I recently finished configuring our enterprise network devices to authenticate via RADIUS against a Windows Network Policy Server, but the result has the following shortcomings:
1. RADIUS authorization is cumbersome: it cannot be configured simply, and requires adding devices, AV-pair attributes and similar work.
2. It works well for users who need accounting, but the detailed per-command accounting that operations staff need is not sufficient.
If you want to go further and see users' operation records on routers and switches, tacacs+ is an excellent open-source package that nicely fills in what RADIUS cannot show, and it is simple to build, so let's start configuring!
Installation
Software download address: http://pan.baidu.com/s/1i4x3jrJ
# bzip2 -dc DEVEL.tar.bz2 | tar xvfp -    # extract the downloaded package
# cd PROJECTS
# make
# make install
# cp tac_plus/extra/tac_plus.cfg-ads /usr/local/etc/tac_plus.cfg    # copy the sample config file to the target directory
Edit the tac_plus.cfg configuration file:
vim /usr/local/etc/tac_plus.cfg
#!/usr/local/sbin/tac_plus
id = spawnd {
    listen = { port = 49 }
    spawn = {
        instances min = 1
        instances max = 10
    }
    background = no
}
id = tac_plus {
    access log = /var/log/tac_plus/access/%Y%m%d.log
    accounting log = /var/log/tac_plus/acct/%Y%m%d.log
    mavis module = external {
        setenv LDAP_SERVER_TYPE = "microsoft"
        setenv LDAP_HOSTS = "AD服務器IP:3268 ads02:3268"
        setenv LDAP_BASE = "dc=my-domain,dc=com"
        setenv LDAP_USER = "Manager@my-domain.com"
        setenv LDAP_PASSWD = "xxxxx"
        setenv REQUIRE_TACACS_GROUP_PREFIX = 1
        exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
    }
    # This part is optional; if particular groups need particular privileges on particular devices, look into it yourself.
    login backend = mavis
    user backend = mavis
    #pap backend = mavis
    host = world {
        address = ::/0
        prompt = "Welcome\n"
        enable 15 = clear secret
        key = XXXX
    }
    # Here we define the administrator group admin, with login privilege level 15
    group = admin {
        message = "[Admin privileges]"
        default service = permit
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 15
        }
    }
    # Here we define the ordinary user group guest, with login privilege level 1:
    # "show version/interface" is allowed, "show ip interface" is denied, and "enable" is denied
    group = guest {
        enable = deny
        service = shell {
            default cmd = deny
            message deny = "Command Denied by tacacs server"
            default attribute = deny
            cmd = show {
                deny /ip interface/
                permit /version/
                permit /interface */
                deny // message deny = "Access Deny"
            }
            cmd = quit {
                permit //
            }
            set priv-lvl = 1
        }
    }
    user = 111 {
        password = clear 111
        member = guest
    }
    # Here we create two accounts for the operations engineers, both in the admin group
    user = cisco {
        password = clear cisco
        member = admin
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 15
        }
    }
    user = atomlqws {
        password = clear "xxxxx"
        member = admin
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 15
        }
    }
    group = medium {
        default service = permit
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 15
            cmd = configure { deny .* }
            cmd = enable { deny .* }
        }
    }
    user = readonly {
        password = clear readonly
        member = guest
    }
}
# (We need to create the users and groups in AD; the tacacs user in the configuration above is used to query AD. The configuration also defines two groups, admin and guest, with different privileges, and we need to create matching groups in AD that map to these two. The default prefix is tacacs, i.e. a tacacsadmin group in AD maps to the admin group in tacacs+, and a tacacsguest group maps to the guest group; the prefix can be changed with the mavis TACACS_GROUP_PREFIX parameter. setenv REQUIRE_TACACS_GROUP_PREFIX = 1 means that only users belonging to a group with the tacacs prefix can log in to the switches. testa belongs to tacacsguest, testc belongs to tacacsadmin.)
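As an added illustration (not part of the original post, and not tac_plus code), the following Python script models how the guest group's cmd rules above would be evaluated, so the policy can be sanity-checked before it is rolled out. It assumes the tac_plus semantics that the rules of a cmd block are tried in order with the first match winning, that each regex is searched unanchored in the command's argument string, that a command with no cmd block falls under "default cmd = deny", and that a deny rule without its own message uses the service-level "message deny" text. It also shows why "deny /ip interface/" must precede "permit /interface */".

```python
import re

# Rules transcribed from "group = guest" in the tac_plus.cfg above.
# Each cmd block is an ordered list of (action, regex, message-or-None).
GUEST_POLICY = {
    "deny_message": "Command Denied by tacacs server",  # service-level "message deny"
    "cmds": {
        "show": [
            ("deny", r"ip interface", None),
            ("permit", r"version", None),
            ("permit", r"interface *", None),
            ("deny", r"", "Access Deny"),  # empty regex matches anything: catch-all deny
        ],
        "quit": [("permit", r"", None)],
    },
}


def authorize(policy, command_line):
    """Decide one command line; returns (action, message).
    Assumed semantics: first matching rule wins, regexes are searched
    unanchored in the argument string, and a command without a cmd block
    falls under 'default cmd = deny'."""
    parts = command_line.strip().split(None, 1)
    if not parts:
        return ("deny", policy["deny_message"])
    cmd, args = parts[0], (parts[1] if len(parts) > 1 else "")
    for action, pattern, message in policy["cmds"].get(cmd, []):
        if re.search(pattern, args):
            if action == "deny" and message is None:
                message = policy["deny_message"]  # assumed fallback to service-level text
            return (action, message)
    return ("deny", policy["deny_message"])


def with_rules_swapped(policy):
    """Same policy with the 'show' deny rule moved after the two permits,
    to demonstrate that unanchored matching makes rule order matter."""
    show = policy["cmds"]["show"]
    reordered = show[1:3] + [show[0]] + show[3:]
    return {**policy, "cmds": {**policy["cmds"], "show": reordered}}


if __name__ == "__main__":
    for line in ("show version", "show interface GigabitEthernet0/1",
                 "show ip interface brief", "show running-config",
                 "configure terminal", "quit"):
        print(f"{line:36} -> {authorize(GUEST_POLICY, line)}")
    # With the deny rule demoted, /interface */ also matches "ip interface ..." and permits it.
    print("swapped:", authorize(with_rules_swapped(GUEST_POLICY), "show ip interface brief"))
```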
/usr/local/sbin/tac_plus -P /usr/local/etc/tac_plus.cfg
# check tac_plus.cfg for errors
cp tac_plus/extra/etc_init.d_tac_plus /etc/init.d/tac_plus
chmod +x /etc/init.d/tac_plus
# copy the tac_plus init script to /etc/init.d
/etc/init.d/tac_plus start
or
/usr/local/bin/tac_plus /usr/local/etc/tac_plus.cfg
# start tac_plus
Our production network devices include Cisco and H3C; the configuration differs by brand and model:
H3C hwtacacs configuration
hwtacacs scheme XXXX(key)
primary authentication 192.168.1.100(TACACS server IP)
primary authorization 192.168.1.100
primary accounting 192.168.1.100
key authentication cipher $c$3$a2e4q/H2M6r4Pw0T/jPldYtCqJppuQiZe6g=
key authorization cipher $c$3$axYZ0PzHI5l9+QVsTOcbfl+0PlVy7d0SoVw=
key accounting cipher $c$3$VEdNEyM+HH7ybBW8yAhk9l0Puo2R5siPDx4=
user-name-format without-domain
nas-ip 10.2.254.101
domain sinobbd-domain
authentication login hwtacacs-scheme XXXX local
authorization login hwtacacs-scheme XXXX local
accounting login hwtacacs-scheme XXXX local
line vty 0 10
authentication-mode scheme
user-role network-admin
user-role network-operator
protocol inbound ssh
idle-timeout 30 0
Nexus series configuration
feature tacacs+
tacacs-server host 192.168.1.100 key 7 "VertTBY"
aaa group server tacacs+ XXXX(key)
server 192.168.1.100
source-interface loopback0
aaa authentication login default group XXXX local
aaa authentication login console local
aaa authorization commands default group XXXX local
aaa accounting default group SinoBBD
IOS series configuration (ASR 1K, 3650, 2960, etc.)
aaa authentication login default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
ip tacacs source-interface Loopback0
tacacs-server host 192.168.1.100
tacacs-server key 7 113A100B18302928
ASR 9K configuration
tacacs source-interface Loopback0 vrf default
tacacs-server host 192.168.1.100 port 49
!
tacacs-server key 7 113A100B18302928
!
aaa accounting commands default start-stop group tacacs+
aaa authorization commands default group tacacs+
aaa authentication login console local
aaa authentication login default group tacacs+ local
aaa default-taskgroup root-system
line template T_vty
accounting commands default