Инструменты пользователя
сервис_tacacs
Содержание
Сервис TACACS+
Установка TACACS+ сервера
FreeBSD
[server:~] # pkg install tac_plus [server:~] # pkg_add -r tac_plus [server:~] # cd /usr/local/etc/
Ubuntu/Debian
root@server:~# apt install tacacs+ root@server:~# cd /etc/tacacs+/
CentOS/SL
- Необходимые пакеты: flex bison libwrap0-dev
root@server:~# apt-get install flex bison libwrap0-dev root@server:~# cd /usr/src root@server:/usr/src# wget ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F4.0.4.26.tar.gz root@server:/usr/src# tar -xvzf tacacs+-F4.0.4.26.tar.gz root@server:/usr/src# cd tacacs+-F4.0.4.26 root@server:/usr/src/tacacs+-F4.0.4.26# ./configure --prefix=/usr/local/tac_plus root@server:/usr/src/tacacs+-F4.0.4.26# make install clean root@server:/usr/src/tacacs+-F4.0.4.26# cd /etc
Настройка
FreeBSD/Ubuntu
# htpasswd -n -d user1 New password: tpassword1 ... # :> tac_plus.conf # cat tac_plus.conf
key = tackey123
accounting file = /var/log/tac_plus.acct
user=user1 {
default service = permit
login = des "DWRr6OSzYvMH."
service = exec {
priv-lvl = 15
}
}
Запуск
FreeBSD
# /usr/local/etc/rc.d/tac_plus rcvar # /usr/local/etc/rc.d/tac_plus start Starting tac_plus.
Ubuntu/Debian
# service tacacs_plus restart
CentOS/SL
root@server:~# cat /etc/rc.local
... /usr/local/tac_plus/bin/tac_plus -C /etc/tac_plus.conf exit 0
root@server:~# /usr/local/tac_plus/bin/tac_plus -C /etc/tac_plus.conf
Мониторинг
# tail -f /var/log/tac_plus.acct
Дополнительные материалы
# cat /etc/tac_plus.conf
key = tackey123
user=user1 {
default service = permit
login = des "DWRr6OSzYvMH."
service = exec {
priv-lvl = 15
}
}
user=user2 {
default service = permit
login = des "QMN3UmwtTO/GU"
service = exec {
priv-lvl = 15
}
member = group_restrict
}
acl = acl_restrict {
permit = 172.16.1.3
permit = 172.16.1.4
permit = 172.16.1.5
}
group = group_restrict {
acl = acl_restrict
}
# cat /usr/local/etc/tac_plus.conf
...
user=user1 {
default service = permit
login = des "xxxxxxxxx"
service = exec {
priv-lvl = 15
}
member=level15
}
group=level15 {
cmd=enable { permit .* }
cmd=configure { permit terminal }
# cmd=cli { permit terminal }
cmd=radius-server { permit .* }
cmd=vlan { permit .* }
cmd=interface { permit .* }
cmd=ip { permit .* }
cmd=router { permit .* }
cmd=network { permit .* }
cmd=eapol { permit .* }
cmd=show { permit .* }
cmd=copy { permit .* }
cmd=reload { permit .* }
cmd=end { permit .* }
cmd=exit { permit .* }
cmd=logout { permit .* }
cmd=* { permit .* }
}
# cat /usr/local/etc/tac_plus.conf.example
# This is example from old version of tac_plus. It will work
# but config file have new features. I recomend to read
# /usr/local/share/doc/tac_plus/users_guide
user=fred {
name = "Fred Flintstone"
login = des mEX027bHtzTlQ
# Remember that authorization is also recursive over groups, in
# the same way that password lookups are recursive. Thus, if you
# place a user in a group, the daemon will look in the group for
# authorization parameters if it cannot find them in the user
# declaration.
member = admin
expires = "May 23 2010"
service = exec {
# When Fred starts an exec, his connection access list is 5
acl = 5
# We require this autocmd to be done at startup
autocmd = "telnet foo"
}
# All commands except telnet 131.108.13.* are denied for Fred
cmd = telnet {
# Fred can run the following telnet command
permit 131\.108\.13\.[0-9]+
deny .*
}
service = ppp protocol = ip {
# Fred can run ip over ppp only if he uses one
# of the following mandatory addresses If he supplies no
# address, the first one here will be mandated
addr=131.108.12.11
addr=131.108.12.12
addr=131.108.12.13
addr=131.108.12.14
# Fred's mandatory input access list number is 101
inacl=101
# We will suggest an output access list of 102, but Fred may
# choose to ignore or override it
optional outacl=102
}
service = slip {
# Fred can run slip. When he does, he will have to use
# these mandatory access lists
inacl=101
outacl=102
}
# set a timeout in the lcp layer of ppp
service = ppp protocol = lcp {
timeout = 10
}
}
user = wilma {
# Wilma has no password of her own, but she's a group member so
# she'll use the group password if there is one. Same for her
# password expiry date
member = admin
}
group = admin {
# group members who don't have their own password will be looked
# up in /etc/passwd
login = file /etc/passwd
# group members who have no expiry date set will use this one
expires = "Jan 1 2038"
}
сервис_tacacs.txt · Последние изменения: 2018/03/27 09:42 — val
Инструменты страницы
За исключением случаев, когда указано иное, содержимое этой вики предоставляется на условиях следующей лицензии: CC Attribution-Share Alike 4.0 International
