Cacti authentication using Cisco ACS

The scenario is that we have a cacti install (0.8.7e) running on an Ubuntu box using only a single user/pass but would like users to authenticate individually to cacti. We  use a Cisco ACS server to authenticate access to all our switches etc using tacacs+ so that already has all the users configured.

I couldnt find a simple way to authenticate people using the tacacs+ protocol but ACS is also a radius server so its no problem to configure a AAA client to use radius.

First install the auth module to allow radius authentication:

sudo apt-get install libapache2-mod-auth-radius

Now we need to configure tell apache where the radius servers is and what the key is:

sudo vi /etc/apache2/apache2.conf

Then add the following to configure the location of the ACS server the port used (1812 is default radius) the secret/key and the timeout/retry values.

##
# Adding Radius auth support
##
AddRadiusAuth 192.168.1.3:1812 mySecret 5:3
AddRadiusCookieValid 60

Now on the ACS server we configure a AAA client under Network configuration > Network Device Group. We need to configure the IP address of the Cacti box give it a name (can be anything) set the key to match the one you configured in the apache config and select the "Authenticate Using" option of Radius IETF.

Click submit and restart. Now we can test the authentication works from the Cacti machine by using the radtest application. It takes the username, password, ACS IP, port and key as the arguments.

root@cacti:~# radtest m00nie mypass 192.168.1.3 1812 mySecret
Sending Access-Request of id 89 to 192.168.1.3 port 1812
User-Name = "m00nie"
User-Password = "mypass"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
rad_recv: Access-Accept packet from host 192.168.1.3 port 1812, id=89, length=26
root@cacti:~#

Access-Accept means the authentication works :) Access-Reject means something is wrong so theres no point going further till you resolve it.
Now we need to get Cacti/Apache to prompt for a user/pass and authenticate it using radius.

First go to Cacti and change it to use "web basic authentication". This is under Configuration > Settings > Authentication > Authentication Method. Select Web basic auth and be sure to change the user template to a valid template eg Admin then click save. Now we need to create a .htaccess file in the Cacti root directory.

vi /usr/share/cacti/site/.htaccess

Then add the following

AuthType Basic
AuthName "Tacacs+ Info"
AuthBasicAuthoritative Off
AuthBasicProvider radius
AuthRadiusAuthoritative on
AuthRadiusActive On
Require valid-user

Then chmod the file

chmod 644 /usr/share/cacti/site/.htaccess

Now you might need to add a section to the /etc/apache2/sites-available/default file. If you already have Cacti installed and working you maybe only need to add AllowOverride All

Alias /cacti /usr/share/cacti/site

Options +FollowSymLinks
AllowOverride All
order allow,deny
allow from all
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals On
php_flag register_argc_argv On
php_flag track_vars On
php_value include_path .
php_value mbstring.func_overload 0
DirectoryIndex index.php

After this restart Apache and when you browse to http://mysite/cacti you should be prompted for your tacacs info then logged into Cacti :)

m00nie