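server# cat clients.conf
...
# FreeRADIUS clients.conf: the switch is registered as a RADIUS client (NAS).
# Requests are accepted only from the client's address and only when the
# Request Authenticator verifies under the shared secret.
# NOTE(review): no "ipaddr" is shown; presumably the name "switch" resolves to
# the NAS address, or the attribute was elided with "..." -- confirm.
client switch {
    # SECURITY: "testing123" is the sample secret shipped in the stock
    # FreeRADIUS clients.conf and is universally known.  The shared secret is
    # all that hides User-Password on the wire (MD5-based obfuscation) and
    # authenticates replies, so use a long random value, unique per client,
    # and keep this file readable only by the radius user.  It must match
    # "radius-server key" on the switch.
    secret    = testing123
    shortname = switch
}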
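root@server# cat users
# FreeRADIUS "users" file: check items on the first line of an entry, reply
# items on the indented lines that follow, separated by commas.
#
# SECURITY: Cleartext-Password keeps the password in plain text.  That form
# is required for CHAP/MS-CHAP style checks (e.g. EAP-MSCHAPv2 for 802.1X);
# if the switch only does PAP logins, a hashed check item such as
# SSHA-Password avoids plaintext on disk.  Either way the file must be
# readable only by the radius user.  Neither entry restricts which NAS the
# user may authenticate from (no NAS-IP-Address / Huntgroup check item).

user1   Cleartext-Password := "rpassword1"

# Service-Type = NAS-Prompt-User marks a CLI login; the Cisco AV pair sets
# the exec privilege level.  NOTE(review): IOS applies these reply items only
# when exec authorization is sent to RADIUS ("aaa authorization exec default
# group radius"); with the "local none" list used on this page they are
# ignored.
user2   Cleartext-Password := "rpassword2"
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=14"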
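! Assumes "aaa new-model" is already enabled (not shown on this page).
! RADIUS server: authentication on UDP/1812, accounting on UDP/1813.
! "server" is a hostname, so the switch needs DNS ("ip name-server") or an
! "ip host server <addr>" entry.
radius-server host server auth-port 1812 acct-port 1813
! Must equal "secret" in clients.conf.  The key sits in plain text in the
! running-config ("service password-encryption" only applies trivially
! reversible type-7 encoding); use a long random value, and the newer
! "radius server <name>" syntax with an encrypted key where the IOS supports it.
radius-server key testing123
!
! A method list falls through to the next method only when a method ERRORS
! (server unreachable), not when it rejects the user -- so "enable" is a
! dead-server fallback, not a second password.
aaa authentication login default group radius enable
! SECURITY: "none" is fail-open: if the "local" method errors (presumably when
! the RADIUS-authenticated user has no local username entry -- verify on your
! IOS), the exec session is authorized with no restrictions.  Because exec
! authorization never consults RADIUS, the shell:priv-lvl reply attribute in
! the users file is not applied; use "group radius" (with "local" as the
! fallback) for that.
aaa authorization exec default local none
!
! 802.1X
aaa authentication dot1x default group radius
!!! may not be present in some earlier IOS releases !!!
dot1x system-auth-control
!
aaa accounting network default start-stop group radius
aaa accounting dot1x default start-stop group radius
!
interface FastEthernet0/2
 switchport mode access
 dot1x port-control auto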
! Verification of the 802.1X port configured above (FastEthernet0/2 with
! "dot1x port-control auto"); the output should report the port in AUTO
! port-control mode.
switch#show dot1x interface f0/2
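# Live view of the RADIUS accounting detail logs (FreeRADIUS keeps one
# directory per NAS address; the path is truncated on the original page).
# Debian/Ubuntu package layout:
root@server:~# tail -f /var/log/freeradius/radacct/192.168...
# FreeBSD port layout:
[server:~] # tail -f /var/log/radacct/192.168...
# These files record usernames, NAS/session details and timestamps --
# keep them readable only by the radius user and administrators.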
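# FreeBSD: install tac_plus from the package collection.
# NOTE(review): pkg_add -r is the legacy package tool; it fetched archives
# over plain FTP with no signature verification.  On current FreeBSD use
# "pkg install" from the signed repository (the port is presumably
# net/tacacs -- confirm the current package name).
[server:~] # pkg_add -r tac_plus
[server:~] # cd /usr/local/etc/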
Необходимые пакеты (Debian/Ubuntu, для сборки из исходных текстов): flex bison libwrap0-dev
Работа с исходными текстами
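# Build tac_plus (shrubbery.net) from source on Debian/Ubuntu.
# Build dependencies.  libwrap0-dev adds tcp_wrappers support, which
# presumably lets /etc/hosts.allow restrict which NAS addresses may connect
# to tac_plus -- check that ./configure picked it up.
root@server:~# apt-get install flex bison libwrap0-dev
root@server:~# cd /usr/src
# SUPPLY CHAIN: plain FTP gives no authenticity guarantee.  Compare the
# archive's checksum with a value obtained from a trusted source before
# unpacking, and check for a newer F4.0.4.x release -- .19 is an old one.
root@server:/usr/src# wget ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F4.0.4.19.tar.gz
root@server:/usr/src# tar -xvzf tacacs+-F4.0.4.19.tar.gz
root@server:/usr/src# cd tacacs+-F4.0.4.19
# Installs under /usr/local/tac_plus (daemon: /usr/local/tac_plus/bin/tac_plus).
root@server:/usr/src/tacacs+-F4.0.4.19# ./configure --prefix=/usr/local/tac_plus
root@server:/usr/src/tacacs+-F4.0.4.19# make install clean
# The configuration file is created next in /etc (tac_plus.conf).
root@server:/usr/src/tacacs+-F4.0.4.19# cd /etc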
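# Generate a crypt(3) hash for user1 to paste into the "login = des" line.
# NOTE(review): htpasswd from Apache 2.2.18 and later defaults to MD5
# ("$apr1$..."), which "login = des" cannot verify -- pass -d to force
# crypt()/DES:  htpasswd -n -d user1
# The 13-character hash shown in the config below is the DES form.
# htpasswd -n user1
New password: tpassword1
...
# cat tac_plus.conf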
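# SECURITY: the TACACS+ key is the only protection of the packet body
# (MD5 keystream XOR, not real encryption); a short, guessable key lets a
# captured session -- including passwords -- be recovered offline.  Use a
# long random value; it must match "tacacs-server key" on the switch.
# Keep this file mode 0600, owned by root.
key = tackey123

user=user1 {
    # Any service or command not explicitly listed is permitted.
    default service = permit
    # crypt(3) DES hash: only 8 password characters count and it is cheap to
    # brute force.  Prefer PAM/system authentication if this build supports
    # it (see the "login =" forms in the users_guide).
    login = des "DWRr6OSzYvMH."
    service = exec {
        # Full administrative privilege on the IOS device.
        priv-lvl = 15
    }
}
# No "accounting file = ..." directive is set, so accounting records sent by
# the NAS are presumably not written anywhere; add e.g.
# accounting file = /var/log/tac_plus.acct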
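# FreeBSD rc.d: "rcvar" prints the rc.conf knob (tac_plus_enable).  "start"
# only works once that knob is set to YES in /etc/rc.conf; otherwise use
# "onestart" for a one-off run.
# /usr/local/etc/rc.d/tac_plus rcvar
# /usr/local/etc/rc.d/tac_plus start
Starting tac_plus.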
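root@server:~# cat /etc/rc.local
...
# Starts tac_plus at boot from the source build (prefix /usr/local/tac_plus)
# using the config written to /etc.  The daemon forks into the background by
# default, so the script continues to "exit 0".  It runs as root and is not
# supervised -- if it dies, nothing restarts it; a proper init script or
# service unit is preferable outside a lab.
/usr/local/tac_plus/bin/tac_plus -C /etc/tac_plus.conf
exit 0
# Run the file by hand once to start the daemon without rebooting.
root@server:~# sh /etc/rc.local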
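! TACACS+ server "server" (a hostname: needs DNS or an "ip host" entry).
tacacs-server host server
! Must equal "key =" in tac_plus.conf; use a long random value, not a word.
tacacs-server key tackey123
! "enable" is consulted only when every TACACS+ server errors / is
! unreachable, not when the server rejects the login.
aaa authentication login default group tacacs+ enable
! SECURITY: "none" is fail-open -- when the TACACS+ server is unreachable,
! exec access is granted without any server-side authorization.  Outside a
! lab fall back to "local" with a local emergency account instead.
! NOTE: the per-command rules in the tac_plus "level15" group are only
! consulted if the switch sends command-authorization requests, which needs
! e.g. "aaa authorization commands 15 default group tacacs+"; nothing here
! enables that, and no TACACS+ accounting is configured either.
aaa authorization exec default group tacacs+ none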
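# cat /usr/local/etc/tac_plus.conf.example
# /usr/local/etc/tac_plus.conf
# This is the example from an old tac_plus version.  It still works, but the
# current config format has more features; read
# /usr/local/share/doc/tac_plus/users_guide.
user=fred {
    name = "Fred Flintstone"
    # crypt(3) DES hash (weak: 8 significant characters).
    login = des mEX027bHtzTlQ
    # Remember that authorization is also recursive over groups, in
    # the same way that password lookups are recursive.  Thus, if you
    # place a user in a group, the daemon will look in the group for
    # authorization parameters if it cannot find them in the user
    # declaration.
    member = admin
    # NOTE(review): this date is already in the past, so fred would be
    # refused if the example were used as-is.
    expires = "May 23 2010"
    service = exec {
        # When Fred starts an exec, his connection access list is 5
        acl = 5
        # We require this autocmd to be done at startup
        autocmd = "telnet foo"
    }
    # All commands except telnet 131.108.13.* are denied for Fred
    cmd = telnet {
        # Fred can run the following telnet command
        permit 131\.108\.13\.[0-9]+
        deny .*
    }
    service = ppp protocol = ip {
        # Fred can run ip over ppp only if he uses one
        # of the following mandatory addresses.  If he supplies no
        # address, the first one here will be mandated
        addr=131.108.12.11
        addr=131.108.12.12
        addr=131.108.12.13
        addr=131.108.12.14
        # Fred's mandatory input access list number is 101
        inacl=101
        # We will suggest an output access list of 102, but Fred may
        # choose to ignore or override it
        optional outacl=102
    }
    service = slip {
        # Fred can run slip.  When he does, he will have to use
        # these mandatory access lists
        inacl=101
        outacl=102
    }
    # set a timeout in the lcp layer of ppp
    service = ppp protocol = lcp {
        timeout = 10
    }
}
user = wilma {
    # Wilma has no password of her own, but she's a group member so
    # she'll use the group password if there is one.  Same for her
    # password expiry date
    member = admin
}
group = admin {
    # group members who don't have their own password will be looked
    # up in /etc/passwd
    # NOTE(review): on systems with shadow passwords /etc/passwd carries no
    # hashes, so this lookup presumably cannot verify anyone -- confirm.
    login = file /etc/passwd
    # group members who have no expiry date set will use this one
    expires = "Jan 1 2038"
}
-----------------------------------------------
# cat /usr/local/etc/tac_plus.conf
...
user=user1 {
    # Any service or command not explicitly listed is permitted, and the
    # exec is started at privilege 15, so user1 is an unrestricted admin.
    default service = permit
    # crypt(3) DES hash (redacted on the page); weak -- see above.
    login = des "xxxxxxxxx"
    service = exec {
        priv-lvl = 15
    }
    member=level15
}
# Per-command authorization.  For a command that IS listed, arguments not
# matching a "permit" entry are denied (so "configure" allows only
# "configure terminal"); commands not listed fall under the user's
# "default service = permit".  These rules take effect only if the NAS sends
# command-authorization requests (on IOS: "aaa authorization commands 15
# default group tacacs+"), which the switch configuration on this page does
# not enable.
group=level15 {
    cmd=enable { permit .* }
    cmd=configure { permit terminal }
    # cmd=cli { permit terminal }
    cmd=radius-server { permit .* }
    cmd=vlan { permit .* }
    cmd=interface { permit .* }
    cmd=ip { permit .* }
    cmd=router { permit .* }
    cmd=network { permit .* }
    cmd=eapol { permit .* }
    cmd=show { permit .* }
    cmd=copy { permit .* }
    cmd=reload { permit .* }
    cmd=end { permit .* }
    cmd=exit { permit .* }
    cmd=logout { permit .* }
    # NOTE(review): "cmd=*" is not a documented wildcard in the shrubbery
    # users_guide; "default cmd = permit" (or the user's "default service =
    # permit", already set here) is the documented way -- confirm the parser
    # accepts this line rather than silently ignoring or rejecting it.
    cmd=* { permit .* }
}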