In an earlier post, we got started with a pretty basic TACACS+ configuration on an Ubuntu server. That config works pretty well for most, if not all, IOS devices.
So, what about Cisco WLAN controllers? They’re definitely not IOS, but they do speak TACACS+ for administrative access, as well as RADIUS.
This one was a little more difficult to get working, but not because of the config on the Ubuntu server. The difficulty was in putting (3) very important configurations together:
- You must configure authentication and authorization on the WLC for your login to work. Authentication configured without authorization will appear to log your user in, but will send you quickly back to the login prompt.
- You must configure the order for authentication–with TACACS+ at the top of the list. If you don’t, local accounts will be used first.
- It doesn’t appear that the service configuration in the TACACS+ user WLC group can exist with the service configuration for an existing group, so nested groups may be required.
So, this post has nothing to do with low-rent horror movies. Sorry to disappoint.
What it’s really about is the Puppet server management system deployed to keep general server Linux settings synchronized–stuff like NTP servers and user accounts. Puppet is extremely powerful, but this will only be an introduction to what it can do, as I’m learning as I go.
It may seem a little backward to start with the client configuration, but this really seems like the easiest part to me: tell the client who the server is, sign some certificates, and wait for the updates. The puppet master server is where all the heavy lifting is done.
Once the puppet master server is created and configured with manifests and such (take for granted that they exist already), it’s time to configure your client and get it registered.
Yeah, I know the title is pretty boring, but I wanted it to be clear what this one is all about, especially if you’re looking specifically for something like this.
So, here’s the deal: Cisco 99xx and 79xx phones out on the internet somewhere connecting back to an ASA over an SSL tunnel to register with an internal network’s Call Manager, using only self-signed certificates. To me, this is the best option, rather than having users try to type usernames and passwords into the phone interface. For some users, that really is just too much to ask. This method makes it easy on them, and still gives the ASA administrator and Call Manager administrator the ability to prevent a stolen or misused phone from connecting to the network.
Yes, I still like free stuff, even though I’m turning into a bit of a Mac fanboy. Ubuntu and I remain very close, just not as my daily (desktop) driver.
I am leaning on Ubuntu as my new server platform at work, however, since it’s so much easier to count on than CentOS. And as I wrote last, TACACS+ authentication for network device administration is one of my current projects.
There are several pieces to that project,
- setting up two servers
- configuring them the same
- configuring TACACS+ user accounts that can’t login to the server
- sync-ing the TACACS+ user accounts between servers, with one as primary
- sync-ing the TACACS+ config file between servers
but this post is only going to focus on getting TACACS+ installed on Ubuntu 11.10 server (64-bit) and the configuration file. In a later post, we’ll take a look at IOS, ASA, and NX OS configurations for AAA that I’ve found to work well. As always, “your mileage may vary”, but I’d love to know of any tricks or tips others might have. I’m definitely not claiming to have invented this stuff.
On to the installation!