I set up command logging with TACACS+ on Linux this week. Let me show you how easy it is!
I am (as always) doing this with Ubuntu Linux, so I just have to apt-get the packages I need.
espen@server:~$ sudo apt-get install tac-plus
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 104 not upgraded.
Need to get 105kB of archives.
After unpacking 324kB of additional disk space will be used.
Get:1 http://no.archive.ubuntu.com feisty/universe tac-plus 1:4.0.4.alpha-14 [105kB]
Fetched 105kB in 0s (331kB/s)
Selecting previously deselected package tac-plus.
(Reading database ... 227388 files and directories currently installed.)
Unpacking tac-plus (from .../tac-plus_1%3a4.0.4.alpha-14_i386.deb) ...
Adding system user `tacacs' (UID 64005) ...
Adding new group `tacacs' (GID 64005) ...
Adding new user `tacacs' (UID 64005) with group `tacacs' ...
Not creating home directory `/home/tacacs'.
Setting up tac-plus (4.0.4.alpha-14) …
Starting Tacacs+ server: tac_plus.
Wow, that was quick... The TACACS+ server is already running!
But wait, we still have to configure it a bit.
For this article I will focus only on the logging part (accounting); I will follow up on authentication and authorization in later articles so that we fully cover AAA.
Now open up /etc/tac-plus/tacacs.conf in your favourite editor (mine is vim).
Be sure to uncomment and set the key, set the accounting file, and you should be ready to roll. The key is the shared secret that both ends must agree on; it is also what TACACS+ uses to obfuscate the packet bodies between router and server, so pick something long and random rather than the example below.
key = tercesym
accounting file = /var/log/tac-plus/account
Then just restart the TACACS+ daemon:
espen@server:/etc/tac-plus# sudo /etc/init.d/tac-plus restart
Restarting Tacacs+ server: tac_plus.
Now, to configure this on your Cisco equipment, please follow the steps in this article first.
Then, to make sure the Cisco IOS switch or router notifies your TACACS+ daemon of accounting events, this is the configuration you need. Note that the commands line below only accounts for privilege level 15 commands; repeat it with level 1 if you also want to log what users do before they enable.
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#aaa accounting delay-start
Router(config)#aaa accounting exec default start-stop group tacacs+
Router(config)#aaa accounting commands 15 default start-stop group tacacs+
Router(config)#tacacs-server host 10.0.0.50 key tercesym
! If you want the Router to source from a specific IP address
Router(config)#ip tacacs source-interface Loopback 1
Now you can verify accounting on the router with show accounting:
Active Accounted actions on tty1, User admin Priv 1
Task ID 17, EXEC Accounting record, 00:16:58 Elapsed
task_id=17 start_time=1226261207 timezone=CET service=shell
There is one accounting session running, and you can also check the server to see whether any accounting records have been written.
espen@server:~# sudo tail /var/log/tac-plus/account
Sun Nov 9 21:26:58 2008 10.0.0.98 admin tty1 10.0.0.5 stop task_id=26 start_time=1226262225 timezone=CET service=shell priv-lvl=15 cmd=show accounting
Perfect, now there will be no doubt about who dropped that ‘no router bgp’ command on your Cisco Router!
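As an added example (not code from the original post or from the tac_plus project), here is a small Python parser for the accounting records shown above, answering exactly that question: who ran a given command, and who is still logged in. It assumes the record layout as the page shows it: a five-token timestamp, NAS address, user, port, remote address, start/stop, then attribute=value pairs with cmd= as the last attribute (that ordering is an assumption; it holds for the line above). The sample lines are constructed: the second one is the record shown above, the others are made up to add an EXEC start record and a risky command.

```python
"""Parse tac_plus accounting records and answer "who ran that command?".

Added example; not code from the original post or from tac_plus itself.
Record layout assumed from the line shown on this page:
  <Dow Mon D HH:MM:SS YYYY> <nas> <user> <port> <rem_addr> <start|stop|update> key=value ...
with cmd= as the last attribute, so the command itself may contain spaces.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample accounting file. Line 2 is the record shown above; the
# other lines are made up to show an EXEC start record and a risky command.
SAMPLE_LOG = """\
Sun Nov 9 21:09:47 2008 10.0.0.98 admin tty1 10.0.0.5 start task_id=17 start_time=1226261207 timezone=CET service=shell
Sun Nov 9 21:26:58 2008 10.0.0.98 admin tty1 10.0.0.5 stop task_id=26 start_time=1226262225 timezone=CET service=shell priv-lvl=15 cmd=show accounting
Sun Nov 9 21:31:02 2008 10.0.0.98 bob tty2 10.0.0.7 stop task_id=31 start_time=1226262660 timezone=CET service=shell priv-lvl=15 cmd=configure terminal
Sun Nov 9 21:31:15 2008 10.0.0.98 bob tty2 10.0.0.7 stop task_id=32 start_time=1226262673 timezone=CET service=shell priv-lvl=15 cmd=no router bgp 65000
"""

TIME_FORMAT = "%a %b %d %H:%M:%S %Y"   # e.g. "Sun Nov 9 21:26:58 2008"
FIXED_FIELDS = 5 + 5                    # timestamp tokens + nas, user, port, rem_addr, type


@dataclass
class Record:
    when: datetime
    nas: str          # the router or switch that sent the record
    user: str
    port: str         # tty/vty the user was on
    rem_addr: str     # where the user connected from
    kind: str         # start, stop or update
    attrs: Dict[str, str] = field(default_factory=dict)

    @property
    def cmd(self) -> Optional[str]:
        """Command text for command-accounting records; None for EXEC records."""
        return self.attrs.get("cmd")


def parse_record(line: str) -> Optional[Record]:
    """Parse one accounting line; return None for lines that do not fit the layout."""
    tokens = line.split()            # tac_plus separates fields with tabs; any whitespace works
    if len(tokens) < FIXED_FIELDS:
        return None
    try:
        when = datetime.strptime(" ".join(tokens[:5]), TIME_FORMAT)
    except ValueError:
        return None
    nas, user, port, rem_addr, kind = tokens[5:FIXED_FIELDS]
    attrs: Dict[str, str] = {}
    rest = tokens[FIXED_FIELDS:]
    for i, tok in enumerate(rest):
        if tok.startswith("cmd="):
            # Everything after cmd= is the command, including its arguments.
            attrs["cmd"] = " ".join([tok[len("cmd="):]] + rest[i + 1:]).strip()
            break
        key, _, value = tok.partition("=")
        attrs[key] = value
    return Record(when, nas, user, port, rem_addr, kind, attrs)


def parse_log(text: str) -> List[Record]:
    """Parse a whole accounting file, skipping lines that do not parse."""
    return [r for r in (parse_record(line) for line in text.splitlines()) if r is not None]


def who_ran(records: List[Record], pattern: str) -> List[Record]:
    """Command records whose command matches the regex (anchor with ^ for a prefix)."""
    rx = re.compile(pattern)
    return [r for r in records if r.cmd is not None and rx.search(r.cmd)]


def open_sessions(records: List[Record]) -> List[Record]:
    """EXEC 'start' records with no matching 'stop' from the same NAS and task_id."""
    stopped = {(r.nas, r.attrs.get("task_id")) for r in records if r.kind == "stop"}
    return [r for r in records
            if r.kind == "start" and (r.nas, r.attrs.get("task_id")) not in stopped]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in who_ran(recs, r"^no router bgp"):
        print(f"{r.when:%Y-%m-%d %H:%M:%S} {r.user} from {r.rem_addr} on {r.nas} {r.port}: {r.cmd}")
    for r in open_sessions(recs):
        print(f"still logged in: {r.user} on {r.nas} {r.port} (task_id {r.attrs.get('task_id')})")
```

Point parse_log at the contents of /var/log/tac-plus/account and who_ran(recs, r"^no router bgp") tells you the user, source address and time in one line. The open_sessions check works because the EXEC start and stop records share a task_id, as the show accounting output above demonstrates, while each command gets its own.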