TACACS GUI with LDAP

Download OVA from tacacsgui.com and import it into your hypervisor

to change the ip address of the server go into the console of the server and login in, default username/password is tacgui/tacgui and run the command and follow the guide/steps

sudo ~/tgui_install/tacacsgui.sh

open https://ip-of-the-server:4443 to logon to the web interface from here you can configure anything

first we need to atleast add one entry under devices, in this lab instead of creating every device I will create one device with a /24 address

in order to use LDAP we need to enable and configure this under MAVIS Settings -> Mavis LDAP , you will need a LDAP that is allowed to lookup in the ad for users/groups also you will need to know you LDAP Base, for example in my case the domain is wjacobsen.lab, my LDAP base is dc=wjacobsen,dc=lab, you can leave the rest of the parameters to default, TLS and LDAP Search Attribute

depends on how you like to setup the authentication on the network devices, it is possible to have LDAP login password and a diffrent enable password, in order for this to work you will need to change “enable password as login” in advanced settings under ldap settings

after that we need to add some ldap groups, search for the AD group you like to add and press the + sign

when this is done we need to make a Service Object, command set and define the groups we have added..

lets start with Service object, go under Access Control -> Services and press Add

give it a name and then pres service patters and choose template, in this lab I use only cisco equipment so I will add cisco -> Cisco General to the service

it is also here we defince privilege level, you can make Command set to permit / deny specific commands, run a command on logon with auto cmd and specify user roles if you got a nexus switch.

if you want to use enable password, set privilegde level to 1

now that a Service object is created, a user group needs to be created. Tacacs Users -> user groups and press add

set a name for the usergroup and pick a LDAP group to associate with this usergroup, the name does not have to be the same. then specify a Enable password if you chose to disable “Enable Password same as login” under LDAP settings and choose the Service for this usergroup

here is the Tacacs configuration I choose to do for my lab setup, I recommend you read abit about tacacs before doing this in any production environment if you have no prior knowlegde about this

aaa new-model
aaa group server tacacs+ LOGIN
server-private 192.168.202.11 key testing123
!
aaa authentication login default group LOGIN local
aaa authentication enable default group LOGIN enable
aaa authorization config-commands
aaa authorization exec default group LOGIN local if-authenticated
aaa authorization commands 0 default group LOGIN local
aaa authorization commands 1 default group LOGIN local
aaa authorization commands 2 default group LOGIN local
aaa authorization commands 3 default group LOGIN local
aaa authorization commands 4 default group LOGIN local
aaa authorization commands 5 default group LOGIN local
aaa authorization commands 6 default group LOGIN local
aaa authorization commands 7 default group LOGIN local
aaa authorization commands 8 default group LOGIN local
aaa authorization commands 9 default group LOGIN local
aaa authorization commands 10 default group LOGIN local
aaa authorization commands 11 default group LOGIN local
aaa authorization commands 12 default group LOGIN local
aaa authorization commands 13 default group LOGIN local
aaa authorization commands 14 default group LOGIN local
aaa authorization commands 15 default group LOGIN local
aaa accounting exec default start-stop group LOGIN
aaa accounting commands 0 default start-stop group LOGIN
aaa accounting commands 1 default start-stop group LOGIN
aaa accounting commands 2 default start-stop group LOGIN
aaa accounting commands 3 default start-stop group LOGIN
aaa accounting commands 4 default start-stop group LOGIN
aaa accounting commands 5 default start-stop group LOGIN
aaa accounting commands 6 default start-stop group LOGIN
aaa accounting commands 7 default start-stop group LOGIN
aaa accounting commands 8 default start-stop group LOGIN
aaa accounting commands 9 default start-stop group LOGIN
aaa accounting commands 10 default start-stop group LOGIN
aaa accounting commands 11 default start-stop group LOGIN
aaa accounting commands 12 default start-stop group LOGIN
aaa accounting commands 13 default start-stop group LOGIN
aaa accounting commands 14 default start-stop group LOGIN
aaa accounting commands 15 default start-stop group LOGIN
aaa accounting network default stop-only group LOGIN
aaa accounting system default start-stop group LOGIN

Ports Needed to be open in the firewall

SourceDestinationSrc PortDst PortDescription
TACACS ServerDomain Controllers>1024 (High Ports)TCP 389LDAP
Network DeviceTACACS Server>1024 (High Ports)TCP 49TACACS
ClientNetwork Devices>1024 (High Ports)TCP 22SSH

2 thoughts on “TACACS GUI with LDAP

  1. Hi, which version of tacgui are you using in this guide ?

    We are running the latest version 0.9.82, and have a different view, of the LDAP settings and are not able to make it work..

    Thanks
    Troels

Leave a Reply to Herman W. Jacobsen Cancel reply

Your email address will not be published.