Monday, August 20, 2007

Tacacs+ Web Interface

In the past few years since I began writing Perl I have collected a little arsenal of half-baked programs that have never really been exposed to the world, probably because I was too lazy to clean them up. I decided that I would use this week to expose some of the programs that I have written over the years. For the most part I worked on these until they worked rather than until they were done correctly, but they may serve as a starting point for someone else looking to do the same thing.

The first program on the list (download here) is a little web interface to the open source tacacs+ AAA server from The Cisco SecureACS server can be fine, but if you need regular expression support in ACLs or a way of automating entries it may not be the tool for you. That said, editing a flat config file can be problematic for some folks. This was my quick solution.

This is just a series of CGI scripts that allows the user to admin the tacacs+ server without learning vi. It includes the ability to add users, delete users, administrative password resets, show configuration, and test authentication. When a user's password is near expiration they can log in and change it. Passwords are checked against the aspell dictionary to make sure that they're not a simple word (yeah, there is room for much more improvement here).
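As an added example (not code from the downloadable scripts), here is one way the dictionary check could be tightened so that it also rejects a dictionary word with digits appended, common character substitutions, or reversed spelling. The word list is a small constructed sample standing in for the aspell dictionary, and the function names are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample word list so the example runs offline; the original
# scripts consult the aspell dictionary instead.
my %WORDS = map { $_ => 1 }
    qw(password cisco router switch network admin secret monkey dragon summer);

# Character substitutions that are undone before the dictionary lookup.
my %LEET = ('0' => 'o', '1' => 'l', '3' => 'e', '4' => 'a', '5' => 's',
            '7' => 't', '@' => 'a', '$' => 's', '!' => 'i');
my $LEET_CLASS = join '', map { quotemeta } keys %LEET;

# Hypothetical helper: all normalized spellings of a candidate password.
sub candidate_forms {
    my ($pw) = @_;
    my $lower = lc $pw;
    my %forms = ($lower => 1);

    # Strip leading/trailing non-letters: "summer2007!" -> "summer"
    (my $trimmed = $lower) =~ s/^[^a-z]+|[^a-z]+$//g;
    $forms{$trimmed} = 1;

    # Undo substitutions on both spellings: "p@ssw0rd" -> "password"
    for my $f (keys %forms) {
        (my $deleet = $f) =~ s/([$LEET_CLASS])/$LEET{$1}/g;
        $forms{$deleet} = 1;
    }

    # Also test every spelling backwards: "nogard" -> "dragon"
    $forms{ scalar reverse($_) } = 1 for keys %forms;
    return keys %forms;
}

# Hypothetical helper: returns the matched dictionary word, or undef.
sub is_dictionary_based {
    my ($pw) = @_;
    for my $form (candidate_forms($pw)) {
        return $form if $WORDS{$form};
    }
    return;
}

# Constructed test passwords.
for my $pw ('Summer2007!', 'p@ssw0rd1', 'nogard', 'x9$Tq!vR2m') {
    my $hit = is_dictionary_based($pw);
    printf "%-12s %s\n", $pw, defined $hit ? "REJECT, derived from $hit" : "ok";
}
```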

There are also a couple little bonus scripts, one useful and one for fun. The script is for tying the shrubbery tacacs+ user database in with a freeradius server with the MySQL back-end. It copies the users and passwords over to MySQL from tacacs+. The second,, was just for my own learning experience. It scours the config file for DES-encrypted passwords and cracks them if they're simple dictionary words... which I somehow thought would be difficult... it is not.

I don't maintain these or fix them, but if they're useful to you drop me a comment and let me know.