server# cat clients.conf
...
# FreeRADIUS clients.conf entry for the switch (lines above are elided; they
# presumably carry the client's ipaddr - confirm).
# NOTE(review): "testing123" is the well-known FreeRADIUS example secret. Use a
# long random value here and the same value in "radius-server key" on the
# switch: the shared secret is all that protects User-Password on the wire, and
# a guessable one lets an eavesdropper recover every password sent through it.
client switch {
    secret    = testing123
    shortname = switch
}
root@server# cat users
# FreeRADIUS "users" file.
# NOTE(review): passwords are stored in clear text; keep this file readable only
# by root and the radiusd user (e.g. mode 0640).
user1 Cleartext-Password := "rpassword1"
# user2 additionally gets reply items: the session is marked as a shell login
# and privilege level 14 is requested via cisco-avpair. The switch only honours
# this when exec authorization is sent to RADIUS; the IOS snippet below uses
# "aaa authorization exec default local none", so it is not consulted there.
user2 Cleartext-Password := "rpassword2"
      Service-Type = NAS-Prompt-User,
      cisco-avpair = "shell:priv-lvl=14"
! RADIUS client configuration on the switch.
! NOTE(review): "testing123" is the FreeRADIUS example secret; replace it with a
! long random value that matches "secret = ..." in clients.conf.
radius-server host server auth-port 1812 acct-port 1813
radius-server key testing123
! Login authentication: RADIUS first; the "enable" method (enable password) is
! tried only when no RADIUS server answers, not when RADIUS rejects the user.
! Make sure an enable secret is configured, otherwise that fallback cannot
! authenticate anyone (confirm on your IOS version).
aaa authentication login default group radius enable
! Exec authorization: local user database, then "none" (start the exec with no
! authorization at all). RADIUS is not consulted here, so reply attributes such
! as cisco-avpair "shell:priv-lvl=14" in the users file have no effect unless
! this is changed to "group radius".
aaa authorization exec default local none
! 802.1X on the switch: globally, then on one access port.
! NOTE: these commands may not exist in some earlier IOS releases.
dot1x system-auth-control
aaa authentication dot1x default group radius
aaa accounting dot1x default start-stop group radius
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
 ! "auto" enforces 802.1X on this port: no client traffic is forwarded until
 ! the supplicant has authenticated against RADIUS.
 dot1x port-control auto
switch#show dot1x interface f0/2
# Follow the FreeRADIUS accounting detail log written for the switch (the
# directory is apparently named after the NAS IP; the full path is elided).
# Debian/Ubuntu package path:
root@server:~# tail -f /var/log/freeradius/radacct/192.168...
# FreeBSD port path:
[server:~] # tail -f /var/log/radacct/192.168...
# FreeBSD: install tac_plus as a binary package.
# NOTE(review): pkg_add -r is the legacy package tool; on pkg(8)-based systems
# use "pkg install tac_plus" instead, which fetches from the signed repository.
[server:~] # pkg_add -r tac_plus
# The port keeps its configuration under /usr/local/etc (tac_plus.conf).
[server:~] # cd /usr/local/etc/
Необходимые пакеты: flex bison libwrap0-dev
Работа с исходными текстами
# Debian/Ubuntu: build tac_plus from source.
root@server:~# apt-get install flex bison libwrap0-dev
root@server:~# cd /usr/src
# NOTE(review): the tarball is fetched over plain FTP and nothing checks its
# integrity. Verify the archive against a checksum or signature published by
# the project (and prefer a current release) before building and installing it
# as root.
root@server:/usr/src# wget ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F4.0.4.19.tar.gz
root@server:/usr/src# tar -xvzf tacacs+-F4.0.4.19.tar.gz
root@server:/usr/src# cd tacacs+-F4.0.4.19
# Installs under /usr/local/tac_plus (the binary path used in rc.local below);
# the daemon's configuration is kept in /etc/tac_plus.conf on this system.
root@server:/usr/src/tacacs+-F4.0.4.19# ./configure --prefix=/usr/local/tac_plus
root@server:/usr/src/tacacs+-F4.0.4.19# make install clean
root@server:/usr/src/tacacs+-F4.0.4.19# cd /etc
# Generate the password hash for the "login = des" entry in tac_plus.conf.
# NOTE(review): on newer Apache versions htpasswd -n defaults to MD5 ($apr1$),
# which "login = des" does not accept; pass -d to force crypt(3). crypt(3) DES
# hashes use only the first 8 characters of the password, so it is a weak
# scheme - prefer a stronger login method if your tac_plus build supports one.
# htpasswd -n user1
New password: tpassword1
...
# cat tac_plus.conf
# /etc/tac_plus.conf (minimal).
# NOTE(review): the shared key is an example value. Use a long random secret and
# keep it in sync with "tacacs-server key" on the switch: TACACS+ only
# obfuscates the packet body with an MD5 stream derived from this key, so a
# guessable key exposes every login and command sent through it.
key = tackey123
user=user1 {
    # Any service/command not explicitly listed is permitted.
    default service = permit
    # crypt(3) DES hash (from htpasswd above); only 8 password characters count.
    login = des "DWRr6OSzYvMH."
    # Exec sessions start at privilege level 15 (full access).
    service = exec { priv-lvl = 15 }
}
# FreeBSD: "rcvar" prints the rc.conf variable (typically tac_plus_enable) that
# must be set to YES for the daemon to start at boot; "start" launches it now.
# /usr/local/etc/rc.d/tac_plus rcvar
# /usr/local/etc/rc.d/tac_plus start
Starting tac_plus.
root@server:~# cat /etc/rc.local
...
