Differences

This shows you the differences between two versions of the page.

--- использование_протоколов_связанных_с_aaa [2012/03/14 12:30]
val
+++ использование_протоколов_связанных_с_aaa [2013/10/07 16:19]
val [Протокол 802.1x]
@@ Line 1: / Line 1: @@
 ====== Использование протоколов связанных с AAA ======
-===== Использование RADIUS сервера =====
+===== Использование протокола RADIUS =====
-==== FreeBSD/Ubuntu ====
+==== Настройка сервера (FreeBSD/Ubuntu) ====
-[[Сервис FreeRADIUS]]
+  * [[Сервис FreeRADIUS#Инсталяция сервера]]
+  * [[Сервис FreeRADIUS#Настройка хранилища базы данных пользователей]]
+  * [[Сервис FreeRADIUS#Регистрация клиентов]]
+  * [[Сервис FreeRADIUS#Создание базы данных пользователей]]
-<code>
+==== Настройка клиента Cisco ====
-server# cat clients.conf
-</code><code>
-...
-client switch {
-       secret          = testing123
-       shortname       = switch
-}
-</code><code>
-root@server# cat users
-user1 Cleartext-Password := "rpassword1"
-user2 Cleartext-Password := "rpassword2"
+  * [[AAA#Настройка клиента RADIUS]]
-        Service-Type = NAS-Prompt-User,
-        cisco-avpair = "shell:priv-lvl=14"
-</code>
-==== Cisco ====
+==== Аутентификации telnet подключений ====
-=== Настройка клиента RADIUS ===
 <code>
-radius-server host server auth-port 1812 acct-port 1813
+switch(config)#no username user1
-radius-server key testing123
 </code>
-=== Использование RADIUS для аутентификации telnet подключений =====
+  * [[AAA#Использование RADIUS для аутентификации telnet подключений]]
-<code>
-aaa authentication login default group radius enable
-aaa authorization exec default local none
-</code>
-=== Использование RADIUS для протокола 802.1x =====
+==== Протокол 802.1x ====
-<code>
-aaa authentication dot1x default group radius
-!!! may not be in some ealer ios !!!
+  * [[AAA#Использование RADIUS для протокола 802.1x]]
-dot1x system-auth-control
+  * [[Оборудование уровня 2 Cisco Catalyst#Настройка 802.1x]]
-! aaa accounting network default start-stop group radius
+  * Настройка Windows ([[http://open1x.sourceforge.net/]])
-aaa accounting dot1x default start-stop group radius
+  * [[Сервис FreeRADIUS#Учет ресурсов потребляемых пользователями]]
-interface FastEthernet0/2
- switchport mode access
- dot1x port-control auto
-</code><code>
-switch#show dot1x interface f0/2
-</code>
-=== Настройка Windows ===
-http://open1x.sourceforge.net/
-=== Testing ===
-<code>
-root@server:~# tail -f /var/log/freeradius/radacct/192.168...
-[server:~] # tail -f /var/log/radacct/192.168...
-</code>
 ===== Использование протокола TACACS+ =====
-==== Установка TACACS+ сервера ====
+  * [[Сервис TACACS+]]
+  * [[AAA#Настройка клиента TACACS+]]
-=== FreeBSD ===
+  * [[AAA#Использование TACACS+ для аутентификации telnet подключений]]
-<code>
-[server:~] # pkg_add -r tac_plus
-[server:~] # cd /usr/local/etc/
-</code>
-=== Ubuntu/Debian/CentOS/SL ===
-Необходимые пакеты: flex bison libwrap0-dev
-[[Управление ПО в Linux]]
-Работа с исходными текстами
-<code>
-root@server:~# apt-get install flex bison libwrap0-dev
-root@server:~# cd /usr/src
-root@server:/usr/src# wget ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F4.0.4.19.tar.gz
-root@server:/usr/src# tar -xvzf tacacs+-F4.0.4.19.tar.gz
-root@server:/usr/src# cd tacacs+-F4.0.4.19
-root@server:/usr/src/tacacs+-F4.0.4.19# ./configure --prefix=/usr/local/tac_plus
-root@server:/usr/src/tacacs+-F4.0.4.19# make install clean
-root@server:/usr/src/tacacs+-F4.0.4.19# cd /etc
-</code>
-==== Настройка ====
-=== FreeBSD/Ubuntu ===
-<code>
-# htpasswd -n user1
-New password: tpassword1
-...
-# cat tac_plus.conf
-</code><code>
-key = tackey123
-user=user1 {
-        default service = permit
-        login = des "DWRr6OSzYvMH."
-        service = exec {
-                priv-lvl = 15
-        }
-}
-</code>
-==== Запуск ====
