Download the OVA from tacacsgui.com and import it into your hypervisor.
To change the IP address of the server, open the server console and log in (the default username/password is tacgui/tacgui), then run the command and follow the guide's steps.
Open https://ip-of-the-server:4443 to log on to the web interface; from here you can configure everything.
First we need to add at least one entry under Devices. In this lab, instead of creating every device, I will create one device entry covering a /24 subnet.
To use LDAP we need to enable and configure it under MAVIS Settings -> Mavis LDAP. You will need an LDAP account that is allowed to look up users/groups in the AD, and you also need to know your LDAP base. For example, in my case the domain is wjacobsen.lab, so my LDAP base is dc=wjacobsen,dc=lab. The remaining parameters, TLS and LDAP Search Attribute, can be left at their defaults.
Depending on how you want to set up authentication on the network devices, it is possible to use the LDAP login password together with a different enable password. For this to work you need to change “enable password as login” under Advanced Settings in the LDAP settings.
After that we need to add some LDAP groups: search for the AD group you want to add and press the + sign.
When this is done we need to make a Service object and a command set, and define the groups we have added.
Let's start with the Service object: go to Access Control -> Services and press Add.
Give it a name, then press Service Patterns and choose a template. In this lab I use only Cisco equipment, so I will add Cisco -> Cisco General to the service.
This is also where we define the privilege level. You can make a command set to permit/deny specific commands, run a command at logon with autocmd, and specify user roles if you have a Nexus switch.
If you want to use an enable password, set the privilege level to 1.
Now that a Service object is created, a user group needs to be created: Tacacs Users -> User Groups and press Add.
Set a name for the user group and pick an LDAP group to associate with it (the names do not have to match). Then specify an Enable password if you chose to disable “Enable Password same as login” under the LDAP settings, and choose the Service for this user group.
Here is the TACACS configuration I chose for my lab setup. I recommend you read a bit about TACACS+ before doing this in any production environment if you have no prior knowledge of it.
aaa new-model
aaa group server tacacs+ LOGIN
 server-private 192.168.202.11 key testing123
!
! authentication: ask the TACACS+ group first, then fall back to the local user database / local enable password
aaa authentication login default group LOGIN local
aaa authentication enable default group LOGIN enable
!
! authorization: the exec shell plus every command at every privilege level (0-15), including configuration-mode commands
aaa authorization config-commands
aaa authorization exec default group LOGIN local if-authenticated
aaa authorization commands 0 default group LOGIN local
aaa authorization commands 1 default group LOGIN local
aaa authorization commands 2 default group LOGIN local
aaa authorization commands 3 default group LOGIN local
aaa authorization commands 4 default group LOGIN local
aaa authorization commands 5 default group LOGIN local
aaa authorization commands 6 default group LOGIN local
aaa authorization commands 7 default group LOGIN local
aaa authorization commands 8 default group LOGIN local
aaa authorization commands 9 default group LOGIN local
aaa authorization commands 10 default group LOGIN local
aaa authorization commands 11 default group LOGIN local
aaa authorization commands 12 default group LOGIN local
aaa authorization commands 13 default group LOGIN local
aaa authorization commands 14 default group LOGIN local
aaa authorization commands 15 default group LOGIN local
!
! accounting: start/stop records for sessions and for every command at every privilege level
aaa accounting exec default start-stop group LOGIN
aaa accounting commands 0 default start-stop group LOGIN
aaa accounting commands 1 default start-stop group LOGIN
aaa accounting commands 2 default start-stop group LOGIN
aaa accounting commands 3 default start-stop group LOGIN
aaa accounting commands 4 default start-stop group LOGIN
aaa accounting commands 5 default start-stop group LOGIN
aaa accounting commands 6 default start-stop group LOGIN
aaa accounting commands 7 default start-stop group LOGIN
aaa accounting commands 8 default start-stop group LOGIN
aaa accounting commands 9 default start-stop group LOGIN
aaa accounting commands 10 default start-stop group LOGIN
aaa accounting commands 11 default start-stop group LOGIN
aaa accounting commands 12 default start-stop group LOGIN
aaa accounting commands 13 default start-stop group LOGIN
aaa accounting commands 14 default start-stop group LOGIN
aaa accounting commands 15 default start-stop group LOGIN
aaa accounting network default stop-only group LOGIN
aaa accounting system default start-stop group LOGIN
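As an added check that is not part of this guide or of TACACS GUI, the following Python script audits an IOS running-config for the pieces the configuration above depends on: aaa new-model, a TACACS+ server group with local fallback for login and enable, config-commands authorization, command authorization and accounting at every privilege level 0-15, and a shared key that is more than a lab value. It embeds the lab configuration above as its constructed sample input; the audit_aaa function and the 16-character key threshold are my own choices, not anything from the guide.

```python
import re

PRIV_LEVELS = range(16)  # IOS privilege levels 0-15 must all be covered

# Sample input, constructed from the lab configuration in this guide (per-level lines generated).
SAMPLE_CONFIG = "\n".join(
    ["aaa new-model", "aaa group server tacacs+ LOGIN",
     " server-private 192.168.202.11 key testing123", "!",
     "aaa authentication login default group LOGIN local",
     "aaa authentication enable default group LOGIN enable",
     "aaa authorization config-commands",
     "aaa authorization exec default group LOGIN local if-authenticated"]
    + [f"aaa authorization commands {n} default group LOGIN local" for n in PRIV_LEVELS]
    + ["aaa accounting exec default start-stop group LOGIN"]
    + [f"aaa accounting commands {n} default start-stop group LOGIN" for n in PRIV_LEVELS]
    + ["aaa accounting network default stop-only group LOGIN",
       "aaa accounting system default start-stop group LOGIN"])


def audit_aaa(config: str) -> list:
    """Return a list of findings for an IOS AAA config; an empty list means it passed."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: the aaa commands below have no effect")
    groups = re.findall(r"^aaa group server tacacs\+ (\S+)$", config, re.M)
    if not groups:
        return findings + ["no tacacs+ server group defined"]
    group = re.escape(groups[0])
    # Login and enable must ask the TACACS+ group first and fall back locally, so the device stays manageable while the server is unreachable.
    for kind, fallback in (("login", "local"), ("enable", "enable")):
        if not re.search(rf"^aaa authentication {kind} default group {group} {fallback}$", config, re.M):
            findings.append(f"{kind} authentication does not use the TACACS+ group with {fallback} fallback")
    if "aaa authorization config-commands" not in lines:
        findings.append("config-commands authorization off: configuration-mode commands skip the command set")
    # Every privilege level needs both command authorization and command accounting.
    authz = {int(n) for n in re.findall(rf"^aaa authorization commands (\d+) default group {group} local$", config, re.M)}
    acct = {int(n) for n in re.findall(rf"^aaa accounting commands (\d+) default start-stop group {group}$", config, re.M)}
    for what, seen in (("authorization", authz), ("accounting", acct)):
        missing = sorted(set(PRIV_LEVELS) - seen)
        if missing:
            findings.append(f"command {what} missing for privilege level(s) {missing}")
    # The shared key is all that protects TACACS+ packet bodies on the wire.
    for key in re.findall(r"^\s*server-private \S+ key (\S+)$", config, re.M):
        if len(key) < 16:
            findings.append(f"shared key {key!r} is shorter than 16 characters: lab-grade only")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_aaa(SAMPLE_CONFIG) or ["no findings"]))
```

Paste your own running-config into audit_aaa to check it before cutting over; the lab config above passes every check except the short key.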
Ports needed to be open in the firewall

| Source | Destination | Src Port | Dst Port | Description |
|---|---|---|---|---|
| TACACS Server | Domain Controllers | >1024 (High Ports) | TCP 389 | LDAP |
| Network Device | TACACS Server | >1024 (High Ports) | TCP 49 | TACACS+ |
| Client | Network Devices | >1024 (High Ports) | TCP 22 | SSH |

Administrators also need TCP 4443 from their workstation to the TACACS server for the web interface. If you enable TLS in the LDAP settings, also allow TCP 636 (LDAPS) from the TACACS server to the domain controllers, unless the server negotiates STARTTLS on 389.
Hi, which version of tacgui are you using in this guide?
We are running the latest version 0.9.82, and have a different view of the LDAP settings and are not able to make it work.
Thanks
Troels
Hi Troels.
This should be the newest version.
If you would like some assistance, you are welcome to email me at blog@wjacobsen.dk.
If you prefer, you can write to me in Danish.
Best regards
Herman W. Jacobsen