14 comments on “Open Source TACACS Server for Cisco and others”

  1. Pingback: TFTP Server for Cisco Archives « Sysadmin Rambling

  2. Tacacs +

    Hi, I have followed everything as it is on your blog, but when I run it I get this error in the log. Please help me with this.

    Mon Dec 17 18:36:24 2012 [1283]: Reading config
    Mon Dec 17 18:36:24 2012 [1283]: Version F4.0.4.26 Initialized 1
    Mon Dec 17 18:36:24 2012 [1283]: tac_plus server F4.0.4.26 starting
    Mon Dec 17 18:36:24 2012 [1284]: Backgrounded
    Mon Dec 17 18:36:24 2012 [1285]: Error get_socket: bind 49 Address already in use


    This is the output I get before manually starting TACACS:

    [root@Omsir ~]# netstat -na | grep 49

    tcp 0 0 0.0.0.0:49 0.0.0.0:* LISTEN

    unix 3 [ ] STREAM CONNECTED 11249

    • Hi Nash,

      I had the same issue at first but discovered that it was SELinux that was stopping the service from starting correctly.

      You can disable SELinux or set it to permissive:
      vi /etc/selinux/config

      #SELINUX=enforcing
      SELINUX=permissive

      Then save the file (“:wq”).

      Then restart the computer and it should work.
      If that doesn’t work we can try my workaround solution, but it’s a bit dirty.

      • Hi dude

        No luck, still the same issue. I have pasted the vi /etc/selinux/config below for your reference.

        Please help me.

        # This file controls the state of SELinux on the system.
        # SELINUX= can take one of these three values:
        # enforcing – SELinux security policy is enforced.
        # permissive – SELinux prints warnings instead of enforcing.
        # disabled – No SELinux policy is loaded.
        SELINUX=permissive
        # SELINUXTYPE= can take one of these two values:
        # targeted – Targeted processes are protected,
        # mls – Multi Level Security protection.
        SELINUXTYPE=targeted


        Mon Dec 17 21:07:37 2012 [1273]: Reading config
        Mon Dec 17 21:07:37 2012 [1273]: Version F4.0.4.26 Initialized 1
        Mon Dec 17 21:07:37 2012 [1273]: tac_plus server F4.0.4.26 starting
        Mon Dec 17 21:07:37 2012 [1274]: Backgrounded
        Mon Dec 17 21:07:37 2012 [1275]: Error get_socket: bind 49 Address already in us

      • OK, here are a few more steps that you can try to get it running.

        1) Check the current status of SELinux.

        [root@tacacs ~]# sestatus
        SELinux status: enabled
        SELinuxfs mount: /selinux
        Current mode: permissive
        Mode from config file: permissive
        Policy version: 24
        Policy from config file: targeted

        2) Stop xinetd and start the service manually and test.

        [root@tacacs ~]# tac_plus -C /usr/local/share/tacacs+/tac_plus.conf -L -p 49 -d 16

        You would need to first cd to the location of the tacacs bin file.
        If you can log in like this then your configuration files for tacacs are running fine.

        3) Use init.d to start the service.
        First we create the startup script.

        vi /etc/init.d/tac-plus
        Paste in the following:

        #!/bin/sh
        #
        ### BEGIN INIT INFO
        # Description: Run the tac-plus server listening for
        # AAA (authentication, authorization and accounting) requests
        # from routers or RAS (remote access servers) via the
        # TACACS+ protocol
        ### END INIT INFO
        PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin
        DESC="TACACS+ server"
        NAME=tac_plus
        PIDFILE=/var/run/$NAME.pid
        SCRIPTNAME=/etc/init.d/tac-plus
        PROCESS=/usr/local/bin/$NAME
        CONFIG_FILE="/usr/local/share/tacacs+/tac_plus.conf"
        # -l sets the log file, -d 16 the debug level (same as the manual test above)
        LOG_OPTS="-l /var/log/tac_plus/tac.log -d 16"
        DAEMON="$PROCESS -C $CONFIG_FILE $LOG_OPTS"
        # Source function library (provides daemon and killproc).
        . /etc/rc.d/init.d/functions
        # Start service
        start() {
            echo -n "Starting $DESC: "
            daemon $DAEMON
            echo
        }
        # Stop service
        stop() {
            echo -n "Stopping $DESC: "
            killproc $NAME
            echo
        }
        case "$1" in
            start)
                start
                ;;
            stop)
                stop
                ;;
            *)
                echo "Usage: $SCRIPTNAME {start|stop}" >&2
                exit 1
                ;;
        esac
        exit 0

        You may need to change the script a bit to suit your needs.
        Save that in vi (“:wq”).

        Then allow the file to be executed: “chmod +x /etc/init.d/tac-plus”

        Then go to the config file for tacacs in xinetd and change the disable value to yes.
        vi /etc/xinetd.d/tacacs

        service tacacs
        {
        socket_type = stream
        protocol = tcp
        wait = no
        disable = yes
        user = root
        server = /usr/local/bin/tac_plus
        server_args = -C /usr/local/share/tacacs+/tac_plus.conf -L -p 49 -d 16
        cps = 50 10
        flags = IPv4
        }

        Then open up the rc.local file.

        vi /etc/rc.local

        Add the following line at the end:

        service tac-plus start

        Save that.
        Test it:

        service tac-plus start
        service tac-plus stop

        If that works then you can restart the server to check that it starts correctly at boot.

        Let me know, should that work.

        I’ll update the article to show this process instead, as xinetd does have issues in many cases.
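A pre-flight check for the port-49 conflict this thread is about, written here as an added example (not the author's or the tac_plus project's code): it tells an xinetd-held port from a stale standalone tac_plus by reading netstat output and the xinetd stanza. The netstat and xinetd texts below are constructed samples; on a live host feed the functions `netstat -tln` output and the contents of /etc/xinetd.d/tacacs instead.

```shell
#!/bin/sh
# Added example, not from the original post: classify the thread's
# "Error get_socket: bind 49 Address already in use" failure.

# Exit 0 if some process already has TCP port $1 in LISTEN state.
# Matches the port field only: a bare "grep 49" also hits unix socket "11249".
port_listening() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4; sub(/.*:/, "", addr)   # keep text after the last ":"
            if (addr == port) found = 1
        }
        END { exit !found }'
}

# Exit 0 if the xinetd stanza on stdin has "disable = yes", i.e. xinetd
# leaves port 49 alone so the standalone daemon can bind it.
xinetd_disabled() {
    awk -F= '/^[[:space:]]*disable[[:space:]]*=/ {
                 gsub(/[[:space:]]/, "", $2); if ($2 == "yes") ok = 1
             }
             END { exit !ok }'
}

# $1 = netstat output, $2 = xinetd tacacs stanza. Prints a verdict;
# exit 0 only when tac_plus can bind port 49.
diagnose_tacacs() {
    if printf '%s\n' "$1" | port_listening 49; then
        if printf '%s\n' "$2" | xinetd_disabled; then
            echo "port 49 busy: another tac_plus or daemon is listening; stop it first"
        else
            echo "port 49 busy: xinetd has tacacs enabled; set 'disable = yes' and restart xinetd"
        fi
        return 1
    fi
    echo "port 49 free: tac_plus can bind"
}

# Constructed samples mirroring the thread's "before" state (xinetd on port 49).
SAMPLE_NETSTAT_BUSY='tcp   0  0 0.0.0.0:49   0.0.0.0:*   LISTEN
tcp   0  0 0.0.0.0:22   0.0.0.0:*   LISTEN
unix  3  [ ]  STREAM  CONNECTED  11249'
SAMPLE_NETSTAT_FREE='tcp   0  0 0.0.0.0:22   0.0.0.0:*   LISTEN
unix  3  [ ]  STREAM  CONNECTED  11249'
SAMPLE_XINETD_ENABLED='service tacacs
{
        disable         = no
}'

diagnose_tacacs "$SAMPLE_NETSTAT_BUSY" "$SAMPLE_XINETD_ENABLED" || :
```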

  3. Hi dude

    Any luck? Please, I am eagerly waiting for it to work.

    Thanks in advance 🙂

    • I tried everything, but the 3rd point I cannot understand. I am a newbie when it comes to Linux.
      Please help on how to create tac-plus in the “init.d folder”.

      • If you can send the tac-plus file to my email ID, it will be very helpful for me.

        Thanks so much for your help … I hope I am not disturbing you by keeping on asking each and everything.

        omnashom@gmail.com

        Please send it to me, dude ……

      • I have updated my comment as it was done in a rush and I see it came out as goop 🙂

        Hope the new version is better.

  4. Thanks so much dude, the TACACS+ server is working

    Tue Dec 18 18:42:02 2012 [1227]: Received signal 15, shutting down
    Tue Dec 18 18:42:17 2012 [1287]: Reading config
    Tue Dec 18 18:42:17 2012 [1287]: Version F4.0.4.26 Initialized 1
    Tue Dec 18 18:42:17 2012 [1287]: tac_plus server F4.0.4.26 starting
    Tue Dec 18 18:42:17 2012 [1288]: Backgrounded
    Tue Dec 18 18:42:17 2012 [1289]: uid=0 euid=0 gid=0 egid=0 s=0

    😦 But now my router is not talking to the TACACS server. Please find the log below for your reference.

    *Dec 18 15:03:23.626: AAA/LOCAL: exec
    *Dec 18 15:03:23.626: AAA/BIND(0000000D): Bind i/f
    *Dec 18 15:03:23.626: AAA/LOCAL: new_ascii_login: tty 8373FDE0 idb 0
    *Dec 18 15:03:23.626: AAA/AUTHEN/LOGIN (0000000D): Pick method list ‘default’
    *Dec 18 15:03:23.626: TPLUS: Queuing AAA Authentication request 13 for processing
    *Dec 18 15:03:23.626: TPLUS: processing authentication start request id 13
    *Dec 18 15:03:23.626: TPLUS: Authentication start packet created for 13()
    *Dec 18 15:03:23.626: TPLUS: Using server 10.138.79.5
    *Dec 18 15:03:23.626: TPLUS(0000000D)/0/NB_WAIT/83A03AE8: Started 30 sec timeout

    *Dec 18 15:03:23.626: TPLUS(0000000D)/0/NB_WAIT: socket event 2
    *Dec 18 15:03:23.626: TPLUS(0000000D)/0/NB_WAIT: write to 10.138.79.5 failed with errno 257((ENOTCONN))

    • Please make sure your router is able to get to the tacacs server.
      This can be accomplished by a simple ping test.
      Also make sure that the keys on the router and the tacacs server match.

      Secondly, make sure that you’re not being stopped by iptables.
      You can turn it off while testing:

      service iptables stop

      As for the accounting log file, if it’s not there then you can create it:

      touch /var/log/tac_accounting.log

      • Thanks so much, it started working after stopping iptables

        thanks so much 🙂
        thanks so much 🙂
        can i know your name 🙂 🙂

      • You’re welcome, glad to hear that it’s all sorted out now 🙂

        Name is Randy

  5. After starting TACACS I do not find the “tac_accounting.log” file in the log directory. Please let me know whether TACACS is started properly.

    -rw-------. 1 root root 4546 Dec 17 10:42 anaconda.ifcfg.log
    -rw-------. 1 root root 20808 Dec 17 10:42 anaconda.log
    -rw-------. 1 root root 56337 Dec 17 10:42 anaconda.program.log
    -rw-------. 1 root root 166518 Dec 17 10:42 anaconda.storage.log
    -rw-------. 1 root root 94599 Dec 17 10:42 anaconda.syslog
    -rw-------. 1 root root 36579 Dec 17 10:42 anaconda.xlog
    -rw-------. 1 root root 25256 Dec 17 10:42 anaconda.yum.log
    drwxr-x---. 2 root root 4096 Dec 17 10:46 audit
    -rw-r--r--. 1 root root 1606 Dec 18 18:21 boot.log
    -rw-------. 1 root utmp 6528 Dec 18 17:08 btmp
    -rw-------. 1 root root 11872 Dec 18 21:01 cron
    -rw-r--r--. 1 root root 42952 Dec 18 18:21 dmesg
    -rw-r--r--. 1 root root 46994 Dec 17 23:32 dmesg.old
    -rw-r--r--. 1 root root 101458 Dec 17 10:42 dracut.log
    -rw-r--r--. 1 root root 146000 Dec 18 18:32 lastlog
    -rw-------. 1 root root 3276 Dec 18 18:21 maillog
    -rw-------. 1 root root 555911 Dec 18 18:42 messages
    -rw-------. 1 root root 14375 Dec 18 18:32 secure
    -rw-------. 1 root root 0 Dec 17 10:39 spooler
    -rw-r--r--. 1 root root 1670 Dec 18 18:42 tac_plus.log
    -rw-------. 1 root root 0 Dec 17 10:39 tallylog
    -rw-rw-r--. 1 root utmp 71424 Dec 18 18:32 wtmp
    -rw-------. 1 root root 7141 Dec 17 12:26 yum.log
