7.3. Internet User Authentication with TACACS

At my place of employment, for TACACS authentication of dial-up Internet users (who are connecting to our modem pool which are in turn connected to a couple of Cisco 250x access servers), we are using the Vikas version of "xtacacsd".

After compiling and installing the Vikas package (latest versions are available from ftp://ftp.navya.com/pub/vikas; I don't believe the package is available in RPM format), you should add the following entries to the ``/etc/inetd.conf'' file so that the daemon will be loaded by the inetd daemon whenever a TACACS request is received.

# TACACS is a user authentication protocol used for Cisco Router products. tacacs dgram udp wait root /etc/xtacacsd xtacacsd -c /etc/xtacacsd-conf

Next, you should edit the ``/etc/xtacacsd-conf'' file and customize it, as necessary, for your system (however you will probably be able to use the default settings as-is).

Note: Note: If you are using shadow passwords (see Section 6.6 for details), you will have some problems with this package. Unfortunately, PAM (Pluggable Authentication Module), which Red Hat uses for user authentication, is not supported by this package. One workaround that I use is to keep a separate ``passwd'' file in ``/usr/local/xtacacs/etc/'' which matches the one in /etc/ but is non-shadowed. This is a bit of a hassle, and if you choose to do this make sure you set permissions on the other password file to make sure it is only readable by root:

chmod a-wr,u+r /usr/local/xtacacs/etc/passwd

If you do indeed use shadow, you will most certainly need to edit the ``/etc/xtacacsd-conf'' file and location of the non-shadowed password file (assuming you are using the workaround I have suggested above).

The next step is to configure your access server(s) to authenticate logins for the desired devices (such as dial-up modems) with TACACS. Here is a sample session on how this is done:

mail:/tftpboot# telnet xyzrouter Escape character is '^]'. User Access Verification Password: **** xyzrouter> enable Password: **** xyzrouter# config terminal Enter configuration commands, one per line. End with CNTL/Z. xyzrouter(config)# tacacs-server attempts 3 xyzrouter(config)# tacacs-server authenticate connections xyzrouter(config)# tacacs-server extended xyzrouter(config)# tacacs-server host 123.12.41.41 xyzrouter(config)# tacacs-server notify connections xyzrouter(config)# tacacs-server notify enable xyzrouter(config)# tacacs-server notify logouts xyzrouter(config)# tacacs-server notify slip xyzrouter(config)# line 2 10 xyzrouter(config-line)# login tacacs xyzrouter(config-line)# exit xyzrouter(config)# exit xyzrouter# write Building configuration... [OK]   xyzrouter# exit Connection closed by foreign host.

All TACACS activity log messages will be recorded in ``/var/log/messages'' for your perusal.