TACACS+, Part 2: tac_plus install and config

In TACAS+ Part 1, I discussed the reasons to use TACACS+, and why I choose the version written by Marc Huber. Here, I’ll dive into installing tac_plus on Ubuntu 10.04, and configuration of the tac_plus daemon itself.

Despite being a Linux beginner, installing tac_plus on Ubuntu server wasn’t too hard. Below is my checklist.

  1. Install the libssl-dev package
  2. Install CPAN modules:
    1.  Net::SSLeay
    2. IO::Socket::SSL
  3. Install the tac_plus program. I created a working folder of /home/installs for this:
    1. /home/installs# mkdir tac_plus
    2.  /home/installs/# cd tac_plus
    3.  /home/installs/tac_plus# wget http://www.pro-bono-publico.de/projects/src/DEVEL.201111101610.tar.bz2
    4. /home/installs/tac_plus# tarc -xvf DEVEL.201111101610.tar.bz2
    5. /home/installs/tac_plus# cd PROJECTS
    6.  /home/installs/tac_plus/PROJECTS# ./configure
    7.  /home/installs/tac_plus/PROJECTS# make
    8. /home/installs/tac_plus/PROJECTS# make install
  4. Copy the attached tac_plus.conf file to /etc
  5. Verify the file tac_plus has been copied to /etc/init.d
  6. Modify that file so it will run at startup
    1. /etc/init.d# chmod -x tac_plus
  7. Make the tac_plus daemon start at boot
    1. update-rc.d tac_plus defaults
  8. Manually start the daemon:
    1. tac_plus /etc/tac_plus.conf

Once the server began running with the default configutation, it was time to tweak it to make it authenticate against AD. Most importantly, I needed to have tac_plus encrypt its entire communication with AD – nothing in the clear. In nearly all cases, the most powerful IT accounts in the enterprise were getting passed. They must be protected, even internally.

Your environment may be slightly different, depending on DC setup, but the below configuration eventually worked (after much cursing and wiresharking). Especially note the “ldaps://yourdomain.com:636”. The combo of both ldaps:// and :636 is what finally provided the encrypted communication.

id = tac_plus {
debug = MAVIS

accounting log = /var/log/tac_plus/acct.log
authentication log = /var/log/tac_plus/authen.log

mavis module = external {
# Optionally:
script out = {
# Require group membership:
if (undef($TACMEMBER) && $RESULT == ACK) set $RESULT = NAK

# Don’t cache passwords:
setenv LDAP_SERVER_TYPE = “microsoft”
setenv LDAP_HOSTS = “ldaps://yourdomain.com:636”
setenv LDAP_SCOPE = sub
setenv LDAP_BASE = “dc=yourdomain,dc=com”
setenv LDAP_FILTER = “(&(objectclass=user)(sAMAccountName=%s))”
setenv LDAP_USER = “!daps@yourdomain.com”
setenv LDAP_PASSWD = “DeuxManySecrets”
setenv AD_GROUP_PREFIX = Tacacs
exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl

While this gave us tac_plus server-to-AD encryption, we still needed encryption between the router and the tac_plus server. Happily, tac_plus provides this by using a complex key. On the tac_plus server, it looks like this:

host = Router {
address =
key = >>Complex_Key_Goes_Here<<

On the router, the cmd is:

tacacs-server key >>Complex_Key_Goes_Here<<

Testing showed this is not quite encryption, but rather an MD5 hash with additional entropy, but it gets the job done. The remainder of the server config is explained well in the tac_plus docs. These sections were the only tough nut to crack.

In TACACS+ Part 3 of this series, I’ll cover configuration of the routers, using IOS 12.2, 12.4 and 15.0, as well as ASA firewalls on 8.2.


4 thoughts on “TACACS+, Part 2: tac_plus install and config

  1. Pingback: TACACS+, Part 3: Network device config « GatesTec

  2. Pingback: TACACS+, Part 1: Choosing the Version « GatesTec

  3. TACman


    I have been trying to get ldaps to work for quite some time now. My tac_plus setup works great from following your guide without ldaps but once i change to ldaps://server:636 It does not work.

    Do you have to have certificates to use ldaps or can you do it without it? the tac_plus instructions and all the guides I have read do not mention anything about needing to use certificates.

    1. Chad Gates Post author


      Serious apologies about missing your comment. No doubt you’ve already figured this out or worked around it, but here’s my two cents. You do need a certificate to run ldaps, just like you need a cert to run https as opposed to http. It can be a self-signed, self-generated cert though. No need to purchase one. All this will happen on your AD servers though. If you have a sysadmin, you could needle them….


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s