Setting Up TACACS+ on OpenBSD 7.4 for Legacy Network Devices
TACACS+ (Terminal Access Controller Access-Control System Plus) is a protocol that provides authentication, authorization, and accounting (AAA) services. It is commonly used to control access to network devices, providing a centralized authentication mechanism. OpenBSD, known for its security-oriented approach, offers a stable and reliable environment for running TACACS+.
Critical Security Warning: TACACS+ is horribly insecure and should only be used when no better alternatives, such as RADIUS with RadSec, are available. It transmits authentication information in a way that is susceptible to interception, making it unsuitable for modern secure environments. Additionally, TACACS+ stores passwords in clear text, which poses a significant security risk.
TACACS+ should only be used in a network segment that has no direct internet access and in a VLAN that is exclusively dedicated to management purposes. It should only be deployed when there is no other way to centrally manage devices.
Use Case: I use TACACS+ for authenticating to some old Zyxel switches that do not work well with RADIUS, making it a necessary compromise in specific legacy environments.
Step 1: Install TACACS+ on OpenBSD
First, install the TACACS+ package using pkg_add:
pkg_add tacacs+
Step 2: Configure Log Rotation
To ensure that TACACS+ logs do not grow indefinitely, add the following entries to /etc/newsyslog.conf:
/var/log/tac_plus/tac.acct _tacacs:_tacacs 644 7 250 * Z
/var/log/tac_plus/tac.log _tacacs:_tacacs 644 7 250 * Z
/var/log/tac_plus/tacwho.log _tacacs:_tacacs 644 7 250 * Z
Signal syslogd to reload; newsyslog(8), which performs the rotation, is run from root's crontab and picks up the new entries on its next run:
kill -HUP $(cat /var/run/syslog.pid)
Step 3: Configure TACACS+
Edit /etc/tac_plus.conf:
key = "your_shared_secret_here"
# Default accounting file
accounting file = /var/log/tac_plus/tac.acct
accounting syslog
# User definition
user = administrator {
global = cleartext your_password_here
}
Change the shared secret and user password to secure values. Because the password is stored in clear text, keep /etc/tac_plus.conf readable only by its owner (mode 0600).
Step 4: Configure Listening Interface
To restrict TACACS+ to a specific management network, add the following option to the daemon's flags in /etc/rc.d/tac_plus (192.168.2.254 is the server's management address in this example):
-B 192.168.2.254
This ensures TACACS+ listens only on the management network rather than on all interfaces.
Step 5: Enable and Start TACACS+
rcctl enable tac_plus
rcctl start tac_plus
Verify that the service is running and that port 49 is bound only to the management address (the pattern matches the ".49" port suffix rather than any line containing "49"):
rcctl check tac_plus
netstat -an | grep '\.49 '
Step 6: Secure and Harden the Setup
Follow these best practices:
- Restrict access: Use firewall rules to allow only trusted devices.
- Use encryption: the protocol itself provides no real transport security, so carry it over an encrypted tunnel where possible.
- Rotate credentials: Regularly update shared secrets and user passwords.
- Monitor logs: Periodically review logs for suspicious activities.
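As an added post-install check (not part of the original article), the script below verifies two properties the steps above aim for: that /etc/tac_plus.conf, which holds cleartext passwords, is readable only by its owner, and that the daemon is bound solely to the management address, never to the wildcard. The config path, the address 192.168.2.254 and the --check flag are assumptions taken from the article's example values.

```shell
#!/bin/sh
# check_tacplus.sh: post-install checks for tac_plus on OpenBSD.
# Added example, not part of the article. MGMT_IP and TAC_CONF default to
# the article's example values and are assumptions for your environment.
MGMT_IP="${MGMT_IP:-192.168.2.254}"
TAC_CONF="${TAC_CONF:-/etc/tac_plus.conf}"

# Succeeds if the file has no group/other permission bits (e.g. mode 0600).
# Parses ls(1) output so it works on both BSD and GNU userland.
conf_mode_ok() {
    perms=$(ls -ld "$1" | cut -c5-10)   # group rwx + other rwx columns
    [ "$perms" = "------" ]
}

# Succeeds if the config stores user passwords with the cleartext keyword,
# as in the article's example; such a file must never be world-readable.
conf_has_cleartext() {
    grep -Eq '^[[:space:]]*(global|login)[[:space:]]*=[[:space:]]*cleartext' "$1"
}

# Reads "netstat -an" output on stdin and succeeds only if every TCP listener
# on port 49 (IPv4 or IPv6) is bound to the management address, never "*".
listeners_mgmt_only() {
    awk -v mgmt="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" && $4 ~ /\.49$/ {
            sub(/\.49$/, "", $4)
            if ($4 != mgmt) bad++
        }
        END { exit bad ? 1 : 0 }'
}

# Runs the checks against the live system; returns non-zero on any failure.
run_checks() {
    rc=0
    if conf_has_cleartext "$TAC_CONF"; then
        echo "NOTE: $TAC_CONF holds cleartext passwords; keep it owner-only"
    fi
    conf_mode_ok "$TAC_CONF" || { echo "FAIL: $TAC_CONF is group/world readable"; rc=1; }
    netstat -an | listeners_mgmt_only "$MGMT_IP" \
        || { echo "FAIL: port 49 is not bound solely to $MGMT_IP"; rc=1; }
    return $rc
}

# Invoke as: sh check_tacplus.sh --check   (nothing runs when merely sourced)
if [ "${1:-}" = "--check" ]; then run_checks; fi
```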
Conclusion
By following these steps, you have successfully installed and configured a TACACS+ server on OpenBSD 7.4. However, TACACS+ is fundamentally insecure and should only be used when no better alternatives are available.
Key Takeaways:
- TACACS+ stores passwords in clear text, making it extremely insecure.
- It should only be deployed in a segmented network with no direct internet access.
- It should only be used when no other option exists for centrally managing legacy devices.
If possible, consider migrating to a more secure authentication mechanism to better protect your network environment.