
OpenBSD and TACACS+

Eric Taylor

When working at a site with multiple network administrators and a required level of accountability, using a centralized database of user accounts and audit logs is one of the best practices. On routers and switches, it is helpful to use a centralized server to allow administrative control of access, privilege levels, and accountability for changes made to the devices. In my experience, the TACACS+ protocol along with OpenBSD makes a good combination for completing this task. TACACS+ is primarily a Cisco-specific authentication protocol, and not many other vendors have adopted support for it.

In this article, I'll show how to install and configure TACACS+ as well as how to make changes necessary to the operating system for adding the service, starting the daemon upon booting, turning over the TACACS+ log files, and sending daily changes of the log file via email. I'll also provide a sample TACACS+ client configuration on a Cisco Catalyst switch. I will assume that you already have a system loaded with OpenBSD 3.9 connected to the network.

TACACS+ Installation

The installation is pretty easy. A pre-packaged TACACS+ can be found on the OpenBSD package page or the source code can be found at the maintainer's Web site at:

http://www.gazi.edu.tr/tacacs/
            
For the purpose of this article, grab the pre-packaged TACACS+ by issuing the following command.

Tac# pkg_add -v ftp://ftp.openbsd.org/pub/OpenBSD/3.9/packages/i386/tacacs+-4.0.4ap1.tgz
Once the package is installed successfully, register the TACACS+ TCP port as a service with the operating system by adding the following line to the /etc/services file:

tacacs+         49/tcp 
If you want the TACACS+ to start every time the operating system starts, you'll need to edit the /etc/rc.local file. Add the following at the end of the file:

if [ "X${tac_flags}" != X"NO" ]; then
	echo -n ' TACACS+ Started...'
	/usr/local/sbin/tac_plus ${tac_flags}
fi
The above addition lets you start the daemon from /etc/rc and control its flags from /etc/rc.conf.local. Next, create /etc/rc.conf.local with the following line:

tac_flags="-C /etc/tac.conf"
The TACACS+ daemon will start upon boot and look for a configuration file in the /etc directory named tac.conf.

TACACS+ Configuration

There are many options for configuring the tacacs+ daemon. The package used here includes a user guide that can be found in the /usr/local/share/doc/tacacs+/ directory. In Listing 1, I use some basic options to authenticate against the BSD passwd file, use a template group for users, and write accounting logs to /var/log/tac.log.

The first line configures a key that TACACS+ uses to encrypt its packets across the network. This key is optional, but without it, usernames and passwords will be sent over the network in plain text. The identical key must also be configured on any network device that will communicate with the TACACS+ daemon:

key = "SecureTacKey"
The second line specifies the path to the accounting file. This file will contain the commands entered while in enable mode on the network device. We can use this information for auditing and troubleshooting purposes:

accounting file = /var/log/tac.log 
In the next section, I use a group to specify the options that admins will receive as they authenticate against our TACACS+ server:

# Group for admins
group = admins {
	default service = permit
	service = exec {
		priv-lvl = 15
	}
	cmd = configure {
		permit .*
	}
}
This configuration will allow anyone in the admins group to use the exec service at level 15. Level 15 will allow full permissions on the network device.

The last section specifies the user name and states where to find the password to use during authentication:

user = eric {
	member = admins
	login = file /etc/passwd
}
This basic configuration file authenticates user eric against the operating system's password file, grants full configuration permissions on the device, and sends accounting data to /var/log/tac.log. If you do not want to give your TACACS+ user the ability to log into the TACACS+ server itself, change the login line to read login = cleartext "userspassword". Make sure you set restrictive permissions on the tac.conf file if you use cleartext passwords.
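To tie the fragments above together, here is a shell script that writes a complete tac.conf, sets the restrictive permissions the paragraph above asks for, and syntax-checks the result. This is an added example, not the article's Listing 1: the read-only operators group, the oper1 user and the placeholder key are my additions, and the syntax check relies on the daemon's -P parse-only flag when tac_plus is installed.

```shell
# Added example, not the article's Listing 1: build a complete tac.conf from
# the fragments in the text plus a restricted "operators" group (my addition),
# lock it down, and syntax-check it. Key and user names are placeholders.
TAC_CONF="${TAC_CONF:-/etc/tac.conf}"
TAC_KEY="${TAC_KEY:-ReplaceWithARealSharedSecret}"

write_tac_conf() {
    cat > "$1" <<EOF
key = "$TAC_KEY"
accounting file = /var/log/tac.log
group = admins {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
    cmd = configure {
        permit .*
    }
}
# operators: exec at privilege 1; only show commands are authorized,
# anything not listed falls to the implicit deny
group = operators {
    service = exec {
        priv-lvl = 1
    }
    cmd = show {
        permit .*
    }
}
user = eric {
    member = admins
    login = file /etc/passwd
}
user = oper1 {
    member = operators
    login = file /etc/passwd
}
EOF
    chmod 600 "$1"     # the file carries the shared key; keep it root-only
}

# 0 if the file is mode 0600, sets a key, and (when tac_plus is installed)
# parses cleanly with the daemon's -P parse-only flag; 1 otherwise.
check_tac_conf() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "$1: mode $mode, want 0600" >&2; return 1; }
    grep -q '^key = "' "$1" || { echo "$1: no shared key" >&2; return 1; }
    if command -v tac_plus >/dev/null 2>&1; then tac_plus -P -C "$1" || return 1; fi
}
```

Run as root with `write_tac_conf "$TAC_CONF" && check_tac_conf "$TAC_CONF"`; the check also refuses a file whose mode has drifted from 0600.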

Managing the TAC Log

Depending on your network environment, you may need to rotate the log from time to time. A default OpenBSD installation runs /usr/bin/newsyslog from cron to rotate system log files. We can edit its configuration file, /etc/newsyslog.conf, to add tac.log and choose how often it is rotated. An entry like the following rotates the log every 168 hours (weekly), compresses the old copy, signals the daemon named in the pid file, and keeps the last 52 files:

/var/log/tac.log   root:wheel  600  52  *  168  ZB /var/run/tac_plus.pid
    
I also use the scripts included with OpenBSD to mail the daily changes to tac.log to root's mail account. The default installation of OpenBSD includes a daily script that checks the security of the operating system. If we add the log file to the end of /etc/changelist, then when /etc/daily runs, the file is compared against the previous day's copy and the differences are reported.

There is one caveat with this configuration. When newsyslog rotates the log file, /etc/daily will report every line as a removed entry. To get around this, delete the current comparison file, /var/backups/var_log_tac.log.current. If we schedule this deletion after newsyslog runs and before /etc/daily runs, we still receive all changes to tac.log from the daily security script.
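Since the accounting file exists for auditing, here is an added example (not from the article) that summarizes tac.log per user and device: how many commands were accounted and how many of them changed configuration. The tab-separated field layout and the sample records are assumptions I constructed; adjust the awk field numbers if your tac_plus version logs differently.

```shell
# Added example (not from the article): per-user summary of the tac_plus
# accounting log. Assumed record layout, one tab-separated record per line:
#   date  NAS-ip  user  port  remote-ip  start|stop  av-pair ...
# Only "stop" records carry the command that was executed (cmd=...).
TACLOG="${TACLOG:-/var/log/tac.log}"

# Constructed sample records for testing; not real traffic.
write_sample_log() {
    {
    printf 'Tue Oct  3 10:01:12 2006\t10.1.1.5\teric\ttty1\t10.1.1.100\tstop\ttask_id=5\tservice=shell\tpriv-lvl=15\tcmd=show running-config <cr>\n'
    printf 'Tue Oct  3 10:02:30 2006\t10.1.1.5\teric\ttty1\t10.1.1.100\tstop\ttask_id=6\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>\n'
    printf 'Tue Oct  3 10:05:01 2006\t10.1.1.6\toper1\ttty2\t10.1.1.101\tstop\ttask_id=7\tservice=shell\tpriv-lvl=1\tcmd=show interfaces <cr>\n'
    printf 'Tue Oct  3 10:05:30 2006\t10.1.1.6\toper1\ttty2\t10.1.1.101\tstart\ttask_id=8\tservice=shell\n'
    } > "$1"
}

# Prints one tab-separated line per user and device:
#   user  NAS-ip  commands-accounted  config-changing-commands
# A command counts as config-changing when it starts with configure,
# write, copy or reload (a deliberately small list; extend to taste).
summarize_tac_log() {
    awk '
        BEGIN { FS = "\t" }
        $6 == "stop" {
            cmd = ""
            for (i = 7; i <= NF; i++)
                if ($i ~ /^cmd=/) cmd = substr($i, 5)
            if (cmd == "") next
            key = $3 "\t" $2
            total[key]++
            if (cmd ~ /^(configure|write|copy|reload)/) changes[key]++
        }
        END {
            for (k in total)
                printf "%s\t%d\t%d\n", k, total[k], changes[k] + 0
        }
    ' "$1" | sort
}

if [ -r "$TACLOG" ]; then
    summarize_tac_log "$TACLOG"
fi
```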

TACACS+ Client Configuration

Listing 2 shows a sample configuration from a Cisco Catalyst 3550 switch. The configuration specifies the TACACS+ server for authentication, authorization, and accounting (AAA). It uses the TACACS+ server as the primary means of AAA and, if the server is not available, falls back to the local database. Full configuration of the AAA model is beyond the scope of this article; refer to your vendor's documentation for specific commands.

Conclusion

Using this simple TACACS+ configuration, you can start the process of centralizing user access and audit logs of your TACACS+ clients. The example configuration leaves a lot to explore. This setup can be used to create lower privilege-level users and allow them access to only certain commands. You can also audit access to TACACS+ enabled features like PPTP or PPP.

Using the pf firewall included with OpenBSD, you can restrict access to the TACACS+ server to only the necessary ports and protocols. Combining the security features OpenBSD offers "out of the box" with your TACACS+ daemon gives you a pretty nice setup. Best of all, you get a lot of basic functionality at a low cost for hardware and the OpenBSD CD.

Eric has worked as a network administrator for six years at Kenner Army Health Clinic, a Medical Treatment Facility in the US Army. As part of the DoD GIG environment, the clinic places a high emphasis on network security and accountability. Eric is a huge fan of the OpenBSD operating system and encourages everyone to support the cause and purchase the operating system on CD. He can be reached at: er587@hotmail.com.