Untitled

sudo apt-get update && sudo apt-get upgrade
sudo apt-get install build-essential libnet-ldap-perl
cd ~
wget http://www.pro-bono-publico.de/projects/src/DEVEL.tar.bz2
bzip2 -dc DEVEL.tar.bz2 | tar xvfp -
cd PROJECTS
sudo make
sudo make install
sudo mkdir /var/log/tac_plus
sudo mkdir /var/log/tac_plus/access
sudo mkdir /var/log/tac_plus/accounting
sudo mkdir /var/log/tac_plus/authentication

stat --format '%a' /var/log/tac_plus

/usr/local/lib/mavis/mavis_tacplus_ldap.pl < /dev/null
Default server type is 'tacacs_schema'. You *may* need to change that to 'generic' or 'microsoft'.
LDAP_HOSTS not defined at /usr/local/lib/mavis/mavis_tacplus_ldap.pl line 277, <DATA> line 755.

cd /usr/local/etc
sudo touch tac_plus.cfg
sudo chmod 755 tac_plus.cfg
sudo nano tac_plus.cfg

#!/usr/local/sbin/tac_plus
id = spawnd {
        listen = { address = 0.0.0.0 port = 49 }
        #Uncomment the line below for IPv6 support
        #listen = { address = :: port = 49 }
        spawn = {
                instances min = 1
                instances max = 10
        }
        background = yes
}

id = tac_plus {
        access log = /var/log/tac_plus/access/%Y/%m/access-%m-%d-%Y.txt
        accounting log = /var/log/tac_plus/accounting/%Y/%m/accounting-%m-%d-%Y.txt
        authentication log = /var/log/tac_plus/authentication/%Y/%m/authentication-%m-%d-%Y.txt

        mavis module = external {
                setenv LDAP_SERVER_TYPE = "microsoft"
                #If you are using Microsoft Global Catalog with LDAP SSL
                #setenv LDAP_HOSTS = "ldaps://10.0.0.100:3269"
                #If you are using Microsoft Global Catalog with LDAP (non-SSL)
                setenv LDAP_HOSTS = "10.0.0.100:3268"
                setenv LDAP_BASE = "DC=domain,DC=name"
                setenv LDAP_SCOPE = sub
                setenv LDAP_FILTER = "(&(objectClass=user)(objectClass=person)(sAMAccountName=%s))"
                setenv LDAP_USER = "svc_tacplus@domain.name"
                setenv LDAP_PASSWD = "ServiceAccountPassword"
                #Setting UNLIMIT_AD_GROUP_MEMBERSHIP to 0 will cause a NACK response if the AD account is a member of more than one security group
                setenv UNLIMIT_AD_GROUP_MEMBERSHIP = 1
                #I'm not 100% sure what EXPAND_AD_GROUP_MEMBERSHIP does
                setenv EXPAND_AD_GROUP_MEMBERSHIP = 0
                #Clear default setting of tacplus for AD_GROUP_PREFIX
                setenv AD_GROUP_PREFIX = ""
                #Setting REQUIRE_TACACS_GROUP_PREFIX to 1 will cause a NACK response if the AD account is not a member of a security group with the required prefix
                setenv REQUIRE_TACACS_GROUP_PREFIX = 0
                #Set USE_TLS to 1 if you are using port 636 or 3269, set to 0 for port 389 or 3268
                setenv USE_TLS = 0
                exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
        }

        login backend = mavis
        user backend = mavis
        pap backend = mavis

        host = world {
                #Allow any IPv4 device
                address = 0.0.0.0/0

                #Uncomment the line below for IPv6 support
                #address = ::/0

                #Uncomment the line below to inject a login prompt
                #prompt = "Put your custom welcome message here.n"

                #Change this to your own secure TACACS+ key
                key = "cisco"
        }

        #Example group that grants admin on Cisco IOS/XE/XR and NX-OS
        group = admin {
                #Permit all services by default
                default service = permit

