My current work environment has a decent Cisco footprint – 242 devices in all. Maintaining usernames and passwords on them is quite a chore, even with some assistance from scripting tools like Kiwi CatTools. We simply needed centralized login control, one way or the other.
We had a short list of important requirements:
- It had to integrate with AD, to minimize the number of user accounts in use.
- The entire login exchange had to be encrypted. The most powerful administrative accounts would be passing their credentials over the system. This requirement eliminated RADIUS as a solution, since the Cisco IOS versions we’re using (12.4 & 15.0.1) would pass usernames in the clear and only MD5 hash the passwords.
- It would give us centralized user account control, and provide for varying levels of user activity logging.
- It had to be free. This push came at the end of the year (after most of the budget was spent). Of course this meant no ACS.
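The difference behind the second requirement, as an added illustration that is not from the post: a minimal RADIUS Access-Request (RFC 2865) and a TACACS+ authentication START packet (RFC 8907) built from constructed sample values, showing that RADIUS sends User-Name as-is and hides only User-Password with an MD5 keystream, while TACACS+ XORs the entire body with a keyed MD5 pad. The packet layouts, port name and sample secret are assumptions for the demo, not the author's configuration.

```python
import hashlib
import struct

# Constructed sample values for illustration only (not from the post).
SECRET, USERNAME, PASSWORD = b"example-shared-secret", b"netadmin", b"Sup3rS3cret!"

def radius_hide_password(password, secret, authenticator):
    # RFC 2865 5.2: only User-Password is obscured, by XOR with chained MD5
    # blocks seeded from the shared secret and the 16-byte Request Authenticator.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out

def radius_access_request(username, password, secret, authenticator):
    # Minimal Access-Request (code 1, id 0x2A): User-Name (type 1) is sent as-is,
    # User-Password (type 2) carries the hidden form, after the 20-byte header.
    hidden = radius_hide_password(password, secret, authenticator)
    attrs = bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, 0x2A, 20 + len(attrs)) + authenticator + attrs

def tacacs_pad(session_id, key, version, seq_no, length):
    # RFC 8907 4.5 pseudo-pad: chained MD5(session_id, key, version, seq_no, prev).
    head = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(head + prev).digest()
        pad += prev
    return pad[:length]

def tacacs_authen_start(username, password, key, session_id):
    # Authentication START (type 1, seq 1) for a PAP login: the whole body,
    # username included, is XORed with the pad; only the 12-byte header is clear.
    port, rem_addr = b"tty0", b""
    body = struct.pack("!8B", 1, 1, 2, 1, len(username), len(port), len(rem_addr), len(password))
    body += username + port + rem_addr + password
    version, seq_no = 0xC0, 1
    header = struct.pack("!BBBBII", version, 1, seq_no, 0, session_id, len(body))
    return header + bytes(x ^ y for x, y in zip(body, tacacs_pad(session_id, key, version, seq_no, len(body))))

def tacacs_decrypt_body(packet, key):
    # The pad is symmetric, so the receiving side recovers the body the same way.
    version, _, seq_no, _, session_id, length = struct.unpack("!BBBBII", packet[:12])
    return bytes(x ^ y for x, y in zip(packet[12:], tacacs_pad(session_id, key, version, seq_no, length)))
```

Neither scheme is modern cryptography (both rest on MD5 and a static shared key), so the point of the comparison is which fields are exposed on the wire, which is exactly what the requirement was about.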
After much research, I decided to use TACACS+. The implementation of TACACS+ I chose was tac_plus, written by Marc Huber. There were several versions of TACACS+ out there, but Marc's seemed the best fit as it was (a) open-source, (b) the most recent, (c) had the most complete documentation and (d) had the most recent and active forum of users giving feedback. You can find docs for tac_plus and associated daemons here, and the current forum here.

I installed tac_plus on Ubuntu servers, version 10.04, and so far have had no compatibility problems. For redundancy, we're using two Ubuntu servers running tac_plus with identical configurations.
In TACACS+ Part 2, I’ll discuss installation and configuration of tac_plus.