сервис_tacacs [2014/04/03 10:53] val [Ubuntu/Debian/CentOS/SL] |
сервис_tacacs [2022/03/05 13:48] val |
Line 1: | Line 1: | ||
====== Сервис TACACS+ ====== | ====== Сервис TACACS+ ====== | ||
+ | |||
+ | * [[http://www.shrubbery.net/tac_plus/|TACACS+ daemon]] | ||
+ | * [[https://habrahabr.ru/post/194750/|Другой tacacs+]] | ||
===== Установка TACACS+ сервера ===== | ===== Установка TACACS+ сервера ===== | ||
- | ==== FreeBSD ==== | + | ==== Ubuntu<11/Debian<20 ==== |
- | <code> | + | |
- | [server:~] # pkg_add -r tac_plus | + | |
- | [server:~] # cd /usr/local/etc/ | + | <code> |
+ | root@server:~# apt install tacacs+ | ||
</code> | </code> | ||
- | ==== Ubuntu/Debian/CentOS/SL ==== | + | ==== Docker ==== |
- | * [[Управление ПО в Linux#Работа с исходными текстами]] | + | * [[https://www.nixcraft.com/t/ubuntu-server-20-04-installing-tacacs/3452|Ubuntu Server 20.04 Installing TACACS+]] |
- | * Необходимые пакеты: flex bison libwrap0-dev | + | * [[Технология Docker]] |
+ | * [[https://hub.docker.com/r/lfkeitel/tacacs_plus|TACACS+ Docker Image]] | ||
<code> | <code> | ||
- | root@server:~# apt-get install flex bison libwrap0-dev | + | # mkdir tacacs_server |
- | root@server:~# cd /usr/src | + | # cd tacacs_server/ |
- | root@server:/usr/src# wget ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F4.0.4.26.tar.gz | + | # cat Dockerfile |
- | root@server:/usr/src# tar -xvzf tacacs+-F4.0.4.26.tar.gz | + | </code><code> |
- | root@server:/usr/src# cd tacacs+-F4.0.4.26 | + | FROM openswitch/tacacs_server |
- | root@server:/usr/src/tacacs+-F4.0.4.26# ./configure --prefix=/usr/local/tac_plus | + | RUN printf "%s\n%s" '#!/bin/sh' "/usr/local/bin/tac_plus -G -C /etc/tacacs/tac_plus.conf" > /start.sh && chmod +x /start.sh |
- | root@server:/usr/src/tacacs+-F4.0.4.26# make install clean | + | |
+ | ENTRYPOINT ["/start.sh"] | ||
+ | </code><code> | ||
+ | # docker build -t corp/tacacs_server . | ||
- | root@server:/usr/src/tacacs+-F4.0.4.26# cd /etc | + | # mkdir /etc/tacacs+/ |
</code> | </code> | ||
Line 38: | Line 44: | ||
... | ... | ||
- | # cat tac_plus.conf | + | # cat /etc/tacacs*/tac_plus.conf |
</code><code> | </code><code> | ||
key = tackey123 | key = tackey123 | ||
- | user=user1 { | + | accounting file = /var/log/tac_plus.acct |
+ | |||
+ | user=root { | ||
default service = permit | default service = permit | ||
- | login = des "DWRr6OSzYvMH." | + | login = des "hPkKtADs9JXn2" |
- | service = exec { | + | service = exec { |
priv-lvl = 15 | priv-lvl = 15 | ||
+ | } | ||
+ | } | ||
+ | |||
+ | user=user1 { | ||
+ | default service = permit | ||
+ | login = des "DWRr6OSzYvMH." | ||
+ | service = exec { | ||
+ | priv-lvl = 1 | ||
} | } | ||
} | } | ||
Line 53: | Line 69: | ||
===== Запуск ===== | ===== Запуск ===== | ||
- | ==== FreeBSD ==== | + | ==== Ubuntu/Debian ==== |
<code> | <code> | ||
- | # /usr/local/etc/rc.d/tac_plus rcvar | + | # service tacacs_plus restart |
- | + | ||
- | # /usr/local/etc/rc.d/tac_plus start | + | |
- | Starting tac_plus. | + | |
</code> | </code> | ||
- | ==== Ubuntu/Debian/CentOS/SL ==== | + | ==== Docker ==== |
<code> | <code> | ||
- | root@server:~# cat /etc/rc.local | + | # docker run --name tacacs_server -d -p 49:49 -v /etc/tacacs+/:/etc/tacacs/ -v /var/log/:/var/log/ --restart=always corp/tacacs_server |
- | </code><code> | + | </code> |
- | ... | + | |
- | /usr/local/tac_plus/bin/tac_plus -C /etc/tac_plus.conf | + | |
- | exit 0 | + | ===== Мониторинг ===== |
- | </code><code> | + | <code> |
- | root@server:~# /usr/local/tac_plus/bin/tac_plus -C /etc/tac_plus.conf | + | # tail -f /var/log/tac_plus.acct |
</code> | </code> | ||
===== Дополнительные материалы ===== | ===== Дополнительные материалы ===== | ||
+ | |||
<code> | <code> | ||
+ | # cat tac_plus.conf | ||
+ | </code><code> | ||
+ | key = tackey123 | ||
+ | |||
+ | user=user1 { | ||
+ | default service = permit | ||
+ | login = des "DWRr6OSzYvMH." | ||
+ | service = exec { | ||
+ | priv-lvl = 15 | ||
+ | } | ||
+ | } | ||
+ | |||
+ | user=user2 { | ||
+ | default service = permit | ||
+ | login = des "QMN3UmwtTO/GU" | ||
+ | service = exec { | ||
+ | priv-lvl = 15 | ||
+ | } | ||
+ | member = group_restrict | ||
+ | } | ||
+ | |||
+ | acl = acl_restrict { | ||
+ | permit = 172.16.1.3 | ||
+ | permit = 172.16.1.4 | ||
+ | permit = 172.16.1.5 | ||
+ | } | ||
+ | |||
+ | group = group_restrict { | ||
+ | acl = acl_restrict | ||
+ | } | ||
+ | </code><code> | ||
+ | # cat /usr/local/etc/tac_plus.conf | ||
+ | </code><code> | ||
+ | ... | ||
+ | user=user1 { | ||
+ | default service = permit | ||
+ | login = des "xxxxxxxxx" | ||
+ | service = exec { | ||
+ | priv-lvl = 15 | ||
+ | } | ||
+ | member=level15 | ||
+ | } | ||
+ | |||
+ | group=level15 { | ||
+ | cmd=enable { permit .* } | ||
+ | cmd=configure { permit terminal } | ||
+ | # cmd=cli { permit terminal } | ||
+ | cmd=radius-server { permit .* } | ||
+ | cmd=vlan { permit .* } | ||
+ | cmd=interface { permit .* } | ||
+ | cmd=ip { permit .* } | ||
+ | cmd=router { permit .* } | ||
+ | cmd=network { permit .* } | ||
+ | cmd=eapol { permit .* } | ||
+ | cmd=show { permit .* } | ||
+ | cmd=copy { permit .* } | ||
+ | cmd=reload { permit .* } | ||
+ | cmd=end { permit .* } | ||
+ | cmd=exit { permit .* } | ||
+ | cmd=logout { permit .* } | ||
+ | cmd=* { permit .* } | ||
+ | } | ||
+ | </code><code> | ||
# cat /usr/local/etc/tac_plus.conf.example | # cat /usr/local/etc/tac_plus.conf.example | ||
</code><code> | </code><code> | ||
Line 154: | Line 229: | ||
# group members who have no expiry date set will use this one | # group members who have no expiry date set will use this one | ||
expires = "Jan 1 2038" | expires = "Jan 1 2038" | ||
- | } | ||
- | </code><code> | ||
- | # cat /usr/local/etc/tac_plus.conf | ||
- | </code><code> | ||
- | ... | ||
- | user=user1 { | ||
- | default service = permit | ||
- | login = des "xxxxxxxxx" | ||
- | service = exec { | ||
- | priv-lvl = 15 | ||
- | } | ||
- | member=level15 | ||
- | } | ||
- | |||
- | group=level15 { | ||
- | cmd=enable { permit .* } | ||
- | cmd=configure { permit terminal } | ||
- | # cmd=cli { permit terminal } | ||
- | cmd=radius-server { permit .* } | ||
- | cmd=vlan { permit .* } | ||
- | cmd=interface { permit .* } | ||
- | cmd=ip { permit .* } | ||
- | cmd=router { permit .* } | ||
- | cmd=network { permit .* } | ||
- | cmd=eapol { permit .* } | ||
- | cmd=show { permit .* } | ||
- | cmd=copy { permit .* } | ||
- | cmd=reload { permit .* } | ||
- | cmd=end { permit .* } | ||
- | cmd=exit { permit .* } | ||
- | cmd=logout { permit .* } | ||
- | cmd=* { permit .* } | ||
} | } | ||
</code> | </code> |
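Review bot: The new-side `/etc/tacacs*/tac_plus.conf` adds a `user=root` entry with `priv-lvl = 15` whose password is a crypt(3) DES hash (`login = des "hPkKtADs9JXn2"`) and keeps the shared secret `key = tackey123`; the key is the only thing obscuring TACACS+ packet bodies on the wire and DES crypt truncates passwords to 8 characters, so both read as production values rather than placeholders — a comment such as `# replace key with a long random secret; des hashes are weak, use a strong per-user password` would make that explicit. In the `group=level15` block under "Дополнительные материалы", the closing `cmd=* { permit .* }` grants every command, which makes the per-command `permit` lines above it redundant (and the `configure { permit terminal }` restriction moot); either drop that line or note `# cmd=* permits everything; the lines above are illustrative only`. The Docker start line `docker run ... -p 49:49 -v /var/log/:/var/log/ ...` publishes the daemon on all host interfaces and bind-mounts the host's entire `/var/log/` read-write into the container; mounting only the accounting file's directory and binding to a management address (`-p <mgmt-ip>:49:49`) would narrow both without changing behaviour. The same `key = tackey123` also appears in the example configs later on the page, so whatever wording is chosen should apply to all of them.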