- 交换机配置(以华三交换机为例,v7版本) hwtacacs scheme tacacs primary authentication 172.18.34.45 primary authorization 172.18.34.45 primary accounting 172.18.34.45 key authentication cipher $c$3$GVL2qE1HsQSyRlEI5UiDXl7Se/giCmx7fXzy key authorization cipher $c$3$SQRKlqv25kY6zvoAtPfqkKyr42LdnT57kh6V key accounting cipher $c$3$gklXXuVEMVLUcHFL0WX1t33g7BDhXciJRcb2 user-name-format without-domain
domain hwtacacs authorization command hwtacacs-scheme tacacs accounting command hwtacacs-scheme tacacs authentication default hwtacacs-scheme tacacs local authorization default hwtacacs-scheme tacacs local accounting default hwtacacs-scheme tacacs local
domain default enable hwtacacs
line vty 0 15 command authorization command accounting ! 2. 用户管理平台FreeIPA安装 系统版本 CentOS Linux release 7.3.1611 (Core),关闭防火墙(仅为安装方便;生产环境应按需放行端口而不是整体关闭) yum install ipa-server bind bind-dyndb-ldap echo "172.18.34.45 ipa.test.org ipa" >>/etc/hosts ipa-server-install 会自动安装,全部按默认回车即可 https://ipa.test.org/ 安装过程中会提示输入用户名和密码,默认用户为admin 可能会遇到的报错 如遇到messagebus服务报错,执行以下命令,然后卸载重装。 https://bugzilla.redhat.com/show_bug.cgi?id=636876 systemctl restart messagebus systemctl start certmonger ipa-server-install --uninstall ipa-server-install 日志目录 tail -f /var/log/dirsrv/slapd-TEST-ORG/access tail -f /var/log/dirsrv/slapd-TEST-ORG/errors 设置IPA: 添加用户
添加用户到用户组
3. TACACS 安装配置 yum install gcc perl-LDAP wget wget http://www.pro-bono-publico.de/projects/src/DEVEL.201706241310.tar.bz2 tar xvfj DEVEL.201706241310.tar.bz2 cd ~/PROJECTS(tar 解压后生成的目录,与下文 cp 命令中的 ~/PROJECTS 路径一致) ./configure make && make install mkdir /var/log/tac_plus mkdir /var/log/tac_plus/access mkdir /var/log/tac_plus/acct mkdir /var/log/tac_plus/authen mkdir /var/log/tac_plus/author chmod 760 -R /var/log/tac_plus/ cp ~/PROJECTS/tac_plus/extra/tac_plus.service /etc/systemd/system/ systemctl daemon-reload cp ~/PROJECTS/tac_plus/extra/tac_plus.cfg-ads /usr/local/etc/tac_plus.cfg chmod 660 /usr/local/etc/tac_plus.cfg(配置文件中含有共享 key 和 enable 密码,需要限制读取权限) TACACS 配置文件 /usr/local/etc/tac_plus.cfg 内容如下: #!/usr/local/sbin/tac_plus id = spawnd { listen = { port = 49 } spawn = { instances min = 1 instances max = 10 } background = yes }
# Main tac_plus instance. The four log paths are the same ones repeated under
# "tacacs日志管理" at the end of this page; the directories were created with
# mkdir and restricted with chmod 760 in the install steps above.
id = tac_plus {
    # One file per day (%Y%m%d) per AAA phase: session access, authentication,
    # command authorization and accounting.
    access log = /var/log/tac_plus/access/%Y%m%d.log
    authentication log = /var/log/tac_plus/authen/%Y%m%d.log
    authorization log = /var/log/tac_plus/author/%Y%m%d.log
    accounting log = /var/log/tac_plus/acct/%Y%m%d.log
# User lookup and password check are delegated to the external MAVIS LDAP
# helper (exec below), which queries the FreeIPA directory installed earlier.
mavis module = external {
    # NOTE(review): "microsoft" is used although the directory is FreeIPA
    # (389-ds); group lookup relies on the memberOf flag below — confirm this
    # server type is the right one for the helper against an IPA schema.
    setenv LDAP_SERVER_TYPE = "microsoft"
    # Plain ldap:// on 389: the user's password is sent to the directory
    # without transport encryption. On this page IPA and tac_plus share host
    # 172.18.34.45 (see the /etc/hosts entry), so the traffic stays on-box;
    # if they are ever split onto separate hosts, move to ldaps:// or TLS.
    setenv LDAP_HOSTS = "ldap://ipa.test.org:389"
    setenv LDAP_SCOPE = "sub"
    # FreeIPA's user container for the test.org realm.
    setenv LDAP_BASE = "cn=users,cn=accounts,dc=test,dc=org"
    # %s is presumably replaced by the login name — confirm in the helper.
    setenv LDAP_FILTER= "(uid=%s)"
    # Presumably only IPA groups carrying the helper's TACACS group prefix are
    # mapped onto the tac_plus groups (admin/guest) below — confirm the prefix
    # in mavis_tacplus_ldap.pl and name the IPA groups accordingly.
    setenv REQUIRE_TACACS_GROUP_PREFIX = 1
    # Use the user's memberOf attribute for group membership (assumed; verify
    # the attribute is populated on the IPA side).
    setenv FLAG_USE_MEMBEROF = 1
    exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
}
# All three backends go through MAVIS: there are no local user entries in this
# file, so every login is decided by the LDAP directory.
login backend = mavis
user backend = mavis
pap backend = mavis
# Presumably an LDAP group with no matching tac_plus group is ignored rather
# than failing the login — confirm.
skip missing groups = yes
# MAVIS results are cached for 6 hours (21600 s). NOTE(review): a user
# disabled or removed in IPA may keep working until the cached entry expires —
# confirm the cache semantics and lower this value if that window is too long.
cache timeout = 21600
# Client definition. ::/0 matches any client address, so every device that
# knows the shared key can use this server; narrowing it to the management
# network the switches sit in limits which sources can reach the daemon.
host = world {
    address = ::/0
    prompt = "Welcome\n"
    # Enable password for privilege level 15, stored in clear text ("clear"),
    # which is one reason the earlier chmod 660 on tac_plus.cfg matters.
    enable 15 = clear secret
    # Shared secret; must equal the key configured under hwtacacs scheme on
    # the switch. "XXXX" is a placeholder, and the parenthetical note after it
    # is page commentary that must not be left in the real file.
    key = XXXX (与交换机key一致)
}
# Administrators: every service, every command and every attribute permitted,
# and the shell session is granted privilege level 15.
group = admin {
    default service = permit
    service = shell {
        default command = permit
        default attribute = permit
        set priv-lvl = 15
    }
}
# Read-only users: services and commands are denied unless listed, enable is
# refused, and the shell starts at privilege level 1.
group = guest {
    default service = deny
    enable = deny
    service = shell {
        default command = deny
        default attribute = permit
        set priv-lvl = 1
        # display: everything except "display diagnostic-information". Rules
        # are evaluated in order, so the deny line must stay above "permit .*"
        # or the catch-all would permit it.
        cmd = display {
            deny diagnostic-information
            permit .*
        }
        # ping with any arguments.
        cmd = ping { permit .* }
    }
}
} tacacs服务管理: systemctl enable tac_plus systemctl restart tac_plus systemctl status tac_plus tacacs日志管理: access log = /var/log/tac_plus/access/%Y%m%d.log authentication log = /var/log/tac_plus/authen/%Y%m%d.log authorization log = /var/log/tac_plus/author/%Y%m%d.log accounting log = /var/log/tac_plus/acct/%Y%m%d.log