-=== FreeBSD ===
-<code>
-# /usr/local/etc/rc.d/tac_plus rcvar
-# /usr/local/etc/rc.d/tac_plus start
-Starting tac_plus.
-</code>
-=== Ubuntu/Debian/CentOS/SL ===
-<code>
-root@server:~# cat /etc/rc.local
-</code><code>
-...
-/usr/local/tac_plus/bin/tac_plus -C /etc/tac_plus.conf
-exit 0
-</code><code>
-root@server:~# sh /etc/rc.local
-</code>
-==== Настройка Cisco на использование TACACS+ сервера ====
-<code>
-tacacs-server host server
-tacacs-server key tackey123
-aaa authentication login default group tacacs+ enable
-aaa authorization exec default group tacacs+ none
-</code>
-===== Дополнительные материалы =====
-<code>
-# cat /usr/local/etc/tac_plus.conf.example
-# /usr/local/etc/tac_plus.conf
-    # This is example from old version of tac_plus. It will work
-    # but config file have new features. I recomend to read
-    # /usr/local/share/doc/tac_plus/users_guide
-user=fred {
-    name = "Fred Flintstone"
-    login = des mEX027bHtzTlQ
-    # Remember that authorization is also recursive over groups, in
-    # the same way that password lookups are recursive. Thus, if you
-    # place a user in a group, the daemon will look in the group for
-    # authorization parameters if it cannot find them in the user
-    # declaration.
-    member = admin
-    expires = "May 23 2010"
-    service = exec {
-        # When Fred starts an exec, his connection access list is 5
-        acl = 5
-        # We require this autocmd to be done at startup
-        autocmd = "telnet foo"
-    }
-    # All commands except telnet 131.108.13.* are denied for Fred
-    cmd = telnet {
-        # Fred can run the following telnet command
-        permit 131\.108\.13\.[0-9]+
-        deny .*
-    }
-    service = ppp protocol = ip {
-        # Fred can run ip over ppp only if he uses one
-        # of the following mandatory addresses If he supplies no
-        # address, the first one here will be mandated
-        addr=131.108.12.11
-        addr=131.108.12.12
-        addr=131.108.12.13
-        addr=131.108.12.14
-        # Fred's mandatory input access list number is 101
-        inacl=101
-        # We will suggest an output access list of 102, but Fred may
-        # choose to ignore or override it
-        optional outacl=102
-    }
-    service = slip {
-        # Fred can run slip. When he does, he will have to use
-        # these mandatory access lists
-        inacl=101
-        outacl=102
-    }
-    # set a timeout in the lcp layer of ppp
-    service = ppp protocol = lcp {
-        timeout = 10
-    }
-}
-user = wilma {
-    # Wilma has no password of her own, but she's a group member so
-    # she'll use the group password if there is one. Same for her
-    # password expiry date
-    member = admin
-}
-group = admin {
-    # group members who don't have their own password will be looked
-    # up in /etc/passwd
-    login = file /etc/passwd
-    # group members who have no expiry date set will use this one
-    expires = "Jan 1 2038"
-}
------------------------------------------------
-# cat /usr/local/etc/tac_plus.conf
-...
-user=user1 {
-        default service = permit
-        login = des "xxxxxxxxx"
-        service = exec {
-                priv-lvl = 15
-        }
-        member=level15
-}
-group=level15 {
-  cmd=enable { permit .* }
-  cmd=configure { permit terminal }
-#  cmd=cli { permit terminal }
-  cmd=radius-server { permit .* }
-  cmd=vlan { permit .* }
-  cmd=interface { permit .* }
-  cmd=ip { permit .* }
-  cmd=router { permit .* }
-  cmd=network { permit .* }
-  cmd=eapol { permit .* }
-  cmd=show { permit .* }
-  cmd=copy { permit .* }
-  cmd=reload { permit .* }
-  cmd=end { permit .* }
-  cmd=exit { permit .* }
-  cmd=logout { permit .* }
-  cmd=* { permit .* }
-}
-</code>

Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Differences

Page Tools