TACACS+, Part 1: Choosing the Version

My current work environment has a decent Cisco footprint – 242 devices in all. Maintaining usernames and passwords on them is quite a chore, even with some assistance from scripting tools like Kiwi Cat Tools. We simply needed centralized login control, one way or the other.

We had a short list of important requirements:

  1. It had to integrate with AD, to minimize the number of user accounts in use.
  2. The entire login exchange had to be encrypted. The most powerful administrative accounts would be passing their credentials over the system. This requirement eliminated RADIUS as a solution, since the Cisco IOS versions we’re using (12.4 & 15.0.1) would pass usernames in the clear and only MD5 hash the passwords.
  3. It would give us centralized user account control, and provide for varying levels of user activity logging.
  4. It had to be free. This push came at the end of the year (after most of the budget was spent). Of course this meant no ACS.

After much research, I decided to use TACACS+. The implementation of TACACS+ I chose was tac_plus, written by Marc Huber. There were several versions of TACACS+ out there, but Marc’s seemed the best fit as it was (a) open-source, (b) the most recent, (c) had the most complete documentation and (d) had the most recent and active forum of users giving feedback. You can find docs for tac_plus and associated daemons here, and the current forum here. I installed tac_plus on Ubuntu servers, version 10.04, and so far have had no compatibility problems. For redundancy, we’re using two Ubuntu servers running tac_plus with identical configurations.
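To make the difference behind requirement 2 concrete, here is an added illustration (not part of the original post, and not tac_plus code): the RADIUS User-Password hiding from RFC 2865 beside the TACACS+ body obfuscation from RFC 8907, showing that a RADIUS Access-Request carries the User-Name attribute readable on the wire while TACACS+ covers the whole packet body, username included. The shared secret, session id and credentials are constructed sample values.

```python
import hashlib
import os
import struct

# Shared secret, session values and credentials below are constructed for this example.
SECRET = b"example-shared-secret"


def radius_hide_password(secret, authenticator, password):
    """RFC 2865 s5.2 User-Password hiding: each 16-byte block of the padded
    password is XORed with MD5(secret + previous block), seeded by the Request
    Authenticator. Only this one attribute value is transformed."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def radius_access_request_attrs(user, secret, authenticator, password):
    """User-Name (type 1) and User-Password (type 2) attributes as sent on the wire.
    The username is copied verbatim; nothing else in the packet is hidden."""
    hidden = radius_hide_password(secret, authenticator, password)
    return bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden


def tacacs_body_crypt(body, key, session_id, version, seq_no):
    """RFC 8907 s4.5 body obfuscation: XOR the whole body with an MD5 keystream
    chained over session_id, key, version and seq_no. Applying the same
    function to the output recovers the plaintext body."""
    hdr = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    stream, pad = b"", b""
    while len(stream) < len(body):
        pad = hashlib.md5(hdr + pad).digest()
        stream += pad
    return bytes(a ^ b for a, b in zip(body, stream))


def tacacs_authen_start_body(user, port, rem_addr, data=b""):
    """Authentication START body (RFC 8907 s5.1): action LOGIN, priv_lvl 1,
    authen_type ASCII, authen_service LOGIN, four length bytes, then the fields."""
    return bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data)]) + user + port + rem_addr + data


def username_visible_on_wire(user=b"netadmin", password=b"correct horse"):
    """Report whether the plaintext username appears in each protocol's wire bytes."""
    radius_wire = radius_access_request_attrs(user, SECRET, os.urandom(16), password)
    start = tacacs_authen_start_body(user, b"tty0", b"192.0.2.10")
    tacacs_wire = tacacs_body_crypt(start, SECRET, 0x1234ABCD, 0xC0, 1)  # version 0xC0 = major 12, minor 0
    return {"radius": user in radius_wire, "tacacs_plus": user in tacacs_wire}
```

RFC 8907 itself describes the TACACS+ transform as obfuscation rather than strong encryption, so the body is only as protected as the shared secret and the management network carrying it; the point here is scope (whole body versus one attribute), not cipher strength.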

In TACACS+ Part 2, I’ll discuss installation and configuration of tac_plus.


3 thoughts on “TACACS+, Part 1: Choosing the Version”

  1. Pingback: TACACS+, Part 2: tac_plus install and config « GatesTec

  2. Pingback: TACACS+, Part 3: Network device config « GatesTec

  3. Alexey

    Hi, Chad,
    I found an interesting project – tacacsGUI. It is a self-hosted front-end UI for tac_plus configuration. My installation was easy, try it. Plus it has some advantages like Backup Maker for auto backup, Subnet searcher for subnet collection etc. Good luck!
