In an earlier post, we got started with a pretty basic TACACS+ configuration on an Ubuntu server. That config works pretty well for most, if not all, IOS devices.
So, what about Cisco WLAN controllers? They’re definitely not IOS, but they do speak TACACS+ for administrative access, as well as RADIUS.
This one was a little more difficult to get working, but not because of the config on the Ubuntu server. The difficulty was in putting (3) very important configurations together:
- You must configure authentication and authorization on the WLC for your login to work. Authentication configured without authorization will appear to log your user in, but will send you quickly back to the login prompt.
- You must configure the order for authentication–with TACACS+ at the top of the list. If you don’t, local accounts will be used first.
- It doesn’t appear that the service configuration in the TACACS+ user WLC group can exist with the service configuration for an existing group, so nested groups may be required.
Yes, I still like free stuff, even though I’m turning into a bit of a Mac fanboy. Ubuntu and I remain very close, just not as my daily (desktop) driver.
I am leaning on Ubuntu as my new server platform at work, however, since it’s so much easier to count on than CentOS. And as I wrote last, TACACS+ authentication for network device administration is one of my current projects.
There are several pieces to that project,
- setting up two servers
- configuring them the same
- configuring TACACS+ user accounts that can’t login to the server
- sync-ing the TACACS+ user accounts between servers, with one as primary
- sync-ing the TACACS+ config file between servers
but this post is only going to focus on getting TACACS+ installed on Ubuntu 11.10 server (64-bit) and the configuration file. In a later post, we’ll take a look at IOS, ASA, and NX OS configurations for AAA that I’ve found to work well. As always, “your mileage may vary”, but I’d love to know of any tricks or tips others might have. I’m definitely not claiming to have invented this stuff.
On to the installation!
Before I get into this post too far, yes, I’m now a Mac user. Not exactly a fanboy yet, but my new employer let me choose between a Windows laptop and a MacBook for my work computer, so I chose–wisely. I’d been using Ubuntu on an HP laptop (ugh to HP) for a few years, so it seemed like a chance to try something new at no cost to me, which is my favorite cost.
As you can see from my other posts about virtualization, I’m a big fan of Virtualbox, but this post is about VMware Fusion, which was provided to me with my MacBook.
On to the tips…
I’ve been creating a testing environment for tacacs+ servers for a Cisco networking environment as well as Puppet server management, and I’m horrible with remembering IP addresses, unless there’s a very distinct pattern. When you use NAT in Fusion, addresses are assigned to guests VMs via DHCP in an automatically generated scope. The problem is, every time you boot your server you may get a new DHCP address! That sucks.
What to do?