取代freeradius，tacacsAAA配置详解

我最近完成了企业网络设备通过Radius对Windows网络策略服务器进行身份验证的配置，但有以下功能不全：
1、radius授权很麻烦，不能做到简单配置，且需添加设备，avpair属性等操作。
2、对于计费功能的用户来说很好用，但对运维人员的详细记账是不足够详细的
假如想进一步呈现Router/Switch上用户的操作记录，那么tacacs+是一个很好的开源软件，很好的弥补radius不能展现的功能，构建起来很简单，那我们开始配置吧！

安装

软件下载地址：http://pan.baidu.com/s/1i4x3jrJ
# bzip2 -dc DEVEL.tar.bz2 | tar xvfp - #解压下载好的包
# cd PROJECTS
# make
# make install
# cp tac_plus/doc/tac_plus.cfg-ads /usr/local/etc/tac_plus.cfg #复制配置文件到指定目录

对tac_plus.cfg配置文件进行编辑
vim /usr/local/etc/tac_plus.cfg

#!/usr/local/sbin/tac_plus
id = spawnd {
    listen = { port = 49 }
    spawn = {
            instances min = 1
            instances max = 10
    }
background = no
}      
id = tac_plus {
   access log = /var/log/tac_plus/access/%Y%m%d.log
   accounting log = /var/log/tac_plus/acct/%Y%m%d.log

mavis module = external {
        setenv LDAP_SERVER_TYPE = "microsoft"
        setenv LDAP_HOSTS = "AD服务器IP:3268 ads02:3268"
        setenv LDAP_BASE = "dc=my-domain,dc=com"
        setenv LDAP_USER = "Manager@my-domain.com"
        setenv LDAP_PASSWD = "xxxxx"
        setenv REQUIRE_TACACS_GROUP_PREFIX = 1
        exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
}
#此为可选配置，如需要对特定组设备有特定权限，可自行研究。
login backend = mavis
user backend = mavis
#pap backend = mavis

host = world {
        address = ::/0
        prompt = "Welcomen"
        enable 15 = clear secret
        key = XXXX
}
#此处定义管理员全选组admin，登录权限是15
group = admin {   
        message= "[Admin privileges]"
        default service = permit
        service = shell {
                default command = permit
                default attribute = permit
                set priv-lvl = 15
        }
}
#此处定义普通用户组guest，登录权限是1，允许“show versinon/interface”，拒绝“show ip interface”,拒绝“enable”
group = guest {
        enable = deny
        service = shell {
                default cmd = deny
                message deny="Command Denied by tacacs server"
                default attribute = deny
                cmd = show {
                              deny /ip interface/
                              permit /version/
                              permit /interface */
                              deny //
                              message deny="Access Deny"
                       }
                cmd = quit {
                             permit //
                      }
                set priv-lvl = 1
                
        }
}
 user = 111 {
        password = clear 111
        member = guest 
}
#这里我们为运维工程师创建了2个账号，属admin组
user = cisco {
        password = clear cisco
        member = admin
        service = shell {
                default command = permit
                default attribute = permit
                set priv-lvl = 15
        }
}
user = atomlqws {
        password = clear "xxxxx" 
        member = admin
        service = shell {
                default command = permit
                default attribute = permit
                set priv-lvl = 15
        }
}
group = medium {
        default service = permit
        service = shell {
                default command = permit
                default attribute = permit
                set priv-lvl = 15
                cmd = configure { deny .*}
                cmd = enable { deny .* }
        }
}


user = readonly {
        password = clear readonly
        member = guest
}

}
#（我们需要在AD中建立用户和组，上边配置文件中的 tacacs用户用来查询AD。配置文件中还设定了2个组，一个是admin，一个是guest，设置不同的权限，我们需要再AD中设置相应的组，来对应这两个组。默认的前缀为tacacs，即在AD 中建立tacacsadmin组对应tacacs+中的admin组，tacacsguest组对应tacacs+中的guest组，使用mavis中的TACACS_GROUP_PREFIX参数可以修改此前缀。setenv REQUIRE_TACACS_GROUP_PREFIX = 1 的意思是只有属于有tacacs前缀的组的用户才能登陆了交换机。testa属于tacacsguest，testc属于tacacsadmin）

/usr/local/bin/tac_plus -P /usr/local/etc/tac_plus.cfg
#测试tac_plus.cfg有没有错误
cp tac_plus/doc/etc_init.d_tac_plus /etc/init.d/tac_plus
#复制tac_plus的脚本到/etc/init.d
/etc/init.d/tac_plus start
or
/usr/local/bin/tac_plus /usr/local/etc/tac_plus.cfg
#启动tac_plus

网络设备tacacs+配置

我司线上网络设备包括:cisco/h3c,不通品牌型号均不同：
H3C hwtacacs 配置

hwtacacs scheme XXXX（key）
primary authentication 192.168.1.100(TAcacs server IP)
primary authorization 192.168.1.100
primary accounting 192.168.1.100
key authentication cipher $c$3$a2e4q/H2M6r4Pw0T/jPldYtCqJppuQiZe6g=
key authorization cipher $c$3$axYZ0PzHI5l9+QVsTOcbfl+0PlVy7d0SoVw=
key accounting cipher $c$3$VEdNEyM+HH7ybBW8yAhk9l0Puo2R5siPDx4=
user-name-format without-domain
nas-ip 10.2.254.101

domain sinobbd-domain
authentication login hwtacacs-scheme XXXX local
authorization login hwtacacs-scheme XXXX local
accounting login hwtacacs-scheme XXXX local

line vty 0 10
authentication-mode scheme
user-role network-admin
user-role network-operator
protocol inbound ssh
idle-timeout 30 0

Nexus系列设备配置
feature tacacs+

tacacs-server host 192.168.1.100 key 7 "VertTBY"
aaa group server tacacs+ XXXX(key)
server 192.168.1.100
source-interface loopback0

aaa authentication login default group XXXX local
aaa authentication login console local
aaa authorization commands default group XXXX local
aaa accounting default group SinoBBD

IOS系列配置(ASR 1K,3650,2960等)
aaa authentication login default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
ip tacacs source-interface Loopback0
tacacs-server host 192.168.1.100
tacacs-server key 7 113A100B18302928

ASR 9K配置
tacacs source-interface Loopback0 vrf default
tacacs-server host 192.168.1.100 port 49
!
tacacs-server key 7 113A100B18302928
!
aaa accounting commands default start-stop group tacacs+
aaa authorization commands default group tacacs+
aaa authentication login console local
aaa authentication login default group tacacs+ local
aaa default-taskgroup root-system

line template T_vtyaccounting commands default

（编辑：李大同）

【声明】本站内容均来自网络，其相关言论仅代表作者个人观点，不代表本站立场。若无意侵犯到您的权利，请及时与联系站长删除相关内容!