tacacs+服务器搭建

2011年3月28日 | 分类: Linux | 标签: , , , , ,

环境简介

dc:10.10.0.3(win2008R2),domain:test.cn;

tacacs+(server):10.10.0.4(ubuntu),user:root;switch:10.10.0.1;

# Build toolchain and sources. Everything below runs as root and installs into the system.
apt-get update

apt-get install gcc

cd /

mkdir temp

cd temp

# NOTE(review): plain-HTTP download of an unversioned development snapshot; no checksum or
# signature is given here, so verify the archive against a value published by the project
# before building and installing it as root.
wget http://www.pro-bono-publico.de/projects/src/DEVEL.tar.bz2

#(a patched tac_plus package that can integrate with AD)

# perl-ldap is required by the mavis LDAP backend configured later; also fetched over plain HTTP.
wget http://search.cpan.org/CPAN/authors/id/G/GB/GBARR/perl-ldap-0.39.tar.gz

#perl-ldap must be installed; accept the default prompts

tar zxvf perl-ldap-0.39.tar.gz      

cd perl-ldap-0.39

# Standard CPAN build: generate the Makefile, build, run the test suite, install.
perl Makefile.PL

make

make test

make install

cd ..

bzip2 -dc DEVEL.tar.bz2 | tar xvfp -    #extract the downloaded package

cd PROJECTS

# Builds and installs tac_plus and the mavis helpers under /usr/local (the paths the config uses).
make

make install

# Start from the shipped AD sample config. The copied file will hold an LDAP bind password and
# the TACACS+ shared key in cleartext, so keep it readable by root only (e.g. chmod 600).
cp tac_plus/doc/tac_plus.cfg-ads /usr/local/etc/tac_plus.cfg

#copy the config file to the target directory

vi /usr/local/etc/tac_plus.cfg

#edit tac_plus.cfg as needed, as follows:

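#!/usr/local/bin/tac_plus

# tac_plus configuration: switch logins are authenticated against Active Directory through
# the mavis "external" backend. All quoted values use ASCII double quotes; the curly quotes
# produced by the blog rendering are not valid config syntax and must not be pasted as-is.
# This file holds an LDAP bind password and the TACACS+ shared key in cleartext — restrict
# its permissions to root.

# Listener/spawner: TACACS+ on TCP port 49 with 1..10 worker instances, running as a daemon.
# No bind address is given, so the default listening address applies (confirm in the tac_plus docs).
id = spawnd {

        listen = { port = 49 }

        spawn = {

                instances min = 1

                instances max = 10

        }

        background = yes

}

id = tac_plus {

        # Daily access/accounting logs. Nothing in this guide creates the log directories;
        # create /var/log/tac_plus/access and /var/log/tac_plus/acct before starting the daemon.
        access log = /var/log/tac_plus/access/%Y%m%d.log

        accounting log = /var/log/tac_plus/acct/%Y%m%d.log

        # User and password lookups are delegated to an external Perl script that binds to AD
        # using the environment variables set below.
        mavis module = external {

                setenv LDAP_SERVER_TYPE = "microsoft"

                # Port 3268 is the AD global catalog over plain LDAP, so the bind password below
                # crosses the network unencrypted. Prefer an LDAPS URL here if the mavis script
                # accepts one (check its documentation).
                setenv LDAP_HOSTS = "10.10.0.3:3268 TestDC-tacacs:3268"

                setenv LDAP_BASE = "dc=test,dc=cn"

                # AD account the script binds as to search the directory; give it no rights
                # beyond reading the directory.
                setenv LDAP_USER = "tacacs@test.cn"

                setenv LDAP_PASSWD = "abcd.1234"

                # Only users who belong to an AD group named with the tacacs prefix
                # (tacacsadmin, tacacsguest) are allowed to log in.
                setenv REQUIRE_TACACS_GROUP_PREFIX = 1

                exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl

        }

        login backend = mavis

        user backend = mavis

        pap backend = mavis

        # ::/0 matches every client address: any host that knows the shared key can use this
        # server. Narrow the address to the switch(es) or the management subnet.
        host = world {

                address = ::/0

                prompt = "Welcome\n"

                enable 15 = clear cisco    #switch enable password is cisco (cleartext in this file; change it)

                # Shared secret; the same value must be configured on the switch.
                key = cisco

        }

        # Full administrative access: all services and commands permitted, privilege level 15.
        group = admin {

                default service = permit

                service = shell {

                        default command = permit

                        default attribute = permit

                        set priv-lvl = 15

                }

        }

        # Restricted access: privilege level 9. The commented-out line would deny enable.
        group = guest {

                default service = permit

        #       enable = deny

                service = shell {

                        default command = permit

                        default attribute = permit

                        set priv-lvl = 9

                }

        }

}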

:wq

#save and exit

#(We need to create the users and groups in AD; the tacacs user in the config above is used to
# query AD. The config also defines two groups, admin and guest, with different privileges, and
# AD needs matching groups for them. The default prefix is tacacs, i.e. create a tacacsadmin
# group in AD that maps to the tacacs+ admin group and a tacacsguest group that maps to the
# guest group; the prefix can be changed with the mavis TACACS_GROUP_PREFIX parameter.
# setenv REQUIRE_TACACS_GROUP_PREFIX = 1 means that only users belonging to a group with the
# tacacs prefix can log in to the switch. testa belongs to tacacsguest, testc belongs to tacacsadmin)

# NOTE(review): this runs mavis_tacplus_ads.pl, but the config's exec line points at
# mavis_tacplus_ldap.pl; test the script that is actually configured.
/usr/local/lib/mavis/mavis_tacplus_ads.pl < /dev/null

#test mavis; this needs perl-ldap, which is already installed

# -P: parse the config file and report syntax errors without starting the daemon.
/usr/local/bin/tac_plus -P /usr/local/etc/tac_plus.cfg

#check tac_plus.cfg for errors

# Query AD through the configured mavis chain for user testa
# (-d -1 presumably selects full debug output — confirm in the mavistest usage).
/usr/local/bin/mavistest -d -1 /usr/local/etc/tac_plus.cfg tac_plus TAC_PLUS testa

#test communication with AD

cp tac_plus/doc/etc_init.d_tac_plus /etc/init.d/tac_plus

#copy the tac_plus init script to /etc/init.d

# Either of the two commands below starts the daemon.
/etc/init.d/tac_plus start

or

/usr/local/bin/tac_plus /usr/local/etc/tac_plus.cfg

#start tac_plus

交换机配置:

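! AAA on the switch: authenticate, authorize and account through the TACACS+ server group.
! The trailing fallback methods only apply when the group returns an error (no server
! reachable), not when the server rejects the user.
aaa new-model
! "enable" falls back to the local enable password when no TACACS+ server responds.
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
! "if-authenticated" grants the request whenever the TACACS+ group does not answer, i.e.
! authorization is fail-open while the server is down — keep only if that is intended.
aaa authorization exec default group tacacs+ if-authenticated

! Command authorization/accounting at levels 9 and 15 match the priv-lvl assigned to the
! guest and admin groups on the server.
aaa authorization commands 9 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+

aaa accounting commands 9 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

aaa accounting network default stop-only group tacacs+
aaa session-id common
! NOTE(review): the environment section lists the TACACS+ server as 10.10.0.4 and the switch
! itself as 10.10.0.1; confirm this address points at the server rather than the switch.
tacacs-server host 10.10.0.1 single-connection
tacacs-server directed-request

! The server config uses the literal key "cisco". "key 7 <string>" tells IOS that the string
! is already in type-7 encoded form, which "cisco" is not, so the keys would not match; give
! the plaintext key instead (it is stored as type 7 once service password-encryption is on).
! Use a long random shared key in production.
tacacs-server key cisco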

#type 7 为可逆(双向)编码: 命令 service password-encryption 会自动将配置中的明文密码以 type 7 形式存储。

Written by an6097
