I recently finished configuring our medium sized corporate network devices to authenticate via Radius against windows Network Policy Server. Never being satisfied I wanted to take it a step further and account for administrative actions taken on our routers and switches. Basically, I want a record of every command typed into the network devices. Its like a key logger of sorts for your Cisco devices… I know Cisco and other vendors offer some commercial TACACS+ servers but all were outside of the budget for this project. I knew TACACS+ was an open standard. I did some searching and found an open source implementation of a TACACS+ daemon from Shrubbery Networks HERE.
There was no binay distribution available, only source code. Fortunately the build was easy.
./configure make make install
The binarys are install to /usr/local/bin
Since I am only really interested in the command accounting at this point the configuration was very simple:
accounting file = /var/log/tac_plus/accounting.log key = "key"
Be sure the “/var/log/tac_plus” directory is created for the logs to be dropped into. Also, be sure to remember the key you enter as we will need that to configure our switches.
Now, let’s get this daemon running!
You will need to create your own init script to run the program at startup. I found a great example of this HERE. I have also included mine at the end of this article. Since I am using a Centos 5 I added the “chkconfig” information at the top of the script as well and dropped the script into “/etc/init.d/”. I then could add the script to the startup process and start it for the first time:
#chkconfig --add tacacs #chkconfig tacacs on #service tacacts start
Great! The service should now be up and running. To verify the daemon is accepting connections use netstat with the listening and numberic options grepping for port 49.
# netstat -ln | grep :49 tcp 0 0 0.0.0.0:49 0.0.0.0:* LISTEN
Configuring the Cisco devices was not all that difficult either. I did, however, notice some difference between different IOS versions that I will cover shortly.
On the older IOS devices it was a s simple as this:
tacacs-server host 192.168.1.2 key 0 KEY aaa accounting commands 0 default start-stop group tacacs+ aaa accounting commands 1 default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+
“0” commands show actions that deprivilage such as an “exit” or “end”. I like to include these so I know exactly when a user logged off. “1” will report actions such as “show” commands that can be performed by non-privileged users. Finally, “15” are all system change or administrative commands that actually make changes to the system. Use the options appropriate for your environment.
On the newer devices, such as a 3560G with a fresh 12.2 IOS, the server specification is a bit different.
tacacs server TACACS01 address ipv4 192.168.1.2 key 0 KEY
It adds a few lines to the config but now supports TACACS+ on IPv4 and IPv6 hosts. The old syntax is still supported but you do get a nice little reminder that support will be dropped in future releases.
Finally, when issue some commands on a configured Cisco device you get log messages something like this:
Aug 30 12:15:54 192.168.1.1 USERNAME tty1 192.168.1.2 start task_id=31773 timezone=EDT service=shell start_time=1346329116 Aug 30 12:16:04 192.168.1.1 USERNAME tty1 192.168.1.2 stop task_id=31773 timezone=EDT service=shell start_time=1346329127 priv-lvl=1 cmd=show ip interface brief Aug 30 12:16:12 192.168.1.1 USERNAME tty1 192.168.1.2 stop task_id=31774 timezone=EDT service=shell start_time=1346329134 priv-lvl=15 cmd=configure terminal Aug 30 12:16:20 192.168.1.1 USERNAME tty1 192.168.1.2 stop task_id=31775 timezone=EDT service=shell start_time=1346329143 priv-lvl=15 cmd=interface GigabitEthernet 1/0/2
5 Responses to TACACS+, Linux, and Cisco Command Accounting