the passwords.
3. It would give use centralized user account control, and provide for varying level of user activity logging.
4. It had to be free.  This push came at the end of the year (after most of the budget was spent). Of course this meant no ACS.

After much research, I decided to use TACACS+. The implementation of TACACS+ I choose was tac_plus, written by Marc Huber. There were several version of TACACS+ out there, but Marc’s seemed the best fit as it was (a) open-source, (b) the most recent, (c) had the most complete documentation and (d) had the most recent and active forum of users giving feedback. You can find docs for tac_plus and associated daemons here, and the current forum here.I installed tac_plus on Ubuntu servers, version 10.04, and so far have had no compatibility problems. For redundancy, we’re using two Ubuntu servers running tac_plus with identical configurations.

In TACACS+ Part 2, I’ll discuss installation and configuration of tac_plus.