Today I wanted to get authenticated on my Cisco 2900 series switch using an account not stored in its configuration.
A little RTFM and I found an implementation of TACACS+ under GNU/Linux: tac_plus.
Very easy to install & use (the following was done under Gentoo):
# emerge -av tac_plus
...
# tac_pwd
Password to be encrypted: mypassword
oUKCvAueJK/dc
# tac_pwd
Password to be encrypted: enablepwd
hp6L83Ilzeq/.
# cat /etc/tac_plus/tac_plus.conf
key = mykey
accounting file = /var/log/tac_plus.acct
# accounts
user = wildcat {
    login = des "oUKCvAueJK/dc"
    enable = des "hp6L83Ilzeq/."
    name = "GOUVERNEUR Thomas"
}
On the switch side:
I’m now using my tacacs+ server (10.42.4.1), and I’ve kept a local user that is only activated when the tacacs+ server is not reachable…
aaa new-model
aaa authentication login telnet group tacacs+ local
aaa authentication login console group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default if-authenticated none
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
username local password mypassword
tacacs-server host 10.42.4.1
tacacs-server key mykey
line con 0
 login authentication console
line vty 0 4
 login authentication telnet
 transport input telnet
line vty 5 15
 login authentication telnet
 transport input telnet
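The shared secret (key = mykey on the server, tacacs-server key mykey on the switch) is what protects the packet bodies on the wire. As an added example, not code from the original post or from tac_plus, the following Python reproduces the RFC 8907 body obfuscation: the body is XORed with a chained-MD5 pseudo-pad derived from the session id, the key, the version and the sequence number, so it is obfuscation rather than encryption and a weak key or a sniffable segment matters. The session id, version byte and sample body are constructed values.

```python
import hashlib


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Build the RFC 8907 pseudo-pad.

    pad_1 = MD5(session_id || key || version || seq_no)
    pad_n = MD5(session_id || key || version || seq_no || pad_{n-1})
    The chunks are concatenated and truncated to the body length.
    """
    header = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad = b""
    prev = b""
    while len(pad) < length:
        prev = hashlib.md5(header + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the body with the pseudo-pad.

    XOR is its own inverse, so the same call with the same parameters
    de-obfuscates; a different key yields garbage, not an error.
    """
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


# Constructed sample: an authentication START body for user "wildcat".
# (Field layout is simplified; the point is the pad, not the body parsing.)
SAMPLE_BODY = bytes([1, 0, 1, 1, 7, 0, 0, 0]) + b"wildcat"
SESSION_ID = 0x1234ABCD  # constructed; the client picks a random value
KEY = b"mykey"           # the shared secret from the configuration above


def round_trip(key: bytes) -> bytes:
    """Obfuscate with KEY, then de-obfuscate with the supplied key."""
    wire = obfuscate(SAMPLE_BODY, SESSION_ID, KEY)
    return obfuscate(wire, SESSION_ID, key)


if __name__ == "__main__":
    print("on the wire:", obfuscate(SAMPLE_BODY, SESSION_ID, KEY).hex())
    print("right key:  ", round_trip(KEY))
    print("wrong key:  ", round_trip(b"wrongkey"))
```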