


Использование протоколов связанных с AAA

Использование протокола RADIUS

FreeBSD/Ubuntu

Сервис FreeRADIUS

server# cat clients.conf
...
# FreeRADIUS clients.conf: the switch as a RADIUS client (NAS).
client switch {
       # Shared secret; must be identical to `radius-server key` on the switch below.
       # NOTE(review): "testing123" is a test-style placeholder — use a long random
       # value in a real deployment, since the secret is what protects User-Password.
       secret          = testing123
       shortname       = switch
}
root@server# cat users
# FreeRADIUS "users" file. Credentials are stored as Cleartext-Password, so this
# file must not be world-readable (NOTE(review): confirm its permissions/owner).
user1 Cleartext-Password := "rpassword1"

# user2 also gets reply attributes: a NAS-Prompt-User service type and the Cisco
# AV pair `shell:priv-lvl=14` (compare the priv-lvl values in the tac_plus section).
user2 Cleartext-Password := "rpassword2"
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=14"

Cisco

Настройка клиента RADIUS

! RADIUS client settings: host "server", authentication on UDP 1812, accounting on 1813.
radius-server host server auth-port 1812 acct-port 1813
! Shared secret; must equal `secret` in the FreeRADIUS clients.conf entry above.
radius-server key testing123

Использование RADIUS для аутентификации telnet подключений

! Login authentication method list: RADIUS group first, enable password second.
! NOTE(review): in IOS method lists the next method is consulted only when the previous
! one errors (e.g. server unreachable), not when it rejects — confirm this fallback is wanted.
aaa authentication login default group radius enable
! Exec authorization: local database, then "none".
! NOTE(review): with "none" as the last method, a user without a local entry is still
! authorized for an exec shell — confirm that is intended rather than a lab shortcut.
aaa authorization exec default local none 

Использование RADIUS для протокола 802.1x

! 802.1X supplicant authentication via the RADIUS group.
aaa authentication dot1x default group radius

!!! may not be in some earlier IOS releases !!!
! Global 802.1X enable; the per-port dot1x setting below has no effect without it.
dot1x system-auth-control
! aaa accounting network default start-stop group radius
! Start/stop accounting records for 802.1X sessions sent to RADIUS — presumably what
! produces the radacct entries tailed in the Testing section below.
aaa accounting dot1x default start-stop group radius

! Example access port with 802.1X port-based control.
interface FastEthernet0/2
 switchport mode access
 dot1x port-control auto
switch#show dot1x interface f0/2

Настройка Windows

Testing

root@server:~# tail -f /var/log/freeradius/radacct/192.168...

[server:~] # tail -f /var/log/radacct/192.168...

Использование протокола TACACS+

Установка TACACS+ сервера

FreeBSD

[server:~] # pkg_add -r tac_plus

[server:~] # cd /usr/local/etc/

Ubuntu/Debian/CentOS/SL

Необходимые пакеты: flex bison libwrap0-dev

Управление ПО в Linux

Работа с исходными текстами

root@server:~# apt-get install flex bison libwrap0-dev

root@server:~# cd /usr/src

root@server:/usr/src# wget ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F4.0.4.19.tar.gz
root@server:/usr/src# tar -xvzf tacacs+-F4.0.4.19.tar.gz
root@server:/usr/src# cd tacacs+-F4.0.4.19

root@server:/usr/src/tacacs+-F4.0.4.19# ./configure --prefix=/usr/local/tac_plus
root@server:/usr/src/tacacs+-F4.0.4.19# make install clean

root@server:/usr/src/tacacs+-F4.0.4.19# cd /etc

Настройка

FreeBSD/Ubuntu

# htpasswd -n user1
New password: tpassword1
...

# cat tac_plus.conf
# tac_plus.conf: shared key, must match `tacacs-server key` on the switch below.
# NOTE(review): the key is cleartext in this file — keep it readable by root only.
key = tackey123

user=user1 {
        # Presumably: services not listed explicitly are authorized (see users_guide).
        default service = permit
        # DES crypt hash of the password entered at `htpasswd -n user1` above.
        # NOTE(review): traditional DES crypt only considers the first 8 characters
        # of the password; prefer a stronger hash form if this tac_plus build supports one.
        login = des "DWRr6OSzYvMH." 
        service = exec { 
                # Exec shell starts at privilege level 15.
                priv-lvl = 15
        }
}

Запуск

FreeBSD

# /usr/local/etc/rc.d/tac_plus rcvar

# /usr/local/etc/rc.d/tac_plus start
Starting tac_plus.

Ubuntu/Debian/CentOS/SL

root@server:~# cat /etc/rc.local
...
# Launch the TACACS+ daemon at boot with the config above (rc.local runs as root).
# NOTE(review): nothing restarts the daemon if it exits; a service unit with
# supervision would be more robust than rc.local.
/usr/local/tac_plus/bin/tac_plus -C /etc/tac_plus.conf

exit 0
root@server:~# sh /etc/rc.local

Настройка Cisco на использование TACACS+ сервера

! TACACS+ server address and shared key (must equal `key` in tac_plus.conf above).
tacacs-server host server
tacacs-server key tackey123