# Start tac_plus at boot with the config written above. rc.local runs as root,
# so the daemon inherits root; the binary path matches --prefix=/usr/local/tac_plus.
/usr/local/tac_plus/bin/tac_plus -C /etc/tac_plus.conf
exit 0
# Start the daemon by hand (same command rc.local runs at boot). Do this after
# editing the config so a parse error is caught now rather than at reboot
# (-P parses the config and exits, if your build supports it).
root@server:~# /usr/local/tac_plus/bin/tac_plus -C /etc/tac_plus.conf
! TACACS+ client configuration on the switch.
! NOTE(review): "tackey123" is an example; use a long random key that matches
! "key = ..." in tac_plus.conf.
tacacs-server host server
tacacs-server key tackey123
! Login: TACACS+ first, enable password only when no server answers.
aaa authentication login default group tacacs+ enable
! Exec authorization via TACACS+ (this is what applies priv-lvl = 15 from the
! server). "none" lets the exec start with no authorization when the server is
! unreachable - a deliberate fail-open against lockout; make sure it is intended.
aaa authorization exec default group tacacs+ none
! NOTE(review): without "aaa authorization commands 15 default group tacacs+"
! (and "aaa authorization config-commands") the per-command cmd= rules in the
! level15 group of tac_plus.conf are never consulted by the switch. Command
! accounting ("aaa accounting commands 15 default start-stop group tacacs+")
! would additionally give an audit trail of what each administrator ran.
# cat /usr/local/etc/tac_plus.conf.example
# /usr/local/etc/tac_plus.conf
# This is the example shipped with an older tac_plus. It still works, but the
# config file format has gained features since; read
# /usr/local/share/doc/tac_plus/users_guide.
user=fred {
    name = "Fred Flintstone"
    # crypt(3) DES hash; only the first 8 password characters count.
    login = des mEX027bHtzTlQ
    # Remember that authorization is also recursive over groups, in
    # the same way that password lookups are recursive. Thus, if you
    # place a user in a group, the daemon will look in the group for
    # authorization parameters if it cannot find them in the user
    # declaration.
    member = admin
    expires = "May 23 2010"
    service = exec {
        # When Fred starts an exec, his connection access list is 5
        acl = 5
        # We require this autocmd to be done at startup
        autocmd = "telnet foo"
    }
    # All commands except telnet 131.108.13.* are denied for Fred
    cmd = telnet {
        # Fred can run the following telnet command
        permit 131\.108\.13\.[0-9]+
        deny .*
    }
    service = ppp protocol = ip {
        # Fred can run ip over ppp only if he uses one
        # of the following mandatory addresses. If he supplies no
        # address, the first one here will be mandated
        addr=131.108.12.11
        addr=131.108.12.12
        addr=131.108.12.13
        addr=131.108.12.14
        # Fred's mandatory input access list number is 101
        inacl=101
        # We will suggest an output access list of 102, but Fred may
        # choose to ignore or override it
        optional outacl=102
    }
    service = slip {
        # Fred can run slip. When he does, he will have to use
        # these mandatory access lists
        inacl=101
        outacl=102
    }
    # set a timeout in the lcp layer of ppp
    service = ppp protocol = lcp {
        timeout = 10
    }
}
user = wilma {
    # Wilma has no password of her own, but she's a group member so
    # she'll use the group password if there is one. Same for her
    # password expiry date
    member = admin
}
group = admin {
    # group members who don't have their own password will be looked
    # up in /etc/passwd
    login = file /etc/passwd
    # group members who have no expiry date set will use this one
    expires = "Jan 1 2038"
}
# -----------------------------------------------
# cat /usr/local/etc/tac_plus.conf
...
user=user1 {
    # Anything without an explicit rule below is allowed.
    default service = permit
    # crypt(3) DES hash (placeholder shown); only 8 password characters count.
    login = des "xxxxxxxxx"
    # Full privilege on exec start.
    service = exec { priv-lvl = 15 }
    member=level15
}
group=level15 {
    # NOTE(review): the switch only consults these cmd= rules if it has
    # "aaa authorization commands <level> default group tacacs+" (and
    # "config-commands") configured; the IOS snippet on this page only
    # authorizes exec, so as written this group restricts nothing.
    # Because user1 has "default service = permit", commands without a cmd=
    # stanza are allowed anyway, so every "permit .*" entry below is redundant.
    # The only rule that actually restricts anything is cmd=configure, which
    # allows "configure terminal" and denies other forms such as
    # "configure replace".
    cmd=enable { permit .* }
    cmd=configure { permit terminal }
    # cmd=cli { permit terminal }
    cmd=radius-server { permit .* }
    cmd=vlan { permit .* }
    cmd=interface { permit .* }
    cmd=ip { permit .* }
    cmd=router { permit .* }
    cmd=network { permit .* }
    cmd=eapol { permit .* }
    cmd=show { permit .* }
    cmd=copy { permit .* }
    cmd=reload { permit .* }
    cmd=end { permit .* }
    cmd=exit { permit .* }
    cmd=logout { permit .* }
    # NOTE(review): whether "cmd=*" is accepted as a wildcard by this tac_plus
    # version is not established here - confirm against the users_guide.
    cmd=* { permit .* }
}