                #Users will need to re-enter their AD password for the enable password (feel free to customize this however you want)
                enable = login

                service = shell {
                        #Permit all commands
                        default command = permit

                        #Permit all command attributes
                        default attribute = permit

                        #Set privilege level to 15 on IOS/XE
                        set priv-lvl = 15

                        #Uncomment the line below for NX-OS support
                        #set shell:roles=""network-admin vdc-admin""

                        #Uncomment the line below for IOS XR support
                        #set task = "#root-system"
                }


        }

        #Example AD user mapping
        user = jsmith {
                password = mavis
                member = admin
        }
}

/usr/local/sbin/tac_plus -P /usr/local/etc/tac_plus.cfg

/usr/local/bin/mavistest -d -1 /usr/local/etc/tac_plus.cfg tac_plus TACPLUS SomeUserName SomeUserPassword

{mavistest debug output omitted}

Input attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-2501-1509172787-0
USER                SomeUserName
PASSWORD            SomeUserPassword
TACTYPE             AUTH


Output attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-2501-1509172787-0
USER                SomeUserName
RESULT              ACK
PASSWORD            SomeUserPassword
SERIAL              QrWVmlId0OZADDRU/hy/pw=
DBPASSWORD          SomeUserPassword
TACMEMBER           [List of Active Directory security groups]
TACTYPE             AUTH

cd /etc/init.d
sudo cp ~/PROJECTS/tac_plus/extra/etc_init.d_tac_plus /etc/init.d/tac_plus
sudo chmod 755 /etc/init.d/tac_plus
sudo chown root:root /etc/init.d/tac_plus
sudo update-rc.d tac_plus defaults
sudo service tac_plus start

sudo netstat -tulpen

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 0.0.0.0:49              0.0.0.0:*               LISTEN      0          25680       1911/tac_plus: 0 co
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          16105       1023/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      0          16113       1023/sshd

sudo nano /usr/local/etc/tac_plus.cfg
sudo service tac_plus stop
sudo service tac_plus start

sudo systemctl status tac_plus.service
sudo journalctl -xe
/usr/local/sbin/tac_plus -P /usr/local/etc/tac_plus.cfg

LDAP_SERVER_TYPE
    One of: generic tacacs_schema microsoft
    Default: tacacs_schema

LDAP_HOST
    Space-separated list of LDAP URLs or IP addresses or hostnames
    Examples: "ldap01 ldap02", "ldaps://ads01:636 ldaps://ads02:636"

LDAP_SCOPE
    LDAP search scope (base, one, sub)
    Default: sub

LDAP_BASE
    Base DN of your LDAP server
    Example: "dc=example,dc=com"

LDAP_FILTER
    LDAP search filter
    Defaults depend on LDAP_SERVER_TYPE:
    - generic:          "(uid=%s)"
    - tacacs_schema:    "(&(uid=%s)(objectClass=tacacsAccount))"
    - microsoft:        "(&(objectclass=user)(sAMAccountName=%s))"

LDAP_FILTER_CHPW
    LDAP search filter for password changes
    Defaults depend on LDAP_SERVER_TYPE:
    - generic:          "(uid=%s)"
    - tacacs_schema:    "(&(uid=%s)(objectClass=tacacsAccount)(!(tacacsFlag=staticpasswd))"
    - microsoft:        "(&(objectclass=user)(sAMAccountName=%s))"

LDAP_USER
    User to use for LDAP bind if server doesn't permit anonymous searches.
    Default: unset

LDAP_PASSWD
    Password for LDAP_USER
    Default: unset

AD_GROUP_PREFIX
    An AD group starting with this prefix will be used for tacacs group membership.
    Default: tacacs

REQUIRE_AD_GROUP_PREFIX
    If set, user needs to be in one of the AD_GROUP_PREFIX groups.
    Default: unset

