我最近完成了企业网络设备通过Radius对Windows网络策略服务器进行身份验证的配置,但有以下功能不全:
1、radius授权很麻烦,不能做到简单配置,且需添加设备,avpair属性等操作。
2、对于计费功能的用户来说很好用,但对运维人员的详细记账是不足够详细的
假如想进一步呈现Router/Switch上用户的操作记录,那么tacacs+是一个很好的开源软件,很好的弥补radius不能展现的功能,构建起来很简单,那我们开始配置吧!
安装
软件下载地址:http://pan.baidu.com/s/1i4x3jrJ
# bzip2 -dc DEVEL.tar.bz2 | tar xvfp - #解压下载好的包
# cd PROJECTS
# make
# make install
# cp tac_plus/doc/tac_plus.cfg-ads /usr/local/etc/tac_plus.cfg #复制配置文件到指定目录
对tac_plus.cfg配置文件进行编辑
vim /usr/local/etc/tac_plus.cfg
#!/usr/local/sbin/tac_plus
id = spawnd {
listen = { port = 49 }
spawn = {
instances min = 1
instances max = 10
}
background = no
}
id = tac_plus {
access log = /var/log/tac_plus/access/%Y%m%d.log
accounting log = /var/log/tac_plus/acct/%Y%m%d.log
mavis module = external {
setenv LDAP_SERVER_TYPE = "microsoft"
setenv LDAP_HOSTS = "AD服务器IP:3268 ads02:3268"
setenv LDAP_BASE = "dc=my-domain,dc=com"
setenv LDAP_USER = "Manager@my-domain.com"
setenv LDAP_PASSWD = "xxxxx"
setenv REQUIRE_TACACS_GROUP_PREFIX = 1
exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
}
#此为可选配置,如需要对特定组设备有特定权限,可自行研究。
login backend = mavis
user backend = mavis
#pap backend = mavis
host = world {
address = ::/0
prompt = "Welcome\n"
enable 15 = clear secret
key = XXXX
}
#此处定义管理员全选组admin,登录权限是15
group = admin {
message= "[Admin privileges]"
default service = permit
service = shell {
default command = permit
default attribute = permit
set priv-lvl = 15
}
}
#此处定义普通用户组guest,登录权限是1,允许“show versinon/interface”,拒绝“show ip interface”,拒绝“enable”
group = guest {
enable = deny
service = shell {
default cmd = deny
message deny="Command Denied by tacacs server"
default attribute = deny
cmd = show {
deny /ip interface/
permit /version/
permit /interface */
deny //
message deny="Access Deny"
}
cmd = quit {
permit //
}
set priv-lvl = 1
}
}
user = 111 {
password = clear 111
member = guest
}
#这里我们为运维工程师创建了2个账号,属admin组
user = cisco {
password = clear cisco
member = admin
service = shell {
default command = permit
default attribute = permit
set priv-lvl = 15
}
}
user = atomlqws {
password = clear "xxxxx"
member = admin
service = shell {
default command = permit
default attribute = permit
set priv-lvl = 15
}
}
group = medium {
default service = permit
service = shell {
default command = permit
default attribute = permit
set priv-lvl = 15
cmd = configure { deny .*}
cmd = enable { deny .* }
}
}
user = readonly {
password = clear readonly
member = guest
}
}
#(我们需要在AD中建立用户和组,上边配置文件中的 tacacs用户用来查询AD。配置文件中还设定了2个组,一个是admin,一个是guest,设置不同的权限,我们需要再AD中设置相应的组,来对应这两个组。默认的前缀为tacacs,即在AD 中建立tacacsadmin组对应tacacs+中的admin组,tacacsguest组对应tacacs+中的guest组,使用mavis中的TACACS_GROUP_PREFIX参数可以修改此前缀。setenv REQUIRE_TACACS_GROUP_PREFIX = 1 的意思是只有属于有tacacs前缀的组的用户才能登陆了交换机。testa属于tacacsguest,testc属于tacacsadmin)
/usr/local/bin/tac_plus -P /usr/local/etc/tac_plus.cfg
#测试tac_plus.cfg有没有错误
cp tac_plus/doc/etc_init.d_tac_plus /etc/init.d/tac_plus
#复制tac_plus的脚本到/etc/init.d
/etc/init.d/tac_plus start
or
/usr/local/bin/tac_plus /usr/local/etc/tac_plus.cfg
#启动tac_plus
网络设备tacacs+配置
我司线上网络设备包括:cisco/h3c,不通品牌型号均不同:
H3C hwtacacs 配置
hwtacacs scheme XXXX(key)
primary authentication 192.168.1.100(TAcacs server IP)
primary authorization 192.168.1.100
primary accounting 192.168.1.100
key authentication cipher $c$3$a2e4q/H2M6r4Pw0T/jpldYtCqJppuQiZe6g=
key authorization cipher $c$3$axYZ0PzHI5l9+QVsTOcbfl+0PlVy7d0SoVw=
key accounting cipher $c$3$VednEyM+HH7ybBW8yAhk9l0Puo2R5siPDx4=
user-name-format without-domain
nas-ip 10.2.254.101
domain sinobbd-domain
authentication login hwtacacs-scheme XXXX local
authorization login hwtacacs-scheme XXXX local
accounting login hwtacacs-scheme XXXX local
line vty 0 10
authentication-mode scheme
user-role network-admin
user-role network-operator
protocol inbound ssh
idle-timeout 30 0
Nexus系列设备配置
feature tacacs+
tacacs-server host 192.168.1.100 key 7 "VertTBY"
aaa group server tacacs+ XXXX(key)
server 192.168.1.100
source-interface loopback0
aaa authentication login default group XXXX local
aaa authentication login console local
aaa authorization commands default group XXXX local
aaa accounting default group SinoBBD
IOS系列配置(ASR 1K,3650,2960等)
aaa authentication login default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
ip tacacs source-interface Loopback0
tacacs-server host 192.168.1.100
tacacs-server key 7 113A100B18302928
ASR 9K配置
tacacs source-interface Loopback0 vrf default
tacacs-server host 192.168.1.100 port 49
!
tacacs-server key 7 113A100B18302928
!
aaa accounting commands default start-stop group tacacs+
aaa authorization commands default group tacacs+
aaa authentication login console local
aaa authentication login default group tacacs+ local
aaa default-taskgroup root-system
line template T_vtyaccounting commands default
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。
