TACACS+, Linux, and Cisco Command Accounting

I recently finished configuring our medium-sized corporate network devices to authenticate via RADIUS against a Windows Network Policy Server. Never being satisfied, I wanted to take it a step further and account for administrative actions taken on our routers and switches. Basically, I want a record of every command typed into the network devices. It's like a keylogger of sorts for your Cisco devices. I know Cisco and other vendors offer commercial TACACS+ servers, but all were outside the budget for this project. I knew TACACS+ was an open standard. I did some searching and found an open source implementation of a TACACS+ daemon from Shrubbery Networks HERE.
There was no binary distribution available, only source code. Fortunately the build was easy.

./configure
make
make install

The binaries are installed to /usr/local/bin.
Since I am only really interested in the command accounting at this point the configuration was very simple:

accounting file = /var/log/tac_plus/accounting.log
key = "key"

Be sure the “/var/log/tac_plus” directory exists for the logs to be dropped into. Also, be sure to remember the key you enter, as we will need it to configure our switches.
Now, let’s get this daemon running!
You will need to create your own init script to run the program at startup. I found a great example of this HERE. I have also included mine at the end of this article. Since I am using CentOS 5, I added the “chkconfig” information at the top of the script as well and dropped the script into “/etc/init.d/”. I could then add the script to the startup process and start it for the first time:

# chkconfig --add tacacs
# chkconfig tacacs on
# service tacacs start

Great! The service should now be up and running. To verify the daemon is accepting connections, use netstat with the listening and numeric options, grepping for port 49:

# netstat -ln | grep :49
tcp 0 0 0.0.0.0:49 0.0.0.0:* LISTEN

Configure Switches
Configuring the Cisco devices was not all that difficult either. I did, however, notice some differences between IOS versions that I will cover shortly.
On the older IOS devices it was as simple as this:

tacacs-server host 192.168.1.2 key 0 KEY
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

“0” commands show actions that deprivilege, such as “exit” or “end”. I like to include these so I know exactly when a user logged off. “1” will report actions such as “show” commands that can be performed by non-privileged users. Finally, “15” covers the administrative commands that actually make changes to the system. Use the options appropriate for your environment.
On the newer devices, such as a 3560G with a fresh 12.2 IOS, the server specification is a bit different.

tacacs server TACACS01
 address ipv4 192.168.1.2
 key 0 KEY

It adds a few lines to the config but now supports TACACS+ on IPv4 and IPv6 hosts. The old syntax is still supported but you do get a nice little reminder that support will be dropped in future releases.

Finally, when you issue some commands on a configured Cisco device, you get log messages something like this:

Aug 30 12:15:54 192.168.1.1     USERNAME       tty1    192.168.1.2       start   task_id=31773   timezone=EDT    service=shell   start_time=1346329116
Aug 30 12:16:04 192.168.1.1     USERNAME       tty1    192.168.1.2       stop    task_id=31773   timezone=EDT    service=shell   start_time=1346329127   priv-lvl=1      cmd=show ip interface brief
Aug 30 12:16:12 192.168.1.1     USERNAME       tty1    192.168.1.2       stop    task_id=31774   timezone=EDT    service=shell   start_time=1346329134   priv-lvl=15     cmd=configure terminal
Aug 30 12:16:20 192.168.1.1     USERNAME       tty1    192.168.1.2       stop    task_id=31775   timezone=EDT    service=shell   start_time=1346329143   priv-lvl=15     cmd=interface GigabitEthernet 1/0/2

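To make the accounting log useful beyond eyeballing it, here is a small parser, added as an example (it is not part of tac_plus or this post), that splits each record into its fields and pulls out the privilege-15 commands that were executed. The sample lines are constructed from the excerpt above; tac_plus writes the real log tab-separated, and splitting on any whitespace handles both.

```python
# Constructed sample modelled on the accounting.log excerpt above.
SAMPLE_LOG = """\
Aug 30 12:15:54 192.168.1.1 USERNAME tty1 192.168.1.2 start task_id=31773 timezone=EDT service=shell start_time=1346329116
Aug 30 12:16:04 192.168.1.1 USERNAME tty1 192.168.1.2 stop task_id=31773 timezone=EDT service=shell start_time=1346329127 priv-lvl=1 cmd=show ip interface brief
Aug 30 12:16:12 192.168.1.1 USERNAME tty1 192.168.1.2 stop task_id=31774 timezone=EDT service=shell start_time=1346329134 priv-lvl=15 cmd=configure terminal
Aug 30 12:16:20 192.168.1.1 USERNAME tty1 192.168.1.2 stop task_id=31775 timezone=EDT service=shell start_time=1346329143 priv-lvl=15 cmd=interface GigabitEthernet 1/0/2
"""


def parse_record(line):
    """Split one accounting line into its fixed fields plus AV pairs.

    Fixed fields: timestamp (three tokens), NAS address, user, tty,
    remote address and record type (start/stop). Everything after that
    is key=value. A value may itself contain spaces (cmd=show ip
    interface brief), so tokens without '=' are appended to the value
    of the most recent key. Returns None for a line that is too short.
    """
    tok = line.split()
    if len(tok) < 8:
        return None
    rec = {"time": " ".join(tok[:3]), "nas": tok[3], "user": tok[4],
           "port": tok[5], "remote": tok[6], "type": tok[7]}
    key = None
    for t in tok[8:]:
        if "=" in t:
            key, _, val = t.partition("=")
            rec[key] = val
        elif key:
            rec[key] += " " + t
    return rec


def config_changes(log_text):
    """Return (user, nas, cmd) for every stop record that carries a
    command at privilege level 15, i.e. the administrative commands the
    post describes; start records and level-0/1 commands are skipped."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["type"] != "stop" or "cmd" not in rec:
            continue
        if rec.get("priv-lvl") == "15":
            hits.append((rec["user"], rec["nas"], rec["cmd"]))
    return hits


if __name__ == "__main__":
    for user, nas, cmd in config_changes(SAMPLE_LOG):
        print(f"{user}@{nas}: {cmd}")
```
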
My INIT script

Other Resources:

http://www.pro-bono-publico.de/projects/tac_plus.html

http://slaptijack.com/networking/new-style-tacacs-configuration/

http://www.cisco.com/en/US/docs/ios/12_1/security/configuration/guide/scdtplus.html


5 Responses to TACACS+, Linux, and Cisco Command Accounting

  1. Murali says:

    I have migrated my Red Hat Enterprise Linux server 5.5 to IPv6. Now I want to run tacacs+ for IPv6. When I test from my client, it returns unable to connect to server for the IPv6 address. But for IPv4 it’s working fine.

    Snapshot of Linux listening port:

    [root@ADA-Linux-Service-2 ~]# netstat -an | grep :49
    tcp 0 0 0.0.0.0:49 0.0.0.0:* LISTEN

    And once the tacacs service is started, I tried using the bind option with IPv6 it returns following error.

    Reading config
    Version F4.0.4.26 Initialized 1
    get_socket: bind 49 Address already in use

    I don’t know how to make tacacs+ to listen on IPv6 address. Or is that I need to do any entries in tac_plus.cfg to listen for IPv6.

    • schaeffer says:

      I think you can put something like this in the config file:
      listen = {address=2001::aaa1 port = 49 }

  2. Murali says:

    Hi schaeffer,

  3. Murali says:

    Thanks for your reply.
    Once I added the entry in Tac_plus.cfg and restarted the service, it throws the following error:
    [root@ADA-Linux-Service-2 tacacs]# service tacacs restart
    Shutting down tacacs+: [ OK ]
    Starting tacacs+: Error: Unrecognised token listen on line 7

    • schaeffer says:

      I have been experimenting a bit… no luck so far. Unfortunately the project is not well documented… I will post my findings here. Let me know if you find anything before I!