UNLIMIT_AD_GROUP_MEMBERSHIP
    If unset, the number of groups a user can be member of is limited to one.
    Default: unset

EXPAND_AD_GROUP_MEMBERSHIP
    If set, AD group memberships will be expanded.
    Default: unset

USE_TLS
    If set, the server is required to support start_tls.
    Default: unset

FLAG_CHPW
    Permit password changes via this backend.
    Default: unset

FLAG_PWPOLICY
    Enforce a simplicistic password policy.
    Default: unset

FLAG_CACHE_CONNECTION
    Keep connection to LDAP server open.
    Default: unset

FLAG_FALLTHROUGH
    If LDAP search fails, try next module (if any).
    Default: unset

FLAG_USE_MEMBEROF
    Use the memberof attribute for determining group membership.
    Default: unset

FLAG_AUTHORIZE_ONLY
    Don't attempt to authenticate users.

! Example Cisco IOS TACACS+ AAA configuration
!
! Don't forget to change Vlan1 to either the VLAN or physical interface that can
! reach your tacplus server
!
! Run "show aaa user all" to verify privilege level after you login
!
! NOTE: It is highly recommended that you turn on service password encryption!
!       Some IOS images contain bugs that prevent TACACS+ from working unless service
!       password encryption is enabled!

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa authorization exec default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
service password-encryption
ip tacacs source-interface Vlan1
tacacs-server host IP_OF_TACPLUS_SERVER single-connection key 0 cisco
tacacs-server directed-request

! Sample Cisco ASA TACACS+ AAA configuration
! Don't forget to change (inside) to the interface that can reach your tacplus server
! Run "show curpriv" to verify privilege level after you login
!
! NOTE: Please make sure the ASA IOS image you are running isn't exploitable
!
!       See Cisco Advisory ID: cisco-sa-20160210-asa-ike for more information
!       See Cisco Bug IDs: CSCux29978, CSCux42019 for more information
!
! Cisco TAC will provide a patched image to you free of charge even if you don't have a
! service contact! Open a Cisco TAC case with your ASA's serial number and include the
! advisory ID as proof of entitlement and they will provide the image file to you!

aaa-server tacplus protocol tacacs+
aaa-server tacplus (inside) host IP_OF_TACPLUS_SERVER
 key cisco
aaa authentication ssh console tacplus LOCAL
aaa authentication serial console tacplus LOCAL
aaa authentication enable console tacplus LOCAL
aaa authentication http console tacplus LOCAL
aaa accounting command tacplus
aaa accounting ssh console tacplus
aaa accounting enable console tacplus

! Sample NX-OS aaa tac_plus configuration
! Don't forget to change the VRF to one that can reach your tacplus server
! Run "show user-account" to verify roles after you login successfully

tacacs-server directed-request
tacacs-server host IP_OF_TACPLUS_SERVER key 0 "cisco"

aaa group server tacacs+ tacplus
    server IP_OF_TACPLUS_SERVER
    use-vrf default

aaa authentication login default group tacplus local
aaa authentication login console group tacplus local
aaa authorization config-commands default group tacplus local
aaa authorization commands default group tacplus local
aaa accounting default group tacplus

! Example Cisco IOS XR TACACS+ AAA configuration (IOS XR formal syntax)
! Don't forget to change the interface/vrf to a pair that can reach your tacplus server
! Run "show user tasks" to verify task levels after you login

tacacs source-interface TenGigE0/0/2/0 vrf default
tacacs-server host IP_OF_TACPLUS_SERVER port 49
tacacs-server host IP_OF_TACPLUS_SERVER port 49 key 0 cisco
tacacs-server host IP_OF_TACPLUS_SERVER port 49 single-connection
aaa accounting exec default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting commands default start-stop group tacacs+
aaa authorization exec default group tacacs+ local
aaa authorization commands default group tacacs+
aaa authentication login default group tacacs+ local