! Login authentication: TACACS+ group first, enable password as fallback.
! NOTE(review): fallback applies when the server errors/is unreachable, not on reject — confirm.
aaa authentication login default group tacacs+ enable

! Exec authorization from TACACS+ (priv-lvl comes from the user's exec service).
! NOTE(review): trailing "none" means exec authorization succeeds if the server is
! unreachable — confirm this is intended.
aaa authorization exec default group tacacs+ none

Дополнительные материалы

# cat /usr/local/etc/tac_plus.conf.example
# /usr/local/etc/tac_plus.conf

    # This is an example from an old version of tac_plus. It will work,
    # but the config file has new features. I recommend reading
    # /usr/local/share/doc/tac_plus/users_guide

# Upstream example user, quoted from tac_plus.conf.example for reference.
user=fred {
    name = "Fred Flintstone"
    # NOTE(review): sample DES hash shipped with the example — do not reuse it.
    login = des mEX027bHtzTlQ

    # Remember that authorization is also recursive over groups, in
    # the same way that password lookups are recursive. Thus, if you
    # place a user in a group, the daemon will look in the group for
    # authorization parameters if it cannot find them in the user
    # declaration.
    member = admin

    # NOTE(review): this date has already passed, so the account is expired as written.
    expires = "May 23 2010"

    service = exec {
        # When Fred starts an exec, his connection access list is 5
        acl = 5

        # We require this autocmd to be done at startup
        autocmd = "telnet foo"
    }

    # All commands except telnet 131.108.13.* are denied for Fred
    cmd = telnet {
        # Fred can run the following telnet command
        # NOTE(review): the pattern is unanchored; if the match is a substring match,
        # anchor it (^...$) so other arguments containing such an address do not slip through.
        permit 131\.108\.13\.[0-9]+

        deny .*
    }

    service = ppp protocol = ip {
        # Fred can run ip over ppp only if he uses one
        # of the following mandatory addresses If he supplies no
        # address, the first one here will be mandated
        addr=131.108.12.11
        addr=131.108.12.12
        addr=131.108.12.13
        addr=131.108.12.14

        # Fred's mandatory input access list number is 101
        inacl=101

        # We will suggest an output access list of 102, but Fred may
        # choose to ignore or override it
        optional outacl=102
    }

    service = slip {
        # Fred can run slip. When he does, he will have to use
        # these mandatory access lists
        inacl=101
        outacl=102
    }

    # set a timeout in the lcp layer of ppp
    service = ppp protocol = lcp {
        timeout = 10
    }
}

# Upstream example: a user whose password and expiry are inherited from the group.
user = wilma {
    # Wilma has no password of her own, but she's a group member so
    # she'll use the group password if there is one. Same for her
    # password expiry date
    member = admin
}

# Upstream example group referenced by fred and wilma above.
group = admin {
    # group members who don't have their own password will be looked
    # up in /etc/passwd
    # NOTE(review): on systems with shadow passwords /etc/passwd carries no hashes,
    # so confirm this lookup actually authenticates anyone before relying on it.
    login = file /etc/passwd

    # group members who have no expiry date set will use this one
    expires = "Jan 1 2038"
}

-----------------------------------------------
# cat /usr/local/etc/tac_plus.conf
...
# Production-style variant of user1: same exec/priv-lvl 15 setup as above, plus
# membership in the level15 command-authorization group defined below.
user=user1 {
        default service = permit
        # Hash redacted in this listing ("xxxxxxxxx" is a placeholder, not a real value).
        login = des "xxxxxxxxx" 
        service = exec { 
                priv-lvl = 15 
        }
        member=level15
}

# Per-command authorization for level15 members. Each cmd=<name> block lists
# regexes matched against the command's arguments.
group=level15 {
  cmd=enable { permit .* }
  # Only the argument "terminal" is permitted here (e.g. `configure terminal`).
  cmd=configure { permit terminal }
#  cmd=cli { permit terminal }
  cmd=radius-server { permit .* }
  cmd=vlan { permit .* }
  cmd=interface { permit .* }
  cmd=ip { permit .* }
  cmd=router { permit .* }
  cmd=network { permit .* }
  cmd=eapol { permit .* }
  cmd=show { permit .* }
  cmd=copy { permit .* }
  cmd=reload { permit .* }
  cmd=end { permit .* }
  cmd=exit { permit .* }
  cmd=logout { permit .* }
  # NOTE(review): if `cmd=*` is honoured as a wildcard, every command is permitted and the
  # entries above (including the configure restriction) are redundant; if it is not, this
  # line is a silent no-op. Check users_guide and remove whichever half is unintended.
  cmd=* { permit .* }
}